An End-to-End Authentication Scheme for Healthcare IoT Systems Using WMSN

The healthcare internet of things (IoT) system has dramatically reshaped this important industry sector. This system employs the latest technology of IoT and wireless medical sensor networks to support the reliable connection of patients and healthcare providers. The goal is the remote monitoring of a patient’s physiological data by physicians. Moreover, this system can reduce the number and expenses of healthcare centers, make up for the shortage of healthcare centers in remote areas, enable consultation with expert physicians around the world, and increase the health awareness of communities. The major challenges that affect the rapid deployment and widespread acceptance of such a system are the weaknesses in the authentication process, which should maintain the privacy of patients, and the integrity of remote medical instructions. Current research results indicate the need for a flexible authentication scheme. This study proposes a scheme with enhanced security for healthcare IoT systems, called an end-to-end authentication scheme for healthcare IoT systems, that is, an E2EA. The proposed scheme supports security services such as a strong and flexible authentication process, simultaneous anonymity of the patient and physician, and perfect forward secrecy services. A security analysis based on formal and informal methods demonstrates that the proposed scheme can resist numerous security-related attacks. A comparison with related authentication schemes shows that the proposed scheme is efficient in terms of communication, computation, and storage, and therefore can not only offer attractive security services but can reasonably be applied to healthcare IoT systems.


Introduction
The main goal of internet of things (IoT) healthcare systems is the remote monitoring of the physiological data of patients by physicians to make their lives safer and more comfortable [1][2][3][4]. A patient's physiological data can be collected remotely using specific sensors when the patient is
• A lightweight cryptographic function should be used at the patient node to achieve fast and secure mutual authentication with WMSN nodes;
• Mutual authentication is required not only between WMSN nodes and physician nodes but among all communication nodes using different cryptographic techniques;
• Authentication should detect both random and malicious alterations of authentication messages without affecting the communication data rate;
• With anonymity service becoming increasingly important, authentication should hide identities of physician nodes and all communication nodes;
• Authentication should support perfect forward secrecy for long-term keys of communication nodes such that an unauthorized party cannot disclose previous authentication session keys.

Architecture of Healthcare IoT Systems
A healthcare IoT system must prevent unauthorized access to sensitive patient data and medical instructions, so the design of the authentication scheme should give high priority to detecting malicious modifications. We propose a model architecture to monitor patient medical status using WMSN. Fig. 1 shows its main components. WMSN nodes are either sensor or actuator nodes. Sensor nodes, such as electroencephalogram, heartbeat, pulse rate, pedometer, breathing, vision, glucose level, and temperature sensors, can sense the physiological data of patients and send regular data reports to smart devices [24,30]. Actuator nodes, such as insulin pumps, drug delivery devices, and brain and muscle stimulators, receive medical instructions from a physician through a patient's smart device and carry out the corresponding actions [13,31].
A patient's smart device node should be able to store and transmit physiological data captured by sensor nodes, including on-demand and emergency sensor data [20]. Sensor nodes periodically send captured data to the smart device, which forwards it directly to the gateway node (GWN) through the internet. Therefore, the smart device must be able to compute the lightweight cryptographic functions to communicate with sensor nodes and the GWN node.
The GWN node is the heart of the authentication process, providing registration stages to providers and patient smart devices. It coordinates authentication and key agreement (AKA) execution between all authentication nodes. The physician gathers a patient's physiological data indirectly from the GWN node to analyze it and monitor the patient's physical condition.
The main contributions of this paper are as follows. An architecture of the healthcare IoT system using WMSN is introduced, including the main authentication nodes and the communication flow. An authentication scheme for healthcare IoT systems using WMSN is proposed. Security verification based on BAN logic is used to verify mutual authentication between nodes. An informal, comparative security analysis shows how the proposed scheme can resist all types of attacks. A comparative performance analysis demonstrates the scheme's applicability.

Organization of This Paper
The remainder of this paper is organized as follows. Section 2 describes the proposed authentication scheme. Formal verification using BAN logic and an informal security analysis of the proposed scheme are described in Section 3. A performance analysis is presented in Section 4. We provide our conclusions in Section 5.

Proposed Authentication Scheme
An end-to-end authentication scheme for healthcare IoT systems using WMSN is proposed, which is based on the one-way hash function and symmetric cryptographic techniques.

Preliminaries
We address preliminaries such as scheme structure, notation, assumptions, and design requirements.

Scheme Structure
The proposed scheme has four types of authentication nodes: physician nodes (P i ), GWNs, WMSN nodes the physician must access (S k ), and smart device nodes (SD j ).
The scheme has 10 phases: physician node registration, smart device node registration, WMSN node registration, physician login authentication, patient login authentication, patient password change, physician password change, WMSN node authentication, and long- and short-term authentication.

Notation and Abbreviations
Notation and abbreviations are listed in Tab. 1.

Assumptions
We list the vulnerability assumptions used in the security analysis of the proposed authentication scheme.
• An adversary can recover the smartcard information of a physician node, and of the patient based on power consumption methods [44,45].
• An adversary can modify, intercept, capture, reroute, and retransmit authentication messages between all communication nodes where communication channels are considered unsecured and unreliable during authentication.
• An adversary can act as a legitimate smart device of a patient or physician node.
• The GWN node is considered a trusted communication node between the smart device of the physician node and the smart device node of the patient.
• Registration phases are accomplished directly through secure and reliable channels with the GWN node.

Notation and abbreviations (Tab. 1):
Prefix identity for P i
ID is : Suffix identity for P i
X i : Secret key of GWN node for P i
SD j : Patient smart device node
SID j : Identity number of SD j
SPW j : Password of SD j
SSC j : Security code of SD j
SN j : Session number between SD j and GWN node
SC j : Smartcard of smart device SD j
ID j : SD j identity used in GWN side
ID jp : Prefix identity for SD j
ID js : Suffix identity for SD j
X j : Secret key of GWN node for SD j
GWN node : Gateway node/service provider
S k : WMSN node that physician node must access
SID k : Identity number of S k
SS k0 , SS k1 : Sensor sequence number
ST : Type of WMSN node
PS ij : Subsequent authentication key
R 0 , R 5 , R 9 : Random numbers generated by P i side
R 2 , R 4 , R 7 , R 10 : Random numbers generated by SD j side
R 1 , R 3 , R 6 , R 8 : Random numbers generated by GWN node side
h 0 , h 1 , h 2 , h 3 : Hash functions
TP : Timestamps of P i side
T GWN0 , T GWN1 : Timestamps of GWN node side
T SD : Timestamp of SD j side
T : Predefined threshold value
String concatenation operation
XOR operation
Null value

Design Requirements
We introduce the security requirements used to design the proposed authentication scheme.
• AKA concepts are utilized in all authentication phases. Therefore, communication nodes will mutually and securely authenticate each other to set up a reliable channel and exchange patient data after each authentication session between WMSN and physician nodes.
• Dynamic anonymity is used in authentication to hide the actual identities of the patient's smart device and physician nodes. Therefore, communication nodes use a different identity in each authentication session, and an adversary cannot track or masquerade as patients or service provider workers.
• A robust integrity mechanism is used in all authentication phases to detect modifications in authentication messages exchanged between communication nodes. Hence, an adversary cannot alter these messages.
• Lightweight symmetric cryptography is used in long- and short-term authentication to encrypt and decrypt authentication parameters with high entropy. Thus, an adversary cannot guess these parameters in polynomial time. Consequently, physiological data exchanged between communication nodes remain confidential, and only physician nodes can receive it.
• One-way hash functions are used in long- and short-term authentication to derive the long-term session keys. Therefore, an adversary cannot disclose the current session keys nor disclose previous session keys.

Proposed Scheme Description
The proposed authentication scheme deploys a set of hash and symmetric cryptographic functions; its steps are described using the notation and abbreviations in Tab. 1.

Physician Node Registration Phase
A new physician wanting to access the physiological data collected by the WMSN nodes through the smart device of a patient, whether for periodic monitoring or an emergency, must first register in the GWN node using his/her monitoring device. Fig. 2 shows the physician node registration phase, whose steps are as follows.
Step 1: A new physician node (P i ) selects identity number (PID i ), password (PPW i ), and security code (PSC i ) according to the system specifications. P i generates a random number (R 0 ), and computes C i = h 2 (PID i PPW i R 0 ). P i sends a registration request message {PID i , C i , and PSC i } to the GWN node through a secure communication channel.
Step 2: In response to the P i request, the GWN node verifies the existence of the identity (PID i ) in the physicians table, which contains the data of physicians that have already registered.
If it exists, then the GWN node rejects the registration request message {M1}, and asks P i to select an unrepeated identity (PID i ). Otherwise, the GWN node generates a random number (R 1 ) and secret key (X i ), whose value is saved securely and separately.
The GWN node initiates the session number SN i = h 0 (R 1 ), and computes PK i = h 1 (PID i X i ), has the null value. The GWN node inserts the record of P i in the physician node table [PID i , ID ip , ID is , and SN i ]. The GWN node embeds the authentication parameters [SN i , PF i , and PV i ] in a new smartcard (SC i ), and connects the new physician with his/her patients through a specific table. The GWN node initiates the session counter (C0 ij = 0), and returns SC i and his/her list of patients [SID j , and C0 ij ] to P i via a secure communication channel.
Step 3: P i receives SC i and inserts R 0 . P i separately and securely stores the list of patients.

Smart Device Registration Phase
A new patient's smart device (SD j ) receives physiological data from connected WMSN nodes and forwards it to a service provider for periodic monitoring. This device must be registered in the GWN node. Fig. 3 shows the smart device registration phase, whose steps are as follows.
Step 1: A new smart device (SD j ) selects an identity number (SID j ), password (SPW j ), and security code (SSC j ), whose values are formulated according to the system specifications. SD j generates a random number (R 2 ) and computes C j = h 2 (SID j SPW j R 2 ). SD j transmits the registration request message {M1: SID j , C j , and SSC j } to the GWN node through a secure communication channel.
Step 2: In response to the SD j request, the GWN node verifies the existence of identity SID j in the table of registered patients. If it exists, the GWN node rejects the request and asks SD j to select another identity. Otherwise, the GWN node generates a random number (R 3 ) and a secret key (X j ), whose value is saved securely. The GWN node initiates SN j = h 0 (R 3 ), and computes SN = (SSC j SN j ), SK j = h 1 (SID j X j ), SF j = (SK j SSC j ), and SV j = h 1 ((SN j SSC j ) (C j SK j )). The GWN node initiates the pseudonym identity ID j = h 1 (SID j SN j ), and ID jp = ID js = , assigns a specific P i to patient SID j , and securely updates the list of patients for P i . The GWN node adds the SD j record to the patient node table [SID j , ID j , ID jp , ID js , and SN j ], and embeds the authentication parameters [SN, SF j , and SV j ] in a new smartcard (SC j ). The GWN node returns SC j to SD j through a secure communication channel.
Step 3: SD j receives SC j and stores R 2 in SC j . SD j initiates and securely stores the session counter (C 1j = 0).

WMSN Node Registration Phase
When a new WMSN node (S k ) is created as a sensor node to sense the physiological data of the patient or an actuator node to receive medical instructions from physician node P i , the WMSN node must be registered in the patient's smart device SD j . This is a unique characteristic of the proposed authentication scheme. The stage can prevent the use of the sensor node by someone other than the patient. Fig. 4 shows WMSN node registration, which connects S k and SD j . The steps are as follows.
Step 1: A new S k node sends a registration request message M1: SID k to SD j through a secure communication channel, where the identity value (SID k ) of S k is initiated when created by the healthcare service provider.
Step 2: In response to the S k node request message {M1}, SD j randomly generates the session number SN k0 = (R 4 ) and initiates sensor sequence numbers SS k0 = SS k1 = 0. SD j adds the S k node record to the sensor nodes table [SID k , SS k0 , and SN k0 ]. SD j node securely sends {M2: SS k1 , SN k0 } to S k .

Physician Login Authentication Phase
To monitor patients through WMSN services, the physician activates the monitoring device (P i ) by authentication to the smartcard (SC i ) obtained from the GWN node during physician node registration. Fig. 5 describes the physician login authentication phase between P i and SC i . The main steps can be summarized as follows.
Step 1: P i inserts (PID i ), (PPW i ), and (PSC i ) as the login authentication request to the SC i .
Step 2: In response to the P i request, SC i fetches (R 0 ) and computes C i = h 2 (PID i PPW i R 0 ), PK i = (PF i PSC i ), and XPV i = h 1 ((SN i PSC i ) (C i PK i )). SC i verifies whether (XPV i ) matches (PV i ) as stored in its memory by the GWN node. If not, then SC i rejects the login request and terminates the session. Otherwise, authentication will pass, and P i is considered a legitimate node and will be used by an authorized physician. SC i initiates the value of ID i = h 1 (PID i SN i ).

Patient Login Authentication Phase
To use WMSN services, the patient activates his/her smart device (SD j ) to authenticate himself/herself to the smartcard (SC j ) obtained from the GWN node during smart device registration. Fig. 6 describes the patient login authentication phase between SD j and SC j . The main steps are as follows.
Step 1: SD j inserts (SID j ), (SPW j ), and (SSC j ) as the login authentication request to SC j .
Step 2: In response to the SD j request, SC j fetches (R 2 ) and computes SN j = (SSC j SN), . SC j verifies whether (XSV j ) matches (SV j ) as stored in its memory by the GWN node. If not, then SC j terminates the login request and the session. Otherwise, authentication is passed, SD j is considered a legitimate node, and it will be used by an authorized patient.

Smart Device Password Change Phase
This is accomplished between SD j and SC j when the patient wants to change a smart device (SD j ) password. Fig. 7 shows the smart device password change phase between SD j and SC j without going back to the GWN node. The patient must execute the following steps:
Step 1: The patient inserts (SID j ), (SPW j ), (SSC j ), and a new password ( * SPW j ) through SD j as the request to change his/her password.
Step 2: SC j computes C j = h 2 (SID j SPW j R 2 ), SK j = (SF j SSC j ), and XSV j = h 1 ((SN j SSC j ) (C j SK j )). SC j verifies whether (XSV j ) matches (SV j ) as stored in its memory by the GWN node. If not, then SC j rejects the request. Otherwise, SC j computes * C j = h 2 (SID j * SPW j R 2 ) and a new verification code, * SV j = h 1 ((SN j SSC j ) ( * C j SK j )). SC j replaces the old code with the new one (SV j = * SV j ).
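The smart device registration, patient login, and password change steps above can be traced end to end in the following added example, which is not code from the paper. It assumes SHA-256 (domain-separated) in place of h 0, h 1, and h 2, XOR inside each parenthesised pair, concatenation between hash inputs, and a 32-byte security code; the names H, xor, device_commit, gwn_register, and SmartCard are illustrative.

```python
import hashlib
import hmac
import secrets


def H(tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for h0/h1/h2: SHA-256 with a tag and length-prefixed inputs."""
    m = hashlib.sha256(tag)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def device_commit(sid: bytes, spw: bytes, r2: bytes) -> bytes:
    """C_j = h2(SID_j || SPW_j || R_2), computed on the smart device."""
    return H(b"h2", sid, spw, r2)


def gwn_register(sid: bytes, c_j: bytes, ssc: bytes, x_j: bytes) -> dict:
    """GWN side of registration Step 2: build the card parameters [SN, SF_j, SV_j]."""
    sn_j = H(b"h0", secrets.token_bytes(32))      # SN_j = h0(R_3)
    sk_j = H(b"h1", sid, x_j)                     # SK_j = h1(SID_j || X_j)
    return {
        "SN": xor(ssc, sn_j),                     # SN   = SSC_j xor SN_j
        "SF": xor(sk_j, ssc),                     # SF_j = SK_j xor SSC_j
        "SV": H(b"h1", xor(sn_j, ssc), xor(c_j, sk_j)),
    }


class SmartCard:
    """Holds only masked values and the verifier; SK_j and SPW_j are never stored."""

    def __init__(self, params: dict, r2: bytes):
        self.sn, self.sf, self.sv = params["SN"], params["SF"], params["SV"]
        self.r2 = r2                              # Step 3: R_2 is stored in the card

    def _check(self, sid: bytes, spw: bytes, ssc: bytes):
        if len(ssc) != len(self.sf):
            return None
        sn_j = xor(ssc, self.sn)                  # unmask SN_j with the security code
        sk_j = xor(self.sf, ssc)                  # unmask SK_j with the security code
        c_j = device_commit(sid, spw, self.r2)
        xsv = H(b"h1", xor(sn_j, ssc), xor(c_j, sk_j))
        # Constant-time comparison is a choice of this example, not stated in the paper.
        return (sn_j, sk_j) if hmac.compare_digest(xsv, self.sv) else None

    def login(self, sid: bytes, spw: bytes, ssc: bytes) -> bool:
        return self._check(sid, spw, ssc) is not None

    def change_password(self, sid, spw, ssc, new_spw) -> bool:
        """Re-derives SV_j locally; the GWN node is not contacted."""
        checked = self._check(sid, spw, ssc)
        if checked is None:
            return False                          # old credentials wrong: SV_j untouched
        sn_j, sk_j = checked
        new_c = device_commit(sid, new_spw, self.r2)
        self.sv = H(b"h1", xor(sn_j, ssc), xor(new_c, sk_j))
        return True


def demo() -> dict:
    # Constructed sample values, not taken from the paper.
    sid, spw, new_spw = b"patient-0001", b"old-passphrase", b"new-passphrase"
    ssc, x_j, r2 = (secrets.token_bytes(32) for _ in range(3))
    bad_ssc = xor(ssc, b"\x01" + bytes(31))       # differs from ssc in one bit
    card = SmartCard(gwn_register(sid, device_commit(sid, spw, r2), ssc, x_j), r2)
    out = {
        "login_ok": card.login(sid, spw, ssc),
        "wrong_password": card.login(sid, b"guess", ssc),
        "wrong_security_code": card.login(sid, spw, bad_ssc),
        "change_with_wrong_old": card.change_password(sid, b"guess", ssc, new_spw),
        "change_ok": card.change_password(sid, spw, ssc, new_spw),
    }
    out["old_password_after_change"] = card.login(sid, spw, ssc)
    out["new_password_after_change"] = card.login(sid, new_spw, ssc)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under these assumptions the card accepts a login only when the identity, password, and security code are all correct, so a guess against recovered card contents has to get the password and the security code right together.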

Physician Password Change Phase
This is accomplished between P i and SC i when the physician (P i ) wants to change his/her password. Fig. 8 shows the details of the physician password change phase between P i and SC i without going back to the GWN node. The steps are as follows.
Step 1: The physician inputs (PID i ), (PPW i ), (PSC i ), and a new password ( * PPW i ) through P i to request a password change.
Step 2: . SC i verifies whether (XPV i ) matches (PV i ) as stored in memory by the GWN node. If not, SC i rejects the request. Otherwise, SC i computes * C i = h 2 (PID i * PPW i R 0 ), and a new verification code * PV i = h 1 ((SN i PSC i ) ( * C i PK i )), and replaces the verification code with the new one (PV i = * PV i ).

Long-Term Authentication Phase
A physician can monitor a patient's medical state by gathering physiological data indirectly from the patient's smart device through the GWN node. Therefore, the physician, through the monitoring device, must achieve mutual authentication with the GWN node and the patient's smart device SD j , and establish the subsequent session key with SD j . Fig. 9 shows the long-term authentication phase between the physician's monitoring device P i , the patient's smart device SD j , and the GWN node as a service provider. The following steps are carried out.
Step 1: P i initiates the authentication request message through SC i by inserting a patient identity (SID j ). P i generates a random number (R 5 ) and computes TPK i = (ID i PK i ), where ID i was computed and PK i extracted during physician login authentication.
where TP 0 is a current timestamp of P i . P i sends an authentication request message {M1: ID i , CT i0 , and V i0 } to the GWN node through a public communication channel.
Step 2: Upon receiving M1 from P i , the GWN node searches the table of physician nodes to find (ID ip ) and (ID is ) based on ID i as received from P i . One of the following cases will occur [18,26]: , and TPK i = (ID i PK i ). The GWN node computes < TP 0 R 5 SID j >= D TPKi (CT i0 ) and checks whether P i can monitor the medical state of SID j . If not, then the GWN node rejects M1 and terminates the session. Otherwise, the GWN node verifies the value of (TP 0 ). If it does not hold, then the GWN node rejects M1 and terminates the session. Otherwise, the GWN node computes XV i0 = h 3 (TP 0 TPK i SN i ID i R 5 ) to verify whether (XV i0 ) matches V i0 . If so, then the GWN node renews ID is = ID ip , and ID ip = h 1 (ID i R 5 ). Otherwise, the GWN node rejects M1 and terminates the session.
The GWN node checks whether P i can monitor the medical state of SID j . If not, then the GWN node rejects M1 and terminates the session. Otherwise, the GWN node verifies the value of (TP 0 ). If it does not hold, then the GWN node rejects M1 and terminates the session. Otherwise, the GWN node computes XV i0 = h 3 (TP 0 TPK i SN i ID i R 5 ) to verify whether XV i0 matches V i0 . If so, then the GWN node renews ID is = ID ip and ID ip = h 1 (ID i R 5 ). Otherwise, the GWN node rejects M1 and terminates the session.
, and checks whether P i can monitor the medical status of SID j . If not, then the GWN node rejects M1 and terminates the session. Otherwise, the GWN node verifies the value of (TP 0 ). If it does not hold, then the GWN node rejects M1 and terminates the session. Otherwise, the GWN node computes XV i0 = h 3 (TP 0 TPK i SN i ID i R 5 ) to verify whether XV i0 matches V i0 . If so, then the GWN node renews ID ip = h 1 (ID i R 5 ). Otherwise, the GWN node rejects M1 and terminates the session.
Step 3: According to the values of PID i and SID j determined through M1, the GWN node computes the authentication session key where SQ ij is a sequence number of the current execution for long-term authentication. The GWN node fetches the SD j node record from the patient table and computes SK j = h 1 (SID j X j ) and TSK j = (ID j SK j ). The GWN node initiates session counter C0 j = (C0 j + 1) and computes the pseudonym identity ID jp = h 1 (SID j ID jp ), SN j = h 0 (SN j ), and ID j = h 1 (SID j SN j ). The GWN node generates random number R 6 and computes CT j0 = E TSKj (T GWN0 R 6 PS ij ) and V j0 = h 3 (T GWN0 PS ij ID jp SID j R 6 ), where T GWN0 is the current timestamp. The GWN node sends an authentication request message {M2: C0 j , CT j0 , and V j0 } to SD j through an unsecure public communication channel.
Step 4: When M2 is received from the GWN node, the SD j node through the SC j computes C j = (C0 j − C1 j ). SD j checks whether 1 ≤ C j ≤ μ2, where μ2 is assigned based on system requirements. If not, then SD j rejects M2 and terminates the session. Otherwise, it retrieves where SK j was computed during patient login authentication. SD j computes < T GWN0 R 6 PS ij >= D TSKj (CT j0 ). SD j checks the value of T GWN0 . If it does not hold, then SD j rejects M2 and terminates the session. Otherwise, SD j sets ID js = ID jp and computes to verify whether XV j0 matches V j0 . If not, then SD j rejects M2 and terminates the session. Otherwise, SD j believes the GWN node is legitimate. SD j generates random number R 7 , and computes CT j1 = E TSKj (T SD R 7 C1 j ) and V j1 = h 3 (T SD TSK j PS ij ID js R 7 ), where T SD is the current timestamp of SD j . Then SD j sets C1 ij = C0 ij , and sends the response authentication message {M3: ID js , CT j1 , and V j1 } to the GWN node through a public communication channel.
Step 5: Upon receiving M3 from SD j , the GWN node fetches TSK j again to compute < T SD R 7 C1 j >= D TSKj (CT j1 ), where the pseudonym identity ID js = ID jp . The GWN node verifies the value of T SD . If it does not satisfy, the GWN node rejects M3 and terminates the session. Otherwise, the GWN node computes XV j1 = h 3 (T SD TSK j PS ij ID js R 7 ) to verify whether XV j1 matches V j1 . If not, then the GWN node rejects M3 and terminates the session. Otherwise, the GWN node believes SD j is legitimate. The GWN node generates random number R 8 and , and sends the response authentication message {M4: CT i1 , and V i1 } to P i .
Step 6: When M4 is received from the GWN node, P i computes < R 7 PS ij T GWN1 >= D TPKi (CT i1 ) and checks the value of T GWN1 . If it does not hold, then P i rejects M4 and terminates the session. Otherwise, If not, then P i rejects M4 and terminates the session. Otherwise, P i believes the GWN node is legitimate.
. P i sends an acknowledgment message {M5: ID i , and V ix } to the GWN node.
Step 7: Upon receiving M5 from P i , the GWN node computes T P1 = ((T P1 T GWN1 ) T GWN1 ) and T P = (T P1 − T GWN1 ), and checks whether T P exceeds the threshold μ3, which is assigned based on system requirements. If not, then the GWN node resends M4, with a fresh value of T GWN1 , to P i . Otherwise, the GWN node computes XV i2 = h 3 (ID ip PS ij R 7 SN i T P ) to verify whether XV i2 matches V i2 . If not, then the GWN node rejects M5 and terminates the session. Otherwise, the GWN node believes P i node is legitimate, and it updates SN i = h 0 (SN i ), ID is = , and SQ ij = (SQ ij + 1).

Short-Term Authentication Phase
When a physician wants to monitor a patient's medical status based on real-time data through a direct communication channel, physiological data must be received from the patient's smart device without returning to the GWN node. In this case, the physician achieves mutual authentication with the patient's smart device to prevent unauthorized access to the direct unsecured connection. Fig. 10 shows the short-term authentication phase between the P i and SD j devices. The following steps are carried out after long-term authentication:
Step 1: P i initiates an authentication request message through SC i by inserting a patient identity (SID j ). SC i retrieves the authentication session key (PS ij ) generated during the last long-term authentication phase with SD j through the GWN node. P i generates random number R 9 and initiates a session counter,
Step 2: Upon receiving M1, SD j computes C ij = (C0 ij − C1 ij ) and checks whether 1 ≤ C ij ≤ μ1, where μ1 is assigned based on system requirements. If not, then SD j rejects M1 and terminates the session. Otherwise, SD j sets . SD j verifies the value of TP i . If it does not satisfy, then SD j rejects M1 and terminates the session. SD j computes XV i3 = h 3 (TP i SID j PS ij ID1 ij R 9 ) to verify whether XV i3 matches V i3 . If not, then SD j rejects M1 and terminates the session. Otherwise, SD j believes P i is legitimate. SD j generates random number R 10 and computes CT j2 , sets C1 ij = C0 ij , and sends the response authentication message M2: ID1 ij , CT j2 , V j3 to P i .
Step 3: Upon receiving M2 from SD j , P i retrieves PS ij , where the pseudonym identity ID1 ij = ID0 ij . SD j computes <TP j R 10 C1 ij >= D PSij (CT j2 ), and P i verifies TP j . If it does not satisfy, then P i rejects M2 and terminates the session. Otherwise, P i computes XV j3 = h 3 (TP j SID j PS ij ID1 ij R 10 ) to verify whether XV j3 matches V j3 . If not, then P i rejects M2 and terminates the session. Otherwise, P i believes SD j is legitimate.

WMSN Node Authentication Phase
To exchange physiological data and medical instructions between smart device SD j and connected WMSN node S k , mutual authentication between both is achieved in all authentication sessions. Fig. 11 shows the WMSN node authentication phase between S k and SD j . The steps are as follows.
Step 1: To achieve mutual authentication with S k , SD j determines its identity (SID k ) of S k . SD j randomly generates a secret key (SK k ), updates SN k0 = h 1 (SN k0 SID k ), and computes , where the value of ST is used to determine whether SD j needs to receive physiological data or forward medical instructions. SD j computes the pseudonym identity , and renews SS k0 = SS k0 +1. SD j sends an authentication request message {M1: CT k , V k0 , SS k0 } to S k through an unsecure communication channel.
Step 2: Upon receiving M1 from SD j , S k computes SS k = (SS k0 − SS k1 ) and verifies whether 1 ≤ SS k ≤ μ0, where μ0 is assigned based on the system requirements. If not, then S k rejects M1 and terminates the session. Otherwise, S k sets SN k1 = SN k0 , computes the SN k1 = h 1 (SN k1 SID k ) function for SS k times until SS k − 1 = 1.
If not, then S k rejects M1 and terminates the session. Otherwise, SD j is considered a legitimate smart device for S k . Then S k computes , and ID k = h 1 (SK k SID k ); renews SS k1 = SS k0 ; and computes SN k0 = h 1 (SN k1 SID k ). S k sends response authentication {M2: ID k , and V k2 } to SD j through an unsecure communication channel.
Step 3: , and verifies whether V k3 matches V k2 . If so, then S k is considered a legitimate WMSN node for SD j . Otherwise, SD j rejects M2 and terminates the session.

Security Analysis
We discuss the security of the proposed authentication scheme. First, the BAN logic model is used to illustrate the validity of the mutual authentication service and secure session key [39]. Further analysis demonstrates that the scheme can resist all common attacks.

Formal Security Validation Using BAN Logic Model
The BAN logic model is used to validate the freshness, trustfulness and originality of the authentication messages exchanged between authentication nodes [41,42,46].
The login authentication and password change phases are not used frequently, and the registration phases are executed through secure communication channels. We concentrate on the soundness of the long-term, short-term, and WMSN node authentication phases. The basic notation and believing rules of the BAN logic model are summarized in Tabs. 2 and 3, respectively.
The authentication phase goals, the idealized forms of the authentication messages, and the assumptions used in the verification process for the long-term, short-term, and WMSN node authentication phases are listed in Tabs. 4-6, respectively.
The physician node (P i ), GWN node (GWN), patient's smart device (SD j ), and sensor node (S k ) are considered the main principals involved in the security verification of the proposed authentication scheme.
In the long-term authentication phase, TPK i and TSK j are the secret keys used to symmetrically encrypt authentication messages, while sets of unrepeated timestamps (T P0 , T P1 , T GWN0 , T GWN1 , and T SD ) and random numbers (R 5 , R 6 , R 7 , and R 8 ) are used to guarantee the freshness of an authentication session. In the short-term authentication phase, PS ij is a secret key used to symmetrically encrypt the authentication messages, while unrepeated timestamps TP i , and TP j and random numbers R 9 and R 10 are used to guarantee the freshness of the authentication session. SK k is the secret key used to symmetrically encrypt the authentication messages in the WMSN node authentication phase, while serial numbers SS k0 and SS k1 are used to guarantee the freshness of authentication sessions. The session key used in the current session.
The basic BAN logic rules, idealized form, and assumptions in Tabs. 2, 5, and 6 are used to validate the authentication phases.

Validation of Long-Term Authentication Phase
The validation process of the long-term authentication phase can be summarized as follows.
The goals of the long-term authentication phase using the BAN logic model are proved. Therefore, mutual authentication can be achieved between the communication principals throughout this phase.

Validation of Short-Term Authentication Phase
The steps in the validation of the short-term authentication phase can be summarized as follows.
The goals of the short-term authentication phase using the BAN logic model are proved. Therefore, mutual authentication can be achieved between the communication principals throughout this phase.

Validation of WMSN Node Authentication Phase
The validation process of the WMSN node authentication phase can be summarized as follows.
The goals of the WMSN node authentication phase using the BAN logic model are proved, and mutual authentication can be achieved between the communication principals throughout this phase.

Further Informal Security Analysis
When authentication is performed via unsecured public communication channels between authentication nodes, an adversary can capture, intercept, alter, trace, impersonate, and retransmit authentication messages over these channels. We show how the proposed authentication scheme can prevent common attacks in such an environment. Comparisons with related authentication schemes are also presented.

Session and Key Agreement
To achieve session and key agreement, communication nodes should be able to securely create and agree on one or more session keys. After that, communication nodes can use different security techniques based on the session keys to establish secure communication. In the proposed authentication scheme, the (TPK i ), (TSK j ), and (PS ij ) keys are created in the long-term authentication phase, and the (SK k ) key is created during WMSN node authentication. P i and the GWN node can create TPK i = (ID i PK i ) to achieve mutual authentication. (TPK i ) is changed according to renewal of the value of (ID i ) by performing ID i = h 1 (ID i R 5 ) on both sides for each authentication session. But (PK i ) cannot be extracted without inserting (PSC i ) on the P i side. (PK i ) is computed on the GWN side as PK i = h 1 (PID i X i ), where (X i ) is known only to the GWN node.
Similarly, (TSK j ) is established by SD j and the GWN node as TSK j = (ID j SK j ) to achieve mutual authentication. (TSK j ) is changed according to the renewal of (ID j ) as ID j = h 1 (ID j SN j ) on both sides for each authentication session. But (SK j ) cannot be extracted without inserting the security code (SSC j ) on the SD j side. (SK j ) is computed on the GWN node side as SK j = h 1 (SID j X j ), where (X j ) is known only to the GWN node.

The session key is generated by the GWN node as PS
where the sequence number of the current authentication session (SQ ij ) is incremented when a new authentication session is executed between the authentication nodes. (PS ij ) is exchanged between P i and SD j as encrypted messages through the GWN node, where P i and SD j verify the extracted value of (PS ij ) using the verification codes (V i1 ) and (V j0 ), respectively.
The (SK k ) key is created randomly by SD j to achieve mutual authentication with S k . This key can be retrieved by S k as SN k1 = h 1 (SN k1 SID k ), where (SN k1 ) is changed according to the renewed value of ( SS k ) in each authentication session between them.
Therefore, the session and key agreement service can be securely supported by the proposed authentication scheme, where the adversary can determine no session keys, either in the long-term phase or during the WMSN node authentication phase. It should be noted that when long-term authentication is executed one time, short-term authentication may be executed (C ij ) times. Thus the (PS ij ) key may be used (C ij ) times more than the (TPK i ) and (TSK j ) keys in the optimal case.

Mutual Authentication Service
Mutual authentication is considered an essential security service in most secure communication schemes, regardless of the system environment. Therefore, communication nodes should be able to authenticate each other to achieve trusted communication [34][35][36][37][38][39][40][41][42][43]. The proposed authentication scheme can support fully mutual authentication between all communication nodes through the long- and short-term authentication phases as well as through the WMSN node authentication phase.
In the long-term authentication phase, the GWN node is considered the trusted node between P i and SD j . Therefore, explicit mutual authentication can be achieved between communication nodes as follows. P i and the GWN node can prove each other's authenticity by exchanging M2 and M4 based on symmetric encryption using the shared key (TPK i ).

M1:
When the GWN node receives this message from P i , it decrypts (CT i0 ) to extract the authentication parameters (T P0 ), (R 5 ), and (SID j ), then computes the verification code function , where the secret shared values (SN i ) and (ID i ) are changed in each authentication session. The GWN node checks the following conditions during this procedure: whether P i has permission to monitor the medical state of patient SID j ; if (T P0 ) is a fresh value; and if the received (V i0 ) value matches (XV i0 ). If these conditions are met, then the GWN node can ensure that this message has been transmitted from a legitimate P i .

M4:
When P i receives this message from the GWN node, P i decrypts CT i1 to extract the authentication parameters (T GWN1 ), (R 8 ), and (PS ij ), and computes the verification code function XV i1 = h 3 (PID i PS ij R 8 SN i T GWN1 ), where the secret shared values (SN i ) and (PS ij ) are changed in each authentication session. P i checks the following conditions during this procedure: whether (T GWN1 ) is a fresh value; and whether the received V i1 matches XV i1 . If these conditions are met, then P i ensures that this message has been transmitted from a trusted GWN node.
Similarly, SD j and the GWN node can prove each other's authenticity by exchanging M2 and M3 based on symmetric encryption using the shared key TSK j , and the synchronized one-way hash function based on serial numbers C0 ij and C1 ij .

M2:
When SD j receives this message from the GWN node, it computes C j = (C0 j − C1 j ) to compute the shared key (TSK j ); decrypts CT j0 to extract the authentication parameters (T GWN0 ), (R 6 ), and (PS ij ); and computes the pseudonym identity function ( C j − 1) times as ID jp = h 1 (SID j ID jp ). SD j computes the verification code function XV j0 = h 3 (T GWN0 PS ij ID js SID j C0 j ), where the secret shared values (ID jp ) and (PS ij ) are changed in each authentication session. SD j checks whether 1 ≤ C j ≤ μ2, T GWN0 is a fresh value, and the received V j0 matches XV j0 . If these conditions are met, then SD j can ensure that this message has been transmitted from a trusted GWN node.

M3:
When the GWN node receives this message from SD j , it decrypts CT j1 to extract authentication parameters (T SD ), (R 7 ), and (C1 j ). It computes the verification code function XV j1 = h 3 (T SD TSK j PS ij ID js R 7 ), where the secret shared values (TSK j ) and (ID js ) are changed in each authentication session. The GWN node checks whether T SD is a fresh value, and the received V j1 matches XV j1 . If these conditions are met, then the GWN node can ensure that this message has been transmitted from a legitimate SD j .
When mutual authentication is achieved between P i and the GWN node and between the GWN node and SD j , the GWN node is considered a trusted node for both P i and SD j . Then, mutual authentication has been achieved indirectly between P i and SD j through the GWN node after long-term authentication. P i and SD j can authenticate each other during short-term authentication by exchanging M1 and M2. This phase is based on the symmetric encryption method using the shared key (PS ij ), and the synchronized one-way hash function method based on two serial numbers (C0 ij ) and (C1 ij ) as described in the following:

M1:
When SD j receives this message from P i , SD j computes C ij = (C0 ij − C1 ij ); decrypts CT i2 to extract the authentication parameters (TP i ), (R 9 ), and (C0 ij ); and computes the verification code function XV i3 = h 3 (TP i SID j PS ij ID1 ij R 9 ), where the secret shared value (ID1 ij ) is changed in each authentication session. SD j checks whether TP i is a fresh value, 1 ≤ C ij ≤ μ1, and the received V j1 matches XV j1 . If these conditions are met, then SD j can ensure that this message has been transmitted from a legitimate P i .

M2:
When SD j receives this message from P i , SD j decrypts CT i2 to extract the authentication parameters (TP i ), (R 9 ), and (C0 ij ); determines C ij = (C0 ij − C1 ij ); computes ID1 ij = h 1 (SID j ID1 ij ) function for ( C ij − 1) times; and computes the verification code function XV i3 = h 3 (TP i SID j PS ij ID1 ij R 9 ), where the secret shared value (ID1 ij ) is changed in each authentication session. SD j checks whether TP i is a fresh value, 1 ≤ C ij ≤ μ1, and the received V j1 matches XV j1 . If these conditions are met, then SD j can ensure that this message has been transmitted from a legitimate P i . Therefore, mutual authentication can be achieved between P i and SD j through the exchange of M1 and M2 when short-term authentication is executed C ij times.
S k and SD j can authenticate each other during WMSN node authentication by exchanging M1 and M2. This is based on the synchronized one-way hash function based on serial numbers SS k0 and SS k1 , as follows.

M1:
When S k receives this message from SD j , S k finds SS k = (SS k0 − SS k1 ), computes SN k1 = h 1 (SN k1 SID k ) for SS k times, and computes (SK k ST) = CT k h 2 (SK k SID k SS k0 ) and verification code function V k1 = h 3 (ST SID k SK k SN k1 SS k0 − 1). SD j checks whether 1 ≤ SS k ≤ μ0, and whether the received V k0 matches V k1 . If these conditions are met, then S k can ensure that this message has been transmitted from a legitimate SD j .

M2:
When SD j receives this message from S k , SD j computes V k3 = h 3 (ST SID k SK k SN k0 SS k0 ) and SD j node checks whether V k3 matches V k2 as received from S k . If so, then S k is considered a legitimate WMSN node. Therefore, P i and S k can achieve mutual authentication through the exchange of M1 and M2.

Anonymity and Untraceability Service
To support user anonymity and untraceability, a user's real identity should be protected to prevent an unauthorized node from realizing the user identity and from recognizing who communicates with whom [18,25,26,43].
The proposed authentication scheme hides the actual identities of the physician (PID i ), patient (SID j ), and WMSN node (SID k ) during authentication. During long- and short-term authentication, neither P i nor SD j uses its actual identity. Also, the actual identity of S k is not used during WMSN node authentication.
In long-term authentication, P i computes a pseudonym identity (ID i ) to achieve mutual authentication with the GWN node. ID i is initiated as ID i = h 1 (PID i SN i ) during physician login authentication, where PID i is inserted by the physician. After that, P i and the GWN node synchronously renew ID i = h 1 (ID i R 5 ), where the random number R 5 is generated in each authentication session.
Similarly, SD j computes a new pseudonym identity (ID j ) to achieve mutual authentication with the GWN node. ID j is initiated as ID j = h 1 (SID j SN j ), where SID j is inserted by the patient. SD j and the GWN node synchronously renew ID j = h 1 (SID j SN j ) based on a refresh session number that is renewed using the one-way hash function as SN j = h 0 (SN j ) in each authentication session.
In short-term authentication, P i and SD j use new pseudonym identities for each session. On the P i side, a new identity for SD j is computed as ID0 ij = h 1 (SID j ID0 ij ). On the SD j side, its identity is computed as ID1 ij = h 1 (SID j ID1 ij ). It should be noted that to synchronize the values of (ID1 ij ) and (ID0 ij ), SD j executes the one-way hash function ( C ij − 1) times, where ( C ij ) is changed in each session.
In WMSN node authentication, a new pseudonym identity for S k is used in each session. SD j and S k can compute ID k = h 1 (SK k SID k ), where (SK k ) is changed in each session. Therefore, the proposed authentication scheme can support full anonymity and untraceability service during all phases.

Perfect Forward Secrecy Service
To achieve forward secrecy, encryption and session keys are generated to ensure that past communication channels cannot be recovered even if the long-term secret keys are disclosed [18,25,26,42,43].
To ensure that the proposed authentication scheme can support forward secrecy, we consider the following scenarios.

Scenario 1:
Suppose the (TPK i ), (TSK j ), and (PS ij ) keys of the current authentication session have been disclosed during long-term authentication. The (TPK i ) and (TSK j ) keys are updated according to the fresh pseudonym identities for P i and SD j computed as ID i = h 1 (ID i R 5 ) and ID j = h 1 (ID j SN j ), respectively. PS ij is updated by the GWN node as PS ij = h 2 ((PID i X i ) (SID j X j ) SQ ij ) based on a fresh sequence number (SQ ij ). Since the session keys used in this phase are updated after each successful authentication session, the secrecy of previous and future communications will not be affected.

Scenario 2:
Suppose an adversary discloses the (PS ij ) key of the current session during short-term authentication. The (PS ij ) key is updated in each authentication session according to the fresh pseudonym identity for SD j , which is computed as ID0 ij = h 1 (SID j ID0 ij ). As a result, the secrecy of previous and future communications will not be affected.

Scenario 3:
Suppose the (SK k ) key of the current authentication session is disclosed to an adversary during WMSN node authentication. The (SK k ) key is generated randomly in each authentication session by SD j . Thus, the secrecy of previous and future communications will not be affected.
Based on the above, the proposed authentication scheme can support forward secrecy during all authentication phases.

Attacks Resistance Analysis
We illustrate how the proposed authentication scheme can prevent related and common attacks of such an environment according to previously mentioned vulnerability assumptions.

Desynchronization Attack
The most commonly used techniques to achieve user anonymity and perfect forward secrecy are the pseudonym identity, timestamp, encryption, and hashing techniques. Authentication schemes mostly renew the user identity and generate a new session key to be used in subsequent authentication sessions. The incorrect use of such techniques can lead to a desynchronization attack [18,26,42,43]. Therefore, synchronization between communication nodes in terms of identities and session keys is critical. The proposed authentication scheme can preserve synchronization between communication nodes in each authentication session. It should be noted that the desynchronization attack may be able to temporarily suspend the proposed authentication scheme but cannot prevent authentication sessions from resuming in the future.

Replay Attack
Authentication schemes usually deal with replay attacks using current timestamps, sequence or serial numbers, random numbers, and nonce values [18,26], which can generally prevent the reuse of authentication request messages gained by eavesdropping. Therefore, these methods can maintain the freshness of exchanged authentication messages between nodes. The proposed authentication scheme employs a set of timestamps, random numbers, and serial numbers as part of all challenge-and-response messages.
To ensure the proposed authentication scheme can resist the replay attack, consider the following attack scenarios.

Scenario 1:
Suppose an adversary resends the authentication request message {M1 : ID i , CT i0 , V i0 } to the GWN node, which was sent during long-term authentication. The GWN node will reject the authentication request and terminate the session because the value of (T P0 ) is out of range.

Scenario 2:
Suppose an adversary resends the authentication request message {M2 : C0 j , CT j0 , V j0 } to SD j , which was sent during long-term authentication. SD j will reject the authentication request and terminate the session because the value of ( C j ) may be out of the system requirement, and the value of (T GWN0 ) is out of range.

Scenario 3:
Suppose an adversary resends the short-term authentication request message {M1 : C0 ij , CT i2 , V i3 } to SD j , which was sent during short-term authentication. In response, SD j will reject the authentication request and terminate the session because the value of ( C ij ) may be out of the system requirement, and the value of (TP i ) is out of range.

Scenario 4:
Suppose an adversary resends the authentication request message {M1 : CT k , V k0 , SS k0 } to S k , which was sent during WMSN node authentication. In response, S k will reject the authentication request and terminate the session because the value of ( SS k ) may be out of the system requirement, and the value of (TP i ) is out of range.
The values of timestamps and serial numbers are used in all authentication messages, and are updated after each successful authentication session. In the previous attack scenarios, the proposed authentication scheme could resist a replay attack during authentication.
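An added example, not code from the paper: a simplified Python model of the receiver-side checks described for short-term M1 (serial-number window 1 ≤ C ij ≤ μ1, timestamp freshness, and a verification code bound to the synchronized pseudonym), showing how replayed, tampered and delayed requests are rejected while a lost message does not desynchronize the nodes. It assumes SHA-256 over length-prefixed fields in place of h 1 / h 3, omits the symmetric encryption of CT i2, and uses constructed values for μ1, the freshness window, keys and identities.

```python
import hashlib
import hmac

MU1 = 5        # assumed value for the window bound μ1
MAX_SKEW = 30  # assumed timestamp freshness window, in seconds


def h(*parts: bytes) -> bytes:
    """Stand-in for h1/h3: SHA-256 over length-prefixed fields (assumption)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def code(ts: int, sid: bytes, ps: bytes, pseudonym: bytes, nonce: bytes) -> bytes:
    """Verification code over (TP_i, SID_j, PS_ij, pseudonym, R_9)."""
    return h(str(ts).encode(), sid, ps, pseudonym, nonce)


class Physician:
    """Sender side (P_i): advances its pseudonym chain once per request."""

    def __init__(self, sid: bytes, ps: bytes, seed: bytes):
        self.sid, self.ps, self.pseudonym, self.c0 = sid, ps, seed, 0

    def request(self, now: int, nonce: bytes) -> dict:
        self.c0 += 1
        self.pseudonym = h(self.sid, self.pseudonym)
        v = code(now, self.sid, self.ps, self.pseudonym, nonce)
        # In the scheme ts and nonce travel encrypted; sent in clear here.
        return {"c0": self.c0, "ts": now, "nonce": nonce, "v": v}


class PatientDevice:
    """Receiver side (SD_j): catches up by the counter gap, commits on success."""

    def __init__(self, sid: bytes, ps: bytes, seed: bytes):
        self.sid, self.ps, self.pseudonym, self.c1 = sid, ps, seed, 0

    def verify(self, msg: dict, now: int) -> str:
        gap = msg["c0"] - self.c1                 # C_ij = C0_ij - C1_ij
        if not 1 <= gap <= MU1:
            return "reject: serial number out of window"
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "reject: stale timestamp"
        candidate = self.pseudonym
        for _ in range(gap):                      # synchronized one-way chain
            candidate = h(self.sid, candidate)
        expected = code(msg["ts"], self.sid, self.ps, candidate, msg["nonce"])
        if not hmac.compare_digest(expected, msg["v"]):
            return "reject: verification code mismatch"
        # State changes only after every check passes, so a forged message
        # cannot push the receiver out of step with the sender.
        self.pseudonym, self.c1 = candidate, msg["c0"]
        return "accept"


def demo() -> dict:
    # All values below are constructed for illustration.
    sid, ps, seed = b"SID-j-sample", b"PS-ij-sample", b"ID-seed-sample"
    p, sd = Physician(sid, ps, seed), PatientDevice(sid, ps, seed)
    out = {}

    m1 = p.request(now=1000, nonce=b"R9-a")
    out["fresh"] = sd.verify(m1, now=1001)
    out["replay"] = sd.verify(m1, now=1002)            # gap is now 0

    lost = p.request(now=1100, nonce=b"R9-b")          # never delivered
    m3 = p.request(now=1200, nonce=b"R9-c")
    forged = dict(m3, c0=m3["c0"] + 1)                 # counter altered in transit
    out["tampered_counter"] = sd.verify(forged, now=1201)
    out["after_loss"] = sd.verify(m3, now=1201)        # gap 2: receiver catches up
    out["late_replay_of_lost"] = sd.verify(lost, now=1202)

    m4 = p.request(now=1300, nonce=b"R9-d")
    out["delayed"] = sd.verify(m4, now=1400)           # valid counter, old timestamp
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Because the altered counter changes how far the receiver advances the chain, the verification code no longer matches even though the counter itself is not an input to it.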

Smartcard Loss Attack
It has been pointed out that an adversary can uncover the two authentication factors (identity and password) of the user from a stolen smartcard based on a power analysis attack or an offline procedure within polynomial time [18,26,44,45]. Therefore, this attack should be considered when designing an authentication scheme using smartcards.
The proposed authentication scheme is based on three authentication factors (identity, password, and secret security code). It should be noted that the secret security code may be computed by imprinting a biometric method (e.g., fingerprint, iris scan, or face recognition) using the smart devices of the physician and patient. The proposed authentication scheme employs a set of parameters and one-way hash functions to prevent such an attack.
It is useful to consider the following attack scenarios to ensure that the proposed authentication scheme can resist a smartcard loss attack using a fuzzy verifier [26].

Scenario 1:
Suppose an adversary steals a physician's smartcard (SC i ) and finds the data , and C i = h 2 (PID i PPW i R 0 ). The adversary cannot retrieve and guess the correct values of (PID i ) and (PPW i ), not even of (PSC i ), since there is an imperial address space of candidates for (PID i ), (PPW i ), and (PSC i ), which can be calculated by and |PSC i | are the address spaces of the physician's identity, password, and security code, respectively.

Scenario 2:
Suppose an adversary steals a patient's smartcard (SC j ) and finds the data , and C j = h 2 (SID j SPW j R 2 ). Similar to the previous scenario, the adversary cannot retrieve and guess the correct value of (SID j ) or (SSC j ), not even (SSC j ), since there is an imperial address space of candidates for (SID j ), (SPW j ), and (SSC j ), which can be calculated by (|SID j | × |SPW j | × |SSC j |)/1024, where |SID j |, |SPW j |, and |SSC j | are the address spaces of the patient's identity, password, and security code, respectively.
The proposed authentication scheme can resist attacks on both the physician's side and patient's side.

Impersonation Attack
An adversary can generally intercept and forge authentication request messages transmitted through public channels to impersonate a communication node in the system. The adversary uses previously collected information to generate valid authentication parameters and initiate an illegal authentication request. Under the proposed authentication scheme, authentication request messages include infeasible authentication parameters that cannot be generated by the adversary. We consider the following attack scenarios to ensure the proposed scheme can resist an impersonation attack.

Scenario 1:
Suppose an adversary intercepts the authentication request message {M1 : ID i , CT i0 , V i0 } that has been sent to the GWN node to impersonate P i during long-term authentication. The encrypted value (CT i0 ) is infeasible because the adversary does not know the secret keys (TPK i ), nor the current (SN i ) value. Thus, the adversary cannot compute (V i0 ) using different (T P0 ), (SN i ), and (R 5 ), and therefore cannot impersonate P i .

Scenario 2:
Suppose an adversary intercepts the authentication request message {M2 : C 0j , CT j0 , V j0 } that has been sent to SD j to impersonate the GWN node during long-term authentication. The encrypted value of (CT j0 ) is infeasible because the adversary does not know the secret keys (TSK j ), nor the value of (SID j ). Thus, the adversary cannot compute (V j0 ) using different (PS ij ), (T GWN0 ), and (R 6 ), and therefore cannot impersonate the GWN node.

Scenario 3:
Suppose an adversary intercepts the short-term authentication request message {M1 : C0 ij , CT i2 , V i3 } that has been sent to SD j to impersonate P i during short-term authentication. The encrypted value of (CT i2 ) is infeasible because the adversary does not know the secret keys (PS ij ), nor the value of (SID j ). Thus, the adversary cannot compute (V i3 ) using different (TP i ), (ID0 ij ), and (R 9 ). Therefore, the adversary cannot impersonate P i .

Scenario 4:
Suppose an adversary intercepts the request authentication message {M1 : CT k , V k0 , SS k0 } that has been sent to the S k node to impersonate the SD j node when the WMSN node authentication phase has been executed. However, the values of (SN k0 ) and (CT k ) are infeasible because the adversary does not know (SID k ). Thus, the adversary cannot compute (V k0 ) using different (SK k ) and (SN k0 ), and therefore cannot impersonate SD j .
The proposed authentication scheme can resist attacks when the adversary tries to impersonate the physician, GWN, and patient nodes.

Man-in-the-Middle Attack
Through the man-in-the-middle attack, an adversary can intercept and forge an authentication message transmitted through public channels to control the connection between communication nodes in the system. The adversary resends these authentication messages to make the nodes believe they are connected directly through forged authentication messages.
In the proposed authentication scheme, challenge and response messages exchanged between communication nodes are protected throughout all authentication phases. The long-term authentication phase uses (TPK i ) and (TSK j ) as secret keys to protect M1, M2, M3, M4, and M5, and ( C j ) is used to guarantee synchronization between connection sides. The secret key (PS ij ) is used in short-term authentication to protect M1 and M2, and ( C ij ) is used to guarantee synchronization between connection sides. The secret key (SK k ) is used in WMSN node authentication to protect M1 and M2, and ( SS k ) is used to guarantee synchronization between connection sides. The proposed authentication scheme can resist the man-in-the-middle attack when the adversary tries to intercept and forge authentication requests and response messages to control the connection between communication nodes.

Wrong Login Attack
Wrong login detection is considered fundamental to user login authentication. This not only can prevent a wrong login attack but can save needless computation and communication costs that can affect network congestion. When a smartcard receives the wrong login authentication data, the proposed authentication scheme provides a detection mechanism to prevent such an attack at the beginning of the physician or patient login authentication phases without unnecessary computation.
When SC i receives the wrong login information, whether in (PID i ), (PPW i ), or (PSC i ) at the physician login authentication phase, SC i fetches (R 0 ) and computes C i = h 2 (PID i PPW i R 0 ), PK i = (PF i PSC i ) and verification code XPV i = h 1 ((SN i PSC i ) (C i PK i )). SC i verifies whether (XPV i ) matches (PV i ) as stored in its memory. If not, then SC i rejects the login request and terminates the session.
Similarly, when SC j receives the wrong login information, whether in (SID j ), (SPW j ), or (SSC j ), at the patient login authentication phase, SC j fetches (R 2 ) and computes SN j = (SSC j SN), C j = h 2 (SID j SPW j R 2 ), SK j = (SF j SSC j ), and XSV j = h 1 ((SN j SSC j ) (C j SK j )). SC j verifies whether (XSV j ) matches (SV j ) as stored in its memory. If not, then SC j rejects the login request and terminates the session. The proposed authentication scheme can resist an unauthorized login attack without extra communication with the GWN node.

Insider Attack
In an insider attack, a gateway administrator or other privileged insider can use registration data to imitate a user through another system gateway. The proposed authentication scheme does not give privileged insiders the chance to perform such an attack, whether through execution of the physician or patient registration phases.
In the physician registration phase, the physician sends a registration request message {PID i , C i , and PSC i } to the GWN node. Therefore, an adversary cannot get the physician's password (PPW i ), whose value has been transmitted using the one-way hash function C i = h 2 (PID i PPW i R 0 ) instead of the clear value. Similarly, a patient sends the registration request message {SID j , C j , and SSC j } to the GWN node at the patient registration phase. An adversary cannot get the patient's password (SPW j ), whose value has been transmitted using the one-way hash function C j = h 2 (SID j SPW j R 2 ) instead of the clear value. Hence, the proposed authentication scheme can resist and avoid an insider attack.

Stolen Password-verifier Table Attack
An adversary can use a stolen password-verifier attack to steal a password from the password-verifier table stored in the network gateway to impersonate an authorized user and log in to the system. Under the proposed authentication scheme, the GWN has no password-verifier table containing a physician's password (PPW i ) or patient's password (SPW j ). Hence, the scheme can resist such an attack.

Security Comparisons
We compare the proposed authentication scheme to other schemes [38][39][40][41][42][43] in terms of security services and resistance to attacks. The main security issues that distinguish the proposed authentication scheme from the other schemes can be summarized as follows.
Throughout the authentication phases of E2EA, the actual identities of the communication nodes are not used at all, all authentication messages are protected by both symmetric encryption and cryptographic hash functions, and all authentication messages include fresh and nonce values to synchronize the communication nodes. Patients can determine and control the sensor nodes connected to them, and can prevent their sensor nodes from being used by others.
As illustrated in Tab. 7, the other schemes [38][39][40][41][42][43] fail to provide anonymity and untraceability for patients and sensor nodes. Schemes [38][39][40][41][42][43] cannot support full mutual authentication. The other schemes fail to resist a patient's smartcard loss attack, patient impersonation attack, sensor node impersonation attack, or wrong patient login attack. Scheme [38] cannot support the physician's anonymity and untraceability. Schemes [38][39][40][41] fail to support perfect forward secrecy, and cannot resist a desynchronization attack. Scheme [40] fails to detect a physician impersonation attack, insider attack, or stolen password-verifier table attack. It should be noted that, compared to the other new authentication schemes [38][39][40][41][42][43], the proposed authentication scheme can fulfill more security features and can resist all related attacks.

Table 7: Security feature comparisons

long-term, short-term, and WMSN node authentication phases. Other phases are not examined, as these are not executed frequently in any of the schemes.
In long-term authentication, a physician node sends an authentication request to the GWN node to obtain permission to monitor the physiological data of a specific patient, and delegates the GWN node to perform mutual authentication with the patient. Since monitoring the physiological data of the patient through the GWN node is expensive in terms of the size of data signaling and access time, the physician and patient obtain the session key to directly authenticate each other (n) times by short-term authentication without going back to the GWN node. The patient executes WMSN node authentication (n + 1) times with the connected sensor nodes, as shown in Fig. 12. Using the same execution timeline, Figs. 12 and 13 show that while the proposed authentication scheme executes long-term authentication (m) times, the other schemes execute login authentication (m × n + m) times. According to an analytic model proposed to find the desired values of (n) [47], the best value satisfies 1 ≤ n ≤ 5. Therefore, in our analysis, we select m and n as 1 and 5, respectively. Thus, login authentication is executed six times in other authentication schemes [38][39][40][41][42][43] while in the proposed scheme, long-term authentication will be executed once, short-term authentication five times, and WMSN authentication six times. To perform valid comparisons, the sizes of all identities, passwords, security codes, random numbers, sequential numbers, and timestamps are set to 128 bits. The input and output block sizes of symmetric encryption and decryption functions are multiples of 128 bits, and the output of the hash functions is 160 bits. According to experimental results [18,26], the running times of the SHA-1 and AES cryptographic functions are (T h ≅ 0.00032 s) and (T E/D ≅ 0.0056 s), respectively.

Storage Space Cost Analysis
One of the main challenges in such a system is to optimize the storage space costs of sensor nodes and smartcards. To facilitate analysis, the size of embedded hash functions is not considered.

Computation Cost Analysis
We compare the proposed scheme with schemes [38][39][40][41][42][43] in terms of computation costs. These are calculated based on the total execution time of the cryptographic functions in each authentication node. Tab. 10 shows the total cryptographic functions in each authentication node.
Table note: the total value is calculated when n = 5 and m = 1.

Conclusion
We proposed an end-to-end authentication scheme for healthcare IoT systems using WMSN (E2EA) to overcome current security weaknesses and make such systems more widely deployed and accepted. E2EA has appealing security features such as fully mutual authentication, full anonymity, and perfect forward secrecy in all authentication phases. To design the E2EA authentication scheme, a usable architecture model for healthcare systems using WMSN was proposed. The BAN logic model was used to verify the mutual authentication between all nodes during all authentication phases. The security level of the E2EA authentication scheme was shown through several attack scenarios. Therefore, it not only supports appealing security features but can also resist common attacks such as desynchronization, impersonation, smartcard loss, replay, man-in-the-middle, insider, wrong login information, and password table. Moreover, compared to new state-of-the-art authentication schemes, E2EA authentication has the highest security level. A performance analysis illustrated that E2EA authentication incurs the minimum cost in terms of storage space and communication, and has a suitable level of computation costs compared to the other new authentication schemes. Finally, E2EA is applicable to healthcare IoT systems to remotely monitor a patient's physiological data.