An Anonymous Mutual Authenticated Key Agreement Scheme for Wearable Sensors in Wireless Body Area Networks

Abstract

The advancement of Wireless Body Area Networks (WBAN) have led to significant progress in medical and health care systems. However, such networks still suffer from major security and privacy threats, especially for the data collected in medical or health care applications. Lack of security and existence of anonymous communication in WBAN brings about the operation failure of these networks. Recently, Li et al. proposed a lightweight protocol for wearable sensors in wireless body area networks. In their paper, the authors claimed that the protocol may provide anonymous mutual authentication and resist against various types of attacks. This study shows that such a protocol is still vulnerable to three types of attacks, i.e., the offline identity guessing attack, the sensor node impersonation attack and the hub node spoofing attack. We then present a secure scheme that addresses these problems, and retains similar efficiency in wireless sensors nodes and mobile phones.

1. Introduction

The advancement of electromedical technology has led to new research topics associated with wireless body area networks (WBANs). A wireless body area network (WBAN) is formed by a medication information system and various wearable sensors attached to the patient’s body. Integration of WBAN with modern cloud and sensor technologies offers huge improvement in the efficiency and functionality of medical and health care systems. For instance, after the ischemic stroke, patients would require a long-term electrocardiographic monitoring [1]. They suffer from the sleep apnea, and, consequently, require to wear a portable monitor while sleeping [2]. A WBAN-enabled environment allows patients to enjoy the same quality of life without being tangled by the sensor wires. To provide a comprehensive and real-time health assessment to the patient, sensed data may be transmitted to the clouds.

A WBAN architecture is generally constituted of three layers, as shown in Figure 1. This architecture is composed of three types of nodes, first level nodes, second level nodes and a hub node. The first level node, e.g., a smartphone, acts as an intermediate node and forwards the data to the hob node. The second level nodes normally refer to the nodes or wearable devices situated in the body of human, sending the sensing information to a first level node. The hub node a local server or a remote cloud that analyses and manages the sensed data.

Despite the WBANs being endowed with the simplicity and high efficiency, they suffer from low security so that the transmitted data contain the health information of the user which is typically highly sensitive. The need of finding a secure solution for the network is immediate as the security association in the 802.15.6 standard is in doubt [3]. To guarantee a secure WBAN, a secure authentication key agreement protocol should be executed in advance of the communication. We argue that this protocol still requires the user anonymity. Consider a user wearing a portable electrocardiographic monitor to keep track of his cardio health, where the cardio data are appropriately encrypted. The privacy of a known data transfer channel is compromised so that the electrocardiographic monition has been related to a cardio problem through other users.

According to the previously reported works, e.g., [3,4], the authentication key agreement protocol of the WBAN shall provide the data secrecy, user anonymity, session unlinkability, mutual authentication, forward secrecy, resilient to online/offline dictionary attack, resilient to replay attack, and resilient to man-in-the-middle attack. Due to a few reasons, we should not use generic authentication key agreement protocols [5] or lightweight protocols for the general purpose short distance communications [6] in WBANs. Firstly, the specific architecture of the WBAN includes three tiers with multiple first level nodes whose most generic protocols are not optimized in this setting. Some first level nodes may be restricted in terms of power or computation ability so that a heavy computation is not possible. Furthermore, some generic authentication protocols may not offer the user anonymity as their protocol design requirement. However, in a WBAN, the identity of the patient should be concealed while being diagnosed with a WBAN.

WBANs share some similar properties with Hierarchical Wireless Sensor Networks (HWSN). The valuable experience established in the HWSN research area has in turn led to the fast development of WBANs. Wang et al. [7] has summarized some early advancement in the authentication protocol of HWSNs. However, conventional HWSNs assume a large-scale network and are more concerned about the battery power than the security and user’s privacy. As of today, there has been no direct applicable of HWSN to WBAN.

Recently, various authentication and key agreement protocols for WBANs have been proposed. In 2009, Keoh et al. [8] has reported a protocol using an on synchronized LED blinking pattern and keychains that provides a visual confirmation of the sensor pairing. Later, Liu et al. [9] presented another protocol using both public key and secret key cryptography in the authentication. In 2014 Liu et al. [10] improved the anonymity over their previous work and presented a protocol focusing on the communication between the first level and second level nodes using the elliptic curve cryptogrpahy and bilinear map. Moreover, the anonymity of the scheme was broken by Zhao in 2014 [11]. Zhao and, subsequently, Wu et al. [12] presented their protocols to overcome some weakness founded in previous works. Those protocols however require the use of public key cryptography (either elliptic curve cryptography or bilinear pairing) in the sensor node yielding a heavy computation and storage bundle [13]. In order to save resources and ensure anonymity, Shen et al. [14] proposed a cloud-aided lightweight authentication protocol. Their protocol ensures that the network manager cannot realize the user’s real identity in the authentication phase.

