Provably Secure PUF-Based Lightweight Mutual Authentication Scheme for Wireless Body Area Networks

Abstract

Wireless body area networks (WBANs) are used in modern medical service environments for the convenience of patients and medical professionals. Owing to the recent COVID-19 pandemic and an aging society, WBANs are attracting attention. In a WBAN environment, the patient has a sensor node attached to him/her that collects patient status information, such as blood pressure, blood glucose, and pulse; this information is simultaneously transmitted to his/her respective medical professional through a gateway. The medical professional receives and checks the patient’s status information and provides a diagnosis. However, sensitive information, including the patient’s personal and status data, are transmitted via a public channel, causing security concerns. If an adversary intercepts this information, it could threaten the patient’s well-being. Therefore, a secure authentication scheme is essential for WBAN environments. Recently, Chen et al. proposed a two-factor authentication scheme for WBANs. However, we found out Chen et al.’s scheme is vulnerable to a privileged insider, physical cloning, verification leakage, impersonation, and session key disclosure attacks. We also propose a secure physical-unclonable-function (PUF)-based lightweight mutual authentication scheme for WBANs. Through informal security analysis, we demonstrate that the proposed scheme using biometrics and the PUF is safe against various security attacks. In addition, we verify the security features of our scheme through formal security analyses using Burrows–Abadi–Needham (BAN) logic, the real-or-random (RoR) model, and the Automated Validation of Internet Security Protocols and Applications (AVISPA). Furthermore, we evaluate the security features, communication costs, and computational costs of our proposed scheme and compare them with those of other related schemes. Consequently, our scheme is more suitable for WBAN environments than the other related schemes.

1. Introduction

Recently, with the increasing number of elderly people in society, the demand for medical services is increasing, owing to the health problems of the aging society [1]. In addition, the emergence and spread of infectious diseases such as COVID-19 has accelerated this demand [2]. Therefore, solving the problem of meeting the supply and demand for healthcare has emerged as a challenge for governments in various countries. Many attempts have been made to use wireless sensor networks (WSNs) to address this problem. Because of sensor miniaturization and improved wireless communication technology, WSNs are widely used in various environments, such as the Industrial Internet of Things [3], smart homes [4], and healthcare [5]. A method was thus proposed that comprises a wireless body area network (WBAN) that incorporates WSNs into the medical field [6]. The WBAN framework includes medical professionals, gateways, and sensor nodes. Through a gateway, a medical professional receives information concerning a patient’s condition from sensors attached to the patient or elderly person’s body [7]. Medical services that use WBANs are more efficient for both medical professionals and patients. Using them, medical professionals can conveniently treat more patients than before, and patients can receive treatment regardless of location. This approach also limited the spread of infectious diseases by reducing contact between medical professionals and patients during the COVID-19 pandemic. Therefore, research on WBANs has been conducted continuously.

In a WBAN, sensitive information, such as patient status and personal information, is transmitted to medical professionals using insecure channels. Thus, an adversary could steal information from these public channels and attempt security breaches, including replay, impersonation, and man-in-the-middle (MITM) attacks [8]. In addition, a medical professional’s mobile device could be stolen, and an adversary could attempt to impersonate the rightful owner using the parameters extracted from the device through power analysis attacks. Furthermore, an adversary could physically capture the sensor node, extract the secret parameters, and impersonate it. If a malicious adversary succeeds in any of the aforementioned attacks and gains sensitive patient information, this may have a significant adverse effect on the patient, such as a misdiagnosis [9]. Therefore, the security of authentication schemes for WBANs is directly related to the well-being of the patient [10].

In 2021, Chen et al. [11] proposed a two-factor authentication scheme for related existing WBAN schemes. They asserted that their scheme, which uses a single hash, is lightweight, heterogeneous, and allows joint operations to prevent various security threats, such as sensor node capture, privileged insider, and stolen verifier attacks. However, we demonstrate that Chen et al.’s scheme cannot resist physical cloning, privileged insiders, verification table leakage, impersonation, and session key disclosure attacks. To overcome the security issues in Chen et al.’s scheme, we designed a secure physical-unclonable-function (PUF)-based three-factor mutual authentication scheme, which we use with a fuzzy extractor [12] to increase security.

1.1. Research Contributions

The contributions of this paper are as follows:

• We review Chen et al.’s scheme to demonstrate that it cannot prevent physical cloning, privileged insider, verification table leakage, impersonation, and session key disclosure attacks.
• We propose a secure PUF-based three-factor mutual authentication scheme to remedy the security vulnerabilities in Chen et al.’s scheme.
• We conducted an informal security analysis to demonstrate that our scheme is secure against various security hazards, including stolen/lost mobile devices, privileged insiders, physical cloning, and stolen verifier attacks.
• We analyzed the security features of the proposed scheme using the well-known Burrows–Abadi–Needham (BAN) logic and real-or-random (RoR) model, which improve the mutual authentication and session key security, respectively. Furthermore, we utilized the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool to prove that the proposed scheme is resistant to replay and man-in-the-middle attacks.
• We evaluated the communication costs, computational costs, and security features of our scheme. Consequently, our scheme provides lower communication and computational costs and higher security levels compared with the existing schemes.

1.2. Organization

In Section 2, we introduce related works for WMSNs. We describe the system model, adversary model, PUF, and fuzzy extractor in Section 3. We provide a review of Chen et al.’s scheme and cryptanalysis of their scheme in Section 4 and Section 5. Then, we propose the secure authentication scheme on WBANs in Section 6. The security and performance analyses of our scheme are shown in Section 7 and Section 8. Lastly, we present the paper’s conclusion in Section 9.

2. Related Works

Various authentication schemes have been proposed for wireless medical sensor networks (WMSNs). Kumar et al. [13] (2012) presented an authentication scheme for healthcare applications using WMSNs. This scheme provides a secure session key establishment between users and medical sensor nodes and allows the users to change their passwords. However, in 2013, He et al. [14] demonstrated that Kumar et al.’s scheme could not withstand attacks such as offline password guessing and privileged insider attacks. In addition, they proved that Kumar et al.’s scheme did not guarantee anonymity. Accordingly, He et al. proposed a more secure scheme and asserted that their scheme is robust against various attacks. Unfortunately, in 2015, Wu et al. [15] demonstrated that He et al.’s scheme was vulnerable to offline password guessing, user impersonation, and sensor node capture attacks. Accordingly, they proposed an authentication scheme using a smart card to store sensitive information from medical professionals, which provides a higher level of security in the WMSN environment. In 2017, Li et al. [16] proposed an anonymous mutual authentication and key agreement scheme for WMSNs using hash operations and XOR operations, which was more efficient than previous related schemes. Unfortunately, in 2020, Gupta et al. [17] demonstrated that Li et al.’s scheme could not prevent intermediate node capture, sensor node impersonation, and hub node impersonation attacks. They also proved that Li et al.’s scheme was vulnerable to linkable sessions and traceability. Therefore, they proposed an authentication scheme in the WBAN environments that overcomes the security vulnerabilities of Li et al.’s scheme. In 2019, Ostad–Sharif et al. [18] proposed an authentication key agreement scheme consisting of three tiers for WBANs. Their scheme ensured anonymity to protect users’ sensitive information. However, in 2020, Alzahrani et al. [19] claimed that Ostad et al.’s scheme is vulnerable to brute-force guessing attacks, and it is possible to compute all previous session keys. Subsequently, they presented an anonymous authenticated key exchange scheme with better security and efficiency to demonstrate the known weaknesses of Ostad et al.’s scheme.

Recently, PUF-based authentication schemes have been proposed for various environments to prevent attacks. In 2018, Mahalat et al. [20] proposed a PUF-based scheme that secures WiFi authentication for Internet of Things (IoT) devices and protects them against invasive, semi-invasive, or tampering attacks. In 2019, Zhu et al. [21] proposed a lightweight RFID mutual authentication scheme using a PUF. Their scheme provides secure authentication between the server and a tag. They asserted that their scheme could prevent clone attacks because a PUF cannot be duplicated. In 2021, Mahmood et al. [22] suggested a mutual authentication and key exchange scheme for multiserver-based device-to-device (D2D) communication. The entire process of Mahmood et al.’s scheme uses only XOR operations and hash functions, and PUF is introduced to protect against physical capture attacks. In the same year, Chuang et al. [23] proposed a PUF-based authenticated key exchange scheme for IoT environments. Their scheme did not require verifiers or explicit challenge–response pairs (CRPs). Therefore, IoT nodes can freely authenticate each other and generate a session key without the assistance of any verifier or server. Kwon et al. [24] proposed a three-factor-based mutual authentication and key agreement scheme with a PUF for WMSNs. They proved that their scheme could protect against physical cloning attacks using a PUF.

In 2020, Fotouhi et al. [25] proposed a two-factor authentication scheme for WBANs and asserted that it was safe against sensor node capture attacks. Unfortunately, in 2021, Chen et al. [11] demonstrated that the aforementioned scheme is vulnerable to sensor node attacks and proposed an improved security-enhanced two-factor authentication scheme for WBANs. However, we discovered that their scheme is insecure against privileged insider attacks, physical cloning attacks, verification table leakage attacks, etc. Therefore, we propose a secure PUF-based lightweight mutual authentication scheme for WBANs that resolves these security issues.

3. Preliminaries

This section introduces the general system model, the threat model, and relevant mathematical preliminaries including the PUF and fuzzy extractor, which can improve our scheme’s security.

3.1. System Model

Figure 1 shows the general system model of a WBAN, which consists of medical professionals such as doctors and nurses, sensor nodes, and a gateway. The details are as follows:

• User ($U_i$): A user who wants to use the WBAN services receives a smart card from the gateway. After registration, the user can receive information from the sensor node attached to the patient’s body.
• Gateway ($G{W}_j$): The gateway acts as a relay that connects patients with medical professionals. The gateway stores the value required for authentication.
• Sensor node ($S{N}_k$): The sensor node must be authenticated by the gateway. The authenticated sensor node is attached to the patient’s body and transmits information to the medical professionals.

3.2. Adversary Model

To analyze the security of the proposed scheme, we applied the widely used Dolev–Yao (DY) adversary model. Under the DY model, a malicious adversary can inject, eavesdrop, modify, or delete messages transmitted using public channels. We also adopted the Canetti and Krawczyk (CK) adversary model to analyze the proposed scheme. The CK model is relatively strong compared with the DY model and is widely used to analyze scheme security. In the CK model, the adversary can intercept a random value and generate the master key of a gateway:

• An adversary can steal a medical professional’s smart device and use a power analysis attack to extract sensitive information inside the cell phone.
• An adversary can obtain a patient’s sensor node and extract important information within the sensor node through a physical cloning attack.
• An adversary can be a privileged insider, so it can also obtain a registration message from medical professionals
• An adversary can perform various attacks, such as password guessing, stolen verifier, and man-in-the-middle attacks.

3.3. Physical Unclonable Function

PUFs are physical circuits that operate using only a one-way function. The PUF circuit uses an input–output bit-string pair termed the “challenge–response pair”. Even if numerous challenges are encountered in a PUF circuit, each has a unique output response. In this paper. We express this process as $R=PUF\left(C\right)$, where R and C are a response and a challenge. The PUF’s properties are as follows:

• The PUF is an unclonable circuit.
• The circuit of the PUF is easy to implement.
• The output of the PUF is unpredictable.
• The output of the PUF depends only on a physical circuit.

