Fine-Auth: A Fine-Grained User Authentication and Key Agreement Protocol Based on Physical Unclonable Functions for Wireless Body Area Networks

Abstract

Wireless body area networks (WBANs) can be used to realize the real-time monitoring and transmission of health data concerning the human body based on wireless communication technology. With the transmission of these sensitive health data, security and privacy protection issues have become increasingly prominent. Fine-grained authentication allows physicians to run authentication checks of another specific entity according to their identifying attributes. Hence, it plays a key role in preserving the security and privacy of WBANs. In recent years, substantial research has been carried out on fine-grained authentication. However, these studies have put considerable effort into WBAN performances, resulting in weakened security. This paper proposes a fine-grained user authentication and key agreement protocol based on physical unclonable functions (PUFs) while maintaining robust security and performance. This will allow physicians to perform mutual authentication and obtain key agreements with authorized body area sensor nodes according to their identity parameters, such as occupation type and title. We then provide comprehensive security and heuristic analyses to demonstrate the security of the proposed protocol. Finally, the performance comparison shows that the proposed protocol is more robust in security, cost-effective communication, and computational overheads compared to three leading alternatives.

1. Introduction

Wireless body area networks (WBANs) [1] have been widely used in healthcare as a mature wireless communication technology. By deploying tiny body area sensor nodes and communication devices around the body, medical staff can monitor and transmit physiological parameters and health status data in real time, effectively enhancing people’s quality of life.

As shown in Figure 1, WBANs involve collaboration among medical staff, gateway nodes, and body area sensor nodes (BASNs). Medical staff or physicians are the users and controllers of the system. They obtain the patient’s physiological parameters by communicating with BASNs and performing the operation of diagnosis and treatment. As an intermediate device, the gateway node (GWN) bridges medical staff and BASNs and is responsible for data transmission, forwarding, and coordination. BASNs are equipped to collect patients’ biological data, including heart rate, blood pressure, body temperature, etc., while allowing medical staff to access these data in real time. In addition, BASNs can receive instructions from medical staff to perform corresponding operations as needed. Medical staff can rapidly assess the patient’s physical condition via this network topology model and perform corresponding medical operations.

However, the openness of WBANs communication will undoubtedly lead to illegal network intrusion. If adequate security protection measures for health data involving personal privacy are not implemented, serious consequences will arise, including personal privacy disclosure, data tampering, and unauthorized access [2,3]. Meanwhile, given the different identity authentication requirements for users of different professional levels, it is important to perform personalized authentication according to corresponding levels and permissions to ensure that each user can only access the resources for which they have permission. Naturally, realizing efficient, safe, and credible data transmission and personalized authentication mechanisms in WBANs is essential.

Fine-grained authentication [4] is an authentication technology designed to provide detailed and precise identity verification in order to identify and authorize users in detail according to the users’ unique attributes and permissions. The advantage of this authentication technology is that it can provide a higher level of security and precise control and meet WBANs’ requirements for real-time accuracy and personalization in the authentication process.

This paper aims to provide an efficient and reliable fine-grained authentication solution to ensure the privacy and security of medical data. By carrying out this study, we expect to provide a useful reference and guidance for developing fine-grained authentication technology in order to promote the expansion and application of authentication in WBANs.

1.1. Related Work

In the health field, fine-grained user authentication is an important security measure that aims to ensure that only authorized individuals or entities can gain authentication from other specific entities, maintaining personal privacy and data security. In this section, we summarize existing fine-grained authentication schemes for healthcare systems.

Chatterjee et al. pioneered an attribute-based fine-grained access control scheme to secure communication in the client–server architecture [5]. This groundbreaking scheme utilizes smart cards and biometric authentication for verification purposes. Furthermore, it enables the establishment of session keys to encrypt subsequent communications. However, it is important to highlight that the solution’s communication overheads are relatively substantial, potentially impacting the overall user experience.

Wang et al. [6] introduced an access control with fog computing to achieve a more optimal balance between efficiency and security. This approach is well suited for a range of scenarios, including data storage, directory management, and file organization. However, Singh et al. in [7] reported that the scheme proposed by Wang et al. cannot achieve mutual authentication or resist device impersonation attacks.

Ogundoyin et al. recognized the sensitivity of medical data and consequently introduced a lightweight privacy-preserving authentication and fine-grained access control solution: PAASH [8]. They presented an elliptic curve cryptography (ECC)-based certificateless signature scheme. Simultaneously, they employed attribute-based encryption and signature technology to achieve precise access control. Nevertheless, Benil et al. [9] highlighted that the PAASH fails to counter impersonation, forgery, and modification attacks.

There are also works for securing communication in WBANs. The authors of Ali et al. in [10] offered a robust authentication and access control solution by using expensive bilinear pairing. However, the password of the user can be effectively guessed by the adversary if there is no use of “modulus” operations.

Similarly, one research study [11] designed an E-health-oriented proposal that is relevant to authentication, key agreement, and access control. Furthermore, this study was the first to propose a method of transferring the ownership of patient information from the former physician to the new physician. Before the application of this charming proposal, forward secrecy and three-factor security should be applied.

For the scenario of wireless medical sensor networks, Yao et al. [12] proposed multiple solutions for user–server authentication, patient–server authentication, and user–patient authentication scenarios. However, the password verifier table is stored in the registration center and can face password-guessing attacks, which lead to the exposure of the user’s password.

1.2. Motivations and Contribution

Given the increasing adoption of WBANs in security-critical scenarios, the need to provide a fine-grained three-factor authentication solution increases. However, according to our performance analysis in Section 5, most existing fine-grained user authentication protocols commonly cannot balance security and performance:

• Security: In terms of security, similar approaches exhibit the same security problems to greater and lesser degrees [10,11,12]: for example, the lack of mutual authentication, the inevitable smart card loss attacks, or the failure to provide forward secrecy.
• Performance: From the view of storage, communication, and computation costs, existing solutions still require more resources in order to ensure the functionality of fine-grained authentication. However, WBANs are more resource-constrained than conventional networks, and a tiny body area sensor device cannot run extensive operations according to the published protocols.

Thereupon, we consider a robust and effective fine-grained user authentication scheme that can maintain a good balance between security and performance. The specific contributions of this study are as follows:

• Fine-grained authentication protocol: We design a fine-grained authentication protocol for WBANs. This proposed scheme slows for mutual authentication among users with varying privileges and corresponding authorized BASNs while also facilitating the negotiation of a session key for encrypting subsequent data transmission.
• Complete security analysis: The proposed protocol’s security is rigorously examined via heuristic and provable security analyses, which show that the proposed protocol attains multiple desired security properties and exhibits resilience against all known attacks.
• Performance evaluation: Via a comparative assessment of storage, communication, and computational overheads for the proposed protocol and also other established methods, we show the advantages of the proposed protocol with respect to performance.

2. Preliminaries

In this section, we introduce preliminaries, which include the system model, adversary model, physically unclonable function, fuzzy extractor, and RSA cryptosystem, in order to ease the reader’s understanding of this study.

2.1. System Model

As shown in Figure 2, based on the standard single-gateway model [13], our system model consists of three entities: physicians at different occupational levels (A, B, and C), a gateway node (GWN), and a series of body area sensor nodes (BASNs).

In the registration phase, users and BASNs register at the gateway, which corresponds to the registration process in Figure 2. At the same time, the gateway sets the user’s fine-grained authentication parameters according to the user’s occupation level and type in order to prepare for subsequent fine-grained authentication between users and BASNs. At the end of registration, the physicians (BASNs) retain real-time fine-grained authentication parameters (resp. secret value), and GWN stores the identity of BASNs.

In the login and authentication phase, if the user wants to access the data of some body area sensor nodes, they first need to initiate an authentication request in the gateway, which corresponds to process 1 in Figure 2. Next, the gateway authenticates the user. If authentication is successful, the gateway node sends the user’s request to the BASN, which corresponds to process 2 in Figure 2. After the BASN receives the request, it first verifies the identity of the gateway, and if the authentication passes, it sends the authentication-related parameters to the gateway, which corresponds to process 3. Upon the gateway’s receipt of data from BASN, it first authenticates the BASN and then updates relevant fine-grained authentication parameters according to the user’s occupation; then, it sends the relevant authentication data to the user, which corresponds to process 4. Finally, the user negotiates a consistent session key with BASN via authentication data from the gateway node. The purpose of this phase is to ensure that only legitimate physicians can access the data resources of BASNs.

