A Smartcard-Based User-Controlled Single Sign-On for Privacy Preservation in 5G-IoT Telemedicine Systems

Abstract

Healthcare is now an important part of daily life because of rising consciousness of health management. Medical professionals can know users’ health condition if they are able to access information immediately. Telemedicine systems, which provides long distance medical communication and services, is a multi-functional remote medical service that can help patients in bed in long-distance communication environments. As telemedicine systems work in public networks, privacy preservation issue of sensitive and private transmitted information is important. One of the means of proving a user’s identity are user-controlled single sign-on (UCSSO) authentication scheme, which can establish a secure communication channel using authenticated session keys between the users and servers of telemedicine systems, without threats of eavesdropping, impersonation, etc., and allow patients access to multiple telemedicine services with a pair of identity and password. In this paper, we proposed a smartcard-based user-controlled single sign-on (SC-UCSSO) for telemedicine systems that not only remains above merits but achieves privacy preservation and enhances security and performance compared to previous schemes that were proved with BAN logic and automated validation of internet security protocols and applications (AVISPA).

1. Introduction

Healthcare is now an important part of daily life because of rising consciousness of health management. People can check up health conditions by themselves, such as heartbeat rate, quality of sleep, amount of exercise, and so on, by supporting wearable technology, including smart phone, smart watch, smart bracelet, etc., which measures biodata and assists self-health management. Currently, biodata is only transferred to a smartphone and analyzed by applications on a smart phone, without being transferred to other outside systems [1]. Medical professionals can know users’ health conditions, if medical professionals are able to access the information immediately [1].

Telemedicine systems provide long distance medical communication and services through which patient and medical professionals can communicate online, and patient benefits from being supported with ambulatory care or other medical services, even in remote areas [1,2,3,4]. Telemedicine systems allow health related data and image to be reliably transmitted from one point to another [1]. Many researchers focused on monitoring patient’s health with specific diseases using telemedicine, such as diabetes and Parkinson’s disease, and telemedicine systems can help a patient recover from illness through this way [5,6,7,8]. In other words, telemedicine can help patients improve their quality of life [1]. Moreover, telemedicine systems can provide better solutions in emergency situations and serious disease monitoring [1,8,9,10]. Telemedicine systems are implemented with wireless communication environments, such as Wi-Fi, Internet of Things (IoT), and fifth generation (5G), to achieve long distance medical communication and services [8,11]. The sensors, such as wearable devices, for example, gather measured data, and measured data are then transmitted through gateways, 5G base stations, and core networks. After this, data is stored or analyzed by applications in back-end servers or cloud servers.

Telemedicine systems are implemented with wireless communication environments, which means data are transmitted through public networks. The patient sends healthcare-related information through public networks when using telemedicine technology, and the transmitted information is important, sensitive, and private [1]. Security issues related to data transmission were discussed, such as eavesdropping, man-in-the-middle (MITM) attack, data tempering attack, message modification attack, data interception attack, etc. [12] Although the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and Safe Harbor Laws have regulations that provide privacy of personal information, technical support is still not enough [12,13,14].

Security issues exist in multi-server environments when applying conventional password-based authenticated key exchange schemes. Users have to maintain pairs of identifiers and passwords that increase computational cost and security risks. Moreover, a trustworthy third party is required, while users utilize a single pair of identity and password in multi-server telemedicine systems. However, a malicious third party is able to impersonate users to access other services, with knowledge of shared keys. The same can be proved if a malicious server exists. In terms of performance, the cost of establishing a session key for users is related to the number of servers in conventional schemes. A single sign-on (SSO) mechanism can overcome the above issues that allow users a single action to achieve authentication with a single pair of identity and password, rather than with multiple passwords [15,16,17].

In the proposed scheme, we apply a user-controlled SSO (UCSSO) authenticated key agreement. The key allows patients access to services in multi-server telemedicine systems with a user-defined password, and establishes a secret shared key among servers for securing subsequent communications and designing a smartcard-based user-controlled single sign-on (SC-UCSSO) scheme that can be applied in 5G-IoT multi-server telemedicine systems. The patients has data ownership as they can control and decide the data’s destination and time of transmission. The proposed scheme establishes a secure communication channel using authenticated session keys between patients and services, while meeting general security requirements. Moreover, computational complexity is better than the compared previous schemes. We sketch the remaining organization of paper below. We introduce telemedicine systems and the Chebyshev chaotic maps in Section 2. We introduce our scheme in Section 3, and security and performance analysis are detailed in Section 4 and Section 5. We present our results of implementation in Section 6. Finally, the conclusion is drawn in Section 7.

2. Related Works

2.1. Telemedicine Systems

Telemedicine systems is a technology of electronic message and telecommunication related to healthcare [1,18]. The National Health Services (NHS) of United Kingdom defines changes to NHS service model as “out of hospital care”, “reducing emergency hospital services”, “personalized care”, “digitally enables care”, and “integrated care systems models”, which can correspond to the features of telemedicine systems [19,20]. Thanks to the IoT technology, which enable medical professionals to monitor patients who are outside of medical institutes in real-time, medical professionals can know users’ health condition, if they are able to view the information immediately [1,20]. In other words, telemedicine systems with IoT can enhance functions of patient’s health monitor and proactive and preventive healthcare interventions [20].

A general telemedicine system can be divided into three level [21]. Level 1 (primary healthcare unit) consists of users with webcam, smart phone, or wearable devices, which is enables communications of measured biodata through wireless communications, including radio frequency identification (RFID), near field communication (NFC), Bluetooth, Wi-Fi, Zigbee, etc. [20]. Measured biodata are transmitted to the user’s smartphone without being transferred to other systems [1]. Level 2 (city or district hospital) is clinic or local hospital that the patient might visit before being transferred to a large hospital or medical center. Level 3 (specialty center) takes part in telemedicine in case of a rare disease or an incurable disease [21]. Figure 1 illustrates a general telemedicine system including two scenarios—asynchronous telemedicine and synchronous telemedicine [21,22]. Asynchronous telemedicine allows patients to decide a proper time to send medical image and health record to medical service providers for detailed examination. Synchronous telemedicine, also called synchronous video conferencing or interactive telemedicine, provides real-time communication between patient and medical professional [22].