If the same challenge is entered into the PUF circuit of the same device, the same output response is printed. However, if a challenge is introduced into the PUF from different devices, different output responses are printed. Thus, the PUF provides a unique one-way function that cannot be replicated. The ability of the PUF to resist replication makes it impossible for adversaries to succeed with various attacks, such as physical cloning attacks.

3.4. Fuzzy Extractor

In this section, the purpose and basic concepts of the fuzzy extractor are discussed. However, biometric information is vulnerable to noise. Therefore, it is difficult to obtain a constant response value. Consequently, before users can utilize their biometrics, the biometric noise must be eliminated, for which we used a fuzzy extractor. The details are given below:

• $Gen\left(Bi{o}_i\right)=<{\sigma }_i,{\tau }_i>$: This algorithm is intended to generate keys using biometric information. It receives biometric information as a parameter and returns the secret key data $R_i$ and a public reproduction $P_i$ as a helper value.
• $Rep(Bi{o}_i^{*},{\tau }_i)={\sigma }_i$: This algorithm is for reproducing secret data $R_i$. The input of this algorithm is biometric information $Bi{o}_i^{*}$ and $P_i$. The algorithm returns the secret key $R_i$ as a result.

4. Review of Chen et al.’s Scheme

In 2021, Chen et al. [11] proposed a two-factor authentication scheme for WBANs. Their scheme provides sensor node registration, user registration and mutual authentication, and a key exchange phase. The notations used in the Chen et al.s scheme are also presented in

Table 1. Notations and definitions of Chen et al.’s scheme.

Notation	Definition
$U_i$	i-th user
$I{D}_i,P{W}_i$	identity of $U_i$, password of $U_i$
$G{W}_j$	j-th gateway
$GI{D}_j,G_j$	identity of $G{W}_j$, secret key of $G{W}_j$
$S{N}_k,SI{D}_k$	k-th sensor, its identity
$CI{D}_i,QI{D}_k$	Temporary pseudoidentity of $U_i$ and $S{N}_k$
$N_l$	Network identifier of sensor set
$M_i$	i-th message
$S{G}_k$	Shared key between sensor and gateway
$S{K}_u$	Session key generated by user
$S{K}_g$	Session key generated by gateway
$S{K}_s$	Session key generated by sensor node
$R_s,R_0,R_u,R_g,R_x,R_y,R_z$	Temporary random number
$Gen(.)$	Fuzzy biometric generator
$Rep(.)$	Fuzzy biometric reproduction
$BI{O}_i$	Biometric template of the user
$h(.)$	Hash function
$\left|\right|$	Concatenation operator
⊕	Exclusive-OR operator

.

4.1. User Registration Phase

A medical professional such as a doctor or nurse must register in the gateway to use this network system. We describe the sensor node registration phase below:

Step 1: 

The user enters her/his own $I{D}_i$, $P{W}_i$ and imprints $Bi{o}_i$ into the mobile device. Then, $U_i$ calculates $Gen\left(Bi{o}_i\right)=<{\sigma }_i,{\tau }_i>$, $HP{W}_i=h(P{W}_i\left|\right|{\sigma }_i)$ and sends $I{D}_i$, $HP{W}_i$ as a registration request to the gateway through a secure channel.

Step 2: 

Upon receiving $I{D}_i$, $P{W}_i$ determines whether the identity is new. If it is new, $G{W}_j$ calculates $CI{D}_i=h\left(I{D}_i\right)$ and stores $CI{D}_i$, $HP{W}_i$. Then, $G{W}_j$ selects a secret random number $R_0$. After that, $G{W}_j$ computes $A_1=h(CI{D}_i\left|\right|GI{D}_j\left|\right|R_0\oplus G_j)\oplus HP{W}_i$ and $A_2=h(GI{D}_j\left|\right|HP{W}_i)\oplus (R_0\oplus G_j)$ and stores $A_1$ in memory. Finally, $G{W}_j$ sends $\{A_2,GI{D}_i\}$ to $U_i$ via a secure channel.

Step 3: 

$U_i$ computes $A_3=h(I{D}_i\left|\right|HP{W}_i)$. Then, $U_i$ stores $\{A_2,A_3,GI{D}_j,Gen(.),Rep(.),{\tau }_i\}$.

4.2. Sensor Node Registration Phase

The sensor node must be registered with the gateway to transmit the health information of the patient. We show the sensor node registration phase of Chen et al.’s scheme as follows:

Step 1: 

$S{N}_k$ sends $SI{D}_k$ and $N_l$ over a secure channel.

Step 2: 

$G{W}_j$ determines whether $SI{D}_k$ is a new identity and generates a new pseudoidentity $QI{D}_k$. $G{W}_j$ computes $S{G}_k=h(SI{D}_k\left|\right|G_j\oplus N_l)$ and stores $\{QI{D}_k,N_l\}$ in the memory. Then, $G{W}_j$ sends $\{S{G}_k,QI{D}_k\}$ to $S{N}_k$ via a secure channel.

Step 3: 

$S{N}_k$ computes $RS{G}_k=S{G}_k\oplus SI{D}_k$ and saves $\{RS{G}_k,QI{D}_k\}$ in the memory.

4.3. Login Phase

A medical professional must log in to the mobile device to use this network system. The detailed steps are illustrated in Figure 2:

Step 1: 

$U_i$ enters his/her own $I{D}_i^{*}$, $P{W}_i^{*}$ and imprints $Bi{o}_i^{{}^{\prime }}$ into the mobile device.

Step 2: 

The mobile device computes $Rep(BI{O}_i^{*},{\tau }_i)={\sigma }_i^{*}$, $HP{W}_i^{*}=h(P{W}_i^{*}\left|\right|{\sigma }_i^{*})$, and $A_3^{*}=h(I{D}_i^{*}\left|\right|HP{W}_i)$. Then, the mobile device verifies $A_3$ by comparison. If $A_3=A_3^{*}$, the mobile device allows $U_i$ to log in.

4.4. Authentication and Key Agreement Phase

In this phase, the medical professionals and the sensor node conduct a mutual authentication and key agreement phase to authenticate each other and establish a session key. Figure 3 shows the authentication and key agreement phase of Chen et al.’s scheme, and the details are as follows:

Step 1: 

$U_i$ selects the $SI{D}_k$ of the sensor to be accessed, generates a random number $R_u$, and creates a timestamp $T_1$. Then, $U_i$ calculates $(R_0\oplus G_j)=A_2\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $B_1=SI{D}_k\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $B_2=R_u\oplus h(GI{D}_j\left|\right|HP{W}_i\oplus SI{D}_k)$, and $B_3=(R_0\oplus G_j)\oplus h(GI{D}_j\left|\right|R_u)$. Finally, $U_i$ sends message $M_1\{CI{D}_i,GI{D}_j,B_1,B_2,B_3,T_1\}$ to $G{W}_j$ via a public channel.

Step 2: 

$G{W}_j$ receives the message $M_1$ and verifies the legitimacy of $T_1$ by determining whether it matches $|T_1-T_c|\le \Delta T$. $G{W}_j$ retrieves the memory and obtains the $HP{W}_i$, $QI{D}_k$ that matches $CI{D}_i$ in $M_1$. $(SI{D}_m\left|\right|{\alpha }_m)=De{c}_{MSK}\left(MI{D}_m\right)$. Then, $G{W}_j$ computes $SI{D}_k=B_1\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $R_u=B_2\oplus h(GI{D}_j\left|\right|HP{W}_i\oplus SI{D}_k)$, $(R_0\oplus G_j)=B_3\oplus h(GI{D}_j\left|\right|R_u)$, and $A_1^{*}=h(CI{D}_i\left|\right|GI{D}_j\left|\right|R_0\oplus G_j)\oplus HP{W}_i$. $G{W}_j$ verifies $A_1\equiv A_1^{*}$. If the verification is false, $G{W}_j$ stops the conversation. Otherwise, $G{W}_j$ confirms the justification of the identity of $U_i$, and it generates a random number $R_g$ and a new timestamp $T_2$. Then, $G{W}_j$ computes $S{G}_k=h(SI{D}_k\left|\right|G_j\oplus N_l)$, $B_4=R_u\oplus HP{W}_i\oplus S{G}_k$, $B_5=R_g\oplus h(S{G}_k\left|\right|SI{D}_k)$, and $B_6=h(QI{D}_k\left|\right|B_4\left|\right|B_5\left|\right|S{G}_k\left|\right|R_u\oplus HP{W}_i\left|\right|R_g)$. Finally, $G{W}_j$ sends $M_2\{QI{D}_k,B_4,B_5,B_6,T_2\}$ to $S{N}_k$ via a public channel.

Step 3: 

$S{N}_k$ receives the message $M_2$ and verifies that $|T_2-T_c|\le \Delta T$. The message is fresh if the verification is true. Then, $S{N}_k$ obtains the corresponding $RS{G}_k$ in storage based on $QI{D}_k$. $S{N}_k$ computes $S{G}_k=RS{G}_k\oplus SI{D}_k$, $(R_u\oplus HP{W}_i)=B_4\oplus S{G}_k$, and $B_6^{*}=h(QI{D}_k\left|\right|B_4\left|\right|B_5\left|\right|S{G}_k\left|\right|R_u\oplus HP{W}_i\left|\right|R_g)$. Afterward, $G{W}_j$ verifies whether $B_6^{*}\equiv B_6$. If it is true, $S{N}_k$ generates a random number $R_s$ and a timestamp $T_3$. $S{N}_k$ calculates the keys $S{K}_s=h(R_u\oplus HP{W}_i\left|\right|R_g\left|\right|R_s)$, $B_7=h(S{G}_k\left|\right|R_g\oplus R_s)$, and $B_8=h(R_g\left|\right|R_s\left|\right|S{G}_k\left|\right|T_3)$. Then, $S{N}_k$ sends message $M_3\{B_7,B_8,T_3\}$ to $G{W}_j$ via a public channel.

Step 4: 

$G{W}_j$ receives the message $M_3$ and verifies the freshness of timestamp $T_3$ using $|T_3-T_c|\le \Delta T$. If the verification passes, $G{W}_j$ generates timestamp $T_4$ and calculates $R_s=h(S{G}_k\left|\right|R_g)\oplus B_7$ and $B_8^{*}=h(R_g\left|\right|R_s\left|\right|S{G}_k\left|\right|T_3)$, then verifies whether $B_8^{*}\equiv B_8$. If the verification is correct, $G{W}_j$ generates $T_4$ and calculates $S{K}_s=h(R_u\oplus HP{W}_i\left|\right|R_g\left|\right|R_s)$, $B_9=h(R_u\oplus GI{D}_j\left|\right|HP{W}_i)\oplus (R_g\left|\right|R_s)$, and $B_{10}=h(R_0\oplus G_j\left|\right|S{K}_g\left|\right|R_u)$. After that, $G{W}_j$ sends message $M_4\{B_9,B_{10},T_4\}$ to $U_i$ via a public channel.

