An Efficient, Hybrid Authentication Using ECG and Lightweight Cryptographic Scheme for WBAN

The Wireless Body Area Network (WBAN) plays a pivotal role in providing ubiquitous computing and has applications in different fields, especially in health monitoring. Advances in wearable devices have revolutionized the concept of medical services and brought ease to our daily lives. However, the latent threat posed by attackers has increased concerns about the security and privacy of patients' data, owing to the open nature of the wireless network. Authentication schemes are used to secure patients' critical data against different types of cyber-attacks. In this paper, we extend our previous work by presenting an anonymous, hybrid authentication scheme that combines physiological signals with a lightweight cryptographic method to provide robust security against well-known attacks, in particular key escrow and base station compromise, and to provide untraceability of sessions. The broadly accepted BAN logic is used to give a formal proof of mutual authentication and key agreement, and informal verification is performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Furthermore, a comparative analysis of the proposed scheme with peer work shows that it achieves better security at low computational, communication, energy-consumption, and storage overheads.


I. INTRODUCTION
Recent developments in technology have opened new avenues in the field of research. The Wireless Body Area Network (WBAN) is one of the promising research directions that has received extensive attention. Medical services have been improving thanks to emerging trends in this technology, which has added convenience to our daily lives. However, reliance on wireless technology is accompanied by the potential threat of an attacker breaching the privacy and confidentiality of medical data by passively slipping into the network. Physiological data is usually collected through sensors attached to the human body and, with the mediation of smartphones, ultimately reaches the medical practitioner [1]. The architecture of WBAN is depicted in Fig. 1.
The associate editor coordinating the review of this manuscript and approving it for publication was Tie Qiu .
Authentication schemes provide a remedy for securing a person's most critical data, such as records of Electrocardiogram (ECG), Blood Pressure (BP), sugar level, etc. Different classifications are found in the literature, and every author has categorized them differently [2]-[4]. Authentication schemes that use the physiological features of patients are considered adequate for resource-constrained devices such as those in a WBAN [5]-[7]. However, they are considered vulnerable to Denial-of-Service (DoS) attacks, and capturing similar signals from different devices on various parts of the human body is also a challenging issue [8].
Anonymous authentication schemes are another promising category in which a lot of research work is going on. They offer lightweight cryptographic solutions suitable for the WBAN environment. Kompara et al. [9] presented a lightweight anonymous authentication and key agreement scheme using a hash function and XOR operations. Their work protects against various known attacks such as eavesdropping, session linking, and hub and sensor node impersonation attacks. However, the performance results showed that the scheme holds equivalent ground in terms of computation time, energy consumption, computational cost, and storage overheads. Moreover, on closer scrutiny we uncovered a few vulnerabilities in Kompara et al. [9], namely sensor node impersonation, base-station compromise, and Intermediate Node (IN) compromise attacks, and offered solutions to these vulnerabilities in one of our earlier works, Rehman et al. [10].
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In the work of Rehman et al. [10], we offered an enhanced scheme that not only fixed the identified vulnerabilities but also made vital architectural changes to the original scheme, which reduced the overall communication cost remarkably below that of the original scheme and of peer schemes as well. Similarly, the authentication schemes [11]-[13] are also anonymous and lightweight, based on the hash function and XOR operations; these schemes enhanced the earlier work of Li et al. [11]. Hybrid authentication schemes have attracted much attention in the research community because of the promising results achieved by combining physiological signals such as ECG, Electroencephalogram (EEG), Photoplethysmogram (PPG), etc. with cryptographic solutions. The resulting schemes are more flexible and robust in providing mutual authentication. Koya et al. [14] presented a hybrid scheme by combining the authentication protocol of Li et al. [11] with ECG signals. The authors derived a 128-bit bio-key from the ECG signal to strengthen the authentication process and thus provide better security. In another recent study, Wan et al. [15] proposed a continuous authentication protocol that uses the bio-key generation procedure of Koya et al. [14] together with their own authentication algorithm to arrive at an energy- and time-efficient solution. Similarly, the authentication schemes [16]-[18] also combine biometric signals with cryptographic solutions to produce cost-effective solutions. This research work also belongs to the same category.
The major contribution of our paper is to extend our earlier work [10] to further enhance security through the use of ECG signals. Our work is summarized as follows:
• We have extended our earlier work [10] by using a physiological signal, i.e. ECG, and extracting features from the ECG signal to generate a bio-key of variable length. This adds key entropy and robustness to the authentication process. Moreover, it enhances resilience against key escrow and eavesdropping attacks and provides anonymous, unlinkable sessions, in addition to the security features already offered by the original work.
• We have proved the correctness of our scheme with the well-adopted BAN logic and informally verified it using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool.
• We have further tuned the computational cost and energy consumption of the proposed work compared to our earlier work [10]. The performance analysis shows that our scheme outperforms its peers in computational and energy-consumption overheads and in security characteristics.
The remainder of the paper is arranged as follows: Section II details the system model of our proposed scheme; Section III presents the proposed authentication scheme with all its phases; Section IV provides the formal verification using BAN logic, the security features analysis, and the simulation results; Section V discusses the performance evaluation of the proposed scheme against other peer work; Section VI provides a discussion; and Section VII concludes the paper.

II. SYSTEM MODEL
The system model used in the proposed scheme consists of the network and rival models, which are detailed below:

A. NETWORK MODEL
We have retained the three-tier network model of our earlier work [10] in this extended scheme. Tier 1 consists of the sensor nodes, denoted by N; tier 2 contains the Intermediate Node (IN), normally a smartphone or PDA; and tier 3 comprises the Hub Node (HN), normally the server computer. We have modified the communication between N and HN so that IN plays only a relaying role in the whole model: it does not store any information or identity but passes on any data received from either N or HN to its destination. Thus the role of IN is supportive rather than authoritative. The network model is depicted in Fig. 2.

B. RIVAL MODEL
We have furnished the following suppositions for our scheme.
• An adversary is not able to recover the master key K_UN, because HN is considered secure.
• Data can be falsely injected, altered, or replayed by intercepting the communication.
• An attacker can maliciously disturb the communication by compromising the sensor nodes N, and hence disturb the authentication process. Additionally, N cannot be physically secured due to cost constraints.
• The renowned Dolev-Yao [19] rival model is followed in our scheme, which assumes that the parties communicate over insecure channels.

III. THE PROPOSED SCHEME
We propose a hybrid authentication scheme that uses physiological signals, specifically ECG, together with pre-deployed keys to enhance the security of WBAN. The proposed authentication scheme is an extension of our earlier work [10]. Our scheme comprises four phases, namely bio-key extraction, registration, authentication, and key update. The Intermediate Node (IN) or Hub Node (HN) is referred to as the Upstream Node (UN). The notations used are listed in Table 1.

A. BIO-KEY EXTRACTION PHASE
We take the raw ECG signal and preprocess it using the Symlet4 (Sym4) Wavelet Transform. The Sym4 wavelet is considered a better choice for QRS detection because of its resemblance to the QRS complex. As we are using Sym4, the number of vanishing moments, i.e. the length of the filter, is 8. Here our main objective is to preserve the R-waves and eliminate all other frequency components. Therefore a bandpass action is required, which can be achieved with the wavelet transform by segregating the signal components into different frequency bands: the bandpass filtering is implemented by removing the unwanted frequency bands (high and low frequencies) and keeping the important ones. This process is shown in Fig. 3. We have taken the following three considerations into account for bio-key extraction:
• The selected method should be computationally light, so that it is suitable for key updates in real time.
• The extracted key should be random, to confirm its robustness.
• The key should be capable of identifying intra- and inter-personal variations.
The bio-key is extracted from the Inter-Pulse Interval (IPI) of the filtered ECG signal. We use a variable-length key for our proposed authentication scheme. A sync signal from UN initiates the sampling of the ECG signal for extraction of the variable-length bio-key. The extraction starts by calculating the IPIs; Gray coding is then applied, and lastly the output bits of the Gray coding are concatenated to give the bio-key. To check the performance of the extracted bio-keys, experiments were conducted using multiple channels of ECG data from the PTB Diagnostic ECG database (PTBDB), available through the PhysioBank ATM resource. We took data from 8 channel leads, i.e. ''I, II, V1'' to ''V6'', and calculated the entropy of the bio-keys extracted from 4 different subjects, as shown in Table 2. The bio-keys exhibit high randomness, as the entropy values are close to 1. The Hamming distance between the extracted bio-keys is shown in Table 3. It is evident that the technique used for bio-key extraction yields satisfactory entropy together with intra- and inter-personal variation.

B. REGISTRATION PHASE
This phase is initiated when a new sensor node (N) registers with UN through a secure channel. We have retained the registration phase of our earlier work [10].
The tuple x_N, a_N, Z_N and id_N is stored on N, while the other parameters K_UN, id_N, and K_N are stored on UN. The new parameter Z_N holds secret values concerning the key and identity of UN.

C. AUTHENTICATION PHASE
The details of this phase (Fig. 4) are as follows:
1. The upstream node (UN) initiates the process and sends a synchronization signal to the sensor node (N), which acquires an ECG signal and extracts the bio-key r_N from it. N generates a timestamp t_N and takes another ECG signal to extract a second bio-key r_SN.
2. On receiving (tid_N, a_N, b_N, t_N), the UN checks the validity of the timestamp and then computes the parameters shown in Fig. 4. It calculates the Hamming distance between the two bio-keys r_N and r_SN; if it is under the threshold level, N and UN can be authenticated. Finally, the session key is k_S = α ⊕ x_N^+. UN now sends the tuple (β, µ, η) to N.
3. On reception of (β, µ, η), N computes the values shown in Fig. 4.

D. KEY UPDATE PHASE
The key for the UN can be updated in either of two ways: firstly, it can be pre-deployed during installation of the nodes at the beginning, or secondly, nodes can be added dynamically later on. In the first case, a single master key can be pre-deployed during the installation of all nodes. In the second case, the UN can have two master keys, one fixed and the other dynamic. The dynamic bio-key is used to update all related parameters after the first round of the authentication phase. The master key update proceeds as follows:
• The bio-key r_SN generated at the registration phase can be used to update the master key. The updated master key can then be used to update all the relevant parameters (x_N^{+*}, a_N^+).
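As an added illustration (not code from the paper), the following Python sketches the IPI-based bio-key extraction of Section III.A (IPI, Gray coding, concatenation, entropy and Hamming distance as in Tables 2 and 3) together with the Hamming-distance threshold check of the authentication phase above. The quantisation range, the bits kept per IPI, the acceptance threshold and the R-peak times are all constructed assumptions, since the paper fixes none of them.

```python
import math
from typing import List, Sequence

# Assumed parameters (the paper does not fix these; chosen for this example):
BITS_PER_IPI = 4                          # bits kept per IPI after quantisation
IPI_MIN_MS, IPI_MAX_MS = 500.0, 1300.0    # range mapped onto 2**BITS_PER_IPI levels

# Constructed R-peak times (ms) standing in for peaks found in the Sym4-filtered
# ECG. A1 and A2 are two windows from the same subject; B is a different subject.
R_PEAKS_A1 = [0, 825, 1700, 2475, 3400, 4225, 5250, 5975, 6850]
R_PEAKS_A2 = [0, 835, 1705, 2485, 3445, 4275, 5305, 6040, 6920]
R_PEAKS_B = [0, 675, 1400, 2025, 2800, 3475, 4350, 4975, 5700]


def inter_pulse_intervals(r_peaks_ms: Sequence[float]) -> List[float]:
    """IPI = time between consecutive R-peaks."""
    if len(r_peaks_ms) < 2:
        raise ValueError("need at least two R-peaks")
    return [b - a for a, b in zip(r_peaks_ms, r_peaks_ms[1:])]


def quantise(ipi_ms: float, bits: int = BITS_PER_IPI) -> int:
    """Map an IPI onto one of 2**bits equal-width levels (clamped at both ends)."""
    levels = 1 << bits
    frac = (ipi_ms - IPI_MIN_MS) / (IPI_MAX_MS - IPI_MIN_MS)
    return min(levels - 1, max(0, int(frac * levels)))


def gray_code(value: int) -> int:
    """Binary-reflected Gray code: neighbouring levels differ in one bit, so a
    small IPI measurement error changes few key bits."""
    return value ^ (value >> 1)


def extract_biokey(r_peaks_ms: Sequence[float], bits: int = BITS_PER_IPI) -> str:
    """IPI -> quantise -> Gray code -> concatenate. Length = (#IPIs) * bits, so
    the key length varies with the number of beats in the sampled window."""
    return "".join(
        format(gray_code(quantise(ipi, bits)), f"0{bits}b")
        for ipi in inter_pulse_intervals(r_peaks_ms)
    )


def bit_entropy(key: str) -> float:
    """Shannon entropy of the bit string; 1.0 means zeros and ones are balanced."""
    p = key.count("1") / len(key)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def hamming_distance(k1: str, k2: str) -> int:
    """Number of differing bit positions (both keys must come from equal windows)."""
    if len(k1) != len(k2):
        raise ValueError("keys must have equal length")
    return sum(a != b for a, b in zip(k1, k2))


def keys_match(r_n: str, r_sn: str, threshold: int) -> bool:
    """Authentication-phase check: UN accepts N only if the distance between the
    two bio-keys r_N and r_SN is under the threshold (threshold value assumed)."""
    return hamming_distance(r_n, r_sn) < threshold


def demo() -> dict:
    a1, a2, b = (extract_biokey(p) for p in (R_PEAKS_A1, R_PEAKS_A2, R_PEAKS_B))
    return {
        "key_bits": len(a1),
        "entropy_a1": bit_entropy(a1),
        "intra_subject_distance": hamming_distance(a1, a2),   # small
        "inter_subject_distance": hamming_distance(a1, b),    # large
        "same_subject_accepted": keys_match(a1, a2, threshold=4),
        "other_subject_accepted": keys_match(a1, b, threshold=4),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```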

IV. SECURITY ANALYSIS OF PROPOSED SCHEME
Here, we analyze our scheme by a formal proof based on BAN logic [20] to verify the correctness of the proposed scheme. We then present the security features analysis and, lastly, simulation results providing the informal analysis.

A. FORMAL EVIDENCE USING BAN LOGIC
BAN logic [20] is widely used to present formal proofs of authentication schemes; we use it to verify that our scheme provides mutual authentication between the nodes N and UN. The following four goals ensure that the proposed scheme is secure.
The communicated messages are idealized as:

3) ASSUMPTIONS
To achieve the goals we make a few assumptions, as follows. We prove mutual authentication of the proposed scheme based on the assumptions, the idealized form, and the inference rules.
V1: From If1, the message-meaning rule, and A1, we get (1).
V2: By applying the freshness rule and A2, we infer (2).
V3: From the nonce-verification rule, (1) and (2), we obtain (3), as shown at the bottom of the page.
V4: From the belief rule and (3), we achieve goal G1 as (4). Hence we achieve goal G1.
V5: By the jurisdiction rule, A3 and (4), we achieve goal G2.
V6: By If2, A4, and the message-meaning rule, we get (6).
V7: By the freshness rule and A5, we obtain (7).
V8: By the nonce-verification rule, (6), and (7), we acquire (8), as shown at the bottom of the page.
V9: By the belief rule and (8), we have (9). Hence goal G3 is achieved.
V10: By the jurisdiction rule, A6 and (9), we have (10), as shown at the bottom of the next page.
Therefore, we obtain goal G4.

B. SECURITY FEATURES ANALYSIS
The following are the security features provided by the proposed scheme that extends our earlier work [10].

1) RESILIENCE AGAINST KEY ESCROW
Key escrow becomes a problem when a security threat is posed by an insider such as a system admin, physician, etc. Therefore a fixed master key K_UN would be a potential threat. Our scheme provides a dynamic update of the master key by extracting a new bio-key and generating the new master key from it. This feature eliminates the potential threat of impersonation of nodes N and UN. Hence we have resolved the key escrow problem.

2) EAVESDROPPING ATTACK
An eavesdropper can collect the parameters sent over the public network, i.e. (tid_N, a_N, b_N, t_N), and the same holds for (β, µ, η). Even if an adversary collects them, it cannot forge the secret values such as the bio-key r_N, x_N^+, K_UN^+, K_N^+, x_N, and K_N. Some of these values are XOR-ed with other secret parameters in such a blend that it is impossible to eliminate all of them. Therefore, an eavesdropper cannot uncover or even construct the secret key k_S.

3) ANONYMOUS AND UNLINKABLE SESSIONS
Anonymity is a feature that allows us to keep the identity hidden from an adversary. This feature is well preserved in our scheme through the temporary identity tid_N, which is secured by a non-reversible hash function and also contains the bio-key r_N generated randomly by N. An adversary cannot guess the valid set of tuples used for tid_N and hence cannot link two sessions. Another reason is that all parameters transmitted over the public network are formed using fresh and secret values. Some parameters change in each session, such as b_N, which is constructed from the random bio-key and K_N^+. Therefore, unlinkability and anonymity of sessions are achieved in our proposed scheme.

4) SENSOR NODE IMPERSONATION AND CAPTURE ATTACK
To mount a sensor node impersonation attack, an adversary has to generate the valid tuple (tid_N, a_N, b_N, t_N), which is impossible because these values are protected by hash functions, the randomness of the bio-key, and Z_N. To capture a sensor node, an attacker would have to know the master key K_UN, which is not possible because the key is updated afterwards, and it would also require the other bio-key r_SN. Therefore, the proposed scheme provides resilience against both types of attack.

5) BACKWARD AND FORWARD SECRECY
An adversary would have to know the parameters α and x_N^+ to forge the session key k_S, which is impossible; and even if it somehow constructed one session key, the past and future session keys would not be revealed. The parameters are calculated dynamically during every session and their values change. Therefore, this feature is added to the list.

6) BASE STATION CAPTURE ATTACK
If the base station (UN in our case) is somehow compromised and the master key K_UN is captured, an adversary would also require some other valid parameters such as x_N^+, α, β, η, and k_S; moreover, the master key is updated with the random bio-key r_SN, which is constructed from a random ECG sample of the patient. Therefore, this attack would not be possible.

7) IN COMPROMISE ATTACK
The Intermediate Node (IN) does not store any identity; it is used only as a relaying node, so compromising it would not make much difference, and launching a subsequent impersonation attack would be difficult. Forging an identity would also require parameters such as the bio-key r_N and Z_N, which are not communicated publicly.

8) DESYNCHRONIZATION/JAMMING ATTACK
This type of attack prevents the communicating entities (N and UN in our case) from synchronously updating their mutual parameters by jamming the link. In such a case the sensor node N would not be able to calculate the new values (x_N^{+*}, a_N^+). Nevertheless, the proposed scheme can continue with a new authentication phase using the older values (x_N, a_N).

C. SIMULATION USING AVISPA TOOL
Here, we perform informal verification using AVISPA [21], a widely used tool for the verification of cryptographic protocols, which attests the safety of the proposed scheme. The scheme is coded in the High-Level Protocol Specification Language (HLPSL), which is translated into the Intermediate Format (IF). The IF is run through the back-end verification models, i.e. the On-the-Fly Model Checker (OFMC) and the Constraint-Logic-based Attack Searcher (CL-AtSe). The output of these models confirms that the proposed scheme is safe and provides resilience against both active and passive attacks. The summary reports of OFMC and CL-AtSe are shown in Fig. 5 (a) and (b), respectively.

V. PERFORMANCE EVALUATION
The performance of the proposed scheme is evaluated in terms of storage, energy, communication, and computational overheads against related work, i.e. Koya et al. [14], Tao et al. [15], Xu et al. [22], Wazid et al. [16], and Rehman et al. [10]. We present a comparison with state-of-the-art authentication schemes of a similar category, so the performance of our proposed scheme can easily be judged throughout this section. The security features comparison is detailed in Table 4.

A. STORAGE COST
As per [10], the sensor node (N) stores the parameters (id_N, x_N, a_N, Z_N) along with the session key k_S, each requiring 160 bits, while the Intermediate Node (IN) acts as a relaying node without storing anything. The Upstream Node (UN) stores the tuple K_UN, id_N, K_N along with the session key k_S, each requiring 160 bits. The storage cost and the comparison with peers are given in Table 5.

B. COMMUNICATION COST
The communication cost of the proposed scheme is calculated from the messages exchanged between N and UN. The first message transmitted from N to UN is (tid_N, a_N, b_N, t_N), with the timestamp |t_N| = 32 b. Therefore, the cost of sending a message from N to UN is 512 b, whereas the cost of receiving the message is 480 b. The communication cost is detailed in Table 6.

C. COMPUTATION COST AND TIME
Let the time taken to perform the hash function be denoted as t_h and the time taken for an XOR operation as t_xor. The N-side of the authentication phase of our scheme uses 2 hash functions and 8 XOR operations, while the UN-side has 5 hash functions and 10 XOR operations. So the cost on the N-side and on the UN-side is 2t_h + 8t_xor ≈ 2t_h and 5t_h + 10t_xor ≈ 5t_h, respectively, as XOR operations require negligible time and are therefore ignored. As per an experiment performed in [22], t_h = 0.0023 ms, t_r = 0.65 ms, and t_ecm = 0.123 ms. Therefore, our scheme consumes 0.0069 ms on the N-side and 0.0138 ms on the UN-side. The comparison on the basis of the same parameters is detailed in Table 7.

D. ENERGY CONSUMPTION
The power consumption in active mode is taken as 118.8 mW; this implies that our scheme consumes 0.0046 * 118.8/1000 ≈ 0.547 µJ on the N-side and 0.0115 * 118.8/1000 ≈ 1.366 µJ on the UN-side. The comparison with peer work is depicted in Table 8.

E. THE PERFORMANCE RESULTS COMPARISON
Comparing the storage costs in Table 5, it is noticeable that the proposed scheme does not store any data on IN, so the overall storage requirement is lower than that of the other schemes, except for our earlier work [10]. Moreover, comparing the communication costs in Table 6, the absence of storage on IN has a positive effect in that no extra communication cost is added to the scheme, and the cost is the same as in [10]. Therefore, our proposed scheme incurs the lowest communication cost among the peer work. Fig. 6 also highlights that the communication between IN and UN, and vice versa, has been improved significantly. It is also worth stating that the communication cost shown is the cost of the whole process, from N to UN and back.
The computational cost and time are given in Table 7, where it is evident that the proposed scheme achieves the lowest computation on N and UN compared to the peer work, including our earlier work [10]. Therefore, our scheme is efficient in terms of computational cost as well; this is also evident from Fig. 7. Furthermore, the energy consumption is shown in Table 8, calculated in micro Joules (µJ); by comparing it with the peer work, we claim that the proposed scheme is efficient in terms of energy consumption as well, as shown in Fig. 8.

VI. DISCUSSION
We have extracted a variable-length bio-key from the ECG signal with high randomness and key entropy. Variable-length keys are usually difficult to guess, therefore the chances of a guessing attack are eliminated. We have adopted a bio-key extraction procedure that requires less computation time, resulting in increased efficiency. The proposed scheme offers a dynamic key update feature that adds resilience against attacks such as key escrow, eavesdropping, base-station compromise, and traceability. Moreover, the performance evaluation discussed in the previous section shows that the proposed scheme performs better than other hybrid schemes, as shown in Figures 6-8. It is also worth mentioning that although we have successfully improved our work in terms of computational cost and energy consumption, the storage requirements and communication cost remain the same as previously [10], because the storage and communication requirements are already optimized to the point that they cannot be reduced further. Therefore, we claim that the proposed scheme further tunes up the authentication algorithm. Hence the proposed scheme achieves efficiency while providing an anonymous and lightweight authentication and key agreement scheme.

VII. CONCLUSION
We have presented a hybrid authentication scheme that uses physiological features extracted from the ECG signal to generate a variable-length bio-key and combines it with the cryptographic solution of our earlier work [10], further optimizing it. A formal proof is provided using BAN logic, showing that the proposed scheme achieves its security goals and mutual authentication. The simulation results using the AVISPA tool informally show that the scheme withstands the various known security attacks. We have evaluated the performance in terms of storage, computation, communication, and energy consumption overheads, compared the results with renowned related schemes, and shown that our scheme is efficient in terms of storage, computation, communication, and energy consumption costs.
SAUD ALTAF received the Ph.D. degree in computer science from Auckland University of Technology (AUT), New Zealand, in 2015, and the master's degree in computer science from Iqra University, Islamabad, Pakistan, in 2007. He is currently an Assistant Professor with UIIT, PMAS-AAR University, Rawalpindi, Pakistan. He is the author of a number of research publications in international journals and conference proceedings. His research interests include several fields of wireless sensor networks, biomedical signal and image processing, security of cyber-physical systems (CPSs), gesture recognition, through-the-wall radar imaging and sensing, visible light communication, the Internet of Things (IoT), artificial intelligence, and data mining.

SHAFIQ AHMAD received the Ph.D. degree from RMIT University, Melbourne, Australia. He is currently working as an Associate Professor with the Industrial Engineering Department, College of Engineering, King Saud University, Riyadh, Saudi Arabia. He has more than two decades of working experience in both industry and academia in Australia, Europe, and Asia. He has published a research book and several research articles in international journals and refereed conferences. His research interests include smart manufacturing, IIoT and data analytics, multivariate statistical quality control, process monitoring and performance analysis, operations research models, and bibliometric network analysis. He is also a Certified Practitioner in the Six Sigma business improvement model.

SHAMSUL HUDA received the Ph.D. degree in computer science from the Centre for Informatics and Applied Optimization (CIAO), Federation University Australia. He is currently a Lecturer with the School of Information Technology, Deakin University, Australia. Prior to joining Deakin, he worked as an Academician with Federation University and an Assistant Professor with Khulna University of Engineering and Technology (KUET), Bangladesh. He is a Certified Information System Security Professional (CISSP) by the International Information System Security Certification Consortium, (ISC)². He is also a member of the Cyber Security Research and Innovation Centre (CSRI), Deakin University. He is involved in many international cyber security projects, including cybersecurity capacity maturity for nations at the Oceania Cyber Security Centre (OCSC), Melbourne, in partnership with the Global Cyber Security Capacity Centre (GCSCC), University of Oxford. He has published more than 60 journal and conference papers in well-reputed venues, including IEEE TRANSACTIONS. His research interests include communication and network security, strategies for secure operations of industrial control systems (SCADA) and critical infrastructure, intelligent countermeasures for threats against mobile systems, detection of data breaches through the darknet, IoT security, malware analysis and detection, reverse engineering for endpoint security, and malware analysis and detection for SCADA systems.

SOFIA IQBAL received the M.Phil. degree in applied statistics from Quaid-e-Azam University, Islamabad, Pakistan, in 2012. She has more than 12 years of practical experience in the public sector in the area of data analysis. She is currently working as a Data Analyst Manager with the Pakistan Space and Upper Atmosphere Research Commission (SUPARCO), Islamabad. She is a member of different professional societies around the world.