2.2. Adversary Model

The Dolev–Yao (DY) model, which portrays the capabilities of the adversary, has been widely used in formal and heuristic analyses with respect to the security of authentication protocols [14]. Currently, the latest research [15] has taken this a step further by consolidating adversary capabilities in order to comprehensively evaluate the authentication protocol. In this refined threat model, an adversary 𝒜 possesses six capacities (A-), which are as follows:

• (A-1) $\mathcal{A}$ can intercept, modify, insert, and delete any messages that are being transmitted through the open channel.
• (A-2) $\mathcal{A}$ can systematically enumerate all elements within the Cartesian product of the identity space and password space, which is denoted as $D_{id}\times D_{pw}$.
• (A-3) $\mathcal{A}$ is capable of obtaining previously established session keys between the physician and BASN.
• (A-4) $\mathcal{A}$ possesses the capability to acquire the secret key of the GWN in situations where the system eventually experiences failure.
• (A-5) $\mathcal{A}$ can breach some specific BASNs, extracting sensitive data stored within them. Furthermore, $\mathcal{A}$ can manipulate the compromised BASN so that it can participate in subsequent communications involving the GWN, other users, and body area sensor nodes.
• (A-6) $\mathcal{A}$ could potentially register as either a legitimate user or even the role of the GWN administrator only if the security of the physician’s password is evaluated during the registration phase.
  Carrying out formal and heuristic analyses in Section 4, based on the DY adversary’s capability, we can quantify the advantage of the adversary relative to their ability to bypass semantic security, and via heuristic analyses, we prove that the protocol can resist all kinds of attacks issued by the DY adversary.

2.3. Physical Unclonable Function

The physical unclonable function (PUF) [16] generates an output based on physical characteristics, such as delay, resistance, capacitance, or reflection properties. Since the output of the PUF is based on slight randomness and unevenness in the manufacturing process, it is difficult for an adversary to generate the same response sequence as the original PUF via copying or simulation. Therefore, the PUF has a high degree of security and protection in security systems, and it is widely used to protect sensitive information in cryptographic authentication protocols.

During the registration phase of the authentication protocol, the user or device generates a unique identifier or a unique key $C$ via PUF and stores it securely. In the login phase, PUF generates a response: $R$, $R=PUF\left(C\right)$. Response $R$ is compared with a previously registered identifier or key. If $R$ matches the key, the login can be seen as a success, and the user is allowed to send the authentication request to the GWN. This PUF-based user-authentication mechanism takes advantage of the physical properties and unclonability of the PUF in order to ensure a secure, unique, and difficult-to-forge identity verification process. In the proposed protocol, we use a physical unclonable function $PU{F}_{sum}\left(·\right)$, which configures the embedded trigger sum for the user, where the sum refers to the number of times that the user is allowed to try to use $PU{F}_{sum}\left(·\right)$ in the event that the user forgets the secret key.

2.4. Fuzzy Extractor

The fuzzy extractor [17] is an important concept in cryptography, and it is especially suitable for correcting data inconsistencies caused by noise or changes. In the field of cryptographic authentication, fuzzy extractors are used to deal with the variability and noise that may be present when physical characteristics are collected to ensure authentication.

The fuzzy extractor works by converting irregular physical characteristics into a stable and consistent key or bit string. This stable key can be used for the following authentication. Importantly, the fuzzy extractor allows for the extraction of fixed and verifiable information without compromising the accuracy of physical characteristic identification in order to ensure stability and consistency during the login phase of the authentication protocol.

In this paper, the fuzzy extractor is utilized to mitigate the influence of noise during PUF execution. The system executes the PUF to obtain the $R$, $R=PUF\left(C\right)$ response during the registration process; then, it adds $R$ to the $FE.Gen\left(R\right)=\left(K, hd\right)$ fuzzy extractor and stores the auxiliary string $hd$. During the login phase, the system can execute the PUF to obtain the current $R\prime =PUF\left(C\prime \right)$ response and employ the $hd$ stored in memory to determine $K\prime =FE.Rec\left(R\prime , hd\right)$. If $K\prime$ and $K$ are not equal, this indicates that an unauthorized user attempted to initiate a login request, and the system dismisses this illegal login request.

2.5. RSA Cryptosystem

In the realm of public key cryptography, the RSA cryptosystem [18], founded on the intricacies of the large number factorization problem, is elucidated below. To aid comprehension, an example involving a message sender denoted as $\mathit{S}\mathit{e}\mathit{d}$ who transmits a message $\mathit{m}$ to a message receiver $\mathit{R}\mathit{e}\mathit{v}$ is presented.

Initiation: The message receiver $\mathit{R}\mathit{e}\mathit{v}$ selects two substantial prime numbers $p \mathrm{and} q$. Subsequently, $\mathit{R}\mathit{e}\mathit{v}$ computes $n=p · q$ and Euler’s totient function of $n$, which is denoted as $\phi \left(n\right)=\left(p-1\right)·\left(q-1\right)$. Next, $\mathit{R}\mathit{e}\mathit{v}$ chooses an integer $e$ that satisfies $\gcd \left(e,\phi \left(n\right)\right)=1$. The receiver then computes $d\equiv e^{-1}\left(\mathrm{mod}\phi \left(n\right)\right)$. The outcome is that $\mathit{R}\mathit{e}\mathit{v}$ publicizes the public key $\left(e,n\right)$ while keeping the private key $d$ confidential.

Encryption: The message sender $\mathit{S}\mathit{e}\mathit{d}$ takes the message $m$ and performs an encryption operation $c=m^e \mathrm{mod} n$ using $\mathit{R}\mathit{e}\mathit{v}$’s public key $e$. Consequently, $\mathit{S}\mathit{e}\mathit{d}$ transmits the resultant cipher $c$ to $\mathit{R}\mathit{e}\mathit{v}$.

Decryption: Upon the receipt of the cipher $c$, message receiver $\mathit{R}\mathit{e}\mathit{v}$ employs private key $d$ to decipher the message. This is accomplished via the computation $m=c^d\mathrm{mod} n$.

In Section 3 (i.e., step L2 in the user login phase and step V10 in the authentication and key agreement phase), we provide the detailed method of using RSA to securely transmit secret values.

3. The Proposed Protocol

Aiming at the solving common security and storage problems of authentication protocols in WBANs, we propose a fine-grained user authentication method based on the physical unclonable function (PUF). Specifically, it includes seven phases, namely system initialization, body area sensor node and user registration, user login, authentication and key agreement, password update, and dynamic node addition. To promote the understanding of researchers, some notations used in the proposed protocol are explained in

Table 1. Notations with related descriptions in the proposed protocol.

Notations	Descriptions	Notations	Descriptions
$GWN$	Gateway node	$S_M$	The set of BASN’s identity
$\oplus$	XOR operation	$T_{reg}^{U_i}$	Registration timestamp of $U_i$
$T_c$	Current timestamp	$PI{D}_i$	A pseudo-random identity of $U_i$
$GID$	$GWN’\mathrm{s}$ identity	$f_{U_i}\left(t\right)$	Authorization check polynomial
$\parallel$	Bit concatenation	$\left(I{D}_i,P{W}_i\right)$	The identity and password of $U_i$
$MI{S}_j$	The identity of $M{S}_j$	$FE.REP\left(·\right)$	Fuzzy extraction and recovery function
$h\left(\cdot \right)$	Secure hash function	$A⟹B:M$	The message M is sent from A to B through a secure channel
$U_i$	$i$th user (medical staff)	$A\to B:M$	The message M is sent from A to B through a public channel
$x_j$	The secret value of $M{S}_j$	$PU{F}_{sum}\left(·\right)$	The physically unclonable function with embedded $sum$
$x,y$	$GWN’\mathrm{s}$ long-term key pair	$\Delta T_{auth}^{U_i}$	Time threshold for $U_i$ to be authorized in order to obtain authentication
$M{S}_j$	$j$th body area sensor node	$S_M^{U_i}$	The set of BASN’s identity for $U_i$ to be authorized in order to obtain authentication

.

3.1. System Initialization Phase

In the initialization phase, given a security parameter $n$, the gateway node $GWN$ selects a long-term key pair $x,y\in {\left\{0,1\right\}}^n$ and generates a unique identity GID. Then, $GWN$ saves $\left\{x,y\right\}$ and publicizes identity GID.

3.2. Registration Phase

The registration phase comprises the following: In the terminal of the GWN, the user and BASN need to complete the registration of identity information and receive authentication parameters in order to be ready for future identity authentication and key agreement. Specifically, the registration phase includes the registration of the BASN and users.

3.2.1. Registration Phase of BASN ${\mathrm{MS}}_{\mathrm{j}}$

The registration of $M{S}_j$ includes R11~R13:

R11: $M{S}_j⟹GWN: MI{S}_j$; the $M{S}_j$ transmits identity $MI{S}_j$ to gateway node $GWN$ via a secure channel. Then, gateway $GWN$ collects $MI{S}_j$ and stores it in identity set $S_M=\left\{MI{S}_j\right\}$.

R12: $GWN⟹M{S}_j:\left\{x_j\right\}$; GWN calculates secret value $x_j=h\left(MI{S}_j\parallel x\right)$ for $M{S}_j$ and also returns secret value $x_j$ to $M{S}_j$ via a secure channel.

R13: $M{S}_j$ stores $x_j$ secretly.

Note that the secure channel can be understood here as comprising the user and node devices that are within the same physical space (such as a computer room managed by a hospital administrator); then, the registration and sharing of secret values can be completed in a face-to-face manner.

