An End-to-End Authentication Mechanism for Wireless Body Area Networks

by   Mosarrat Jahan, et al.
University of Dhaka

Wireless Body Area Network (WBAN) ensures high-quality healthcare services by endowing distant and continual monitoring of patients' health conditions. The security and privacy of the sensitive health-related data transmitted through the WBAN should be preserved to maximize its benefits. In this regard, user authentication is one of the primary mechanisms to protect health data that verifies the identities of entities involved in the communication process. Since WBAN carries crucial health data, every entity engaged in the data transfer process must be authenticated. In literature, an end-to-end user authentication mechanism covering each communicating party is absent. Besides, most of the existing user authentication mechanisms are designed assuming that the patient's mobile phone is trusted. In reality, a patient's mobile phone can be stolen or comprised by malware and thus behaves maliciously. Our work addresses these drawbacks and proposes an end-to-end user authentication and session key agreement scheme between sensor nodes and medical experts in a scenario where the patient's mobile phone is semi-trusted. We present a formal security analysis using BAN logic. Besides, we also provide an informal security analysis of the proposed scheme. Both studies indicate that our method is robust against well-known security attacks. In addition, our scheme achieves comparable computation and communication costs concerning the related existing works. The simulation shows that our method preserves satisfactory network performance.


RAMHU: A New Robust Lightweight Scheme for Mutual Users Authentication in Healthcare Applications

Providing a mechanism to authenticate users in healthcare applications i...

A Review-based Taxonomy for Secure Health Care Monitoring: Wireless Smart Cameras

Health records data security is one of the main challenges in e-health s...

Cryptanalysis of Khatoon et al.'s ECC-based Authentication Protocol for Healthcare Systems

Telecare medical information systems are gaining rapid popularity in ter...

Secure Non-public Health Enterprise Networks

Increasing demand for secure remote operation in industry and technology...

BAN-GZKP: Optimal Zero Knowledge Proof based Scheme for Wireless Body Area Networks

BANZKP is the best to date Zero Knowledge Proof (ZKP) based secure light...

Security in Next Generation Mobile Payment Systems: A Comprehensive Survey

Cash payment is still king in several markets, accounting for more than ...

Motion and audio analysis in mobile devices for remote monitoring of physical activities and user authentication

In this article we propose the use of accelerometer embedded by default ...

I Introduction

Wireless Body Area Network (WBAN) promotes healthcare services by enabling continuous remote monitoring of the patients. To do so, it forms a short-range wireless network using the sensor nodes associated with the human body, responsible for monitoring and collecting different physiological data and communicating those data to healthcare services through the wireless signal. Hence, WBAN eliminates the need of the patients to frequently visit hospitals and turns the laborious task of healthcare givers more systematic. Especially, WBAN is beneficial for monitoring elderly patients and patients suffering from chronic conditions.

Nevertheless, wide deployment of WBAN is subject to concern due to various security and privacy issues caused mainly by the involvement of resource-constrained sensor nodes [wang2015preserving, saeed2018remote]. Moreover, WBAN transfers highly sensitive health-related data [baker2017internet, al2018context]. Therefore, the development of lightweight and rigorous security mechanisms is essential for the practical realization of WBAN. In this regard, user authentication is a predominant mechanism to confirm the identities of participating nodes and combat unauthorized access to patients’ data.

Although current research works address the user authentication mechanism of WBAN [saeed2018remote, jegadeesan2020epaw, li2018secure], they do not take into consideration various communication among the WBAN entities. Usually, WBAN follows a centralized two-hop WBAN architecture [li2018secure, li2017anonymous, kompara2019robust]. Here, sensor nodes collect physiological data such as blood glucose level, pulse rate, body temperature, and heart rate [kompara2019robust] and transmit to an intermediate node, generally the mobile phone associated with a patient. This communication is known as intra-BAN communication [li2018secure]. In addition, the intermediate node transfers data to a hub node, and this communication is known as inter-BAN communication [li2018secure]. Finally, the hub node transfers data to the health service providers using beyond-BAN communication [li2018secure]. In literature, most works [li2018secure, konan2019secure, chen2019analysis] proposed authentication mechanisms for the inter-BAN communication without providing any clue regarding the secure communication mechanism between the sensor nodes and the patient’s mobile phone. Only [wazid2017novel, abiramy2019secure] mentioned a key establishment mechanism for the intra-BAN part while proposing an authentication mechanism for the inter-BAN communication. As sensitive health data passes through each WBAN entity, an end-to-end authentication covering each communication between the WBAN entities is essential. Although [li2017anonymous, kompara2019robust] proposed an authentication mechanism between the sensor nodes and hub node, these schemes can optionally utilize the patient’s mobile phone as a forwarder node, and the authors considered the mobile phone to be completely trusted. In reality, sensor nodes in WBAN use an intermediate resource-rich device such as a patient’s smartphone and smartwatch to reduce energy overhead to transmit to a distant entity [li2017anonymous, wazid2017novel]. Therefore, in a realistic scenario patient’s associated mobile device should also participate in the authentication process. Moreover, a patient’s mobile phone can be stolen or affected by malware that secretly eavesdrops on valuable information. Therefore, the assumption of a completely trusted mobile phone is not practical.