Step 5: 

$U_i$ receives the message $M_4$ and verifies that $|T_2-T_c|\le \Delta T$. If the verification is true, the message is fresh. Then, $U_i$ computes $(R_g\left|\right|R_s)=B_9\oplus h(R_u\oplus GI{D}_j\left|\right|HP{W}_i)$, $S{K}_u=h(R_u\oplus HP{W}_i\left|\right|R_g\left|\right|R_s)$, and $B_{10}^{*}=h(R_0\oplus G_j\left|\right|S{K}_u\left|\right|R_u)$. Finally, $U_i$ verifies whether $B_{10}^{*}\equiv B_{10}$, and if this is true, the verification and key exchange are a success.

5. Cryptanalysis of Chen et al.’s Scheme

In this section, we analyze the security defects of Chen et al.’s scheme. Our analysis shows that their scheme is vulnerable to privileged insider attacks, physical cloning attacks, and verification table leakage attacks. In addition, malicious adversary $\mathcal{A}$ can impersonate the user, sensor node, and gateway and disclose a session key.

5.1. Privileged Insider Attack

A privileged insider can support $\mathcal{A}$ by giving various important information such as registration message and values stored on the mobile device of the user. We describe the procedures are as follows:

Step 1: 

$\mathcal{A}$ can obtain a registration request message $\{I{D}_i,HP{W}_i\}$ and the secret parameter $\{A_2,A_3,GI{D}_j,Gen(.),Rep(.),{\tau }_i\}$ extracted from the smart device of the user.

Step 2: 

The adversary $\mathcal{A}$ intercepts $M_1\{CI{D}_i,GI{D}_j,B_1,B_2,B_3,T_1\}$, and $M_3\{B_7,B_8,T_3\}$ transmitted by the public channel.

Step 3: 

$\mathcal{A}$ calculates ${(R_0\oplus G_j)}^{*}=A_2\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $SI{D}_k^{*}=B_1\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $R_u^{*}=B_2\oplus h(GI{D}_j\left|\right|HP{W}_i\oplus SI{D}_k)$, and $(R_g\left|\right|R_s{)}^{*}=B_9\oplus h(R_u\oplus GI{D}_j\left|\right|HP{W}_i)$. Then, $\mathcal{A}$ can extract the parameters ${(R_0\oplus G_j)}^{*}$, $SI{D}_k^{*}$, $R_u^{*}$, and $(R_g\left|\right|R_s{)}^{*}$.

Step 4: 

$\mathcal{A}$ calculates $B_1^{*}=SI{D}_k\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $B_2^{*}=R_u\oplus h(GI{D}_j\left|\right|HP{W}_i\oplus SI{D}_k)$, $B_3^{*}=(R_0\oplus G_j)\oplus h(GI{D}_j\left|\right|R_u)$, and $S{K}_u=h(R_u\oplus HP{W}_i\left|\right|R_g\left|\right|R_s)$. Thereafter, $\mathcal{A}$ can generate $M_1\{CI{D}_i,GI{D}_j,B_1^{*},B_2^{*},B_3^{*},T_1^{*}\}$ and send it to $G{W}_j$ by impersonating legitimate user $U_i$. In addition, $\mathcal{A}$ can calculate $S{K}_u^{*}=h(R_u\oplus HP{W}_i\left|\right|(R_g\left|\right|R_s{)}^{*})$ to generate session key $S{K}_u^{*}$. Thus, $\mathcal{A}$ can disclose or exploit the session key.

Thus, Chen et al.’s scheme is insecure against privileged insider attacks.

5.2. Physical Cloning Attack

In this attack, we assume that $\mathcal{A}$ can clone sensor node $S{N}_k$ physically and extract the sensitive value $\{RS{G}_k,QI{D}_k\}$ stored in the memory of $S{N}_k$. In order to be able to forward message $\{B_7,B_8,T_3\}$ on behalf of the legitimate $G{W}_j$ and generate session key $S{K}_s$, then $\mathcal{A}$ has to calculate the value of $B_7=h(S{G}_k\left|\right|R_g\oplus R_s)$, $B_8=h(R_g\left|\right|R_s\left|\right|S{G}_k\left|\right|T_3)$, and $S{K}_s=h(R_u\oplus HP{W}_i\left|\right|R_g\left|\right|R_s)$ through the following steps:

Step 1: 

The adversary $\mathcal{A}$ can obtain the messages $M_2\{QI{D}_k,B_4,B_5,B_6,T_2\}$ and $M_3\{B_7,B_8,T_3\}$ by the eavesdropping attack.

Step 2: 

$\mathcal{A}$ computes $S{G}_k^{*}$ through $S{G}_k^{*}=RS{G}_k\oplus SI{D}_k$.

Step 3: 

$\mathcal{A}$ calculates ${(R_u\oplus HP{W}_i)}^{*}=B_4\oplus S{G}_k$, $R_g^{*}=B_5\oplus h(S{G}_k\left|\right|SI{D}_k)$, and $R_s^{*}=h(S{G}_k\left|\right|R_g)\oplus B_7$. Afterward, $\mathcal{A}$ obtains the parameters ${(R_u\oplus HP{W}_i)}^{*}$, $R_g^{*}$, and $R_s^{*}$.

Step 4: 

$\mathcal{A}$ can successfully compute $B_7^{*}=h(S{G}_k^{*}\left|\right|R_g^{*})\oplus R_s^{*}$, $B_8^{*}=h(R_g^{*}\left|\right|R_s^{*}\left|\right|S{G}_k^{*}\left|\right|T_3^{*})$, and $S{K}_s^{*}=h({(R_u\oplus HP{W}_i)}^{*}\left|\right|R_g^{*}\left|\right|R_s^{*})$. Finally, $\mathcal{A}$ can generate authentication message $M_3^{*}\{B_7^{*},B_8^{*},T_3^{*}\}$ and session key $S{K}_s$.

Therefore, the scheme of Chen et al. cannot resist thephysical cloning attack.

5.3. Verification Table Leakage Attack

If $\mathcal{A}$ extracts the verification table $\{QI{D}_k,N_l,CI{D}_i,HP{W}_i,A_1\}$ of $G{W}_j$, $\mathcal{A}$ attempts to impersonate $G{W}_j$ and generate a session key. The details are described below:

Step 1: 

The malicious adversary $\mathcal{A}$ can obtain the messages $M_1\{CI{D}_i,GI{D}_j,B_1,B_2,B_3,T_1\}$, $M_2\{QI{D}_k,B_4,B_5,B_6,T_2\}$, and $M_3\{B_7,B_8,T_3\}$ transmitted by the public channel.

Step 2: 

$\mathcal{A}$ computes $SI{D}_k^{*}=B_1\oplus h(GI{D}_j\left|\right|HP{W}_i)$, $R_u^{*}=B_2\oplus h(GI{D}_j\left|\right|HP{W}_i\oplus SI{D}_k^{*})$, ${(R_0\oplus G_j)}^{*}=B_3\oplus h(GI{D}_j\left|\right|R_u^{*})$, $S{G}_k^{*}=R_u^{*}\oplus HP{W}_i\oplus B_4$, $R_g^{*}=B_5\oplus h(S{G}_k^{*}\left|\right|SI{D}_k^{*})$, and $R_s^{*}=h(S{G}_k^{*}\left|\right|R_g^{*})\oplus B_7$ to generate parameters $SI{D}_k^{*},R_u^{*},{(R_0\oplus G_j)}^{*},S{G}_k^{*},R_g^{*},$$R_s^{*}$.

Step 3: 

$\mathcal{A}$ calculates $B_4=R_u\oplus HP{W}_i\oplus S{G}_k$, $B_5=R_g\oplus h(S{G}_k\left|\right|SI{D}_k)$, $B_6=h(QI{D}_k\left|\right|B_4\left|\right|B_5\left|\right|S{G}_k\left|\right|R_u\oplus HP{W}_i\left|\right|R_g)$, $S{K}_g^{*}=h(R_u^{*}\oplus HP{W}_i\left|\right|R_g^{*}\left|\right|R_s^{*})$, $B_9^{*}=h(R_u^{*}\oplus GI{D}_j\left|\right|$$HP{W}_i)\oplus (R_g^{*}\left|\right|R_s^{*})$, and $B_{10}^{*}=h({(R_0\oplus G_j)}^{*}\left|\right|S{K}_g^{*}\left|\right|R_u^{*})$.

Step 4: 

Eventually, $\mathcal{A}$ can generate authentication messages $M_2^{*}\{QI{D}_k,B_4^{*},B_5^{*},B_6^{*},T_2^{*}\}$ and $M_4^{*}\{B_9^{*},B_{10}^{*},T_4^{*}\}$ and send them to the user and gateway disguised as a legal $G{W}_j$. Furthermore, $\mathcal{A}$ can generate session key $S{K}_g^{*}$ of $G{W}_j$ and adversely affect the system by exposing $S{K}_g^{*}$.

Therefore, Chen et al.’s scheme cannot withstand verification table leakage attacks.

5.4. Impersonation Attack

(1)

User impersonation attack: In the previous privileged insider attack in Section 5.1, $\mathcal{A}$ can generate authentication message $M_1\{CI{D}_i,GI{D}_j,B_1^{*},B_2^{*},B_3^{*},T_1^{*}\}$ and send it to the gateway to impersonate a legitimate user. Therefore, the scheme of Chen et al. is vulnerable to the user impersonation attack.

(2)

Gateway impersonation attack: In the previous verification table attack in Section 5.3, $\mathcal{A}$ can calculate authentication messages $M_2^{*}\{QI{D}_k,B_4^{*},B_5^{*},B_6^{*},T_2^{*}\}$ and $M_4^{*}\{B_9^{*},B_{10}^{*},T_4^{*}\}$ and send them to the sensor node and user. However, the sensor node and gateway cannot recognize that the message transmitted from a gateway was not legal. Therefore, the scheme of Chen et al. cannot resist the gateway impersonation attack.

(3)

Sensor node impersonation attack: In the previous physical cloning attack in Section 5.2, a malicious adversary $\mathcal{A}$ can compute message $M_3^{*}\{B_7^{*},B_8^{*},T_3^{*}\}$ to be sent to the gateway. However, the gateway recognizes that the message was transmitted from a legitimate sensor node. Therefore, Chen et al.’s scheme cannot withstand sensor node impersonation attacks.

5.5. Session Key Disclosure Attack

In the previous attacks, privileged insider in Section 5.1, physical cloning in Section 5.2, and verification table leakage in Section 5.3, $\mathcal{A}$ can generate session keys $S{K}_u,S{K}_k$, and $S{K}_g$. $\mathcal{A}$ attempts to exploit the generated session key to adversely affect the system and disclose it to the outside. Thus, the scheme of Chen et al. cannot prevent session key disclosure attacks.

6. Proposed Scheme

In this section, we propose a secure three-factor mutual authentication scheme for WBANs to overcome the security weaknesses of Chen et al.’s scheme. Our scheme also considers the efficiency of the authentication process. Our scheme consists of user registration, sensor node registration, mutual authentication and key agreement, and password change phases. The notations and definitions used in the proposed scheme are explained in

Table 2. Notations and definitionsof the proposed scheme.