2.2. Medical Privacy

Telemedicine systems have many challenges, such as infrastructure, connections, professional requirements, data management, and real-time monitoring [23,24]. Medical privacy is of the utmost importance, and damage of medical privacy not only brings huge economic losses and losses of credibility to hospitals and other related institutions but does potential harm to patients and endangers lives of patients [24,25]. Unfortunately, thus far, healthcare-related industries did not achieve users’ expectations [24]. Trust management (TM) is important for allowing reliable data collection and transmission, to provide qualified services and enhance user privacy and information security [26]. Gambetta first defined two widely accepted definitions of trust called reliability trust and decision trust [26,27]. Recently, researchers had discussions about TM of IoT [28,29,30,31,32]. Fortino et al. summarized and discussed main trust concepts, including behavior trust, reputation, honesty, and accuracy [26].

As we mentioned, telemedicine is implemented in public networks, so privacy preservation is one of notable security issues, which has caught researchers’ attention. Mishra et al. [33] and Renuka et al. [34] utilized a biometric feature to design authentication schemes for telemedicine systems. Zriqat and Altamimi discussed issues through data collection, data transmission, and data storage and access level [12]. Dharminder et al. discussed authorized access to healthcare services [35]. Zhang et al. [36], Zhang et al. [37], and Sureshkumar et al. [38] designed authentication and key agreement for telemedicine system. Baker et al. [8], Guo et al. [39], and Anwar et al. [11] focused on telemedicine using IoT, blockchain, and 5G technology and proposed framework or scheme. In summary, three keys to the question must be solved for assuring telemedicine environments. First, image storage should be highly efficient. Second, transmitting sensitive image should satisfy confidence, integrity, and accessibility. Finally, encryption progress should be efficient, especially for the end-point.

3. Proposed Scheme

In the proposed system, there are i users and j servers. User $U_i$ can use a smartcard or a smart token to log in to whichever server $S_j$ user $U_i$ wishes to access, as shown in Figure 2. The proposed scheme includes four phases—system initialization phase, registration phase, authenticated key exchange phase, and offline password change phase. In the system initialization phase, Server $S_j$ generates essential parameters and functions for the whole scheme. User $U_i$ becomes a legitimate member in the system through the registration phase. In the authenticated key exchange phase, User $U_i$ and server $S_j$ authenticate each other and establish a session key for symmetric encryption for communication and transmitted measured biodata. The proposed scheme provides offline password change phase such that user $U_i$ can change the password periodically, without the participation of server $S_j$. Notations are defined in

Table 1. Notations of the proposed scheme.

Notations	Definitions
${\mathit{ID}}_{\mathit{i}}$	Identity of user $U_i$.
${\mathit{SID}}_j$	Identity of server $S_j$.
⊕	Exclusive OR (XOR) operation.
H(.)	Collision-resistant one-way hash function.
$\mathit{PWi}$	Password of user $U_i$.
$x_{S_j}$	Secret value of server $S_j$.
k	Encryption/decryption key k.
$E_k$(.)/$D_k$(.)	A symmetric encryption/decryption algorithm with secret key k.
x, $\mathit{yi}$, $\rho i$	Random numbers.
$h_k$(.)	Collision-resistance secure one-way chaotic hash function.
USB	Portable USB device.
$\mathit{sj}$	Server $S_j$’s new chaotic random number.

.

3.1. Preliminary

We briefly introduce Chebyshev chaotic maps in this section. The chaotic system has properties that can correspond to the cryptosystem’s properties. First, the result is unpredictable if small changes in initial values occur [40,41,42]. Second, the chaotic system is a complex oscillation [40,41,42]. Third, the chaotic system shows qualitative change of character of solutions [40,41,42]. The above features can correspond to confusion and diffusion of the cryptosystem, which was discussed for decades [24,40,41,42,43,44,45,46,47,48,49,50]. Mathematical definitions of the Chebyshev chaotic maps are introduced as below [24,46,47,48,49,50].

• Polynomials of Chebyshev chaotic maps $T_n\left(x\right): \left[-1,1]\to \right[-1,1]$ is formed as $T_n{\left(x\right)=\mathit{cos}(\mathit{ncos}}^{-1}\left(x\right))$ in x of degree n.
• If $n \ge 2$, polynomials of the Chebyshev chaotic maps is formed as $T_n{\left(x\right)=2\mathit{xT}}_{n-1}{\left(x\right)-T}_{n-2}\left(x\right)$. However, results of the Chebyshev chaotic maps are 1 and x when n is 0 and 1, respectively.
• If $(s, r) \in Z$ and $s\in [-1,1]$, $T_r{(T}_s{\left(x\right))=T}_{\mathit{rs}}{\left(x\right)=T}_s{(T}_r\left(x\right))$, which is the so-called semi-group property.
• Zhang [51] proved that semi-group property can hold if Chebyshev polynomials are extended on interval $[-\infty ,+\infty ]$. In the situation, polynomials of Chebyshev chaotic maps become $T_n{\left(x\right)=(2\mathit{xT}}_{n-1}{\left(x\right)-T}_{n-2}\left(x\right)) \mathrm{mod} N$ where $n \ge 2$, $x\in (-\infty ,+\infty )$, and N is a large prime number, and $T_r{(T}_s{\left(x\right)) \mathrm{mod} N=T}_{\mathit{rs}}{\left(x\right) \mathrm{mod} N=T}_s{(T}_r\left(x\right)) \mathrm{mod} N$.
• Even only with the knowledge of x and y, n is computationally infeasible to be obtained such that $T_n\left(x\right) \mathrm{mod} N=y$, which is the so-called Chaotic maps-based discrete logarithm problem (CMDLP).
• Even only with the knowledge of (x $T_r\left(x\right) \mathrm{mod} N$, $T_s\left(x\right) \mathrm{mod} N$), $T_{\mathit{rs}}\left(x\right) \mathrm{mod} N$ is computationally infeasible to be obtained, which is the so-called Chaotic maps-based Diffie-Hellman problem (CMDHP).

The proposed scheme applies the extended Chebyshev chaotic maps, which satisfies the above definitions.

3.2. System Initialization Phase

User $U_i$ sets up smartcard by entering an identifier and password in the system initialization phase. Server $S_j$ sets up the system’s parameters by performing the following steps.

Step 1.

Server $S_j$ generates a secret value $x_{S_j}$, a big prime p, and a random number $x \in (-\infty ,+\infty )$.

Step 2.

