Introduction

Wireless body area networks (WBAN) allow the integration of intelligent and tiny body sensors in and/or around a human body to sense and collect personal health information (PHI) periodically. The PHI sensed by a WBAN can be collected by the user’s personal mobile device, transmitted via wireless communication channels (WiFi, 3G/4G, or satellite) and processed by the authorized participants. WBANs are revolutionizing a wide range of application domains [31], ranging from remote patient supervision and sport performance monitoring to M-healthcare social networking. To fight against cardiovascular disease (CVD) and avoid critical emergencies, the MyHeart project [9] was in progress and supported by several partners from ten different countries. The MyHeart project used smart clothes in which sensors are powered from a centralized on-body power supply and embedded in the piece of clothing [32]. Thus it is capable of transmitting sensed data to professional doctors or clinical staff, and this CVD system can monitor patient status in real time. In a common healthcare scenario, the samples from body sensors must be stored scalably and must be accessible at any time and from anywhere. Owing to these requirements, a cloud-assisted WBAN system can provide PHI storage, data analysis and sharing of sensor data, and can provide anytime/anywhere access to medical monitoring applications. In this way, it allows monitored patients to leave the healthcare center, provides ubiquitous healthcare and improves their health and quality of life. Moreover, the integration of WBAN with a cloud-assisted system [7, 36, 39, 48] can be motivated by discussing the following issues:

Interfacing the cloud with WBAN:

In order to manage sensed data and maintain the quality of medical services, it is important to provide a well-designed interface between WBAN devices and the cloud-assisted platform.

Massive scale and real time processing:

A cloud-assisted WBAN system must ensure scalable processing power for different kinds of data analysis and must accurately store and process the sensed data in a cloud environment.

Medical application multiplicity:

The development of a cloud-assisted WBAN system is a complex task that needs to be tackled by exploiting software engineering methodologies and smart hardware sensors, which must be seamlessly deployed onto the WBAN and the cloud-assisted platform.

System efficiency and overhead:

In order to develop a reliable and efficient architecture for a cloud-assisted WBAN system, the challenges include reducing computation complexity, energy consumption and storage/communication overheads.

Security and privacy:

Considering the ethical and legal aspects of medical systems, the PHI in a cloud-assisted WBAN system may be exposed to various kinds of security attacks, such as eavesdropping, modifying or forging messages to cause a wrong medical diagnosis, and masquerading as a medical participant to obtain all the private medical information. Therefore, it is important to guarantee both PHI privacy and system security in a cloud-assisted WBAN system.

Because the sensitive PHI parameters transmitted over the air and stored in cloud-assisted WBAN system are the basis of medical diagnosis, any destruction of PHI parameters may bring fatal harm to patients and there is a need for introducing a cryptographic scheme to ensure secure communications [8, 34, 38, 42] in cloud-assisted WBAN system.

Related works

In recent years, secure authentication and pairwise key agreement schemes for cloud-assisted WBAN applications have been proposed [1, 17, 28, 47]. In [5, 6], Fortino et al. introduced SPINE2 for developing WBAN applications on heterogeneous sensor nodes and further proposed BodyCloud for integrating cloud computing into body sensor networks. In [37], Shen et al. proposed a hash chain and elliptic curve cryptosystem (ECC) based key management scheme to secure communication between the on-body devices. In [30], Muhammad et al. proposed BARI+, a key management scheme in which the identities and authentication codes are pre-loaded among all the nodes. Their scheme achieves more efficiency and fulfills many security requirements for WBAN applications. In [29], Mana et al. proposed a trust key management scheme for WBANs; their scheme manages the generation and distribution of symmetric cryptographic keys to constituent body sensors and solves the problem of privacy in WBANs. In [46], Zhou et al. proposed an efficient and secure biometric based deterministic key agreement for WBANs that exploits the overlap between the biometric characteristics collected by body sensors, so that the pairwise keys can be definitely negotiated by the interactions between body sensors embedded in the same human body. In [33], Ren et al. introduced some approaches that can be used to monitor patients effectively and enhance the functionality of telemedicine systems. Moreover, they further discuss how current security strategies can obstruct the attacks faced by wireless communications in mobile healthcare systems. However, most secure communication schemes are not suitable for WBAN applications because they cannot provide user anonymity [11, 13, 21, 22]. To protect user privacy in WBANs, Liu et al. [27] proposed two certificateless remote anonymous authentication schemes to enable remote WBAN users to anonymously enjoy healthcare service, and their schemes ensure that application or service providers have no privilege to disclose the real identities of users. However, Zhao [45] pointed out that Liu et al.’s schemes cannot protect user anonymity and further proposed an identity and ECC based anonymous authentication scheme for WBANs. Zhao’s scheme not only protects user anonymity but also improves system efficiency on the client side and the application provider side. Unfortunately, Wang and Zhang [40] pointed out that Zhao’s scheme cannot ensure real anonymity because the users’ pseudo identities are unchanging values and the attacker could track the users. In [4], Chen et al. proposed a cloud-assisted medical data exchange scheme for WBAN healthcare service. They claimed that their scheme achieves better security than other existing medical-oriented systems. However, in [25], Li et al. pointed out that Chen et al.’s scheme exposes the patient and the doctor to the private key reveal problem and fails to provide real-time monitoring service and non-repudiation evidence in doctor diagnosis.

Our contributions

To solve the problems of previous schemes mentioned above, we propose a new secure authentication system for cloud-assisted WBAN. The main contributions of this paper are described as follows.

  • We propose a secure authentication and key agreement scheme for cloud-assisted WBAN system using extended chaotic maps [2, 18–20, 26, 43, 44]. Therefore, only authorized doctors and medical caregivers have the ability to access patients’ health information and the proposed system can ensure patient privacy and data integrity [12, 14, 23, 24].

  • Our proposed system supports real-time analytics with continuous remote monitoring on WBAN-oriented health items, and monitored patients can get treated proactively before their condition worsens.

  • Based on the attacker model description, we have analyzed and proved that the proposed system is secure against many well-known attacks and provides several functionality aspects.

  • From the execution of the proposed procedures, our system allows system participants to reduce the burden on some computations and is suitable for implementation in the current mobile emergency medical care environment.

Paper organization

The remainder of this paper is organized as follows. In “The architecture of cloud-assisted wireless body area network in mobile emergency medical care system”, we first introduce the architecture of a cloud-based WBAN system, and we present a secure authentication scheme for mobile emergency medical care system in Section “The proposed mobile emergency medical care system”. Section “Security analysis of our proposed system” gives the security analysis of the proposed system, and “Performance and comparative analysis of our proposed system” evaluates the performance of the proposed system against other related E-health care schemes. Finally, we conclude the paper in “Conclusions”.

The architecture of cloud-assisted wireless body area network in mobile emergency medical care system

For cloud-assisted wireless body area network in mobile emergency medical care system, five roles participate in this system: the patient (P), the healthcare center (HC), the medical caregiver (MC), the doctor (D) and a trusted medical cloud center (C). Before accessing the system, every participant must register with the medical cloud center C, and C will issue one specific certificate based on Chebyshev chaotic maps. Figure 1 shows the entire architecture of cloud-assisted wireless body area network in mobile emergency medical care system. First, the patient P can go to the healthcare center HC to take a health inspection and HC will upload P’s personal health inspection reports to the medical cloud center C. Moreover, P can collect personal health items from the WBAN and upload them to the medical cloud center C. The emergency monitoring applications then allow medical caregivers MC to access the uploaded data. Thus the monitored patient P can get treated proactively before his/her condition worsens.

Fig. 1 The architecture of cloud-assisted wireless body area network in mobile emergency medical care system

On the other hand, once P goes to the hospital for medical treatment, the doctor D can download P’s personal health inspection reports and collected personal health items of WBAN from medical cloud center C and diagnose the symptoms via P’s authorization. As shown in [10], the formats of the patient’s personal health inspection reports and collected personal health items of WBAN are shown in Tables 1 and 2, respectively.

Step 1.

The patient P goes to the healthcare center HC to take a health inspection.

Step 2.

The patient uploads his/her personal health inspection reports to the medical cloud center C and the designated doctor has the ability to access P’s health inspection reports via P’s authorization.

Step 3.

The WBAN collects P’s personal health items and sends them to P’s personal mobile device.

Step 4.

The patient P uses the personal mobile device to upload his/her personal health items to the medical cloud center C.

Step 5.

In order to provide real time medical monitoring service, the patient P can authorize a medical caregiver MC to access P’s collected health items of WBAN stored in medical cloud center.

Step 6.

After verification, the medical caregiver MC can access P’s personal health items of WBAN stored in medical cloud center. Thus the monitored patient P can get treated proactively before his/her condition worsens.

Step 7.

In the doctor treatment time, the authorized doctor D can access and download P’s personal health items of WBAN and health inspection reports stored in medical cloud center.

Step 8.

The doctor D can diagnose the symptoms of P and upload P’s treatment report to the medical cloud center as the non-repudiation evidence after treatment.

Table 1 The patient’s personal health inspection items
Table 2 The patient’s collected health items of WBAN

The proposed mobile emergency medical care system

In this section, we will show how our proposed mobile emergency medical care system works step by step. Four phases are involved in the proposed system: participant registration phase, health examination phase, real time monitoring phase and doctor treatment phase. The notations used throughout this paper are summarized in Table 3.

Table 3 Notations used in the paper

Participant registration phase

For cloud-assisted WBAN in mobile emergency medical care system, the trusted medical cloud center C is a platform for patients, doctors and medical caregivers. In other words, anyone can register at C as a user, a doctor or a medical caregiver. Concerning the fact that the proposed system mainly relies on the design of Chebyshev chaotic maps, it is assumed that the system participants can register at C in some secure way or by secure channel. Moreover, all participants’ certificates are issued by C and kept secret by them. The detailed steps are described as follows.

Step 1.

When a patient wants to be a new legal patient, he/she chooses his/her identity \(ID_{P}\) and submits it to C via a secure channel. Upon receiving \(ID_{P}\) from P, C computes P’s certificate \(T_{k}(ID_{P}) ~\text{mod}~ p\) and P securely stores \((ID_{P}, T_{k}(ID_{P}) ~\text{mod}~ p)\) in his/her mobile device via a secure channel, where k is the secret key of C.

Step 2.

When a doctor wants to be a new legal doctor, he/she chooses his/her identity \(ID_{D}\) and submits it to C via a secure channel. Upon receiving \(ID_{D}\) from D, C computes D’s certificate \(T_{k}(ID_{D}) ~\text{mod}~ p\) and D stores \((ID_{D}, T_{k}(ID_{D}) ~\text{mod}~ p)\) in a secure way via a secure channel.

Step 3.

When a medical caregiver wants to be a new legal caregiver, he/she chooses his/her identity \(ID_{MC}\) and submits it to C via a secure channel. Upon receiving \(ID_{MC}\) from MC, C computes MC’s certificate \(T_{k}(ID_{MC}) ~\text{mod}~ p\) and MC stores \((ID_{MC}, T_{k}(ID_{MC}) ~\text{mod}~ p)\) in a secure way via a secure channel.

Health examination phase

In this phase, the patient P goes to the healthcare center HC to take a health inspection and P can upload his/her health inspection reports \(m_{HC}\) to the medical cloud center C, where \(m_{HC}=(ID_{P}, data_{1}, data_{2}, \ldots, data_{6}, T_{HC})\). Moreover, if P wants to consult with some doctor D, C will help P to authenticate D and help P and D to establish the session key \(SK_{PD}=SK_{DP}\) for protecting P’s health inspection reports. Figure 2 shows the flowchart of the health examination phase and the detailed steps are described as follows.

Step 1.

P chooses a random number a and computes \(X_{P1}=T_{a}(x) ~\text{mod}~ p\) and \(\theta_{P-C}=H(T_{k}(ID_{P}) ~\text{mod}~ p ||X_{P1}||T_{P1})\), where \(T_{P1}\) is the current timestamp of P. Then P sends the request messages \(M_{1}=\{ID_{P}, ID_{D}, X_{P1}, T_{P1}\}\) and \(M_{2}=\{ID_{P}, ID_{D}, X_{P1}, \theta_{P-C}, T_{P1}\}\) to D and C, respectively.

Step 2.

After receiving P’s request, D chooses a random number b and computes \(X_{D1}=T_{b}(x) ~\text{mod}~ p\), \(\theta_{D-P}=H(SK_{DP}||X_{D1}||X_{P1}||T_{P1}||T_{D1})\) and \(\theta_{D-C}=H(T_{k}(ID_{D}) ~\text{mod}~ p ||X_{D1}||T_{D1})\), where \(T_{D1}\) is the current timestamp of D and the session key \(SK_{DP}=T_{b}(X_{P1}) ~\text{mod}~ p\). Then D sends \(M_{3}=\{ID_{D}, ID_{P}, X_{D1}, \theta_{D-P}, T_{D1}\}\) and \(M_{4}=\{ID_{D}, ID_{P}, X_{D1}, \theta_{D-C}, T_{D1}\}\) to P and C, respectively.

Step 3.

After receiving \(M_{2}\) and \(M_{4}\) from P and D, C checks \(|T_{C1}-T_{P1}|\leq \Delta T\) and \(|T_{C1}-T_{D1}|\leq \Delta T\), where \(T_{C1}\) is the current timestamp of C. If it holds, C computes \(\theta _{P-C}^{\prime }=H(T_{k}(ID_{P}) ~\text {mod}~ p ||X_{P1}||T_{P1})\) and checks if computed \(\theta _{P-C}^{\prime }\) equals received \(\theta_{P-C}\). If it holds, P is authenticated by C. Similarly, C computes \(\theta _{D-C}^{\prime }=H(T_{k}(ID_{D}) ~\text {mod}~ p ||X_{D1}||T_{D1})\) and checks if computed \(\theta _{D-C}^{\prime }\) equals received \(\theta_{D-C}\). If it holds, D is also authenticated by C and it means D is the doctor that P wants to consult with. Next, C computes \(\theta_{C-P}=H(ID_{P}||ID_{D}||T_{k}(ID_{P}) ~\text{mod}~ p ||X_{P1}||X_{D1}||T_{C1})\) and \(\theta_{C-D}=H(ID_{P}||ID_{D}||T_{k}(ID_{D}) ~\text{mod}~ p ||X_{P1}||X_{D1}||T_{C1})\) and sends \(M_{5}=\{\theta_{C-P}, T_{C1}\}\) and \(M_{6}=\{\theta_{C-D}, T_{C1}\}\) to P and D, respectively. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 4.

After receiving \(M_{3}\) and \(M_{5}\) from D and C, P checks \(|T_{P2}-T_{D1}|\leq \Delta T\) and \(|T_{P2}-T_{C1}|\leq \Delta T\), where \(T_{P2}\) is the current timestamp of P. If it holds, P computes the session key \(SK_{PD}=T_{a}(X_{D1}) ~\text{mod}~ p\) and \(\theta _{D-P}^{\prime }=H(SK_{PD}||X_{D1}||X_{P1}||T_{P1}||T_{D1})\) and checks if computed \(\theta _{D-P}^{\prime }\) equals received \(\theta_{D-P}\). If it holds, D is authenticated by P. Similarly, P computes \(\theta _{C-P}^{\prime }=H(ID_{P}||ID_{D}||T_{k}(ID_{P}) ~\text {mod}~ p ||X_{P1}||X_{D1}||T_{C1})\) and checks if computed \(\theta _{C-P}^{\prime }\) equals received \(\theta_{C-P}\). If it holds, C is also authenticated by P. Then P generates another key confirmation message \(\theta_{P-D}=H(SK_{PD}||X_{P1}||X_{D1}||T_{P2})\) for D and sends \(M_{7}=\{\theta_{P-D}, T_{P2}\}\) to D. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 5.

After receiving \(M_{6}\) and \(M_{7}\) from C and P, D checks \(|T_{D2}-T_{C1}|\leq \Delta T\) and \(|T_{D2}-T_{P2}|\leq \Delta T\), where \(T_{D2}\) is the current timestamp of D. If it holds, D computes \(\theta _{C-D}^{\prime }=H(ID_{P}||ID_{D}||T_{k}(ID_{D}) ~\text {mod}~ p ||X_{P1}||X_{D1}||T_{C1})\) and checks if computed \(\theta _{C-D}^{\prime }\) equals received \(\theta_{C-D}\). If it holds, C is authenticated by D. Similarly, D computes \(\theta _{P-D}^{\prime }=H(SK_{DP}||X_{P1}||X_{D1}||T_{P2})\) and checks if computed \(\theta _{P-D}^{\prime }\) equals received \(\theta_{P-D}\). If it holds, P is also authenticated by D. As a result, both P and D treat \(SK_{PD}=T_{a}(X_{D1}) ~\text{mod}~ p=T_{ab}(x) ~\text{mod}~ p=T_{b}(X_{P1}) ~\text{mod}~ p=SK_{DP}\) as the session key shared between them. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 6.

After that, P uses the session key \(SK_{PD}\) to encrypt the health inspection reports and uploads \(C_{patient}=\{(ID_{P}, ID_{D}, E_{SK_{PD}}(m_{HC}))\}\) to the medical cloud center C. Finally, C stores \(C_{patient}\) in its DB.

Fig. 2 The flowchart of the health examination phase

Remark 1

We can view D and C as an integrated system for P. From the perspective of P, we adopt mutual authentication and key agreement, which means that only an authorized D has the ability to decrypt \(C_{patient}\) and inspect P’s health inspection reports privately.
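The registration and health examination phases above, as an added Python example (not the authors' code): it computes \(T_{n}(x) ~\text{mod}~ p\) by fast matrix exponentiation, runs Steps 1 to 5 for P, D and C in one process, and aborts on a stale timestamp or a tag that does not verify. The modulus, the public x, ΔT, SHA-256 as H, the string encoding of "||" and the identity-to-integer mapping are assumptions, and the names `cheb`, `Cloud` and `health_exam` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters (assumptions, not taken from the paper).
P_MOD = 2**127 - 1      # prime modulus p
X_PUB = 0x5EED          # public seed x
DELTA_T = 5             # freshness window (Delta T), in seconds


class AuthError(Exception):
    """Raised when a freshness or tag check fails; the protocol run stops."""


def cheb(n, x, p=P_MOD):
    """T_n(x) mod p from T_n = 2x*T_{n-1} - T_{n-2}, T_0 = 1, T_1 = x,
    computed in O(log n) by powering the matrix [[2x, -1], [1, 0]]."""
    def mul(A, B):
        return [[(A[i][0] * B[0][j] + A[i][1] * B[1][j]) % p for j in range(2)]
                for i in range(2)]
    R, M = [[1, 0], [0, 1]], [[2 * x % p, p - 1], [1, 0]]
    while n:
        if n & 1:
            R = mul(R, M)
        M = mul(M, M)
        n >>= 1
    return (R[1][0] * x + R[1][1]) % p


def H(*parts):
    """Hash of the '||'-joined fields (SHA-256 and this encoding are assumptions)."""
    return hashlib.sha256("||".join(map(str, parts)).encode()).hexdigest()


def id_num(identity):
    """Map an identity string to an integer below p (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P_MOD


def nonce():
    return secrets.randbelow(P_MOD - 2) + 2


def check(ok, what):
    if not ok:
        raise AuthError(what)


def fresh(now, ts):
    return abs(now - ts) <= DELTA_T


class Cloud:
    def __init__(self):
        self.k = nonce()                       # C's long-term secret key k

    def cert(self, identity):                  # registration: T_k(ID) mod p
        return cheb(self.k, id_num(identity))


def health_exam(cloud, t, tamper=False):
    """Run Steps 1-5; t maps P1, D1, C1, P2, D2 to timestamps. Returns (SK_PD, SK_DP)."""
    id_p, id_d = "patient-P", "doctor-D"       # constructed identities
    cert_p, cert_d = cloud.cert(id_p), cloud.cert(id_d)   # issued at registration
    eq = hmac.compare_digest                   # constant-time tag comparison

    # Step 1 (P): M1 -> D, M2 -> C
    a = nonce()
    x_p1 = cheb(a, X_PUB)
    th_pc = H(cert_p, x_p1, t["P1"])

    # Step 2 (D): M3 -> P, M4 -> C
    b = nonce()
    x_d1 = cheb(b, X_PUB)
    sk_dp = cheb(b, x_p1)
    th_dp = H(sk_dp, x_d1, x_p1, t["P1"], t["D1"])
    th_dc = H(cert_d, x_d1, t["D1"])
    wire = (x_d1 + 1) % P_MOD if tamper else x_d1   # X_D1 as seen on the channel

    # Step 3 (C): freshness, then authenticate P and D; M5 -> P, M6 -> D
    check(fresh(t["C1"], t["P1"]) and fresh(t["C1"], t["D1"]), "C: stale timestamp")
    check(eq(th_pc, H(cloud.cert(id_p), x_p1, t["P1"])), "C: bad theta_P-C")
    check(eq(th_dc, H(cloud.cert(id_d), wire, t["D1"])), "C: bad theta_D-C")
    th_cp = H(id_p, id_d, cloud.cert(id_p), x_p1, wire, t["C1"])
    th_cd = H(id_p, id_d, cloud.cert(id_d), x_p1, wire, t["C1"])

    # Step 4 (P): derive SK_PD, authenticate D and C; M7 -> D
    check(fresh(t["P2"], t["D1"]) and fresh(t["P2"], t["C1"]), "P: stale timestamp")
    sk_pd = cheb(a, wire)
    check(eq(th_dp, H(sk_pd, wire, x_p1, t["P1"], t["D1"])), "P: bad theta_D-P")
    check(eq(th_cp, H(id_p, id_d, cert_p, x_p1, wire, t["C1"])), "P: bad theta_C-P")
    th_pd = H(sk_pd, x_p1, wire, t["P2"])

    # Step 5 (D): authenticate C and P
    check(fresh(t["D2"], t["C1"]) and fresh(t["D2"], t["P2"]), "D: stale timestamp")
    check(eq(th_cd, H(id_p, id_d, cert_d, x_p1, x_d1, t["C1"])), "D: bad theta_C-D")
    check(eq(th_pd, H(sk_dp, x_p1, x_d1, t["P2"])), "D: bad theta_P-D")
    return sk_pd, sk_dp


if __name__ == "__main__":
    ts = {"P1": 100, "D1": 101, "C1": 102, "P2": 103, "D2": 104}  # constructed
    sk_pd, sk_dp = health_exam(Cloud(), ts)
    print("session keys match:", sk_pd == sk_dp)
```
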

Real time monitoring phase

In this phase, body sensors of WBAN are embedded into the patient P’s body and P uses his/her mobile device to collect the measured health items \(m_{BS}\), where \(m_{BS}=(ID_{P}, BS\_data_{1}, \ldots, BS\_data_{6}, T_{BS})\). Then P can use the mobile device to upload \(m_{BS}\) to C via a public channel. In order to protect patient privacy, \(m_{BS}\) must be encrypted before transmission. Moreover, in order to support real time analytics with continuous remote monitoring on stream-oriented health items, the monitored patient P can authorize a medical caregiver MC to access his/her collected health items of WBAN stored in C. Therefore, C will help P to authenticate MC and help P and MC to establish the session key \(SK_{PMC}=SK_{MCP}\) for securing P’s measured health items of WBAN. Finally, the health conditions of P can be monitored on a real time basis, avoiding unnecessary doctor visits. This phase not only provides home care but also improves the quality of life. Figure 3 shows the flowchart of the real time monitoring phase and the detailed steps are described as follows.

Step 1.

P chooses a random number c and computes \(X_{P3}=T_{c}(x) ~\text{mod}~ p\) and \(\beta_{P-C}=H(T_{k}(ID_{P}) ~\text{mod}~ p ||X_{P3}||T_{P3})\), where \(T_{P3}\) is the current timestamp of P. Then P sends the request messages \(N_{1}=\{ID_{P}, ID_{MC}, X_{P3}, T_{P3}\}\) and \(N_{2}=\{ID_{P}, ID_{MC}, X_{P3}, \beta_{P-C}, T_{P3}\}\) to MC and C, respectively.

Step 2.

After receiving P’s request, MC chooses a random number d and computes \(X_{MC3}=T_{d}(x) ~\text{mod}~ p\), \(\beta_{MC-P}=H(SK_{MCP}||X_{MC3}||X_{P3}||T_{P3}||T_{MC3})\) and \(\beta_{MC-C}=H(T_{k}(ID_{MC}) ~\text{mod}~ p ||X_{MC3}||T_{MC3})\), where \(T_{MC3}\) is the current timestamp of MC and the session key \(SK_{MCP}=T_{d}(X_{P3}) ~\text{mod}~ p\). Then MC sends \(N_{3}=\{ID_{MC}, ID_{P}, X_{MC3}, \beta_{MC-P}, T_{MC3}\}\) and \(N_{4}=\{ID_{MC}, ID_{P}, X_{MC3}, \beta_{MC-C}, T_{MC3}\}\) to P and C, respectively.

Step 3.

After receiving \(N_{2}\) and \(N_{4}\) from P and MC, C checks \(|T_{C3}-T_{P3}|\leq \Delta T\) and \(|T_{C3}-T_{MC3}|\leq \Delta T\), where \(T_{C3}\) is the current timestamp of C. If it holds, C computes \(\beta _{P-C}^{\prime }=H(T_{k}(ID_{P}) ~\text {mod}~ p ||X_{P3}||T_{P3})\) and checks if computed \(\beta _{P-C}^{\prime }\) equals received \(\beta_{P-C}\). If it holds, P is authenticated by C. Similarly, C computes \(\beta _{MC-C}^{\prime }=H(T_{k}(ID_{MC}) ~\text {mod}~ p ||X_{MC3}||T_{MC3})\) and checks if computed \(\beta _{MC-C}^{\prime }\) equals received \(\beta_{MC-C}\). If it holds, MC is also authenticated by C and it means MC is the designated medical caregiver that P wants to consult with. Next, C computes \(\beta_{C-P}=H(ID_{P}||ID_{MC}||T_{k}(ID_{P}) ~\text{mod}~ p ||X_{P3}||X_{MC3}||T_{C3})\) and \(\beta_{C-MC}=H(ID_{P}||ID_{MC}||T_{k}(ID_{MC}) ~\text{mod}~ p ||X_{P3}||X_{MC3}||T_{C3})\) and sends \(N_{5}=\{\beta_{C-P}, T_{C3}\}\) and \(N_{6}=\{\beta_{C-MC}, T_{C3}\}\) to P and MC, respectively. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 4.

After receiving \(N_{3}\) and \(N_{5}\) from MC and C, P checks \(|T_{P4}-T_{MC3}|\leq \Delta T\) and \(|T_{P4}-T_{C3}|\leq \Delta T\), where \(T_{P4}\) is the current timestamp of P. If it holds, P computes the session key \(SK_{PMC}=T_{c}(X_{MC3}) ~\text{mod}~ p\) and \(\beta _{MC-P}^{\prime }=H(SK_{PMC}||X_{MC3}||X_{P3}||T_{P3}||T_{MC3})\) and checks if computed \(\beta _{MC-P}^{\prime }\) equals received \(\beta_{MC-P}\). If it holds, MC is authenticated by P. Similarly, P computes \(\beta _{C-P}^{\prime }=H(ID_{P}||ID_{MC}||T_{k}(ID_{P}) ~\text{mod}~ p ||X_{P3}||X_{MC3}||T_{C3})\) and checks if computed \(\beta _{C-P}^{\prime }\) equals received \(\beta_{C-P}\). If it holds, C is also authenticated by P. Then P generates another key confirmation message \(\beta_{P-MC}=H(SK_{PMC}||X_{P3}||X_{MC3}||T_{P4})\) for MC and sends \(N_{7}=\{\beta_{P-MC}, T_{P4}\}\) to MC. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 5.

After receiving \(N_{6}\) and \(N_{7}\) from C and P, MC checks \(|T_{MC4}-T_{C3}|\leq \Delta T\) and \(|T_{MC4}-T_{P4}|\leq \Delta T\), where \(T_{MC4}\) is the current timestamp of MC. If it holds, MC computes \(\beta _{C-MC}^{\prime }=H(ID_{P}||ID_{MC}||T_{k}(ID_{MC}) ~\text{mod}~ p ||X_{P3}||X_{MC3}||T_{C3})\) and checks if computed \(\beta _{C-MC}^{\prime }\) equals received \(\beta_{C-MC}\). If it holds, C is authenticated by MC. Similarly, MC computes \(\beta _{P-MC}^{\prime }=H(SK_{MCP}||X_{P3}||X_{MC3}||T_{P4})\) and checks if computed \(\beta _{P-MC}^{\prime }\) equals received \(\beta_{P-MC}\). If it holds, P is also authenticated by MC. As a result, both P and MC treat \(SK_{PMC}=T_{c}(X_{MC3}) ~\text{mod}~ p=T_{cd}(x) ~\text{mod}~ p=T_{d}(X_{P3}) ~\text{mod}~ p=SK_{MCP}\) as the session key shared between them. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 6.

After that, P uses the session key \(SK_{PMC}\) to encrypt the measured health items of WBAN and P’s mobile device will periodically upload \(C_{WBAN}=\{(ID_{P}, ID_{MC}, E_{SK_{PMC}}(m_{BS}))\}\) to the medical cloud center C. Thus MC can download \(C_{WBAN}\) from C and monitor P’s measured health items of WBAN by computing \(m_{BS}=D_{SK_{MCP}}(E_{SK_{PMC}}(m_{BS}))\). Finally, the proposed system can support real time analytics with continuous remote monitoring on stream-oriented health items of WBAN and the monitored patient can get treated proactively before his/her condition worsens.

Step 7.

Continuing from the previous phase, P can also use the session key \(SK_{PD}\) to encrypt the measured health items of WBAN and P’s mobile device will periodically upload \(C_{WBAN}^{\prime }=\{(ID_{P}, ID_{D}, E_{SK_{PD}}(m_{BS}))\}\) to the medical cloud center C, where \(SK_{PD}=SK_{DP}\) is a common session key shared between P and D. As a result, the authorized D can download \(C_{WBAN}^{\prime }\) from C at any time and use the common session key \(SK_{DP}\) to inspect P’s measured health items of WBAN by computing \(m_{BS}=D_{SK_{DP}}(E_{SK_{PD}}(m_{BS}))\).

Fig. 3 The flowchart of the real time monitoring phase

Fig. 4 The flowchart of the doctor treatment phase

Remark 2

We can view MC and C as an integrated system for P. From the perspective of P, we adopt mutual authentication and key agreement, which means that only the designated MC has the ability to decrypt \(C_{WBAN}\) and monitor P’s measured health items of WBAN in real time.

Doctor treatment phase

In this phase, P goes to the hospital and tells the doctor D to download P’s health inspection reports \(C_{patient}\) and measured health items \(C_{WBAN}^{\prime }\) from the medical cloud center C, where \(C_{patient}=\{ID_{P}, ID_{D}, E_{SK_{PD}}(m_{HC})\}\) and \(C_{WBAN}^{\prime }=\{ID_{P}, ID_{D}, E_{SK_{PD}}(m_{BS})\}\). Then D can use the session key \(SK_{DP}\), which is established in the health examination phase, to reveal \(m_{HC}\) and \(m_{BS}\). Finally, D uses this health information to diagnose P’s symptom and uploads \(Treatment_{P-D}\) to the medical cloud center as the non-repudiation evidence after the treatment. Figure 4 shows the flowchart of the doctor treatment phase and the detailed steps are described as follows.

Step 1.

D chooses a random number e and computes \(X_{D5}=T_{e}(x) ~\text{mod}~ p\) and \(\delta_{D-C}=H(T_{k}(ID_{D}) ~\text{mod}~ p ||X_{D5}||T_{D5})\), where \(T_{D5}\) is the current timestamp of D. Then D makes a download request message \(O_{1}=\{ID_{D}, ID_{P}, X_{D5}, \delta_{D-C}, T_{D5}\}\) and sends it to the medical cloud center C via a public channel.

Step 2.

After receiving the download request \(O_{1}\) from D, C checks \(|T_{C5}-T_{D5}|\leq \Delta T\), where \(T_{C5}\) is the current timestamp of C. If it holds, C computes \(\delta _{D-C}^{\prime }=H(T_{k}(ID_{D}) ~\text {mod}~ p ||X_{D5}||T_{D5})\) and checks if computed \(\delta _{D-C}^{\prime }\) equals received \(\delta_{D-C}\). If it holds, D is authenticated by C. Next, C chooses a random number f and computes \(X_{C5}=T_{f}(x) ~\text{mod}~ p\), the session key \(SK_{CD}=T_{f}(X_{D5}) ~\text{mod}~ p\), \(\delta_{C-D}=H(T_{k}(ID_{D}) ~\text{mod}~ p ||SK_{CD}||X_{C5}||X_{D5}||T_{D5}||T_{C5})\) and \(C_{report}=E_{SK_{CD}}(C_{patient}, C_{WBAN}^{\prime })\). Then C sends the download response message \(O_{2}=\{X_{C5}, \delta_{C-D}, C_{report}, T_{C5}\}\) to D. Note that the protocol will be terminated immediately if any authentication check does not pass.

Step 3.

After receiving the download response \(O_{2}\) from C, D checks \(|T_{D6}-T_{C5}|\leq \Delta T\), where \(T_{D6}\) is the current timestamp of D. If it holds, D computes \(SK_{DC}=T_{e}(X_{C5}) ~\text{mod}~ p\) and \(\delta _{C-D}^{\prime }=H(SK_{DC}||X_{C5}||X_{D5}||T_{D5}||T_{C5})\) and checks if computed \(\delta _{C-D}^{\prime }\) equals received \(\delta_{C-D}\). If it holds, C is authenticated by D. Then D uses \(SK_{DC}\) to reveal \(C_{patient}\) and \(C_{WBAN}^{\prime }\) by computing \(D_{SK_{DC}}(C_{report})\). Finally, D uses the session key \(SK_{DP}\), which is established in the health examination phase, to reveal health inspection reports \(m_{HC}\) and measured health items of WBAN \(m_{BS}\) by computing \(D_{SK_{DP}}(E_{SK_{PD}}(m_{HC}))\) and \(D_{SK_{DP}}(E_{SK_{PD}}(m_{BS}))\), respectively.

Step 4.

After the treatment, in order to provide non-repudiation evidence in doctor diagnosis, D uses his/her private key to sign the medical diagnoses of P’s symptom by computing \(Treatment_{P-D}=Sig_{D}(ID_{P}, ID_{D}, m_{DG}, T_{D6})\), where \(m_{DG}\) means D’s medical diagnosis of P’s symptom. Finally, D computes \(C_{diagnosis}=E_{SK_{DC}}(Treatment_{P-D}, ID_{P}, ID_{D}, m_{DG}, T_{D6})\) and uploads \(O_{3}=\{C_{diagnosis}, T_{D6}\}\) to C.

Step 5.

After receiving \(O_{3}\) from D, C checks \(|T_{C6}-T_{D6}|\leq \Delta T\), where \(T_{C6}\) is the current timestamp of C. If it holds, C reveals \((Treatment_{P-D}, ID_{P}, ID_{D}, m_{DG}, T_{D6})\) by computing \(E_{SK_{CD}}(C_{diagnosis})\) and stores them in its DB as the non-repudiation evidence.

Security analysis of our proposed system

Before analysing the security of our proposed system, we present an attacker model which discusses several valid assumptions including the capabilities of the attacker. In the following subsections, we analyze and prove the security of the proposed system based on the attacker model description.

Attack model

Because the authentication systems are executed over insecure channels, malicious attackers may have several capabilities to damage the security of the proposed system. We list some widely accepted valid assumptions in the following.

  • An attacker may eavesdrop on all the communications between the participants of the system over the public channels. Then the attacker can modify, delete, resend and reroute the eavesdropped messages. Note that an attacker cannot intercept the messages during the participant registration phase.

  • An attacker may guess a low entropy password easily, but guessing secret parameters (e.g. certificate, random number) is computationally infeasible in polynomial time.

  • An attacker may try to impersonate a medical worker (e.g. doctor, medical caregiver) and reply with malicious responses during execution of the proposed system.

  • An attacker may try to impersonate a patient to the medical worker after intercepting the request message during execution of the proposed system.

Security proof of the proposed system

In the following, we informally analyzed the security of the proposed system and proved that the system provides many security criteria and it is secure against several well-known attacks.

Theorem 1

The proposed authentication scheme for mobile emergency medical care system is able to provide mutual authentication property.

Proof

In the health examination phase of the proposed system, C has common secret certificates \(T_{k}(ID_{P}) ~\text{mod}~ p\) and \(T_{k}(ID_{D}) ~\text{mod}~ p\) shared with P and D and can authenticate P and D by verifying \(\theta_{P-C}\) and \(\theta_{D-C}\). In addition, after receiving \(M_{3}\) and \(M_{5}\) from D and C, P has a secret certificate \(T_{k}(ID_{P}) ~\text{mod}~ p\) shared with C and can authenticate C and D by verifying \(\theta_{C-P}\) and \(\theta_{D-P}\). Moreover, after receiving \(M_{6}\) and \(M_{7}\) from C and P, D has a secret certificate \(T_{k}(ID_{D}) ~\text{mod}~ p\) shared with C and can authenticate C and P by verifying \(\delta_{D-C}\).

On the other hand, in the real time monitoring phase of the proposed system, C has common secret certificates \(T_{k}(ID_{MC}) ~\text{mod}~ p\) and \(T_{k}(ID_{P}) ~\text{mod}~ p\) shared with MC and P and can authenticate MC and P by verifying \(\beta_{MC-C}\) and \(\beta_{P-C}\). Next, after receiving \(N_{3}\) and \(N_{5}\) from MC and C, P has a secret certificate \(T_{k}(ID_{P}) ~\text{mod}~ p\) shared with C and can authenticate MC and C by verifying \(\beta_{MC-P}\) and \(\beta_{C-P}\). Furthermore, after receiving \(N_{6}\) and \(N_{7}\) from C and P, MC has a secret certificate \(T_{k}(ID_{MC}) ~\text{mod}~ p\) shared with C and can authenticate C and P by verifying \(\beta_{C-MC}\) and \(\beta_{P-MC}\).

Besides, in the doctor treatment phase of the proposed system, C has a common secret certificate \(T_{k}(ID_{D}) ~\text{mod}~ p\) shared with D and can authenticate D by verifying \(\delta_{D-C}\). Finally, after receiving the download response \(O_{2}\) from C, D can authenticate C by verifying \(SK_{DC}\) and \(\delta_{C-D}\). Therefore, the malicious attacker cannot generate fake request and response messages, which not only avoids congestion in the network system but also achieves the mutual authentication property. □

Theorem 2

The proposed authentication scheme for mobile emergency medical care system is able to provide the property of session key security.

Proof

During the authentication phases of our proposed system, a common session key should be established after the successful authentication steps. In the health examination phase, both patient P and doctor D will exchange secret parameters \(T_{a}(x) ~\text{mod}~ p\) and \(T_{b}(x) ~\text{mod}~ p\) and they will use them to generate a common session key \(SK_{DP}=SK_{PD}\) for protecting P’s health inspection reports \(m_{HC}\) and establishing a secure channel. An extended chaotic map is used to ensure the correctness of the scheme, as shown below.

$$\begin{array}{@{}rcl@{}} SK_{PD} &\equiv& T_{a}(X_{D1}) ~\text{mod}~ p \\ &\equiv& T_{b}(T_{a}(x)) ~\text{mod}~ p \\ &\equiv& T_{ab}(x) ~\text{mod}~ p \\ &\equiv& T_{b}(X_{P1}) ~\text{mod}~ p \equiv SK_{DP} \end{array} $$

Moreover, in the real time monitoring phase, both patient P and medical caregiver MC will exchange secret parameters \(T_{c}(x) ~\text{mod}~ p\) and \(T_{d}(x) ~\text{mod}~ p\) and they will use them to generate a common session key \(SK_{PMC}=SK_{MCP}\) for protecting P’s measured health items of WBAN \(m_{BS}\) and establishing a secure channel. An extended chaotic map is used to ensure the correctness of the scheme, as shown below.

$$\begin{array}{@{}rcl@{}} SK_{PMC} &\equiv& T_{c}(X_{MC3}) ~\text{mod}~ p \\ &\equiv& T_{c}(T_{d}(x)) ~\text{mod}~ p \\ &\equiv& T_{cd}(x) ~\text{mod}~ p \\ &\equiv& T_{d}(X_{P3}) ~\text{mod}~ p \equiv SK_{MCP} \\ \end{array} $$

Finally, in the doctor treatment phase, both doctor D and medical cloud center C will exchange secret parameters \(T_{e}(x)~\text{mod}~ p\) and \(T_{f}(x)~\text{mod}~ p\) and they will use them to generate a common session key \(SK_{DC}=SK_{CD}\) for protecting P’s \(C_{patient}\) and \(C_{WBAN}^{\prime }\) and establishing a secure channel. An extended chaotic map is used to ensure the correctness of the scheme, as shown below.

$$\begin{array}{@{}rcl@{}} SK_{DC} &\equiv& T_{e}(X_{C5}) ~\text{mod}~ p \\ &\equiv& T_{e}(T_{f}(x)) ~\text{mod}~ p \\ &\equiv& T_{ef}(x) ~\text{mod}~ p \\ &\equiv& T_{f}(X_{D5}) ~\text{mod}~ p \equiv SK_{CD} \end{array} $$

Theorem 3

The proposed authentication scheme for the mobile emergency medical care system is able to provide the property of perfect forward secrecy.

Proof

In the health examination phase of the proposed system, the session key \(SK_{PD}=T_{a}(X_{D1})~\text{mod}~ p=T_{b}(X_{P1})~\text{mod}~ p=SK_{DP}\) is related to random numbers a and b, which were randomly chosen by P and D, respectively. So no session key is related to C’s secret key. Since the random numbers are different in every request session, it is computationally infeasible for an attacker to derive the previously established session keys, because doing so is as difficult as solving the Diffie-Hellman problem.

Similarly, in the real time monitoring phase, the session key \(SK_{PMC}=T_{c}(X_{MC3})~\text{mod}~ p=T_{d}(X_{P3})~\text{mod}~ p=SK_{MCP}\) is related to random numbers c and d, which were randomly chosen by P and MC, respectively. Since the random numbers are different in every request session, an attacker cannot compute the previously established session keys because of the intractability of the Diffie-Hellman problem.

Finally, in the doctor treatment phase, the session key \(SK_{DC}=T_{e}(X_{C5})~\text{mod}~ p=T_{f}(X_{D5})~\text{mod}~ p=SK_{CD}\) is related to random numbers e and f, which were randomly chosen by D and C, respectively. Since the random numbers are different in every request session, an attacker cannot compute the previously established session keys because of the intractability of the CMBDLP and CMBDHP problems [3]. Therefore, the proposed system achieves perfect forward secrecy. □

Theorem 4

The proposed authentication scheme for the mobile emergency medical care system is able to provide the properties of patient privacy and data integrity.

Proof

In our proposed system, in order to ensure the patients’ privacy and protect the data integrity, we use the session key to encrypt the private information of patients, and the medical cloud center is unable to learn patients’ health inspection reports \(m_{HC}\) and health data items collected by WBAN \(m_{BS}\). In Step 6 of the health examination phase, the patient uses the session key \(SK_{PD}\) to protect his/her health inspection reports, and only the authorized doctor is able to reveal the patient’s health inspection reports privately. Moreover, in Step 6 and Step 7 of the real time monitoring phase, the patient also uses the session keys \(SK_{PMC}\) and \(SK_{PD}\) to protect his/her health data items collected by WBAN, and only the authorized medical caregiver and the authorized doctor are able to monitor and inspect the patient’s measured health items of WBAN in real time. Finally, according to the proof of Theorem 2, we prove that the proposed system could provide the property of session key security and no outsiders can reveal patients’ health inspection reports \(m_{HC}\) and health data items collected by WBAN \(m_{BS}\). Therefore, the proposed system could ensure patient privacy and data integrity. □

Theorem 5

The proposed authentication scheme for the mobile emergency medical care system is able to provide the property of non-repudiation in doctor diagnosis.

Proof

In Step 4 of the doctor treatment phase, we suggest that the doctor’s diagnosis of P’s symptom \(m_{DG}\) should be included in \(Treatment_{P-D}=Sig_{D}(ID_{P}, ID_{D}, m_{DG}, T_{D6})\), where \(Sig_{D}\) is the doctor’s private key and is used to sign the messages \((ID_{P}, ID_{D}, m_{DG}, T_{D6})\). Finally, in Step 5 of this phase, the doctor uploads the current timestamp \(T_{D6}\) and \(C_{diagnosis}=E_{SK_{DC}}(Treatment_{P-D}, ID_{P}, ID_{D}, m_{DG}, T_{D6})\) to the medical cloud center as the non-repudiation evidence. Therefore, the proposed system achieves non-repudiation in doctor diagnosis. □

Theorem 6

The proposed authentication scheme for the mobile emergency medical care system is secure against replay attacks.

Proof

In this attack, an attacker may eavesdrop request messages during execution of the protocol and transmit the same messages to system participants. In order to avoid the replay attacks, we have adopted the random numbers and timestamps in the proposed system. As discussed in Step 1 and Step 2 of the health examination phase, our proposed system ingeniously uses the random numbers a and b and timestamps \(T_{P1}\) and \(T_{D1}\) to avoid the immediate replay attacks within the valid time interval. Similarly, as discussed in Step 1 and Step 2 of the real time monitoring phase, our proposed system successfully uses the random numbers c and d and timestamps \(T_{P3}\) and \(T_{MC3}\) to avoid the strong replay attacks within the valid time interval. Furthermore, as discussed in Step 1 and Step 2 of the doctor treatment phase, our proposed system smartly uses the random numbers e and f and timestamps \(T_{D5}\) and \(T_{C5}\) to avoid the malicious replay attacks within the valid time interval. As a result, our proposed system provides the message freshness property and the system participants could avoid the replay attacks by checking the freshness of random numbers and timestamps. □

Theorem 7

The proposed authentication scheme for the mobile emergency medical care system is secure against man-in-the-middle attacks.

Proof

In this attack, we suppose an attacker intercepts the request messages during execution of the protocol and transmits the modified messages to system participants. As discussed in Step 1 of the health examination phase, an attacker intercepts the messages \(M_{1}=\{ID_{P}, ID_{D}, X_{P1}, T_{P1}\}\) and \(M_{2}=\{ID_{P}, ID_{D}, X_{P1}, \theta_{PC}, T_{P1}\}\) and computes \(X_{A1}=T_{a^{\prime }}(x)~\text{mod}~ p\), where \(a^{\prime }\) is a random number chosen by the attacker. Then the attacker changes \(M_{1}\) to \(M_{1}^{\prime }=\{ID_{P}, ID_{D}, X_{A1}, T_{A1}\}\), where \(T_{A1}\) is the current timestamp of the attacker. However, the attacker cannot modify \(M_{2}\) because it involves computation of \(H(T_{k}(ID_{P})~\text{mod}~ p\,||\,X_{A1}\,||\,T_{A1})\), which needs the secret certificate \(T_{k}(ID_{P})~\text{mod}~ p\) of the patient. Since \(T_{k}(ID_{P})~\text{mod}~ p\) is protected by a secure one-way cryptographic hash function \(H(\cdot)\), it is computationally infeasible for the attacker to modify \(M_{2}\). Therefore, the attacker is not able to modify the patient’s request messages and send them to the doctor and the medical cloud center. In a similar manner, the attacker is also unable to modify other request messages \((N_{1}, N_{2})\) and \(O_{1}\) during the real time monitoring phase and the doctor treatment phase. Hence, our proposed system is secure against the man-in-the-middle attacks. □
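The following added example (not code from the paper) runs the health examination exchange end to end: the \(T_{ab}(x)\) key agreement from the proof of Theorem 2, and the authenticator check that rejects a substituted \(X_{A1}\) or a stale timestamp. The modulus, the seed `x = 3`, the identity string, SHA-256, the field encoding and the 5-second window are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # constructed demo modulus (a Mersenne prime); not a value from the paper

def chebyshev(n, x, p=P):
    """T_n(x) mod p from T_n = 2x*T_{n-1} - T_{n-2}, T_0 = 1, T_1 = x, in O(log n)."""
    if n == 0:
        return 1 % p
    def mul(A, B):  # 2x2 matrix product mod p
        return [[sum(A[i][k] * B[k][j] for k in range(2)) % p for j in range(2)]
                for i in range(2)]
    result, base, e = [[1, 0], [0, 1]], [[2 * x % p, p - 1], [1, 0]], n - 1
    while e:  # square-and-multiply on M = [[2x, -1], [1, 0]]
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return (result[0][0] * x + result[0][1]) % p  # first row of M^(n-1) applied to (T_1, T_0)

def tag(cert, X, ts):
    """H(cert || X || T); SHA-256 and fixed-width big-endian fields are assumptions."""
    data = cert.to_bytes(16, "big") + X.to_bytes(16, "big") + ts.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

def verify(cert, X, ts, theta, now, window=5):
    """Accept only a fresh timestamp and a tag that matches the received X and T."""
    return abs(now - ts) <= window and hmac.compare_digest(tag(cert, X, ts), theta)

def run_session():
    x = 3                                          # public seed (constructed)
    k = secrets.randbelow(P - 2) + 2               # C's long-term secret key
    id_p = int.from_bytes(hashlib.sha256(b"patient-001").digest()[:15], "big")
    cert_p = chebyshev(k, id_p)                    # T_k(ID_P) mod p, shared by P and C
    a, b = (secrets.randbelow(P - 2) + 2 for _ in range(2))
    X_P1, X_D1 = chebyshev(a, x), chebyshev(b, x)  # exchanged public values
    t_p1 = 1_700_000_000                           # constructed timestamp T_P1
    theta_pc = tag(cert_p, X_P1, t_p1)             # authenticator carried in M_2
    X_A1 = chebyshev(secrets.randbelow(P - 2) + 2, x)  # value substituted in transit
    return {
        "sk_pd": chebyshev(a, X_D1), "sk_dp": chebyshev(b, X_P1),
        "t_ab": chebyshev(a * b, x),
        "honest": verify(cert_p, X_P1, t_p1, theta_pc, now=t_p1 + 1),
        "substituted": verify(cert_p, X_A1, t_p1, theta_pc, now=t_p1 + 1),
        "replayed": verify(cert_p, X_P1, t_p1, theta_pc, now=t_p1 + 3600),
    }

if __name__ == "__main__":
    print(run_session())
```

Both session keys equal \(T_{ab}(x)~\text{mod}~ p\), while the tag computed over \(X_{P1}\) fails verification once \(X_{A1}\) is swapped in or the timestamp falls outside the window.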

Theorem 8

The proposed authentication scheme for the mobile emergency medical care system is secure against participant impersonation attacks.

Proof

For participant impersonation attacks, two kinds of cases are taken into consideration. Case 1: an attacker may attempt to impersonate a system participant (i.e. patient, doctor and medical caregiver) to transmit fake requests to the medical cloud center. Case 2: an attacker may attempt to impersonate a medical cloud center to cheat the system participant.

  • Case 1: During the health examination phase of this case, the attacker has to generate some correct request messages \(M_{1}=\{ID_{P}, ID_{D}, X_{A1}, T_{A1}\}\) and \(M_{2}=\{ID_{P}, ID_{D}, X_{A1}, \theta_{AC}, T_{A1}\}\) to impersonate a legal patient, where \(a^{\prime }\) is a random number chosen by the attacker, \(X_{A1}=T_{a^{\prime }}(x)~\text{mod}~ p\), \(\theta_{AC}=H(T_{k}(ID_{P})~\text{mod}~ p\,||\,X_{A1}\,||\,T_{A1})\) and \(T_{A1}\) is the current timestamp of the attacker. The attacker could generate \(X_{A1}=T_{a^{\prime }}(x)~\text{mod}~ p\) and \(T_{A1}\) easily. However, the attacker cannot generate a valid \(\theta_{AC}\) without knowing the patient’s certificate \(T_{k}(ID_{P})~\text{mod}~ p\). On the other hand, in Step 2 of the real time monitoring phase, the attacker may generate some fake response messages \(N_{3}=\{ID_{MC}, ID_{P}, X_{A3}, \beta_{AP}, T_{A3}\}\) and \(N_{4}=\{ID_{MC}, ID_{P}, X_{A3}, \beta_{AC}, T_{A3}\}\) to impersonate a legal medical caregiver, where \(a^{\prime }\) is a random number chosen by the attacker, \(X_{A3}=T_{a^{\prime }}(x)~\text{mod}~ p\), \(\beta_{AC}=H(T_{k}(ID_{MC})~\text{mod}~ p\,||\,X_{A3}\,||\,T_{A3})\) and \(T_{A3}\) is the current timestamp of the attacker. Also, the attacker could generate \(X_{A3}=T_{a^{\prime }}(x)~\text{mod}~ p\) and \(T_{A3}\) easily. However, the attacker cannot generate a valid \(\beta_{AC}\) without knowing the medical caregiver’s certificate \(T_{k}(ID_{MC})~\text{mod}~ p\). Finally, in Step 1 of the doctor treatment phase, the attacker may generate a malicious request message \(O_{1}=\{ID_{D}, ID_{P}, X_{A5}, \delta_{AC}, T_{A5}\}\) to impersonate a valid doctor, where \(a^{\prime }\) is a random number chosen by the attacker, \(X_{A5}=T_{a^{\prime }}(x)~\text{mod}~ p\), \(\delta_{AC}=H(T_{k}(ID_{D})~\text{mod}~ p\,||\,X_{A5}\,||\,T_{A5})\) and \(T_{A5}\) is the current timestamp of the attacker. Thus the attacker could generate \(X_{A5}=T_{a^{\prime }}(x)~\text{mod}~ p\) and \(T_{A5}\) easily. However, the attacker cannot generate a valid \(\delta_{AC}\) without knowing the doctor’s certificate \(T_{k}(ID_{D})~\text{mod}~ p\), and the participant impersonation attacks of Case 1 can be prevented by the proposed system.

  • Case 2: In this case, we suppose the attacker wants to impersonate a medical cloud center to cheat the system participants when he/she intercepts the request messages \((M_{1}, M_{2})\), \((N_{3}, N_{4})\) and \((O_{1})\) sent by the patient, medical caregiver and doctor, respectively. The attacker must reply with correct responses (\(M_{5}=\{\theta_{AP}, T_{A1}\}\), \(M_{6}=\{\theta_{AD}, T_{A1}\}\)), (\(N_{5}=\{\beta_{AP}, T_{A1}\}\), \(N_{6}=\{\beta_{AMC}\)) and \((O_{2})\) and send them to the patient, medical caregiver and doctor, respectively. However, the attacker cannot generate correct responses \((\theta_{AP}, \theta_{AD})\), \((\beta_{AP}, \beta_{AMC})\) and \(\delta_{AD}\) and send them to P, MC and D without knowing the patient’s certificate \(T_{k}(ID_{P})~\text{mod}~ p\), the medical caregiver’s certificate \(T_{k}(ID_{MC})~\text{mod}~ p\) and the doctor’s certificate \(T_{k}(ID_{D})~\text{mod}~ p\), respectively. Therefore, we claim that the proposed system resists the medical cloud center impersonation attack.

Theorem 9

The proposed authentication scheme for the mobile emergency medical care system is secure against known-key attacks.

Table 4 The computation cost of our proposed system

Proof

During the health examination phase of the proposed system, we know a common session key \(SK_{PD}=T_{a}(X_{D1})~\text{mod}~ p=T_{ab}(x)~\text{mod}~ p=T_{b}(X_{P1})~\text{mod}~ p=SK_{DP}\) is only shared between the patient and the doctor. Thus the compromise of a session key in a previous session does not influence the security of session keys in other sessions, because the patient and the doctor will generate new random numbers (a, b), which are protected by the CMBDLP and CMBDHP problems [3]. In a similar manner, the attacker is also unable to derive other session keys \(SK_{PMC}=T_{c}(X_{MC3})~\text{mod}~ p=T_{cd}(x)~\text{mod}~ p=T_{d}(X_{P3})~\text{mod}~ p=SK_{MCP}\) and \(SK_{DC}=T_{e}(X_{D5})~\text{mod}~ p=T_{ef}(x)~\text{mod}~ p=T_{f}(X_{C5})~\text{mod}~ p=SK_{CD}\) during the real time monitoring phase and the doctor treatment phase. Therefore, the attacker cannot extract random numbers from any session key and our proposed system resists the known-key attacks. □

Theorem 10

The proposed authentication scheme for the mobile emergency medical care system is secure against stolen-verifier attacks.

Proof

For a secure authentication scheme, there must be a password/verifier table stored on the server side to verify the validity of system participants. However, in our scheme, the medical cloud center uses Chebyshev chaotic maps to generate system participants’ certificates and the medical cloud center does not maintain any password/verifier tables in its DB. Therefore, an attacker is not able to obtain the secret information of the system participants and our system can avoid the stolen-verifier attack. □

Performance and comparative analysis of our proposed system

In the following, we define some cryptographic notations and evaluate the computation cost of our proposed system in Table 4. We have followed the experimental results performed in [15] with specifications as CPU: 2.4 GHz Intel core i5, RAM: 4.0 GB, using a GNU with multiple precision library and OpenSSL library. The average times of executing one \(T_{Hash}\), one \(T_{Che}\) and one \(T_{Sym}\) are 0.02 ms, 32.9 ms and 0.042 ms, respectively. As seen in Table 4, our proposed system allows participants to reduce the burden on some computations, and thus is more suitable for practical usages including mobile emergency medical care systems.

  • \(T_{Hash}\): The time for executing a one-way hash function.

  • \(T_{Sig}\): The time for executing a signature computation.

  • \(T_{Sym}\): The time for executing a symmetric en/decryption computation.

  • \(T_{Che}\): The time for executing a Chebyshev polynomial computation.

In Table 5, we compared the proposed system with existing related schemes in terms of different functional requirements and security attacks. It is visible from Table 5 that the schemes in [4, 16, 41] cannot provide real time monitoring and non-repudiation properties in E-health care systems. In contrast, our proposed system not only achieves several functionality aspects but also provides strong security protection on the relevant security attacks.

Table 5 Comparisons of our proposed system with related E-health care schemes

Conclusions

With the medical application of cloud-assisted WBAN in our daily life, it is urgent to design a remote medical care system for cloud-assisted WBAN to allow medical staff to monitor patients’ health in real time. Thus the monitored patient can be treated proactively before his/her health condition worsens. In order to counter the various security threats, this paper designed a secure emergency medical care system using medical cloud, WBAN, symmetric encryption/decryption algorithm, hash function and chaotic maps. The major advantage of the proposed system is providing continuous remote patient supervision both in and out of hospital conditions, which improves the quality of life of monitored patients as well as the treatment efficiency. The security and performance analysis shows that the proposed system not only protects patient privacy and data integrity but also reduces the burden of system overhead. Additionally, our proposed system achieves desirable security functionalities such as mutual authentication, session key agreement, perfect forward secrecy and non-repudiation in doctor diagnosis. Finally, the above-mentioned properties and advantages demonstrate that the proposed cloud-assisted WBAN scheme is worth implementing in a mobile emergency medical care system.