Notation	Definition
$U_i$	i-th user
$I{D}_i,P{W}_i$	identity of $U_i$, password of $U_i$
$G{W}_j$	j-th gateway
$GI{D}_j,G_j$	identity of $G{W}_j$, secret key of $G{W}_j$
$S{N}_k,SI{D}_k$	k-th sensor, its identity
$CI{D}_i$	Temporary pseudoidentity of $U_i$
$M_i$	i-th message
$S{G}_k$	Shared key between sensor and gateway
$S{K}_u$	Session key generated by user
$S{K}_g$	Session key generated by gateway
$S{K}_s$	Session key generated by sensor node
$R_u,R_g,R_s,R_0,R_1,R_2$	Temporary random number
$Gen(.)$	Fuzzy biometric generator
$Rep(.)$	Fuzzy biometric reproduction
$BI{O}_i$	Biometric template of the user
$h(.)$	Hash function
$\left|\right|$	Concatenation operator
⊕	Exclusive-OR operator

.

6.1. User Registration Phase

In order for a medical professional to receive patient information from the sensor node, he/she must be registered with the gateway in advance. The details are shown in Figure 4:

Step 1: 

$U_i$ inputs an identity $I{D}_i$, a password $P{W}_i$, and biometric template $BI{O}_i$ into the mobile device. Then, the mobile device computes $Gen\left(BI{O}_i\right)=<{\sigma }_i,{\tau }_i>$, $HI{D}_i=h(I{D}_i\left|\right|{\sigma }_i)$, and $HP{W}_i=h(P{W}_i\left|\right|{\sigma }_i)$. $U_i$ sends $HI{D}_i$ to the gateway through a secure channel.

Step 2: 

$G{W}_j$ receives $HI{D}_i$ from $U_i$ and checks whether $HI{D}_i$ is new. If it is new, $G{W}_j$ generates random numbers $R_0$ and $R_1$. Then, $G{W}_j$ calculates $CI{D}_i=h(HI{D}_i\left|\right|R_0)$ and $E{R}_j=R_1\oplus G_j$ and stores $CI{D}_i,HI{D}_i,E{R}_j$. Afterward, $G{W}_j$ computes $A_0=R_0\oplus G_j$ and $A_1=h(HI{D}_i\left|\right|A_0)\oplus G_j$ and stores $A_1$ into memory. Finally, $G{W}_j$ sends message $\{A_0,R_1,CI{D}_i\}$ to $U_i$ via a secure channel.

Step 3: 

$U_i$ receives message $A_0,R_1,CI{D}_i$ from $G{W}_j$ and computes $A_2=A_0\oplus R_1\oplus {\sigma }_i$, $A_3=h(I{D}_i\left|\right|HP{W}_i)$, and $E{R}_i=h(I{D}_i\left|\right|P{W}_i)\oplus R_1$. Then, $G{W}_j$ stores $\{A_2,A_3,$$Gen(.),Rep(.),{\tau }_i,E{R}_i,CI{D}_i\}$ in the mobile device.

6.2. Sensor Node Registration Phase

A sensor node must register with the gateway in order to transmit patient information to the medical professional. The sensor node registration phase is shown in Figure 5, and the detailed steps are as follows:

Step 1: 

$S{N}_k$ generates a challenge $C{H}_1$ and sends identity $SI{D}_k$ and $C{H}_1$ to $G{W}_j$ over a secure channel.

Step 2: 

$G{W}_j$ receives $SI{D}_k$ and $C{H}_1$ from $S{N}_k$ and determines whether $SI{D}_k$ is a new identity. If it is new, $G{W}_j$ computes $S{G}_k=h(SI{D}_k\left|\right|G_j)$ and stores $SI{D}_k$ and $C{H}_1$ into memory. Then, $G{W}_j$ sends $S{G}_k$ to $S{N}_k$ through a secure channel.

Step 3: 

$S{N}_k$ receives $S{G}_k$ from $G{W}_j$. Then, $S{N}_k$ computes $R{E}_1=PUF\left(C{H}_1\right)$ and $RS{G}_k=S{G}_k\oplus SI{D}_k\oplus R{E}_1$ and saves $\{RS{G}_k,C{H}_1\}$ in the memory.

6.3. Login Phase

A medical professional must log in to the mobile device to utilize this WBAN system. The details are shown in Figure 6:

Step 1: 

$U_i$ enters $I{D}_i^{*}$ and $P{W}_i^{*}$ and imprints $BI{O}_i^{*}$ into the mobile device.

Step 2: 

The mobile device calculates $Rep(BI{O}_i^{*},{\tau }_i)={\sigma }_i^{*}$, $HP{W}_i^{*}=h(P{W}_i^{*}\left|\right|{\sigma }_i^{*})$, and $A_3^{*}=h(I{D}_i^{*}\left|\right|HP{W}_i^{*})$. Then, the mobile device verifies $A_3$ by comparison. If $A_3=A_3^{*}$, $U_i$ logs in successfully.

6.4. Mutual Authentication and Key Agreement Phase

The medical professional sends an authentication message to the gateway and generates a session key among the medical professional, the sensor node, and the gateway. After that, the medical professionals can receive the patient’s information from the sensor node. In Figure 7, we show the mutual authentication and key agreement phase of our scheme, and the details are given below:

Step 1: 

$U_i$ selects $SI{D}_k,R_u,T_1$ and computes $R_1=E{R}_i\oplus h(I{D}_i\left|\right|P{W}_i)$ and $A_0=A_2\oplus R_1\oplus {\sigma }_i$. Then, $U_i$ generates random nonce $R_u$ and calculates $B_1=R_u\oplus R_1$, $B_2=A_0\oplus R_u\oplus R_1\oplus HI{D}_i$. Finally, $U_i$ sends $M_1\{SI{D}_k,CI{D}_i,B_1,B_2,T_1\}$ to $G{W}_j$ through a public channel.

Step 2: 

$G{W}_j$ receives message $M_1$ from $U_i$ and verifies that $|T_1-T_c|\le \Delta T$. If the verification passes, $G{W}_j$ checks whether $CI{D}_i=CI{D}_i^{old}$ or $CI{D}_i=CI{D}_i^{new}$. If $(CI{D}_i==CI{D}_i^{old})$, then it retrieves $\{HI{D}_i^{*},E{R}_j\}$ against $CI{D}_i^{old}$, and if $(CI{D}_i==CI{D}_i^{new})$, it retrieves $\{HI{D}_i^{*},E{R}_j\}$ against $CI{D}_i^{new}$. After that, $G{W}_j$ computes $R_1=E{R}_j\oplus G_j$, $R_u=B_1\oplus R_1$, $A_0=B_2\oplus R_u\oplus R_1\oplus HI{D}_i$, and $A_1^{*}=h(HI{D}_i\left|\right|A_0)\oplus G_j$. If $A_1\stackrel{?}{=}{A}_1^{*}$ is true, $G{W}_j$ computes $CI{D}_i^{new}=h(HI{D}_i\left|\right|R_u)$ and updates $CI{D}_i^{new}$. Then, $G{W}_j$ selects $R_g,T_2$ and calculates $S{G}_k=h(SI{D}_k\left|\right|G_j)$, $C_1=Ru\oplus HI{D}_i$, $B_3=C_1\oplus S{G}_k\oplus C{H}_1$, $B_4=R_g\oplus h(S{G}_k\left|\right|SI{D}_k)$, and $B_5=h(B_4\left|\right|B_5\left|\right|S{G}_k\left|\right|C_1\left|\right|R_g)$. Finally, $G{W}_j$ sends $M_2\{B_3,B_4,B_5,T_2\}$ to $S{N}_k$ via a public channel.

Step 3: 

$S{N}_k$ receives the message $M_2\{B_3,B_4,B_5,T_2\}$ and verifies the freshness of timestamp $T_2$ using $|T_2-T_c|\le \Delta T$. If the verification is true, the message is fresh. Then, $S{N}_k$ obtains the corresponding $RS{G}_k$, $C{H}_1$ and computes $R{E}_1=PUF\left(C{H}_1\right)$, $S{G}_k=RS{G}_k\oplus SI{D}_k\oplus R{E}_1$, $C_1=B_3\oplus S{G}_k\oplus C{H}_1$, $R_g=B_4\oplus h(S{G}_k\left|\right|SI{D}_k)$, and $B_5^{*}=h(B_3\left|\right|B_4\left|\right|S{G}_k\left|\right|C_1\left|\right|R_g)$. $S{N}_k$ verifies whether $B_5^{*}\stackrel{?}{=}{B}_5$. If verification is correct, $S{N}_k$ selects $R_s,T_3$ and computes $S{K}_s=h(C_1\left|\right|R_g\left|\right|R_s)$, $B_6=h(S{G}_k\left|\right|R_g)\oplus R_s$, and $B_7=h(R_g\left|\right|R_s\left|\right|S{G}_k\left|\right|T_3\left|\right|C_1)$. $S{N}_k$ sends $M_3=\{B_6,B_7,T_3\}$ to $G{W}_j$ through a public channel.

Step 4: 

$G{W}_j$ receives the message $M_3$ and verifies that $|T_3-T_c|\le \Delta T$. The message is fresh if the verification is true. Then, $G{W}_j$ computes $R_s=h(S{G}_k\left|\right|R_g)\oplus B_6$ and $B_7^{*}=h(R_g\left|\right|R_s\left|\right|S{G}_k\left|\right|T_3\left|\right|C_1)$. Afterward, $G{W}_j$ verifies whether $B_7^{*}\stackrel{?}{=}{B}_7$. If it is true, $G{W}_j$ selects $T_4$ and computes $S{K}_g=h(C_1\left|\right|R_g\left|\right|R_s)$, $B_8=R_u\oplus (R_g\left|\right|R_s)$, and $B_9=h(A_0\left|\right|S{K}_g\left|\right|R_u)$. $G{W}_j$ sends $M_4=\{B_8,B_9,T_4\}$ to $U_i$ via a public channel

Step 5: 

$U_i$ receives the message $M_4$ and verifies the legitimacy of $T_4$ by determining whether it matches $|T_4-T_c|\le \Delta T$. $U_i$ computes $(R_g\left|\right|R_s)=B_8\oplus R_u$, $S{K}_u=h(C_1\left|\right|R_g\left|\right|R_s)$, and $B_9^{*}=h(A_0\left|\right|S{K}_u\left|\right|R_u)$. Then, $U_i$ verifies whether $B_9^{*}\stackrel{?}{=}{B}_9$. If the verification is true, $U_i$ updates $CI{D}_i^{new}$. Finally, the verification and key exchange are successful.

6.5. Password Update Phase

In our scheme, we provide an efficient password update process of the medical professional. We show the password update phase in Figure 8, and the detailed steps are as follows:

Step 1: 

$U_i$ enters $I{D}_i^{*}$ and $P{W}_i^{*}$ and imprints $BI{O}_i^{*}$ to the mobile device.

Step 2: 

The mobile device calculates $Rep(BI{O}_i^{*},{\tau }_i)={\sigma }_i^{*}$, $HP{W}_i^{*}=h(P{W}_i^{*}\left|\right|{\sigma }_i^{*})$, and $A_3^{*}=h(I{D}_i^{*}\left|\right|HP{W}_i^{*})$ and verifies $A_3\stackrel{?}{=}{A}_3^{*}$. If the equation is true, user authentication passes.

Step 3: 

$U_i$ inputs a new password $P{W}_i^{new}$ and a new biometric $BI{O}_i^{new}$ to the mobile device.

