An Efficient Lightweight Authentication and Key Agreement Protocol for Patient Privacy

Tele-medical information systems provide an efficient and convenient way to connect patients at home with medical personnel in clinical centers. In such systems, service providers consider user authentication a critical requirement, and various authentication and key agreement protocols have been employed to meet it. The main problem is that existing two-way authentication protocols between patients and medical servers have not been built on thorough and comprehensive analysis, so their designs still have flaws. This paper carefully analyzes all aspects of the security requirements, including perfect forward secrecy, in order to develop an efficient and robust lightweight authentication and key agreement protocol. The security of the proposed protocol undergoes an informal analysis, whose findings show that it provides a range of security features, including perfect forward secrecy and resistance to DoS attacks. Furthermore, it is simulated and formally analyzed using the Scyther tool. Simulation results indicate the protocol's robustness, both in perfect forward secrecy and against various attacks. In addition, the proposed protocol was compared with other related protocols in terms of time complexity and communication cost. The time complexity of the proposed protocol involves only the time of performing a hash function, T_h, i.e., O(12T_h). The average time required for executing the authentication is 0.006 seconds, and the number of bits exchanged is 704; both values are the lowest among the compared protocols. The results of the comparison point to a superior performance by the proposed protocol.

Medical online service is one of the most sensitive Internet-based services, in which patient medical records are stored in databases and transmitted over the Internet. These records contain confidential information on patient illness and treatment. To take advantage of telemedicine, patients must register with a medical provider. After the initial registration process, whenever telemedicine services are accessed, the user and the server must authenticate to each other. If each party confirms the other party's identity, the two can reach a key agreement and exchange their messages through the shared key.
When Internet-based communications are not secure, it is very possible that an unauthorized party discloses patient information, violating the patient's privacy. To address this issue, many research works have focused on the security and authentication of telecommunication protocols [1][2][3][4][5][6]. Nevertheless, the proposed protocols still lack the perfect forward secrecy feature. This research work attempts to address that gap and come up with a robust and efficient lightweight authentication and key agreement protocol for patient privacy in network communications that provides perfect forward secrecy. A robust protocol should be developed on the basis of a comprehensive analysis and evaluation of the security requirements. Thus, this work begins by investigating the existing relevant protocols to reveal their flaws and strengths, and then designs the protocol so as to avoid those flaws.
The article is organized as follows. Section 2 reviews previous studies and Section 3 analyzes the Mehmood et al. [7] protocol. Section 4 proposes a secure and efficient protocol for authentication and key exchange that is resistant to various attacks. Section 5 deals with the security analysis of the introduced protocol, while Section 6 presents a formal analysis using the Scyther tool [8]. Then, Section 7 compares the proposed protocol with similar ones in terms of time complexity. Finally, Section 8 provides the conclusion and discusses future work.

Related Works
In 2012, Wu et al. [9] introduced a "password and smart card" authentication protocol. However, in the same year, Debiao et al. [10] revealed that the Wu et al. protocol was not resistant to "insider and impersonation" attacks, and so they introduced an improved protocol. Tan et al. [11] proposed a biometric-based authentication protocol for the Telecare medical information system (TMIS), claiming it was resistant to all attacks and could meet various security needs. Finding that the Tan et al. [11] protocol was not immune to DoS and replay attacks, Arshad and Arshad et al. [12] introduced a new three-factor biometric-based protocol. In 2015, Giri et al. [13] demonstrated that the Khan et al. [14] protocol was not resistant to the stolen-verifier attack and the off-line password guessing attack, and then developed an RSA encryption-based validation protocol to ward off these attacks. Studying the Giri et al. [13] protocol in 2015, Amin et al. [15] discovered that it was vulnerable to insider and password guessing attacks and thus could not meet the security requirement of anonymity. In the same year, Arshad et al. [16] demonstrated that the Muhaya protocol [17] was not resistant to the stolen-verifier attack and the off-line password guessing attack and was unable to meet the "perfect forward secrecy" security requirement, so Arshad et al. proposed an Elliptic-curve cryptography (ECC)-based authentication scheme for TMIS in which the user is anonymous.
Chaudhry et al. [18] evaluated the Amin and Biswas protocol [19] and reported its lack of resistance to stolen smart card attacks and an ineffective password change phase. They further improved the protocol.
Jiang et al. [19] examined the three-factor authentication protocol proposed by Lu et al. [20] and declared it vulnerable to password guessing and to user and server impersonation attacks. After enhancing the three-factor protocol, they provided a more viable solution to the security issues of the Lu et al. [20] scheme. Zhang et al. [21] presented a three-factor scheme for medical service authentication, which Aghili et al. [22] later showed to be at risk of DoS and insider attacks.
At the same time, Ostadsharif et al. [23] reviewed the protocols presented in [13,15] and found that they were not resistant to key compromise impersonation attacks. To address this, they introduced a new protocol for authentication and key agreement between patients and medical practitioners. Later, Kumari et al. [24] reported that the protocol of Ostadsharif et al. [25] still failed to resist key compromise impersonation attacks. Furthermore, Khatoon et al. [26] presented a physician and medical practitioner authentication protocol, which Amintoosi et al. [4] reviewed the same year, concluding that it did not provide perfect forward secrecy and was open to known-session-specific temporary information attacks.
Ravanbakhsh et al. [2] then came up with an interesting scheme for authentication and key agreement in telemedicine; although their design had several advantages, it could not meet the "perfect forward secrecy" requirement and is not resistant to the "known session-specific temporary information attack". Sowjanya et al. [27] examined the scheme proposed by Li et al. [28] and concluded that it has shortcomings, such as not meeting the security requirement of perfect forward secrecy. Also, He et al. [29] state that the scheme in their other article [30] is unable to meet the "perfect forward secrecy" security requirement. Lastly, He et al. introduced a protocol for remote patient and physician authentication and claimed that it was resistant to all attacks and met various security requirements. The present study, nevertheless, proves that this protocol does not satisfy the security demand of perfect forward secrecy. Tab. 1 summarizes the existing protocols and their issues in chronological order.
Table 1: Existing protocols and their issues, in chronological order

Year | Protocol | Weakness found (by whom), year of the finding
2012 | Password and smart card authentication [9] | Insider and impersonation attacks [10], 2013
2013 | Biometric-based authentication for TMIS [11] | DoS and replay attacks [12], then proposed a new scheme, 2014
2013 | Authentication scheme for healthcare services [14] | Stolen verifier and offline password guessing [13], 2015
2015 | Robust RSA-based authentication for TMIS [13] | Insider attack [15], then proposed improved RSA-based authentication; key compromise impersonation attack [23]
2015 | Zhau's authentication scheme cryptanalysis for TMIS [17] | Stolen verifier and password guessing attacks [16], then proposed an ECC-based authentication protocol
2015 | Improved RSA-based authentication [15] | Key compromise impersonation attack [23]
- | Three-factor authentication for medical services [21] | DoS and insider attacks [22], 2019
2017 | Enhanced 1-round authentication protocol for wireless body area networks with user anonymity [28] | Does not meet the security requirement of perfect forward secrecy [27], 2020
2013 | Improved remote user mutual authentication and session key agreement [30] | Missing perfect forward secrecy and not resistant to the known session-specific temporary information attack [29], 2016
2019 | Privacy Preserved, Provable Secure, Mutually Authenticated Key Agreement [26] | Missing perfect forward secrecy [4], then proposed ECC-based Authentication and Key Management, 2019
2019 | Robust and efficient ECC-based mutual authentication [23] | Key compromise impersonation attack [24]
2019 | Resistant to all attacks authentication and secure key management [7] | Missing perfect forward secrecy [this work]

Analyzing the Weaknesses of Mehmood et al.'s Protocol
This section briefly reviews the protocol by Mehmood et al. [7] and analyzes the weaknesses of its security. Authentication and key agreement protocols usually include three phases: registration, authentication, and password change. According to Fig. 1, in the registration phase the communication channel between the two entities is assumed to be secure; that is, the parties communicate through a secure channel or in person. During the login and authentication process (...

Mehmood et al. [7] presented a protocol for two-way authentication of patients and medical servers, declaring that it was resistant to most attacks and fulfilled various security needs. This section, however, proves that this protocol does not provide perfect forward secrecy and is vulnerable to DoS attacks.

Perfect Forward Secrecy
Perfect forward secrecy requires that an attacker cannot obtain the session key even if long-term parameters, such as the server's secret key, are compromised. In Mehmood et al.'s protocol, however, an attacker who obtains the server's secret key can in fact recover the session key. Suppose the attacker holds the server's secret key x_s. Because the parameter NID_i is exchanged on the public (insecure) channel, the attacker can decrypt it and obtain id_ui and r_s. With the server's secret key and id_ui in hand, the attacker can compute X_i = h(id_ui || x_s). Next, since G_i is also sent on the public channel and r_u1 = G_i ⊕ h(id_ui || X_i), the attacker, already knowing X_i and id_ui, obtains r_u1.
Likewise, since r_s1 = m_2 ⊕ h(id_ui || X_i) and m_2 travels on the public channel while id_ui and X_i were obtained in the previous steps, the attacker acquires r_s1 as well. As a result, the attacker can compute the session key SK = h(X_i || id_ui || r_s1 || r_u1).
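The step-by-step argument above, and the corresponding claim for the proposed protocol in the security analysis, can be checked mechanically as a derivability question: starting from what an attacker sees on the public channel plus the leaked long-term secret, which values can be computed, and is the session key among them? The following Python block is an added example (not code from the paper and not the Scyther model the paper uses). It encodes only the relationships the text states for both protocols; the sets of public values, the "decrypt NID_i with x_s" rule and the assumption that no other derivation exists are this example's own modelling choices.

```python
"""Symbolic perfect-forward-secrecy check over the key-derivation relations.

Added example, not code from the paper. It encodes only the relationships the
text states: for Mehmood et al. [7] the values NID_i, G_i, m_2 on the public
channel, X_i = h(id_ui || x_s), r_u1 = G_i xor h(id_ui || X_i),
r_s1 = m_2 xor h(id_ui || X_i) and SK = h(X_i || id_ui || r_s1 || r_u1); for the
proposed protocol Q_i = h(HID_i || s) and SK_i = h(Q_i || d_i || G_i). Assumed:
the attacker records everything on the public channel, the PFS scenario hands
it the server's long-term secret, and no derivation other than the listed ones
exists. Derivability is a fixed-point closure over rules (Dolev-Yao style).
"""
from typing import FrozenSet, Iterable, List, Set, Tuple

Rule = Tuple[FrozenSet[str], str]   # (values needed, value obtained)


def rule(out: str, *inputs: str) -> Rule:
    return (frozenset(inputs), out)


def closure(known: Iterable[str], rules: List[Rule]) -> Set[str]:
    """Everything derivable from `known`: apply rules until nothing new appears."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for inputs, out in rules:
            if out not in known and inputs <= known:
                known.add(out)
                changed = True
    return known


def derivation_order(known: Iterable[str], rules: List[Rule], target: str) -> List[str]:
    """Values learned, round by round, until `target` is reached ([] if unreachable).
    Useful for writing up *why* a key leaks, as the text does step by step."""
    known = set(known)
    learned: List[str] = []
    while target not in known:
        fired = [out for inputs, out in rules if out not in known and inputs <= known]
        if not fired:
            return []
        known.update(fired)
        learned.extend(fired)
    return learned


def pfs_holds(public: Set[str], long_term: Set[str], rules: List[Rule], session_key: str) -> bool:
    """PFS holds when the transcript plus the compromised long-term secrets do not
    yield the session key."""
    return session_key not in closure(public | long_term, rules)


# Mehmood et al. [7], as analysed in the text. "Decrypt NID_i" is modelled as a
# rule that needs NID_i and the server key x_s.
MEHMOOD_RULES = [
    rule("id_ui", "NID_i", "x_s"),
    rule("r_s", "NID_i", "x_s"),
    rule("X_i", "id_ui", "x_s"),                      # X_i = h(id_ui || x_s)
    rule("r_u1", "G_i", "id_ui", "X_i"),               # G_i xor h(id_ui || X_i)
    rule("r_s1", "m_2", "id_ui", "X_i"),               # m_2 xor h(id_ui || X_i)
    rule("SK", "X_i", "id_ui", "r_s1", "r_u1"),        # h(X_i||id_ui||r_s1||r_u1)
]
MEHMOOD_PUBLIC = {"NID_i", "G_i", "m_2"}

# Proposed protocol: exchanged values named in the text (M_i, T_u, B_i, HID_i
# from the patient; Auth_s, T_s from the server); d_i and G_i are stored, not sent.
PROPOSED_RULES = [
    rule("Q_i", "HID_i", "s"),                         # Q_i = h(HID_i || s)
    rule("SK_i", "Q_i", "d_i", "G_i"),                 # SK_i = h(Q_i || d_i || G_i)
]
PROPOSED_PUBLIC = {"M_i", "T_u", "B_i", "HID_i", "Auth_s", "T_s"}


if __name__ == "__main__":
    print("Mehmood, x_s leaked -> PFS:", pfs_holds(MEHMOOD_PUBLIC, {"x_s"}, MEHMOOD_RULES, "SK"))
    print("  attacker learns:", derivation_order(MEHMOOD_PUBLIC | {"x_s"}, MEHMOOD_RULES, "SK"))
    print("Proposed, s leaked -> PFS:", pfs_holds(PROPOSED_PUBLIC, {"s"}, PROPOSED_RULES, "SK_i"))
```

The derivation order printed for Mehmood et al. reproduces the text's sequence (id_ui and r_s, then X_i, then r_u1 and r_s1, then SK). The check is only as good as the rule set: a relationship omitted from the rules cannot leak, so when using this approach on a full protocol every value sent on the channel and every computation each party performs must be encoded.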

DoS Attack
When the user sends the first message to the server, the first action the server takes, before any authentication, is a decryption, which is a costly operation. An attacker can exploit this by sending the message repeatedly, keeping the server so busy with decryptions that it cannot respond to legitimate requests.

A Secure and Efficient Protocol for Authentication and Key Exchange
In order to address the drawbacks of the Mehmood et al. [7] protocol, this work introduces a secure and efficient ECC-based protocol for authentication and key exchange. The scheme consists of registration, login and authentication, key agreement, and password change phases, each of which is described in detail below. Tab. 3 lists the symbols used in the proposed protocol.

Registration Phase
As seen in Fig. 3, during the registration process the patient selects an identity ID_i and a password pw_i. Then, after selecting a random number a_i, the patient computes A_i = h(ID_i || pw_i || a_i) and sends A_i and ID_i to the server via a secure channel. Upon receiving the patient's message, the server computes the parameters B_i, HID_i, D_i, Q_i, and G_i from the relationships shown in Fig. 3. For each registered patient, the parameters Q_i and d_i are stored in the server's memory, while D_i, B_i, G_i, b_i, and d_i are written to the patient's smart card, which is delivered to the patient. The patient then adds a_i and W_i = G_i ⊕ A_i to the smart card, and the registration process is complete.

Login and Authentication Phase
In this phase, the patient and the server authenticate each other, after which the patient can log in to the server. As presented in Fig. 4, the patient inserts his/her smart card into the card reader and enters the correct ID and password. First, through the relationships shown in Fig. 4, the smart card is verified as belonging to the patient in question and therefore as not stolen. As soon as the server receives the patient's message, it checks the message's freshness. Using its own secret key s, the server obtains Q_i from the relation Q_i = h(HID_i || s). Then, through the relationships shown in Fig. 4, the server determines whether the received message is genuine; in other words, it verifies the authenticity of the patient's message.

Now, the server selects a timestamp T_s, derives the session key SK_i = h(Q_i || d_i || G_i), and computes the parameter Auth_s from the relation given in Fig. 4. Finally, the server sends Auth_s and T_s to the patient.
As soon as the patient receives the server's message, it checks the message's freshness. After deriving the same session key, the patient computes its own value Auth_u and verifies the authenticity and origin of the received message by checking Auth_s =? Auth_u. With this step, the login and authentication phase of the proposed protocol is complete.

Change Password Phase
In this phase, the patient can securely change his/her password. To do so, the patient first enters the password pw*_i and the identity ID*_i. The relationships of this phase are then computed to determine whether the smart card belongs to the patient in question.
At this point, the patient enters the new password pw**_i. The corresponding relationships are computed, and the resulting parameter D**_i replaces D_i on the smart card.

Security Analysis of the Proposed Protocol
The security parameters of the proposed protocol are discussed in the following sections.

Perfect Forward Secrecy
According to Nikooghadam et al. [31], perfect forward secrecy requires that an attacker cannot obtain the session key even if the secret key of one of the parties is disclosed or other long-term parameters are exposed. In the proposed protocol, the session key is SK_i = h(Q_i || d_i || G_i), and an attacker who acquires the server's secret key still cannot access the parameter d_i. Since d_i is a random parameter, the attacker cannot obtain it.

Anonymity
Anonymity presumes that an attacker who intercepts all messages transmitted on the public channel still cannot learn the identities of the parties. In the proposed protocol, even if the attacker observes every message on the public channel, it cannot obtain the parties' IDs.

Replay Attack
In a replay attack, the attacker intercepts an old message from the public channel and sends it to one of the parties after some time. In the proposed protocol, such an attack does not succeed, owing to the use of timestamps and random parameters.
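The freshness checks that both parties perform in the login and authentication phase, and the replay-resistance argument above, depend on details the paper does not spell out: how wide the acceptance window is and what happens to a message replayed while its timestamp is still inside that window. The following Python block is an added example (not code from the paper) showing one concrete way to implement these two checks together with the constant-time form of the Auth_s =? Auth_u comparison. The 60 s window, the (identifier, timestamp) replay cache and the constructed identifier value are this example's own assumptions.

```python
"""Freshness and replay checks of the kind the login phase relies on.

Added example, not code from the paper. The text says the server checks the
freshness of the patient's message (timestamp T_u), the patient checks the
freshness of the server's (T_s), and timestamps plus random values defeat
replay. Assumed here: a 60 s acceptance window and a cache of
(identifier, timestamp) pairs already accepted inside that window, so that a
message replayed before the window closes is still refused.
"""
import hmac
from typing import Dict, Hashable, Tuple

WINDOW_SECONDS = 60  # assumed tolerance for clock skew plus network delay


def is_fresh(t_msg: int, t_now: int, window: int = WINDOW_SECONDS) -> bool:
    """Accept only |now - T| <= window. Rejecting future-dated timestamps is
    part of the check: a message stamped ahead of time would otherwise count
    as fresh when replayed later."""
    return abs(t_now - t_msg) <= window


class ReplayCache:
    """Remembers (identifier, timestamp) pairs accepted within the window.
    Entries older than the window are dropped on each call, so memory is
    bounded by the number of distinct messages accepted per window; the
    freshness check alone rejects anything older than that anyway."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self._seen: Dict[Tuple[Hashable, int], int] = {}

    def check_and_record(self, ident: Hashable, t_msg: int, t_now: int) -> bool:
        """True if (ident, t_msg) is fresh and not yet seen; records it."""
        self._seen = {k: t for k, t in self._seen.items() if t_now - t <= self.window}
        if not is_fresh(t_msg, t_now, self.window):
            return False
        key = (ident, t_msg)
        if key in self._seen:
            return False                     # same message inside the window
        self._seen[key] = t_msg
        return True

    def __len__(self) -> int:
        return len(self._seen)


def authenticator_matches(received: bytes, computed: bytes) -> bool:
    """The 'Auth_s =? Auth_u' step: compare in constant time so the check
    itself leaks nothing about how many leading bytes matched."""
    return hmac.compare_digest(received, computed)


def simulate() -> dict:
    """Constructed exchange: a genuine login at t=1000, its replay at t=1010
    (inside the window, caught by the cache), a replay at t=2000 (caught by
    the freshness check), a future-dated message, and a second genuine login."""
    cache = ReplayCache()
    hid = b"HID_i-example"  # constructed identifier, not a value from the paper
    return {
        "first": cache.check_and_record(hid, 1000, 1000),
        "replay_in_window": cache.check_and_record(hid, 1000, 1010),
        "replay_late": cache.check_and_record(hid, 1000, 2000),
        "future_dated": cache.check_and_record(hid, 3000, 2000),
        "second_login": cache.check_and_record(hid, 2005, 2000),
        "cache_size_after": len(cache),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name:18s} {accepted}")
```

Timestamps alone only bound how long a captured message stays usable; the cache closes the remaining gap inside the window. On the server side the cache has to be keyed by the patient's identifier as well as the timestamp, otherwise two patients logging in within the same second would collide.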

DoS Attack
A DoS attack becomes feasible when one of the two entities must perform a heavy operation, such as a scalar multiplication, before the other side has been authenticated. The proposed protocol is not exposed to such an attack, since it performs no heavy operations such as decryption or scalar multiplication.

User Impersonation Attack
Owing to the two-way authentication between the patient and the server, impersonation is not possible. Consider the scenario in which the attacker sends fake parameters M_i, T_u, B_i, and HID_i in place of the genuine ones. Since the attacker does not hold the server's secret key, it cannot obtain the parameter Q_i and therefore cannot proceed.

Server Impersonation Attack
Since the session key is bound into the Auth_s parameter, and Auth_s is what the patient uses to authenticate the server, an attacker who cannot obtain the session key cannot impersonate the server. The output of the Scyther tool likewise shows no possibility of an impersonation attack.

Insider Attack
In the insider attack, the attacker is assumed to be on the server side and to be after the user's password. For this reason, in the registration phase the proposed protocol never sends the patient's password to the server directly; the password reaches the service provider only in the form A_i = h(ID_i || pw_i || a_i). As a result, such an attack is not possible.

Password Guessing Attack
The password guessing attack assumes that the attacker intercepts all messages transmitted on the public channel and tries to guess the user's password from them. Because the password is exchanged only in the form A_i = h(ID_i || pw_i || a_i), it cannot be guessed.

Known-Session-Specific Temporary Information Attack
In this attack, the requirement is that the attacker cannot obtain or construct the session key even if it acquires the random parameters of a session. In the proposed protocol the session key also contains long-term parameters, such as Q_i; therefore, even if the attacker acquires the random parameters, the long-term parameters prevent this attack.

Stolen-Verifier Attack
The stolen-verifier attack requires that an attacker who has acquired the parameters held in the server's memory or on the smart card still cannot obtain the session key. In the proposed protocol, the server's memory is tamper-proof, so its parameters cannot be stolen. In addition, since the smart card holds no parameter from which the session key can be derived, the attacker cannot obtain the session key by stealing the card.

Formal Security Analysis with Scyther
Scyther [8] is a powerful and effective tool for analyzing security protocols and identifying potential attacks and vulnerabilities. The tool automatically analyzes a protocol and scrutinizes its behavior against the most common attacks. The Scyther implementation of the proposed protocol is shown in Fig. 5. As shown in Fig. 6, the proposed authentication protocol provides all of the features discussed above.

Analysis and Validation Using BAN Logic
In this section, we analyze and validate the proposed design using BAN logic. The logical assumptions and rules of the Burrows-Abadi-Needham (BAN) logic, as well as the security goals and idealized forms, are defined in (1) to (6). The symbols used are shown in Tab. 5.
The six rules applied below are the message meaning rule (1), the freshness rule (2), the nonce verification rule (3), the jurisdiction rule (4), the belief rule (5) and the H rule (6). The assumptions are listed in Tab. 6.

Table 5: BAN logic notation
P |≡ X : The principal P believes the statement X
P ◁ X : The principal P sees the statement X
P |∼ X : The principal P once said the statement X
P ⇒ X : The principal P has jurisdiction over X
#(X) : The message X is fresh
P ←K→ Q : The secret key K is used by P and Q for communicating
{X}K : The formula X is encrypted with the key K
<X>K : The formula X is XORed with the key K
(X)K : The formula X is hashed with the key K

The goals and the idealized forms of the messages are stated next. Based on the assumptions and the logical rules of BAN logic, the idealized form of the proposed protocol is analyzed as follows:
R1: obtained from Message 1.
R2: deduced from R1 by the H rule, using assumption A2.
R3: deduced from R2 by the nonce verification rule, using assumption A7.
R4: obtained from Message 2.
R5: deduced from R4 by the H rule, using assumption A4.
R6: deduced from R5 by the nonce verification rule.
R7: deduced from assumptions A1, A3, A6 and the session key sk = h(Q_i || d_i || G_i).
R8 (Goal 1): deduced from R7 by the jurisdiction rule, using assumption A5.
R9: deduced from R3, assumptions A2, A4 and the session key sk = h(Q_i || d_i || G_i).
R10 (Goal 2): deduced from R9 by the jurisdiction rule, using assumption A6.

Analysis and Comparison of the Proposed Protocol's Time Complexity with Other Similar Protocols
Based on the research of He et al. [30], the computation times of a fuzzy extraction operation, a hash function, a symmetric encryption/decryption, an ECC point multiplication, an ECC point addition and a modular exponentiation are 0.063075, 0.0005, 0.0087, 0.063075, 0.000262, and 0.522 s, respectively; the symbol for each is listed in Tab. 7. For the communication cost, we take the size of an identifier or timestamp to be 32 bits, a nonce 64 bits, an EC point 320 bits, and a hash output 256 bits. As shown in Tabs. 8 and 9, the proposed protocol performs better than, or close to, similar earlier protocols. This matters because the proposed protocol meets the security requirements with less complexity than most similar protocols.

Table 8 (excerpt): Computational cost at the authentication stage
Protocol | Operations | Time (s)
[29] | 7T_h + 8T_mu | 0.5081
[28] | 4T_h + 5T_mu | 0.3173
This work | 12T_h | 0.006

Table 9: The number of messages exchanged on the channel at the authentication stage

Conclusion
... and ultra-lightweight protocol for medical services communication. The proposed protocol was analyzed in terms of security, and its performance during the authentication stage was measured. Formal analysis using the Scyther tool proves its robustness against various attacks and demonstrates its ability to provide various security features. The measurement results for the authentication stage show that the proposed protocol outperforms the other existing protocols, achieving a satisfactory computational time and fewer bits in the exchanged messages. Telemedicine provides easy and secure access to patient information for physicians, and gives patients, even those in remote and underprivileged areas, access to the large number of specialist physicians they need, while saving time and money.
As future work, the proposed protocol can be implemented in hardware using ARM and FPGA platforms and the Cortex-M3 microcontroller board, and the results can be reviewed.

Funding Statement:
The authors received no specific funding for this study.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present study.