Server $S_j$ choses a symmetric encryption algorithm $E_k(.)$, a symmetric decryption algorithm $D_k(.)$, a collision-resistance one-way hash function H(.), and a collision-resistance secure one-way chaotic hash function $h_k$(.).

3.3. Registration Phase

User $U_i$ and server $S_j$ perform the following steps to complete the registration phase to become a legitimate member, as illustrated in Figure 3.

Step 1.

User $U_i$ enters ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$.

Step 2.

User $U_i$ uses the smartcard to choose a random number $y_i \in { Z}_p^{\ast }.$ After that, smartcard computes (${\alpha }_i,$ $A_i$) as below. Finally, smartcard stores $y_i$ and sends (${\mathit{ID}}_i$, $A_i$) to server $S_j$.

$${\alpha }_i{=T}_{y_i}\left(x\right) \mathrm{mod} p$$

(1)

$$A_i{=h}_{{\alpha }_i}{(\mathit{PW}}_i)\oplus h_{{\alpha }_i}{(y}_i{, \mathit{SID}}_j)$$

(2)

Step 3.

After receiving (${\mathit{ID}}_i$, $A_i$), server $S_j$ computes elements below. Then, server $S_j$ returns ($B_i$, $B_j$) to user $U_i$.

$${\beta }_j{=T}_{x_{S_j}}\left(x\right) \mathrm{mod} p$$

(3)

$$u_i{=h}_{{\beta }_j}{(\mathit{ID}}_i)$$

(4)

$$u_j{=h}_{{\beta }_j}{(\mathit{SID}}_i)$$

(5)

$$B_i{=U}_i\oplus A_i$$

(6)

$$B_j{=U}_j\oplus A_i$$

(7)

Step 4.

Upon receiving ($B_i$, $B_j$), user $U_i$ stores ($B_i$, $B_j$) in USB or smartcard.

3.4. Authenticated Key Exchange Phase

To complete the mutual authentication and session key confirmation and obtain the remote server’s services, user $U_i$, user $U_i$’s smartcard, and a server $S_j$ perform the following steps, as illustrated in Figure 4.

Step 1.

User $U_i$ enters ${\mathit{ID}}_i$ and ${\mathit{PW}}_i$.

Step 2.

Smartcard checks ${\mathit{PW}}_i$, utilizes ($y_i$, x) to compute $A_i$, retrieves ($B_i$, $B_j$) to recover $u_i$, and computes ($K_i$, $R_i$), as below.

$$u_i{=B}_i\oplus A_i$$

(8)

$$K_i{=A}_i\oplus h_{{\alpha }_i}{(y}_i)$$

(9)

$$R_i{=B}_j\oplus h_{{\alpha }_i}{(y}_i)$$

(10)

Step 3.

Smartcard chooses integer ${\rho }_i \in (-\infty ,+\infty )$ and a big prime $N_i$ to compute (${\mu }_i$, $b_i$, $C_i$) as below, and sends ($R_i$, $C_i$, $N_i$) to server $S_j$.

$${\mu }_i{=T}_{y_i}{(\rho }_i{) \mathrm{mod} N}_i$$

(11)

$$b_i{=E}_{u_i}{(N}_i{\left|\right|\mu }_i)$$

(12)

$$C_i{=E}_{K_i}{(\mathit{ID}}_i{, b}_i{, \rho }_i)$$

(13)

Step 4.

After receiving ($R_i$, $C_i$, $N_i$), server $S_j$ computes the equations below. If server $S_j$ can decrypt $b_i$ successfully, server $S_j$ successfully authenticates user $U_i$.

$$K_i{=R}_i\oplus h_{{\beta }_j}({\mathit{SID}}_j)$$

(14)

$${(\mathit{ID}}_i{, b}_i{, \rho }_i{)=D}_{K_i}{(C}_i)$$

(15)

$$u_i{=h}_{{\beta }_j}{(\mathit{ID}}_i)$$

(16)

$${(N}_i{\left|\right|\mu }_i{)=D}_{u_i}{(b}_i)$$

(17)

Step 5.

For establishing a shared session key, server $S_j$ chooses a random number $s_j \in { Z}_p^{\ast }$, utilizes ${\rho }_i$, $N_i$, and ${\mu }_i$ retrieved from Step 4 to compute ${\omega }_j$, $k_{\mathit{ji}}$, and ${\mathit{MAC}}_{S_j}$, and sends $\left({\mathit{MAC}}_{S_j}{, \omega }_j\right)$ to user $U_i$.

$${\omega }_j{=T}_{s_j}{(\rho }_i{) \mathrm{mod} N}_i$$

(18)

$$k_{\mathit{ji}}=H\left(T_{s_j}\right({\mu }_i) {\mathrm{mod} N}_i)$$

(19)

$${\mathit{MAC}}_{S_j}{=h}_{k_{\mathit{ji}}}\left({\mathit{SID}}_j{, \mathit{ID}}_i, {\mu }_i\right)$$

(20)

Step 6.

Upon receiving $\left({\mathit{MAC}}_{S_j}{, \omega }_j\right)$, user $U_i$’s smartcard computes $k_{\mathit{ij}}$ and checks whether ${\mathit{MAC}}_{S_j}$ is correct. If it holds, the mutually shared session key is correct. Then, user U_i’s smartcard computes ${\mathit{MAC}}_{U_i}$ and sends it to server $S_j$.

$$k_{\mathit{ij}}=H(T_{y_i}{(\omega }_j{) \mathrm{mod} N}_i)$$

(21)

$${\mathit{MAC}}_{S_j}{ ?=h}_{k_{\mathit{ji}}}\left({\mathit{SID}}_j{, \mathit{ID}}_i, {\mu }_i\right)$$

(22)

$${\mathit{MAC}}_{U_i}{=h}_{k_{\mathit{ij}}}{(\mathit{ID}}_i{, \mathit{SID}}_j{, \omega }_j)$$

(23)

Step 7.

Upon receiving ${\mathit{MAC}}_{U_i}$, server $S_j$ checks whether ${\mathit{MAC}}_{U_i}$ is correct. If it holds, the shared session key confirmation is complete.

$${\mathit{MAC}}_{U_i}{ ?=h}_{k_{\mathit{ij}}}{(\mathit{ID}}_i{, \mathit{SID}}_j{, \omega }_j)$$

(24)

3.5. Offline Password Change Phase

User $U_i$ and smartcard cooperatively perform the following steps to complete the password changing process, as illustrated in Figure 5.