The sensors attached on the human bodies have direct access to the physiological signals of the person. As a result, following the electrocardiogram (ECG) or photoplethysmogram (PPG), the use of these physiological signals may be used to generate keys of the communication [15,16,17]. Such an approach is quite novel and can be possibly developed in good applications after its robustness and security may be verified in a larger scale or experiments. Unlike secrets, and like passwords or pre-loaded secret keys, the physiological signal may not be necessarily kept away from the attackers.

In 2017, Li and his colleagues proposed a lightweight mutual authentication and key agreement protocol with anonymity for the WBAN [4]. They claimed that their protocol provides anonymity and may be secure against various types of attacks. However, this study demonstrates that Li’s protocol is not secure while the first level node is being compromised. In addition, their approach fails to provide the node anonymity so that an attacker is able to track a second level node. To overcome these shortcomings, we provide a simple but effective amendment for the protocol. The repaired protocol is secured against impersonation attacks, replay attacks, and man-in-the-middle attacks. It also provides better anonymity of the WBAN users.

The organization of the paper is as follows. Section 2 reviews the Li’s scheme. In Section 3, we show the insecurity of their scheme. Next, an improvement scheme will be presented in Section 4. We then provide some security analysis on the improved scheme, and finally conclude the paper.

2. Review of the Li’s Protocol

In this section, we briefly review the Li’s protocol [4]. Figure 2 shows the architecture of this protocol, which consists of three level nodes, i.e., a hub node ($HN$), a first level nodes ($FN$) and some second level nodes ($SN$). The second level nodes are some wearable sensors to be attached to the human body. Usually, these $SN$ are resource-constrained with limited computational and communicational power. They report sensed data to a first level node ($FN$) via a public channel. A $FN$ is an intermediate node between $SN$ and $FN$. It may be considered as a smart phone or a smart watch, providing good communication and computation ability and coordinating a set of $SN$ attached to the same human body. Next, the $FN$ forwards the received sensed data to a hub node ($HN$), which was formed by rich resources and may be installed on a database.

Such a protocol is composed of two phases as follows, the registration phase and the authentication phase. In the registration phase, a system administrator registers and initializes the $HN$, $FN$, and $SN$. In the authentication phase, an $SN$ attempts to setup a secure connection in the network while authenticate the identity of the $HN$ and being authenticated by the $HN$.

2.1. Registration Phase

In this phase, an $HN$ generates a unique secret key, $k_{HN}$, and securely stores it in its memory. In addition, each second level node is registered individually.

Once a second node N is being registered, the following steps are performed:

• A unique secret identity $i{d}_N$ is generated for the N which is also used as the secret key of the N.
• A unique identity $i{d}_N^{\prime }$ is generated for the $FN$. (It is not explicit in their article that would another $i{d}_N^{\prime }$ be generated or not when another $SN$ is registered. However, if different $i{d}_N^{\prime }$ is generated for the $SN$ that will immediately fail the $SN$’s traceability since the unencrypted $i{d}_N^{\prime }$ is sent over the air every time the $SN$ attempts to connect to the server).
• A secret parameter $k_N$ is generated for the N.
• The system computes $a_N=i{d}_N\oplus h(k_{HN},k_N)$ and $b_N=k_{HN}\oplus a_N\oplus k_N$.
• The $FN$ stores the tuple $\langle i{d}_N^{\prime },i{d}_N,a_N,b_N\rangle$ in its memory.
• The N stores the tuple $\langle i{d}_N,a_N,b_N\rangle$ in its memory.
• The $HN$ stores the $\left(i{d}_N^{\prime }\right)$ in its memory.

Note that $k_N$ is not required to be stored in the sensor node $SN$ or at the hub node $HN$.

2.2. Authentication Phase

In this phase, the N establishes a session key with the $HN$ through the $FN$ as follows. The whole process is given in Figure 3.