To address these shortcomings, we extend Al-Turjman and Alturjman’s scheme [al2018context] by incorporating the patient’s mobile phone in the authentication process and considering the mobile phone as a semi-trusted entity. In particular, the following contributions are made in this paper:

  • We present an end-to-end user authentication and session key establishment mechanism to support secure communication between the sensor nodes connected to patients’ bodies and health experts. This scheme covers intra-BAN, inter-BAN, and beyond-BAN transmission in a setting where the patient’s mobile phone is semi-trusted.

  • We present a rigorous security analysis of the proposed scheme using widely accepted BAN logic. Besides, we also give an informal security analysis of the proposed scheme.

  • We demonstrate the performance of the proposed scheme concerning the other related works using computation and communication costs.

  • We implement the proposed scheme using NS-3 [riley2010ns] simulator and assess the effect of the proposed scheme on various network parameters.

The remaining paper is organized as follows. Section II summarizes the related works on the WBAN authentication mechanism. Besides, Section III presents the system model of our proposed scheme, while Section IV provides a comprehensive description of the proposed scheme. Section V discusses the security features of the proposed scheme. In addition, Section VI offers formal security proof using BAN logic, and section VII presents a comparative performance analysis of the proposed scheme. Section VIII illustrates the effect of the proposed scheme on network performance. Lastly, Section IX concludes the paper.

Ii Literature Review

Baker et al. [baker2017internet] presented a comprehensive study on the application of the Internet of Things (IoT) in the healthcare system and highlighted the recent research works in this direction. This study identifies the lack of research on providing treatment in emergencies. Also, it indicates the insufficiency of research on security schemes that covers end-to-end IoT-based healthcare systems. For example, Saeed et al. [saeed2018remote] presented a lightweight and anonymous user authentication scheme between a WBAN sensor and the application provider using an online/offline certificate-less signature mechanism. Hence, this scheme does not authenticate every entity of WBAN. Besides, Abiramy and Sudha [abiramy2019secure] proposed a lightweight inter-BAN authentication scheme between the patient’s mobile device and application providers. Further, this scheme creates a group key to support secure data transfer operation among the mobile terminal and sensor nodes. Hence, every sensor node and the mobile terminal can listen to messages interchanged by other sensors. Wazid et al. [wazid2017novel] handled this shortcoming by establishing pairwise secret keys between the implanted sensors and the patients’ mobile phone. Further, the authors proposed a three-factor remote user authentication mechanism between a doctor and a patient’s mobile phone. Similarly, Li et al. [li2018secure] proposed an authentication mechanism between a patient’s mobile phone and the medical expert in a three-phase mobile healthcare system. Besides, Konan and Wang [konan2019secure] introduced an efficient authentication scheme between the smartphone of a patient and the application provider. Moreover, the authors proposed a batch authentication process to reduce the computation and communication costs. On the other hand, Arfaoui et al. [arfaoui2019context] proposed a context-aware anonymous intra-BAN authentication scheme between the sensor nodes and the controller node. In case of emergency treatment, the authentication mechanism allows direct access to the sensor nodes.

Li et al. [li2017anonymous] proposed an anonymous and lightweight authentication protocol where a sensor node authenticates with a hub node. In this scheme, the patient’s mobile device can be optionally used as a completely trusted forwarder node between the sensor node and the hub. Kompara et al. [kompara2019robust] proposed authentication and key agreement scheme based on Li’s scheme [li2017anonymous] that incorporates the session unlinkability property. This scheme also assumes the mobile phone as a trusted entity following [li2017anonymous]. Rehman et al. [rehman2020efficient] extended Kompara’s scheme [kompara2019robust] to prevent rogue intermediate node attack, sensor node masquerading attacks, and compromised base station attacks. Likewise, Almuhaideb et al. [almuhaideb2020lightweight] improved the efficiency of kompara’s scheme [kompara2019robust] by introducing the concept of re-authentication. In this scheme, a sensor node authenticates with a hub node where a mobile terminal can be used as a forwarder node. Besides, Alzahrani et al. [alzahrani2020provably] offered a lightweight and secure authentication scheme between the sensor node and hub node, where a mobile terminal can also be used as a forwarder. This scheme also assumes the mobile terminal to be trusted.