Step 1.

User $U_i$ enters PIN to start smartcard and inputs old ${\mathit{PW}}_i$ and new ${{\mathit{PW}}^{\prime }}_i$.

Step 2.

Smartcard updates $A_i$ and stores it.

$$A_i{=h}_{{\alpha }_i}{({\mathit{PW}}^{\prime }}_i)\oplus h_{{\alpha }_i}{(\mathit{PW}}_i)\oplus h_{{\alpha }_i}{(y}_i{, \mathit{SID}}_j)$$

(25)

4. Security Analysis

We apply BAN logic [52] and AVISPA tool [53] for formal security proof. We also present informal security proof, which proves that the proposed scheme can achieve some security requirements.

4.1. Formal Security Proof Using BAN Logic

This subsection describes the logical analyses of the proposed scheme by using the logical tool defined by Burrows et al. [52]. The process of proof in this section is similar with some schemes, because these schemes, including the proposed scheme, aim to prove that the principles in schemes can believe the established session keys. The notations used in the BAN logic [52] analysis are defined in

Table 2. Notations of BAN logic [52] used in analyzing the proposed scheme.

Notations	Definitions
P, Q	Principles.
X, Y	Statements.
r, w	Readers (receivers) and writers (senders).
K	Encryption key.
P believes X	P believes X.
P once said X	P once said X.
C(X)	X is transited through communication channel C.
r(C)/w(C)	Readers/writers of C.
P sees C(X)	P sees C(X).
P sees X|C	P sees X via C.
${\left(X\right)}_K$	X is encrypted with the key K.
$P\stackrel{K}{\leftrightarrow }Q$	P and Q establish a secure communication channel using K.

.

4.1.1. Initial Assumptions

Making initial assumptions is necessary for ensuring success of scheme and establishing the foundation of logical proof [52]. Initial assumptions of the proposed scheme are listed below.

• A1. $P\in {r(C}_{P, Q})$: P can read from channel $C_{P, Q}$.
• A2. ${P \mathit{believes} w(C}_{P, Q})=\{P, Q\}$: P believes that P and Q can write on $C_{P, Q}$.
• A3. $P \mathit{believes} Q \mathit{once} \mathit{said} (\Phi \to \Phi )$: P believes that Q only says what it believes.
• A4. ${P \mathit{believes} \#(N}_P)$: P believes that $N_P$ is fresh.
• A5. $P \mathit{believes} ({\stackrel{a}{\to }}_{\mathrm{ECMDH}\left(\mathit{secret}\right)}P)$: P believes that a is P’s extended chaotic maps-based Diffie-Hellman secret [24,49].

4.1.2. Inference Rules

The purpose of inference rules is analyzing belief, which pays attention to beliefs of principals in authentication and key agreement schemes, in order to verify message, freshness, and trustworthiness of origin of scheme [52,54,55,56,57]. We apply the seeing rules, interpretation rules, freshness rules, and the rationality rules for logical proof.

The seeing rules define that if a principle sees a formula, the principle also sees its components with knowing necessary keys. We apply S1 and S2 as below.

• S1. $\frac{P \mathit{sees} C\left(X\right), P\in r\left(C\right)}{P \mathit{believes} (P \mathit{sees} X|C), P \mathit{sees} X}$: If P receives and reads X via C, then P believes that X has arrived on C and P sees X.
• S2. $\frac{P \mathit{sees} C(X, Y)}{P \mathit{sees} X, P \mathit{sees} Y}$: If P sees a hybrid message (X, Y), then P sees X and Y separately.

The interpretation rules define that a principle can believe some hybrid facts by logical reasoning. We apply I1, I2, and I3, as below.

• I1. $\frac{P \mathit{believes} \left(w\right(C)=\{P, Q\left\}\right)}{P \mathit{believes} (P \mathit{sees} X|C)\to Q \mathit{once} \mathit{said} X}$: If P believes that C can only be written by P and Q, then P believes that if P receives X via C, then Q said X.
• I2. $\frac{P \mathit{believes} (Q \mathit{once} \mathit{said} (X, Y\left)\right)}{P \mathit{believes} (Q \mathit{once} \mathit{said} X), P \mathit{believes} (Q \mathit{once} \mathit{said} Y)}$: If P believes that Q said a hybrid message (X, Y), then P believes that Q has said X and Y separately.
• I3. $\frac{P \mathit{believes} ({\stackrel{a}{\to }}_{\mathrm{ECMDH}\left(\mathit{secret}\right)}P), P \mathit{believes} ({\stackrel{T_b\left(x\right) \mathrm{mod} N}{\to }}_{\mathrm{ECMDH}\left(\mathit{public}\right)}Q)}{P \mathit{believes} (P\stackrel{T_{\mathit{ab}}\left(x\right) \mathrm{mod} N}{\leftrightarrow }Q)}$: If P believes that a is P’s extended chaotic maps-based Diffie-Hellman secret and $T_b\left(x\right) \mathrm{mod} N$ is extended chaotic maps-based Diffie-Hellman component from Q, then P believes that $T_{\mathit{ab}}\left(x\right) \mathrm{mod} N$ is symmetric key shared between P and Q.

The freshness rules define that if one part of a formula is fresh, the entire formula must be fresh. We apply F1 and F2 as below.

• F1. $\frac{P \mathit{believes} (Q \mathit{once} \mathit{said} X), P \mathit{believes} \#\left(X\right)}{P \mathit{believes} (Q \mathit{once} \mathit{said} X)}$: If P believes that another Q said X and P also believes that X is fresh, then P believes that Q recently said X.
• F2. $\frac{P \mathit{believes} \#\left(X\right)}{P \mathit{believes} \#(X, Y)}$: If P believes that a part of a mixed message X is fresh, then it believes that the whole message (X, Y) is fresh.

The rationality rules define that a principle can only believe what it believes. We have R1 as below.

• R1. $\frac{{P \mathit{believes} (\Phi }_1\to {\Phi }_2{), P \mathit{believes} \Phi }_1}{{P \mathit{believes} \Phi }_2}$: If P believes that ${\Phi }_1$ implies ${\Phi }_2$ and P believes that ${\Phi }_1$ is true, then P believes that ${\Phi }_2$ is true.

4.1.3. Goals

Goals are what schemes must achieve, and goals are required while designing schemes. The goals of the proposed scheme are listed below.