3.2.2. Registration Phase for User ${\mathrm{U}}_{\mathrm{i}}$

The registration of user $U_i$ includes R21~R23:

• R21: $U_i⟹GWN:\left\{A_0\right\}$; user $U_i$ transmits the calculated $A_0$ to $GWN$ via a secure channel.

Specifically, $U_i$ inputs the $I{D}_i \mathrm{and} P{W}_i$ of their own choice to the personal digital assistant (PDA). The PDA selects a random number $r\in \left[1,n-1\right]$, where $n$ is a system security parameter. Then, PDA calculates the following: hash value $A_0=h\left(I{D}_i\oplus P{W}_i\parallel r\right) \mathrm{mod} n_0$; $n_0$ is a large prime number.

• R22: $GWN⟹U_i:$ {Registration Package (RP)}. The $GWN$ sends a registration package to $U_i$.

After $GWN$ receives information $A_0$ from user $U_i$, it first records the registration timestamp $T_{reg}^{U_i}$, selects a pseudo-random identity $PI{D}_i$, and computes $V_i=h\left(PI{D}_i\parallel x\right) \mathrm{and} A_1=$ $V_i\oplus A_0$. Secondly, $GWN$ determines the body area sensor node identity set $S_M^{U_i}$, which is authorized for the authentication of $U_i$, and binds the authorization check polynomial; the authorized authentication time threshold; and the authorization, authentication, and verification value for user $U_i$, where $S_M^{U_i}$ is a subset of $S_M$, the check polynomial is $f_{U_i}\left(t\right)=h\left(PI{D}_i\oplus x\right)+{\displaystyle \prod }_{MI{S}_j\in S_M^{U_i}}\left(t-h\left(PI{D}_i\oplus MI{S}_j\right)\right)$, the time threshold is $\Delta T_{auth}^{U_i}$, and the authentication verification value is $EI{D}_i=T_{reg}^{U_i}·{\left(h\left(y\parallel PI{D}_i\right)\right)}^{-1}$. Furthermore, $GWN$ uses symmetrical algorithms (e.g., the well-known AES [19]) to generate symmetric ciphertext $F_{U_i}\left(t\right)$ and configures the physically unclonable function $PU{F}_{sum}\left(·\right)$ with embedded trigger $sum$, where $F_{U_i}\left(t\right)=En{c}_{h\left(x\oplus \mathrm{y}\right)}\left[f_{U_i}\left(t\right),\Delta T_{auth}^{U_i},EI{D}_i\right]$, and $sum$ refers to the number of times the user is allowed to try to use $PU{F}_{sum}\left(·\right)$. Here, we set the maximum value to 3 and the initial value to 0. Finally, $GWN$ sends the registration package (RP) to $U_i$, where RP stores parameters $PI{D}_i,PU{F}_{sum}\left(·\right),A_1,S_M^{U_i}, \mathrm{and} F_{U_i}\left(t\right)$.

• R23: After $U_i$ receives RP, $U_i$ updates $A_1$ and calculates $A_2$ as follows: At first, $U_i$ inputs $I{D}_i \mathrm{and} P{W}_i$ to PDA, and PDA computes $V_i=$ $A_0\oplus A_1 \mathrm{and} V_{ii}=PU{F}_{sum}\left(P{W}_i\right)$. PDA then uses $FE.GEN\left(·\right)$ to compute the following: $\left(k_i,k_{ii}\right)=FE.GEN\left(V_{ii}\right)$, $A_2=h\left(V_i\parallel k_i\parallel S_M^{U_i}\right) \mathrm{mod} n_0$. After that, PDA updates secret value $A_1=V_i\parallel S_M^{U_i}\parallel k_{ii}\oplus h\left(I{D}_i\parallel V_{ii}\right)$. Finally, PDA stores a series of values: $〈PI{D}_i,A_1,A_2,PU{F}_{sum}\left(·\right),F_{U_i}\left(t\right)〉$.

During registration, the gateway node no longer issues smart cards to users, thereby avoiding offline password-guessing attacks, which result from smart card loss attacks. At the same time, the periodicity of modulo calculations makes it impossible for the adversary to guess passwords effectively in order to protect password security. Meanwhile, the gateway needs to encrypt these fine-grained authentication parameters to prevent users from tampering with them. Additionally, to ease the understanding of readers, Figure 3 summarizes the registration operation of the user and BASN.

3.3. Login Phase

In the login phase, the user needs to be verified via the PDA. Upon the PDA’s authentication of the user identity’s legitimacy, the user can log in via the PDA successfully; then, the PDA generates an authentication request for some specific BASN. Furthermore, the PDA transmits this authentication request to the GWN. The login phase includes three steps from L1 to L3:

L1: Firstly, $U_i$ enters the identity and password $\left(I{D}_i^{*},P{W}_i^{*}\right)$. Secondly, PDA uses the physically unclonable function $PU{F}_{sum}\left(·\right)$ to verify the user’s identity. Specifically, PDA computes $V_{ii}^{*}=PU{F}_{sum}\left(P{W}_i^{*}\right),V_i^{*}\parallel S_M^{U_i\ast }\parallel k_{ii}{}^{*}=h\left(I{D}_i^{*}\parallel V_{ii}^{*}\right)\oplus A_1,k_i{}^{*}=FE.REP\left(V_{ii}^{*},k_{ii}{}^{*}\right),$ and $A_2^{*}=h\left(V_i^{*}\parallel k_i^{*}\parallel S_M^{U_i\ast }\right) \mathrm{mod} n_0$. Thirdly, PDA compares whether $A_2{}^{*}$ is equal to $A_2$; if $A_2{}^{*}$=$A_2$, the user’s identity can be verified. Then, it proceeds to step L2 to continue the execution; otherwise, $PU{F}_{sum}\left(·\right)$ will add 1 to the value of $sum$ automatically when the user tries to enter another $\left(I{D}_i^{*},P{W}_i^{*}\right)$ again for the login. If the value exceeds the preset maximum value, the session will be terminated, and the user’s account will be frozen until $U_i$ re-registers.

L2: PDA runs a 1024-bit RSA cryptosystem to generate public key $e_i$ and private key $d_i$ for $U_i$, and PDA keeps $d_i$ secret. Then, the PDA selects a random number $r_u\in \left[1,n-1\right]$; chooses the identity of $M{S}_j$, which the user wants to acquire; extracts the timestamp $T_1$; and calculates the following parameters: $B_1=h\left(V_i\right)\oplus \left(h\left(r_u\parallel T_1\right)\parallel e_i\parallel S_M^{U_i}\right)$ and $B_2=h\left(PI{D}_i\parallel MI{S}_j\parallel h\left(r_u\parallel T_1\right)\parallel e_i\parallel S_M^{U_i}\right)$, where $e_i$ is the public key of $U_i$.

L3: $U_i\to GWN: \left\{F_{U_i}\left(t\right),PI{D}_i,MI{S}_j,B_1,B_2,T_1\right\}$. PDA sends the requested information to $GWN$ in a public channel.

3.4. Authentication and Key Agreement Phase

In the authentication and key agreement phase, three entities (i.e., user, GWN, and BASN) first verify the identity of the communicating party when communicating with each other. At the same time, $U_i$ and $M{S}_j$ can negotiate a consistent session key. This phase includes ten steps from V1 to V10:

V1: Upon $GWN$’s receipt of the requested information by user $U_i$, it first extracts the current timestamp $T_c$ and checks whether the time gap between $T_c$ and $T_1$ is less than time threshold $\Delta T$. If not, $GWN$ directly discards the request information; if so, $GWN$ decrypts $F_{U_i}\left(t\right)$ and obtains $\left[f_{U_i}^{*}\left(t\right),\Delta T_{auth}^{U_i\ast },EI{D}_i^{*}\right]$.

Then, $GWN$ verifies whether $U_i$ is authorized to obtain authentication with $M{S}_j$, for which its identity is $MI{S}_j$. $GWN$ calculates $f_{U_i}^{*}\left(h\left(PI{D}_i\oplus MI{S}_j\right)\right)$ and $h\left(PI{D}_i\oplus x\right)$ and checks whether the two values are equal. If so, $GWN$ further judges whether $EI{D}_i^{*}$ belongs to case (a), case (b), or case (c):

(a)

$EI{D}_i^{*}·h\left(y\parallel PI{D}_i\right)=h\left(PI{D}_i\parallel y\right);$

(b)

$\left|T_c-EI{D}_i^{*}·h\left(y\parallel PI{D}_i\right)\right|>\Delta T_{auth}^{U_i\ast };$

(c)

$\left|T_c-EI{D}_i^{*}·h\left(y\parallel PI{D}_i\right)\right|\le \Delta T_{auth}^{U_i\ast }$.

