Efficient Authentication Protocol for Continuous Monitoring in Medical Sensor Networks

Continuous monitoring of patients with the help of small devices (sensors) currently makes it easy for doctors and nurses to check on patients. Because of privacy concerns, the data collected from these devices must be protected, so a lightweight mutual authentication and key agreement protocol is required among doctors/nurses, trusted servers, sensors and patients. In this paper, we provide a secure protocol that supports continuous monitoring of patients. First, users' biometrics are used to verify users, and continuous monitoring of physiological data (e.g., ECG signals) is used to verify the patient's identity; this prevents device theft attacks. In addition, dynamic identities are used to provide user anonymity and mitigate user traceability. We then provide informal and formal security analysis to prove that our protocol establishes a session key between the user and the sensor after successful mutual authentication. Performance analysis shows our scheme to be competitive with existing schemes relative to the added security benefits it provides.


I. INTRODUCTION
With the growth in the number of patients suffering from chronic and cardiovascular diseases in advanced countries and the general aging of the population, demand for medical care and patient remote monitoring or telehealth has risen [1]. Wearable medical sensor networks (WMSN), which include sensors attached to the patient's body such as ECG electrodes, pulse oximeters, temperature or blood pressure sensors, are deployed in e-health care systems in response to the growth in the number of patients and the development of new wireless technologies [2]. In such a system, doctors/nurses can monitor patients' heart rate, temperature, blood pressure or blood oxygen level at any time without needing to be in physical proximity.
Data related to patients is highly sensitive and needs to be protected. However, over insecure communication channels, data collected from patients can easily be eavesdropped on or modified, which may result in an incorrect diagnosis [3]. Therefore, strict precautions must be taken to prevent illegal access to the patient's private data through a strong user authentication mechanism: all users need to be authenticated before accessing the sensitive data. In addition, data exchanged between doctors/nurses and patients needs to be encrypted under a session key. Such a protocol should be designed for wearable medical sensor networks to provide a balance between security, privacy and computational cost [1].

A. RELATED WORK
In 2009, Das et al. [6] designed a two-factor authentication scheme to authenticate users and sensor nodes using a smart card and password; however, the scheme did not establish a session key at all. To improve on this scheme, Vaidya et al. [7] proposed a two-factor mutual user authentication scheme with key agreement for WSNs. In 2014, Kim et al. [8] showed that [7] was susceptible to user impersonation and gateway node bypassing, and introduced a two-factor user authentication and key agreement protocol for WSNs claiming to resist both attacks. Chang et al.'s scheme [4] was shown by Park et al. [9] to be vulnerable to offline password guessing attacks and to lack perfect forward secrecy. Once an attacker succeeds in guessing the correct password, he can easily perform an impersonation attack, stolen verifier attack and lost smart card attack [9].
To address some weaknesses of two-factor authentication protocols, including their failure to resist offline password guessing attacks and their inability to update user passwords, authentication schemes introduced biometric keys as a third factor. Biometrics have several advantages: they cannot be lost or forgotten and are difficult to copy, forge or break [10]. These properties make biometric-based schemes more reliable and more secure than conventional schemes [10].
In 2015, A.K. Das et al. [11] introduced a biometric-based authentication scheme resisting well-known security threats in WSNs including the stolen smart card attack, impersonation attack, offline password guessing attack and man-in-the-middle attack. Maurya et al. [12] found that the scheme is in fact susceptible to the stolen smart card attack, [13] proved its susceptibility to the impersonation attack, and [14] showed that it allows user forgery and offline password guessing attacks. In 2016, Choi et al. [15] proposed another biometric-based scheme addressing the lack of accuracy of biometric recognition and the difficulty of user verification. However, this scheme is vulnerable to user impersonation and known-plaintext attacks, in addition to not providing user anonymity.
A three-factor user authentication and key agreement protocol for WSNs was proposed by Park et al. [9] with the help of the elliptic curve cryptosystem and fuzzy extraction. Later, Wang et al. [1] proved that Park et al. [9] lacks resistance to offline password guessing because of its incorrect application of ECC in the protocol design: all the parameters in the verification value can be computed from static knowledge readily accessible to an attacker who sniffs the public channel and has access to the smart card and biometrics. Moon et al. [16] improved on Park et al.'s scheme and claimed to address its weaknesses, but it was found to be susceptible to impersonation attack by Maurya et al. [12]. In 2017, another three-factor user authentication scheme using a smart card, password and biometrics protected by a bio-hash function was proposed [17]. Wang et al. [1] also proved that Jung et al. [17] is not resistant to impersonation and offline password guessing attacks, in addition to not providing forward secrecy and user anonymity. Biometrics are also utilized by [18] and [19]; however, those schemes lack offline password update.
The above schemes belong to one-time (static) authentication which means that authentication is only invoked at the beginning of a communication session. However, if an attacker is able to gain access to the system, he/she can continue to use it for a long period of time without the need to re-authenticate [20]. Thus, static authentication does not protect against session hijacking. Due to the above issue, continuous authentication has been introduced as a supplemental means of automatically verifying the legitimacy of a user with the help of prior knowledge of their motion state collected from mobile devices or wearable motion sensors [21]- [23]. For example, using behavioral or physiological data including electroencephalogram (EEG), electrocardiogram (ECG) and photoplethysmography (PPG) can implement continuous authentication.

B. CONTRIBUTION
A lightweight biometric-based authentication protocol is proposed in this paper. This protocol utilizes ECC and dynamic identities together with the user's biometrics to verify users. Fuzzy extraction, which consists of two randomized operations, is used to protect biometrics; its principle is outside the scope of this paper, and details can be found in [12]. To provide continuous monitoring, our scheme mutually authenticates the doctor/nurse and trusted server through three-factor authentication, and generates a session key between doctor/nurse and sensor. Similarly to [21]- [23], we use the patient's ECG signals to achieve continuous verification of the patient's identity, performed at the trusted server. Note that, to reduce overhead on sensors, we do not perform continuous authentication of the sensor; rather, we chose to supplement our static sensor authentication with continuous patient verification.
The main contributions are: 1) End-to-end authentication: for the first time, we provide a complete end-to-end scheme that can be deployed in a real-time environment across the doctor/nurse, trusted server, sensor and patient while utilizing biometrics on both ends to enhance security. Compared to the existing schemes [1], [9], it substantially reduces communication and computational overhead. 2) Continuous monitoring: our protocol provides continuous monitoring of patients by verifying their physiological data. 3) Anonymity and resistance to sensor theft: our scheme resists sensor theft attacks and protects the patient's identity. Dynamic identities are also introduced to provide anonymity and untraceability of mutual authentication, as these identities cannot be retrieved by adversaries without knowing the secret random numbers, and they are updated in each authentication round. 4) Security: we formally validate using BAN logic that our protocol establishes a shared session key and achieves mutual authentication, and simulation results based on AVISPA also show that our protocol resists replay and man-in-the-middle attacks. 5) Efficiency: evaluation comparisons show that our protocol has better performance (e.g., communication overhead, computational overhead).
The remainder of this paper is organized as follows: Section II goes over some preliminaries, Section III describes our authentication scheme, Sections IV and V perform formal and informal security analysis on it, Section VI analyzes the performance of our scheme and finally Section VII concludes the paper.

II. PRELIMINARIES
We are applying wireless wearable sensor networks to the IoT-based telemedicine system to enable doctors, nurses and caregivers to monitor patients dynamically and in real time (shown in Fig. 1). Patients are monitored dynamically in that while the doctor is on the move, he always has access to the patient's real-time sensor readings from any location through an application on his mobile device. The dynamic nature also implies that the patient can continue to live actively while constantly being tracked through the wireless sensors hooked on to limited-resource wearable devices. Patients are monitored in real-time meaning that whenever the doctors log on to the system, they have access to the current sensor readings and not static data like in medical information systems.
In designing our scheme, we assume that an adversary has the following capabilities when accessing our WMSN: 1) An adversary can conduct a power analysis attack to obtain the information stored in the smart card and sensors [24]. 2) An adversary can intercept, modify, delete and replay all messages transmitted over public channels. 3) An adversary can obtain a user's fingerprint through the use of putty and gelatin or a high-quality scanner. The notations used throughout our scheme are presented in Table 1 below.

III. PROPOSED AUTHENTICATION AND KEY AGREEMENT SCHEME
Our scheme consists of five phases described in this section. These include doctor/nurse and sensor registration,

A. REGISTRATION
1) DOCTOR/NURSE REGISTRATION
Through the registration phase, a legal user U i obtains his/her smart card from the trusted server. Communications between U i and the trusted server take place over a secure channel as it is a one-time process. Details are as follows: Step 1: U i inserts his/her identity ID i , chooses a password PW i and imprints fingerprint BIO i . U i computes (R i , P i ) = Gen(BIO i ) and HPW i = h(PW i ||R i ). He/she then sends {ID i , HPW i , R i } to the trusted server.
Step 2: The trusted server chooses a random number r 0 and uses its secret key x to compute X S i = h(ID i ||x||r 0 ). The server then generates another random number r 1 to compute It then chooses a third random number r 2 to compute the dynamic identity Honey_List} in its database, where the Honey_List tracks the number of failed logins so that a user exceeding a specific threshold is blocked, as is done in [1], and is set to 0 at the beginning.
Step 3: The trusted server issues a smart card SC to U i con-

2) SENSOR REGISTRATION
Similarly, communications between the sensor and the trusted server take place over a secure channel as it is a one-time process. Details are as follows: Step 1: The patient is hooked up to the ECG sensor which collects data. The data is segmented and processed as in [24] to generate a FeatureSet ECG . This is sent to the trusted server together with the PID which the patient enters directly in the secure channel.
Step 2: The sensor sends its SID j to the trusted server.
Step 3: The trusted server uses PID and FeatureSet ECG as training data for the convolutional neural network inside the server as is used in [17]. The server also stores {h(SID j ||x), PID ⊕ x} in its database and computes C 0 = h(x). It then sends {C 0 } to the sensor.

B. DOCTOR/NURSE LOGIN
In order to establish a connection with the sensor through the trusted server, U i must login to the system. The following steps need to be executed: Step 1: U i inserts ID i and PW i , and imprints fingerprint BIO i .
Step 2: The smart card computes If they are equal, it selects a random number α ∈ Z p * and computes

C. AUTHENTICATION AND KEY AGREEMENT
In this phase, the trusted server receives the login request message from U i and mutually authenticates itself with the user and the sensor. After successful mutual authentication, U i and S j establish a common secret session key SK i, j which is used for future secure communications between them. Details follow:
Step 1: The trusted server computes X = xX i and T ID i = DID i ⊕ h(X i ||X). It then uses h(T ID i ||x) to look up the corresponding r 0 , ID i and Honey_List in its database. If Honey_List > threshold, the server considers the smart card suspended and rejects the request. If it cannot find an entry for h(T ID i ||x) in its database, it also rejects the login request. Otherwise, it proceeds to compute , then the server increments the value in the Honey_List by 1. Otherwise, it looks up PID using h(SID j ||x) and chooses β ∈ Z p * to compute Y j = βP,
Step 2: At this time, the patient would have been hooked up to the ECG sensor and entered his PID into the sensor. The sensor checks the freshness of T G and computes M S j ,G = h(k j ||Y j ||X S j ||X i ||T j ||PID). If they are not equal, the server rejects the session because this means that the neural network did not match the received signals with the correct PID. Otherwise, it generates a new random number r 3 , computes T ID new i = h(r 3 ||ID i ) and updates the database entry to h(T ID new i ||x). The server sends {Y j , M G,U i , r 3 } to the user.
Step 4: The user checks if M G,U i If they are not equal, authentication fails. Otherwise, it computes SK i, j = h(X i ||αY j ||Y j ) and updates T ID i = h(r 3 PID i ) in its smart card.
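The exchange of Sections III.B and III.C, and the reason a replayed login request fails (Section IV.B.6), as an added example that is not the paper's code. Because the page elides several formulas, the example assumes the following, none of which the page states: X i = αP; the smart card value ϒ is the server's public point xP, so the card can form X = αϒ = xX i without knowing x; "||" is byte concatenation of fixed-width encodings; and the user-side check of M U i ,G is replaced by a flag. The curve is a tiny constructed teaching curve over GF(97), chosen only so the arithmetic is easy to follow.

```python
"""Toy model of login, dynamic-identity recovery, Honey_List handling and the
ECC key agreement SK = h(X_i || alpha*Y_j || Y_j).  Added example, not the
paper's code; see the lead-in for the assumptions made here."""
import hashlib

P_MOD, A, B = 97, 2, 3   # constructed curve y^2 = x^3 + 2x + 3 over GF(97); never use for real
P = (3, 6)               # base point: 27 + 6 + 3 = 36 = 6^2 (mod 97)
O = None                 # point at infinity

def scalar_bytes(k):
    """Fixed-width encoding of a scalar such as the server secret x."""
    return k.to_bytes(4, "big")

def ec_add(p1, p2):
    """Affine group law on the toy curve."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = O, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc

def enc(pt):
    """Fixed-width point encoding so that concatenation is unambiguous."""
    return b"O" if pt is O else pt[0].to_bytes(2, "big") + pt[1].to_bytes(2, "big")

def h(*parts):
    """h(a||b||...) modelled as SHA-256 over the concatenated encodings."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

class TrustedServer:
    """Keeps x and the table keyed by h(T_ID_i||x) -> [r0, ID_i, Honey_List]."""
    def __init__(self, x, threshold=3):
        self.x, self.threshold, self.table = x, threshold, {}
        self.upsilon = ec_mul(x, P)      # assumed public point handed to the smart card

    def register(self, id_i, tid, r0):
        self.table[h(tid, scalar_bytes(self.x))] = [r0, id_i, 0]   # Honey_List starts at 0

    def login(self, DID_i, X_i, r3, verified=True):
        """Step 1 of Section III.C: recover T_ID_i, look it up, apply Honey_List, re-key."""
        X = ec_mul(self.x, X_i)                    # X = x*X_i
        tid = xor(DID_i, h(enc(X_i), enc(X)))      # T_ID_i = DID_i xor h(X_i||X)
        key = h(tid, scalar_bytes(self.x))
        entry = self.table.get(key)
        if entry is None:                          # replayed or unknown dynamic identity
            return "rejected: unknown or stale dynamic identity"
        if entry[2] > self.threshold:
            return "rejected: smart card suspended"
        if not verified:                           # stand-in for the elided check of M_{Ui,G}
            entry[2] += 1                          # failed login: Honey_List + 1
            return "rejected: verification failed"
        del self.table[key]                        # success: re-key under h(T_ID_new||x)
        self.table[h(h(r3, entry[1]), scalar_bytes(self.x))] = entry
        return "accepted"

def run_session(server, id_i, tid, alpha, beta, r3, verified=True):
    """One exchange with fixed scalars; returns what each party ends up holding."""
    X_i = ec_mul(alpha, P)
    X_user = ec_mul(alpha, server.upsilon)         # alpha*(x*P) == x*X_i, no x needed
    DID_i = xor(tid, h(enc(X_i), enc(X_user)))     # DID_i = T_ID_i xor h(X_i||X)
    verdict = server.login(DID_i, X_i, r3, verified)
    Y_j = ec_mul(beta, P)                          # sensor side: Y_j = beta*P
    sk_sensor = h(enc(X_i), enc(ec_mul(beta, X_i)), enc(Y_j))   # beta*X_i == alpha*Y_j
    sk_user = h(enc(X_i), enc(ec_mul(alpha, Y_j)), enc(Y_j))    # SK = h(X_i||alpha*Y_j||Y_j)
    return {"verdict": verdict, "DID_i": DID_i, "X_i": X_i,
            "sk_user": sk_user, "sk_sensor": sk_sensor, "tid_new": h(r3, id_i)}

if __name__ == "__main__":
    srv = TrustedServer(x=139)
    tid0 = h(b"r2", b"ID_alice")                   # constructed initial dynamic identity
    srv.register(b"ID_alice", tid0, r0=b"r0")
    s = run_session(srv, b"ID_alice", tid0, alpha=131, beta=137, r3=b"r3")
    print(s["verdict"], s["sk_user"] == s["sk_sensor"])
    print(srv.login(s["DID_i"], s["X_i"], b"r3"))  # same login replayed: rejected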

D. CONTINUOUS MONITORING
Data collected from sensor is continuous sent to the doctor after the one-time authentication has completed successfully. This data is encrypted using a session key SK i, j = h(X i ||αY j ||Y j ). Also, data collected from sensor should be sent to the trusted server periodically, e.g., 30minutes. This could help to verify patient through comparisons of the cached the PID and trained results from the trust server using neural network to train data. If both of them are matched, it means the patient is the registered one and the session continues. If they don't match, the server warns the doctor that the patient might have changed and the doctor may or may not choose to terminate the session.

E. PASSWORD CHANGE
This phase enables the legal user U i to change his/her password and biometric without communication with the server. Details are seen as follows.
Step 1: U i inserts ID i and PW i , and imprints fingerprint BIO i .
Step 2: The smart card computes R i * = Rep(BIO i , P i ),  Table 2 below shows the notation used to describe the protocol logic as well as the BAN logic postulates [26]. We used BAN logic to formally prove the security of our scheme. The proposed scheme should satisfy the following

A. FORMAL PROOF OF AUTHENTICATION AND KEY AGREEMENT USING BAN LOGIC
The following represents the idealized version of our scheme: The following defines the initial assumptions we made about the state of the scheme: H1 : S j | ≡ #(T G ); H2 : T S| ≡ #(X ) ; H3 : T S| ≡ #(T j ) ; H4 : U i | ≡ #(X ); H5 : Formal security analysis of the idealized scheme is as follows: From M1, we get S1: Using H5 and S1, we can apply the message meaning rule: Then we can get S2:T S| ≡ U i | ∼ (DID i , X i , U i X ↔ T S). Using H2 and M1, we can apply the freshness conjugation rule: Thus we can get S3:T S| ≡ #(DID i , X i , U i X ↔ T S). Using S3 and S2, we can apply the none verification rule: From M2, we get S4: S j < (X i , SID j , T G ) X S j . Using H7 and S5, we can apply the message meaning rule: Similar, using H1 and M2, we can apply the freshness conjugation rule: Then, we apply the none verification rule: Using H6 and S5, we can apply the message meaning rule By using H3, the freshness conjugation rule and the none verification rule, we have T S| ≡ S j | ≡ (k j , Y j , T j , PID).
Similarly, from M$ and using H8 and H4, the freshness conjugation rule and the none verification rule, we have U i | ≡ T S| ≡ (αY j , X, T ID i ).
Since SK i, j = h(X i ||αY j ||Y j ) and given S j | ≡ T S| ≡ (X i , SID j , T G ) and T S| ≡ S j | ≡ (k j , Y j , T j , PID), we have We have successfully proved goals G1, G2, G3 and G4. Therefore, we can conclude that our scheme ensures that the user U i and server S j have been mutually authenticated and have established a shared session key SK i, j .

B. INFORMAL SECURITY ANALYSIS 1) USER (DOCTOR/NURSE) IMPERSONATION ATTACK
If an attacker accesses to a smart card and obtains its content, The reason is that R i and PW i are never stored in the server database, and are never computed due to one-way hash function feature. Thus, resists impersonation attack.

2) WEARABLE MEDICAL SENSOR IMPERSONATION ATTACK
If an attacker accesses to C 0 in the sensor, it still cannot be able to compute M S j ,G = h(k j PY j PX S j PX i PT j PPID) due to without known of X S j andY j . Computing of two of X S j and Y j requires PID and β. Similarly, the attacker cannot construct a valid SK i, j .
If the attacker accesses to the trusted server database, but it needs need x to get PID. This could avoid the drawback in ang et al. [1] where once the sensor is compromised, carrying out an impersonation attack and computing the session key is simple.

3) PATIENT IMPERSONATION ATTACK
Since the patient's PID is never stored as plain text, it is not possible for attacker to get PID without knowing x since the server stores {h(SID j ||x), PID ⊕ x}. Thus, it could resist patient impersonation attack.

4) PHYSICAL SENSOR THEFT
Since with the help of prior knowledge about data collected from patient (for example, continuously monitoring the patient and verifying every 30 minutes that the patient identity cached on the server matches the result computed by the neural network using the detected ECG signals), it could provide a protection mechanism for cases where an attacker steals the sensor and hooks it up to a different patient. Thus, it could resist to physical sensor theft.

5) LOST/STOLEN SMART CARD ATTACK
If an adversary obtains {A i , B i , C i , ϒ, P, P i , T ID i } from the smart card, it cannot construct a valid login message {DID i , X i , M U i ,G }. This is because it is hard to get X S i without knowing user's R i and PW i or the random numbers r 0 and x. All these parameters are never stored in the smart card. Therefore, our scheme resists lost/stolen smart card attack.

6) REPLAY ATTACK
If an adversary obtains contents in the smart card, and then is eavesdropping over the public channel, it cannot construct a valid login message. If he/she tries to replay a valid login message, the trusted server will compute T ID i = DID i ⊕ h(X i PX ) and then lookup h(T ID i Px) in its database. This is because that T ID i is a dynamic identity that is recomputed with a new randomly generated number each time when user is successfully authenticated. Therefore, the login request will be rejected. Also, using the timestamp staleness, replaying messages will be detected by the trusted sever and the sensor.

7) USER ANONYMITY AND PROTECTION AGAINST TRACEABILITY
If an attacker monitors the public channel, it will not be capable of determining which user the messages correspond to with the help of the randomness of DID i (= T ID i ⊕ h(X i PX )) and the flesh of X i and X per each login session. Thus, it is computationally infeasible for an attacker to determine which ID i the transmitted DID i belongs to. It is very difficult for an attacker to know if two messages belong to the same ID i . What's more, PID is never exposed at all over the public channel. Thus, our protocol could provide user anonymity and un-traceability.

8) OFFLINE PASSWORD GUESSING ATTACK
If the attacker obtains the information {A i , B i , C i , ϒ, P, P i , T ID i } stored in the smart card of a legal user, it cannot guess the correct password. This is because the password is protected by the one-way hash function HPW i = h(PW i ||R i ). It is impossible to guess these four parameters correctly at the same time. Thus, our protocol can prevent offline password guessing attack.

9) SYMMETRIC KEY PROTECTION
As discussed above, the session key is computed as SK i, j = h(Z||X i ||Y j ). Given X i and Y j , an intruder cannot compute Z without knowing β. Thus, it is hard to compute the session key SK i, j = h(Z||X i ||Y j ).

10) PROTECTION OF BIOMETRIC TEMPLATE
Biometric templates are protected using fuzzy extraction function. In addition, the patient's ECG is always encrypted before being sent over the public channel. As previously discussed, it is computationally infeasible for an intruder to compute the session key.

V. FORMAL SECURITY VALIDATION: SIMULATION USING AVISPA TOOL
The Automated Validation of Internet Security Protocols and Applications, or AVISPA, is a push-button tool utilizing industrial-strength technology to build and analyze formal models of large-scale security sensitive protocols and detect both active and passive attacks they may be susceptible to [27]- [29]. Protocol schemes and their security properties are defined using a High-Level Protocol Specification Language (HLPSL). The architectural structure of the AVISPA tool constitutes several components. HLPSL is first translated into an intermediate format (IF) through the HLPSL2IF translator. IF is a low-level language that can be directly fed to the integrated verification back-ends which include On-thefly Model-Checker (OFMC), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC) and the Tree Automata-based Protocol Analyzer (TA4SP). All of them are used to measure whether a protocol is SAFE or UNSAFE and return a trace of the potential attack. Because the analysis method used by each of these tools is different, they may yield  different results in terms of the safety of the protocol and the sequence of events leading up to the trace [29].
Results from both OFMC and CL-AtSe backends proved our protocol to be safe against passive and active attacks (like replay and man-in-the-middle attack) under the Dolev-Yao model. Simulation results are shown in Fig. 2 and Fig. 3.

VI. PERFORMANCE ANALYSIS
We compare the performance and computational complexity of our protocol with [1], [9], [17], and [23]. Note that [1], [9] and [17] are user-sensor three-factor authentication schemes whereas [23] is a continuous authentication scheme between a sensor and gateway node. Table 3 shows the the security properties of our protocol with aforementioned schemes and observe that none of them satisfy all 11 security requirements. In contrast, our protocol satisfies all 11 security requirements our protocol in addition to providing continuous patient monitoring. Table 4 compares the smart card's computational overhead where T h , T F , T E , T s represent the time complexity of the one-way hash function operation, fuzzy extraction operation, ECC multiplication operation, and the symmetric key encryption/decryption operation respectively. According to Maurya et al. [12], the time complexity (in ms) on a windows 7 operating system with Intel (R) core (TM) 2 Quad CPU Q8300, @2.50 Hz and 2 GB RAM is T h ≈ 0.5, T F ≈ 0.5, T E ≈ 50.3 and T s ≈ 8.7. The fuzzy extraction execution time is assumed to be equal to that of the one-way function since it can typically be constructed using universal hash functions or  [12]. Because the XOR operation's running time is negligible, it is ignored in our analysis.
The total computational overhead for the static authentication phase is 22T h + 8T E + 2T F + 2T S in our protocol, 21T h in [17], 25T h + 4T E + T F in [9] and 29T h + 6T E + T F in [1]. Although [17] has the smallest computational cost, Table 4 shows that it has the weakest security and is not fit for practical applications. In comparison to [1] and [9], our protocol demonstrates acceptable overhead while maintaining stronger security. Table 5 lists the computational overhead incurred by the sensor. It shows that the sensor computational overhead in our protocol is almost half that in [1] and [9]. This makes it much easier to deploy our protocol on sensors which have very limited resource capacity. Fig. 4 provides the comparison of computational overhead. From the figure, we can see that our protocol needs 61.5 ms    for static authentication, and 8.7ms for continuous authentication. Note that [17], [9] and [1] are not satisfied for continuous authentication according to Table 3. Table 6 lists the computational overhead incurred by the trusted server. It shows that our protocol has the largest overhead but it must be noted that offloading the sensor greatly enhances the efficiency and practicality of the protocol and this can be done at the price of achieving higher security and lower sensor overhead. Fig. 5 shows a comparison of the communication overhead is listed in Table 6 to provide a comparison to [1], [9], [17], [23]. The size of output of the one-way hash function and bio-hash function, real identity and any random integer is 160bits long. The length of the output of the symmetric encryption/decryption is 256bits. Our protocol has a better performance compared to [23].

VII. CONCLUSION
In this paper, a new ECC based lightweight static and continuous mutual authentication and key agreement protocol is proposed to protect data privacy and provide mutual authentication between the doctor/nurse, trusted server, sensor and patient. Continuous authentication is provided with the help of prior knowledge of their data collected from patients. Security analysis showed that our protocol is resistant to user and sensor impersonation attacks, physical sensor theft and more.
BIDI YING received the B.S. degree in communication engineering from Hangzhou Dianzi University, Hangzhou, China, in 2003, and the Ph.D. degree in information and communication engineering from Zhejiang University, Hangzhou, China. She is currently an Associate Professor with the School of Information and Electronic Engineering, Zhejiang Gongshang University. She also is an Associate Researcher with the University of Ottawa, Ottawa, ON, Canada. Her research interests include security or privacy in social networks, vehicular networks, Adhoc network, and wireless sensor network. She was a Member of the program committees of many conferences.
NADA RADWAN MOHSEN received the bachelor of applied science degree in software engineering and master degree in computer science degree from the University of Ottawa, Ottawa, ON, Canada, in 2018 and 2019, respectively. She is currently a Full Stack Software Developer with Cognos Analytics division, IBM. Her thesis defense was exploring a new lightweight and efficient authentication protocol for continuous static and dynamic patient monitoring in wireless medical sensor networks. She has authored or coauthored international publications in highly recognized outlets. Her research interest areas include authentication, E-health, body sensor network, IoT, Elliptic curve cryptography, and biometrics.
AMIYA NAYAK received the B.Math. degree in computer science and combinatorics and optimization from the University of Waterloo, Waterloo, ON, Canada, in 1981, and the Ph.D. degree in systems and computer engineering from Carleton University, Ottawa, ON, Canada, in 1991. He has more than 17 years of industrial experience in software engineering, avionics and navigation systems, and simulation and system level performance analysis. He is currently a Full Professor with the School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, ON, Canada. He has authored or coauthored more than 300 research articles in international journals and conferences.