Step 4: 

The mobile device computes $Gen\left(BI{O}_i^{new}\right)=<{\sigma }_i^{new},{\tau }_i^{new}>$, $HP{W}_i^{new}=$$h\left(P{W}_i^{new}\right|\left|{\sigma }_i^{new}\right)$, $R_1=E{R}_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i^{*})$, $E{R}_i^{new}=h(I{D}_i^{*}\left|\right|P{W}_i^{new})\oplus R_1$, and $A_3^{new}=h(I{D}_i^{*}\left|\right|HP{W}_i^{new})$. Finally, the mobile device replaces $\{A_3,{\tau }_i,E{R}_i\}$ with $\{A_3^{new},$${\tau }_i^{new},E{R}_i^{new}\}$

7. Security Analysis

To prove the security features of the proposed scheme, we used BAN logic and the RoR model, which can prove the mutual authentication properties and session key security, respectively. Furthermore, we show that our scheme has resistance against man-in-the-middle and replay attacks using AVISPA. Furthermore, we claim that the proposed scheme can prevent various security attacks using informal analysis.

7.1. BAN Logic

In this section, BAN logic [26] is used to prove the mutual authentication of the proposed scheme. BAN logic uses a simple logic to explain the beliefs between the communication participants of authentication schemes. From that, many security schemes are proven by using BAN logic [27,28,29].

Table 3. Basic notations in BAN logic.

Notation	Definition
${\mathcal{C}}_1,{\mathcal{C}}_2$	Principals
${\mathcal{T}}_1,{\mathcal{T}}_2$	Statements
$SK$	Session key
${\mathcal{C}}_1|\equiv {\mathcal{T}}_1$	${\mathcal{C}}_1$believes${\mathcal{T}}_1$
${\mathcal{C}}_1|\sim {\mathcal{T}}_1$	${\mathcal{C}}_1$ once said ${\mathcal{T}}_1$
${\mathcal{C}}_1\Rightarrow {\mathcal{T}}_1$	${\mathcal{C}}_1$controls${\mathcal{T}}_1$
${\mathcal{C}}_1⊲{\mathcal{T}}_1$	${\mathcal{C}}_1$receives${\mathcal{T}}_1$
$\#{\mathcal{T}}_1$	${\mathcal{T}}_1$ is fresh
${\left({\mathcal{T}}_1\right)}_K$	${\mathcal{T}}_1$ is encrypted with K
${\mathcal{C}}_1\stackrel{K}{\leftrightarrow }{\mathcal{C}}_2$	${\mathcal{C}}_1$ and ${\mathcal{C}}_2$ have shared key K

shows the basic notation in BAN logic.

7.1.1. Rules

We introduce five rules used in BAN logic:

1.

Message meaning rule (MMR):

$$\frac{{\mathcal{C}}_1|\equiv {\mathcal{C}}_1\stackrel{K}{\leftrightarrow }{\mathcal{C}}_2,{\mathcal{C}}_1⊲{\left({\mathcal{T}}_1\right)}_K}{{\mathcal{C}}_1|\equiv {\mathcal{C}}_2|\sim {\mathcal{T}}_1};$$

2.

Nonce verification rule (NVR):

$$\frac{{\mathcal{C}}_1|\equiv \#\left({\mathcal{T}}_1\right),{\mathcal{C}}_1|\equiv {\mathcal{C}}_2|\sim {\mathcal{T}}_1}{{\mathcal{C}}_1|\equiv {\mathcal{C}}_2|\equiv {\mathcal{T}}_1};$$

3.

Jurisdiction rule (JR):

$$\frac{{\mathcal{C}}_1|\equiv {\mathcal{C}}_2\Rightarrow {\mathcal{T}}_1,{\mathcal{C}}_1|\equiv {\mathcal{C}}_2|\equiv {\mathcal{T}}_1}{{\mathcal{C}}_1|\equiv {\mathcal{T}}_1};$$

4.

Belief rule (BR):

$$\frac{{\mathcal{C}}_1|\equiv ({\mathcal{T}}_1,{\mathcal{T}}_2)}{{\mathcal{C}}_1|\equiv {\mathcal{T}}_1};$$

5.

Freshness rule (FR):

$$\frac{{\mathcal{C}}_1|\equiv \#\left({\mathcal{T}}_1\right)}{{\mathcal{C}}_1|\equiv \#({\mathcal{T}}_1,{\mathcal{T}}_2)}.$$

7.1.2. Goals

The final goal of BAN logic in the proposed scheme is to achieve mutual authentication by agreeing on the session key $SK$. We define $U_i$, $G{W}_j$, and $S{N}_k$ as the user, gateway, and sensor node, respectively:

Goal 1: 

$U_i|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i$;

Goal 2: 

$U_i|\equiv G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i$;

Goal 3: 

$G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i$;

Goal 4: 

$G{W}_j|\equiv U_i|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i$;

Goal 5: 

$S{N}_k|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k$;

Goal 6: 

$S{N}_k|\equiv G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k$;

Goal 7: 

$G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k$;

Goal 8: 

$G{W}_j|\equiv S{N}_k|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k$.

7.1.3. Idealized Forms

In the proposed scheme, $M_1=\{SI{D}_k,CI{D}_i,B_1,B_2,T_1\}$, $M_2=\{B_3,B_4,B_5,T_2\}$, $M_3=\{B_6,B_7,T_3\}$, and $M_4=\{B_8,B_9,T_4\}$ are transmitted through public channels. We restructure the messages to fit the BAN logic, named “idealized forms”:

${\mathcal{T}}_1:$ 

$U_i\to G{W}_j:{\{R_u,A_0,HI{D}_i,T_1\}}_{R_1}$;

${\mathcal{T}}_2:$  

$G{W}_j\to S{N}_k:{\{R_g,C_1,T_2\}}_{S{G}_k}$;

${\mathcal{T}}_3:$  

$S{N}_k\to G{W}_j:{\{R_s,T_3\}}_{S{G}_k}$;

${\mathcal{T}}_4:$  

$G{W}_j\to U_i:{\{R_g,R_s,T_4\}}_{R_u}$.

7.1.4. Assumptions

The assumptions in the proposed scheme are shown as below:

${\mathcal{S}}_1$: 

$G{W}_j|\equiv \#\left(T_1\right)$;

${\mathcal{S}}_2$: 

$S{N}_k|\equiv \#\left(T_2\right)$;

${\mathcal{S}}_3$: 

$G{W}_j|\equiv \#\left(T_3\right)$;

${\mathcal{S}}_4$: 

$U_i|\equiv \#\left(T_4\right)$;

${\mathcal{S}}_5$: 

$U_i|\equiv G{W}_j\Rightarrow (G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i)$;

${\mathcal{S}}_6$: 

$G{W}_j|\equiv U_i\Rightarrow (G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i)$;

${\mathcal{S}}_7$: 

$G{W}_j|\equiv S{N}_k\Rightarrow (G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k)$;

${\mathcal{S}}_8$: 

$S{N}_k|\equiv G{W}_j\Rightarrow (G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k)$;

${\mathcal{S}}_9$: 

$G{W}_j|\equiv G{W}_j\stackrel{R_1}{\leftrightarrow }{U}_i$;

${\mathcal{S}}_{10}$: 

$G{W}_j|\equiv G{W}_j\stackrel{S{G}_k}{\leftrightarrow }S{N}_k$;

${\mathcal{S}}_{11}$: 

$S{N}_k|\equiv G{W}_j\stackrel{S{G}_k}{\leftrightarrow }S{N}_k$;

${\mathcal{S}}_{12}$: 

$U_i|\equiv G{W}_j\stackrel{R_u}{\leftrightarrow }{U}_i$.

7.1.5. BAN Logic Proof

Step 1: 

We can obtain $P{R}_1$ based on the first message $T_1$, and we obtain the following:

$$P{R}_1:G{W}_j⊲{\{R_u,A_0,HI{D}_i,T_1\}}_{R_1};$$

Step 2: 

Based on the message meaning rule, $P{R}_1$, and ${\mathcal{S}}_9$, we can obtain the following:

$$P{R}_2:G{W}_j|\equiv U_i|\sim (R_u,A_0,HI{D}_i,T_1);$$

Step 3: 

Based on the freshness rule, $P{R}_2$, and ${\mathcal{S}}_1$, we can obtain the following:

$$P{R}_3:G{W}_j|\equiv \#(R_u,A_0,HI{D}_i,T_1);$$

Step 4: 

Based on the nonce verification rule, $P{R}_2$, and $P{R}_3$, we obtain the following:

$$P{R}_4:G{W}_j|\equiv U_i|\equiv (R_u,A_0,HI{D}_i,T_1);$$

Step 5: 

Based on the second message $T_2$, we obtain the following:

$$P{R}_5:S{N}_k⊲{\{R_g,C_1,T_2\}}_{S{G}_k};$$

Step 6: 

Based on the message meaning rule, $P{R}_5$, and ${\mathcal{S}}_{11}$, we can obtain the following:

$$P{R}_6:S{N}_k|\equiv G{W}_j|\sim (R_g,C_1,T_2);$$

Step 7: 

Based on the freshness rule, $P{R}_6$, and ${\mathcal{S}}_2$, we can obtain the following:

$$P{R}_7:S{N}_k|\equiv \#(R_g,C_1,T_2);$$

Step 8: 

Based on the nonce verification rule, $P{R}_6$, and $P{R}_7$, we can obtain the following:

$$P{R}_8:S{N}_k|\equiv G{W}_j|\equiv (R_g,C_1,T_2);$$

Step 9: 

Based on the third message $T_3$, we can obtain the following:

$$P{R}_9:G{W}_j⊲{\{R_s,T_3\}}_{S{G}_k};$$

Step 10: 

Based on the message meaning rule, $P{R}_9$, and ${\mathcal{S}}_{10}$, we can obtain the following:

$$P{R}_{10}:G{W}_j|\equiv S{N}_k|\sim (R_s,T_3);$$

Step 11: 

Based on the freshness rule, $P{R}_{10}$, and ${\mathcal{S}}_3$, we can obtain the following:

$$P{R}_{11}:G{W}_j|\equiv \#(R_s,T_3);$$

Step 12: 

Based on the nonce verification rule, $P{R}_{10}$, and $P{R}_{11}$, we can obtain the following:

$$P{R}_{12}:G{W}_j|\equiv S{N}_k|\equiv (R_s,T_3);$$

Step 13: 

Based on $P{R}_8$ and $P{R}_{12}$, $S{N}_k$ and $G{W}_j$ compute the session key $SK=h\left(C_1\right|\left|R_g\right|\left|R_s\right)$. Therefore, we can obtain the following goals:

$$P{R}_{13}:S{N}_k|\equiv G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{6}\mathbf{)}$$

$$P{R}_{14}:G{W}_j|\equiv S{N}_k|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{8}\mathbf{)};$$

Step 14: 

Based on the jurisdiction rule, $P{R}_{13}$, $P{R}_{14}$, ${\mathcal{S}}_7$, and ${\mathcal{S}}_8$, we can obtain the following goals:

$$P{R}_{15}:S{N}_k|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{5}\mathbf{)}$$

$$P{R}_{16}:G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }S{N}_k\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{7}\mathbf{)};$$

Step 15: 

Based on the last message $T_4$, we can obtain the following:

$$P{R}_{17}:U_i⊲{\{R_g,R_s,T_4\}}_{R_u};$$

Step 16: 