If it belongs to case (a), this means that $U_i$ does not have authentication authority with respect to $M{S}_j$; if it belongs to case (b), this means that the authentication authority of $U_i$ exceeds the time threshold for $U_i$ to be authorized; if it belongs to case (c), this means that the body area sensor node $M{S}_j$ that $U_i$ wants to access can be authorized for authentication within a valid period of time. $GWN$ further computes $V_i^{*}=h\left(PI{D}_i\parallel x\right),$ $h\left(r_u^{*}\parallel T_1\right)\parallel e_i^{*}\parallel S_M^{U_{i\ast }}=B_1\oplus h\left(V_i^{*}\right),$ and $B_2^{*}=h\left(PI{D}_i\parallel MI{S}_j^{*}\parallel h\left(r_u^{*}\parallel T_1\right)\parallel e_i^{*}\parallel S_M^{U_{i\ast }}\right)$. Finally, $GWN$ compares $B_2^{*}$ and $B_2$. If they are equal, i.e., $h\left(r_u^{*}\parallel T_1\right)=h\left(r_u\parallel T_1\right) \mathrm{and} e_i^{*}=e_i,S_M^{U_{i\ast }}=S_M^{U_i}$, this means that $U_i$ can be validated, and the operation proceeds to step V2; otherwise, $GWN$ terminates this session.

V2: $GWN$ selects random number $r_g\in \left[1,n-1\right]$, extracts the current timestamp $T_2$, and computes the following: $x_j=h\left(MI{S}_j\parallel x\right),B_3=h\left(x_j\parallel MI{S}_j\right)\oplus \left(r_g\parallel h\left(r_u\parallel T_1\right)\right),B_4=\left(e_i\parallel h\left(V_i\parallel EI{D}_i\right)\right)\oplus h\left(x_j\parallel r_g\right)$, and $B_5=h\left(h\left(r_u\parallel T_1\right)\parallel r_g\parallel x_j\parallel h\left(V_i\parallel EI{D}_i\right)\parallel T_2\right)$.

V3: $GWN\to M{S}_j: \left\{B_3,B_4,B_5,T_2\right\}$. $GWN$ sends $\left\{B_3,B_4,B_5,T_2\right\}$ to the body area sensor node $M{S}_j$.

V4: $M{S}_j$ firstly extracts timestamp $T_c$ and checks whether the time gap between $T_c$ and $T_2$ is less than time threshold $\Delta T$. If so, $M{S}_j$ recovers $r_g^{*},h\left(r_u^{*}\parallel T_1\right),e_i^{*},h\left(V_i^{*}\parallel EI{D}_i^{*}\right):r_g^{*}\parallel h\left(r_u^{*}\parallel T_1\right)=B_3\oplus h\left(x_j\parallel MI{S}_j\right),\mathrm{and} e_i^{*}\parallel h\left(V_i^{*}\parallel EI{D}_i^{*}\right)=B_4\oplus h\left(x_j\parallel r_g^{*}\right)$. At the same time, $M{S}_j$ computes $B_5^{*}=h\left(h\left(r_u^{*}\parallel T_1\right)\parallel r_g^{*}\parallel x_j\parallel h\left(V_i^{*}\parallel EI{D}_i^{*}\right)\parallel T_2\right)$ and compares the value of $B_5^{*}$ and $B_5$. If the two values are equal, $GWN’\mathrm{s}$ identity is verified, and $M{S}_j$ proceeds to step V5; otherwise, $M{S}_j$ terminates this session.

V5: $M{S}_j$ selects random number $r_s\in \left[1,n-1\right]$, extracts timestamp $T_3$, and computes $r_s^{\prime }={\left(r_s\right)}^{e_i}$ via the RSA algorithm: $SK=h\left(h\left(r_u\parallel T_1\right)\parallel r_s\parallel h\left(V_i\parallel EI{D}_i\right)\right)$, $B_6=MI{S}_j\oplus h\left(r_g\right),B_7=r_s^{\prime }\parallel h\left(SK\parallel r_g\right)\oplus x_j,B_8=h\left(r_s^{\prime }\parallel h\left(SK\parallel r_g\right)\parallel x_j\right)\parallel T_3), \mathrm{and} B_9=h\left(SK\parallel r_g\right)\oplus x_j\oplus h\left(r_s^{\prime }\parallel SK\right)$, where $B_6,B_7,B_8, \mathrm{and} B_9$ represent the intermediate parameters, and $SK$ represents the session key of $M{S}_j$ and $U_i$.

V6: $M{S}_j\to GWN: \left\{B_6,B_7,B_8,B_9,T_3\right\}$. $M{S}_j$ sends information $B_6,B_7,B_8,B_9, \mathrm{and} T_3$ to $GWN$.

V7: $GWN$ firstly checks the validity of the timestamp. Next, $GWN$ uses the secret value $r_g$ to compute $x_j^{*},{r^{\prime }}_s^{*}$: $MI{S}_j^{*}=B_6\oplus h\left(r_g\right),x_j^{*}=h\left(MI{S}_j^{*}\parallel x\right),{r^{\prime }}_s^{*}\parallel h\left(S{K}^{*}\parallel r_g^{*}\right)=B_7\oplus x_j^{*}, \mathrm{and} B_8^{*}=h\left({r^{\prime }}_s^{*}\parallel h\left(S{K}^{*}\parallel r_g^{*}\right)\parallel x_j^{*}\right)\parallel T_3)$. Then, $GWN$ checks the consistency of $B_8^{*}$ and $B_8$. If the two values are equal, $GWN$ executes step V8; otherwise, it terminates this communication.

V8: $GWN$ computes $h\left(r_s^{\prime }\parallel SK\right)=B_9\oplus h\left(SK\parallel r_g\right)\oplus x_j$ and updates the parameters as follows:

$GWN$ updates the new pseudo-random identity $PI{D}_i^{new}$ for $U_i$;

$GWN$ updates $V_i^{new}=h\left(PI{D}_i^{new}\parallel x\right)$;

$GWN$ updates the authorization verification value $EI{D}_i^{new}$, the authorized authentication time threshold $\Delta T_{auth}^{U_i}{}^{new}$, and the authorized authentication body area sensor node identity set $S_M^{{U_i}^{new}}$. Specifically, if the authentication authority of $U_i$ needs to be revoked, then $GWN$ computes $EI{D}_i^{new}=h\left(PI{D}_i^{new}\parallel y\right)·{\left(h\left(y\parallel PI{D}_i^{new}\right)\right)}^{-1}$ and sets ${\Delta T_{auth}^{U_i\ast }}^{new}=\mathrm{null},f_{U_i}^{new}\left(t\right)=\mathrm{null},\mathrm{and} S_M^{{U_i}^{new}}=\mathrm{null}$; otherwise, $GWN$ computes $EI{D}_i^{new}={\left(h\left(y\parallel PI{D}_i^{new}\right)\right)}^{-1}·T_c$, updates ${\Delta T_{auth}^{U_i\ast }}^{new}$, and further updates the authorized authentication identity set $S_M^{{U_i}^{new}}$ according to situations (d), (e), (f), and (g):

(d)

If there is no change in the identity set of the body area sensor node, then ${S_M^{U_i}}^{new}=S_M^{U_i}$.

(e)

If there is a newly added identity set $S_M^{add}$ with respect to the body area sensor node, then ${S_M^{U_i}}^{new}=S_M^{U_i}+S_M^{add}$.

(f)

If identity set $S_M^{del}$ is removed from the body area sensor node, then ${S_M^{U_i}}^{new}=S_M^{U_i}-S_M^{del}$.

(g)

If cases (e) and (f) occur simultaneously, then ${S_M^{U_i}}^{new}=S_M^{U_i}-S_M^{del}+S_M^{add}$.

$GWN$ updates the value of $f_{U_i}^{new}\left(t\right)$, where $f_{U_i}^{new}\left(t\right)=h\left(PI{D}_i^{new}\oplus x\right)+{\displaystyle \prod }_{MI{S}_j\in {S_M^{U_i}}^{new}}\left(t-h\left(PI{D}_i\oplus MI{S}_j\right)\right)$.

$GWN$ updates $F_{U_i}^{new}\left(t\right)=En{c}_{h\left(x\oplus \mathrm{y}\right)}\left[f_{U_i}^{new}\left(t\right),{\Delta T_{auth}^{U_i}}^{new},EI{D}_i^{new}\right]$.

$GWN$ computes $B_{10}=\left(V_i^{new}\parallel {S_M^{U_i}}^{new}\parallel h\left(V_i\parallel EI{D}_i\right)\right)\oplus V_i \mathrm{and} B_{11}=PI{D}_i^{new}\parallel r_s^{\prime }\oplus h(V_i^{new}\parallel h\left(r_u\parallel T_1)\right)$ and further computes $B_{12}=h\left(V_i^{new}\parallel h\left(r_s^{\prime }\parallel SK\right)\parallel {S_M^{U_i}}^{new}\right)$.

V9: $GWN\to U_i:\left\{F_{U_i}^{new}\left(t\right),B_{10},B_{11},B_{12}\right\}$; $GWN$ sends related information $F_{U_i}^{new}\left(t\right),B_{10},B_{11},B_{12}$ to $U_i$.