• Goal 1. $U_i \mathit{believes} (U_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$: User $U_i$ believes that $T_{y_i{s}_j}({\rho }_i) {\mathrm{mod} N}_i$ is a symmetric key shared between participants $U_i$ and $S_j$.
• Goal 2. $S_j \mathit{believes} (U_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$: Server $S_j$ believes that $T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is a symmetric key shared between participants $U_i$ and $S_j$.
• Goal 3. $U_i{ \mathit{believes} S}_j \mathit{believes} (U_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$: User $U_i$ believes that $S_j$ believes $T_{y_i{s}_j}({\rho }_i) {\mathrm{mod} N}_i$ is a symmetric key shared between $U_i$ and $S_j$.
• Goal 4. $S_j{ \mathit{believes} U}_i \mathit{believes} (U_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$: Server $S_j$ believes that $U_i$ believes $T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is a symmetric key shared between $U_i$ and $S_j$.

4.1.4. Proof

The proposed scheme can be normalized as Steps 1 and 2.

Step 1.

$S_j \mathit{sees} ({\stackrel{T_{y_i}({\rho }_i){ \mathrm{mod} N}_i}{\to }}_{\mathrm{ECMDH}\left(\mathit{public}\right)}{U}_i{,C}_{S_j{, U}_i}({\mathit{ID}}_i{\left|\right|b}_i{\left|\right|x}_{i2})K_i{, N}_i)$

Step 2.

$U_i \mathit{sees} ({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECMDH}\left(\mathit{public}\right)}{S}_j{,C}_{U_i{, S}_j}{({\mathit{SID}}_j{, \mathit{ID}}_i{, T}_{y_i}{(\rho }_i{) \mathrm{mod} N}_i)}_{k_{\mathit{ij}}}{, T}_{s_j}{(\rho }_i{) \mathrm{mod} N}_i)$

Equation (26) means user $U_i$ believes that $y_i$ is its extended chaotic maps-based Diffie-Hellman secret. Equation (27) means user $U_i$ believes that $T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i$ is the extended chaotic maps-based Diffie-Hellman component from server $S_j$_. To accomplish Goal 1 (User $U_i$ believes that $k_{\mathit{ij}}{=T}_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is a symmetric key shared between participants user $U_i$ and server $S_j$), Equations (25) and (26) must hold, because of the interpretation rule (I3) and assumption (A5).

$$U_i \mathit{believes} ({\stackrel{y_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{secret}\right)}{U}_i)$$

(26)

$$U_i \mathit{believes} ({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{public}\right)}{S}_j)$$

(27)

The meaning of Equation (28) is described below. The first fact is that server $S_j$ once said that $T_{s_j}$(x) mod p is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$, $({\mathit{SID}}_j{, \mathit{ID}}_i{, T}_{y_i}{(\rho }_i{) \mathrm{mod} N}_i)$ is encrypted by $k_{\mathit{ij}}$ and $T_{s_j}{\left(\rho i\right) \mathrm{mod} N}_i$. The second fact is that server $S_j$ once said that $T_{s_j}$(x) mod p is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$. In Equation (29), user $U_i$ believes that the first fact implies the second fact. Equation (28) means that user $U_i$ believes that server $S_j$ once said that $T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i$ is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$. Next, to accomplish Equation (27), Equations (28) and (29) must hold because of assumption (A3) and the rationality rule (R1).

$$U_i \mathit{believes} (S_j \mathit{once} \mathit{said} ({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{public}\right)}{S}_j{, (\mathit{SID}}_j{, \mathit{ID}}_i{, T}_{y_i}{(\rho }_i{) \mathrm{mod} N}_i)k_{\mathit{ij}}{, T}_{s_j}{(\rho }_i) \mathrm{mod} p)\to ({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{public}\right)}{S}_j))$$

(28)

$$U_i \mathit{believes} (S_j \mathit{once} \mathit{said} ({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{public}\right)}{S}_j))$$

(29)

To accomplish Equation (29), Equation (30) must hold, which means that user $U_i$ believes that $T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i$, which is that the extended chaotic maps-based Diffie-Hellman public component from server $S_j$ is fresh because of freshness rules (F1) and (F2), and assumption (A4).

$$U_i \mathit{believes} \#({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{public}\right)}{S}_j)$$

(30)

Equation (31) means that user $U_i$ can read from the channel $C_{S_j{, U}_i}$. Equation (32) means that user $U_i$ believes that user $U_i$ and server $S_j$ can write messages on channel $C_{S_j{, U}_i}$. Equation (33) means that user U_i sees and believes that $T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i$ is in the channel $C_{S_j{, U}_i}$, which is the extended chaotic maps-based Diffie-Hellman public component from server $S_j$. To accomplish Equation (30), we have Equations (31)–(33) that must hold because of the interpretation rules (I1), the seeing rules (S1), (S2), assumptions (A1) and (A2). By using the interpretation rules (I3), our proposed scheme realizes that Goal 1 is achieved. Similarly, we ensured that the proposed scheme realizes Goal 2 by using the same arguments of Goal 1.

$$U_i\in r(C_{S_j{, U}_i})$$

(31)

$$U_i{ \mathit{believes} \left(w\right(C}_{S_j{, U}_i}{)=\{U}_i{, S}_j\left\}\right)$$

(32)

$$U_i{ \mathit{sees} \mathit{believes} C}_{S_j{, U}_i}({\stackrel{T_{s_j}{(\rho }_i{) \mathrm{mod} N}_i}{\to }}_{\mathrm{ECDHM}\left(\mathit{public}\right)}{S}_j)$$

(33)

The meaning of Equation (34) is described below. The first fact is that server $S_j$ once said that $T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is the symmetric key shared between $U_i$ and $S_j$. The second fact is that server $S_j$ believes that $T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is the symmetric key shared between $U_i$ and $S_j$. In Equation (35), user $U_i$ believes that the first fact implies the second fact. To accomplish the Goal 3, we have Equations (34) and (35), which must hold because of the rationality rule (R1) and assumption (A3).

$$U_i{ \mathit{believes} \left(\right(S}_j{ \mathit{once} \mathit{said} U}_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)\to S_j{ \mathit{believes} (U}_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j\left)\right)$$

(34)

$$U_i{ \mathit{believes} (S}_j{ \mathit{once} \mathit{said} U}_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$$