Based on the message meaning rule, $P{R}_{17}$, and ${\mathcal{S}}_{12}$, we can obtain the following:

$$P{R}_{18}:U_i\equiv S{N}_k|\sim (R_g,R_s,T_4);$$

Step 17: 

Based on the freshness rule, $P{R}_{18}$, and ${\mathcal{S}}_4$, we can obtain the following:

$$P{R}_{19}:U_i|\equiv \#(R_g,R_s,T_4);$$

Step 18: 

Based on the nonce verification rule, $P{R}_{19}$, and $P{R}_{17}$, we can obtain the following:

$$P{R}_{20}:U_i|\equiv G{W}_j|\equiv (R_g,R_s,T_4);$$

Step 19: 

Based on $P{R}_4$ and $P{R}_{20}$, $U_i$ and $G{W}_j$ compute the session key $SK$. Therefore, we can obtain the following goals:

$$P{R}_{21}:U_i|\equiv G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{2}\mathbf{)}$$

$$P{R}_{22}:G{W}_j|\equiv U_i|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{4}\mathbf{)};$$

Step 20: 

Based on the jurisdiction rule, $P{R}_{21}$, $P{R}_{22}$, ${\mathcal{S}}_5$, and ${\mathcal{S}}_6$, we can obtain the following goals:

$$P{R}_{23}:U_i|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{1}\mathbf{)}$$

$$P{R}_{24}:G{W}_j|\equiv G{W}_j\stackrel{SK}{\leftrightarrow }{U}_i\hspace{1em}\mathbf{(}\mathbf{Goal}\mathbf{3}\mathbf{)}.$$

7.2. RoR Model

To prove the security of the session key, we utilized a formal proof named the “real-or-random” (ROR) model [30]. Firstly, we define the participants, adversary, and queries. In the proposed scheme, there are three entities that perform the authentication phase to establish the session key. These entities are instantiated as participants and applied to the ROR model: $E{P}_{US}^i$, $E{P}_{GW}^j$, $E{P}_{SN}^k$. Note that i, j, and k are the instances of the user, gateway, and sensor node, respectively. Next, we define the adversary of the ROR model. The adversary can fully control the whole network, including modifying, deleting, hijacking, and intercepting messages. Moreover, we introduce queries that are utilized to reveal the session key security of the scheme. The details are as follows:

• $Exe(E{P}_{US}^i,E{P}_{GW}^j,E{P}_{SN}^k)$: This is a passive attack, where the adversary obtain messages exchanged through public channels.
• $CorrD\left(E{P}_{US}^i\right)$: The $CorrD$ query is an active attack. The adversary obtains secret parameters that are stored in the smart card of $E{P}_{US}^i$ using power analysis attack.
• $Snd\left(EP\right)$: When the adversary uses the $Snd$ query, the adversary transfers messages to $E{P}_{US}^i$, $E{P}_{GW}^j$, and $E{P}_{SN}^k$. Moreover, the adversary receives return messages from the participants.
• $Test\left(EP\right)$: An unbiased coin c is tossed, and the adversary obtains the result of this query. If the result value of c is 0, the session key is not fresh. If the result value of c is 1, we can demonstrate that the session key is fresh and secure. Otherwise, a null value $(\perp )$ is obtained.

Security Proof

Theorem 1. 

We define the adversary and possibility of breaking the session key security as $\mathcal{M}$ and ${\mathcal{A}}_M\left(BP\right)$, respectively. In the ROR model, $\mathcal{M}$ tries to guess $SK=h\left(C_1\right|\left|R_g\right|\left|R_s\right)$ in polynomial time. To do this, we give a definition of hash and puf as the range space of the hash function and PUF, respectively. Moreover, $q_{hash}$, $q_{puf}$, and $q_{snd}$ are the number of $hash$, $puf$, and $Snd$ queries, respectively. We define $C^{\prime }$ and $s^{\prime }$ as Zipf’s parameter [31], and the number of bits in the biometrics is $BIO$.

$${\mathcal{A}}_M\left(BP\right)\le \frac{q_{hash}^2}{\left|hash\right|}+\frac{q_{puf}^2}{\left|puf\right|}+2max\{C^{\prime }{q}_{snd}^{s^{\prime }},\frac{q_{snd}}{2^{BIO}}\}$$

Proof. 

In the proposed scheme, the ROR security proof consists of five games $G_n$$(0\le n\le 4)$. $\mathcal{M}$ tries to compute the session key $SK$ in each game $G_k$, and we define this winning possibility as $W{N}_{G_k}$. Our ROR security proof is performed according to the method of [32,33,34]:

$G_0$: 

$\mathcal{M}$ begins the real attack. Thus, $\mathcal{M}$ picks a random bit c. Therefore, we obtain Equation (1) as follows.

$${\mathcal{A}}_M\left(BP\right)=|2\mathcal{M}\left[W{N}_{G_0}\right]-1|.$$

(1)

$G_1$: 

As we mentioned before, $\mathcal{M}$ can obtain all of the messages in the proposed scheme using the query $Exe$. Thus, $M_1$, $M_2$, $M_3$, and $M_4$ can be intercepted and $\mathcal{M}$ executes the $Test$ query as Equation (2). The session key $SK$ is composed of $C_1=R_u\oplus HI{D}_i$, $R_g$, and $R_s$. Thus, $\mathcal{M}$ must know all of the random nonces and the secret parameter of $US$. This means that $\mathcal{M}$ cannot calculate $SK$.

$$|\mathcal{M}\left[W{N}_{G_1}\right]|=|\mathcal{M}\left[W{N}_{G_0}\right]|.$$

(2)

$G_2$: 

In this game, the $hash$ and $Snd$ queries are utilized. However, we used the “cryptographic hash function”, which can overcome the hash collision problem in the proposed scheme. Thus, $\mathcal{M}$ has no advantage using the $hash$ and $Snd$ queries. We show the following inequation (3) by applying the birthday paradox [35].

$$|\mathcal{M}\left[W{N}_{G_2}\right]-\mathcal{M}\left[W{N}_{G_1}\right]|\le \frac{q_{hash}^2}{\left|hash\right|.}$$

(3)

$G_3$: 

In $G_3$, $\mathcal{M}$ attempts to break the session key security using the $puf$ query. However, it is impossible to guess or compute the PUF function according to Section 3.3. Therefore, we obtain the following Equation (4).

$$|\mathcal{M}\left[W{N}_{G_3}\right]-\mathcal{M}\left[W{N}_{G_2}\right]|\le \frac{q_{puf}^2}{\left|puf\right|.}$$

(4)

$G_4$: 

In the final game $G_4$, $\mathcal{M}$ utilizes the $CorrD$ query and obtains secret parameters $\{A_2,A_3,$$Gen(.),Rep(.),{\tau }_i,E{R}_i,CI{D}_i\}$ from the smart card. In the proposed scheme, all of the parameters are masked in the user’s identity, password, and biometrics. To calculate $SK$ using the secret parameters, $\mathcal{M}$ must guess $U_i$, $P{W}_i$, and $BI{O}_i$ at the same time. Since guessing them in polynomial time is obviously impossible, $\mathcal{M}$ cannot derive $SK$. We apply Zipf’s law and obtain the following Equation (5).

$$|\mathcal{M}\left[W{N}_{G_4}\right]-\mathcal{M}\left[W{N}_{G_2}\right]|\le max\{C^{\prime }{q}_{snd}^{s^{\prime }},\frac{q_{snd}}{2^{BIO}}\}$$

(5)

After that, $\mathcal{M}$ obtains the result bits b. Moreover, we can set up the following Equation (6).

$$\mathcal{M}\left[W{N}_{G_4}\right]=\frac{1}{2}$$

(6)

Using (1) and (2), Equation (7) can be calculated.

$$\frac{1}{2}{\mathcal{A}}_M\left(BP\right)=|\mathcal{M}\left[W{N}_{G_0}\right]-\frac{1}{2}|=|\mathcal{M}\left[W{N}_{G_1}\right]-\frac{1}{2}|$$

(7)

From (6) and (7), Equation (8) can be calculated.

$$\frac{1}{2}{\mathcal{A}}_M\left(BP\right)=|\mathcal{M}\left[W{N}_{G_1}\right]-\mathcal{M}\left[W{N}_{G_4}\right]|$$

(8)

Using the triangular inequality, we can obtain the following Equation (9).

$$\begin{gathered} \frac{1}{2}{\mathcal{A}}_M\left(BP\right)=|\mathcal{M}\left[W{N}_{G_1}\right]-\mathcal{M}\left[W{N}_{G_4}\right]| \\ \le |\mathcal{M}\left[W{N}_{G_1}\right]-\mathcal{M}\left[W{N}_{G_3}\right]| \\ +|\mathcal{M}\left[W{N}_{G_3}\right]-\mathcal{M}\left[W{N}_{G_4}\right]| \\ \le |\mathcal{M}\left[W{N}_{G_1}\right]-\mathcal{M}\left[W{N}_{G_2}\right]| \\ +|\mathcal{M}\left[W{N}_{G_2}\right]-\mathcal{M}\left[W{N}_{G_3}\right]| \\ +|\mathcal{M}\left[W{N}_{G_3}\right]-\mathcal{M}\left[W{N}_{G_4}\right]| \end{gathered}$$

(9)

$$\le \frac{q_{hash}^2}{2\left|hash\right|}+\frac{q_{puf}^2}{2\left|puf\right|}+max\{C^{\prime }{q}_{snd}^{s^{\prime }},\frac{q_{snd}}{2^{BIO}}\}$$

(10)

We obtain the resulting inequation by multiplying (10) by two.

$${\mathcal{A}}_M\left(BP\right)\le \frac{q_{hash}^2}{\left|hash\right|}+\frac{q_{puf}^2}{\left|puf\right|}+2max\{C^{\prime }{q}_{snd}^{s^{\prime }},\frac{q_{snd}}{2^{BIO}}\}.$$

Thus, we prove the Theorem. □

7.3. AVISPA Simulation

In this section, we utilize the AVISPA simulation tool [36,37] to verify the resistance against the replay and man-in-the-middle attacks of the proposed scheme. The AVISPA simulation tool verifies the authentication scheme through a code called “High-Level scheme Specification Language (HLPSL)” on the Linux OS. Afterwards, the HLPSL code is converted to “Intermediate Format (IF)” to perform security verification on the four backends (“On-the-Fly Model Checker (OFMC)”, “Three Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP)”, “SAT-based Model Checker (SATMC)”, and “Constraint Logic-based Attack Searcher (CL-AtSe)”). In this paper, we used the CL-AtSe and OFMC backends because these backends can support the XOR operator. Finally, the result window, i.e., “Output Format (OF)”, is shown, and we can demonstrate that the proposed scheme can resist the replay and man-in-the-middle attacks if the OF summarizes the verification as “SAFE”. We show the three basic roles of the proposed scheme: user $UI$, gateway $GWJ$, and sensor node $SNK$. The session, environment, and goals are shown in Figure 9. We also show the role of $UI$ in Figure 10.