• A second level node N selects a random number $r_N$ and computes

  $$\begin{array}{c}\hfill x_N=a_N\oplus i{d}_N,\end{array}$$

  (1)

  $$\begin{array}{c}\hfill y_N=x_N\oplus r_N,\end{array}$$

  (2)

  $$\begin{array}{c}\hfill ti{d}_N=h(i{d}_N\oplus t_N,r_N),\end{array}$$

  (3)

  where $t_N$ is the current timestamp. Next, the N sends $\langle ti{d}_N,y_N,a_N,b_N,t_N\rangle$ to the $FN$.
• After receiving the message from the N, the $FN$ places his identity, $i{d}_N^{\prime }$, in the message and forwards the message $\langle i{d}_N^{\prime },ti{d}_N,y_N,a_N,b_N,t_N\rangle$ to the $HN$.
• Once receiving messages from the $FN$, the $HN$ first checks the $i{d}_N^{\prime }$ in its database. The process will be terminated if fails. Then, the $HN$ checks the timestamp $t_N$ by judging $t^{*}-t_N\stackrel{?}{<}\delta t$, where $t^{*}$ is the time when the message is received, with $\delta t$ being the maximum transmission delay. Next, the $HN$ computes the following:

  $$\begin{array}{c}\hfill k_N^{*}=k_{HN}\oplus a_N\oplus b_N,\end{array}$$

  (4)

  $$\begin{array}{c}\hfill x_N^{*}=h(k_{HN},k_N^{*}),\end{array}$$

  (5)

  $$\begin{array}{c}\hfill i{d}_N^{*}=x_N^{*}\oplus a_N,r_N^{*}=x_N^{*}\oplus y_N,\end{array}$$

  (6)

  $$\begin{array}{c}\hfill ti{d}_N^{*}=h(i{d}_N^{*}\oplus t_N,r_N^{*}),\end{array}$$

  (7)
• which checks whether $ti{d}_N^{*}\stackrel{?}{=}ti{d}_N$. If the equation holds, the $HN$ ensures that the N is legal. The $HN$ picks temporary secret parameters $f_N,k_N^{+}$ and continues to compute the following:

  $$\begin{array}{c}\hfill \alpha =x_N^{*}\oplus f_N,\end{array}$$

  (8)

  $$\begin{array}{c}\hfill \gamma =r_N^{*}\oplus f_N,\end{array}$$

  (9)

  $$\begin{array}{c}\hfill a_N^{+}=i{d}_N^{*}\oplus h(k_{HN},k_N^{+}),\end{array}$$

  (10)

  $$\begin{array}{c}\hfill b_N^{+}=k_{HN}\oplus a_N^{+}\oplus k_N^{+},\end{array}$$

  (11)

  $$\begin{array}{c}\hfill \eta =\gamma \oplus a_N^{+},\end{array}$$

  (12)

  $$\begin{array}{c}\hfill \mu =\gamma \oplus b_N^{+},\end{array}$$

  (13)

  $$\begin{array}{c}\hfill \beta =h(x_N^{*},r_N^{*},f_N,\eta ,\mu ).\end{array}$$

  (14)
• Finally, the $HN$ stores the session key $k_s=h(i{d}_N^{*},r_N^{*},f_N,x_N^{*})$ and sends the message $\langle \alpha ,\beta ,\eta ,\mu ,i{d}_N^{\prime }\rangle$ to the $FN$.
• Once the $FN$ receives the message from the $HN$, it drops his identity $i{d}_N^{\prime }$ and sends the message $\langle \alpha ,\beta ,\eta ,\mu \rangle$ to the N.
• Now, the N computes $f_N^{*}=x_N\oplus \alpha ,{\beta }^{*}=h(x_N,r_N,f_N^{*},\eta ,\mu )$ and checks ${\beta }^{*}\stackrel{?}{=}\beta$ to determine whether the $HN$ is legal or not. The authentication process will terminate if the equation does not hold. Then, the N computes $\gamma =r_N\oplus f_N^{*},a_N^{+}=\gamma \oplus \eta$, and $b_N^{+}=\gamma \oplus \mu$. Afterwards, the N stores the session key $k_s^{*}=h(i{d}_N,r_N,f_N^{*},x_N)$ and replaces the parameters $(a_N,b_N)$ with the parameters $(a_N^{+},b_N^{+})$.