(35)

Equation (36) means that user $U_i$ believes symmetric key $T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is fresh. To accomplish Equation (35), Equation (36) must hold because of the freshness rules (F1) and (F2) and assumption (A4).

$$U_i{ \mathit{believes} \#(U}_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$$

(36)

Equation (37) means that user $U_i$ sees and believes that $T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i$ is in the channel $C_{S_j{, U}_i}$. To accomplish Equation (36), Equations (31), (32) and (37) must hold because of the interpretation rule (I1), the assumptions (A1) and (A2), and the seeing rules (S1) and (S2). Thus, the proposed scheme realizes that Goal 3 is achieved. Similarly, using the same arguments of Goal 3, the proposed scheme realizes Goal 4.

$$U_i{ \mathit{sees} \mathit{believes} C}_{S_j{, U}_i}{(U}_i\stackrel{T_{y_i{s}_j}{(\rho }_i{) \mathrm{mod} N}_i}{\leftrightarrow }{S}_j)$$

(37)

Therefore, the proposed scheme realizes Goals 1, 2, 3, and 4.

4.2. Formal Security Proof Using AVISPA

Automated validation of internet security protocols and applications (AVISPA) is a high-level language tool for security protocols, and it provides automatic analysis techniques through its back-ends, called on-the-fly model-checker (OFMC), constraint logic based attack searcher (CL-AtSe), SAT-based model-checker (SATMC), and tree automata based on automatic approximations for the analysis of security protocols (TA4SP) [53,58,59,60]. The AVISPA tool executes a simulated protocol through high-level protocol specification language (HLPSL) [61]. We used the AVISPA tool to verify the proposed scheme. The HLPSL specification of user U and server S are shown in Figure 6 and Figure 7, respectively. The session role, environment role, and goals are also specified in HLPSL, shown in Figure 8. Figure 9 shows the results and proves that the proposed scheme is safe.

4.3. Informal Security Proof

We present theoretical analyses that proved that proposed scheme could achieve security requirements.

4.3.1. Preventing MITM Attack

In order to prevent MITM attack, user $U_i$ and server $S_j$ can confirm whether the message is resent, modified, and replaced, by checking information through message authentication codes ${\mathit{MAC}}_{S_j}$ and ${\mathit{MAC}}_{U_i}$. User $U_i$ verifies ${\mathit{MAC}}_{S_j}{=h}_{k_{\mathit{ji}}}{(\mathit{SID}}_j{, \mathit{ID}}_i, {\mu }_i)$ at Step 6, and server $S_j$ verifies ${\mathit{MAC}}_{U_i}{=h}_{k_{\mathit{ij}}}{(\mathit{ID}}_i{, \mathit{SID}}_j{, \omega }_j)$ at Step 7 in the authenticated key exchange phase of the proposed scheme. In this way, the adversary cannot modify message authentication codes ${\mathit{MAC}}_{S_j}$ and ${\mathit{MAC}}_{U_i}$ without session key $k_{\mathit{ij}}$.Thus, the proposed scheme can prevent MITM attack.

4.3.2. Key Confirmation

User $U_i$ can check session key $k_{\mathit{ij}}$ by ${\mathit{MAC}}_{S_j}{ ?=h}_{k_{\mathit{ji}}}{(\mathit{SID}}_j{, \mathit{ID}}_i, {\mu }_i)$, and server $S_j$ can also check session key $k_{\mathit{ji}}$ through ${\mathit{MAC}}_{U_i}{ ?=h}_{k_{\mathit{ij}}}{(\mathit{ID}}_i{, \mathit{SID}}_j{, \omega }_j)$ in the proposed scheme. As a result, the proposed scheme achieves key confirmation.

4.3.3. Preventing Key-Compromise Impersonation and Server Spoofing Attacks

User $U_i$’s random number $y_i$ is stored in a smartcard, which is hard to obtain information. The adversary must have user $U_i$’s smartcard and correct password if they want to impersonate a legitimate user. The number of attempts that a password can be entered is limited; if the number of attempts to enter a password exceeds the allowable number of attempts, the smartcard will get locked. On the other hand, the adversary cannot obtain $K_i$ due to not knowing $x_{S_j}$, and afterwards the process cannot be completed by adversary. As a result, the proposed scheme can prevent key-compromise impersonation and server spoofing attacks.

4.3.4. Mutual Authentication

In the authenticated key exchange phase of the proposed scheme, server $S_j$ encrypts ${(\mathit{SID}}_j{, \mathit{ID}}_i, {\mu }_i)$ from user $U_i$ to message authentication code ${\mathit{MAC}}_{S_j}$ with session key $k_{\mathit{ji}}{=H(T}_{s_j}({\mu }_i) \mathrm{mod} \mathit{Ni})$ and sends ${(\mathit{MAC}}_{S_j}{, \omega }_j)$ to user $U_i$. In Step 6, user $U_i$ uses ${\omega }_j$ from server $S_j$ to obtain session key $k_{\mathit{ij}}$ and verify ${\mathit{MAC}}_{S_j}{=h}_{k_{\mathit{ji}}}{(\mathit{SID}}_j{, \mathit{ID}}_i{, \omega }_j)$. Server $S_j$ verifies message authentication code ${\mathit{MAC}}_{U_i}{=h}_{k_{\mathit{ij}}}{(\mathit{ID}}_i{, \mathit{SID}}_j{, \omega }_j)$ sent by user $U_i$ in Step 7. ${\mathit{MAC}}_{S_j}$ and ${\mathit{MAC}}_{U_i}$ are included in session keys that only two parties of communication have, so only user $U_i$ and server $S_j$ can verify each other.

4.3.5. User Anonymity

User $U_i$’s identity ${\mathit{ID}}_i$ is protected by being encrypted in $C_i{=E}_{K_i}{(\mathit{ID}}_i{, b}_i{, \rho }_i)$ with $K_i$, before being sent. Server $S_j$ must obtain $K_i$ by computing $K_i{=R}_i\oplus h_{{\beta }_j}{(\mathit{SID}}_j)$. The adversary cannot obtain ${\mathit{ID}}_i$ even with $R_i$ and $C_i$ because only server $S_j$ has knowledge of secret $x_{S_j}$. The adversary cannot obtain $K_i$ without $x_{S_j}$ and decrypting $C_i$; thus, the adversary cannot obtain ${\mathit{ID}}_i$. As a result, the proposed scheme provides user anonymity during communication.

