Article
Peer-Review Record

Lightweight Mutual Authentication for Healthcare IoT

Sustainability 2022, 14(20), 13411; https://doi.org/10.3390/su142013411
by I-Te Chen 1,2, Jer-Min Tsai 3, Yin-Tung Chen 1 and Chung-Hong Lee 4,*
Submission received: 9 September 2022 / Revised: 7 October 2022 / Accepted: 12 October 2022 / Published: 18 October 2022

Round 1

Reviewer 1 Report

Greetings,

The arguments in the abstract are not evident in the introduction, as the entire paper focuses on the use of small computers which can be used to run light-weight authentication, such as Raspberry Pi devices as IoT devices.

This introduction is very weak, so it should be improved in order to explain why and how authentication modules can be uploaded on Pi and how IoT devices can provide safety to medical records. The authors choose to use only limited private information about patients, such as physiological signals such as blood pressure, pulse, and electrocardiogram, and provide a rationale as to why the complete data should not be utilized. There is a possibility of using streams of data, so the authors' argument is not proper in this proposal.

Section 2 contains no new information, so the author should provide more details about the preliminaries.

In order to justify the security analysis, readers would like to have a mathematical approach.

Figure 8. The Lightweight Authentication: where are the IoT devices, and what is their role in handling lightweight authentication?

Generally, I have been unable to locate any IoT device which handles personal data (patients) and how it carries out processing. The performance of the application in terms of execution, load, and other relevant parameters is missing.

 

Author Response

Thank you for your review and suggestions. We have rewritten the abstract and strengthened the description of section 1 introduction. In addition, it is not the IoT devices that provide the security of medical records; instead, medical records are currently collected by IoT devices with low computing power. Which physiological data to transmit is decided by both the patient and the hospital; this research mainly discusses adding lightweight authentication between complete authentications to achieve fast authentication.

Therefore, this research proposes to make lightweight authentication with a certain degree of security and fast in IoT devices with low computing power. The lightweight authentication of this research is combined with complete authentication (CP-ABE) as shown in Figure 7. In the first authentication, complete authentication is used, and within a certain period, lightweight authentication is used. This can reduce the burden of IoT devices and achieve fast authentication.

Section 2 is the method that this research will use, especially 2.5.2. Ciphertext-Policy Attribute Based Encryption (CP-ABE) is the algorithm we use directly. Moreover, the lightweight authentication proposed by this research uses a random number generator, so these algorithms are introduced in section 2. This research does need to strengthen the security analysis; thanks to the reviewer for the reminder. Our random numbers are examined using NIST's STS 2.1.2, and we have strengthened the analysis of 5.5. Security analysis of session key. We corrected the narrative of Figure 8. As shown in Figure 8, IDpC1 = Esession key( D1IDp1 || … || D1IDpi || timestampn+1). D1IDp1 || … || D1IDpi are the plaintext of the patient's physiological data. After the timestamp is added to the patient's physiological data, an existing symmetric encryption method such as AES is used to encrypt it as IDpC1.

Reviewer 2 Report

In this paper, the researcher deals with full authentication and light authentication. This study uses feature-based coding as the main framework. It used patient data and timestamp as the basis for the validation random number generators. Experiments have shown that lightweight authentication is faster than full authentication when using a Raspberry Pi. The proposal greatly improved the disadvantage of IoT devices in the lack of computing power.

In this way, the search is acceptable.

Author Response

Thank you for your review and affirmation. We will continue to work hard.

Reviewer 3 Report

1. An abstract is an abbreviation for a paper that can be seen as a small, stand-alone essay. Therefore, the abstract of this paper needs to be improved.

2. The motivation of the work is not well written. More recent results on encryption and decryption should be added.  IEEE TCSVT, 2022, 32(6): 4028-4037; IEEE TCS1, 2022, 69(8): 3320-3327; Information Sciences, 2022, 596: 304-320.

3. There is a lack of comparative analysis in the safety analysis.  Experimental proposals for security comparisons were added to the manuscript.

4. The manuscript claims that the session keys used in the study are virtually impossible to crack. What is the basis for this?

Author Response

Thank you for your review and suggestions. We have rewritten the abstract and added the encryption algorithms you mentioned as references. The session key is used in the existing AES, DPFSM, STFSM, DPFSV-CML and other algorithms; there is a detailed analysis in the above algorithm papers. Furthermore, if the session key is brute-force cracked by Frontier, the fastest computer in the world, it also takes 1.217×10^136 seconds (3.859082*10^128 years). The above descriptions are all corrected in the paper simultaneously.

Round 2

Reviewer 1 Report

Greetings,

My questions have been answered by the authors. As a result, we are able to accept this article.