V10: $U_i$ uses $V_i$ to recover $V_i^{new\ast } \mathrm{and} {S_M^{U_i}}^{new\ast },h\left(V_i^{*}\parallel EI{D}_i^{*}\right)$, i.e., $(V_i^{new\ast }\parallel {S_M^{U_i}}^{new\ast }\parallel h\left(V_i^{*}\parallel EI{D}_i^{*}\right)=B_{10}\oplus V_i$. Then, $U_i$ uses private key $d_i$ and then computes $PI{D}_i^{new\ast }\parallel {r^{\prime }}_s^{*}=B_{11}\oplus h\left(V_i^{new\ast }\parallel h\left(r_u\parallel T_1\right)\right),r_s^{*}={\left({r^{\prime }}_s^{*}\right)}^{d_i},S{K}^{*}=h\left(h\left(r_u\parallel T_1\right)\parallel r_s^{*}\parallel h\left(V_i^{*}\parallel EI{D}_i^{*}\right)\right)$, and $B_{12}^{*}=h(V_i^{new\ast }\parallel h\left({r^{\prime }}_s^{*}\parallel S{K}^{*}\right)\parallel {S_M^{U_i}}^{new\ast })$. If $B_{12}^{*}$ equals $B_{12}$, $U_i$ accepts session key $SK$ and completes the authentication; otherwise, $U_i$ rejects the session key. After accepting the session key, the PDA computes parameters $A_1^{new}=\left(V_i^{new}\parallel {S_M^{U_i}}^{new}\right)\oplus h\left(I{D}_i\oplus P{W}_i\right) \mathrm{and} A_2^{new}=h\left(V_i^{new}\parallel k_i\parallel {S_M^{U_i}}^{new}\right)\mathrm{mod} n_0$. Finally, the PDA updates the value from $\left\{PI{D}_i,A_1,A_2,F_{U_i}\left(t\right)\right\}$ to $\{PI{D}_i^{new},A_1^{new},A_2^{new},F_{U_i}^{new}\left(t\right)\}$. Additionally, Figure 4 summarizes the login, authentication, and key agreement operations of the user and BASN.

3.5. Password Update Phase

$U_i$ can update the password by following steps U1~U2 below without interacting with $GWN$:

U1: At first, $U_i$ enters $\left(I{D}_i^{*},P{W}_i^{*}\right)$. PDA then uses $PU{F}_{sum}\left(·\right)$ to verify the identity of $U_i$. Specifically, PDA computes $V_{ii}^{*}=PU{F}_{sum}\left(P{W}_i^{*}\right),V_i^{*}\parallel S_M^{U_i\ast }\parallel k_{ii}{}^{*}=h\left(I{D}_i^{*}\parallel V_{ii}^{*}\right)\oplus A_1,k_i{}^{*}=FE.REP\left(V_{ii}^{*},k_{ii}{}^{*}\right), \mathrm{and} A_2^{*}=h\left(V_i^{*}\parallel k_i^{*}\parallel S_M^{U_i\ast }\right) \mathrm{mod} n_0$. If $A_2{}^{*}$ is equal to $A_2$, PDA continues to run step U2; otherwise, this session is terminated.

U2: Via the new password $P{W}_i^{new}$, which is chosen by $U_i$, the PDA computes the new parameters: $V_{ii}^{new}=PUF\left(P{W}_i^{new}\right),\left(k_i^{new},k_{ii}^{new}\right)=FE.GEN\left(V_{ii}^{new}\right)$, $A_1^{new}=V_i\parallel S_M^{U_i}\parallel k_{ii}^{new}\oplus h\left(I{D}_i\parallel V_{ii}^{new}\right)$, and $A_2^{new}=h\left(V_i\parallel k_i^{new}\parallel S_M^{U_i}\right) \mathrm{mod} n_0$. Finally, the PDA updates the value of $\left\{A_1,A_2\right\}$ to $\left\{A_1^{new},A_2^{new}\right\}$.

3.6. Dynamic Increase in Sensor Nodes

In order to adapt or meet the continuous medical needs of WBANs, the addition of new body area sensor nodes is undoubtedly necessary. When a new body area sensor node $S_t$ joins WBANs, $S_t$ only needs to initiate a registration request as in Section 3.2.1. After $S_t$ is successfully registered, $GWN$ broadcasts $S_t’\mathrm{s}$ identity $SI{D}_t$ and stores $SI{D}_t$ in identity set $S_M$.

4. Security Analysis of the Proposed Protocol

In this section, we carry out the security analysis of the protocol, which includes formal security and heuristic security analyses. Given the DY adversary’s capabilities, via formal security analysis, we can demonstrate that the adversary does not have a significant and strong advantage with respect to breaking the semantic security of the session key in our protocol. Then, via heuristic analysis, one can observe that the proposed protocol not only fulfills the desired attributes but also demonstrates resilience against a multitude of known attacks [20,21].

4.1. Formal Security Proof

Formal security analysis is an effective method for demonstrating the semantic security of the proposed protocol. It employs formal mathematical techniques to prove whether the proposed protocol satisfies the desired security properties within a specific security model. In this type of analysis, the initial step involves defining a formal model that describes participants, furthering the DY adversary’s capabilities. Subsequently, security properties need to be precisely defined. Lastly, the desired security properties are proven to be satisfied within the defined security model via mathematical, logical deduction.

4.1.1. Basis for Security Proof

In this study, three primary participants within our protocol $\mathit{P}$ are identified as follows: a physician denoted as $U_i$, a gateway node referred to as $GWN$, and a body area sensor node labeled as $M{S}_j$. Before initiating the simulation, the simulator selects the RSA cryptosystem, employing two large prime numbers $p$ and $q$ with equal bit lengths, i.e., $\left|p\right|=\left|q\right|=n$. Subsequently, $U_i$ selects a set of personal information $\left\{I{D}_i,P{W}_i\right\}$. Simultaneously, $GWN$ generates a long-term key pair $\left\{x,y\right\}$, and $M{S}_j$ owns an identity–secret key pair $\left\{MI{S}_j,x_j\right\}$.

During the proof process, three entities will instantiate $U_i,GWN$, and $MI{S}_j$, with their respective instances denoted as ${\mathsf{\Pi }}_{u_i}^u,{\mathsf{\Pi }}_{GWN}^g$, and ${\mathsf{\Pi }}_{M{S}_j}^m$. For the sake of simplicity, these instances can collectively be marked as ${\mathsf{\Pi }}^t$ when distinguishing them is unnecessary. Moreover, each instance is treated as an oracle. This implies that if a message input is valid, invalid, or null, the oracle’s state accordingly is an acceptance, rejection, or “$\perp$”, respectively, where “$\perp$” indicates that there is no response to the input.

Subsequently, we introduce certain terms that are pertinent to this proof:

Accepted State: An instance ${\mathsf{\Pi }}^t$ reaches an accepted state upon receiving the final expected protocol message. Notably, the ordered concatenation of all exchanged messages (both sent and then received) shapes the session identifier for the current session of ${\mathsf{\Pi }}^t$.

Partnering: Instances ${\mathsf{\Pi }}^{t_1}$ and ${\mathsf{\Pi }}^{t_2}$ are considered partnered if they simultaneously meet the following criteria: (a) both are in an accepted state, (b) mutual authentication has occurred, and they share an identical session identifier.

Adversary: In this context, adversary $\mathcal{A}$ can interact solely with honest entities by initiating query oracles and controlling the simulator. $\mathcal{A}$ aims to compromise the security of authentication messages and re-construct the session key within protocol $\mathit{P}$. The queries that $\mathcal{A}$ can launch include the following:

-

Execute (${\mathsf{\Pi }}_{u_i}^u,{\mathsf{\Pi }}_{GWN}^g,{\mathsf{\Pi }}_{M{S}_j}^m$): This query allows $\mathcal{A}$ to simulate the entire authentication process and access exchanged messages between $U_i,GWN$, and $M{S}_j$.

-

Send (${\mathsf{\Pi }}^t,m$): $\mathcal{A}$ can send message $m$ and conduct an active attack on instance ${\mathsf{\Pi }}^t$. If $l$ is valid and ${\mathsf{\Pi }}^t$ has received $m$, the simulator responds to $\mathcal{A}$ with the computation of $m$; otherwise, this query is terminated.

-

Reveal (${\mathsf{\Pi }}^t$): This query results in revealing the session key calculated by ${\mathsf{\Pi }}^t$ and its partner to adversary $\mathcal{A}$.

-

Corrupt (${\mathsf{\Pi }}_{u_i}^u,\mathsf{\alpha }$): In this query, $\mathcal{A}$ can obtain authentication factors associated with $U_i$ based on value $\alpha$. Specifically, the oracle exposes the password to $\mathcal{A}$ when $\alpha =0$ and exposes the data stored in the registration package to $\mathcal{A}$ when $\alpha =1$.

-

Corrupt (${\mathsf{\Pi }}_{GWN}^g$): In this query, $\mathcal{A}$ can gain access to the long-term key $x$ possessed by $GWN$.

-

Corrupt (${\mathsf{\Pi }}_{M{S}_j}^m$): This query enables $\mathcal{A}$ to obtain the secret value of $M{S}_j$.

