An Improved Authentication Protocol for Smart Healthcare System Using Wireless Medical Sensor Network

With the rapid development and evolution of wireless network technology, electronic health has shown great potential in continuously monitoring the health of patients. The wireless medical sensor network (WMSN) has played an important role in this field. In WMSN, medical sensors are placed on patients to collect relevant health data, which are transmitted to medical professionals in hospitals or at home through insecure channels. These health data need to be highly protected because they contain patient-related private information. Once the information is leaked or maliciously modified, it will cause the wrong diagnosis and endanger the health of patients. To protect information privacy and security against illegal users, this article reviews the solution of Farash et al. and points out its existing vulnerabilities, such as privileged insider attack, user anonymity invalidation, and offline password guessing attack. In order to overcome these drawbacks, we use Elliptic Curve Cryptography to propose an improved anonymous authentication protocol for a smart healthcare system. The security of our protocol is verified by Burrows-Abadi-Needham logic and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, and its security features and efficiency are compared with other related schemes. The results show that the improved protocol provides better security protection while ensuring computational and communication efficiency.


I. INTRODUCTION
In recent years, with the rapid growth of hospitalized patients, it has become an increasingly difficult task to continuously monitor the health of patients by relying solely on medical professionals (such as doctors or nurses) [1]. Electronic health (e-Health) and mobile health provide the possibility to solve this problem. E-Health is an application based on Internet of Things which contains a series of healthcare information services [2], [3]. In this system, medical sensors are placed on the patient in advance to collect relevant physiological information, such as ECG, body temperature, blood pressure, pulse, etc. After that, the doctor can obtain medical information about the patient at any time and any place. This can not only reduce medical costs and make full use of limited medical resources but also help doctors make an early diagnosis and improve the quality of life of patients [1], [3], [4].

The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
As a typical application in e-Health, the Wireless Medical Sensor Network (WMSN) uses a Wireless Sensor Network (WSN) to complete the task of monitoring the health status of patients. It comprises numerous lightweight smart devices with limited storage space, computation power, transmission range, and battery life [5]-[7]. Besides, when the patient's health data are transmitted through an unsafe public channel, information protection and privacy protection become prominent problems and big challenges [8].
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

If we transmit patient medical data without any encryption through an unsafe public channel, it is very likely that this information can be obtained illegally, and the patient's privacy will then be exposed. Meanwhile, a malicious user may modify the intercepted data, disguise it as original information, and then send it to remote medical professionals, which will lead to inappropriate diagnosis and affect patient treatment. A user authentication and key agreement mechanism plays a vital role in protecting the patient's real-time data from unauthorized users; it can not only provide mutual authentication between all participating entities but also negotiate session keys to encrypt the transmitted data against eavesdropping [6], [8]-[11]. In 2012, Kumar et al. [12] proposed a user authentication protocol for medical monitoring. According to their security analysis, their solution can resist a variety of common security attacks and fully protect patient data from illegal users. However, Khan and Khan [13] and He et al. [14] pointed out that the protocol proposed by Kumar et al. [12] cannot resist insider privilege attack and offline password guessing attack, and lacks user anonymity and a complete mutual authentication mechanism. In order to overcome the above shortcomings, Khan and Khan [13] and He et al. [14] each proposed an improved two-factor user authentication protocol. Later in 2015, Wu et al. [15] found that He et al.'s scheme [14] could not resist offline password guessing attack, user impersonation attack, and sensor node capture attack. Then in 2016, Li et al. [16] found that He et al.'s scheme [14] had many problems during the login and authentication phases, and could not establish a correct session key.
Besides, there is no check to verify whether the password entered by the user is correct until the information is delivered to the gateway node (GWN), and this may even cause the user to fail the authentication process after updating the password with a wrong old password. Therefore, Li et al. [16] introduced biometrics in their improved user authentication protocol to try to eliminate the previous drawbacks. Unfortunately, Das et al. [17] confirmed that Li et al.'s scheme [16] still could not resist various attacks such as privileged-insider attack.
In 2014, Turkanović et al. [18] designed a novel lightweight user authentication and key agreement protocol for resource-constrained WSN which is claimed to have high security and to resist various common attacks. Unfortunately, in 2016, Farash et al. [19] showed that Turkanović et al.'s scheme [18] is very vulnerable to man-in-the-middle attack and stolen smart card attack. Besides, there was a lack of user untraceability and a secure session key protection mechanism. Subsequently, Amin and Biswas [20] further pointed out that any attacker can easily guess a user's identity and password in [18]. Later, the analysis results of Amin et al. [21] showed that the improved user authentication scheme of Farash et al. [19] still has multiple security flaws. Similarly, in 2016, Wu et al. [22] showed that the scheme of Amin and Biswas [20] has the problem of mission key leakage and forgery attacks.
In 2016, in order to reduce the communication cost of sensing nodes mentioned in [20], Amin et al. [23] designed a new lightweight user authentication scheme for use in patient monitoring systems. However, in 2017, Jiang et al. [24] showed that Amin et al.'s protocol [23] could not withstand the stolen mobile device attack, session key leakage, and desynchronization attack. Later, Wu et al. [25] in 2017 and Ali et al. [26] in 2018 further pointed out that, in Amin et al.'s protocol [23], system insiders can use their own privileges to obtain the password of any user, and an unauthorized attacker can also pass the system authentication through forged login information. But in 2018, Li et al. [27] analyzed Wu et al.'s scheme [25] and pointed out that the scheme is not user-friendly and does not provide forward security. In 2019, Chandrakar [9] mentioned that the protocol of Wu et al. [25] has some drawbacks, such as being unable to prevent replay attack. In the same year, in order to solve the historical flaws in the authentication protocols used for remote patient monitoring (including the lack of forward security and the desynchronization attack problem), Shuai et al. [28] designed a three-factor authentication scheme using hash functions and pseudonyms. In 2020, Mo et al. [29] pointed out that Ali et al.'s and Shuai et al.'s schemes [26], [28] are not as perfect as their own security analyses suggest. Both of them have the same security problems, i.e., there is still the possibility of privileged insider attack and offline dictionary guessing attack. To make matters worse, once a user changes his/her password, he/she will be permanently rejected by GWN when logging in to the network with the updated password.
In 2017, Challa et al. [30] designed a three-factor user authentication protocol for use in healthcare environments that takes into account both computational efficiency and security. In their scheme, in addition to providing a regular password update function, the user can also update his/her biometrics. In addition, a user re-registration function is added to the scheme to prevent the user's smart card from being lost or stolen. In 2019, Soni et al. [31] found many weaknesses in Challa et al.'s scheme [30]. Firstly, the attacker can easily calculate the session key; secondly, the attacker may destroy the normal connection process between the user and the sensor node; thirdly, the user re-registration process does not consider the issue of the revocation of the old smart card, which may cause the smart card flood. In 2020, Xu et al. [32] introduced chaotic maps and Rabin cryptosystem to improve Soni et al.'s scheme [31], providing a higher level of security and less computational consumption, which is more suitable for WMSN. Besides, Yazdinejad et al. [33] shortened the time for authentication in the hospital network by using the idea of blockchain.

A. MOTIVATION, METHODOLOGY AND CONTRIBUTION
The scheme of Farash et al. has been studied and analyzed by a large number of researchers, and many enhanced schemes have been proposed afterwards. However, most of these schemes did not adopt the architecture of Farash et al. for protocol design. Although Farash et al.'s protocol still uses the GWN to perform the authentication process, the user does not need to interact with the GWN directly and obtain only aggregated information about the sensor nodes, as in other schemes. The user can directly connect to and access a specific sensor node, thus providing a more direct approach. Therefore, we believe that the design idea of Farash et al. is worth learning from.
In this article, we first point out the security problems that still exist in Farash et al.'s scheme (i.e., privileged insider attack, user anonymity problem, and stolen smart card attack). To overcome these weaknesses, we use the principle of elliptic curve cryptography (ECC) to improve the scheme, relying on the CDH (Computational Diffie-Hellman) problem in ECC. The CDH problem states that, given random numbers a, b and a point P, it is easy to calculate abP; but given only P, aP, and bP, it is computationally infeasible to calculate abP in a limited time. Besides, we preserve the timestamp mechanism to ensure the freshness of the messages in our protocol.
Based on the above principles, we propose an improved anonymous user authentication and key agreement protocol for health monitoring. In the subsequent security analysis, we proved the security of our protocol through Burrows-Abadi-Needham (BAN) logic and Automated Validation of Internet Security Protocols and Applications (AVISPA) tools. The performance comparison and efficiency analysis results confirm that the improved protocol provides a higher security level while ensuring computation efficiency.

B. ORGANIZATION OF THE PAPER
The remainder of this paper is organized as follows. In Section II, we briefly review Farash et al.'s scheme, and in Section III we point out its drawbacks. In order to eliminate these shortcomings, we propose an improved user authentication protocol for intelligent medical systems in Section IV. In Sections V and VI, the security analysis of the proposed protocol is shown, including informal security analysis and mutual authentication proof using BAN logic. Further, we depict the simulation outputs using AVISPA in Section VII. The security features comparison and effectiveness analysis with other related schemes are illustrated in Section VIII. Finally, the conclusion is presented in Section IX.

II. REVIEW OF FARASH et al.'s SCHEME
In this section, we briefly review Farash et al.'s scheme [19] so that its content is easier to follow. According to Farash et al.'s description, their scheme includes five phases. For the purpose of this article, we describe only the first four phases in detail and omit the dynamic node addition phase. TABLE 1 depicts all notations used in the scheme.

A. PRE-DEPLOYMENT PHASE
In order to enable the network to operate normally, the system administrator SA must first perform the pre-deployment phase in offline mode. At this stage, SA selects a secure password $X_{GWN}$ which is known only to the GWN. Each sensor node $S_j$ is pre-defined with its identity $SID_j$, and the gateway node GWN generates and stores a password $X_{GWN-S_j}$ which is known only to the GWN and the related $S_j$ ($1 \le j \le m$), where $m$ represents the number of sensor nodes. The shared key $X_{GWN-S_j}$ will be used in the subsequent sensor node registration phase. It is worth noting that when $S_j$ is successfully registered, the password $X_{GWN-S_j}$ is deleted from the memory of $S_j$. Meanwhile, the gateway node GWN also discards this information permanently. In addition, the sensor identity $SID_j$ is also deleted from the GWN, which allows the GWN to add a huge number of additional sensor nodes to this network, regardless of the GWN memory limit.

B. REGISTRATION PHASE
In this stage, a user needs to obtain a legal identity to access the system, and sensors need to complete the remaining initialization in order to work normally. In the subsequent login and authentication phases, only registered users and sensor nodes can be verified by GWN, negotiate the session key with each other, and achieve successful mutual communication. User and sensor node registration are shown in FIGURE 1 and 2.

C. LOGIN AND AUTHENTICATION PHASE
This phase is shown in FIGURE 3.

D. PASSWORD CHANGE PHASE
This phase is shown in FIGURE 4.

III. WEAKNESSES OF FARASH et al.'s SCHEME

A. WEAKNESS 1: PRIVILEGED INSIDER ATTACK
A privileged insider attack is an attack initiated by a privileged but malicious person. Although the GWN is generally considered as a trusted subject in the authentication scheme, the system administrator may also use his/her privileges to try to obtain some sensitive information, such as user identity, user password, session key, and so on. Assuming that adversary A is a privileged attacker, A can compute the session key of a session through the following steps:
Step1: A gets $X_{GWN}$ from the GWN memory.
Step2: During the login and authentication phase, A can receive the message and then A computes:
Once a privileged insider A calculates the session key SK, he/she can eavesdrop on the messages which are exchanged between the user and the sensor node even if these messages are encrypted by SK.

B. WEAKNESS 2: USER ANONYMITY PROBLEM
A secure identity authentication protocol requires complete confidentiality of the user's identity $ID_i$, hence all transmitted information that covers it should be highly encrypted so that no adversary can crack it in any way. However, Farash et al.'s scheme is not secure in terms of user anonymity. The user's identity $ID_i$ can be extracted through the following steps:
Step1: Any authenticated user $U_i$ has the capacity to retrieve the information $\{r_i, e_i, f_i, g_i\}$ from his/her smart card using the power consumption monitoring methods.
Step2: Assuming adversary A is an authenticated user, A can use his/her password $PW_i$ to compute
Step3: During the login and authentication phase of
Therefore, any registered user can easily obtain the identity information of other users, which violates the user anonymity property that a security scheme should have.

C. WEAKNESS 3: STOLEN SMART CARD ATTACK
Sometimes the user's smart card SC would be lost, such as being picked up or stolen by an adversary A. Afterward, A can retrieve the information $\{r_i, e_i, f_i, g_i\}$ from the smart card. As stated in subsection B, if adversary A is an authenticated user, A can easily obtain the identity information $ID_i$ of any other user $U_i$. Based on this information, A can launch the offline password guessing attack through the following steps:
Step1
Step3: Otherwise, A repeats from Step1 until he/she guesses the correct password $PW_i$.
After extracting the correct password $PW_i$, A can also launch the new smart card problem attack. In this situation, the attacker may use $U_i$'s original identity $ID_i$ and a new password (not equal to $PW_i$) to create a new smart card, and then use the new smart card to login to the network as $ID_i$ and pass the verification. Further, he/she can access all the information which is transmitted by any registered $S_j$. We conclude the implementation process of this attack by the following steps:
Step1
Step2

Step3: A chooses a new smart card and inserts {r
Obviously, the adversary can use this new smart card to pass GWN's verification and successfully login to the system.

IV. PROPOSED PROTOCOL
In this section, we propose an enhanced protocol based on the CDH problem to overcome the shortcomings of Farash et al.'s scheme, and the architecture of the health monitor system is depicted in FIGURE 5. Medical sensor nodes are placed on the patient, collect relevant physiological data, and regularly upload it to a cloud service platform with sufficient storage and computing capabilities. Users (i.e., medical professionals) can obtain historical data of patients through the cloud service platform, analyze the transfer and development of the disease, and help guide patients' long-term health management. This aspect is outside the scope of our article (shown by the dashed line). More often, medical professionals want to obtain real-time patient data. In this scenario, the communication between doctors and medical sensors is carried out through insecure public channels. Therefore, before accessing the medical information of a patient, the mutual authentication between the user and the medical sensor must be completed to verify the legitimacy of both parties. In the proposed protocol, the mutual authentication process includes four steps, as shown by the solid line. The medical user first establishes a connection with a specific sensor node and sends an authentication request; then the sensor node sends its own information along with the information received from the user to the gateway node for authentication. After successfully verifying their identities, the gateway node sends a reply message to the sensor node and the user in turn to complete the authentication and key agreement process.
Inheriting the framework of Farash et al.'s scheme, the enhanced protocol still consists of the above five phases. The difference is that we will redesign some of the details of the previous process to improve the security features. TABLE 2 depicts all new notations in our protocol.

A. PRE-DEPLOYMENT PHASE
This phase is the same as Farash et al.'s scheme which has been described above. In particular, the system administrator SA is to preset the identity information $SID_j$ and the corresponding security password $X_{GWN-S_j}$ for each medical sensor that will be placed on the patient in our protocol.

B. REGISTRATION PHASE
The phase still contains two different parts: medical professional user registration and medical sensor node registration. For the user registration phase, a medical professional must first register in the system when he/she wants to obtain the medical data of a patient, in order to protect the privacy of patients. Only authorized users (such as doctors and nurses) can access this sensitive information. We describe the process of user registration in detail:
Step1: The medical professional $U_i$ chooses an identity $ID_i$, a password $PW_i$, and a random number $r_i$, then com-
Step2: Upon receiving the message
Then GWN writes $e_i$, $f_i$, and $g_i$ into a SC and issues it to $U_i$.
Step3: The medical professional $U_i$ computes $r_i^* = h(ID_i \| PW_i) \oplus r_i$, and inserts $r_i^*$ into SC.
The illustration of the process is depicted in FIGURE 6.
When a medical sensor node needs to be registered, there is no change and the steps of FIGURE 2 are simply followed:
Step1: $S_j$ first selects a random number $r_j$, and computes
Step2: After receiving the sensor registration message, GWN checks if $|T_1 - T_c| < \Delta T$ to avoid potential replay attack. If the condition holds, GWN uses its $X_{GWN-S_j}$ and the received information $MN_j$ to compute its own version
Finally, the message $\{e_j, f_j, d_j, T_2\}$ is sent to $S_j$ as a response.
Step3: Similarly, $S_j$ first checks if $|T_2 - T_c| < \Delta T$ to avoid potential replay attack. Afterwards, $S_j$ computes its own version $x_j = e_j \oplus X_{GWN-S_j}$ and authenticates the identity of GWN by checking if $f_j = h(x_j \| d_j \| X_{GWN-S_j} \| T_2)$. $S_j$ then computes $h(X_{GWN} \| 1) = d_j \oplus h(X_{GWN-S_j} \| T_2)$ and stores the information $\{x_j, h(X_{GWN} \| 1)\}$ in its memory. Finally, $S_j$ deletes the shared password $X_{GWN-S_j}$ and sends a successful confirmation message to GWN.
Step4: After receiving the successful confirmation message, GWN deletes $\{SID_j, X_{GWN-S_j}\}$.
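The sensor-side handling of Step3 of the sensor node registration, as an added example that is not code from the paper. Assumptions: SHA-512 as $h$, length-prefixed fields for the concatenation, a 5-second freshness window, and a hypothetical fixture `gwn_response` that builds the reply by inverting the Step3 equations, because GWN's own Step2 formulas are not shown here.

```python
import hashlib
import hmac

DELTA_T = 5  # assumed freshness window in seconds


def h(*fields):
    """SHA-512 over length-prefixed byte fields (the prefixing is an added assumption)."""
    return hashlib.sha512(b"".join(len(f).to_bytes(2, "big") + f for f in fields)).digest()


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def ts(t):
    """Encode an integer timestamp as 8 bytes."""
    return t.to_bytes(8, "big")


def gwn_response(x_j, h_xgwn_1, X_gwn_sj, T2):
    """Hypothetical fixture: the reply {e_j, f_j, d_j, T_2} that satisfies the Step3 checks."""
    d_j = xor(h_xgwn_1, h(X_gwn_sj, ts(T2)))
    return {"e_j": xor(x_j, X_gwn_sj), "d_j": d_j,
            "f_j": h(x_j, d_j, X_gwn_sj, ts(T2)), "T2": T2}


class SensorNode:
    def __init__(self, SID_j, X_gwn_sj):
        # Pre-deployment state: identity and the password shared with GWN.
        self.memory = {"SID_j": SID_j, "X_GWN_Sj": X_gwn_sj}

    def finish_registration(self, reply, now):
        """Step3: check freshness, authenticate GWN, store secrets, erase the password."""
        if abs(reply["T2"] - now) >= DELTA_T:
            raise ValueError("T2 outside the freshness window")
        X = self.memory["X_GWN_Sj"]
        x_j = xor(reply["e_j"], X)
        expected = h(x_j, reply["d_j"], X, ts(reply["T2"]))
        if not hmac.compare_digest(reply["f_j"], expected):
            raise ValueError("f_j mismatch: reply not from GWN or modified")
        self.memory["x_j"] = x_j
        self.memory["h_XGWN_1"] = xor(reply["d_j"], h(X, ts(reply["T2"])))
        # The shared password is erased only after verification succeeded,
        # so a forged or stale reply cannot leave the node unable to register.
        del self.memory["X_GWN_Sj"]
        return "confirmed"


def demo(now=1_700_000_000):
    """Register one node with constructed sample secrets (not values from the paper)."""
    X, x_j, hx = bytes(range(64)), b"\x11" * 64, b"\x22" * 64
    node = SensorNode(b"sensor-17", X)
    node.finish_registration(gwn_response(x_j, hx, X, now), now + 1)
    return sorted(node.memory)
```
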

C. LOGIN AND AUTHENTICATION PHASE
Step1: $U_i$ inserts the SC into a reader and inputs his/her . SC verifies the legitimacy of $U_i$ by checking if $e_i = h(RSP_i \| MID_i)$. If this condition holds, $U_i$ has a successful login.
Step2 . SC respectively chooses $a$ to compute $R_1 = aP$ and $c$ to mask the true identity with , and sends the message $\{M_1, M_2, R_1, T_1\}$ to GWN for authentication.
Step3: After receiving $U_i$'s authentication message, $S_j$ will add its own information and send it to GWN for verification. But before that, $S_j$ must first check if $|T_1 - T_c| < \Delta T$ to prevent replay attack. Then $S_j$ chooses a random number $b$,
Step4: Similarly, GWN first checks if $|T_2 - T_c| < \Delta T$ to prevent replay attack. Then GWN computes its own version
Step5: When $S_j$ receives the response message from GWN, this shows that $U_i$ is a legitimate user. Hence, $S_j$ starts to check if $|T_3 - T_c| < \Delta T$ to prevent replay attack. Then $S_j$ authenticates GWN by comparing the received value $M_5$ with its own computed value $h(x_j \| R_1 \| T_3)$. If the two values are equal, then it proves that the received message is trustworthy. $S_j$ continues to compute $MID_1 = M_6 \oplus h(x_j \| T_3)$ and generates the session key
Step6: When $U_i$ receives the response message from $S_j$, $U_i$ starts to check if $|T_4 - T_c| < \Delta T$ to prevent replay attack. Then $U_i$ authenticates GWN by comparing the received value $M_4$ with its own computed value $h(x_i \| R_2 \| T_3)$. If the two values are equal, then $S_j$ continues to compute $R_4 = aR_2$, and generates the session key $SK = h(MID_1 \| SID_j \| R_4 \| T_3 \| T_4)$. At the end of the authentication phase, $U_i$ needs to verify the legitimacy of $S_j$ by comparing the received value $M_7$ with its own computed value $h(SK \| M_4 \| T_3 \| T_4)$. If this condition holds, $U_i$ verifies the legitimacy of $S_j$ and can use the SK for subsequent information transmission.
The illustration of the process is depicted in FIGURE 7.

D. PASSWORD CHANGE PHASE
Step1: $U_i$ must first finish the successful login process through Step1 of Section IV, subsection C.
Step2
Thus SC computes all the values that need to be changed due to the new password, including:
The illustration of the process is depicted in FIGURE 8.

E. DYNAMIC NODE ADDITION PHASE
The main purpose of this phase is to meet the needs of system expansion and replacement of damaged nodes. During the operation of the system, there will be new patients who need to be monitored, so new medical sensors need to be added to ensure the system performance. In addition, medical sensor nodes on some patients may be maliciously damaged or may have reached the end of their useful lives, so these nodes need to be replaced with new ones to ensure the normal operation of the system. Suppose a new sensor node $S_j^{new}$ needs to be replaced in a patient; the dynamic node addition is performed by the following steps:
Step1
Step3: SA informs the registered users (i.e., medical professionals) that they can communicate with $S_j^{new}$.

V. SECURITY ANALYSIS

A. PRIVILEGED INSIDER ATTACK
It is well known that many users may use the same identity and password in different systems. Therefore, even though the GWN is regarded as a trusted subject in our protocol, we should also avoid the possibility of privileged but malicious system administrators extracting the sensitive information (i.e., $ID_i$, $PW_i$) of registered users in various ways. Once this sensitive information is extracted, the adversary could impersonate a legitimate user and initiate further attacks. The proposed protocol resists this possible attack by taking more careful steps to protect user information. During user registration phase, the user $U_i$ . To guess the correct information $\{ID_i, PW_i\}$, the privileged insider attacker first needs to know $r_i$. However, SC does not store $r_i$ but $r_i^*$, where $r_i^* = h(ID_i \| PW_i) \oplus r_i$. In other words, there is no way for GWN to retrieve $r_i$. In addition, during the authentication phase, GWN can only retrieve $MID_1$ from $\{M_1, M_2, M_3, T_1, T_2, ESID_j, R_1, R_1\}$, which is different in each session, and $PW_i$ is never transmitted over these insecure channels. As a result, it is impossible for any privileged insider to reveal this useful information in our protocol.

B. USER ANONYMITY
In the registration phase, only $\{MID_i, RSP_i\}$ is sent to the gateway node GWN via a secure channel, where
Moreover, the user $U_i$ communicates with $S_j$ and GWN as $MID_1$, where $MID_1 = h(c \| ID_i)$ and $c$ is generated freshly for each session. This means that the user $U_i$ never reveals his/her true identity $ID_i$ to transmit between channels and the adversary A cannot extract $ID_i$.

C. OFFLINE PASSWORD GUESSING ATTACK
Assume that the adversary A retrieves the information $\{r_i^*, e_i, f_i, g_i\}$ from a stolen/lost smart card SC. However, , the $ID_i$ is anonymous and never revealed to others. Thus, the adversary A must first guess the correct identity $ID_i$ before A can guess the password $PW_i$. This is almost impossible for the attacker.

D. KNOWN SESSION SPECIFIC TEMPORARY INFORMATION ATTACK
In the authentication phase, we use the timestamp mechanism and CDH to prevent known session specific temporary information attack. Random numbers $a$, $b$ are regenerated in each session to evaluate the session key $SK = h(MID_1 \| SID_j \| abP \| T_3 \| T_4)$. Based on CDH, it is a computationally difficult problem to compute $abP$ even if the attacker gets the information $aP$ and $bP$. Besides, the protocol uses $T_3$ and $T_4$ to check whether the session message is the latest or not. If the condition does not hold, the protocol rejects the message and aborts the session.
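The key agreement of Step5 and Step6 in Section IV-C together with the freshness checks described above, as an added example that is not code from the paper. Assumptions: secp256k1 as the curve (the paper names none), SHA-512 over length-prefixed fields as $h$, a 5-second window for the timestamp check, and a hypothetical fixture `gwn_reply` that produces $M_4$, $M_5$, $M_6$ from the verification equations stated for $S_j$ and $U_i$.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters. Assumption: the paper does not name a curve.
P = 2**256 - 2**32 - 977
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # assumed freshness window in seconds

def on_curve(pt):
    """True only for an affine point satisfying y^2 = x^3 + 7 over GF(P)."""
    if not (isinstance(pt, tuple) and len(pt) == 2):
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - B) % P == 0

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(*fields):
    """SHA-512 over length-prefixed fields; the prefixing is an added assumption."""
    d = hashlib.sha512()
    for v in fields:
        if isinstance(v, tuple):                      # curve point -> x || y
            v = v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
        elif isinstance(v, int):                      # timestamp
            v = v.to_bytes(8, "big")
        d.update(len(v).to_bytes(2, "big") + v)
    return d.digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def require(ok, why):
    if not ok:
        raise ValueError(why)

def gwn_reply(x_i, x_j, MID1, R1, R2, T3):
    """Hypothetical fixture: M4, M5, M6 built so the Step5/Step6 checks hold."""
    return h(x_i, R2, T3), h(x_j, R1, T3), xor(MID1, h(x_j, T3))

def sensor_step5(b, x_j, SID_j, R1, M4, M5, M6, T3, now):
    require(abs(T3 - now) < DELTA_T, "T3 is stale")
    require(on_curve(R1), "R1 is not a valid curve point")
    require(hmac.compare_digest(M5, h(x_j, R1, T3)), "GWN not authenticated")
    MID1 = xor(M6, h(x_j, T3))
    T4 = now
    SK = h(MID1, SID_j, mul(b, R1), T3, T4)           # abP obtained as b*(aP)
    return SK, {"M4": M4, "M7": h(SK, M4, T3, T4), "R2": mul(b, G), "T3": T3, "T4": T4}

def user_step6(a, x_i, MID1, SID_j, msg, now):
    M4, M7, R2, T3, T4 = (msg[k] for k in ("M4", "M7", "R2", "T3", "T4"))
    require(abs(T4 - now) < DELTA_T, "T4 is stale")
    require(on_curve(R2), "R2 is not a valid curve point")
    require(hmac.compare_digest(M4, h(x_i, R2, T3)), "GWN not authenticated")
    SK = h(MID1, SID_j, mul(a, R2), T3, T4)           # R4 = a*R2 = abP
    require(hmac.compare_digest(M7, h(SK, M4, T3, T4)), "S_j not authenticated")
    return SK

def run_session(now=1_700_000_000):
    """One session with constructed secrets and identities (not from the paper)."""
    x_i, x_j = secrets.token_bytes(64), secrets.token_bytes(64)
    SID_j, MID1 = b"sensor-17", h(secrets.token_bytes(16), b"dr-alice")  # h(c || ID_i)
    a, b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    R1, R2 = mul(a, G), mul(b, G)
    M4, M5, M6 = gwn_reply(x_i, x_j, MID1, R1, R2, now)
    sk_s, msg = sensor_step5(b, x_j, SID_j, R1, M4, M5, M6, now, now + 1)
    sk_u = user_step6(a, x_i, MID1, SID_j, msg, now + 2)
    return sk_u, sk_s, (a, x_i, MID1, SID_j, msg)
```

Both sides reach the same SK only through their own scalar ($a$ or $b$) and the peer's public point, and a replaced $R_2$ is caught by the $M_4$ check before any key is derived.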

E. PASSWORD CHANGE ATTACK
In the password change phase, user $U_i$ inserts his/her SC into a terminal and inputs $ID_i$, $PW_i$. Then SC com- and checks whether $e_i = e_i$ or not. If the condition holds, SC asks $U_i$ for a new password $PW_i^{new}$ to replace the old one. Otherwise, SC rejects the request. If an attacker wants to change the password, he/she must know the information $\{ID_i, PW_i\}$ in advance to pass the equation verification $e_i = e_i$. As mentioned earlier, the attacker cannot obtain $\{ID_i, PW_i\}$ in any way. Therefore, the proposed protocol provides security against the password change attack.

F. TRACEABILITY ATTACK
In this attack, the attacker usually eavesdrops on two different session login and authentication messages and compares them. If the two messages have the same components, the attacker infers that they belong to the same user, so that the login activity of a single user can be tracked by the attacker. However, it is impossible for the attacker to track anyone in our protocol. In the login and authentication phase, the user sends the mes- , $R_1 = aP$, and $T_1$ is the current timestamp. Note that the random numbers (i.e., $a$, $c$) and the timestamp are different in each session, so the message of each session differs from the other sessions. Similarly, other transmitted messages in this phase also depend on random numbers and timestamps. Hence, the protocol can resist the traceability attack.

VI. MUTUAL AUTHENTICATION PROOF USING BAN LOGIC
Through the security analysis using the widely-accepted BAN logic [34], it is shown that the proposed protocol provides the mutual authentication between a user $U_i$ and a medical sensor node $S_j$.

A. GOALS
The proposed protocol must meet the following goals to prove that the protocol is secure:

The ideal form of the messages exchanged in the protocol is expressed as follows:
Message 1:
Message 4:

C. ASSUMPTIONS
The following assumptions about the initial state are used to analyze the proposed protocol:

Based on logical postulates in the BAN logic, the proof process is as follows:
From Message 1, we have,
From (1), $A_{14}$, and message-meaning rule, we have,
From $A_1$ and freshness rule, we have,
From (2), (3), and nonce-verification rule, we have,
From (4) and belief rule, we have,
From (5), $A_{17}$ and jurisdiction rule, we have,
From Message 2, we have,
From (7), $A_{11}$, and message-meaning rule, we have,
From $A_1$, $A_5$, and freshness rule, we have,
From (8), (9), and nonce-verification rule, we have,
From (10) and belief rule, we have,
From (11), $A_{16}$, and jurisdiction rule, we have,
From Message 3, we have,
From (13), $A_{15}$, and message-meaning rule, we have,
From $A_2$ and freshness rule, we have,
From (14), (15), and nonce-verification rule, we have,
From (16) and belief rule, we have,
From (17), $A_{19}$, and jurisdiction rule, we have,
From Message 4, we have,
From (19), $A_{13}$, and message-meaning rule, we have,
From $A_2$, $A_6$, and freshness rule, we have,
From (20), (21), and nonce-verification rule, we have,
From (22) and belief rule, we have,
From (23), $A_{18}$, and jurisdiction rule, we have,
From Message 5, we have,
From (25), $A_{12}$, and message-meaning rule, we have,
From $A_7$ and freshness rule, we have,
From (26), (27), and nonce-verification rule, we have,
From (28) and belief rule, we have,
From Message 6, we have,
From (30), $A_{12}$, and message-meaning rule, we have,
From $A_3$, $A_9$, and freshness rule, we have,
From (31), (32), and nonce-verification rule, we have,
From (33) and belief rule, we have,
From (Goal 4), $A_{20}$, and jurisdiction rule, we have,
From Message 7, we have,
From (34), $A_{10}$, and message-meaning rule, we have,
From $A_8$ and freshness rule, we have,
From (35), (36), and nonce-verification rule, we have,
From (37) and belief rule, we have,
From Message 8, we have,
From (39), $A_{10}$, and message-meaning rule, we have,
From $A_4$ and freshness rule, we have,
From (40), (41), and nonce-verification rule, we have,
From (42) and belief rule, we have,
From (Goal 2), $A_{21}$, and jurisdiction rule, we have,

According to Goal 1, Goal 2, Goal 3, and Goal 4, it is obvious that the improved protocol makes it successful to provide a secure mutual authentication between a medical professional user $U_i$ and a medical sensor node $S_j$.

VII. SIMULATION OF PROPOSED PROTOCOL USING AVISPA TOOL
There is a popular simulation tool called AVISPA which has the ability to automatically verify network security protocols and applications. In this section, we use the AVISPA tool to simulate the proposed protocol and verify whether the protocol is secure against an attacker.
Before the simulation, the protocol needs to be implemented in HLPSL (High Level Protocol Specification Language), which can be recognized by the AVISPA tool. In the HLPSL implementation, the roles of all participating entities are specified, including the medical professional $U_i$, the medical sensor $S_j$, the gateway node GWN, as well as the session, the environment, and the goal. In FIGURE 9, we depict the role of the medical professional $U_i$. When the user wants to register in the system, $U_i$ first computes and transmits the request message $\{MID_i, RSP_i\}$ to the gateway node GWN using the Snd() operation via a secure channel. The statement secret ({$ID_i$, $PW_i$}, sec_subs1, $U_i$) indicates that only $U_i$ knows $ID_i$ and $PW_i$. Afterward, $U_i$ obtains a smart card with the information $\{E_i, F_i, G_i\}$ stored in it using the Rcv() operation via a secure channel. When the professional wants to log in to the system, $U_i$ generates a fresh timestamp $T_1$ and random numbers An, Cn with the help of the new() operation, and then forwards the message $\{M_1, M_2, R_1, T_1\}$ to the medical sensor $S_j$ by the Snd() operation via an insecure channel. The statements secret ({An'}, sec_a, $U_i$) and secret ({Cn'}, sec_a, $U_i$) indicate that An' and Cn' are $U_i$'s secrets and undisclosed to anyone else. The statements witness ($U_i$, $S_j$, user_sensor_a, An') and witness ($U_i$, G, user_gwn_a, An') indicate that $U_i$ generates the fresh value An for $S_j$ and GWN respectively. Finally, when $U_i$ receives the message $\{M_4, M_7, R_2, T_3, T_4\}$ from $S_j$ using Rcv() via an insecure channel, $U_i$ computes SK. The statement secret ({SK'}, sec_sk, {$U_i$, $S_j$}) indicates that SK is a secret that only $U_i$ and $S_j$ know. The statement request ($S_j$, $U_i$, sensor_user_b, Bn) indicates that $S_j$ authenticated the identity of $U_i$ by its generated number Bn. The type statement channel(dy) indicates that the channels follow the Dolev-Yao threat model.
In FIGURE 10, we give the role of the medical sensor S_j in HLPSL. In the medical sensor registration phase, S_j initially generates the timestamp TS_1 and the random number R_j, and then transmits the message {SID_j, MP_j, MN_j, TS_1} to GWN by the Snd() operation through an insecure open channel. The statement witness(S_j, G, sensor_gwn_rj, R_j) indicates that S_j generates the fresh value R_j for GWN. In the login and authentication phase, when S_j gets the message {M_1, M_2, R_1, T_1} from U_i using the Rcv() operation, S_j generates the timestamp T_2 and the random number Bn using the new() operation, and forwards the message {M_1, M_2, M_3, T_1, T_2, ESID_j, R_1, R_2} to GWN. The statement secret({Bn'}, sec_b, S_j) indicates that Bn' is known only to S_j. The statements witness(S_j, U_i, sensor_user_b, Bn') and witness(S_j, G, sensor_gwn_b, Bn') indicate that S_j generates the fresh value Bn for U_i and GWN, respectively. Thereafter, S_j gets the message {M_4, M_5, M_6, R_1, T_3} from GWN using the Rcv() operation. Then S_j generates the timestamp T_4 using the new() operation and computes SK. In the end, S_j transmits the message {M_4, M_7, R_2, T_3, T_4} to U_i using the Snd() operation. The statement request(U_i, S_j, user_sensor_a, An) indicates that U_i authenticated the identity of S_j by its generated number An.
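The witness and request statements described above are what an authentication goal is checked against. The following added example (not the paper's HLPSL and not AVISPA's implementation) is a simplified Python model of that matching over constructed event traces; the tuple layout, nonce placeholders and function name are assumptions made for illustration.

```python
from collections import Counter

# Constructed traces. Goal identifiers come from the paper's HLPSL roles;
# nonce values such as "An#1" are placeholders, not protocol output.
# Event layout (an assumption of this model, not HLPSL argument order):
#   (kind, generator_of_value, acceptor_of_value, goal_id, value)
HONEST_TRACE = [
    ("witness", "Ui", "Sj", "user_sensor_a", "An#1"),  # Ui vouches for An
    ("witness", "Sj", "Ui", "sensor_user_b", "Bn#1"),  # Sj vouches for Bn
    ("request", "Ui", "Sj", "user_sensor_a", "An#1"),  # Sj accepts An as Ui's
    ("request", "Sj", "Ui", "sensor_user_b", "Bn#1"),  # Ui accepts Bn as Sj's
]
# Hypothetical run in which Sj accepts the same An a second time.
REPLAY_TRACE = HONEST_TRACE + [
    ("request", "Ui", "Sj", "user_sensor_a", "An#1"),
]
# Hypothetical run in which Sj accepts a value Ui never vouched for.
FORGED_TRACE = [
    ("request", "Ui", "Sj", "user_sensor_a", "An#forged"),
]

def check_authentication(trace, strong=True):
    """Return the violations of an authentication goal found in a trace.

    Weak authentication: every accepted value must have a matching earlier
    witness event. Strong authentication additionally requires that the
    same value is not accepted twice for the same pair and goal.
    """
    witnessed = set()
    accepted = Counter()
    violations = []
    for kind, generator, acceptor, goal, value in trace:
        key = (generator, acceptor, goal, value)
        if kind == "witness":
            witnessed.add(key)
        elif kind == "request":
            if key not in witnessed:
                violations.append(("no_witness", goal, value))
            accepted[key] += 1
            if strong and accepted[key] > 1:
                violations.append(("replay", goal, value))
    return violations

if __name__ == "__main__":
    for name, trace in [("honest", HONEST_TRACE), ("replay", REPLAY_TRACE),
                        ("forged", FORGED_TRACE)]:
        print(name, check_authentication(trace))
```

The traces are inputs to the checker only; they say nothing about whether the proposed protocol admits such runs, which is what the OFMC and CL-AtSe back ends search for.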
In FIGURE 11, we summarize the implementation of the gateway node GWN in HLPSL. In the user registration phase, GWN gets the request message {MID_i, RSP_i} from the medical professional U_i using the Rcv() operation. GWN sends the
We also describe the role of session, environment, and goal in FIGURE 12. There are 6 secrecy goals and 4 authentication goals as follows:
FIGURES 13 and 14 show the simulation results of our protocol in the OFMC and CL-AtSe back ends, respectively. The results show that the proposed protocol is secure against potential attacks.
and T_pa ≈ 0.0288 ms as mentioned in [35], [36]. TABLE 4 shows the results. The comparison shows that our proposed protocol has a higher computational cost than some other schemes [9], [19], [25]. This is because we use additional point multiplication operations to solve potential security problems. Compared with the schemes [1], [37], [38] that also use point multiplication operations, the computational cost of our protocol is not high.
We also compare the communication cost of our protocol with other existing schemes. We assume that the lengths of the identity, password, random number, and hash function output (SHA-512) are each 512 bits. The lengths of the timestamp and the ECC point are 160 bits and 320 bits, respectively. The analysis result is shown in TABLE 5. We can see that the protocol in [19] has the highest communication cost and that our protocol is at the middle level. Even though the protocols in [1], [38] require less communication cost than ours, they lack many of the security features shown in TABLE 3. Above all, our protocol provides more complete security features and a more robust authentication process while ensuring efficiency in terms of computational and communication costs.

IX. CONCLUSION
In this research, we first reviewed and analyzed the scheme of Farash et al. and found that it has many security problems, such as privileged insider attacks, user anonymity problems, stolen smart card attacks, and offline password guessing attacks. To remedy these security flaws, we proposed an improved ECC-based anonymous authentication protocol for smart healthcare systems using WMSN. The formal analysis using BAN logic and the informal security analysis ensured that our protocol can provide secure mutual authentication and resist various security attacks. In addition, simulation outputs using AVISPA showed that the scheme is secure against intruders. Finally, the security feature comparison and efficiency analysis of our protocol against other existing schemes showed that the improved protocol can provide more robust security features and less communication cost while adding a small amount of computational cost. Therefore, our protocol is suitable for use in the smart healthcare environment.
However, we must point out that the protocol still has some shortcomings. There is still room for improvement in the communication cost of our protocol. Besides, the storage and computational capacity of a single gateway node are always limited, which also limits the authentication tasks it can undertake. Therefore, in practical use, multiple gateways would be used to coordinately manage a huge medical monitoring network. Hence, how to enable users registered in one GWN to pass the authentication of another GWN and access the medical sensor information managed by the latter GWN becomes a question worth considering. In the future, we need to consider how to solve this problem in an authentication protocol for multi-gateway WMSN. In addition, how to achieve cross-hospital information transmission is also something the protocol needs to settle.
From 1990 to 1996, he worked in hospital and global medical equipment manufacture. He has been trained on MRI and CT technology four times in Japan and USA. Since 1997, he has been in charge of device management and quality control of medical equipment with Shanghai Sixth People's Hospital for 20 years. He is currently the Vice-Director of Shanghai Sixth People's Hospital Affiliated to Shanghai Jiao Tong University (East-Campus). He authored and coauthored six books and published over 60 articles in national statistical source journals. His research interests include regional medical equipment management and quality control, assessment and management of medical equipment suppliers, management of service and rating of customer satisfaction, evaluation of medical imaging equipment performance and service system, the IoT, and communication safety in medical technology management.
Mr. Li