4.3.6. Resistant to Bergamo et al.’s Attack

Bergamo et al.’s attack is based on [62]. (i) The adversary is able to obtain related elements (x, ${\rho }_i$, ${\mu }_i$, ${\omega }_j$); and (ii) several Chebyshev polynomials pass through the same point due to periodicity of the cosine function. In the proposed scheme, the adversary is unable to obtain any related elements (x, ${\rho }_i$, ${\mu }_i$, ${\omega }_j$) as these are encrypted in transmitted messages where only user $U_i$ and server $S_j$ can retrieve decryption key. Moreover, the proposed protocol utilizes the extended Chebyshev polynomials, in which the periodicity of the cosine function is avoided by extending the interval of x to $(-\infty ,+\infty )$ [51]. As a result, the proposed scheme can resist the attack proposed by Bergamo et al. [62].

5. Performance Analysis

We present relevant security requirements and computational complexity comparison.

5.1. Comparisons of Security Requirements

Table 3. Comparisons of Security Requirements.

Properties	[63]	[46]	[48]	[64]	[49]	[65]	[38]	Ours
Preventing key-compromise impersonation attack	X	O	X	X	O	O	O	O
Preventing server spoofing attack	X	O	O	O	O	X	X	O
Multi-server environments	X	X	X	X	X	O	O	O
Preventing MITM attack	X	X	O	O	O	X	O	O
Stolen-verification table attack	X	O	O	O	X	X	O	O
Key confirmation	X	X	X	X	X	X	X	O
Preventing clock synchronization problem	O	X	X	O	X	O	X	O
User anonymity	X	X	O	O	O	X	O	O
Preventing denial-of-service (DoS) attack	X	X	X	O	O	X	O	O

shows comparisons of security requirements that were presented in the schemes designed by Wang and Zhao [63], Yoon and Jeon [46], Lin [48], Lin and Zhu [64], Lee et al. [49], Madhusudhan et al. [65], Sureshkumar et al. [38], and us. Wang and Zhao’s [63], Lin’s [48], and Lin and Zhu’s schemes [64] are not secure against key-compromise impersonation attack, since the transmitted messages can be replayed by an adversary. Wang and Zhao’s [63], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38] scheme cannot prevent server spoofing attack. Our scheme is secure against both key-compromise impersonation attack and server spoofing attack. Furthermore, our scheme provides user anonymity, which Wang and Zhao’s [63], Yoon and Jeon’s [46], and Madhusudhan et al.’s [65] scheme do not. Our scheme can also prevent MITM attack, which Wang and Zhao’s [63], Yoon and Jeon’s [46], and Madhusudhan et al.’s [65] scheme cannot. Furthermore, our scheme ensures that users and servers use the same shared key in a session via key confirmation, which is not present in Wang and Zhao’s [63], Yoon and Jeon’s [46], Lin’s [48], Lin and Zhu’s [64], Lee et al.’s [49], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38] scheme. Moreover, our scheme can prevent DoS attacks, which Wang and Zhao’s [63], Yoon and Jeon’s [46], Lin’s [48], and Madhusudhan et al.’s [65] scheme cannot.

5.2. Comparisons of Computational Complexity

We present the computational complexity comparison with Lee et al.’s [49], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38] scheme, as shown in

Table 4. Comparisons of Computational Complexity.

Roles	Lee et al. [49]	Madhusudhan et al. [65]	Sureshkumar et al. [38]	Ours
User	$$\begin{gathered} {3T}_h{+3T}_{\mathit{ch}}{+T}_{\mathit{sym}} \\ \approx {3T}_h{+525T}_h+2.5T_h \\ =530.5T_h \end{gathered}$$	$$\begin{gathered} {8T}_h{+5T}_{\mathit{ch}} \\ \approx {8T}_h{+875T}_h \\ {=883T}_h \end{gathered}$$	$$\begin{gathered} {7T}_h{+5T}_{\mathit{ch}} \\ \approx {7T}_h{+875T}_h \\ {=882T}_h \end{gathered}$$	$$\begin{gathered} {5T}_h{+2T}_{\mathit{ch}}{+2T}_{\mathit{sym}} \\ \approx {5T}_h{+350T}_h{+5T}_h \\ {=360T}_h \end{gathered}$$
Server	$$\begin{gathered} T_h{+3T}_{\mathit{ch}}{+2T}_{\mathit{sym}} \\ \approx T_h{+525T}_h{+5T}_h \\ =531.5T_h \end{gathered}$$	$$\begin{gathered} {5T}_h{+4T}_{\mathit{ch}} \\ \approx {5T}_h{+700T}_h \\ {=705T}_h \end{gathered}$$	$$\begin{gathered} {3T}_h{+2T}_{\mathit{ch}} \\ \approx {3T}_h{+350T}_h \\ {=353T}_h \end{gathered}$$	$$\begin{gathered} {4T}_h{+2T}_{\mathit{ch}}{+2T}_{\mathit{sym}} \\ \approx {4T}_h{+350T}_h{+5T}_h \\ {=359T}_h \end{gathered}$$
Both	${1061T}_h$	1588$T_h$	1235 $T_h$	719 $T_h$

$T_{\mathit{ch}}$: Time for performing a Chebyshev chaotic maps operation; $T_{\mathit{sym}}$: Time for performing a symmetry encryption operation; $T_h$: Time for performing a one-way hash function operation; $T_{\mathit{ch}} \approx$175$T_h$; $T_{\mathit{sym}} \approx$2.5$T_h$.

. We ignore the time taken for computing XOR operations because the value is too low to influence result. Although our scheme needs more one-way hash function operations than Lee et al.’s [49] scheme and more symmetry encryption operations than Lee et al.’s [49], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38] scheme, our scheme allows key confirmation. Even so, our scheme has the less overall computational cost than Lee et al.’s [49], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38] scheme. Users in our scheme can enjoy telemedicine services witha lower computational cost. As a result, our scheme is more efficient than Lee et al.’s [49], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38]. Figure 10 illustrates the computational complexity of the server with varying number of users, and Figure 11 illustrates the computational complexity of user with varying number of servers. The computational complexity of user in Lee et al.’s scheme [49] is related to the number of servers. Computational complexity of user in Madhusudhan et al.’s [65], Sureshkumar et al.’s [38], and the proposed scheme is not related to number of servers, and the proposed scheme shows the least computational complexity among the compared schemes.

