LAKS-NVT: Provably Secure and Lightweight Authentication and Key Agreement Scheme Without Verification Table in Medical Internet of Things

Wireless body area networks (WBANs) and wireless sensor networks (WSNs) are important concepts for the Internet of Things (IoT). They have been applied to various healthcare services so that users can access convenient medical services by exchanging physiological data between user and medical server. User physiological data is collected by sensor nodes and sent to medical service providers, doctors, etc. over public channels. However, these channels are vulnerable to various potential attacks, and hence it is essential to design provably secure and lightweight mutual authentication (MA) schemes for medical IoT to protect user privacy and achieve secure communication. A lightweight mutual authentication and key agreement (MAKA) scheme was designed in 2019 to guarantee user privacy, but we found that the scheme does not withstand impersonation, stolen sensor node and leaking verification table attacks, and that it does not ensure anonymity, untraceability or secure mutual authentication. This paper proposes a provably secure and lightweight MAKA scheme for medical IoT, called LAKS Non-verification table (NVT), that does not require a server verification table. We assess LAKS-NVT's security against various potential attacks and demonstrate that it achieves secure MA between sensor node and server using Burrows-Abadi-Needham logic. We employ the well-known Real-Or-Random (ROR) random oracle model to prove that LAKS-NVT provides session key security. In addition, formal security verification using the widely-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) software tool has been performed, and the results show that LAKS-NVT is also secure. We compare LAKS-NVT's performance against contemporary authentication schemes and verify that it achieves better security and comparable efficiency. The practical perspective of LAKS-NVT is also examined via a Network Simulator 2 (NS2) simulation study.


Recent information and communication technology (ICT) and embedded technology advances have facilitated the emerging internet of things (IoT) development. IoT will include over 50 billion devices linked to the internet by 2020, with users employing a variety of convenient services based on IoT devices, such as smart homes, smart cities, smart health care, smart grid, etc. [1]. Medical IoT, i.e., wireless body area networks (WBANs), and health care services are particularly important IoT components focused on improving human quality of life.

The associate editor coordinating the review of this manuscript and approving it for publication was Lorenzo Mucchi.

VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

FIGURE 1. Typical wireless body area network system.

Figure 1 shows a general WBAN concept model, first designed by Zimmerman in 1996 [2]. Sensor devices located on the human body collect user healthcare data, such as heart rate, behavior, blood pressure, etc., and then transmit the biometric data to a server. The server(s) subsequently communicate with doctors, healthcare service providers, emergency services, etc. to provide suitable medical services. Thus, it enables real-time patient condition monitoring and provides personalized healthcare services. However, these services are not secure against various potential attacks because an adversary can intercept, eavesdrop on, reveal, delete, and/or modify data transmitted through public channels. Therefore, secure mutual authentication and key agreement (MAKA) schemes for medical IoT are important to protect user health information while providing efficient healthcare services.
Many MAKA schemes have been presented over the preceding few decades to ensure user privacy. Lamport [3] first suggested a password-based mutual authentication (MA) scheme in 1981, and several subsequent password-based MA schemes have been proposed [4]- [6]. However, these protocols were vulnerable to various potential attacks, including privileged insider, impersonation and offline password guessing attacks, because they relied exclusively on the password. Many subsequent MAKA schemes have been designed to overcome these security weaknesses using smart cards [7]- [9] and/or biometrics [10]- [12]. However, these schemes store sensitive user data in a server database, so if the data stored on the server is revealed to an adversary, the whole system collapses.
Several authentication protocols have been designed for medical IoT to ensure user privacy [24]- [29]. However, these protocols are not secure against stolen verifier and/or leaking verification table attacks, nor do they provide secure mutual authentication, untraceability, or anonymity.
Xu et al. [30] designed a lightweight MAKA scheme for medical IoT to prevent various attacks, including impersonation, replay and sensor node capture attacks. They also claimed their scheme provided sensor node anonymity and untraceability. However, we show that Xu et al.'s scheme does not provide anonymity and untraceability, nor does it prevent most attacks, because their scheme stores user authentication parameters in a server database. Xu et al. also did not perform (mathematical) formal security analyses to prove their scheme's security. For these reasons, we need a provably secure and lightweight authentication scheme for medical IoT without a verification table to protect users' medical data, in which legal users and IoT things can securely authenticate each other and establish a session key. Therefore, we propose LAKS-NVT for medical IoT, which requires no verification table, to overcome these observed security vulnerabilities.

B. RESEARCH CONTRIBUTIONS
The main contributions of this paper are as follows.
• We analyze the security vulnerabilities of Xu et al.'s scheme and demonstrate that it is not secure against impersonation, stolen SN, and leaking verification table attacks. We also show that Xu et al.'s scheme does not ensure anonymity, secure mutual authentication, or untraceability.
• We propose LAKS-NVT for medical IoT, which requires no server verification table, to resolve these security weaknesses. LAKS-NVT prevents stolen SN, impersonation, and replay attacks, and provides anonymity, secure mutual authentication, and untraceability. In addition, even if the server database is leaked, LAKS-NVT remains secure because it does not store users' authentication parameters or sensitive data in the server's database.
• We perform (mathematical) formal security analysis using the Real-or-random (ROR) model [32] to prove session key security, and verified that LAKS-NVT provides secure MA using widely accepted Burrows-Abadi-Needham (BAN) logic [36].
• We also perform the formal security verification of the proposed LAKS-NVT using the widely-accepted ''Automated Validation of Internet Security Protocols and Applications (AVISPA)'' software tool [37] to show that it is secure.
• We analyze the performance of our scheme compared with other contemporary schemes, and then perform simulation analysis using the NS2 simulator.

C. THREAT MODEL
A server is generally considered a trustworthy node. However, an adversary can look up all parameters in the server's database, except the server master key, K ser . An adversary can also eavesdrop on, delete, replace, inject, and replay data transmitted over public channels. This is the Dolev-Yao (DY) threat model [31]. We assume that the sensor node (SN) is untrustworthy: after obtaining an SN, an adversary can extract the data stored in it using power analysis attacks [44], [45] and perform various potential attacks using the obtained data.

D. ORGANIZATION
The remainder of this paper is organized as follows. Section II discusses related work, Section III reviews Xu et al.'s scheme and Section IV cryptanalyzes it. Section V details the proposed LAKS-NVT for medical IoT, and Sections VI and VIII analyze the security of the proposed scheme and give a practical demonstration using an NS2 simulation study. Section X provides a performance comparison with related schemes. Finally, Section XI concludes and summarizes this paper.

II. RELATED WORK
Many MAKA schemes as well as access control schemes for IoT and other related domains have been designed over the last few decades to guarantee user privacy and provide convenient services [13]- [28], [30], [38]- [43]. Liu et al. [24] suggested a ''certificateless remote anonymous MAKA scheme'' for WBANs, but this was subsequently shown to be vulnerable to ''stolen verifier attacks'' and could not provide scalability and forward secrecy [25]. Zhao [25] then designed an efficient authentication scheme for WBANs using an elliptic curve cryptosystem (ECC). Turkanovic et al. [38] proposed a MAKA scheme for IoT to provide ''secure communication between user and sensor''. However, Chang and Le [39] showed that this scheme could not prevent various attacks, including impersonation, stolen smart card, sensor node spoofing, node capture, and stolen verifier attacks. They also suggested an ''enhanced provably secure authentication scheme'', considering flexibility and efficiency. Gope and Hwang [41] designed an anonymity-preserving MAKA scheme for global mobility networks that guaranteed communication security. However, Li et al. [40] showed that the Chang and Le scheme was not secure against trace and stolen smart card attacks, and that the Gope and Hwang scheme did not provide secure MA or an efficient password change phase. They suggested a robust and efficient MA protocol to overcome these security drawbacks. Li et al. [29] showed that the Gope and Hwang [41] scheme did not provide an ''efficient verification mechanism'' or perfect forward secrecy, and designed a robust biometrics-based MA scheme to resolve these security weaknesses. However, all the above schemes [24], [25], [29], [38]- [41] are somewhat inefficient and inapplicable for practical medical IoT environments, since they all use public key cryptosystems, which require high computational cost.
Several lightweight authentication and key agreement schemes [26]- [28], [30] have been proposed with computational cost in mind. Ibrahim et al. [27] introduced a ''secure and lightweight mutual authentication for WBANs'' to provide anonymity and secure mutual authentication. Li et al. [28] designed an anonymous mutual authentication and key agreement scheme for WBANs that guaranteed anonymity and unlinkability for wearable sensors. Xu et al. [26] presented a lightweight mutual authentication and key agreement scheme for WBANs and claimed the scheme was secure against various attacks, including man-in-the-middle, spoofing, replay, and impersonation attacks. Xu et al. [30] subsequently introduced a ''lightweight mutual authentication and key agreement scheme for medical IoT''. However, they did not prove their scheme's security using (mathematical) formal security analysis. The above schemes [26]- [28], [30] are all vulnerable to the leaking verification table attack because they store sensitive user data in a server database.

Table 1 shows the notation used in this paper.

A. INITIALIZATION PHASE
The SA establishes system parameters in this phase, first generating server master key, K ser , and then storing it in the server memory.

B. REGISTRATION PHASE
This phase registers SNs and IAPs, as shown in Fig. 2, with detailed steps as follows.
Step 1: S generates identity ID SN , random number r, and P K s for each SN; and generates identity ID IAP for each IAP.

Fig. 3 shows how the SN and S authenticate each other and generate the current session key to access medical services, with detailed steps as below.
Step 1. SN generates a random number n1 and the current timestamp t1, and then sends the login request message {A SN , S1, S2, t1} to the IAP.
Step 2. After receiving the message {A SN , S1, S2, t1}, the IAP forwards the data to S together with its own identity ID IAP .
Step 3. Upon receiving the message {A SN , S1, S2, t1, ID IAP } from the IAP, S checks whether ID IAP is in its database. If it does not exist, S terminates the current session.
Step 6. If it is valid, S chooses random number n2, timestamp t2, and unique number r + ; then computes and stores the session key K s .

IV. CRYPTANALYSIS OF XU et al.'s SCHEME
This section cryptanalyzes Xu et al.'s scheme and demonstrates that it neither prevents various attacks nor guarantees essential security requirements, such as ''untraceability'', ''anonymity'', and ''secure mutual authentication''.

A. STOLEN SENSOR NODE ATTACK
Section I-C gives the DY threat model used to evaluate the security of the protocols in this paper. We suppose that an adversary U A obtains the SN of a legitimate user, intercepts messages transmitted over a public channel, and extracts the values {ID SN , A SN , B SN , and P K s } using power analysis [44], [45]. Under Xu et al.'s scheme, the authentication parameters {ID SN , B SN } are stored as plaintext, and hence the scheme does not prevent the stolen SN attack because U A can perform various attacks using these security parameters.

B. IMPERSONATION ATTACK
Section IV-A shows how U A can obtain SN parameters and messages transmitted via public channels. After obtaining these values, U A generates a random nonce n1 A and current timestamp t1 A , and computes S1 A = B SN ⊕ n1 A and S2 A = h(ID SN ||A SN ||S1||t1||n1 A ). U A can also retrieve n2 = S3 ⊕ B SN and calculate K sA = h(n1 A ||n2||P K s ). Therefore, Xu et al.'s scheme does not withstand impersonation attack since U A can successfully compute login request, response messages and the session key.

C. ANONYMITY AND UNTRACEABILITY
Section I-C shows how U A can look up all parameters in the S database, except the server's master key, K ser . After receiving the login request {A SN , S1, S2, t1, ID IAP }, U A checks whether A SN exists in the database. If it exists, U A retrieves A SN prev and traces a legal user by finding A SN prev , where A SN prev is the parameter used in the previous session. U A can also obtain the SN's real identity because ID SN is stored in SN memory as plaintext. Therefore, Xu et al.'s scheme does not ensure untraceability and anonymity.

E. LEAKING VERIFICATION TABLE ATTACK
Section I-C shows how U A can obtain SN authentication parameters and data stored in the server database except the server's master key, K ser . If U A obtains the partial user dataset, e.g. {ID SN , A SN }, {ID SN , B SN }, or {B SN , X }, U A can successfully perform an impersonation attack. U A also breaks anonymity, untraceability, and secure mutual authentication between SN and S. Therefore, it is important that essential parameters be managed directly by the user.

V. THE PROPOSED SCHEME
This section proposes LAKS-NVT for medical IoT, which requires no server verification table, to overcome the security flaws in Xu et al.'s scheme shown in Section IV. The designed scheme also consists of three phases: a) ''initialization'', b) ''registration'', and c) ''mutual authentication and key agreement (MAKA)''.

A. INITIALIZATION PHASE
The SA establishes the system parameters, generates a master key, K ser , for the server, and stores it in server memory.

B. REGISTRATION PHASE
When user U wants to use medical services from S, U must first register their identity with S. The IAP provides a connecting node between SN and S. This phase is shown in Fig. 4 with detailed steps as follows.

1) User registration phase
Step 1: U picks identity ID U , password PW U , and random numbers r and k; computes PID = h(ID U ||PW U ) ⊕ r; and sends {PID, r} to S.

Step 6. If valid, S chooses random number n2, timestamp t2 and unique number r + ; and then computes

VI. SECURITY ANALYSIS
This section discusses a mathematical security analysis using the ROR model [32] and BAN logic [36], and informal (non-mathematical) security analysis to prove LAKS-NVT is secure against potential attacks, including stolen SN, impersonation, and replay attacks. We also demonstrate the scheme achieves secure MA, anonymity, untraceability, and session key security.
Wang et al. [47] observed, while analyzing several existing authentication protocols, that the broadly-used formal security methods, such as the ''random oracle model'' and ''BAN logic'', cannot capture some structural mistakes. As a result, they pointed out that guaranteeing the soundness of authenticated key agreement protocols still remains an open issue. For this reason, we carry out formal and informal security analysis along with formal security verification using automated validation tools, so that the proposed scheme (LAKS-NVT) is secure against possible potential attacks with high probability.

A. FORMAL SECURITY ANALYSIS USING THE ROR MODEL
In this section, we first briefly discuss the ROR model [32]. After that the formal (mathematical) security analysis under the ROR model is presented to prove the session key security for the proposed scheme (LAKS-NVT) in Theorem 1.
Based on the ROR model, a malicious adversary A communicates with the t-th instance of a participant, P t . Following the proposed scheme, we define SN or S as P t and let P t1 SN and P t2 S be the t1-th SN instance and the t2-th S instance, respectively. The ROR model uses Execute, Reveal, CorruptSN, Send and Test queries to simulate an actual attack, as shown in Table 2. We use a collision-resistant one-way hash function Hash, i.e., h(·), as a random oracle, a deterministic function that outputs a fixed-length string.
Wang et al. [46] demonstrated that user chosen passwords are extremely non-uniformly distributed using Zipf's law. Password dictionary size is also limited since users do not utilize the whole dictionary extent for passwords [46]. Zipf's law is widely applied in formal (mathematical) security analysis to prove session key security for cryptographic protocols. We now prove that the proposed LAKS-NVT achieves session key security.

1) SESSION KEY SECURITY
Based on the ROR model, A tries to distinguish between a session key and a random number using several Test queries. After obtaining the result of a Test query, A checks whether the guessed bit c' matches the bit c of the real session key. If c' = c, A wins the game, and its probability of doing so is Succ.
Theorem 1: Assume that Adv AKM A is the advantage of an adversary A running in polynomial time in breaking the session key security of the proposed authenticated key management (AKM) scheme. Then, where q h , q s , and |Hash| are the number of Hash queries, the number of Send queries, and the output string length of the hash function h(·), respectively, and C and s are Zipf's parameters [46]. Proof: We define a sequence of four games, G j , where j = 0, 1, 2, 3, with success probability Succ. The proof follows [5], [33]- [35], as shown below.
• Game G 0 is simulated as the actual attack by A against the proposed protocol. Since bit c was chosen randomly at the beginning of G 0 ,

Adv AKM

• Game G 2 is simulated as an active attack by Hash query. A wants to find a message digest collision to deceive a participant using several Hash queries. However, all transmitted messages {PID, A SN , S1, S2, t1, ID IAP } and {S3, S4, S5, S6, t2} are protected by short-term secrets, the master secret, and timestamps. Therefore, G 1 and G 2 are indistinguishable because the collision probability is negligible when A sends several Send(P t , Msg) queries. Thus, from the birthday paradox,
• Game G 3 is modeled as an active attack. A obtains the credentials {CPID, V , C, CB SN , CA SN } from the SN's memory using the CorruptSN query, where B SN = h(r||PID||K ser ), A SN = r ⊕ S, and S = h(PID||K ser ). A must know the user's real identity ID U , password PW U , and short-term secret r to retrieve the secret parameters B SN and A SN . However, since A does not know B SN , A SN , K ser , or r, they cannot correctly guess PW U for the SN using Send queries. Therefore, games G 2 and G 3 are indistinguishable, from Zipf's law on passwords [46],
After all the games are executed, A tries to guess c to win the game using the Test query. Therefore,
Combining (1), (2), and (5),
From the triangular inequality with (4), (5), and (6),
Finally, multiplying both sides of (7) by 2, the bound in Theorem 1 follows.

B. SECURITY ANALYSIS USING BAN LOGIC
This section demonstrates that LAKS-NVT achieves secure mutual authentication using BAN logic [36]. We first present the BAN logic postulates, and then define the security goals, assumptions, and idealized forms. Finally, we perform the BAN logic proof to confirm secure MA for LAKS-NVT. It is worth noting that the BAN logic proof only covers mutual authentication in LAKS-NVT between a user (U )/sensor node (SN ) and the server/system administrator (S/SA) during the mutual authentication and key agreement phase. Table 3 presents the BAN logic notation used in this proof.

1) BAN LOGIC POSTULATES
The BAN logic postulates are as follows.

2) GOALS AND ASSUMPTIONS
We define goals (Goal 1 -Goal 4 ) and assumptions (A 1 -A 6 ) as follows to verify the proposed protocol security.

4) BAN LOGIC PROOF
We perform BAN logic analysis to verify that LAKS-NVT guarantees secure MA.
Step 8. From the NVR with S 6 and S 7 ,
Step 9. From S 4 and S 8 , S and SN can compute the session key K s because they trust each other by the BAN logic postulates,
Step 10. From the JR with S 9 and A 5 ,
Step 11. From the JR with S 10 and A 6 ,
Therefore, (Goal 1 -Goal 4 ) prove that SN and S can trust each other and LAKS-NVT achieves secure MA.

C. INFORMAL SECURITY ANALYSIS
We analyzed LAKS-NVT for various potential attacks.

1) STOLEN SN ATTACK
Assume that attacker U A obtains the SN of some legitimate user, intercepts public messages, and extracts the SN values {CPID, V , C, CB SN , and CA SN } using power analysis [44], [45]. However, even though U A obtains these parameters, they cannot obtain user credentials, such as the short-term secret r or the authentication parameters A SN and B SN , without knowing the user's ID U and PW U . Thus, LAKS-NVT is secure against the stolen SN attack.

2) IMPERSONATION ATTACK
If U A wants to impersonate a legitimate user U i , they must correctly compute the login request message {PID, A SN , S1, S2, t1}, where PID = CPID ⊕ SPW and SPW = h(PW U ||k). Since all login parameters are protected by the hash function and the secret parameters {k, r, ID U and PW U }, U A cannot compute the login request message without knowing ID U and PW U . Therefore, LAKS-NVT prevents the impersonation attack.

4) ANONYMITY AND UNTRACEABILITY
Suppose U A obtains CPID, V , C, CB SN , CA SN from SN memory and intercepts all previous messages to try to obtain ID U . U A cannot obtain ID U since the user only employs the pseudo-identity PID to authenticate with the server. Since all transmitted messages ({PID, A SN , S1, S2, t1}, {S3, S4, S5, S6, t2}) change every session, U A is also unable to successfully perform trace attack. Therefore, LAKS-NVT achieves anonymity and untraceability.

5) SECURE MUTUAL AUTHENTICATION (MA)
From Section VI-C2, U A cannot successfully compute valid login request and response messages. SN and S also check that S6* ?= S6 and S2* ?= S2 hold during the authentication and key agreement phase. Therefore, LAKS-NVT guarantees secure MA.

6) LEAKING VERIFICATION TABLE ATTACK
If U A obtains the SN information CPID, V , C, CB SN , CA SN and accesses the server database, they cannot obtain sensitive user data because user information is not stored in the server database. All authentication parameters change every session and are managed by the user alone. Therefore, even if the server database is compromised, LAKS-NVT remains secure against potential attacks.
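To make the no-verification-table property of Sections V-B and VI-C6 concrete, the following is an added Python model (not the paper's own code) of the relations the paper states: S = h(PID||K ser ), A SN = r ⊕ S, B SN = h(r||PID||K ser ), PID = h(ID U ||PW U ) ⊕ r, and PID = CPID ⊕ SPW with SPW = h(PW U ||k). The server holds only K ser and regenerates B SN from the login request, so a leaked server database yields nothing per user. Assumptions made here: SHA-256 as h(·), the SN credentials stored XOR-masked with SPW, the S1/S2 construction (borrowed from the Xu et al. structure in Section IV-B), and a 5-second freshness window; the paper's V and C values are not modelled.

```python
import hashlib
import hmac
import secrets
from typing import Optional

HASH_LEN = 32          # SHA-256 digest length: width of r, S, A_SN, B_SN and nonces
MAX_CLOCK_SKEW = 5.0   # assumed freshness window for the timestamp check, in seconds


def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.) over the concatenation of its arguments (SHA-256 assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def register(id_u: bytes, pw_u: bytes, k_ser: bytes) -> dict:
    """Registration phase (user and server steps folded together for the demonstration).

    Returns only what the sensor node stores. The server keeps nothing per user:
    every value it needs later is recomputed from the login request and K_ser.
    """
    r = secrets.token_bytes(HASH_LEN)      # user's short-term secret r
    k = secrets.token_bytes(HASH_LEN)      # user's random number k
    pid = xor(h(id_u, pw_u), r)            # PID  = h(ID_U || PW_U) XOR r   (user side)
    s = h(pid, k_ser)                      # S    = h(PID || K_ser)         (server side)
    a_sn = xor(r, s)                       # A_SN = r XOR S
    b_sn = h(r, pid, k_ser)                # B_SN = h(r || PID || K_ser)
    spw = h(pw_u, k)                       # SPW  = h(PW_U || k)
    # Assumed masking: PID, A_SN and B_SN are stored XOR-ed with SPW (CPID, CA_SN, CB_SN),
    # so a stolen SN yields nothing usable without PW_U. V and C from the paper are not modelled.
    return {"CPID": xor(pid, spw), "CA_SN": xor(a_sn, spw), "CB_SN": xor(b_sn, spw), "k": k}


def sn_login(sn_mem: dict, pw_u: bytes, t1: float) -> dict:
    """MAKA step 1 on the sensor node: unmask the credentials with PW_U and build the request."""
    spw = h(pw_u, sn_mem["k"])
    pid = xor(sn_mem["CPID"], spw)                       # PID = CPID XOR SPW
    a_sn = xor(sn_mem["CA_SN"], spw)
    b_sn = xor(sn_mem["CB_SN"], spw)
    n1 = secrets.token_bytes(HASH_LEN)                   # fresh nonce n1
    s1 = xor(b_sn, n1)                                   # S1 = B_SN XOR n1               (assumed form)
    s2 = h(pid, a_sn, s1, str(t1).encode(), n1)          # S2 = h(PID||A_SN||S1||t1||n1)  (assumed form)
    return {"PID": pid, "A_SN": a_sn, "S1": s1, "S2": s2, "t1": t1}


def server_verify(req: dict, k_ser: bytes, now: float) -> Optional[bytes]:
    """Server side of the MAKA phase without any verification table.

    Regenerates B_SN from {PID, A_SN} and K_ser only, then checks S2* ?= S2.
    Returns the recovered nonce n1 on success and None on any failure.
    """
    if abs(now - req["t1"]) > MAX_CLOCK_SKEW:            # stale or replayed timestamp
        return None
    s = h(req["PID"], k_ser)                             # S    = h(PID || K_ser)
    r = xor(req["A_SN"], s)                              # r    = A_SN XOR S
    b_sn = h(r, req["PID"], k_ser)                       # B_SN = h(r || PID || K_ser)
    n1 = xor(req["S1"], b_sn)                            # n1   = S1 XOR B_SN
    s2_star = h(req["PID"], req["A_SN"], req["S1"], str(req["t1"]).encode(), n1)
    if not hmac.compare_digest(s2_star, req["S2"]):      # constant-time S2* ?= S2
        return None
    return n1


def demo() -> bool:
    """Legitimate login succeeds; tampered A_SN, wrong password, wrong K_ser and a stale t1 all fail."""
    k_ser = secrets.token_bytes(HASH_LEN)                # the only long-term secret the server holds
    mem = register(b"user-01", b"correct horse", k_ser)
    req = sn_login(mem, b"correct horse", 1000.0)
    ok = server_verify(req, k_ser, 1001.0) is not None
    tampered = dict(req, A_SN=xor(req["A_SN"], b"\x01" * HASH_LEN))
    bad_pw = sn_login(mem, b"wrong password", 1000.0)
    return (ok
            and server_verify(tampered, k_ser, 1001.0) is None
            and server_verify(bad_pw, k_ser, 1001.0) is None
            and server_verify(req, secrets.token_bytes(HASH_LEN), 1001.0) is None
            and server_verify(req, k_ser, 1000.0 + 3600) is None)


if __name__ == "__main__":
    print("LAKS-NVT model checks:", "pass" if demo() else "FAIL")
```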

VII. FORMAL SECURITY VERIFICATION USING AVISPA
This section provides the formal security verification of the proposed scheme (LAKS-NVT) using one of the widely-accepted automated validation software tools, known as the ''Automated Validation of Internet Security Protocols and Applications (AVISPA)'' tool [48].
• SUMMARY: It indicates ''whether the tested protocol is safe, unsafe, or whether the analysis is inconclusive''.
• DETAILS: It gives a ''detailed explanation of why the tested protocol is concluded as safe, or under what conditions the test application or protocol is exploitable using an attack, or why the analysis is inconclusive''.
• PROTOCOL: It defines the ''HLPSL specification of the target protocol in intermediate form''.
• GOAL: It indicates ''the goal of the analysis which is being performed by AVISPA using HLPSL specification''.
• BACKEND: It is ''the name of the back-end that is used for the analysis, that is, one of OFMC, CL-AtSe, SATMC and TA4SP''.
• Final section: It gives the ''trace of a possible vulnerability to the target protocol, if any, along with some useful statistics and relevant comments''.
The basic types supported by HLPSL are as follows:
• agent: It indicates a ''principal name''. The intruder is always denoted by i and considered a legitimate entity in the specification of the protocol.
• symmetric_key: The keys that are relevant in the context of a ''symmetric-key cryptosystem'' are declared in this category.
• text: It usually represents a random nonce. It is also sometimes used to declare messages.
• nat: Under this category, the natural numbers are denoted in non-message contexts.
• const: Under this type, the constants in the protocol specification are declared.
• hash_func: This type indicates the ''one-way cryptographic hash functions'', which are treated as non-invertible functions.
Given a ''plaintext message, say m'' and an ''encryption key k'', the symmetric/public-key encryption of m using the key k is denoted by {m}_k. In HLPSL syntax, two messages/strings X and Y are concatenated as X · Y using the ''·'' operator, which follows the ''associative rule''.

B. HLPSL IMPLEMENTATION
The proposed scheme (LAKS-NVT) has been implemented in HLPSL. In this implementation, we have three basic roles, for a user/sensor node, a server/system administrator and the intermediate access point, which are shown in Figures 6, 7 and 8. Apart from these three basic roles, we have defined the two mandatory roles for the ''session'' and the ''goal and environment'', which are given in Figure 9.
Consider the basic role of a user/sensor node in Figure 6, where the user registration and authentication phases are implemented. The registration takes place over a secure channel by means of encrypting the registration messages using a pre-defined secret key, SKus, shared between the user and the server. The authentication phase is implemented over a public channel. In this phase, the user sends the message {PID, A SN , S1, S2, t1} to the IAP, which forwards it to the server. Later, the user receives the message {S3, S4, S5, S6, t2} from the IAP, which was forwarded by the server to the IAP.
The intruder simulation under the SPAN has been demonstrated in Figure 10. From this figure, it is seen that there are no attacks on the proposed scheme (LAKS-NVT). Finally, the simulation results under the OFMC and CL-AtSe backends are shown in Figure 11. It is also clear that LAKS-NVT is resilient against both ''replay'' and ''man-in-the-middle'' attacks.

VIII. PRACTICAL PERSPECTIVE: NS2 SIMULATION STUDY
The practical demonstration of LAKS-NVT using the well-known NS2 simulator [50] is presented in this section. In recent years, the NS2 simulator has also become a popular tool for measuring network performance parameters in many other networks apart from the ''simulation of Transmission Control Protocol (TCP), routing, and multicast protocols over wired and wireless networks'' [13], [51], [52]. Table 4 lists the parameters used during the simulation. The Ubuntu 18.04 LTS platform was used to conduct the simulation with the NS2 2.35 simulation tool. The wireless protocol IEEE 802.11 was used. Two different cases were considered in the simulation. We took one intermediate access point (IAP) and one server/system administrator for both cases. The number of sensor nodes was 25 (in Case 1) and 30 (in Case 2). The simulation was conducted for a duration of 1800 seconds. The communication ranges of the sensor nodes and the intermediate access point are 200 and 1000 meters, respectively. The Ad-hoc On-demand Distance Vector (AODV) routing protocol [55] designed by Perkins and Royer was used as the routing protocol. The remaining NS2 simulation parameters were taken at their standard values.

IX. SIMULATION PARAMETERS
The communication costs between various entities are computed as follows. During the MAKA phase among sensor node (SN ), intermediate access point (IAP) and server/system administrator (S/SA), we have the following messages exchanged among the entities:  During the experimentation, we have calculated ''the network performance parameters, such as end-to-end delay (in seconds), throughput (in bits per second) and packet loss rate''.

1) IMPACT ON END-TO-END DELAY
The end-to-end delay (EED) is defined as ''the average time required by the messages that reached the destination station from the source station''. It is calculated as an average over the exchanged messages, ''where T S i and T R i are the sending and receiving packet times of i, respectively, and ν p is the total number of exchanged messages''. In an authentication and key agreement procedure, it is important to calculate the value of EED, because it is needed for ''the establishment of session key among the communicating parties with the help of certain exchange of messages''. The EED value is expected to be low for an efficient authentication and key agreement mechanism. The EED values of LAKS-NVT for both considered cases (Case 1 and Case 2) are depicted in Figure 12. The EED values are 0.07697 and 0.10196 seconds for Case 1 and Case 2, respectively. Furthermore, it is worth noting that the value of EED increases with the number of sensor nodes because it increases the number of exchanged messages. Hence, there is a slight increase in EED from Case 1 to Case 2.

2) IMPACT ON THROUGHPUT
Throughput is another essential network performance parameter, computed as ''the number of bits transmitted per unit of time''. The throughput (in bps) values of LAKS-NVT for the considered cases are depicted in Figure 13. It can be mathematically formulated as ''N r × |PKS| / T τ , where T τ is the total time (in seconds), |PKS| is the packet size and N r is the total number of received packets''. The considered simulation time, which was the total time, was 1800 seconds. The throughput values of LAKS-NVT are 46.88 and 55.91 bps for Case 1 and Case 2, respectively. The throughput increases with the number of sensor nodes (from Case 1 to Case 2). This is because the number of exchanged messages increases from Case 1 to Case 2, which further increases the network throughput.

3) IMPACT ON PACKET LOSS RATE
Packet loss rate is another crucial network performance parameter, formulated as the ''number of packets lost per unit time'' and defined by ''N lp / T d , where T d is the total time (in seconds) and N lp is the total number of lost packets in a given duration of time''. An authentication and key agreement scheme is considered reliable if it produces a low ''packet loss rate''. The packet loss rates of LAKS-NVT under the considered cases are depicted in Figure 14. The considered simulation time (total time) is 1800 seconds. The ''packet loss rate'' values of LAKS-NVT are 0.01556 and 0.01667 for Case 1 and Case 2, respectively. Moreover, the ''packet loss rate'' increases with the number of sensor nodes, because more messages must be exchanged as the number of sensor nodes grows. This causes traffic congestion, and therefore the ''packet loss rate'' also increases from Case 1 to Case 2. However, the increase in ''packet loss rate'' is marginal, as LAKS-NVT uses ''lightweight cryptographic methods''.

4) IMPACT ON PACKET DELIVERY RATIO
The packet delivery ratio is ''the ratio of number of received packets to number of sent packets''. For an efficient and reliable communication system its value should be close to 1. The packet delivery ratio of LAKS-NVT under the various cases is depicted in Figure 15. The ''packet delivery ratio'' values of LAKS-NVT are 0.97 and 0.96 for Case 1 and Case 2, respectively. Moreover, the ''packet delivery ratio'' decreases slightly with the number of sensor nodes, because more sensor nodes require more messages to be exchanged. This causes traffic congestion, and therefore the ''packet delivery ratio'' also decreases from Case 1 to Case 2. However, the decrease in ''packet delivery ratio'' is marginal, as LAKS-NVT utilizes ''lightweight cryptographic methods''.
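The four metrics above (EED, throughput, packet loss rate and packet delivery ratio) can be computed directly from a packet trace. The following is an added example, not code from the paper or from NS2: it evaluates all four metrics over a constructed, simplified trace. The record format (`<kind> <time> <pkt_id> <size_bytes>`), the sample values and the 10-second observation window are assumptions for illustration and do not reproduce the paper's Case 1 and Case 2 numbers. It generalizes the throughput formula to variable-size packets by summing received bytes, which reduces to $N_r \times |PKS| / T_\tau$ when every packet has the same size, and it counts as lost any packet that was sent but never received, whether or not the trace records an explicit drop.

```python
"""Network-performance metrics (EED, throughput, packet loss rate, PDR)
computed from a simplified packet trace.

Added example for illustration. The trace format below is CONSTRUCTED and is
not the NS2 trace format; the values do not reproduce the paper's results.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    kind: str        # "s" = sent at source, "r" = received at destination, "d" = dropped
    time: float      # simulation time in seconds
    pkt_id: int
    size_bytes: int


# Constructed sample trace, one event per line: "<kind> <time> <pkt_id> <size_bytes>".
# Packet 3 is explicitly dropped; packet 5 is sent but never arrives.
SAMPLE_TRACE = """\
s 0.000 1 64
r 0.050 1 64
s 0.100 2 64
r 0.160 2 64
s 0.200 3 64
d 0.230 3 64
s 0.300 4 128
r 0.420 4 128
s 0.400 5 64
"""


def parse_trace(text: str) -> List[Event]:
    """Parse the constructed trace format, rejecting unknown event kinds."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, t, pid, size = line.split()
        if kind not in ("s", "r", "d"):
            raise ValueError(f"unknown event kind: {kind!r}")
        events.append(Event(kind, float(t), int(pid), int(size)))
    return events


def compute_metrics(events: List[Event], total_time: float) -> Dict[str, float]:
    """Return EED (s), throughput (bps), packet loss rate (packets/s) and PDR."""
    sent: Dict[int, float] = {}                  # pkt_id -> T_S_i
    recv: Dict[int, Tuple[float, int]] = {}      # pkt_id -> (T_R_i, size)
    for e in events:
        if e.kind == "s":
            sent[e.pkt_id] = e.time
        elif e.kind == "r":
            recv[e.pkt_id] = (e.time, e.size_bytes)

    # EED: mean over delivered packets of (T_R_i - T_S_i).
    delays = [recv[p][0] - sent[p] for p in recv if p in sent]
    eed = sum(delays) / len(delays) if delays else float("nan")

    # Throughput: received bits per second over the observation window T_tau.
    received_bits = sum(size * 8 for _, size in recv.values())
    throughput = received_bits / total_time

    # Packet loss rate: N_lp / T_d, where a lost packet was sent but never received.
    n_lost = sum(1 for p in sent if p not in recv)
    loss_rate = n_lost / total_time

    # Packet delivery ratio: received packets / sent packets.
    pdr = len(recv) / len(sent) if sent else float("nan")

    return {"eed": eed, "throughput_bps": throughput,
            "packet_loss_rate": loss_rate, "pdr": pdr}


if __name__ == "__main__":
    # Assumed 10-second observation window for the constructed trace.
    for name, value in compute_metrics(parse_trace(SAMPLE_TRACE), 10.0).items():
        print(f"{name:>18}: {value:.5f}")
```

With the constructed trace, three of five packets are delivered, so the PDR is 0.6, the loss rate is 2 packets over the 10-second window, the EED is the mean of the three delivery delays, and the throughput is 2048 received bits over 10 seconds. A real NS2 study would parse the simulator's own trace file and use the full simulation time (1800 seconds in the paper) as the window; the metric definitions are the same.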

X. PERFORMANCE ANALYSIS
We compared the proposed scheme's performance with contemporary authentication schemes for medical IoT [26], [28], [30], and also compared security features to verify that LAKS-NVT offers enhanced security. Table 5 compares the security features of LAKS-NVT and several contemporary schemes. LAKS-NVT withstands more potential attacks than any other compared scheme, and is secure against the leaking verification table attack because sensitive user information is not stored in the server database. Therefore, LAKS-NVT is significantly more secure and achieves the essential security requirements for medical IoT environments.

B. COMPUTATION AND COMMUNICATION OVERHEADS
For comparative analysis on communication and computational costs, we consider the authentication and key agreement phase for LAKS-NVT and other compared schemes.
Tables 6 and 7 compare computational and communication costs, respectively, between LAKS-NVT and contemporary lightweight authentication schemes. All considered schemes [26], [28], [30] have high efficiency because they require only hash and XOR operations. Table 6 considers only the hash operation, since the computational cost of XOR is negligible.
For the computational cost comparison, $T_h$ denotes the time needed for a ''cryptographic one-way hash function''. Based on the experimental results reported in [53], [54], we consider $T_h \approx 0.5$ ms. LAKS-NVT needs a computation cost of $20 T_h \approx 0.01$ seconds, whereas the schemes of Li et al. [28], Xu et al. [26] and Xu et al. [30] require $8 T_h \approx 0.004$ seconds, $10 T_h \approx 0.005$ seconds and $11 T_h \approx 0.0055$ seconds, respectively. Section X-A showed that the schemes [26], [28], [30] are unsuitable for practical environments because they are vulnerable to various attacks, including impersonation, stolen device and leaking verification table attacks. Thus, although LAKS-NVT has a slightly higher computational cost than the considered contemporary schemes, it is significantly more secure and also provides session key security. Therefore, LAKS-NVT can successfully protect user privacy in practical medical IoT environments.

XI. CONCLUSION
This paper proved that the previous scheme of Xu et al. does not prevent various attacks, including impersonation, stolen SN and leaking verification table attacks, and does not achieve anonymity, secure MA and untraceability. To overcome these security flaws, we designed a provably secure and lightweight MAKA scheme for medical IoT that does not require a server verification table.
We showed that LAKS-NVT is secure against impersonation, stolen SN, replay and leaking verification table attacks, since it does not store sensitive user data in a server database. LAKS-NVT also achieves anonymity, secure MA and untraceability. Formal (mathematical) security analysis confirmed that LAKS-NVT guarantees secure MA between SN and S using BAN logic, and session key security using the ROR model. In addition, the formal security verification using the AVISPA tool proves that LAKS-NVT is also secure.
The performance comparison with contemporary lightweight authentication schemes confirmed that the computational and communication costs of LAKS-NVT are comparable with those of the contemporary schemes, while LAKS-NVT exhibits significantly enhanced security and functionality. In addition, we evaluated the network performance of LAKS-NVT through the NS2 simulation study. Therefore, LAKS-NVT is suitable for practical medical IoT environments.