Freshness: An instance of ${\mathsf{\Pi }}_{u_i}^u$, ${\mathsf{\Pi }}_{GWN}^g$, or ${\mathsf{\Pi }}_{M{S}_j}^m$ is deemed fresh if the session key between $U_i$ and $M{S}_j$ remains undisclosed to $\mathcal{A}$ via the aforementioned reveal query.

Test (${\mathsf{\Pi }}^t$): This query assesses the semantic security of session key $SK$. In this query, $\mathcal{A}$ can make only one inquiry. Considering protocol $\mathit{P}$, instance ${\mathsf{\Pi }}^t$ can only either be ${\mathsf{\Pi }}_{u_i}^u$ or ${\mathsf{\Pi }}_{M{S}_j}^m$. Formally, if test $\left({\mathsf{\Pi }}^t\right)$ has been queried before, the query outputs “$\perp$” (null). Otherwise, the oracle flips an unbiased coin $b$. If $b=1$, test (${\mathsf{\Pi }}^t$) provides the real session key to $\mathcal{A}$; if $b=0$, test (${\mathsf{\Pi }}^t$) yields a random string with the same length as the real session key and sends it to $\mathcal{A}$.

Semantic Security: Given a protocol $\mathit{P}$, probabilistic polynomial time (PPT) adversary $\mathcal{A}$ requests new instances for a series of queries, including execute query, send query, corrupt query, and test query. $\mathcal{A}$ endeavors to compromise protocol $\mathit{P}$ by guessing the value of $b$ in the test query and returns a guessed value $b^{*}$. Let $\mathrm{Succ}\left(\mathcal{A}\right)$ denote $\mathcal{A}$’s successful guess of $b^{*}$ as $b$, i.e., $b^{*}=b$. Then, the advantage of $\mathcal{A}$ successfully breaking the semantic security of protocol $\mathit{P}$ concerning the session key is defined as $Ad{v}_{\mathcal{A}}^{\mathit{P}}=2\mathrm{Pr}\left[\mathrm{Succ}\left(\mathcal{A}\right)\right]-1$.

4.1.2. Security Proof

In this section, we set up a total of eight games to simulate the semantic security of the adversary’s ability to break the session key from different perspectives. Among these simulated games, the only difference is that the latter game provides more information to the adversary; the former and latter games are indistinguishable to the adversary. In each game, the simulator responds to queries from the adversary, who, in turn, obtains different information to increase their advantage of interfering with semantic security. Finally, based on the advantage of the adversary in each game, the total advantage of the adversary in interfering with the semantic security of the session key can be quantified.

Theorem 1.

Let $\mathit{P}$ be the proposed protocol, $\left|\mathcal{D}\right|$ be the space of password, and $n$ be the system’s security parameter. Then, PPT adversary $\mathcal{A}$ breaks $\mathit{P}$ with a negligible advantage $Ad{v}_{\mathcal{A}}^{\mathit{P},\mathcal{D}}$ by making a series of queries, including $q_e$ execute query, $q_s$ send query, $q_h$ hash query, and $q_p$ PUF query, where $Ad{v}_{\mathcal{A}}^{\mathit{P},\mathcal{D}}$ encounters the following.

$$Ad{v}_{\mathcal{A}}^{\mathit{P},\mathcal{D}}\le \frac{q_h^2+6q_s}{2^{l_1}}+\frac{{\left(q_s+q_e\right)}^2}{p}+\frac{q_p^2+2q_p}{2^{l_2}}+2\left(C^{\prime }{q}_{send}^{s^{\prime }}+Ad{v}_{\mathcal{A}}^{RSA}\left(n\right)\right)$$

Proof. 

We now demonstrate and prove that the adversary’s advantage in breaking the semantic security of the session key is factually negligible due to the involvement of $Gam{\mathbf{e}}_{\mathbf{1}}$ with $Gam{e}_{\mathbf{8}}$. $Suc{c}_i$ is set to be the event during which $\mathcal{A}$ guesses $b$ in the test query of $Gam{e}_k \mathrm{successfully},\mathrm{where} k=1,2,\cdots ,8$.

$Gam{e}_{\mathbf{1}}$: This game simulates a real attack by a random oracle. Bit $b$ is then randomly chosen at the beginning of this game. Thus, we obtain the following:

$$Ad{v}_{\mathcal{A}}^{P,\mathcal{D}}=2\mathrm{Pr}\left[Suc{c}_1\right]-1$$

(1)

$Gam{e}_{\mathbf{2}}$: This game shapes hash list ${\Omega }_h$. For example, $\mathcal{A}$ initiates a hash query $h\left(\gamma \right)$ and hash oracle ${\Theta }_h$ takes $\gamma$ to retrieve ${\Omega }_h$. If there is a retrieved hash value, $h\left(\gamma \right)$, in ${\Omega }_h$, ${\Theta }_h$ responds to the hash value. Otherwise, a random string $\psi$ will be sent to $\mathcal{A}$; meanwhile, $\left(\gamma ,\psi \right)$ is stored in ${\Omega }_h$.

Using the known list in this game, $\mathcal{A}$ performs a test query to distinguish the real session key and the random string. Factually, given $SK=h\left(h\left(r_u\parallel T_1\right)\parallel r_s\parallel h\left(V_i\parallel EI{D}_i\right)\right)$, only secret values including $U_i$’s $r_u,V_i$, and $M{S}_j$’s $r_s$ essentially comprise $SK$. Hence, $\mathcal{A}$ has no way of computing $SK$ and cannot distinguish whether $b=0$ or $b=1$ other than making guesses.

Thus, compared to $Gam{e}_{\mathbf{1}}$, $\mathcal{A}$’s chance of winning this game does not empower $\mathcal{A}$’s advantage.

$$\mathrm{Pr}\left[Suc{c}_2\right]=\mathrm{Pr}\left[Suc{c}_1\right]$$

(2)

$Gam{e}_{\mathbf{3}}$: In this game, the active attack is modeled based on $Gam{e}_{\mathbf{2}}$. $\mathcal{A}$ can execute the send query and hash query to try to persuade a participant to accept a forged message. Thus, $\mathcal{A}$’s advantage may be enhanced by finding the collision that generates a valid message compared with $Gam{e}_{\mathbf{1}/\mathbf{2}}$. That is, if the following collisions occur, this game is aborted:

(i)

A collision can be found in the hash values or PUF’s outputs, and the probability is $\frac{q_h^2}{2^{l_1+1}}$ or $\frac{q_p^2}{2^{l_2+1}}$, where $l_1$ and $l_2$ denote the length of output by the hash function and PUF, respectively.

(ii)

Another collision that can be found is relative to the choice of random numbers $r_u,r_g, \mathrm{and} r_s$, where the probability is $\frac{{\left(q_s+q_e\right)}^2}{2p}$.

Thus, we have the following:

$$\left|\mathrm{Pr}\left[Suc{c}_3\right]-\mathrm{Pr}\left[Suc{c}_2\right]\right|\le \frac{q_h^2}{2^{l_1+1}}+\frac{q_p^2}{2^{l_2+1}}+\frac{{\left(q_s+q_e\right)}^2}{2p}$$

(3)

$Gam{e}_{\mathbf{4}}$: In this game, $\mathcal{A}$ desires to guess $B_2,B_5,B_8, \mathrm{and} B_{12}$ without asking the hash query.

We can obtain:

$$\left|\mathrm{Pr}\left[Suc{c}_4\right]-\mathrm{Pr}\left[Suc{c}_3\right]\right|\le \frac{q_s}{2^{l_1}}$$

(4)

$Gam{e}_{\mathbf{5}}$: In this game, $\mathcal{A}$ tries to guess $A_2$ without asking the hash query. Similarly, we can obtain the following:

$$\left|\mathrm{Pr}\left[Suc{c}_5\right]-\mathrm{Pr}\left[Suc{c}_4\right]\right|\le \frac{q_s}{2^{l_1}}$$

(5)

$Gam{e}_{\mathbf{6}}$: In this game, via the corrupt $\left({\mathsf{\Pi }}_{u_i}^u,\alpha \right)$ query, $\mathcal{A}$ computes $A_2$. There are two cases we need to consider:

• Case 1, i.e., corrupt $\left({\mathsf{\Pi }}_{u_i}^u,\alpha =0\right)$: with respect to “fuzzy keywords + honeywords”, the probability that $\mathcal{A}$ guesses a physician’s password is no greater than $C^{\prime }{q}_{send}^{s^{\prime }}$ [22,23,24];
• Case 2, i.e., corrupt $\left({\mathsf{\Pi }}_{u_i}^u,\alpha =1\right)$: the probability that $\mathcal{A}$ guesses the values of $A_2$ is less than $\frac{q_s}{2^{l_1}}$.

Therefore, we obtain the following:

$$\left|\mathrm{Pr}\left[Suc{c}_6\right]-\mathrm{Pr}\left[Suc{c}_5\right]\right|\le C^{\prime }{q}_{send}^{s^{\prime }}+\frac{q_s}{2^{l_1}}$$

(6)

$Gam{e}_{\mathbf{7}}$: In this game, $\mathcal{A}$ initiates a corrupt (${\mathsf{\Pi }}_{M{S}_j}^m$) query to compromise body area sensor node $M{S}_j$, and then $\mathcal{A}$ further obtains secret values $x_j$ and $r_s^{\prime }$. However, $\mathcal{A}$ cannot obtain $r_s$ from $r_s^{\prime }$ since there is no PPT solution for solving the difficulty of the large number factorization problem [18].