In State 1, $UI$ receives the start message and computes $HI{D}_i$ and $HP{W}_i$. Then, $UI$ sends $\left\{HI{D}_i\right\}$ to $GWJ$. $GWJ$ registers $UI$ and returns $\{A_0,R_1,CI{D}_i\}$ through a secure channel. State 2 is the login and authentication phase, for which $UI$ generates $R_u$, $T_1$ and computes the authentication request message $\{SI{D}_k,CI{D}_i,B_1,B_2,T_1\}$ to $GWJ$. At the same time, $UI$ generates function $witness(UI,GWJ,u{i}_g{w}_{r}u,R{u}^{\prime })$ and $witness(UI,SNK,$$u{i}_s{n}_{r}u,R{u}^{\prime })$, which means the proof of random nonce $R_u$’s freshness. Finally, $UI$ receives $\{B_8,B_9,T_4\}$ and computes the session key $SK=h\left(C_1\right|\left|R_g\right|\left|R_s\right)$. We verified the proposed scheme in the CL-AtSe and OFMC backends, and the result window is shown in Figure 11. Therefore, the proposed scheme can resist the replay and man-in-the-middle attacks.

7.4. Informal Analysis

In this section, we demonstrate the security features of our proposed scheme, including those that resist against privileged insider, insider, physical, cloning, verification table leakage, impersonation, session key disclosure, ephemeral secret leakage, replay, man-in-the-middle, stolen mobile device, offline password guessing, and denial-of-service attacks. Moreover, the proposed scheme can provide user anonymity and perfect forward secrecy.

7.4.1. User Anonymity

In our scheme, $\mathcal{A}$ cannot obtain the legitimate $U_i^{\prime }s$ identity $I{D}_i$, and even $\mathcal{A}$ extracts values $\{A_2$, $A_3$, $Gen(.)$, $Rep(.)$, ${\tau }_i$, $E{R}_i$, $CI{D}_i\}$ inside $U_i^{\prime }s$ mobile device. $I{D}_i$ is masked by a hash function with $U_i^{\prime }s$ biometric information or $P{W}_i$ such that $HI{D}_i=h(I{D}_i\left|\right|{\sigma }_i)$, $A_3=h(I{D}_i\left|\right|HP{W}_i)$, and $E{R}_i=h(I{D}_i\left|\right|P{W}_i)\oplus R_1$.

7.4.2. Privileged Insider Attack

We can assume privileged insider $\mathcal{A}$ obtains the registration request message $\left\{HI{D}_i\right\}$ of the medical professional. Furthermore, $\mathcal{A}$ can extract the parameters $\{A_2$, $A_3$, $Gen(.)$, $Rep(.)$, ${\tau }_i$, $E{R}_i$, $CI{D}_i\}$ from the stolen mobile device of the medical professional using power analysis attack. $\mathcal{A}$ can also intercept transmitted messages such as $M_1$ and $M4$ on a public channel. After that, $\mathcal{A}$ attempts to impersonate a medical professional. To calculate authentication message $M_1\{SI{D}_k,CI{D}_i,B_1,B_2,T_1\}$, $\mathcal{A}$ must compute parameters $R_1$ and $A_0$. However, $\mathcal{A}$ cannot compute $R_1=E{R}_i\oplus h(I{D}_i\left|\right|P{W}_i)$ and $A_0=A_2\oplus R_1\oplus {\sigma }_i$ because $\mathcal{A}$ cannot generate the $I{D}_i,P{W}_i$ and biometric information $BI{O}_i$ of $U_i$. Therefore, it is difficult for $\mathcal{A}$ to calculate the authentication message $M_1$ to impersonate a medical professional. $\mathcal{A}$ can also attempt to compute $S{K}_u=h(C_1\left|\right|R_g\left|\right|R_s)$. However, $\mathcal{A}$ cannot generate a session key of $U_i$$S{K}_u$. $\mathcal{A}$ cannot calculate $(R_g\left|\right|R_s)=B_8\oplus R_u$ and $R_u=B1\oplus R_1$. In conclusion, the proposed scheme can resist the privileged insider attack.

7.4.3. Insider Attack

Suppose that $U_i$ registers with $G{W}_j$ as a legal user and intercepts the transmitted messages such as $M_2$, $M_3$, and $M_4$. However, $U_i$ cannot calculate important parameters such as the symmetric key $S{G}_k$ shared by $G{W}_j$ and $S{N}_k$. Thus, $U_i$ cannot attempt various attacks, including the impersonate and session key disclosure attacks. As as result, our scheme can prevent the insider attack.

7.4.4. Physical Cloning Attack

Assume that an adversary $\mathcal{A}$ physically captures a sensor node $S{N}_k$ and attempts to authenticate with $G{W}_j$ by disguising it as $S{N}_k$. $\mathcal{A}$ physically clones $S{N}_k$ to obtain a values $\{RS{G}_k,C{H}_1\}$ in the memory of $S{N}_k$ and intercepts authentication request messages $M_2$ on the public channel. Then, $\mathcal{A}$ attempts to generate authenticate message $M_3\{B_6,B_7,T_3\}$. However, $\mathcal{A}$ cannot generate a message $M_3$ because he/she cannot calculate the parameter $R{E}_1$ necessary to generate message $M_3$. $\mathcal{A}$ can replicate the same $C{H}_1$ from $S{N}_k$, but cannot generate the same $R{E}_1$. The PUF circuit cannot be forged. Thus, our scheme can withstand the physical cloning attack.

7.4.5. Verification Table Leakage Attack

Suppose that $\mathcal{A}$ intercepts $\{CI{D}_i,HI{D}_i,E{R}_j,A_1,SI{D}_k,$$C{H}_1\}$ in $G{W}_j^{\prime }s$ verification table of $G{W}_j$. Then, $\mathcal{A}$ eavesdrops the transmitted messages such as $M_1,M_2,M_3$ and intercepts message $M_4$ via an insecure channel. After that, $\mathcal{A}$ attempts to compute authentication request messages $M_2$ or $S{K}_g=h(C_1\left|\right|R_g\left|\right|R_s)$. However, $\mathcal{A}$ cannot calculate $S{G}_k=h(SI{D}_k\left|\right|G_j)$, which is essential for generating $M_2$ and $S{K}_g$, because $G{W}_j^{\prime }s$ secret key $G_j$ is unknown. Therefore, $\mathcal{A}$ cannot generate both $M_2$ and $S{K}_G$. As a result, our scheme can protect against verification table leakage attack.

7.4.6. Impersonation Attack

(1)

User impersonation attack: For this attack, suppose an adversary $\mathcal{A}$ attempts to impersonate $U_i$. $\mathcal{A}$ must generate a valid authentication request message $M_1\{SI{D}_k,CI{D}_i,B_1,B_2,T_1\}$. $\mathcal{A}$ can extract $CI{D}_i$ from $U_i^{\prime }s$ mobile device and intercept message $M_1\{SI{D}_k,CI{D}_i,B_1,B_2,T_1\}$ through a public channel, but cannot calculate the remaining values $\{B_1,B_2\}$ because $U_i^{\prime }s$$I{D}_i$, $P{W}_i$, and $BI{O}_i$ are essential for calculating the remaining values $\{B_1,B_2\}$. Therefore, the proposed scheme is resilient against the user impersonation attack.

(2)

Gateway impersonation attack: Suppose malicious adversary $\mathcal{A}$ tries to impersonate $G{W}_j$ and sends a authentication request message $M_2\{B_3,B_4,B_5,T_2\}$ to $S{N}_k$. To do this, $\mathcal{A}$ eavesdrops the transmitted messages $M_1$ and $M_2$. However, without having credentials $S{G}_k,C_1,HI{D}_i,C{H}_1$, it is an impossible task for $\mathcal{A}$ to compute $M_2\{B_3,B_4,B_5,T_2\}$. Hence, the proposed scheme provides protection against the gateway impersonation attack.

(3)

Sensor node impersonation attack: A malicious adversary $\mathcal{A}$ can try to impersonate $S{N}_k$. To do this, $\mathcal{A}$ intercepts transmitted messages $M_2$ and $M_3$ via an insecure channel and calculates the key agreement message $M_3\{B_6,B_7,T_3\}$. However, since $PUF(.)$ is a physically unclonable circuit, $\mathcal{A}$ cannot calculate $R{E}_1=PUF\left(C{H}_1\right)$ and $S{G}_k=RS{G}_k\oplus SI{D}_k\oplus R{E}_1$. Therefore, $\mathcal{A}$ cannot generate message $M_3\{B_6,B_7,T_3\}$. Thus, the proposed scheme prevents the sensor node impersonation attacks.

7.4.7. Session Key Disclosure Attack

If $\mathcal{A}$ tries to calculate a legitimate session key $SK=h\left(C_1\right|\left|R_g\right|\left|R_s\right)$, the adversary must obtain $HI{D}_i,R_u,R_g,R_s$. However, $\mathcal{A}$ cannot obtain these values. $R_u$, $R_g$, and $R_s$ are temporary random nonces used in a session, and $HI{D}_i$ is masked as the legitimate $U_i^{\prime }s$ biometric information $BI{O}_i$. Hence, the proposed scheme provides protection against the session key disclosure attacks.

7.4.8. Perfect Forward Secrecy

$\mathcal{A}$ obtains long-term secret keys $\{S{G}_k,G_j\}$ and intercepts transmitted message $\{M_1,M_2,M_3,M_4\}$ through a public channel. After that, $\mathcal{A}$ attempts to generate $M_4$ to impersonate $G{W}_j$ or calculate $S{K}_g=h(C_1\left|\right|R_g\left|\right|R_s)$ to exploit the session key. However, $\mathcal{A}$ cannot compute the parameters $C_1$ without $U_i^{\prime }s$ identity $HI{D}_i$ and random nonce $R_u$. For these reasons, our scheme provides perfect forward secrecy.

7.4.9. Ephemeral Secret Leakage Attack

$\mathcal{A}$ obtains random numbers $\{R_u,R_g,R_s,R_0,R_1,R_2\}$. After that, $\mathcal{A}$ attempts to compute the session key $S{K}_G=h(C_1\left|\right|R_g\left|\right|R_s)$. Unfortunately, $\mathcal{A}$ cannot generate session key $SK$ because $\mathcal{A}$ cannot calculate $C_1=R_u\oplus HI{D}_i$, which is essential for generating a session key $SK$. Thus, the proposed scheme can prevent the ESL attacks.

7.4.10. Replay and Man-in-the-Middle Attack

We assume that $\mathcal{A}$ eavesdrop transmitted message $\{M_1,M_2,M_3,M_4\}$ through a public channel. However, $\mathcal{A}$ cannot impersonate $U_i$, $G{W}_j$, and $S{N}_k$ by sending a message again. Because timestamps and random numbers such as $\{T_1,T_2,T_3,R_u,$$R_g,R_s\}$ are essential to generate a message, and the transmitted message is verified by $\{T_1,T_2,T_3,R_u,R_g,R_s\}$. Therefore, our scheme can prevent replay and man-in-the-middle attack.

7.4.11. Stolen Mobile Device Attack

Suppose that $\mathcal{A}$ succeeds in extracting stored values $\{A_2,A_3,Gen(.),Rep(.),{\tau }_i,E{R}_i,$$CI{D}_i\}$ from $U_i^{\prime }s$ stolen mobile device. However, $\mathcal{A}$ cannot compute any meaningful value from $U_i$. The values stored in the mobile device are masked with $I{D}_i$, $P{W}_i$, and $BI{O}_i$ such as $A_2=A_0\oplus R_1\oplus {\sigma }_i$, $A_3=h(I{D}_i\left|\right|HP{W}_i)$, $E{R}_i=h(I{D}_i\left|\right|P{W}_i)\oplus R_1$. Therefore, $\mathcal{A}$ cannot attempt any attack. Thus, our scheme can resist the stolen mobile device attacks.

