*Article* **Provably Secure PUF-Based Lightweight Mutual Authentication Scheme for Wireless Body Area Networks**

**SangCheol Lee 1, SuHwan Kim 1, SungJin Yu 2, NamSu Jho <sup>2</sup> and YoHan Park 1,\***


**Abstract:** Wireless body area networks (WBANs) are used in modern medical service environments for the convenience of patients and medical professionals. Owing to the recent COVID-19 pandemic and an aging society, WBANs are attracting attention. In a WBAN environment, the patient has a sensor node attached to him/her that collects patient status information, such as blood pressure, blood glucose, and pulse; this information is simultaneously transmitted to his/her respective medical professional through a gateway. The medical professional receives and checks the patient's status information and provides a diagnosis. However, sensitive information, including the patient's personal and status data, is transmitted via a public channel, causing security concerns. If an adversary intercepts this information, it could threaten the patient's well-being. Therefore, a secure authentication scheme is essential for WBAN environments. Recently, Chen et al. proposed a two-factor authentication scheme for WBANs. However, we found that Chen et al.'s scheme is vulnerable to privileged insider, physical cloning, verification leakage, impersonation, and session key disclosure attacks. We therefore propose a secure physical-unclonable-function (PUF)-based lightweight mutual authentication scheme for WBANs. Through informal security analysis, we demonstrate that the proposed scheme using biometrics and the PUF is safe against various security attacks. In addition, we verify the security features of our scheme through formal security analyses using Burrows–Abadi–Needham (BAN) logic, the real-or-random (RoR) model, and the Automated Validation of Internet Security Protocols and Applications (AVISPA). Furthermore, we evaluate the security features, communication costs, and computational costs of our proposed scheme and compare them with those of other related schemes. Consequently, our scheme is more suitable for WBAN environments than the other related schemes.

**Keywords:** wireless body area networks; authentication; biometric; physical unclonable function; BAN logic; RoR model; AVISPA

### **1. Introduction**

Recently, with the increasing number of elderly people in society, the demand for medical services is increasing, owing to the health problems of the aging society [1]. In addition, the emergence and spread of infectious diseases such as COVID-19 has accelerated this demand [2]. Therefore, solving the problem of meeting the supply and demand for healthcare has emerged as a challenge for governments in various countries. Many attempts have been made to use wireless sensor networks (WSNs) to address this problem. Because of sensor miniaturization and improved wireless communication technology, WSNs are widely used in various environments, such as the Industrial Internet of Things [3], smart homes [4], and healthcare [5]. A method was thus proposed that comprises a wireless body area network (WBAN) that incorporates WSNs into the medical field [6]. The WBAN framework includes medical professionals, gateways, and sensor nodes. Through a gateway, a medical professional receives information concerning a patient's condition from sensors attached to the patient or elderly person's body [7]. Medical services that use WBANs are more efficient for both medical professionals and patients. Using them, medical professionals can conveniently treat more patients than before, and patients can receive treatment regardless of location. This approach also limited the spread of infectious diseases by reducing contact between medical professionals and patients during the COVID-19 pandemic. Therefore, research on WBANs has been conducted continuously.

**Citation:** Lee, S.; Kim, S.; Yu, S.; Jho, N.; Park, Y. Provably Secure PUF-Based Lightweight Mutual Authentication Scheme for Wireless Body Area Networks. *Electronics* **2022**, *11*, 3868. https://doi.org/10.3390/electronics11233868

Academic Editor: Raed A. Abd-Alhameed

Received: 15 October 2022; Accepted: 18 November 2022; Published: 23 November 2022

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

In a WBAN, sensitive information, such as patient status and personal information, is transmitted to medical professionals using insecure channels. Thus, an adversary could steal information from these public channels and attempt security breaches, including replay, impersonation, and man-in-the-middle (MITM) attacks [8]. In addition, a medical professional's mobile device could be stolen, and an adversary could attempt to impersonate the rightful owner using the parameters extracted from the device through power analysis attacks. Furthermore, an adversary could physically capture the sensor node, extract the secret parameters, and impersonate it. If a malicious adversary succeeds in any of the aforementioned attacks and gains sensitive patient information, this may have a significant adverse effect on the patient, such as a misdiagnosis [9]. Therefore, the security of authentication schemes for WBANs is directly related to the well-being of the patient [10].

In 2021, Chen et al. [11] proposed a two-factor authentication scheme for WBANs that builds on related existing schemes. They asserted that their scheme, which uses only a hash function, is lightweight, heterogeneous, and allows joint operations to prevent various security threats, such as sensor node capture, privileged insider, and stolen verifier attacks. However, we demonstrate that Chen et al.'s scheme cannot resist physical cloning, privileged insider, verification table leakage, impersonation, and session key disclosure attacks. To overcome the security issues in Chen et al.'s scheme, we designed a secure physical-unclonable-function (PUF)-based three-factor mutual authentication scheme, which we combine with a fuzzy extractor [12] to increase security.

### *1.1. Research Contributions*

The contributions of this paper are as follows:


### *1.2. Organization*

In Section 2, we introduce related works for WMSNs. We describe the system model, adversary model, PUF, and fuzzy extractor in Section 3. We provide a review of Chen et al.'s scheme and cryptanalysis of their scheme in Sections 4 and 5. Then, we propose the secure authentication scheme on WBANs in Section 6. The security and performance analyses of our scheme are shown in Sections 7 and 8. Lastly, we present the paper's conclusion in Section 9.

### **2. Related Works**

Various authentication schemes have been proposed for wireless medical sensor networks (WMSNs). Kumar et al. [13] (2012) presented an authentication scheme for healthcare applications using WMSNs. This scheme provides a secure session key establishment between users and medical sensor nodes and allows the users to change their passwords. However, in 2013, He et al. [14] demonstrated that Kumar et al.'s scheme could not withstand attacks such as offline password guessing and privileged insider attacks. In addition, they proved that Kumar et al.'s scheme did not guarantee anonymity. Accordingly, He et al. proposed a more secure scheme and asserted that their scheme is robust against various attacks. Unfortunately, in 2015, Wu et al. [15] demonstrated that He et al.'s scheme was vulnerable to offline password guessing, user impersonation, and sensor node capture attacks. Accordingly, they proposed an authentication scheme using a smart card to store sensitive information from medical professionals, which provides a higher level of security in the WMSN environment. In 2017, Li et al. [16] proposed an anonymous mutual authentication and key agreement scheme for WMSNs using hash operations and XOR operations, which was more efficient than previous related schemes. Unfortunately, in 2020, Gupta et al. [17] demonstrated that Li et al.'s scheme could not prevent intermediate node capture, sensor node impersonation, and hub node impersonation attacks. They also proved that Li et al.'s scheme was vulnerable to linkable sessions and traceability. Therefore, they proposed an authentication scheme in the WBAN environments that overcomes the security vulnerabilities of Li et al.'s scheme. In 2019, Ostad–Sharif et al. [18] proposed an authentication key agreement scheme consisting of three tiers for WBANs. Their scheme ensured anonymity to protect users' sensitive information. However, in 2020, Alzahrani et al. [19] claimed that Ostad et al.'s scheme is vulnerable to brute-force guessing attacks, and it is possible to compute all previous session keys. Subsequently, they presented an anonymous authenticated key exchange scheme with better security and efficiency to demonstrate the known weaknesses of Ostad et al.'s scheme.

Recently, PUF-based authentication schemes have been proposed for various environments to prevent attacks. In 2018, Mahalat et al. [20] proposed a PUF-based scheme that secures WiFi authentication for Internet of Things (IoT) devices and protects them against invasive, semi-invasive, or tampering attacks. In 2019, Zhu et al. [21] proposed a lightweight RFID mutual authentication scheme using a PUF. Their scheme provides secure authentication between the server and a tag. They asserted that their scheme could prevent clone attacks because a PUF cannot be duplicated. In 2021, Mahmood et al. [22] suggested a mutual authentication and key exchange scheme for multiserver-based device-to-device (D2D) communication. The entire process of Mahmood et al.'s scheme uses only XOR operations and hash functions, and PUF is introduced to protect against physical capture attacks. In the same year, Chuang et al. [23] proposed a PUF-based authenticated key exchange scheme for IoT environments. Their scheme did not require verifiers or explicit challenge–response pairs (CRPs). Therefore, IoT nodes can freely authenticate each other and generate a session key without the assistance of any verifier or server. Kwon et al. [24] proposed a three-factor-based mutual authentication and key agreement scheme with a PUF for WMSNs. They proved that their scheme could protect against physical cloning attacks using a PUF.

In 2020, Fotouhi et al. [25] proposed a two-factor authentication scheme for WBANs and asserted that it was safe against sensor node capture attacks. Unfortunately, in 2021, Chen et al. [11] demonstrated that the aforementioned scheme is vulnerable to sensor node attacks and proposed an improved security-enhanced two-factor authentication scheme for WBANs. However, we discovered that their scheme is insecure against privileged insider attacks, physical cloning attacks, verification table leakage attacks, etc. Therefore, we propose a secure PUF-based lightweight mutual authentication scheme for WBANs that resolves these security issues.

### **3. Preliminaries**

This section introduces the general system model, the threat model, and relevant mathematical preliminaries including the PUF and fuzzy extractor, which can improve our scheme's security.

### *3.1. System Model*

Figure 1 shows the general system model of a WBAN, which consists of medical professionals such as doctors and nurses, sensor nodes, and a gateway. The details are as follows:

**Figure 1.** The general system model of WBANs.


### *3.2. Adversary Model*

To analyze the security of the proposed scheme, we applied the widely used Dolev–Yao (DY) adversary model. Under the DY model, a malicious adversary can inject, eavesdrop, modify, or delete messages transmitted using public channels. We also adopted the Canetti and Krawczyk (CK) adversary model to analyze the proposed scheme. The CK model is relatively strong compared with the DY model and is widely used to analyze scheme security. In the CK model, the adversary can intercept a random value and generate the master key of a gateway:


### *3.3. Physical Unclonable Function*

PUFs are physical circuits that behave as a one-way function. The PUF circuit maps an input bit string to an output bit string; the pair is termed the "challenge–response pair". Even if numerous challenges are applied to a PUF circuit, each has a unique output response. In this paper, we express this process as *R* = *PUF*(*C*), where *C* is the challenge and *R* is the corresponding response. The PUF's properties are as follows:


If the same challenge is entered into the PUF circuit of the same device, the same output response is produced. However, if the same challenge is introduced into the PUFs of different devices, different output responses are produced. Thus, the PUF provides a unique one-way function that cannot be replicated. The ability of the PUF to resist replication makes it impossible for adversaries to succeed with various attacks, such as physical cloning attacks.

### *3.4. Fuzzy Extractor*

In this section, the purpose and basic concepts of the fuzzy extractor are discussed. Biometric readings are noisy, so the same biometric does not yield a constant value from one capture to the next. Consequently, before users can utilize their biometrics, the biometric noise must be eliminated, for which we use a fuzzy extractor. The details are given below:
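The following is an added example (not code from the paper) of the two fuzzy-extractor operations the scheme relies on, *Gen*(·) and *Rep*(·): *Gen* turns a biometric reading into a secret *σ* plus public helper data *τ*, and *Rep* recovers the same *σ* from a later, slightly different reading using only *τ*. It uses the code-offset construction with a 5-bit repetition code standing in for the stronger error-correcting codes (e.g. BCH) a real deployment would use; the key length, the error tolerance and the biometric bit strings are constructed for illustration.

```python
import hashlib
import secrets

REPEAT = 5                     # repetition-code rate: 5 biometric bits per key bit (constructed)
KEY_BITS = 16                  # length of the key material hidden in the helper data (constructed)
BIO_BITS = KEY_BITS * REPEAT   # length of one biometric reading in bits
TOLERANCE = REPEAT // 2        # flips tolerated inside each REPEAT-bit group (2 of 5)


def encode(key_bits):
    """Repetition-code encoder: each key bit is repeated REPEAT times."""
    return [b for b in key_bits for _ in range(REPEAT)]


def decode(codeword):
    """Majority-vote decoder; corrects up to TOLERANCE flipped bits per group."""
    groups = (codeword[i:i + REPEAT] for i in range(0, len(codeword), REPEAT))
    return [1 if sum(g) > REPEAT // 2 else 0 for g in groups]


def extract(key_bits):
    """Strong-extractor stand-in: hash the decoded key bits into sigma."""
    return hashlib.sha256(bytes(key_bits)).hexdigest()


def gen(bio):
    """Gen(bio) -> (sigma, tau): sigma is the secret, tau the public helper data."""
    if len(bio) != BIO_BITS:
        raise ValueError("unexpected biometric length")
    key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    tau = [x ^ c for x, c in zip(bio, encode(key_bits))]   # code-offset sketch: bio XOR codeword
    return extract(key_bits), tau


def rep(bio_noisy, tau):
    """Rep(bio', tau) -> sigma, provided bio' is within TOLERANCE flips per group of bio."""
    noisy_codeword = [x ^ t for x, t in zip(bio_noisy, tau)]  # = codeword XOR (bio XOR bio')
    return extract(decode(noisy_codeword))


def flip(bits, positions):
    """Return a copy of `bits` with the given positions inverted (simulated sensor noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    """Enrol a constructed reading, then try a tolerable and an intolerable noisy reading."""
    bio = [secrets.randbits(1) for _ in range(BIO_BITS)]   # constructed enrolment reading
    sigma, tau = gen(bio)
    within = flip(bio, [0, 1, 7, 12, 33])    # at most 2 flips in any 5-bit group
    beyond = flip(bio, [0, 1, 2])            # 3 flips in group 0 exceed the bound
    return sigma == rep(within, tau), sigma == rep(beyond, tau)
```

`demo()` returns `(True, False)`: the first reading reproduces *σ*, the second does not, which is the behaviour the login phase depends on when it recomputes *σi* from a fresh biometric and the stored *τi*.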


### **4. Review of Chen et al.'s Scheme**

In 2021, Chen et al. [11] proposed a two-factor authentication scheme for WBANs. Their scheme consists of sensor node registration, user registration, login, and mutual authentication and key exchange phases. The notations used in Chen et al.'s scheme are presented in Table 1.


**Table 1.** Notations and definitions of Chen et al.'s scheme.

### *4.1. User Registration Phase*

A medical professional such as a doctor or nurse must register with the gateway to use this network system. We describe the user registration phase below:


**Step 3:** *Ui* computes *A*3 = *h*(*IDi*||*HPWi*). Then, *Ui* stores {*A*2, *A*3, *GIDj*, *Gen*(.), *Rep*(.), *τi*}.

### *4.2. Sensor Node Registration Phase*

The sensor node must be registered with the gateway to transmit the health information of the patient. We show the sensor node registration phase of Chen et al.'s scheme as follows:

**Step 1:** *SNk* sends *SIDk* and *Nl* over a secure channel.


### *4.3. Login Phase*

A medical professional must log in to the mobile device to use this network system. The detailed steps are illustrated in Figure 2:


**Figure 2.** Login phase of Chen et al.'s scheme.


### *4.4. Authentication and Key Agreement Phase*

In this phase, the medical professionals and the sensor node conduct a mutual authentication and key agreement phase to authenticate each other and establish a session key. Figure 3 shows the authentication and key agreement phase of Chen et al.'s scheme, and the details are as follows:

```
User Ui                                    Gateway GWj                                  Sensor Node SNk
Selects SIDk, Ru, T1
Computes (R0 ⊕ Gj) = A2 ⊕ h(GIDj||HPWi)
B1 = SIDk ⊕ h(GIDj||HPWi)
B2 = Ru ⊕ h(GIDj||HPWi ⊕ SIDk)
B3 = (R0 ⊕ Gj) ⊕ h(GIDj||Ru)
        M1 = {CIDi, GIDj, B1, B2, B3, T1} −−−−−−−−→
                                           Verifies |T1 − Tc| ≤ ΔT
                                           Gets HPWi, QIDk
                                           Computes SIDk = B1 ⊕ h(GIDj||HPWi)
                                           Ru = B2 ⊕ h(GIDj||HPWi ⊕ SIDk)
                                           (R0 ⊕ Gj) = B3 ⊕ h(GIDj||Ru)
                                           A1* = h(CIDi||GIDj||R0 ⊕ Gj) ⊕ HPWi
                                           Checks A1 ≡ A1*
                                           Selects Rg, T2
                                           SGk = h(SIDk||Gj ⊕ Nl)
                                           B4 = Ru ⊕ HPWi ⊕ SGk
                                           B5 = Rg ⊕ h(SGk||SIDk)
                                           B6 = h(QIDk||B4||B5||SGk||Ru ⊕ HPWi||Rg)
                                                   M2 = {QIDk, B4, B5, B6, T2} −−−−−−−−→
                                                                                        Verifies |T2 − Tc| ≤ ΔT
                                                                                        Gets RSGk based on QIDk
                                                                                        SGk = RSGk ⊕ SIDk
                                                                                        (Ru ⊕ HPWi) = B4 ⊕ SGk
                                                                                        Rg = B5 ⊕ h(SGk||SIDk)
                                                                                        B6* = h(QIDk||B4||B5||SGk||Ru ⊕ HPWi||Rg)
                                                                                        Verifies B6* ≡ B6
                                                                                        Selects Rs, T3
                                                                                        Computes SKs = h(Ru ⊕ HPWi||Rg||Rs)
                                                                                        B7 = h(SGk||Rg) ⊕ Rs
                                                                                        B8 = h(Rg||Rs||SGk||T3)
                                                   ←−−−−−−−− M3 = {B7, B8, T3}
                                           Verifies |T3 − Tc| ≤ ΔT
                                           Computes Rs = h(SGk||Rg) ⊕ B7
                                           B8* = h(Rg||Rs||SGk||T3)
                                           Checks B8* ≡ B8
                                           Selects T4
                                           SKg = h(Ru ⊕ HPWi||Rg||Rs)
                                           B9 = h(Ru ⊕ GIDj||HPWi) ⊕ (Rg||Rs)
                                           B10 = h(R0 ⊕ Gj||SKg||Ru)
        ←−−−−−−−− M4 = {B9, B10, T4}
Computes (Rg||Rs) = B9 ⊕ h(Ru ⊕ GIDj||HPWi)
SKu = h(Ru ⊕ HPWi||Rg||Rs)
B10* = h(R0 ⊕ Gj||SKu||Ru)
Checks B10* ≡ B10
If true, communication is possible
```
**Figure 3.** Authentication and key agreement phase of Chen et al.'s scheme.


### **5. Cryptanalysis of Chen et al.'s Scheme**

In this section, we analyze the security defects of Chen et al.'s scheme. Our analysis shows that their scheme is vulnerable to privileged insider attacks, physical cloning attacks, and verification table leakage attacks. In addition, malicious adversary A can impersonate the user, sensor node, and gateway and disclose a session key.

### *5.1. Privileged Insider Attack*

A privileged insider can assist A by providing important information, such as the registration message and the values stored on the user's mobile device. The procedure is as follows:


Thus, Chen et al.'s scheme is insecure against privileged insider attacks.

### *5.2. Physical Cloning Attack*

In this attack, we assume that A can physically clone the sensor node *SNk* and extract the sensitive values {*RSGk*, *QIDk*} stored in its memory. To forward the message {*B*7, *B*8, *T*3} on behalf of the legitimate *GWj* and generate the session key *SKs*, A has to compute *B*7 = *h*(*SGk*||*Rg* ⊕ *Rs*), *B*8 = *h*(*Rg*||*Rs*||*SGk*||*T*3), and *SKs* = *h*(*Ru* ⊕ *HPWi*||*Rg*||*Rs*) through the following steps:

**Step 1:** The adversary A obtains the messages *M*2 = {*QIDk*, *B*4, *B*5, *B*6, *T*2} and *M*3 = {*B*7, *B*8, *T*3} by eavesdropping on the public channel.


Therefore, the scheme of Chen et al. cannot resist the physical cloning attack.

### *5.3. Verification Table Leakage Attack*

If A obtains the verification table {*QIDk*, *Nl*, *CIDi*, *HPWi*, *A*1} of *GWj*, A can attempt to impersonate *GWj* and generate a session key. The details are described below:


Therefore, Chen et al.'s scheme cannot withstand verification table leakage attacks.


### *5.5. Session Key Disclosure Attack*

In the previous attacks (privileged insider in Section 5.1, physical cloning in Section 5.2, and verification table leakage in Section 5.3), A can generate the session keys *SKu*, *SKk*, and *SKg*. A can then exploit the generated session key to adversely affect the system and disclose it to outside parties. Thus, the scheme of Chen et al. cannot prevent session key disclosure attacks.

### **6. Proposed Scheme**

In this section, we propose a secure three-factor mutual authentication scheme for WBANs to overcome the security weaknesses of Chen et al.'s scheme. Our scheme also considers the efficiency of the authentication process. Our scheme consists of user registration, sensor node registration, mutual authentication and key agreement, and password change phases. The notations and definitions used in the proposed scheme are explained in Table 2.


**Table 2.** Notations and definitions of the proposed scheme.

### *6.1. User Registration Phase*

In order for a medical professional to receive patient information from the sensor node, he/she must be registered with the gateway in advance. The details are shown in Figure 4:


**Figure 4.** User Registration of the proposed scheme.


### *6.2. Sensor Node Registration Phase*

A sensor node must register with the gateway in order to transmit patient information to the medical professional. The sensor node registration phase is shown in Figure 5, and the detailed steps are as follows:

**Figure 5.** Sensor node registration of the proposed scheme.


### *6.3. Login Phase*

A medical professional must log in to the mobile device to utilize this WBAN system. The details are shown in Figure 6:


**Figure 6.** Login phase of the proposed scheme.


### *6.4. Mutual Authentication and Key Agreement Phase*

The medical professional sends an authentication message to the gateway, and a session key is established among the medical professional, the sensor node, and the gateway. After that, the medical professional can receive the patient's information from the sensor node. In Figure 7, we show the mutual authentication and key agreement phase of our scheme, and the details are given below:


```
User Ui                                    Gateway GWj                                  Sensor Node SNk
Selects SIDk, Ru, T1
Computes R1 = ERi ⊕ h(IDi||PWi)
A0 = A2 ⊕ R1 ⊕ σi
Generates random nonce Ru
B1 = Ru ⊕ R1
B2 = A0 ⊕ Ru ⊕ R1 ⊕ HIDi
        M1 = {SIDk, CIDi, B1, B2, T1} −−−−−−−−→
                                           Verifies |T1 − Tc| ≤ ΔT
                                           Checks whether CIDi = CIDold_i or CIDi = CIDnew_i
                                           if (CIDi == CIDold_i) {Retrieves {HIDi*, ERj} against CIDold_i}
                                           if (CIDi == CIDnew_i) {Retrieves {HIDi*, ERj} against CIDnew_i}
                                           Computes R1 = ERj ⊕ Gj
                                           Ru = B1 ⊕ R1
                                           A0 = B2 ⊕ Ru ⊕ R1 ⊕ HIDi
                                           A1* = h(HIDi||A0) ⊕ Gj
                                           Checks A1 ?= A1*
                                           CIDnew_m = h(HIDi||Ru)
                                           Updates CIDnew_i
                                           Selects Rg, T2
                                           SGk = h(SIDk||Gj)
                                           C1 = Ru ⊕ HIDi
                                           B3 = C1 ⊕ SGk ⊕ CH1
                                           B4 = Rg ⊕ h(SGk||SIDk)
                                           B5 = h(B4||B5||SGk||C1||Rg)
                                                   M2 = {B3, B4, B5, T2} −−−−−−−−→
                                                                                        Verifies |T2 − Tc| ≤ ΔT
                                                                                        Gets RSGk, CH1
                                                                                        RE1 = PUF(CH1)
                                                                                        SGk = RSGk ⊕ SIDk ⊕ RE1
                                                                                        C1 = B3 ⊕ SGk ⊕ CH1
                                                                                        Rg = B4 ⊕ h(SGk||SIDk)
                                                                                        B5* = h(B3||B4||SGk||C1||Rg)
                                                                                        Verifies B5* ?= B5
                                                                                        Selects Rs, T3
                                                                                        Computes SKs = h(C1||Rg||Rs)
                                                                                        B6 = h(SGk||Rg) ⊕ Rs
                                                                                        B7 = h(Rg||Rs||SGk||T3||C1)
                                                   ←−−−−−−−− M3 = {B6, B7, T3}
                                           Verifies |T3 − Tc| ≤ ΔT
                                           Computes Rs = h(SGk||Rg) ⊕ B6
                                           B7* = h(Rg||Rs||SGk||T3||C1)
                                           Checks B7* ?= B7
                                           Selects T4
                                           SKg = h(C1||Rg||Rs)
                                           B8 = Ru ⊕ (Rg||Rs)
                                           B9 = h(A0||SKg||Ru)
        ←−−−−−−−− M4 = {B8, B9, T4}
Verifies |T4 − Tc| ≤ ΔT
Computes (Rg||Rs) = B8 ⊕ Ru
C1 = Ru ⊕ HIDi
SKu = h(C1||Rg||Rs)
B9* = h(A0||SKu||Ru)
Checks B9* ?= B9
Updates CIDnew_i
```

**Figure 7.** Authentication and key agreement phase of the proposed scheme.
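To make the message flow of Figure 7 concrete, the following is an added example (our code, not the authors' implementation) that runs the whole exchange for one user, one gateway and one sensor node, confirms that the three parties derive the same session key, and shows what the PUF contributes: a copy of the node's stored values without the circuit itself cannot pass the *B*5 check. It makes several assumptions the page does not state: *h* is SHA-256, || is byte concatenation, ⊕ is XOR on equal-width byte strings (where the figure XORs a hash with a 16-byte nonce, the hash is truncated to the nonce width), the registration values *ERi*, *A*2, *ERj*, *A*1 and *RSGk* are obtained by inverting the equations of Figure 7 because the registration figures are not reproduced on this page, the initial pseudonym *CIDi* and Δ*T* are constructed, *σi* is taken as the value the fuzzy extractor reproduces at login, and the silicon PUF is modelled by a per-device HMAC. One caveat: the gateway line in Figure 7 reads *B*5 = *h*(*B*4||*B*5||*SGk*||*C*1||*Rg*), which cannot be computed as written, so the example uses the sensor-side form *h*(*B*3||*B*4||*SGk*||*C*1||*Rg*) on both sides.

```python
import hashlib
import hmac
import os
import time

DELTA_T = 5  # assumed ΔT (seconds) for the |T − Tc| ≤ ΔT freshness checks


def h(*parts):
    """h(·) instantiated as SHA-256 over the byte concatenation a||b||... (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("⊕ is only applied to equal-width byte strings here")
    return bytes(x ^ y for x, y in zip(a, b))


def puf(device_secret, challenge):
    """Simulated PUF: a per-device keyed function stands in for the silicon circuit."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


def now(): return int(time.time()).to_bytes(8, "big")
def fresh(t): return abs(int(time.time()) - int.from_bytes(t, "big")) <= DELTA_T
def check(cond, what):
    if not cond:
        raise ValueError(what)


def register(Gj, IDi, PWi, sigma_i, HIDi, SIDk, puf_secret):
    """Registration state for Ui, GWj and SNk, constructed by inverting the Figure 7 equations."""
    R1, A0, CH1 = os.urandom(32), os.urandom(32), os.urandom(32)
    CIDi = h(HIDi, R1)  # initial pseudonym (constructed); later updated to h(HIDi||Ru)
    user = {"IDi": IDi, "PWi": PWi, "sigma": sigma_i, "HIDi": HIDi, "SIDk": SIDk, "CIDi": CIDi,
            "ERi": xor(R1, h(IDi, PWi)), "A2": xor(xor(A0, R1), sigma_i)}
    gateway = {"Gj": Gj, "sensors": {SIDk: {"CH1": CH1}},
               "users": {CIDi: {"HIDi": HIDi, "ERj": xor(R1, Gj), "A1": xor(h(HIDi, A0), Gj)}}}
    sensor = {"SIDk": SIDk, "secret": puf_secret, "CH1": CH1,
              "RSGk": xor(xor(h(SIDk, Gj), SIDk), puf(puf_secret, CH1))}
    return user, gateway, sensor


def run_protocol(user, gateway, sensor):
    """One run of Figure 7; returns (SKu, SKg, SKs) or raises ValueError when a check fails."""
    # Ui: build M1
    R1 = xor(user["ERi"], h(user["IDi"], user["PWi"]))
    A0 = xor(xor(user["A2"], R1), user["sigma"])
    Ru, T1 = os.urandom(32), now()
    B1 = xor(Ru, R1)
    B2 = xor(xor(xor(A0, Ru), R1), user["HIDi"])
    M1 = (user["SIDk"], user["CIDi"], B1, B2, T1)
    # GWj: verify M1, build M2
    SIDk, CIDi, B1, B2, T1 = M1
    check(fresh(T1), "gateway: T1 stale")
    rec = gateway["users"][CIDi]  # lookup against CIDold_i / CIDnew_i
    R1g = xor(rec["ERj"], gateway["Gj"])
    Rug = xor(B1, R1g)
    A0g = xor(xor(xor(B2, Rug), R1g), rec["HIDi"])
    check(xor(h(rec["HIDi"], A0g), gateway["Gj"]) == rec["A1"], "gateway: A1 check failed")
    gateway["users"][h(rec["HIDi"], Rug)] = rec  # CIDnew_i = h(HIDi||Ru), old entry kept
    Rg, T2 = os.urandom(16), now()
    SGk = h(SIDk, gateway["Gj"])
    C1 = xor(Rug, rec["HIDi"])
    B3 = xor(xor(C1, SGk), gateway["sensors"][SIDk]["CH1"])
    B4 = xor(Rg, h(SGk, SIDk)[:16])          # hash truncated to the nonce width
    B5 = h(B3, B4, SGk, C1, Rg)             # sensor-side form of B5 used on both sides
    M2 = (B3, B4, B5, T2)
    # SNk: verify M2, build M3
    B3, B4, B5, T2 = M2
    check(fresh(T2), "sensor: T2 stale")
    RE1 = puf(sensor["secret"], sensor["CH1"])  # only the genuine circuit yields RE1
    SGks = xor(xor(sensor["RSGk"], sensor["SIDk"]), RE1)
    C1s = xor(xor(B3, SGks), sensor["CH1"])
    Rgs = xor(B4, h(SGks, sensor["SIDk"])[:16])
    check(h(B3, B4, SGks, C1s, Rgs) == B5, "sensor: B5 check failed")
    Rs, T3 = os.urandom(16), now()
    SKs = h(C1s, Rgs, Rs)
    B6 = xor(h(SGks, Rgs)[:16], Rs)
    B7 = h(Rgs, Rs, SGks, T3, C1s)
    M3 = (B6, B7, T3)
    # GWj: verify M3, build M4
    B6, B7, T3 = M3
    check(fresh(T3), "gateway: T3 stale")
    Rsg = xor(h(SGk, Rg)[:16], B6)
    check(h(Rg, Rsg, SGk, T3, C1) == B7, "gateway: B7 check failed")
    SKg, T4 = h(C1, Rg, Rsg), now()
    B8 = xor(Rug, Rg + Rsg)                  # Ru ⊕ (Rg||Rs); both operands are 32 bytes
    B9 = h(A0g, SKg, Rug)
    M4 = (B8, B9, T4)
    # Ui: verify M4
    B8, B9, T4 = M4
    check(fresh(T4), "user: T4 stale")
    RgRs = xor(B8, Ru)
    SKu = h(xor(Ru, user["HIDi"]), RgRs[:16], RgRs[16:])
    check(h(A0, SKu, Ru) == B9, "user: B9 check failed")
    user["CIDi"] = h(user["HIDi"], Ru)       # Updates CIDnew_i
    return SKu, SKg, SKs


def make_parties():
    """Constructed parties: one doctor, one gateway, one sensor node."""
    return register(os.urandom(32), b"doctor-01", b"pw-constructed", os.urandom(32),
                    h(b"doctor-01", b"HID"), h(b"sensor-07"), os.urandom(32))


def demo():
    return run_protocol(*make_parties())


def clone_without_puf_fails():
    """A memory dump of SNk (RSGk, SIDk, CH1) without its PUF circuit cannot recover SGk."""
    user, gateway, sensor = make_parties()
    try:
        run_protocol(user, gateway, dict(sensor, secret=os.urandom(32)))
    except ValueError:
        return True
    return False
```

`demo()` returns three equal 32-byte keys, and `clone_without_puf_fails()` returns `True`: the cloned node holds exactly the bytes a memory extraction would yield, but without *RE*1 = *PUF*(*CH*1) it recovers a wrong *SGk* and its *B*5* no longer matches, which is the property the physical cloning analysis in Section 5.2 shows Chen et al.'s scheme lacks.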

### *6.5. Password Update Phase*

In our scheme, we provide an efficient password update process of the medical professional. We show the password update phase in Figure 8, and the detailed steps are as follows:


**Figure 8.** Password update phase of the proposed scheme.


### **7. Security Analysis**

To prove the security features of the proposed scheme, we used BAN logic and the RoR model, which can prove the mutual authentication properties and session key security, respectively. Furthermore, we show that our scheme resists man-in-the-middle and replay attacks using AVISPA. Finally, we argue through informal analysis that the proposed scheme can prevent various security attacks.

### *7.1. BAN Logic*

In this section, BAN logic [26] is used to prove the mutual authentication of the proposed scheme. BAN logic provides a simple formal language for reasoning about the beliefs of the communicating participants in an authentication scheme, and many security schemes have been proven using it [27–29]. Table 3 shows the basic notation in BAN logic.


**Table 3.** Basic notations in BAN logic.

### 7.1.1. Rules

We introduce five rules used in BAN logic:

1. Message meaning rule (MMR):

$$\frac{C_1 \mid\equiv C_1 \xleftrightarrow{K} C_2,\quad C_1 \lhd \{T_1\}_K}{C_1 \mid\equiv C_2 \mid\sim T_1};$$

2. Nonce verification rule (NVR):

$$\frac{C_1 \mid\equiv \#(T_1),\quad C_1 \mid\equiv C_2 \mid\sim T_1}{C_1 \mid\equiv C_2 \mid\equiv T_1};$$

3. Jurisdiction rule (JR):

$$\frac{C_1 \mid\equiv C_2 \Rightarrow T_1,\quad C_1 \mid\equiv C_2 \mid\equiv T_1}{C_1 \mid\equiv T_1};$$

4. Belief rule (BR):

$$\frac{C_1 \mid\equiv (T_1, T_2)}{C_1 \mid\equiv T_1};$$

5. Freshness rule (FR):

$$\frac{C_1 \mid\equiv \#(T_1)}{C_1 \mid\equiv \#(T_1, T_2)}.$$

### 7.1.2. Goals

The final goal of BAN logic in the proposed scheme is to achieve mutual authentication by agreeing on the session key *SK*. We define *Ui*, *GWj*, and *SNk* as the user, gateway, and sensor node, respectively:

$$\begin{aligned}
&\text{Goal 1: } U_i \mid\equiv GW_j \xleftrightarrow{SK} U_i; &&\text{Goal 5: } SN_k \mid\equiv GW_j \xleftrightarrow{SK} SN_k;\\
&\text{Goal 2: } U_i \mid\equiv GW_j \mid\equiv GW_j \xleftrightarrow{SK} U_i; &&\text{Goal 6: } SN_k \mid\equiv GW_j \mid\equiv GW_j \xleftrightarrow{SK} SN_k;\\
&\text{Goal 3: } GW_j \mid\equiv GW_j \xleftrightarrow{SK} U_i; &&\text{Goal 7: } GW_j \mid\equiv GW_j \xleftrightarrow{SK} SN_k;\\
&\text{Goal 4: } GW_j \mid\equiv U_i \mid\equiv GW_j \xleftrightarrow{SK} U_i; &&\text{Goal 8: } GW_j \mid\equiv SN_k \mid\equiv GW_j \xleftrightarrow{SK} SN_k.
\end{aligned}$$

### 7.1.3. Idealized Forms

In the proposed scheme, *M*1 = {*SIDk*, *CIDi*, *B*1, *B*2, *T*1}, *M*2 = {*B*3, *B*4, *B*5, *T*2}, *M*3 = {*B*6, *B*7, *T*3}, and *M*4 = {*B*8, *B*9, *T*4} are transmitted through public channels. We restructure the messages to fit the BAN logic, named "idealized forms":


### 7.1.4. Assumptions

The assumptions in the proposed scheme are shown as below:




### 7.1.5. BAN Logic Proof

**Step 1:** We can obtain *PR*1 based on the first message *T*1, and we obtain the following:

$$PR_1\colon\ GW_j \lhd \{R_u, A_0, HID_i, T_1\}_{R_1};$$

**Step 2:** Based on the message meaning rule, *PR*1, and S9, we can obtain the following:

$$PR_2\colon\ GW_j \mid\equiv U_i \mid\sim (R_u, A_0, HID_i, T_1);$$

**Step 3:** Based on the freshness rule, *PR*2, and S1, we can obtain the following:

$$PR_3\colon\ GW_j \mid\equiv \#(R_u, A_0, HID_i, T_1);$$

**Step 4:** Based on the nonce verification rule, *PR*2, and *PR*3, we obtain the following:

$$PR_4\colon\ GW_j \mid\equiv U_i \mid\equiv (R_u, A_0, HID_i, T_1);$$

**Step 5:** Based on the second message *T*2, we obtain the following:

$$PR_5\colon\ SN_k \lhd \{R_g, C_1, T_2\}_{SG_k};$$

**Step 6:** Based on the message meaning rule, *PR*5, and S11, we can obtain the following:

$$PR_6\colon\ SN_k \mid\equiv GW_j \mid\sim (R_g, C_1, T_2);$$

**Step 7:** Based on the freshness rule, *PR*6, and S2, we can obtain the following:

$$PR_7\colon\ SN_k \mid\equiv \#(R_g, C_1, T_2);$$

**Step 8:** Based on the nonce verification rule, *PR*6, and *PR*7, we can obtain the following:

$$PR_8\colon\ SN_k \mid\equiv GW_j \mid\equiv (R_g, C_1, T_2);$$

**Step 9:** Based on the third message *T*3, we can obtain the following:

$$PR_9\colon\ GW_j \lhd \{R_s, T_3\}_{SG_k};$$

**Step 10:** Based on the message meaning rule, *PR*9, and S10, we can obtain the following:

$$PR_{10}\colon\ GW_j \mid\equiv SN_k \mid\sim (R_s, T_3);$$

**Step 11:** Based on the freshness rule, *PR*10, and S3, we can obtain the following:

$$PR_{11}\colon\ GW_j \mid\equiv \#(R_s, T_3);$$

**Step 12:** Based on the nonce verification rule, *PR*10, and *PR*11, we can obtain the following:

$$PR_{12}\colon\ GW_j \mid\equiv SN_k \mid\equiv (R_s, T_3);$$

**Step 13:** Based on *PR*8 and *PR*12, *SNk* and *GWj* compute the session key *SK* = *h*(*C*1||*Rg*||*Rs*). Therefore, we can obtain the following goals:

$$\begin{aligned}
PR_{13}\colon\ & SN_k \mid\equiv GW_j \mid\equiv GW_j \xleftrightarrow{SK} SN_k \quad \text{(Goal 6)}\\
PR_{14}\colon\ & GW_j \mid\equiv SN_k \mid\equiv GW_j \xleftrightarrow{SK} SN_k \quad \text{(Goal 8)};
\end{aligned}$$

**Step 14:** Based on the jurisdiction rule, *PR*13, *PR*14, S7, and S8, we can obtain the following goals:

$$\begin{aligned} PR_{15} &\colon SN_k |\equiv GW_j \xleftrightarrow{SK} SN_k \quad \text{(Goal 5)}\\ PR_{16} &\colon GW_j |\equiv GW_j \xleftrightarrow{SK} SN_k \quad \text{(Goal 7)}; \end{aligned}$$

**Step 15:** Based on the last message *T*4, we can obtain the following:

$$PR_{17}\colon U_i \lhd \{R_g, R_s, T_4\}_{R_u};$$

**Step 16:** Based on the message meaning rule, *PR*17, and S12, we can obtain the following:

$$PR_{18}\colon U_i |\equiv GW_j |\sim (R_g, R_s, T_4);$$

**Step 17:** Based on the freshness rule, *PR*18, and S4, we can obtain the following:

$$PR_{19}\colon U_i |\equiv \#(R_g, R_s, T_4);$$

**Step 18:** Based on the nonce verification rule, *PR*19, and *PR*17, we can obtain the following:

$$PR_{20}\colon U_i |\equiv GW_j |\equiv (R_g, R_s, T_4);$$

**Step 19:** Based on *PR*4 and *PR*20, *Ui* and *GWj* compute the session key *SK*. Therefore, we can obtain the following goals:

$$\begin{aligned} PR_{21} &\colon U_i |\equiv GW_j |\equiv GW_j \xleftrightarrow{SK} U_i\\ PR_{22} &\colon GW_j |\equiv U_i |\equiv GW_j \xleftrightarrow{SK} U_i; \end{aligned}$$

**Step 20:** Based on the jurisdiction rule, *PR*21, *PR*22, S5, and S6, we can obtain the following goals:

$$\begin{aligned} PR_{23} &\colon U_i |\equiv GW_j \xleftrightarrow{SK} U_i \quad \text{(Goal 1)}\\ PR_{24} &\colon GW_j |\equiv GW_j \xleftrightarrow{SK} U_i \quad \text{(Goal 3)}. \end{aligned}$$

### *7.2. RoR Model*

To prove the security of the session key, we utilize a formal proof in the "real-or-random" (ROR) model [30]. First, we define the participants, the adversary, and the queries. In the proposed scheme, three entities perform the authentication phase to establish the session key. These entities are instantiated as participants of the ROR model: *EP*<sup>*i*</sup><sub>*US*</sub>, *EP*<sup>*j*</sup><sub>*GW*</sub>, and *EP*<sup>*k*</sup><sub>*SN*</sub>, where *i*, *j*, and *k* are the instances of the user, gateway, and sensor node, respectively. Next, we define the adversary of the ROR model. The adversary fully controls the network and can modify, delete, hijack, and intercept messages. Moreover, we introduce the queries that are utilized to analyze the session key security of the scheme. The details are as follows:


### Security Proof

**Theorem 1.** *We denote the adversary and the probability of breaking the session key security by* M *and* A*M*(*BP*)*, respectively. In the ROR model,* M *tries to guess SK* = *h*(*C*1||*Rg*||*Rs*) *in polynomial time. To this end, we let* |*hash*| *and* |*puf*| *denote the range spaces of the hash function and of the PUF, respectively. Moreover, qhash, qpuf, and qsnd are the numbers of hash, puf, and Snd queries, respectively. C′ and s′ are Zipf's parameters [31], and BIO is the number of bits in the biometrics. Then:*

$$\mathcal{A}_M(BP) \le \frac{q_{hash}^2}{|hash|} + \frac{q_{puf}^2}{|puf|} + 2\max\Big\{C' q_{snd}^{s'},\ \frac{q_{snd}}{2^{BIO}}\Big\}$$

**Proof.** In the proposed scheme, the ROR security proof consists of five games *Gn* (0 ≤ *n* ≤ 4). M tries to compute the session key *SK* in each game *Gk*, and we denote the event that M wins *Gk* by *WN*<sub>*Gk*</sub>. Our ROR security proof follows the method of [32–34]:

*G*0: M begins the real attack by picking a random bit *c*. Therefore, we obtain Equation (1):

$$\mathcal{A}\_M(BP) = |2\mathcal{M}[WN\_{\mathbb{G}\_0}] - 1|. \tag{1}$$

*G*1: As mentioned before, M can obtain all of the messages of the proposed scheme using the *Exe* query. Thus, *M*1, *M*2, *M*3, and *M*4 can be intercepted, and M executes the *Test* query, giving Equation (2). The session key *SK* is composed of *C*1 = *Ru* ⊕ *HIDi*, *Rg*, and *Rs*. Thus, M must know all of the random nonces and the secret parameter of *US*, which means that M cannot calculate *SK* from the intercepted messages alone.

$$\mathcal{M}[WN_{G_1}] = \mathcal{M}[WN_{G_0}].\tag{2}$$

*G*2: In this game, the *hash* and *Snd* queries are utilized. However, the proposed scheme uses a collision-resistant cryptographic hash function, so M gains no advantage from the *hash* and *Snd* queries beyond finding a collision. Applying the birthday paradox [35], we obtain inequality (3).

$$|\mathcal{M}[\mathcal{W}\mathcal{N}\_{\mathbb{G}\_2}] - \mathcal{M}[\mathcal{W}\mathcal{N}\_{\mathbb{G}\_1}]| \le \frac{q\_{\text{hash}}^2}{|\text{hash}|}\tag{3}$$

*G*3: In *G*3, M attempts to break the session key security using the *puf* query. However, according to Section 3.3, the PUF response cannot be guessed or computed. Therefore, we obtain Equation (4).

$$|\mathcal{M}[WN_{G_3}] - \mathcal{M}[WN_{G_2}]| \le \frac{q_{puf}^2}{|puf|}\tag{4}$$

*G*4: In the final game *G*4, M utilizes the *CorrD* query and obtains the secret parameters {*A*2, *A*3, *Gen*(.), *Rep*(.), *τi*, *ERi*, *CIDi*} from the smart card. In the proposed scheme, all of these parameters are masked with the user's identity, password, and biometrics. To calculate *SK* from the secret parameters, M must guess *IDi*, *PWi*, and *BIOi* at the same time. Since guessing all three in polynomial time is infeasible, M cannot derive *SK*. Applying Zipf's law, we obtain Equation (5).

$$|\mathcal{M}[WN_{G_4}] - \mathcal{M}[WN_{G_3}]| \le \max\Big\{C' q_{snd}^{s'},\ \frac{q_{snd}}{2^{BIO}}\Big\} \tag{5}$$

After that, M guesses the bit *b*. Hence, we obtain Equation (6).

$$\mathcal{M}[\mathsf{WN}\_{\mathsf{G}\_{4}}] = \frac{1}{2} \tag{6}$$

Using (1) and (2), we obtain Equation (7).

$$\frac{1}{2}\mathcal{A}\_{\mathcal{M}}(BP) = |\mathcal{M}[\mathcal{W}\mathcal{N}\_{\mathbb{G}\_0}] - \frac{1}{2}| = |\mathcal{M}[\mathcal{W}\mathcal{N}\_{\mathbb{G}\_1}] - \frac{1}{2}|\tag{7}$$

From (6) and (7), we obtain Equation (8).

$$\frac{1}{2}\mathcal{A}\_{\mathcal{M}}(BP) = |\mathcal{M}[\mathsf{W}\mathsf{N}\_{\mathsf{G}\_{1}}] - \mathcal{M}[\mathsf{W}\mathsf{N}\_{\mathsf{G}\_{4}}]|\,\tag{8}$$

Using the triangle inequality, we obtain Equation (9).

$$\begin{aligned} \tfrac{1}{2}\mathcal{A}_M(BP) &= |\mathcal{M}[WN_{G_1}] - \mathcal{M}[WN_{G_4}]| \\ &\le |\mathcal{M}[WN_{G_1}] - \mathcal{M}[WN_{G_3}]| + |\mathcal{M}[WN_{G_3}] - \mathcal{M}[WN_{G_4}]| \\ &\le |\mathcal{M}[WN_{G_1}] - \mathcal{M}[WN_{G_2}]| + |\mathcal{M}[WN_{G_2}] - \mathcal{M}[WN_{G_3}]| + |\mathcal{M}[WN_{G_3}] - \mathcal{M}[WN_{G_4}]| \end{aligned} \tag{9}$$

$$\le \frac{q_{hash}^2}{2|hash|} + \frac{q_{puf}^2}{2|puf|} + \max\Big\{C' q_{snd}^{s'},\ \frac{q_{snd}}{2^{BIO}}\Big\} \tag{10}$$

Multiplying (10) by two yields the claimed bound:

$$\mathcal{A}_M(BP) \le \frac{q_{hash}^2}{|hash|} + \frac{q_{puf}^2}{|puf|} + 2\max\Big\{C' q_{snd}^{s'},\ \frac{q_{snd}}{2^{BIO}}\Big\}.$$

This proves Theorem 1.

### *7.3. AVISPA Simulation*

In this section, we utilize the AVISPA simulation tool [36,37] to verify the resistance of the proposed scheme against replay and man-in-the-middle attacks. AVISPA verifies an authentication scheme specified in the "High-Level Protocol Specification Language (HLPSL)" on the Linux OS. The HLPSL code is then converted to the "Intermediate Format (IF)", on which security verification is performed by four backends: the "On-the-Fly Model Checker (OFMC)", "Three Automata based on Automatic Approximations for Analysis of Security Protocols (TA4SP)", "SAT-based Model Checker (SATMC)", and "Constraint Logic-based Attack Searcher (CL-AtSe)". In this paper, we used the CL-AtSe and OFMC backends because they support the XOR operator. Finally, the result window, i.e., the "Output Format (OF)", is shown; if the OF summarizes the verification as "SAFE", the proposed scheme resists replay and man-in-the-middle attacks. We specify the three basic roles of the proposed scheme: the user *UI*, the gateway *GWJ*, and the sensor node *SNK*. The session, environment, and goals are shown in Figure 9, and the role of *UI* is shown in Figure 10.

**Figure 9.** Role specification for the session, environment, and goals.

**Figure 10.** Role specification for the user.

In State 1, *UI* receives the start message and computes *HIDi* and *HPWi*. Then, *UI* sends {*HIDi*} to *GWJ*. *GWJ* registers *UI* and returns {*A*0, *R*1, *CIDi*} through a secure channel. State 2 is the login and authentication phase, in which *UI* generates *Ru* and *T*1, computes the authentication request message {*SIDk*, *CIDi*, *B*1, *B*2, *T*1}, and sends it to *GWJ*. At the same time, *UI* declares *witness*(*UI*, *GWJ*, *uigwru*, *Ru*) and *witness*(*UI*, *SNK*, *uisnru*, *Ru*), which assert the freshness of the random nonce *Ru*. Finally, *UI* receives {*B*8, *B*9, *T*4} and computes the session key *SK* = *h*(*C*1||*Rg*||*Rs*). We verified the proposed scheme with the CL-AtSe and OFMC backends; the result window is shown in Figure 11. Therefore, the proposed scheme resists replay and man-in-the-middle attacks.


**Figure 11.** The AVISPA simulation result of the proposed scheme.

### *7.4. Informal Analysis*

In this section, we demonstrate the security features of our proposed scheme, including resistance against privileged insider, insider, physical cloning, verification table leakage, impersonation, session key disclosure, ephemeral secret leakage, replay, man-in-the-middle, stolen mobile device, offline password guessing, and denial-of-service attacks. Moreover, the proposed scheme provides user anonymity and perfect forward secrecy.

### 7.4.1. User Anonymity

In our scheme, A cannot obtain the legitimate *Ui*'s identity *IDi*, even if A extracts the values {*A*2, *A*3, *Gen*(.), *Rep*(.), *τi*, *ERi*, *CIDi*} stored inside *Ui*'s mobile device. *IDi* is masked by a hash function together with *Ui*'s biometric information or *PWi*, such that *HIDi* = *h*(*IDi*||*σi*), *A*3 = *h*(*IDi*||*HPWi*), and *ERi* = *h*(*IDi*||*PWi*) ⊕ *R*1.

### 7.4.2. Privileged Insider Attack

We assume that a privileged insider A obtains the registration request message {*HIDi*} of the medical professional. Furthermore, A can extract the parameters {*A*2, *A*3, *Gen*(.), *Rep*(.), *τi*, *ERi*, *CIDi*} from the medical professional's stolen mobile device using a power analysis attack. A can also intercept messages such as *M*1 and *M*4 transmitted on the public channel. After that, A attempts to impersonate the medical professional. To calculate the authentication message *M*1 = {*SIDk*, *CIDi*, *B*1, *B*2, *T*1}, A must compute the parameters *R*1 and *A*0. However, A cannot compute *R*1 = *ERi* ⊕ *h*(*IDi*||*PWi*) and *A*0 = *A*2 ⊕ *R*1 ⊕ *σi* because A does not know *Ui*'s *IDi*, *PWi*, and biometric information *BIOi*. Therefore, it is infeasible for A to calculate the authentication message *M*1 and impersonate the medical professional. A can also attempt to compute *SKu* = *h*(*C*1||*Rg*||*Rs*). However, A cannot generate *Ui*'s session key *SKu*, because A cannot calculate (*Rg*||*Rs*) = *B*8 ⊕ *Ru* and *Ru* = *B*1 ⊕ *R*1. In conclusion, the proposed scheme resists the privileged insider attack.

### 7.4.3. Insider Attack

Suppose that *Ui* registers with *GWj* as a legal user and intercepts the transmitted messages *M*2, *M*3, and *M*4. However, *Ui* cannot calculate important parameters such as the symmetric key *SGk* shared by *GWj* and *SNk*. Thus, *Ui* cannot mount attacks such as the impersonation and session key disclosure attacks. As a result, our scheme prevents the insider attack.

### 7.4.4. Physical Cloning Attack

Assume that an adversary A physically captures a sensor node *SNk* and attempts to authenticate with *GWj* by disguising itself as *SNk*. A physically clones *SNk* to obtain the values {*RSGk*, *CH*1} in the memory of *SNk* and intercepts the authentication request message *M*2 on the public channel. Then, A attempts to generate the authentication message *M*3 = {*B*6, *B*7, *T*3}. However, A cannot generate *M*3 because he/she cannot calculate the parameter *RE*1 needed to generate it. A can replicate the same *CH*1 from *SNk* but cannot generate the same *RE*1, because the PUF circuit cannot be forged. Thus, our scheme withstands the physical cloning attack.

### 7.4.5. Verification Table Leakage Attack

Suppose that A obtains {*CIDi*, *HIDi*, *ERj*, *A*1, *SIDk*, *CH*1} from *GWj*'s verification table. Then, A eavesdrops on the transmitted messages *M*1, *M*2, and *M*3 and intercepts the message *M*4 via the insecure channel. After that, A attempts to compute the authentication request message *M*2 or *SKg* = *h*(*C*1||*Rg*||*Rs*). However, A cannot calculate *SGk* = *h*(*SIDk*||*Gj*), which is essential for generating *M*2 and *SKg*, because *GWj*'s secret key *Gj* is unknown. Therefore, A can generate neither *M*2 nor *SKg*. As a result, our scheme protects against the verification table leakage attack.


### 7.4.7. Session Key Disclosure Attack

If A tries to calculate a legitimate session key *SK* = *h*(*C*1||*Rg*||*Rs*), A must obtain *HIDi*, *Ru*, *Rg*, and *Rs*. However, A cannot obtain these values: *Ru*, *Rg*, and *Rs* are temporary random nonces used in a single session, and *HIDi* is masked with the legitimate *Ui*'s biometric information *BIOi*. Hence, the proposed scheme protects against the session key disclosure attack.

### 7.4.8. Perfect Forward Secrecy

Suppose A obtains the long-term secret keys {*SGk*, *Gj*} and intercepts the transmitted messages {*M*1, *M*2, *M*3, *M*4} through the public channel. After that, A attempts to generate *M*4 to impersonate *GWj*, or to calculate *SKg* = *h*(*C*1||*Rg*||*Rs*) to exploit the session key. However, A cannot compute the parameter *C*1 without *Ui*'s masked identity *HIDi* and random nonce *Ru*. For these reasons, our scheme provides perfect forward secrecy.

### 7.4.9. Ephemeral Secret Leakage Attack

Suppose A obtains the random numbers {*Ru*, *Rg*, *Rs*, *R*0, *R*1, *R*2}. After that, A attempts to compute the session key *SK* = *h*(*C*1||*Rg*||*Rs*). However, A cannot generate *SK* because A cannot calculate *C*1 = *Ru* ⊕ *HIDi*, which is essential for generating *SK*. Thus, the proposed scheme prevents ESL attacks.

### 7.4.10. Replay and Man-in-the-Middle Attack

We assume that A eavesdrops on the transmitted messages {*M*1, *M*2, *M*3, *M*4} through the public channel. However, A cannot impersonate *Ui*, *GWj*, or *SNk* by resending a message, because the timestamps and random numbers {*T*1, *T*2, *T*3, *Ru*, *Rg*, *Rs*} are essential to generate each message, and every transmitted message is verified using {*T*1, *T*2, *T*3, *Ru*, *Rg*, *Rs*}. Therefore, our scheme prevents replay and man-in-the-middle attacks.

### 7.4.11. Stolen Mobile Device Attack

Suppose that A succeeds in extracting the stored values {*A*2, *A*3, *Gen*(.), *Rep*(.), *τi*, *ERi*, *CIDi*} from *Ui*'s stolen mobile device. However, A cannot compute any meaningful value of *Ui* from them, because the values stored in the mobile device are masked with *IDi*, *PWi*, and *BIOi*, such as *A*2 = *A*0 ⊕ *R*1 ⊕ *σi*, *A*3 = *h*(*IDi*||*HPWi*), and *ERi* = *h*(*IDi*||*PWi*) ⊕ *R*1. Therefore, A cannot mount any attack with them, and our scheme resists the stolen mobile device attack.

### 7.4.12. Offline Password Guessing Attack

Suppose A obtains *Ui*'s mobile device and extracts the parameters {*A*2, *A*3, *Gen*(.), *Rep*(.), *τi*, *ERi*, *CIDi*} using a power analysis attack. After that, A tries to guess *Ui*'s password using the extracted parameters. However, A cannot guess *Ui*'s password *PWi*, because the password is masked by *Ui*'s *IDi*, *BIOi*, or the random nonce *R*1, as in *HPWi* = *h*(*PWi*||*σi*), *A*3 = *h*(*IDi*||*HPWi*), and *ERi* = *h*(*IDi*||*PWi*) ⊕ *R*1. Therefore, the proposed scheme is secure against offline password guessing attacks.

### 7.4.13. Denial-of-Service

Assume that a malicious A attempts to send *M*1 = {*SIDk*, *CIDi*, *B*1, *B*2, *T*1} to *GWj* as a replayed message. To do this, A must pass the verification of *A*3 = *h*(*IDi*||*HPWi*) in the login phase. However, A cannot compute a valid *A*3 because A cannot obtain *IDi* and *HPWi*. Therefore, A cannot transmit a replayed *M*1 to *GWj*, and the proposed scheme is secure against denial-of-service attacks.

### 7.4.14. Untraceability

Suppose a malicious A obtains *Ui*'s pseudo-identity *CIDi*. However, A cannot mount any attack with the obtained *CIDi*: in every session, *GWj* replaces the stored *CIDi* with a new *CIDi*<sup>new</sup> derived using the random nonce *Ru*, after verifying that the user is legitimate through the check *A*1 ?= *A*1∗. For this reason, the proposed scheme ensures untraceability.

### 7.4.15. Mutual Authentication

To ensure mutual authentication, our scheme verifies each entity through the checks *A*1 ?= *A*1∗, *B*5 ?= *B*5∗, *B*7 ?= *B*7∗, and *B*9 ?= *B*9∗. Moreover, all entities verify the freshness of the messages through the random values *Ru*, *Rg*, and *Rs* generated by each entity. When these verifications pass, the entities are authenticated to each other. Therefore, our scheme achieves mutual authentication.
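The masking and key-derivation equations quoted in Sections 7.4.1, 7.4.2, 7.4.11, and 7.4.12 can be exercised end to end. The following Python is an added example, not the paper's or the authors' code; it assumes SHA-256 for *h*(.), a hypothetical exact-match stub in place of the fuzzy extractor *Gen*(.)/*Rep*(.), an opaque gateway-issued *A*0, and *Ru*||*Ru* as the mask inside *B*8 so that (*Rg*||*Rs*) = *B*8 ⊕ *Ru* holds as written above.

```python
# Added example, not code from the paper: it models the masking and
# session-key equations quoted in Sections 7.4.1, 7.4.2, 7.4.11 and 7.4.12.
# Assumptions (not from the paper): h() is SHA-256, '||' is byte concatenation,
# all values are 256-bit, Gen()/Rep() is a hypothetical exact-match stub for the
# fuzzy extractor, A0 is an opaque secret issued by the gateway, and B8 masks
# (Rg||Rs) with Ru||Ru so that (Rg||Rs) = B8 ⊕ Ru as written in Section 7.4.2.
import hashlib
import hmac
import os

def h(*parts):
    """h(a||b||...) as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))

def fe_gen(bio):
    """Stand-in for Gen(BIOi) -> (sigma_i, tau_i); a real fuzzy extractor
    tolerates noisy readings, this stub requires an exact match."""
    return h(b"sigma", bio), h(b"tau", bio)

def fe_rep(bio, tau):
    """Stand-in for Rep(BIOi, tau_i) -> sigma_i, or None on mismatch."""
    sigma, tau2 = fe_gen(bio)
    return sigma if hmac.compare_digest(tau, tau2) else None

def register(id_, pw, bio, a0, r1):
    """Values the device stores after registration (Section 7.4.11).
    Returns (device_store, HIDi); the gateway keeps HIDi."""
    sigma, tau = fe_gen(bio)
    hid = h(id_, sigma)                    # HIDi = h(IDi || sigma_i)
    hpw = h(pw, sigma)                     # HPWi = h(PWi || sigma_i)
    store = {"A2": xor(xor(a0, r1), sigma),   # A2 = A0 ⊕ R1 ⊕ sigma_i
             "A3": h(id_, hpw),               # A3 = h(IDi || HPWi)
             "ER": xor(h(id_, pw), r1),       # ERi = h(IDi || PWi) ⊕ R1
             "tau": tau}
    return store, hid

def login(store, id_, pw, bio):
    """Local check A3 ?= A3*; all three factors are needed to unmask R1 and
    A0. Returns (HIDi, R1, A0) or None when the check fails."""
    sigma = fe_rep(bio, store["tau"])
    if sigma is None:
        return None
    if not hmac.compare_digest(store["A3"], h(id_, h(pw, sigma))):
        return None
    r1 = xor(store["ER"], h(id_, pw))      # R1 = ERi ⊕ h(IDi || PWi)
    a0 = xor(xor(store["A2"], r1), sigma)  # A0 = A2 ⊕ R1 ⊕ sigma_i
    return h(id_, sigma), r1, a0

def session_key(c1, rg, rs):
    """SK = h(C1 || Rg || Rs)."""
    return h(c1, rg, rs)

def gateway_side(hid, r1, b1, rg, rs):
    """Gateway: Ru = B1 ⊕ R1, C1 = Ru ⊕ HIDi, SK, and B8 = (Rg||Rs) ⊕ (Ru||Ru)."""
    ru = xor(b1, r1)
    c1 = xor(ru, hid)
    return session_key(c1, rg, rs), xor(rg + rs, ru + ru)

def user_side(hid, ru, b8):
    """User: (Rg||Rs) = B8 ⊕ Ru, then the same SK from C1 = Ru ⊕ HIDi."""
    rg_rs = xor(b8, ru + ru)
    return session_key(xor(ru, hid), rg_rs[:32], rg_rs[32:])

def demo():
    """One constructed registration, login and key agreement; True on success."""
    id_, pw, bio = b"medic-42", b"correct horse", b"bio-template-constructed"
    a0, r1 = os.urandom(32), os.urandom(32)           # issued by the gateway
    store, hid = register(id_, pw, bio, a0, r1)
    if login(store, id_, pw, bio) != (hid, r1, a0):
        return False
    if login(store, id_, pw, b"other-template") is not None:  # wrong biometric
        return False
    ru, rg, rs = os.urandom(32), os.urandom(32), os.urandom(32)
    sk_gw, b8 = gateway_side(hid, r1, xor(ru, r1), rg, rs)   # B1 = Ru ⊕ R1
    return sk_gw == user_side(hid, ru, b8)
```

The `login` check fails when any one of *IDi*, *PWi*, or *BIOi* is wrong, which is the three-factor property the stolen-device and offline-guessing arguments rely on.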

### **8. Performance**

In this section, we evaluate the security features, communication costs, and computational costs of our scheme compared with the related schemes [11,38–41].

### *8.1. Security Features Comparison*

We compared the security and functionality of the proposed scheme with the related existing schemes [11,38–41]. As shown in Table 4, we considered various security functionalities and attacks, including "user anonymity", "privileged-insider attack", "offline password guessing attack", "stolen mobile device attack", "denial-of-service attack", "replay attack", "man-in-the-middle attack", "mutual authentication", "session key security", "known session specific temporary information attack", "untraceability property", "server-independent password update phase", "physical cloning attack", "perfect forward secrecy", "impersonation attack", "session-specific random number leakage attack", and "stolen verifier attack". Therefore, our scheme offers better functionality and security than the related schemes [11,38–41].

### *8.2. Communication Cost Comparison*

In this section, we compare the communication cost of the proposed scheme with those of the related existing schemes [11,38–41]. Following [42], we define the bit lengths of the SHA-256 hash output, random number, identity, password, PUF challenge–response, timestamp, and ECC point as 256, 256, 128, 128, 128, 32, and 320 bits, respectively. Therefore, the communication costs of the proposed scheme can be described as follows:


**Table 4.** Security and functionality features' comparison with related schemes.

Note: *SP*1: user anonymity; *SP*2: privileged insider attack; *SP*3: offline password guessing attack; *SP*4: stolen mobile device attack; *SP*5: denial-of-service attack; *SP*6: replay attack; *SP*7: man-in-the-middle attack; *SP*8: mutual authentication; *SP*9: session key security; *SP*10: known session specific temporary information attack; *SP*11: untraceability property; *SP*12: server-independent password update phase; *SP*13: physical cloning attack; *SP*14: perfect forward secrecy; *SP*15: impersonation attack; *SP*16: session-specific random number leakage attack; *SP*17: stolen verifier attack; ✓: provides or supports the security/functionality feature; ×: does not provide or support the security/functionality feature.


Therefore, the total communication cost of our scheme is 928 + 800 + 544 + 544 = 2816 bits. We show the total communication costs of our scheme and of the other related schemes [11,38–41] in Table 5. As Figure 12 illustrates, our scheme has a lower communication cost than the other related schemes.


**Table 5.** Comparison of communication costs required for AKA.

### *8.3. Computational Cost Comparison*

We evaluated the computational costs of our scheme. Following [24], we carried out the comparative analysis of the computational cost of the proposed scheme and those of [11,38–41] in the AKA phase, defining *TH*, *TRNG*, *TEM*, *TEA*, *TF*, and *TPUF* as the execution times of the hash function (≈0.00023 ms), random number generation (≈0.0539 ms), ECC multiplication (≈0.2226 ms), ECC addition (≈0.00288 ms), fuzzy extractor (≈0.268 ms), and PUF operation (≈0.012 ms), respectively. Additionally, we did not consider the execution time of Exclusive-OR (⊕) operations because it is computationally negligible. Table 6 shows the details.

**Figure 12.** Communication cost comparison of related schemes [11,38–41].

The total computational cost of our scheme was estimated to be lower than those of the other related schemes, except for Masud et al.'s scheme. However, our scheme uses the fuzzy extractor and the PUF, which Masud et al.'s scheme does not. Figure 13 shows that the computational cost (delay) increases with the number of users.

| Scheme | User | Gateway | Sensor Node | Total | Total Cost |
|---|---|---|---|---|---|
| Li et al. [38] | 1*TRNG* + 9*TH* + 3*TEM* | 1*TRNG* + 8*TH* + 1*TEM* | 1*TRNG* + 4*TH* + 2*TEM* | 3*TRNG* + 21*TH* + 6*TEM* | ≈1.5021 ms |
| Shin et al. [39] | 1*TRNG* + 1*TF* + 14*TH* + 2*TEM* | 12*TH* + 1*TEM* | 1*TRNG* + 5*TH* + 1*TEM* | 2*TRNG* + 1*TF* + 31*TH* + 4*TEM* | ≈1.232 ms |
| Rangwani et al. [40] | 5*TH* + 2*TEM* + 3*TEA* | 4*TH* + 2*TEM* + 3*TEA* | 8*TH* + 2*TEM* + 4*TEA* | 17*TH* + 6*TEM* + 10*TEA* | ≈1.36831 ms |
| Masud et al. [41] | 1*TRNG* + 3*TH* | 4*TRNG* + 3*TH* | 2*TRNG* + 2*TH* | 7*TRNG* + 8*TH* | ≈0.379 ms |
| Chen et al. [11] | 9*TH* | 7*TH* + 2*TENC* | 7*TH* | 23*TH* + 2*TENC* | ≈0.739 ms |
| Proposed | 5*TH* + 1*TRNG* + 1*TF* | 9*TH* + 1*TRNG* | 5*TH* + 1*TRNG* + 1*TPUF* | 19*TH* + 3*TRNG* + 1*TF* + 1*TPUF* | ≈0.44607 ms |

**Table 6.** Computational costs of each related scheme.

### **9. Conclusions**

In this paper, we reviewed Chen et al.'s scheme and demonstrated that it is vulnerable to several attacks, namely privileged insider, physical cloning, verification leakage, impersonation, and session key disclosure attacks. Therefore, Chen et al.'s scheme cannot be applied to WBANs properly, and a secure user authentication scheme is needed for wireless medical environments. To enhance the security level of Chen et al.'s scheme, we proposed a secure three-factor mutual authentication and key agreement scheme using a secure PUF in the WBAN environment. Our scheme is lightweight because it uses only hash functions, Exclusive-OR operations, and a fuzzy extractor to provide a secure login process. Moreover, our scheme resists physical cloning attacks by using the PUF. We showed that the proposed scheme guarantees mutual authentication through BAN logic and that the session key is secure in the RoR model. Using the AVISPA simulation tool, we also demonstrated that our proposed scheme withstands replay and man-in-the-middle attacks. Moreover, we performed an informal security analysis to show that our proposed scheme protects against diverse threats and attacks, including privileged insider, physical cloning, verification table leakage, impersonation, session key disclosure, ephemeral secret leakage, replay, man-in-the-middle, stolen mobile device, offline password guessing, and denial-of-service attacks. We also showed that our scheme provides user anonymity, mutual authentication, and perfect forward secrecy. Finally, we estimated and compared the communication and computational costs of our scheme with those of related schemes. Based on the results, our scheme provides a lower communication cost and a higher security level than the related existing schemes. Accordingly, we expect our proposed scheme to provide secure medical environments and to increase the use of various healthcare applications.

**Author Contributions:** Conceptualization, S.L.; Formal analysis, S.Y. and Y.P.; Methodology, S.L. and S.K.; Software, S.Y.; Validation, N.J. and Y.P.; Formal Proof, Y.P.; Writing—original draft, S.L. and Y.P.; Writing—review and editing, S.K. and Y.P.; Supervision, N.J. and Y.P. All authors have read and agreed to the published version of the manuscript.

**Funding:** This work was supported by the Korean Government under Electronics and Telecommunications Research Institute (ETRI) Grant (20ZR1300, Core Technology Research on Trust Data Connectome).

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** Not applicable.

**Conflicts of Interest:** The authors declare no conflict of interest.

### **References**

