1 Introduction

In recent years, healthcare applications have come to play a major role in remote health monitoring. These applications mainly use patient data captured by wearable sensors, which form part of a Wireless Body Area Network (WBAN) for patient monitoring. The implanted sensors collect data from the patient's body, and a smart phone collects the data from the sensors and forwards it to the medical server [1].

The wireless body area network (WBAN) was originally proposed by Zimmerman [2] and uses wireless personal area network (WPAN) technology. Today the WBAN plays an important role in the research community and in health organizations for smart health applications. In this type of network, many low-power intelligent sensors are placed in or around the human body to measure vital parameters such as heart rate, pulse, blood pressure, temperature and oxygen saturation. Real-time monitoring can be implemented remotely through these sensors. A body-sensor-based healthcare application can also provide many benefits in the health sector: it offers a convenient environment for monitoring these vital parameters during daily activities and for long-term critically ill persons (paralyzed patients, cancer patients), reducing the huge cost of hospitalization. The sensed data is stored in a health cloud so that doctors can view it at any time from anywhere in the country. In such an environment, one of the biggest challenges is sending the data securely to the cloud server, because any change to this sensitive data may cause wrong diagnosis and wrong treatment of the patient. As the data gathered from the sensors is sent to the base station through a personal server (network coordinator), an adversary can easily capture the data on the wireless channel and modify it. Such wrong data could endanger the patient's life. The personal server itself can also be captured by an adversary with malicious intent. Hence strong authentication and secured communication are essential in this scenario, and that is the main objective of this research work.

Several authentication schemes for WBAN based on received signal strength [3,4,5,6], proximity [7,8,9] and biometrics [10,11,12] are found in the literature. The drawback of these schemes is that they depend mainly on the distance between the devices (sensors), which must be within half a wavelength of each other. These drawbacks can be overcome using cryptography-based schemes, because those depend on operational complexity rather than on signal strength or location. But implementing a suitable cryptographic protocol in this environment is challenging, as the sensor devices are constrained in terms of memory, computing power and energy supply.

Traditional public key cryptography based authentication schemes are also found in the literature [13,14,15,16,17]. One of the most secure public key cryptographic techniques is Elliptic Curve Cryptography (ECC), which provides the highest security with a smaller key size [14]. Compared to traditional techniques, ECC is more suitable for sensor networks because of constraints such as limited computing capability and battery capacity. In practical implementations, ECC public keys are distributed through digital certificates with the help of a public key infrastructure (PKI). The distribution and management of certificates increases the communication overhead. Thus the ECC based authentication schemes [18,19,20,21,22] are not suitable because of their complex operations. Shamir [23] first proposed identity-based cryptography, where the identity plays the role of the public key; ID-based cryptography therefore largely overcomes the certificate management problem of the trusted third party. Yang et al. [24] proposed an ID-based mutual authentication scheme for mobile devices. Yoon et al. [25] showed the demerits of this scheme through cryptanalysis. He et al. [26] used ECC to design a new ID-based authentication scheme that is provably secure. Later, Wang et al. [27] pointed out that He et al.'s scheme suffers from the parallel session attack and the reflection attack and does not provide mutual authentication. Biswas et al. [28] proposed another ECC based authentication scheme to remove the security weakness in Yoon and Yoo's scheme. But Truong et al. [29] found that Yoon et al.'s scheme cannot resist the denial of service attack. Some lightweight authentication schemes for wireless sensor networks [30,31,32] have also been found, which fail to maintain perfect forward secrecy in communication.

Although the above ID-based authentication schemes are mainly suitable for the client-server environment and perform better than earlier schemes, they are not suitable for BSN because of their algorithmic complexity. This paper proposes an improved authentication scheme based on public key cryptography that provides not only data security but also privacy in BSN. The proposed scheme is based on the Paillier cryptosystem, which has the homomorphic and self-blinding properties. This keeps the sensed data private while a third party processes the data without seeing it, which is essential for a body sensor network. This cryptosystem also provides randomness in the encrypted data, so that the same plaintext encrypted several times produces different ciphertexts. The main contributions of this paper are as follows:

  • The proposed scheme efficiently authenticates the user device using biometric features during data transmission from the body sensors to the health server in WBAN.

  • The scheme uses the Paillier cryptosystem, mainly for privacy preservation of the sensor data.

  • The proposed authentication approach imposes a very light computational load because it relies on simple operations such as exclusive-OR.

  • Mutual authentication together with secret session key generation substantially improves security.

  • The proposed scheme also has a low communication load, and messages are encrypted using symmetric encryption for these critically constrained devices.

The rest of the paper is organized as follows:

Section 2 presents the background; Sect. 3 describes the proposed mutual authentication protocol; Sect. 4 discusses the security analysis; Sect. 5 presents the performance analysis; finally, Sect. 6 concludes the paper.

2 Background

In this section, security threats and security requirements in WBAN are discussed.

2.1 Security Requirements, Threats and Solutions in WBAN

There are many sensor nodes in a WBSN involved in data sensing. The gateway node collects the sensed data and transmits it to a health server via the Internet [33]. In such a scenario, the following security requirements apply to a WBSN:

  • Data confidentiality is essential to protect the data from disclosure.

  • Data integrity is necessary, as an adversary can alter data transmitted over an insecure channel.

  • Data authentication is essential to ensure that the data comes from a trusted node.

  • Data availability ensures that the patient's information is accessible to the doctor.

  • Efficient key management is essential for secure transmission of data.

  • Efficient encryption techniques are essential, as the computation power is limited.

  • Anonymity and non-traceability are required to maintain the privacy of the patient data.

  • Perfect forward secrecy must be maintained even if the secret keys of the client and the application provider are compromised.

  • Mutual authentication is essential so that the user and the server verify each other.

WBANs are vulnerable to many threats, such as those listed below:

  • Message modification: this threat applies to a message after it has been intercepted from the network. Sometimes the adversary deletes or delays the data to harm the person. A strong encryption algorithm and a hash function can be used to prevent this attack.

  • Message disclosure: this threat arises when an application fails to properly protect sensitive information from others. Because of this privacy threat, sensitive private data may be disclosed to those who are not supposed to receive it.

  • Unauthorized access: when an unauthorized user is granted access, the data and the resources can be misused. Unauthorized access can be prevented by a strong access control policy.

  • Denial of service: under this attack the user cannot obtain the desired service. The attacker may use different strategies to achieve this, such as inserting bogus requests to a server or dropping the client's request packets. It can be resisted by implementing a suitable intrusion detection system.

  • Node tampering: an adversary can gain full control over a sensor node through this attack, and can then perform malicious activity using the captured node. It can be resisted by an inconsistency detection algorithm.

  • Routing attacks: fake routing messages can be inserted into the communication channels to divert the routes of messages. Hence it is preferable to use secure routing protocols.

  • Jamming attacks: in this attack the adversary uses radio frequency interference to block the entire network. One simple countermeasure is to apply high transmission power on the jammed channels.

2.2 Paillier Cryptosystem

The Paillier cryptosystem is a modular public key encryption scheme created by Pascal Paillier, with several interesting properties [34]. It is based on composite residuosity classes. It has the homomorphic property, through which a person can delegate the processing of his own data without giving access to it, and the self-blinding property, through which a plaintext can be mapped to many different ciphertexts. Like all public key cryptosystems, it has three processes: key generation, encryption and decryption.

In the key generation process, to construct the public key one must choose two large primes, p and q, and calculate their product n = p·q. Then a semi-random nonzero integer g in \(Z_{\text{n}}^{2}\) must be selected such that the order of g is a multiple of n in \(Z_{\text{n}}^{*2}\) [\(Z_{\text{n}}^{*2}\) being the units, or invertible elements, of \(Z_{\text{n}}^{2}\)].

The modular Paillier cryptosystem follows the public key encryption paradigm. To encrypt a message, the public key is first generated by choosing two large primes p and q and calculating n = p·q. For example [34], consider p = 7 and q = 11, so that n = 77. Then a semi-random nonzero integer g is chosen such that the order of g is a multiple of n in \(Z_{\text{n}}^{*2}\). The chosen value g = 5652 fulfils this property. Thus the generated public key is (n, g) = (77, 5652).

Steps for Encryption:

  1. Generate the public key. In this example, the generated public key is (77, 5652).

  2. Create a message m such that m ∈ Z_n. Let m = 42.

  3. Choose a random nonzero integer r ∈ Z_n. Let r = 23.

  4. Compute the ciphertext c ≡ g^m · r^n mod n². Here c ≡ (5652)^42 · (23)^77 mod 5929 ≡ 4624.

Steps for Decryption:

  1. Compute λ(n) = lcm(p − 1, q − 1) (Carmichael's function). λ(77) = lcm(6, 10) = 30.

  2. Compute u = g^λ(n) mod n², which is needed to decrypt the message. u = (5652)^30 mod 5929 = 3928.

  3. Compute L(u) = (u − 1)/n. L(3928) = 3927/77 = 51.

  4. Compute µ = L(u)^−1 mod n. µ = 51^−1 mod 77 = 74.

  5. Compute the plaintext message m ≡ L(c^λ(n) mod n²) · µ mod n. m ≡ L(4624^30 mod 5929) · 74 mod 77 ≡ 42 mod 77 ≡ 42 (the plaintext message).

The Paillier cryptosystem has the following properties:

  1. The product of two ciphertexts decrypts to the sum of the corresponding plaintexts mod n.

  2. Multiplying a ciphertext by the partial encryption g^m of a second message (the factor r^n is left out) decrypts to the sum of the two plaintexts mod n.

  3. Raising a ciphertext to a constant power decrypts to the corresponding constant multiple of the original plaintext mod n.
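The key generation, encryption and decryption steps above, together with the three homomorphic properties, as an added Python example (not code from the paper) using the same toy parameters p = 7, q = 11, g = 5652, m = 42, r = 23; the second message, its nonce and the constants used in the property checks are constructed here:

```python
"""Paillier key generation, encryption, decryption and the three homomorphic
properties, reproduced with the toy parameters walked through in the text
(p = 7, q = 11, g = 5652, m = 42, r = 23).  Standard library only."""
from dataclasses import dataclass
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def L(u: int, n: int) -> int:
    """The L function of the scheme: L(u) = (u - 1) / n (exact division)."""
    return (u - 1) // n


@dataclass(frozen=True)
class PaillierKey:
    n: int    # public modulus n = p*q
    g: int    # public generator in Z_{n^2}^*
    lam: int  # private lambda(n) = lcm(p-1, q-1)
    mu: int   # private mu = L(g^lambda mod n^2)^-1 mod n


def keygen(p: int, q: int, g: int) -> PaillierKey:
    """Derive (n, g) and the private (lambda, mu) from the two primes and g.
    Also checks that g is usable: g must be a unit mod n^2 and
    L(g^lambda mod n^2) must be invertible mod n."""
    n = p * q
    n2 = n * n
    if gcd(g, n2) != 1:
        raise ValueError("g must be a unit in Z_{n^2}")
    lam = lcm(p - 1, q - 1)
    l_u = L(pow(g, lam, n2), n)
    if gcd(l_u, n) != 1:
        raise ValueError("L(g^lambda mod n^2) not invertible mod n; choose another g")
    mu = pow(l_u, -1, n)  # modular inverse (Python >= 3.8)
    return PaillierKey(n, g, lam, mu)


def encrypt(key: PaillierKey, m: int, r: int) -> int:
    """c = g^m * r^n mod n^2.  r is the per-encryption random nonce; a different
    r gives a different ciphertext for the same m (self-blinding)."""
    n2 = key.n * key.n
    if not 0 <= m < key.n:
        raise ValueError("m must lie in Z_n")
    if not (0 < r < key.n and gcd(r, key.n) == 1):
        raise ValueError("r must be a nonzero element of Z_n coprime to n")
    return (pow(key.g, m, n2) * pow(r, key.n, n2)) % n2


def decrypt(key: PaillierKey, c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n2 = key.n * key.n
    return (L(pow(c, key.lam, n2), key.n) * key.mu) % key.n


def add_ciphertexts(key: PaillierKey, c1: int, c2: int) -> int:
    """Property 1: Enc(m1) * Enc(m2) decrypts to m1 + m2 mod n."""
    return (c1 * c2) % (key.n * key.n)


def add_plaintext(key: PaillierKey, c: int, m2: int) -> int:
    """Property 2: Enc(m1) * g^m2 (r^n left out) decrypts to m1 + m2 mod n."""
    return (c * pow(key.g, m2, key.n * key.n)) % (key.n * key.n)


def scale(key: PaillierKey, c: int, k: int) -> int:
    """Property 3: Enc(m)^k decrypts to k * m mod n."""
    return pow(c, k, key.n * key.n)


def worked_example() -> dict:
    """Runs the paper's numbers and the three properties on top of them.
    The second plaintext 5 with nonce 31, the constant 3 and the exponent 2
    are constructed for this example."""
    key = keygen(7, 11, 5652)
    c = encrypt(key, 42, 23)
    return {
        "n": key.n, "lambda": key.lam, "mu": key.mu,
        "c": c, "m": decrypt(key, c),
        "sum": decrypt(key, add_ciphertexts(key, c, encrypt(key, 5, 31))),   # 42 + 5
        "plus": decrypt(key, add_plaintext(key, c, 3)),                      # 42 + 3
        "scaled": decrypt(key, scale(key, c, 2)),                            # 2 * 42 mod 77
    }


if __name__ == "__main__":
    print(worked_example())
```

The `keygen` checks reject a g whose L(g^λ mod n²) is not invertible mod n, which is the condition that makes µ exist.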

To solve privacy issues, Paillier cryptosystems are used to provide homomorphic encryption in databases [35]. Paillier cryptosystems depend mainly on modular and integer arithmetic, namely multiplication and exponentiation modulo n², for encryption and decryption. The module sizes of the Paillier cryptosystem are given in Table 1:

Table 1 Fundamental sizes of the Paillier cryptosystem

3 Proposed Authentication Protocol

In this section an authentication protocol based on the Paillier cryptosystem is proposed.

3.1 System Network Model

This is the system network model of an electronic health care system that mainly monitors the vital parameters of critically ill patients. The doctors monitor these parameters remotely with the help of their smart phones. In this scenario, many body sensor nodes are installed in the patient's body to measure different vital parameters such as heart rate, pulse, pressure, temperature and oxygen saturation. All sensor nodes send the captured data to the gateway node. The gateway node sends the data to the local processing centre (Base Station) through the network coordinator, which is called the User Device. The user device is issued by the health care system during the initial phase. All captured data is gathered in the health cloud through this device, and the doctors and nurses observe the data from the cloud server. The main focus here is only on the secure transmission of data from the body sensors to the health cloud server. Figure 1 shows the architecture of the network.

Fig. 1 System model of BSN

3.2 Notations Used in this Protocol

Consider two large primes p and q over (\({\mathbb{F}}_{p}\)).

N: The product of the two primes p and q

G: The semi-random, nonzero integer in \(\varvec{Z}_{{\mathbf{n}}}^{2}\)

H(.): One-way hash function

Ek(.): Asymmetric encryption function using key K

Dk(.): Asymmetric decryption function using key K

T1, T2: Present timestamp of a node

ΔT: Expected transmission delay

Ts: Session duration time

⊕: Logical exclusive OR (XOR) operation

ǁ: Bitwise concatenation operation

UID: Identity of the User Device

SID: Health Server ID

PID: Patient ID

P: Secret number

nu, Pu: Private and public key of the User Device, respectively

ns, Ps: Private and public key of the Health Server, respectively

Assumptions

Consider many body sensor nodes installed in a human body to measure different body parameters. All nodes send the captured data to the gateway node. The gateway node sends the data to the local processing centre (Base Station) through the network coordinator, which is called the User Device. After deployment of the sensor nodes, the following assumptions are made:

  • After valid registration of the user device, it forwards the captured data of the sensor nodes.

  • The User Device is considered trusted.

  • The clocks of the nodes in the human body are synchronized with the user device.

  • Each sensor's data is accumulated at a main gateway, which is itself a sensor.

  • After registration, the BS sends the user details to the Health Server.

  • The Health Server creates a table for each patient to store his/her data.

  • The BS plays the role of trusted third party.

  • Signal intensity is within a given fixed range with high transmission power.

3.3 Phases of Authentication Protocol

The proposed scheme shown in Fig. 2 is divided into three phases, as described below.

Fig. 2 Proposed authentication scheme

A. User Registration phase

First the patient's biometric input B is captured and passed through a fuzzy extractor, which produces a random string σ. The fuzzy extractor provides two functions (Gen and Rep) that produce a random string for identification; the string stays the same for small changes in the input. Gen() outputs a random string σ and a random auxiliary string ν in the enrolment phase. Rep() is computed during identification, after receiving the biometric input B* and the corresponding auxiliary string ν, to recover σ.

(i) During the registration phase, a temporal key is generated from the hash of the biometric profile. The device first captures the patient's biometric impression Bi and computes (σi, νi) = Gen(Bi). The temporal key is h(PW ‖ σi), where PW is the user password.

The user device then sends a request containing the user identity (UID) and the temporal key (η) to the base station (Local Processing Centre). The request message is Ru = UID ‖ h(PW ‖ σi).

At the same time, the BSN cloud server sends a registration request Rs ‖ SID, where Rs = h(SID ‖ x). Here x is the server secret.

(ii) After receiving Ru and Rs, the local processing centre computes the following parameters:

$${\text{R}}_{\text{i}} = {\text{h}}\left( {{\text{UID}}\left\| { \, y} \right.} \right)$$
$${\text{Z}}_{\text{i}} = {\text{R}}_{\text{i}} \oplus {\text{h}}({\text{PW}}_{\text{i}} \left\| {\sigma_{i} } \right.)$$
$${\text{T}}_{\text{i}} = {\text{Z}}_{\text{i}} \oplus {\text{h}}\left( {\text{UID}} \right)$$

Ti and Ri are stored in the smart card, and the card is issued to the user device that collects the patient data for the local processing centre.

(iii) The base station now also sends the list of registered users to the cloud health server, which is responsible for collecting and storing the patients' data. In this way the base station completes the registration phase for secure data collection. The message flow is shown in Table 2. The BS sends an updated list of records, including UID and PID (Patient ID), to the cloud server at regular intervals.

Table 2 Flow of registration phase

B. Login phase

During this phase, the user performs the following steps, as shown in Table 3:

Table 3 Flow of Login phase

Step 1 The user device first submits its biometric impression \(B_{i}^{*}\) and UID together with the password (PW). The device computes \(Gen \, (B_{\text{i}}^{*} ,\nu_{\text{i}} ) =\upsigma_{\text{i}}\) and extracts the value Ti from the card to compute \({\text{Z}}_{\text{i}}^{\prime } = {\text{ T}}_{\text{i}} \oplus {\text{h}}\left( {\text{UID}} \right)\).

The device then computes \({\text{R}}_{\text{i}}^{\prime } = {\text{Z}}_{\text{i}}^{\prime } \oplus {\text{h}}\,({\text{PW}}_{\text{i}} {||\sigma }_{\text{i}} )\) and compares it with the extracted value of Ri.

Step 2 The user device generates the public key PUA = (N, G) using the Paillier cryptosystem. It then sends a message to the local processing centre (BS) containing a token \({\text{C}}_{1} = {\text{h}}\left( {\text{UID||x}} \right) \oplus {\text{N}}_{1}\), the public key and the user ID for authentication.

Hence \({\text{Msg}}\_1 \, = {\text{UID}}\left\| {{\text{C}}_{1} } \right\|\left. {{\text{PU}}_{\text{A}} } \right\|{\text{N}}_{1} {\text{P}}\)

Similarly, the Health server sends a message \({\text{Msg}}\_2 \, = {\text{SID}}\left\| {{\text{C}}_{2} } \right\|\left. {{\text{PU}}_{\text{S}} } \right\|{\text{N}}_{2} {\text{P}}\)

Step 3 BS verifies \({\text{C}}_{1} ? = {\text{C}}_{1}^{\prime } ,{\text{C}}_{2} ? = {\text{C}}_{2}^{\prime }\). After verification, BS generates two tokens, one for the user device and one for the health server. The tokens are

$${\text{C}}_{3} = {\text{h}}\left[ {{\text{h}}\left( {\text{UID||y}} \right)} \right] | | {\text{UID||N}}_{1} {\text{P||N}}_{2} {\text{P}}\;{\text{and}}\;{\text{C}}_{5} = {\text{C}}_{3} \oplus {\text{N}}_{3}$$
$${\text{C}}_{4} = {\text{h}}\left[ {{\text{h}}\left( {\text{SID||x}} \right)} \right] | | {\text{SID||N}}_{1} {\text{P||N}}_{2} {\text{P}}\;{\text{and}}\;{\text{C}}_{6} = {\text{C}}_{4} \oplus {\text{N}}_{3}$$

BS generates two encrypted messages using the Paillier cryptosystem, one for the user device and one for the server:

$${\text{Msg}}\_3 = {\text{Enc}}\,({\text{C}}_{3} | | {\text{C}}_{5} | | {\text{N}}_{2} {\text{P}})$$
$${\text{Msg}}\_4 = {\text{Enc}}\,({\text{C}}_{4} | | {\text{C}}_{6} | | {\text{N}}_{1} {\text{P}})$$

Step 4 The User Device first checks C5 ? = \({\text{C}}_{5}^{\prime }\). If they are equal, it extracts N3 as C3 ⊕ C5 and generates another token C7 = h(N2N3) + 1 as acknowledgement.

Similarly, the Server first checks C6 ? = \({\text{C}}_{6}^{\prime }\). If they are equal, it extracts N3 as C4 ⊕ C6 and generates another token C8 = h(N1N3) + 1 as acknowledgement.

C. Mutual authentication phase

In this phase the user device and the BSN server perform mutual authentication using the following steps:

Step 1 In this step the User Device generates a message Msg_5 = Enc[UID ‖ C7 ‖ T1] and sends it to the BSN server.

After receiving Msg_5, the server decrypts it and obtains the timestamp. If T − T1 ≤ ΔT, where T is the present timestamp of the server, it accepts the message; otherwise it rejects it. The BSN server then reads the UID value and computes

$$C_{7}^{\prime } = {\text{h}}\left( {{\text{N}}_{2} {\text{N}}_{3} } \right) + 1$$

If \(C_{7}^{\prime } = {\text{C}}_{7}\), then it computes

$${\text{Msg}}\_6 = {\text{Enc}}\,[{\text{SID||C}}_{8} | | {\text{T}}_{2} ]$$

Step 2 In this step the User Device receives Msg_6 from the BSN server. After decryption it first checks the timestamp against its present timestamp. If it is valid, it computes \(C_{8}^{\prime } = \,{\text{h}}\left( {{\text{N}}_{1} {\text{N}}_{3} } \right)\, + \,1\).

If \({\text{C}}_{8}^{\prime } \, = \,{\text{C}}_{8}\), then it generates the response message Msg_7 as proof of mutual authentication and shared secret key generation:

$${\text{Msg}}\_7 = {\text{ h}}\left( {{\text{C}}_{7} } \right) | | {\text{UID}}$$

and the shared secret key

$$K = {\text{h}}\left( {\text{UID||y}} \right) \oplus {\text{h}}\left( {\text{SID||x}} \right) \oplus {\text{h}}\left( {{\text{N}}_{3} } \right).$$

Step 3 After receiving Msg_7, the server confirms that the user is valid and generates the shared secret key K = h(UID ‖ y) ⊕ h(SID ‖ x) ⊕ h(N3). The server sends the confirmation message Msg_8 = h(C8) ‖ SID. The message flow is shown in Table 4. From then on, all messages are sent using symmetric encryption.

Table 4 Flow of mutual authentication phase
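The registration values of phase A, the card check of login Step 1, the timestamp freshness test and the session key K of the mutual authentication phase, as an added Python example (not the paper's code). It assumes SHA-256 as h(.), treats σi as the string the fuzzy extractor has already recovered (Gen/Rep are not modelled), reads hash digests as integers for C7/C8, and uses constructed values for UID, SID, PW, x, y and the nonces:

```python
"""Registration, login check and session-key derivation of the proposed
scheme, modelled with SHA-256 as h(.) and XOR on the digest bytes.
sigma_i is assumed to be the fuzzy-extractor output; y is the BS secret and
x the server secret.  All sample values below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation (assumed hash function)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length digests."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class SmartCard:
    T_i: bytes
    R_i: bytes


def register(uid: bytes, pw: bytes, sigma_i: bytes, y: bytes) -> SmartCard:
    """BS side of registration: R_i = h(UID||y), Z_i = R_i xor h(PW||sigma_i),
    T_i = Z_i xor h(UID); (T_i, R_i) are written to the card."""
    R_i = h(uid, y)
    Z_i = xor(R_i, h(pw, sigma_i))
    T_i = xor(Z_i, h(uid))
    return SmartCard(T_i, R_i)


def login_check(card: SmartCard, uid: bytes, pw: bytes, sigma_i: bytes) -> bool:
    """Login Step 1 on the user device: Z_i' = T_i xor h(UID),
    R_i' = Z_i' xor h(PW||sigma_i), then R_i' is compared with the card's R_i."""
    Z_i_prime = xor(card.T_i, h(uid))
    R_i_prime = xor(Z_i_prime, h(pw, sigma_i))
    return hmac.compare_digest(R_i_prime, card.R_i)   # constant-time compare


def fresh(t_now: int, t_msg: int, delta_t: int) -> bool:
    """Timestamp check applied to Msg_5/Msg_6: accept only if T - T1 <= delta_T."""
    return 0 <= t_now - t_msg <= delta_t


def ack_token(nonce: bytes, n3: bytes) -> int:
    """C7 = h(N2N3) + 1 on the user device, C8 = h(N1N3) + 1 on the server."""
    return int.from_bytes(h(nonce, n3), "big") + 1


def session_key(uid: bytes, sid: bytes, x: bytes, y: bytes, n3: bytes) -> bytes:
    """K = h(UID||y) xor h(SID||x) xor h(N3), computed identically by both ends."""
    return xor(xor(h(uid, y), h(sid, x)), h(n3))


def demo() -> tuple:
    """End-to-end run with constructed values: card check passes for the right
    password, fails for a wrong one, and both ends derive the same K."""
    uid, sid, pw = b"UD-0001", b"HS-01", b"correct horse"
    sigma_i = b"sigma-from-fuzzy-extractor"          # placeholder for Rep() output
    x, y = os.urandom(32), os.urandom(32)            # server / BS long-term secrets
    card = register(uid, pw, sigma_i, y)
    ok = login_check(card, uid, pw, sigma_i)
    bad = login_check(card, uid, b"wrong password", sigma_i)
    n2, n3 = os.urandom(16), os.urandom(16)          # nonces of the login phase
    c7_user = ack_token(n2, n3)
    c7_server = ack_token(n2, n3)                    # server recomputes C7' and compares
    same_key = session_key(uid, sid, x, y, n3) == session_key(uid, sid, x, y, n3)
    return ok, bad, c7_user == c7_server, same_key


if __name__ == "__main__":
    print(demo())
```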

4 Detailed Security Analysis

In this section the proposed authentication scheme is analysed against different attacks, and a formal proof using BAN logic is given.

4.1 Probable Attack Analysis

This subsection includes a detailed discussion of the following attacks:

4.1.1 Password Guessing Attack

Consider the case where an attacker obtains the smart card and tries to log in to the system. First he needs to provide the biometric impression of the patient, as the device is registered for that patient; the smart card also carries the specific biometric parameter of that patient. Even if he manages that, he still has to submit the password for authentication. It is not feasible to guess the biometrics and the password correctly at the same time. Hence an on-line password guessing attack cannot succeed.

The off-line password guessing attack will also not work, as h(PW ‖ σi) is used to calculate Ru and the two parameters

$${\text{Z}}_{\text{i}} \, = \,{\text{R}}_{\text{i}} \, \oplus \,{\text{h}}({\text{PW}}_{\text{i}} ||\upsigma_{\text{i}} )\;{\text{where}}\;{\text{R}}_{\text{i}} \, = \,{\text{h}}\left( {\text{UID||y}} \right),\;{\text{T}}_{\text{i}} \, = \,{\text{Z}}_{\text{i}} \, \oplus \,{\text{h}}\left( {\text{UID}} \right)$$

Both are required at the same time, and only a limited number of attempts is allowed. Hence this protocol resists the dictionary attack.

4.1.2 Replay Attack

To prevent the replay attack, a nonce value is inserted in each message, and the freshness of each message is checked after it is received. For example, Msg_1 = UID ǁ C1 ǁ PUA ǁ N1P contains a random nonce to prevent replay.

Similarly, the Health server message Msg_2 = SID ‖ C2 ǁ PUS ǁ N2P also carries a random nonce to prevent replay.

In the mutual authentication phase, the User Device generates a message Msg_5 = Enc[UID ‖ C7 ‖ T1] and sends it to the BSN server. After receiving Msg_5, the server decrypts it and obtains the timestamp. If T − T1 ≤ ΔT, where T is the present timestamp of the server, it accepts the message. This also prevents the replay attack.

4.1.3 Impersonation Attack

An impersonation attack occurs when an attacker pretends to be a valid user. The probability of this attack is very low, as the biometric impression is captured and stored in the smart card. To prevent impersonation, a mutual authentication phase is also provided: in this phase the BSN server authenticates itself to the user, so that a fake server cannot establish a connection.

4.1.4 Insertion/Message Modification Attack

In this authentication protocol, all messages after the login message are in encrypted form. After mutual authentication, a shared session key is generated to encrypt the data that the sensors send to the BSN server. For example,

$${\text{Msg}}\_3 = {\text{Enc}}\,({\text{C}}_{3} | | {\text{C}}_{5} | | {\text{N}}_{2} {\text{P)}}$$
$${\text{Msg}}\_4 = {\text{Enc}}\,({\text{C}}_{4} | | {\text{C}}_{6} | | {\text{N}}_{1} {\text{P)}}$$
$${\text{Msg}}\_5 = {\text{Enc }}[{\text{UID||C}}_{7} | | {\text{T}}_{1} ]$$
$${\text{Msg}}\_6 = {\text{Enc }}[{\text{SID||C}}_{8} | | {\text{T}}_{2} ]$$

After mutual authentication the shared secret key is used for data transmission. For an insertion attack, the attacker would have to decrypt the messages, and for decryption he needs the shared key. Even an insider who knows UID and SID still has to know N3, and no single message carries N3 in a form an attacker can track. Hence this attack is not possible.

4.1.5 Man-in-Middle Attack

In this attack, the attacker tries to establish a key with both the user and the server so that he can read all transmitted messages. For that purpose, he wants to set up a common key between the user device and the BSN server. To replace the values C7, C8 by \({\text{C}}_{7}^{\prime }\), \({\text{C}}_{8}^{\prime }\), the attacker would first have to decrypt Msg_5 and Msg_6, which is impossible. If he replaces these messages with other encrypted messages, no successful session key is established either.

Thus this attack is not possible against this scheme.

4.1.6 Server Spoofing Attack

No verification table is stored in the server for authenticating user devices. All user devices are authenticated by the Base Station, and only after authentication does a device communicate with the server. Suppose an attacker posing as the server blocks the BSN server and captures the message Msg_4 = Enc(C4 ‖ C6 ‖ N1P), which is coming from the user device. The attacker must decrypt the message to get C4 and C6, which carry N3. Moreover, to authenticate itself, the fake server also needs to know the value of x, as the authentication requires h(SID||x). Therefore, the server spoofing attack cannot succeed.

4.1.7 Perfect Forward Secrecy

This property means that even if the secrets x and y of a past session are disclosed, the attacker still cannot calculate the past session key. The shared secret key is K = h(UID ‖ y) ⊕ h(SID ‖ x) ⊕ h(N3). To calculate a past session key, the attacker must also know the past nonce value N3. Hence the scheme preserves perfect forward secrecy.

4.1.8 Message Disclosure

This threat is triggered when sensitive private data is disclosed to those who are not supposed to receive it. During communication, one piece of sensitive information is the login details. In this scheme, the password appears only as h(PW ‖ σi), which is used to calculate Ru and the two parameters Zi = Ri ⊕ h(PWi ‖ σi), where Ri = h(UID ‖ y), and Ti = Zi ⊕ h(UID). From these messages it is very difficult to gain knowledge of the password, which is the sensitive information.

Other sensitive information, such as the patient's vital parameter data, is always sent and stored in encrypted form so that an unauthorized person cannot obtain it. Only those who have the shared secret key and the access right can access the original data. The Paillier cryptosystem is used to maintain the privacy of the data. Hence the message disclosure threat cannot succeed in the proposed scheme.

4.1.9 Node Tampering Attack

In the proposed scheme, the sensor nodes are implanted inside the body. Suppose the user device that transfers the data to the base station is compromised and the attacker obtains all stored information, such as UID and PW. From these, Ti and Ri are generated and stored in the smart card, and the card is issued to that user device.

During login, the user device first submits the user's biometric impression B*i and UID together with the password (PW). The device computes Gen(B*i, νi) = σi and extracts the value Ti from the card to compute \({\text{Z}}_{\text{i}}^{\prime } \, = \,{\text{T}}_{\text{i}} \, \oplus \,{\text{h}}\left( {\text{UID}} \right)\). The device then computes \({\text{R}}_{\text{i}}^{\prime } \, = \,{\text{Z}}_{\text{i}}^{\prime } \, \oplus \,{\text{h}}({\text{PW}}_{\text{i}} ||\upsigma_{\text{i}} )\) and compares it with the extracted value of Ri.

Even if the device is tampered with, an adversary holding a valid smart card still cannot send data using that device.

4.1.10 Jamming Attack

It is one of the possible attacks in sensor network. To avoid this attack, high transmission power on jammed channels has been considered as mentioned in protocol assumptions.

4.2 Authentication Proof Based on BAN Logic

The authentication protocol can be proved using BAN logic [14], which is defined as a set of logical rules for analysing a protocol. Here the goals are set and proved on the basis of six defined rules. For verification, this work first starts with the basic definitions:

Let R and S be principals, I and J statements, and K an encryption key.

The standard relationships and their uses are shown in Table 5 below.

Table 5 Symbol representation

For correctness measurement, the key agreement protocol must achieve the following goals:

Goal 1: \(U_{n} | \equiv U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)

Goal 2: \(U_{n} \left| { \equiv S_{n} } \right| \equiv U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)

Goal 3: \(S_{n} | \equiv U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)

Goal 4: \(S_{n} \left| { \equiv U_{n} } \right| \equiv U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)

Now the proposed scheme is transformed into the idealized form as follows:

Message 1: \(U_{n}\) → BS: (UID, I)h(UID‖k)

Message 2: \(S_{n}\) → BS: (UID, I, SID, J)h(SID‖k)

Message 3: BS → \(U_{n}\): (UID, SID, I, J, \(U_{n} \mathop \leftrightarrow \limits^{J} S_{n}\)) h(UID‖k)

Message 4: BS → \(S_{n}\): (UID, SID, I, J, \(U_{n} \mathop \leftrightarrow \limits^{I} S_{n}\)) h(SID‖k)

Message 5: \(S_{n}\) → \(U_{n}\): (UID, SID, I, J, \(U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)) SK

Message 6: \(U_{n}\) → \(S_{n}\): (UID, SID, I, J, \(U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)) SK

Verifying this protocol using BAN logic requires some assumptions. They are as follows:

  • A1: \(U_{n} | \equiv \# \left( I \right)\)

  • A2: \(S_{n} | \equiv \# \left( J \right)\)

  • A3: \(U_{n} | \equiv U_{n} \mathop \leftrightarrow \limits^{h(UID \| k)} BS\)

  • A4: \(BS | \equiv U_{n} \mathop \leftrightarrow \limits^{h(UID \| k)} BS\)

  • A5: \(S_{n} | \equiv S_{n} \mathop \leftrightarrow \limits^{h(SID \| k)} BS\)

  • A6: \(BS | \equiv S_{n} \mathop \leftrightarrow \limits^{h(SID \| k)} BS\)

  • A7: \(U_{n} | \equiv BS \Rightarrow U_{n} \mathop \leftrightarrow \limits^{J} S_{n}\)

  • A8: \(S_{n} | \equiv BS \Rightarrow U_{n} \mathop \leftrightarrow \limits^{I} S_{n}\)

  • A9: \(S_{n} | \equiv U_{n} \Rightarrow U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)

  • A10: \(U_{n} | \equiv S_{n} \Rightarrow U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\)

Using the BAN logic rules and the assumptions above, the proof of the proposed scheme proceeds as follows.

From Msg 1 we obtain

S1: \(BS \triangleleft \{UID, I\}_{h(UID \| k)}\)

Using assumption A4 and the message meaning rule, we obtain

S2: \(BS | \equiv U_{n} | \sim (UID, I)\)

From Msg 2 we obtain

S3: \(BS \triangleleft \{UID, I, SID, J\}_{h(SID \| k)}\)

Using assumption A6 and the message meaning rule, we obtain

S4: \(BS | \equiv S_{n} | \sim (UID, I, SID, J)\)

From Msg 3 we obtain

S5: \(U_{n} \triangleleft \{UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{J} S_{n}\}_{h(UID \| k)}\)

Using assumption A4 and the message meaning rule, we obtain

S6: \(U_{n} | \equiv BS | \sim (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{J} S_{n})\)

Using assumption A3 and the freshness conjunction rule, we obtain

S7: \(U_{n} | \equiv BS | \equiv (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{J} S_{n})\)

Breaking the conjunction produces

S8: \(U_{n} | \equiv BS | \equiv (U_{n} \mathop \leftrightarrow \limits^{J} S_{n})\)

According to assumption A7, applying the jurisdiction rule gives

S9: \(U_{n} | \equiv U_{n} \mathop \leftrightarrow \limits^{J} S_{n}\)

Since the session key SK is a secret parameter derived from these values, we obtain

S10: \(U_{n} | \equiv U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\) (Goal 1 is achieved)

From Msg 5 we obtain

S17: \(U_{n} \triangleleft \{UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\}_{SK}\)

Using S10 and the message meaning rule, we obtain

S18: \(U_{n} | \equiv S_{n} | \sim (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\)

According to assumption A1, applying the freshness conjunction rule gives

S19: \(U_{n} | \equiv S_{n} | \equiv (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\)

Breaking the conjunction in S19 produces

S20: \(U_{n} | \equiv S_{n} | \equiv (U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\) (Goal 2 is achieved)

From Msg 4 we obtain

S11: \(S_{n} \triangleleft \{UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{I} S_{n}\}_{h(SID \| k)}\)

Using assumption A6 and the message meaning rule, we obtain

S12: \(S_{n} | \equiv BS | \sim (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{I} S_{n})\)

According to assumption A2, applying the freshness conjunction rule gives

S13: \(S_{n} | \equiv BS | \equiv (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{I} S_{n})\)

Breaking the conjunction produces

S14: \(S_{n} | \equiv BS | \equiv (U_{n} \mathop \leftrightarrow \limits^{I} S_{n})\)

Using assumption A6 and the jurisdiction rule, we obtain

S15: \(S_{n} | \equiv (U_{n} \mathop \leftrightarrow \limits^{I} S_{n})\)

Since the session key SK is a secret parameter derived from these values, we obtain

S16: \(S_{n} | \equiv (U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\) (Goal 3 is achieved)

From Msg 6 we obtain

S21: \(S_{n} \triangleleft \{UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{SK} S_{n}\}_{SK}\)

Using S19 and the message meaning rule, we obtain

S22: \(S_{n} | \equiv U_{n} | \sim (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\)

According to assumption A2 and the freshness conjunction rule, we obtain

S23: \(S_{n} | \equiv U_{n} | \equiv (UID, SID, I, J, U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\)

Breaking the conjunction in S23 produces

S24: \(S_{n} | \equiv U_{n} | \equiv (U_{n} \mathop \leftrightarrow \limits^{SK} S_{n})\) (Goal 4 is achieved)

Goals 1 to 4 together show that the session key shared between the user and the BSN server is known only to the two of them.
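The derivation above can be mechanised. The following is an added example, not the paper's own code: a small forward chainer that applies the BAN rules used in the proof (message meaning, nonce verification/freshness conjunction, jurisdiction and conjunction breaking) to the idealized messages 1 to 6 and assumptions A1 to A10, and checks that Goals 1 to 4 follow. The `DERIVE` table is an assumption standing in for the paper's informal step "SK is a secret parameter" (S10, S16); everything else is taken from the proof.

```python
# Added illustration (not the paper's code): a small forward chainer applying the BAN
# rules used above to idealized messages 1-6 and A1-A10, then checking Goals 1-4.
# DERIVE stands for the paper's informal S10/S16 step: a shared I or J yields shared SK.
# Encoding: ('believes',P,F) ('sees',P,('enc',X,K)) ('said',Q,X) ('fresh',N)
# ('key',K,A,B) ('controls',Q,F) ('and',X1,...); plain strings are atoms.
DERIVE = {'I': 'SK', 'J': 'SK'}

def parts(x):  # components of a conjunction, or the formula itself
    return x[1:] if isinstance(x, tuple) and x[0] == 'and' else (x,)

def ban_closure(facts):
    facts = set(facts)
    while True:  # iterate to a fixed point
        new = set()
        for _, p, f in [t for t in facts if t[0] == 'believes']:
            if f[0] == 'key' and p in f[2:]:  # P |≡ P <-K-> Q
                q = f[3] if f[2] == p else f[2]
                for s in facts:  # message-meaning rule: P sees {X}_K  =>  P |≡ Q |~ X
                    if s[0] == 'sees' and s[1] == p and s[2][2] == f[1]:
                        new.add(('believes', p, ('said', q, s[2][1])))
                if f[1] in DERIVE:  # S10 / S16 step
                    new.add(('believes', p, ('key', DERIVE[f[1]], f[2], f[3])))
            elif f[0] == 'said':  # nonce verification: P |≡ #(N), N in X  =>  P |≡ Q |≡ X
                if any(('believes', p, ('fresh', n)) in facts for n in parts(f[2])):
                    new.add(('believes', p, ('believes', f[1], f[2])))
            elif f[0] == 'believes':  # break conjunction, then jurisdiction
                for sub in parts(f[2]):
                    new.add(('believes', p, ('believes', f[1], sub)))
                    if ('believes', p, ('controls', f[1], sub)) in facts:
                        new.add(('believes', p, sub))
        if new <= facts:
            return facts
        facts |= new

def proposed_scheme():
    key = lambda k, a, b: ('key', k, a, b)
    body = lambda k: ('and', 'UID', 'SID', 'I', 'J', key(k, 'Un', 'Sn'))
    msgs = [('BS', ('and', 'UID', 'I'), 'h(UID||k)'), ('BS', ('and', 'UID', 'I', 'SID', 'J'), 'h(SID||k)'),
            ('Un', body('J'), 'h(UID||k)'), ('Sn', body('I'), 'h(SID||k)'), ('Un', body('SK'), 'SK'),
            ('Sn', body('SK'), 'SK')]  # Msg 1..6 as (receiver, contents, key)
    assume = [('Un', ('fresh', 'I')), ('Sn', ('fresh', 'J')),  # A1, A2
              ('Un', key('h(UID||k)', 'Un', 'BS')), ('BS', key('h(UID||k)', 'Un', 'BS')),  # A3, A4
              ('Sn', key('h(SID||k)', 'Sn', 'BS')), ('BS', key('h(SID||k)', 'Sn', 'BS')),  # A5, A6
              ('Un', ('controls', 'BS', key('J', 'Un', 'Sn'))), ('Sn', ('controls', 'BS', key('I', 'Un', 'Sn'))),  # A7, A8
              ('Sn', ('controls', 'Un', key('SK', 'Un', 'Sn'))), ('Un', ('controls', 'Sn', key('SK', 'Un', 'Sn')))]  # A9, A10
    return {('sees', p, ('enc', x, k)) for p, x, k in msgs} | {('believes', p, f) for p, f in assume}

def goals_met(facts=None):  # -> (Goal 1, Goal 2, Goal 3, Goal 4)
    c = ban_closure(proposed_scheme() if facts is None else facts)
    sk = ('key', 'SK', 'Un', 'Sn')
    return (('believes', 'Un', sk) in c, ('believes', 'Un', ('believes', 'Sn', sk)) in c,
            ('believes', 'Sn', sk) in c, ('believes', 'Sn', ('believes', 'Un', sk)) in c)
```

Dropping an assumption shows which goals depend on it: without A7 the user never gains jurisdiction over J, so Goals 1 and 2 fail while the server-side Goals 3 and 4 still hold.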

5 Performance Analysis

Performance analysis of the proposed scheme is carried out in the following two parts:

  A. The performance of the proposed protocol is measured in terms of computation cost (the total time required to perform complex operations such as hashing) and communication cost (the total number of bits transmitted). The throughput is also measured for different modulus sizes, as shown below in Table 6.

    Table 6 Throughput measurement during encryption and decryption

The communication cost is calculated from the messages transmitted. Assuming that the identities (UID, SID) are 10 bytes long and that the random nonces (N1, N2) and the output of the secure one-way hash function are 160 bits long, the total number of bits exchanged between the user and the base station is 940 bits (for transmitting msg 1 and msg 3). The total number of bits exchanged between the base station and the BSN server is 940 bits (for transmitting msg 2 and msg 4). For mutual authentication the total number of bits exchanged is 976 bits (for transmitting msg 5, msg 6, msg 7 and msg 8). The performance comparison is shown in Table 7, where TH denotes the time required to perform one hash operation.

Table 7 Performance comparison of different algorithms

The proposed scheme is compared with other existing algorithms in Table 8. The functionality comparison shows that the scheme compares favorably with existing protocols.

Table 8 Functionality comparison of the scheme with existing protocols

  B. To evaluate the performance of the overall proposed system model, a database from the hospital server, which is mainly used for remote patient monitoring, is considered. The data samples are collected from different body sensors and aggregated in the hospital server into large packets to improve transmission efficiency. In the simulated scenario, patient data (for example an ECG signal, blood pressure and blood flow) is transmitted through the network coordinator to a remote computer (the doctor's laptop). The OPNET simulator is used for this purpose. The total end-to-end delay is summarized in Table 9 below:

    Table 9 Remote data transfer delay for equal sample size

Table 9 shows that patient data can be transferred with a delay that is acceptable for remote monitoring and for emergency cases.

6 Conclusion

In this paper, a strong and efficient authentication protocol for Wireless Body Sensor Networks is proposed that can be applied in healthcare applications. It resists all possible attacks in distributed networks. The scheme provides mutual authentication between the target server and the user and generates a different session key for each server. The proposed scheme is based on the Paillier cryptosystem, which has the homomorphic and self-blinding properties; such a system is very useful for privacy preservation. The experimental results show that the scheme has a low computational and communication load.