7.4.12. Offline Password Guessing Attack

$\mathcal{A}$ obtains $U_i^{\prime }s$ mobile device and extracts parameters $\{A_2,A_3,Gen(.),Rep(.),{\tau }_i,E{R}_i,$$CI{D}_i\}$ using the power analysis attack. After that, $\mathcal{A}$ tries to guess the password of $U_i$ using the extracted parameters. However, $\mathcal{A}$ cannot guess the $U_i^{\prime }s$ password $P{W}_i$ because the password is masked by the $U_i^{\prime }s$$I{D}_i$, $BI{O}_i$, or random nonce $R_1$ such as $HP{W}_i=h(P{W}_i\left|\right|{\sigma }_i)$, $A_3=h(I{D}_i\left|\right|HP{W}_i)$, and $E{R}_i=h(I{D}_i\left|\right|P{W}_i)\oplus R_1$. Therefore, the proposed scheme is secure against the offline password guessing attacks.

7.4.13. Denial-of-Service

Assume that malicious $\mathcal{A}$ attempts to send $M_1\{SI{D}_k,CI{D}_i,$$B_1,B_2,T_1\}$ to $G{W}_j$ as a replay message. To do this, $\mathcal{A}$ must verify the value of $A_3=h(I{D}_i\left|\right|HP{W}_i)$ and pass the login phase. However, $\mathcal{A}$ cannot calculate a valid $A_3$ because $\mathcal{A}$ cannot obtain $I{D}_i$ and $HP{W}_i$. Therefore, $\mathcal{A}$ cannot transmit a replay message $M_1$ to $G{W}_j$. Thus, the proposed scheme is secure against the denial-of-service attacks.

7.4.14. Untraceability

Suppose a malicious $\mathcal{A}$ obtains $U_i^{\prime }s$ pseudoidentity $CI{D}_i$. However, $\mathcal{A}$ cannot attempt any attack with the obtained $CI{D}_i$. Every session, $G{W}_j$ updates the $CI{D}_i$ stored with a $CI{D}_i^{new}$ using random nonce $R_u$ after verifying that it is a legitimate user through $A_1\stackrel{?}{=}{A}_1^{*}$ verification. For this reason, the proposed scheme ensures untraceability.

7.4.15. Mutual Authentication

To ensure mutual authentication, our scheme verifies that each entity is justified by $A_1\stackrel{?}{=}{A}_1^{*}$, $B_5\stackrel{?}{=}{B}_5^{*}$, $B_7\stackrel{?}{=}{B}_7^{*}$, and $B_9\stackrel{?}{=}{B}_9^{*}$. Moreover, all entities have verified freshness of messages through random values $R_u$, $R_g$, and $R_s$ generated by each entity. When the verification processes are passed, the entities are authenticated with each other. Therefore, our scheme achieves mutual authentication.

8. Performance

In this section, we evaluate the security features, communication costs, and computational costs of our scheme compared with the related schemes [11,38,39,40,41].

8.1. Security Features Comparison

We compared the performance of the proposed scheme with the related existing schemes [11,38,39,40,41]. As shown in

Table 4. Security and functionality features’ comparison with related schemes.

Security Properties	[38]	[39]	[40]	[41]	[11]	Proposed
$SP1$	×	✔	✔	×	×	✔
$SP2$	×	✔	×	×	×	✔
$SP3$	✔	✔	✔	×	✔	✔
$SP4$	✔	✔	✔	×	✔	✔
$SP5$	✔	✔	✔	✔	✔	✔
$SP6$	×	✔	✔	✔	×	✔
$SP7$	×	✔	✔	✔	×	✔
$SP8$	✔	✔	✔	✔	✔	✔
$SP9$	✔	×	×	✔	✔	✔
$SP10$	✔	✔	✔	✔	✔	✔
$SP11$	✔	✔	×	✔	✔	✔
$SP12$	✔	✔	×	×	×	✔
$SP13$	×	×	✔	×	×	✔
$SP14$	×	✔	✔	✔	✔	✔
$SP15$	×	✔	✔	×	×	✔
$SP16$	×	✔	✔	✔	✔	✔
$SP17$	✔	✔	✔	×	×	✔

Note: SP1: user anonymity; SP2: privileged insider attack; SP3: offline password guessing attack; SP4: stolen mobile device attack; SP5: denial-of-service attack; SP6: replay attack; SP7: man-in-the-middle attack; SP8: mutual authentication; SP9: session key security; SP10: known session specific temporary information attack; SP11: untraceability property; SP12: server-independent password update phase; SP13: physical cloning attack; SP14: perfect forward secrecy; SP15: impersonation attack; SP16: session-specific random number leakage attack; SP17: stolen verifier attack; ✔: provides or supports the security/functionality feature. ×: does not provide or support the security/functionality feature.

, we considered various security functionalities and attacks, including “user anonymity”, “privileged-insider attack”, “offline password guessing attack”, “stolen mobile device attack”, “denial-of-service attack”, “replay attack”, “man-in-the-middle attack”, “mutual authentication”, “session key security”, “known session specific temporary information attack”, “untraceability property”, “server-independent password update phase”, “physical cloning attack”, “perfect forward secrecy”, “impersonation attack”, “session-specific random number leakage attack”, and “stolen verifier attack”. Therefore, our scheme offers functional features and security in comparison with the related schemes [11,38,39,40,41].

8.2. Communication Cost Comparison

In this section, we demonstrate the comparison analysis for the communication cost of the proposed scheme with related existing schemes [11,38,39,40,41]. According to [42], we define that the bit lengths for the SHA-256 hash output, random number, identity, password, PUF challenge–response, timestamp, and ECC point are 256, 256, 128, 128, 128, 32, and 320 bits, respectively. Therefore, the communication costs of the proposed scheme can be described as below:

• Message 1: The message $M_1=\{SI{D}_k,CI{D}_i,B_1,B_2,$$T_1\}$ needs (128 + 256 + 256 + 256 + 32) = 928 bits;
• Message 2: The message $M_2=\{B_3,B_4,B_5,T_2\}$ requires (256 + 256 + 256 + 32) = 800 bits;
• Message 3: The message $M_3=\{B_6,B_7,T_3\}$ requires (256 + 256 + 32) = 544 bits;
• Message 4: The message $M_4=\{B_8,B_9,T_4\}$ needs (256 + 256 + 32) = 544 bits.

Therefore, the total communication cost of our scheme is 928 + 800 + 544 + 544 = 2816 bits. We show the total communication cost of our scheme and other related scheme [11,38,39,40,41] in

Table 5. Comparison of communication costs required for AKA.

Schemes	Communication Costs	Messages
Li et al. [38]	3584 bits	4 messages
Shin et al. [39]	4480 bits	4 messages
Rangwani et al. [40]	2816 bits	4 messages
Masud et al. [41]	3200 bits	4 messages
Chen et al. [11]	3072 bits	4 messages
Proposed	2816 bits	4 messages

. As a result, Figure 12 illustrates that our scheme has more efficient communication costs than other related schemes.

8.3. Computational Cost Comparison

We evaluated the computational costs of our scheme. According to [24], we determined the comparative analysis for the computational cost of the proposed scheme with [11,38,39,40,41] in the AKA phase. According to [24], we define $T_H$, $T_{RNG}$, $T_{EM}$, $T_{EA}$, $T_F$, and $T_{PUF}$ as the hash function (≈0.00023 ms), random number generation (≈0.0539 ms), ECC multiplication (≈0.2226 ms), ECC addition (≈0.00288 ms), fuzzy extractor (≈0.268 ms), and PUF operation time (≈0.012 ms), respectively. Additional, we did not consider the execution time of Exclusive-OR (⊕) operations because it is computationally negligible.

Table 6. Computational costs of each related scheme.

Scheme	User	Gateway	Sensor Node	Total	Total Cost (s)
Li et al. [38]	$1T_{RNG}+9T_H+3T_{EM}$	$1T_{RNG}+8T_H+1T_{EM}$	$1T_{RNG}+4T_H+2T_{EM}$	$3T_{RNG}+21T_H+6T_{EM}$	≈1.5021 ms
Shin et al. [39]	$1T_{RNG}+1T_F+14T_H+2T_{EM}$	$12T_H+1T_{EM}$	$1T_{RNG}+5T_H+1T_{EM}$	$2T_{RNG}+1T_F+31T_H+4T_{EM}$	≈1.232 ms
Rangwani et al. [40]	$5T_H+2T_{EM}+3T_{EA}$	$4T_H+2T_{EM}+3T_{EA}$	$8T_H+2T_{EM}+4T_{EA}$	$17T_H+6T_{EM}+10T_{EA}$	≈1.36831 ms
Masud et al. [41]	$1T_{RNG}+3T_H$	$4T_{RNG}+3T_H$	$2T_{RNG}+2T_H$	$7T_{RNG}+8T_H$	≈0.379 ms
Chen et al. [11]	$9T_H$	$7T_H+2T_{ENC}$	$7T_H$	$23T_H+2T_{ENC}$	≈0.739 ms
Proposed	$5T_H+1T_{RNG}+1T_F$	$9T_H+1T_{RNG}$	$5T_H+1T_{RNG}+1T_{PUF}$	$19T_H+3T_{RNG}+1T_F+1T_{PUF}$	≈0.44607 ms

shows the detail.

The total computational costs of our scheme was estimated to be lower than other related schemes, except Masud et al.’s scheme. However, our scheme uses the fuzzy extractor and PUF to outperform Masud et al.’s scheme. Figure 13 shows that the computational cost (delay) increases with increasing numbers of users.

9. Conclusions

In this paper, we reviewed Chen et al.’s scheme and demonstrated that it is vulnerable to several attacks, such as privileged insider attacks, physical cloning attacks, verification leakage attacks, impersonation attacks, and session key disclosure attacks. Therefore, it is hard for Chen et al.’s scheme to be applied to WBANs properly, and a secure user authentication scheme should be presented for wireless medical environments. To enhance the security level of Chen et al.’s scheme, we proposed a secure three-factor mutual authentication and key agreement scheme using a secure PUF in the WBAN environment. Our scheme is lightweight because it uses only hash functions and Exclusive-OR operators and a fuzzy extractor to provide a secure login process. Moreover, our scheme resists physical cloning attacks using the PUF. The proposed scheme guarantees mutual authentication through BAN logic and utilizes the RoR model by which the session key is secured. Using the AVISPA simulation tool, we also demonstrated that our proposed scheme could withstand the replay and man-in-the-middle attacks. Moreover, we performed an informal security analysis to show that our proposed scheme provides protection against diverse hazards and attacks, including privileged insiders, physical cloning, verification table leakage, impersonation, session key disclosure, ephemeral secret leakage, replay, man-in-the-middle, stolen mobile device, offline password guessing, and denial-of-service attacks. We also proved that our scheme provides user anonymity, mutual authentication, and perfect forward secrecy. Finally, we compared the communication and computational costs of our scheme with those of related schemes after estimation. Based on the results, our scheme provides a lower communication cost and a higher security level compared to related existing schemes. Accordingly, we expect that our proposed scheme is to provide secure medical environments and to increase the use of the various healthcare applications.