3. Cryptanalysis of the Li’s Protocol

This section shows that the protocol proposed by Li, and his colleagues, is vulnerable to three types of attacks, i.e., offline identity guessing attacks, sensor node impersonation attacks and hub node spoofing attacks.

3.1. The Adversary Model

We assume the adversary is capable of performing the following, once being attacked. The first three capabilities are adopted from the Li’s paper while the last one is a reasonable extension of their model:

• The adversary can control the communication channel. It means that it may eavesdrop, modify and replay any messages transmitted on the communication channel. This intends to capture the protocol requirements, e.g., resilient to replay the attack, resilient man-in-middle attack, mutual authentication, resilient to online/offline dictionary attack.
• The adversary can capture any sensor node by some ways and further extract the secret data store in a captured node. This intends to capture the ability of mutual authentication and forward secrecy.
• The hub node, $HN$, is always trustworthy. However, an adversary may intrude the $HN$’s database and read and manipulate all the data in the database except for the $HN$’s master key, $k_{HN}$. This intends to capture the resilient of the hub-node-stolen-database attack where the $HN$’s database is stolen.
• An adversary may intrude a first level node $FN$ and read all data stored in it. Assuming that both the bottom level $SN$ and the top level $HN$ can be compromised by the adversary, the $FN$ may not remain unintruded for all the time, especially an $FN$ may be viewed as a smart phone or a smart watch which may be easily stolen.

3.2. Vulnerable against Intruding $FN$ Attacks

In the protocol design, an $FN$ is mainly served as a intermediate relay. However, during the registration phase, the secret information, e.g., $i{d}_N,a_N$ and $b_N$ are all stored in the $FN$. It is not explicit how these values shall be used in the $FN$ according to their paper. It is observed that the $FN$ does not have the capability to authenticate an $SN$ and to be authenticated by the $HN$ on behalf of an $SN$, if the $FN$ is responsible to coordinate the $SN$. Nevertheless, this turns out to become a point of vulnerability of the protocol. For an adversary which is able to intrude an $FN$, all $SN$ s coordinated by this $FN$ are compromised.

3.3. Vulnerable to the Tracking Attack

Li claimed that the protocol allows anonymous communication so that an adversary cannot link any communication session to another session of the same $SN$. However, this claim is not true, based on the following facts.

Every $SN$ is registered to the system through one single $FN$. The identity of the $FN$, $i{d}_N^{\prime }$, is sent over the air in Step 2 of the authentication phase. Since $i{d}_N^{\prime }$ would not be changed in the protocol, adversary can be easily associated with two sessions with the same $FN$ s. For an $FN$ coordinating only one $SN$, the adversary is allowed to link two sessions of the same $SN$ by inspecting only Step 2. If the $FN$ coordinates more $SN$ s, the user’s privacy/anonymity does not enhance as in some applications suggested in Li’s paper. Consider the medication, where the sensors of a patient are likely to be connected to a single $FN$, e.g., his smart phone. Revealing the identity of the $FN$ (smart phone) is even worse than revealing only the identity of an $SN$ (a sensor).

In certain applications, an $FN$ may coordinate extremely large amount of $SN$ s, where the identity of the $SN$ is the only concern and an adversary is still able to link two sessions with the same $SN$ s. Assuming that the adversary $\mathcal{A}$ captures only the messages sent from the $SN$ to $FN$ and $FN$ to $SN$ at the time $T_1$ and a later time $T_2$, as

$$\begin{array}{c}\hfill \mathrm{Capture}\mathrm{at}{T}_1:\left\{\begin{array}{c}\langle ti{d}_1,y_1,a_1,b_1,t_1\rangle \hfill \\ \langle {\alpha }_1,{\beta }_1,{\eta }_1,{\mu }_1\rangle \hfill \end{array}\right.,\mathrm{Capture}\mathrm{at}{T}_2:\left\{\begin{array}{c}\langle ti{d}_2,y_2,a_2,b_2,t_2\rangle \hfill \\ \langle {\alpha }_2,{\beta }_2,{\eta }_2,{\mu }_2\rangle \hfill \end{array}\right..\end{array}$$

To investigate if the messages captured at $T_2$ is a subsequent login of the messages captured at $T_1$, the $\mathcal{A}$ simply computes $a_2\oplus b_2$. If these two sessions are related, this value corresponds to $({\gamma }_1\oplus {\eta }_1)\oplus ({\gamma }_1\oplus {\mu }_1)={\eta }_1\oplus {\mu }_1$, which is indeed $k_{HN}\oplus k_N$. Except for an extreme low probability of coincident ($2^{-\mathrm{length}\left(k_{HN}\right)}$), comparing $a_2\oplus b_2\stackrel{?}{=}{\eta }_1\oplus {\mu }_1$ will allow for determining if these two sessions are related.