Therefore, we can yield the following:

$$\left|\mathrm{Pr}\left[Suc{c}_7\right]-\mathrm{Pr}\left[Suc{c}_6\right]\right|\le Ad{v}_{\mathcal{A}}^{RSA}\left(n\right)$$

(7)

$Gam{e}_{\mathbf{8}}$: This game simulates the attack where $\mathcal{A}$ tries to calculate the session key, which means that $\mathcal{A}$ no longer queries the oracle’s execute query, send query, and corrupt query. However, similarly to the analysis in $Gam{e}_{\mathbf{7}}$, $\mathcal{A}$ cannot compute $r_s$ from $r_s^{\prime }$. In other words, $\mathcal{A}$’s advantage in this game is equal to the advantage in $Gam{e}_{\mathbf{7}}$. Thus, we can have the following:

$$\mathrm{Pr}\left[Suc{c}_8\right]=\mathrm{Pr}\left[Suc{c}_7\right]$$

(8)

Ultimately, we can observe that $\mathcal{A}$ has no un-negligible advantage greater than $\frac{1}{2}$; thus, $\mathrm{Pr}\left[Suc{c}_8\right]=\frac{1}{2}$.

From Equation (1) to Equation (8) and with respect to the triangular inequality, we yield the following:

$$\begin{gathered} Ad{v}_{\mathcal{A}}^{\mathit{P},\mathcal{D}}=2\mathrm{Pr}\left[Suc{c}_1\right]-1=2\mathrm{Pr}\left[Suc{c}_8\right]-1+2\left(\mathrm{Pr}\left[Suc{c}_1\right]-\mathrm{Pr}\left[Suc{c}_8\right]\right)\le \\ \frac{q_h^2+6q_s}{2^{l_1}}+\frac{{\left(q_s+q_e\right)}^2}{p}+\frac{q_p^2}{2^{l_2}}+2\left(C^{\prime }{q}_{send}^{s^{\prime }}+Ad{v}_{\mathcal{A}}^{RSA}\left(n\right)\right) \end{gathered}$$

In sum, we can conclude that adversary $\mathcal{A}$ does not have a significant and strong advantage, $Ad{v}_{\mathcal{A}}^{\mathit{P},\mathcal{D}}$, in breaking the semantic security of the session key in our protocol. □

4.2. Heuristic Analysis

The heuristic method [25,26] eschews the use of intricate formulas, making it remarkably straightforward. This approach proves to be both highly efficient and uncomplicated, enabling a succinct yet all-encompassing security analysis of the scheme. In this section, via the heuristic analysis, one can observe that our solution not only fulfills the desired attributes but also demonstrates resilience against a multitude of known attacks.

4.2.1. Mutual Authentication

The proposed scheme can attain mutual authentication since $U_i$ and $GWN$ authenticate each other bidirectionally by checking if $B_2^{*}=B_2$ and $B_{12}^{*}=B_{12}$, respectively. Similarly, with $M{S}_j$ checking whether $B_5^{*}=B_5$ and $GWN$ verifying that $B_8^{*}=B_8$, $GWN$ and $M{S}_j$ can authenticate each other successfully.

4.2.2. Session Key Agreement

The session key agreement means that no one can solely pre-compute the session key without interacting with another entity. Factually, in the proposed protocol, $SK=h\left(h\left(r_u\parallel T_1\right)\parallel r_s\parallel h(V_i\parallel EI{D}_i)\right)$ contains an indispensable part from $U_i$ (secret parameter $r_u$) and $M{S}_j$ (secret parameter $r_s$); thus, our scheme meets this well-defined attribute.

4.2.3. Forward Secrecy

Forward secrecy holds if the past built session keys are still secure on the condition that the long-term secret holds; i.e., $GWN$’s $x$ is corrupted. As a matter of fact, suppose the following: the adversary knows $x$, they can obtain $PI{D}_i$ from the open channel and then compute $V_i=h\left(PI{D}_i\parallel x\right)$, and they can obtain $h\left(r_u\parallel T_1\right)$. However, an important consideration is that they cannot retrieve $r_s$ due to the difficulty of large number factorization in RSA [18]. That is, we can retain forward secrecy.

4.2.4. User Anonymity

User anonymity mainly comprises user identity protection, which prevents the adversary from obtaining the user’s identity, and user un-traceability, which guarantees that the adversary cannot decide upon who the communicating user is, nor does it allow them to distinguish whether two instances of data interaction are from the same communicating user.

For the first form of identity protection, on the one hand, during the registration phase, $U_i$ only submits $A_0$ to $GWN$; thus, it cannot directly extract identity information for the adversary even if $GWN$ could be destroyed. On the other hand, $PI{D}_i$ cannot be used to deduce the identity of the user during the authentication phase; thus, the adversary cannot capture the user’s identity, $I{D}_i$. As for the un-traceability of another user, the randomness of $PI{D}_i$ breaks the statistical property, which effectively confuses the adversary in determining whether two sessions are from the same communicating user.

4.2.5. Password-Guessing Attack

In this attack, the adversary tries to guess the password via the physical unclonable function (PUF), in which the PUF generates an inherently unclonable output for a given input. That is, the adversary prepares a guessed password $P{W}_i^{gue}$; then, the PDA computes $A_2^{gue}$ using the same operations as in the login phase. Even if $A_2^{gue}$ may be equal to $A_2$, “fuzzy keywords + honey words”, by inducing the modulus operation, cannot help the adversary in determining whether the guessed password is correct.

4.2.6. Body Area Sensor Node Impersonation Attack

This attack [25] gives the adversary, i.e., the legitimate inside user, an opportunity: The user could obtain the body area sensor node’s secret key $x_j$ and create a faulty session key for the new physician. However, this attack makes no sense in our scheme. Factually, this adversary cannot extract this secret $x_j$ from $B_7,B_8, \mathrm{and} B_9$ because they do not possess the secret value $r_g$ of $GWN$. Therefore, the proposed protocol resists sensor node impersonation attacks.

4.2.7. De-Synchronization Attack

Generally, after the session key is established, $U_i, GWN, \mathrm{and} M{S}_j$ have no need to update any parameters; thus, the de-synchronization attack is impossible. In our proposed protocol, $U_i$ needs to update the parameters for the next authentication. Then, $U_i$ checks whether $B_{12}^{*}$ is equal to $B_{12}$. Luckily, the checking operation can detect this attack in a timely manner. That is, the occasion in which $B_{12}^{*}\ne B_{12}$ holds implies that this attack interferes with the normal update of parameters, and the user only asks $GWN$ to run the update operation of $B_{12}$ again.

4.2.8. Replay Attack

The replay attack comprises the following: the adversary usually sends old messages to pass the verification of entities and re-computes the session key. However, in each session, $U_i$, $GWN$, and $M{S}_j$ choose random numbers $r$, $r_u, r_g$, and $r_s$, respectively, to ensure the freshness and independence of exchanged messages. As a result, the adversary can neither calculate the correct session key based on the replayed message nor can they pass the authentication of $U_i$.

4.2.9. Privileged Insider Attack

In order to prevent the adversary (even corrupted $GWN$) from using privileged insider attacks and extracting the identity information of legitimate users during the registration phase, $U_i$ only submits $A_0 \left(A_0=h\left(I{D}_i\oplus P{W}_i\parallel r\right) \mathrm{mod} n_0\right)$, which encapsulates $I{D}_i$ relative to $GWN$, rather than bare string $I{D}_i$, and the adversary cannot obtain the real $I{D}_i$.

4.2.10. Node Capture Attack

Even if it is possible to assume that the adversary has the node’s secret $x_j$ value and retrieve $r_g$ and $e_i,h\left(r_u\parallel T_1\right),h\left(V_i\parallel EI{D}_i\right)$, this adversary cannot re-calculate session key $SK$ unless they can effectively solve the difficulty of large number factorization in RSA [18] in obtaining another important value $r_s$.

4.2.11. Denial of Service (DoS) Attack

In the proposed scheme, even if the adversary may render BASN unavailable by replaying old messages $B_3,B_4,B_5, \mathrm{and} T_2$ repeatedly, BASN firstly verifies whether the time gap meets $\left|T_c-T_2\right|>\Delta T$ or not. If it does, BASN directly terminates this session. Furthermore, even if the adversary updates timestamp $T_2$ to obtain $\left|T_c-T_2\right|<\Delta T$, BASN also ignores this session due to the following verification failure of value $B_5$, where $B_5$ can only be derived by the original timestamp. Thus, the denial-of-service (DoS) attack cannot succeed. Similarly, the terminal of $GWN$ does not suffer from this DoS attack.