6. Implementation

We developed SC-UCSSO system using the proposed scheme, in a multi-function smart token, as shown in Figure 12, which supports the public key infrastructure and the X.509 certificate. A user can insert a smart token to a computer or a laptop and insert the smartcard shown in Figure 13 into a smart token, in order to use the system. Figure 14 and Figure 15 show the registration and login interfaces. Figure 16 shows that the user can login to multiple services, which implies that the proposed system can be used in multi-server environments. The proposed system also provides account checking (Figure 17) to manage the user’s accounts. The user can login to the online telemedicine website using a computer, laptop, smartphone, or any wireless devices that has a webcam with a smart token and a smartcard in synchronous telemedicine scenario. The channel of online video consult between the patient and medical professional is protected by the session key generated by the proposed scheme. In asynchronous telemedicine, the measured biodata is transmitted to a smartphone using Bluetooth, and the user can decide when to send data to the designed server of telemedicine systems. The user logins with smart token and smartcard, before sending data. Transmitted measured data between smartphone and servers would be protected by the session key generated through the proposed scheme. The user has data ownership because the user can control data’s destination and the time of being transmitted. Once data are sent by user, the privacy of user would be protected because the transmission channel is secure with the session key.

7. Discussion

We give a discussion for brief review, real-life scenario, and limitations of this research.

Telemedicine systems work in public networks, where privacy preservation issue of users and sensitive and private transmitted information is important [1]. Security issues related to data transmission are discussed, such as eavesdropping, MITM attack, data tempering attack, message modification attack, data interception attack, etc. [12] Although regulations, such as HIPAA, GDPR, Safe Harbor Laws, etc., were developed, technical support is still not enough [12,13,14]. We proposed an SC-UCSSO for the 5G-IoT telemedicine systems, which can be applied in the 5G-IoT telemedicine multi-server environments. Security of the proposed scheme was proved by BAN logic, AVISPA tool, and theoretical analyses. The proposed scheme achieved general security requirements, such as preventing MITM attack, preventing key-compromise impersonation, and server spoofing attacks, and user anonymity, key confirmation, and mutual authentication. Moreover, the proposed scheme overcomes the drawbacks of the compared previous schemes, such as stolen-verification table attack, clock synchronization problem, and DoS attack, as shown in Table 3 in the previous section. The proposed scheme applies the extended Chebychev chaotic maps that can resist Bergamo et al.’s attack [62]. Performance of the proposed scheme is also compared with Lee et al.’s [49], Madhusudhan et al.’s [65], and Sureshkumar et al.’s [38] scheme by analyzing the computational complexity of each scheme, and the results showed that the proposed scheme was less expensive (719$T_h$) in total than Lee et al.’s [49] (${1061T}_h$), Madhusudhan et al.’s [65] (1588$T_h$), and Sureshkumar et al.’s [38] scheme (1235$T_h$), as shown in Table 4.

We give four possible real-life scenarios of telemedicine systems in 5G-IoT environments that can apply the proposed scheme.

Scenario 1:

Patient inserts smartcard (e.g., health insurance card or smartcard, as in Figure 13) into measurement devices that include a smartcard reader, such as sphygmomanometer or blood-glucose meter, before measuring biodata. Once a patient inserts smartcard, the authenticated key agreement phase of the proposed scheme is activated, and measured biodata can be transmitted securely to server as it is encrypted by the session key.

Scenario 2:

Patient’s wearable healthcare device (e.g., sensors, smart watch, etc.) transmits the measured biodata to the related mobile application (APP) on a smartphone, through data synchronization via Bluetooth, NFC, RFID, etc. If the patient wants to transmit the measured biodata to server, the patient can use a smartphone with a smartcard adopter, such as the smart token in Figure 13. Once a patient inserts the smartcard, the authenticated key agreement phase of proposed scheme is activated, and the measured biodata can be securely transmitted to server as it is encrypted by the session key.

Scenario 3:

Patient’s measured biodata are recorded or stored in storage at home. If the patient wants to transmit the measured biodata to server, the patient can use the smartcard with a reader. Once a patient inserts the smartcard, the authenticated key agreement phase of proposed scheme is activated, and the measured biodata can be transmitted securely to server as it is encrypted by the session key.

Scenario 4:

If a medical professional would like to access the measured biodata on server, the medical professional has to use the smartcard (e.g., healthcare certification IC card [66]) with a reader. Once a medical professional inserts smartcard, the authenticated key agreement phase of proposed scheme is activated, and the measured biodata can be securely transmitted as it is encrypted by the session key.

Scenario 1 to 3 allow the patient to decide the data’s destination and time of transmission.

This research has limitations. We only give a software security analysis, but hardware security and availability are other aspects of security in telemedicine systems, such as electromagnetic interference (EMI), which might affect the functions on wearable devices. Although there are already measurement devices with a smartcard reader on the market, we did not evaluate the hardware’s effects with the proposed scheme. We assumed that the users (patient/medical professional) have a smartcard (health insurance card/ healthcare certification IC card) and proposed a smartcard-based scheme, but authentication could be achieved in many ways, such as three-factor authentication, two-step verification, fast identity online (FIDO), etc., which can be related to works in the future.

8. Conclusions

Telemedicine systems is a multi-functional remote medical service that can help patients in bed in long-distance communication environments [1,2,3,4]. As telemedicine systems work in public networks, privacy preservation issue of sensitive and private transmitted information is important. [1]. We proposed a SC-UCSSO for 5G-IoT telemedicine systems, which could achieve some general security requirements, such as preventing MITM attack, preventing key-compromise impersonation and server spoofing attacks, provide user anonymity, and overcomes the drawbacks of the previous schemes compared herein. The proposed scheme establishes a secure communication channel using the authenticated session keys between patients and services of telemedicine systems, without threats of eavesdrop, impersonation, etc., and allow patient access to multiple telemedicine services, with a pair of identity and password. Formal security analysis using BAN logic [52] and the AVISPA tool [67] was given. We also gave a performance analysis and proved that the proposed scheme is more efficient than previous compared schemes, and computational complexity of the user in proposed scheme was not related to the number of servers. Moreover, the proposed scheme is suitable for asynchronous and synchronous telemedicine, and patients have data ownership because the user can control and decide data’s destination and time of transmission.