4. Repairing the Protocol

One of the biggest problems associated with the protocol is that the $FN$ does not perform its function in the authentication while it is possessing the secret information of the coordinating $SN$. A simple straightforward approach is to let the $FN$ not store any information about the $SN$. Instead, the $FN$ only acts as a relay between the $SN$ and the $HN$. The protocol will be remaining secure (but not anonymous) even if the $FN$ is being compromised. This however does not resolve the vulnerability of the protocl against the tracking attacks. Moreover, this option removes the ability of an $FN$ to control other $SN$ s, which may not be suitable in some applications.

The security and system requirements may be investigated as follows. The $SN$ s assume low computation/communication power; while $FN$ s and $HN$ s are less constrained, the $SN$ s and $HN$ s require being mutually authenticated. The $SN$ and $FN$ should be mutually authenticated where these two authentications may not be necessarily at the same time. Based on these requirements, we propose a simpler repaired protocol exhibiting better security and anonymity.

4.1. Architecture

In our architecture, we maintain the three-level role. However, the communication between an $SN$ and an $FN$ ($SN$-$FN$) is different from the communication session between an $SN$ and an $HN$ ($SN$-$HN$). A two-party authentication protocol will be described in this section, and the same protocol will be used in the case of $SN$-$FN$ and $SN$-$HN$. In the case of an $SN$-$HN$ communication, the $FN$ will be served as a relay to support the communication. The $SN$-$HN$ communication normally takes place when the sensing data is reported to the $HN$. The $SN$-$FN$ communication normally takes place when $FN$ manages the $SN$ or gathering data from the $SN$. In the case where $FN$-$HN$ communication is required, we assume that general purpose authentication protocols, e.g., [5,18], will be used since both of them have less constraint computation power.

4.2. Description of the Repaired Protocol

As mentioned above, this protocol is a two-party protocol. The reader may assume a duplication of keys for the $SN$-$FN$ and $SN$-$HN$ communications. We call the $UN$ an upstream node that represents either an $FN$ or an $HN$. Unless it is specified, all variables have the same length as the output of a hash function $\mathrm{length}\left(h\right)$.

A $SN$ should separately register with an $FN$ and an $HN$, and two sets of keys are required. Practically, these two registrations may be simultaneously performed via the $FN$, as long as the process is securely accomplished. Assume that the $SN$ is registering with either of them, denoted as a $UN$. The $SN$ will then be assigned with the followings:

• $i{d}_N$, a unique secret identity for the $SN$.
• $a_N=i{d}_N\oplus h(k_{UN},k_N)$, where $k_{UN}$ is the secret key of the $UN$, $k_N$ is a nonce.
• $b_N=a_N\oplus k_{UN}\oplus k_N$.
• $c_N=h(i{d}_N,k_{UN})$.

In this protocol, the $UN$ does not require storing any secret information about the $SN$. If the $UN$ wishes to keep track of the identity of the $SN$, it may keep a truncated or hashed $i{d}_N$. The value of the $i{d}_N$ needs to be unique and a bit of $i{d}_N$ may be used to indicate the association with either of $SN$-$HN$ or $SN$-$FN$, and several bits from the identity of the $UN$.

When the $SN$ wishes to initiate a communication with a $UN$, the $SN$ will perform the following operations (In case an $FN$ wishes to initiate the protocol, the protocol will be preceded by a Hello message from the $FN$ to the $SN$.). Please also refer to Figure 4.

• The $SN$ generates a random number $r_N$ and a timestamp $t_N$ and computes:

  $$\begin{array}{c}\hfill x_N=a_N\oplus i{d}_N,\end{array}$$

  (15)

  $$\begin{array}{c}\hfill y_N=x_N\oplus r_N,\end{array}$$

  (16)

  $$\begin{array}{c}\hfill ti{d}_N=h(i{d}_N,t_N,c_N,r_N).\end{array}$$

  (17)
  Then, it sends $\langle ti{d}_N,y_N,a_N,b_N,t_N\rangle$ to the $UN$.
• On receiving the request, the $UN$ first checks if the timestamp is still valid. Then, it computes:

  $$\begin{array}{c}\hfill k_N^{*}=k_{UN}\oplus a_N\oplus b_N,\end{array}$$

  (18)

  $$\begin{array}{c}\hfill x_N^{*}=h(k_{UN}\oplus k_N^{*}),i{d}_N^{*}=x_N^{*}\oplus a_N,\end{array}$$