4.2.12. Man-in-the-Middle (MITM) Attack

In our scheme, we suppose that the adversary [26] listens and blocks the user’s login message $F_{U_i}\left(t\right), PI{D}_i,MI{S}_j, B_1,B_2, \mathrm{and} T_1$ and response messages $F_{U_i}^{new}\left(t\right), B_{10},B_{11}, \mathrm{and} B_{12}$ from $GWN$. To issue a man-in-the-middle (MITM) attack, the adversary must create a flow of new login and response messages or replay old messages. As discussed above, the proposed protocol can resist impersonation and replay attacks. That is, the adversary cannot be authenticated by both the user and the gateway. Hence, the proposed scheme can be used against MITM attacks.

5. Summary Comparisons: Functionality and Performance

In this section, we begin by introducing the criteria designed for the assessment of authentication protocols in Section 5.1. Subsequently, in Section 5.2, we conduct a comparative analysis between our proposed protocol and alternative approaches to determine their alignment with the security prerequisites outlined in Section 5.1. Lastly, in Section 5.3, we provide a comparison with regard to storage, communication overheads, and computational overheads.

5.1. Security Evaluation Criteria

Over the years, Wang et al. [15,22,27] conducted in-depth studies on the security criteria of authentication protocols. Based on their studies, we summarize 10 criteria for fine-grained authentication protocols, as shown in

Table 2. Criteria for evaluating authentication schemes.

Notation	Description	Notation	Description
$E{C}_1$	User anonymity and un-traceability	$E{C}_6$	Key agreement provision
$E{C}_2$	Sound repairability	$E{C}_7$	Mutual authentication
$E{C}_3$	Password exposure is avoidable	$E{C}_8$	Resist known attacks
$E{C}_4$	Password friendly	$E{C}_9$	Forward secrecy
$E{C}_5$	No password verifiers in GWN	$E{C}_{10}$	No smart card loss attack

. Additionally, $E{C}_8$ states that password-guessing, privileged insider, de-synchronization, replay, stolen verifier, node impersonation, node capture, and DoS attacks cannot be effectively initiated by the adversary.

5.2. Functionality Comparison

The comparative outcomes of our proposed protocol with respect to other protocols in [10,11,12] are displayed in

Table 3. Functionality comparison among relevant AKA protocols.

Protocols	Ref.	Evaluation Criteria
		$\mathbf{E}{\mathbf{C}}_1$	$\mathbf{E}{\mathbf{C}}_2$	$\mathbf{E}{\mathbf{C}}_3$	$\mathbf{E}{\mathbf{C}}_4$	$\mathbf{E}{\mathbf{C}}_5$	$\mathbf{E}{\mathbf{C}}_6$	$\mathbf{E}{\mathbf{C}}_7$	$\mathbf{E}{\mathbf{C}}_8$	$\mathbf{E}{\mathbf{C}}_9$	$\mathbf{E}{\mathbf{C}}_{10}$
Ali et al.	[10]	✔	✔	✔	✔	✔	✔	✔	🗴	✔	✔
Aghili et al.	[11]	✔	✔	✔	✔	✔	✔	🗴	🗴	🗴	✔
Yao et al.	[12]	🗴	✔	✔	✔	🗴	✔	🗴	🗴	✔	🗴
Ours	---	✔	✔	✔	✔	✔	✔	✔	✔	✔	✔

. From our analyses, we can observe that the protocol presented in [10] is vulnerable to the verifier loss attack, resulting in an inability to achieve $E{C}_8$.

The protocol shown in [11] falls short of achieving $E{C}_7$, $E{C}_8$, and $E{C}_9$. Specifically, neither the physician nor the sensor node can authenticate the gateway, aligning with $E{C}_7$. Also, the protocol of [11] is susceptible to user impersonation attacks, which is in line with $E{C}_8$. Additionally, it falters in attaining forward security, corresponding to $E{C}_9$.

For the protocol in [12], the server or GWN in [12] retains many more password-related parameters, which threatens the security of passwords ($E{C}_5$). As for $E{C}_7$, mutual authentication ($E{C}_7$) cannot be met because the messages do not guarantee that BASN can realize mutual authentication with respect to the GWN. Additionally, the users in [12] directly submit their bare identities to the GWN or the registration center in order to complete the registration phase, and once the gateway is corrupted by the adversary, the anonymity ($E{C}_1$) of the user will not be respected.

Only our proposal fulfills all the stipulated security prerequisites. It is evident that our proposal exhibits resistance against known attacks, enabling the attainment of optimal security and usability objectives. Notably, since no smart card has been used in our proposal, our proposal can meet criterium $E{C}_{10}$ naturally.

5.3. Storage, Communication, and Computation Cost Comparisons

In order to provide a comprehensive evaluation of storage and communication overheads,

Table 4. The lengths of all terms involved in storage and communication costs.

Symbols	Bits	Symbols	Bits
Module ${\mathrm{n}}_0$	32	ECC point $\mathrm{p}$	160
Counter $\mathrm{c}$	32	Hash value $\mathrm{h}$	160
Threshold value t	16	$\mathrm{Secret} \mathrm{key} \mathrm{value} \mathrm{x}$	160
Timestamp $\mathrm{T}$	32	Random/once $\mathrm{r}$	160
User’s/BASN’s identity	128	Symmetric ciphertext size $\mathrm{enc}$	256
BASN’s identity set ${\mathrm{S}}_{\mathrm{M}}/{\mathrm{S}}_{\mathrm{M}}^{{\mathrm{U}}_{\mathrm{i}}}$	32	$\mathrm{Public} \mathrm{reproduction} \mathrm{parameter} {\tau }_{\mathrm{i}}$	128

provides reasonable reference lengths for all components.

Simultaneously, to ascertain computational costs during the login and verification phases, we executed the RSA algorithm with a key length of 1024 bits on a 12th-generation intel core i7–12700 H with 16 G memory; we report that the elapsed time with respect to 1024-bit RSA modular exponentiation is 0.63 ms. For other cryptographic functions, based on the results from [10,11,12,28,29], the time required for the SHA-1 hash function is 0.00069 ms [28], the PUF function requires 0.43 ms [29], and symmetric encryption/decryption and the bio-hash function demand 0.1303 ms and 0.01 ms, respectively [11]. ECC point multiplication requires 0.0018 ms [12], and the fuzzy extractor function and bilinear pairing require 2.226 ms and 5.811 ms, respectively [10].

Then, we provide

Table 5. Storage, communication, and computation costs in the login and authentication phase.

Schemes	Ref.	Storage Cost: Bits			Communication Cost: Bit			Computation Cost: ms
		${\mathit{U}}_{\mathit{i}}$	$\mathit{G}\mathit{W}\mathit{N}$	$\mathit{B}\mathit{A}\mathit{S}\mathit{N}$	${\mathit{U}}_{\mathit{i}}$	$\mathit{G}\mathit{W}\mathit{N}$	$\mathit{B}\mathit{A}\mathit{S}\mathit{N}$	${\mathit{U}}_{\mathit{i}}$	$\mathit{G}\mathit{W}\mathit{N}$	$\mathit{B}\mathit{A}\mathit{S}\mathit{N}$
Ali et al.	[10]	1328	288	2336	1056	800	1280	10.27	0.005	5.81
Aghili et al.	[11]	1057	322	128	1408	1856	352	0.16	0.14	0.003
Yao et al.	[12]	576	288	1024	1888	3488	2144	0.03	0.03	0.90
Ours	---	864	352	160	1920	3616	1664	3.28	0.20	0.64

, which presents a comparative analysis covering the storage, communication, and computational overheads consumed in all compared schemes.

In our protocol, our total storage overhead is the smallest at 1376 bits, and the storage overhead of Ali et al. [10] is the largest at 3952 bits. The storage overhead of each scheme increases in the order of 1376 bits, 1507 bits, 1888 bits, and 3952 bits. Moreover, our proposal has obvious advantages in terms of storage overheads. As for communication overheads, the user, GWN, and BASN costs are 1920 bits, 3616 bits, and 1664 bits, respectively, with corresponding computation times of 3.28 ms, 0.20 ms, and 0.64 ms. It is evident that our solution boasts the lowest cumulative storage overhead compared to [10,11,12]. Simultaneously, the consumed times of the user and BASN in our scheme are 3.28 ms and 0.64 ms, respectively, which can reduce the user’s and BASN’s computation cost by 68.1% and 83.8% compared to the scheme reported in [10].

In summary, our proposal outperforms others in terms of optimal security, superior storage and communication efficiency, and competitively efficient computational overheads. Other schemes, to varying degrees, require improvements in terms of security, communication overheads, or computational overheads.

6. Conclusions

With respect to high-security-requirement WBAN scenarios, we first introduced the authentication model of WBANs. Then, based on the PUFs, we proposed a fine-grained user authentication and key agreement protocol for WBANs. The proposed protocol does not need to allocate smart cards for users, and it can provide fine-grained user authentication and authorization. In the final security and performance analysis, the proposed protocol demonstrates advantages in terms of overall performance, and it is expected to significantly improve the security, efficiency, and availability of user authentication in WBANs. Regarding future studies, we will concentrate on blockchain-based authentication schemes in order to avoid single-point failure in a centralized GWN.