  (19)

  $$\begin{array}{c}\hfill r_N^{*}=x_N^{*}\oplus y_N,c_N^{*}=h(i{d}_N^{*},k_{UN}).\end{array}$$

  (20)
  Next, it validates $ti{d}_N$ by $h(i{d}_N^{*},t_N,c_N^{*},r_N^{*})$. The protocol will be aborted if this does not hold.
• The $UN$ continues the protocols by selecting random numbers $f_N,k_N^{+}$ and computing the following:

  $$\begin{array}{c}\hfill a_N^{+}=i{d}_N^{*}\oplus h(k_{UN},k_N^{+}),\end{array}$$

  (21)

  $$\begin{array}{c}\hfill b_N^{+}=a_N^{+}\oplus k_{UN}\oplus k_N^{+},\end{array}$$

  (22)

  $$\begin{array}{c}\hfill \eta =h(f_N,c_N^{*})\oplus a_N^{+},\end{array}$$

  (23)

  $$\begin{array}{c}\hfill \mu =h(c_N^{*},f_N)\oplus b_N^{+},\end{array}$$

  (24)

  $$\begin{array}{c}\hfill \alpha =c_N^{*}\oplus f_N,\end{array}$$

  (25)

  $$\begin{array}{c}\hfill \beta =h(i{d}_N^{*},r_N^{*},f_N,\eta ,\mu ),\end{array}$$

  (26)

  $$\begin{array}{c}\hfill k_s=h(i{d}_N^{*},r_N^{*},f_N,x_N^{*}),\end{array}$$

  (27)

  where $k_s$ represents the session key. Finally, the $UN$ sends $\langle \alpha ,\beta ,\eta ,\mu \rangle$ to the $SN$.
• The $SN$ validates the message by computing $f_N^{*}=c_N\oplus \alpha$ and checking whether $\beta$ equals to $h(i{d}_N^{*},r_N,f_N^{*},\eta ,\mu )$. If not, it rejects the protocol.
• Finally, the $SN$ computes the session keys and updates its keys, as

  $$\begin{array}{c}\hfill a_N^{+}=h(f_N^{*},c_N)\oplus \eta ,\end{array}$$

  (28)

  $$\begin{array}{c}\hfill b_N^{+}=h(c_N,f_N^{*})\oplus \mu ,\end{array}$$

  (29)

  $$\begin{array}{c}\hfill k_s^{*}=h(i{d}_N,r_N,f_N^{*},x_N).\end{array}$$

  (30)
  The $SN$ will compute the same session key $k_s$ as the $UN$ in the absence of the adversary or noise. It will then replace $(a_N,b_N)$ with $(a_N^{+},b_N^{+})$ in its memory.

5. Security Analysis of the Repaired Protocol

This section demonstrates that our repaired protocol is secure against the aforementioned attacks.

5.1. Intruding on the $FN$ Attacks

In the repaired protocol, the $FN$ no longer stores the key between an $SN$ and an $HN$. Therefore, compromising an $FN$ would only leak the keys between the $SN$ s and the $FN$. The compromised $FN$ would not be able to impersonate an $SN$ to communicate with the $HN$. It is true that the compromised $FN$ will still be able to access the $SN$ in an $SN$-$FN$ communication, but no extra access, e.g., data exclusive for the $HN$, will be given to the $FN$. This protocol also assures a secure $SN$-$FN$ communication, and vice versa if all secrets stored in the $HN$ are compromised.

5.2. Impersonation, Man-in-the-Middle and Replay Attacks

The protocol provides a sound mutual authentication between an $SN$ and an $FN$/$HN$. The adversary defined in Section 3.1 models the necessary capabilities that requires performing impersonation, man-in-the-middle, and replay attacks. The goals of this adversary are as follows: (Goal 1) Convincing either an $SN$ or a $UN$ to misbelieve that a legitimate partner is participating in a communication within the timeout period; (Goal 2) Having better strategy than the wild guess in distinguishing a session key $k_s$ against a random string with the same length. We show that there is no adversary to effectively, and with non-negligible probability, achieve either of these goals.

Goal 1 happens when either $UN$ accepts or $SN$ accepts. We separately discuss these cases.

• The $UN$ accepts. This happens if and only if $ti{d}_N=h(i{d}_N^{*},t_N,c_N^{*},r_N^{*})$. We assume that the $SN$ does not generate a $ti{d}_N$ after $t^{*}-\Delta T$, otherwise it violates definition of Goal 1. If this equation is true but the hash $h(i{d}_N^{*},t_N,c_N^{*},r_N^{*})$ has never been computed, this will happen only with $p=2^{-\mathrm{length}\left(h\right)}$.
  If this equation is true and the hash has been computed before, we may conclude that it is not produced by a legitimate $SN$ and $UN$. This is due to the fact that $i{d}_N$ is unique and $SN$ does not produce any at $t_N$ and $UN$ would never send computed $ti{d}_N$. Therefore, the only possibility is that the adversary computes the hash by itself. This happens only if the adversary has $i{d}_N$ and $c_N$ which are not sent over the network. This is bounded by $p^2\times q_h$ where $q_h$ is the maximum number of the hashes that are able to query with reasonable resources.
• The $SN$ accepts. This happens if and only if the value of the $\beta$ is equal to $h(x_N^{+},r_N,f_N^{*},\eta ,\mu )$. Similarly, if the hash was never computed, the probability is bounded by p. If the hash is previously computed by the $UN$, the same $SN$ (with $i{d}_N^{*}$) has already sent a login request with $r_N^{*}$. Since $r_N^{*}$ is randomly chosen, this happens only with $p\times q_E$, where $q_E$ is the total number of the sessions executed by the $SN$. Otherwise, the adversary should correctly guess $i{d}_N^{*}$ and $c_N$, which happen only with $p^2\times q_h$.

To sum up, the occurrence of Goal 1 has a probability lower than $(q_E+2)p+2q_h{p}^2,$ where $p=2^{-\mathrm{length}\left(h\right)}$, $q_E$ is the total number of the sessions executed by the $SN$, and $q_h$ is the total number of the hashes that are able to be computed by the adversary with reasonable resources. This number is negligible when the length of the hash is large.

Goal 2 happens only when the $UN$ accepts and the hash $h(i{d}_N,r_N,f_N,x_N)$ has been computed by the adversary since $k_s$ is never transmitted. However, $i{d}_N$ and $x_N$ are both secret. A correct guess of this variable is bounded by $p^2\times q_h$.

Considering the probability to concurrently achieve the both Goals 1 and 2, an attacker may cast as an impersonation attack, a man-in-the-middle attack, or a replay attack has a probability less than $(q_E+2)p+3q_h{p}^2$.

5.3. Tracking Attacks and Anonymity

We may see that the tracking attack, mentioned in Section 3.3, no longer operates. First of all, an $FN$ serves only as a relay to replay a message. No information can be harvested to identify the relay $FN$. Furthermore, the equality $a_2\oplus b_2={\eta }_1\oplus {\mu }_1$ no longer holds, where ${\eta }_1\oplus {\mu }_1=a_2\oplus b_2\oplus h(f_N,c_N)\oplus h(c_N,f_N)$. Since $c_N$ and $f_N$ are not computable by the adversary, computing $h(f_N,c_N)$ or $h(c_N,f_N)$ is not possible.

6. Simulation Verification Using a Proverif Tool

Proverif is an automatic cryptographic protocol verifier, which is widely used to specify and analyze the security of authenticated key agreement protocols [19,20,21,22,23].

In this section, we utilize Proverif to further analyze the security and validity of the proposed protocol. In this simulation, two main roles, $SN$ and $UN$, are included. The whole simulation contains the following procedures:

• First, we need to define some variables used in this simulation. $K_{UN}$ is the secret key $H_N$, and $S{K}_{SN}$ and $S{K}_{UN}$ are the final shared key established by $SN$ and $UN$, respectively—then comes the functions and events (Figure 5),
• Second, we list the goals of this simulation. More specifically, our goals is to ensure that the whole authentication process is successful, the shared key can be established, and the attacker cannot obtain the key anyway (Figure 6),
• The process of $SN$ (Figure 7),
• The process of $UN$ (Figure 8),
• The main execution (Figure 9).
• According to the simulation results depicted in Figure 10, we can observe that the proposed protocol can achieve the goals mentioned in Figure 6.

7. Performance Evaluation

This section describes performance evaluation of the repaired protocol along with other related protocols [4,10,11,12,14] in security properties and estimated time. We focus on the security against the anonymity, tracking attack, insider attack, replay attack, impersonation attack, man-in-the-middle attack, mutual authentication and the session key forward secrecy. From

Table 1. Comparison of the security properties. Y and N stands for fulfilling and not fulfilling the requirement respectively.

	C1	C2	C3	C4	C5	C6	C7	C8
[10]	Y	Y	N	Y	Y	Y	Y	Y
[11]	N	N	Y	Y	Y	Y	Y	Y
[12]	Y	Y	Y	Y	Y	Y	Y	Y
[4]	N	N	N	Y	N	Y	Y	Y
[14]	Y	Y	Y	Y	Y	Y	Y	Y
Ours	Y	Y	Y	Y	Y	Y	Y	Y
C1: Provide anonymity; C2: Withstand tracking attack; C3: Withstand insider attack; C4: Withstand repay attack; C5: Withstand impersonation attack; C6: Withstand man-in-the-middle attack; C7: Mutual authentication; C8: The session key forward secrecy

, we see that only the repaired protocol, Wu’s protocol [12] and Shen et al. [14] fulfill all the security properties.

We analyze the time performance of these protocol by analysis of the core cryptographic operations used in each of them, and then estimate the running time of these protocols by adding the time of executed cryptographic operations. We do not consider the possibility of parallel computation with multi-core technologies since most wearable devices are only single core. Pipelining is also not discussed here since the authentication usually needs to be executed once.

We consider two possible realizations of an $SN$. A sensor device using the MICAz with 4 KB RAM (Crossbow Technology, San Jose, CA, USA) and 7-MHz ATmega128L microcontroller (Microchip Technology Inc, Chandler, AZ, USA) and a smart phone using an iPhone 6s (Apple, Cupertino, CA, USA) with 2 GB RAM ARM (armv8-a) CPU. The data are taken from [13,24,25] for the time required on the MICAz while we implement those implementations on a smart phone using the Pairing Based Cryptographic Library [26]. The result is summarized in

Table 2. Computation of the cryptographic operations.

Symbol	Description	Running Time on a Smartphone	Running Time on a MICAz
$T_h$	Hash function	0.03 ms	8 ms [25]
$T_{sym}$	Symmetric encryption/description operation	0.12 ms	3.5 ms [24]
$T_{sm}$	Scalar multiplication over elliptic curves	20.23 ms	2450 ms [13]
$T_{bp}$	Bilinear pairing operation	25.64 ms	5320 ms [13]

.

Table 3. Comparison of the estimated time.

Protocols	Time Cost	Running Time on a Smartphone	Running Time on a MICAz
[10]	$4T_h+5T_{sm}+3T_{bp}$	178.19 ms	28242 ms
[11]	$11T_h+9T_{sm}+3T_{sym}$	182.64 ms	22148.5 ms
[12]	$7T_h+8T_{sm}+T_{bp}+2T_{sym}$	187.93 ms	24983 ms
[4]	$9T_h$	0.27 ms	72 ms
[14]	$9T_h+13T_{sm}$	263.26 ms	31922 ms
Ours	$15T_h$	0.45 ms	120 ms

lists the estimated time of the mentioned protocols, considering the above experimental data. From this table, we may observe that the repaired protocol costs more time than Li’s protocol [4] as it takes six more hash functions, but costs less time than the other related protocols [10,11,12,14] .

8. Conclusions

We demonstrated that Li’s protocol is broken and should not be used in any application implementation related to the WBAN. At the same time, we proposed another architecture that research should be considered when designing any authentication. In this architecture, the linear relationship connecting an $SN$ to an $FN$ and an $FN$ to an $HN$ is abandoned. Instead, $SN$ s, $FN$ s and $HN$ s are directly connected to each other through a pairwise secret. The $FN$ changes its role in an $SN$-$HN$ communication from coordinating to relaying messages between the $SN$ and $HN$. We believe that this approach is highly effective and secure so that compromise of the $HN$ or $FN$ would not lead to a total compromise of the system. In such an architecture, an $FN$ may be abused through consuming the relay service by attackers. This problem, however, appears in most of the relaying systems in all wireless networks, which may be handled via some firewall rules or intrusion detection techniques. This represents an interesting research topic to be further studied by the authors in the future.