Apart from the works discussed above, Jegadeesan et al. [jegadeesan2020epaw] proposed an authentication mechanism between a patient and a doctor that preserves user privacy, data integrity, and non-repudiation property. Further, Mahender and Satish [kumar2020lightweight] introduced an identity-based anonymous authentication and key agreement protocol for WBAN in the cloud-aided environment where a sensor node authenticates with the cloud server. In addition, Chen and Peng [chen2019analysis] proposed an authentication scheme that mutually authenticates a WBAN client with application provider using asymmetric bilinear pairing. Moreover, Al-Turjman and Alturjman [al2018context] proposed authentication and key agreement mechanism for Wireless Multimedia Medical Sensor Network (WMSN) to support mutual authentication between sensor nodes/smartphones and the medical experts. A healthcare professional collects physiological data from sensor nodes connected to the patient’s body in this scheme. Parvez et al. [parvez2019secure] extended this scheme to include a patient’s mobile phone in the authentication mechanism. However, this scheme also considers a patient’s mobile phone as a trusted entity.

In summary, existing works lack in supporting end-to-end authentication, crucial for the security of health data. Moreover, user authentication mechanisms of WBAN usually assume that the patient’s mobile phone gathering data from sensor nodes is trustworthy [li2017anonymous, almuhaideb2020lightweight, alzahrani2020provably]. In our work, we address these shortcomings and propose a concrete solution that can operate even if the mobile phone is semi-trusted and handle the complete authentication process between a medical expert and a particular sensor node.

Iii System Model

Figure 1 presents the system model of our proposed scheme. It comprises sensors, patient’s mobile phone, gateway server, and medical experts.

Sensors are resource-limited devices attached to the patient’s body. They obtain various physiological data and transmit these data with the help of the patient’s mobile phone for further processing. We assume that the sensor node works as an honest entity.

Mobile phone is the patient’s portable phone that a patient always carries with them. It accumulates data collected from sensor nodes attached to the patient’s body and transmits them for further processing. We assume that the patient’s mobile phone is semi-trusted. This situation occurs when a mobile phone is infected by malware. A a semi-trusted entity, the compromised mobile phone accurately follows the protocol but tries to snoop information from the processing [arfaoui2020context].

Fig. 1: System model of the proposed scheme.

Gateway is a trustworthy entity managed by a medical organization. It is responsible for registering the patient’s mobile phone, the patient’s sensor nodes, and medical experts. It also computes secret keys and exchanges them with the corresponding entities using secure communication channels. Besides, gateway takes part in the authentication process between medical professionals and patients.

Medical Experts are healthcare providers such as doctors and nurses who periodically monitor the patient’s health condition and thus access the patient’s health-related information.

Iv The Proposed Scheme

Our proposed scheme enhances Al-Turjman, and Alturjman’s scheme [al2018context] to enable end-to-end user authentication in a realistic WBAN scenario where a patient’s mobile phone is semi-trusted. Table I lists the symbols used to delineate the proposed scheme.

Our scheme consists of three phases. They are:

Iv-a Registration Phase

In this phase, medical experts, patients’ mobile phones, and patients’ sensor nodes register with a trusted gateway server .

Iv-A1 Medical Expert Registration

The procedure of registering a medical expert consists of the following steps:

  • Step 1: The medical expert selects a unique ID and password and enters them into their authorized mobile device. This device selects a random number , computes and sends to using a secure channel.

  • Step 2: computes master keys and for [al2018context]. It computes and . then sends to using a secure communication channel.

    Symbol Description
    Medical expert’s ID
    Extended password
    Gateway server
    Gateway server’s ID
    Mobile phone’s ID of th patient
    ID of th sensor node
    Secret key between a gateway and a medical expert
    , Master keys between a gateway and a medical expert
    Secret key between a gateway and patient’s mobile phone
    Secret key between patient’s mobile phone and th sensor node
    Secret key between a gateway and th sensor node
    Secret session key
    Current timestamp
    Delay time period
    Encryption using
    Decryption using
    (.) One-way hash function
    TABLE I: List of Notations
  • Step 3: The medical expert stores the received information and in their mobile phone in a secure way. also stores for .

Iv-A2 Patient’s Mobile Device Registration

The gateway selects a unique ID for a patient’s mobile phone and computes . It then securely shares with the patient’s mobile phone. also stores for .

Iv-A3 Sensor Registration

The gateway assigns a unique ID to the th sensor node connected to and computes and . It sends to the sensor node via a secure channel. Besides, it securely shares to the mobile phone . also stores and for .

Iv-B Authentication Phase

In this phase, a medical expert, a patient’s mobile phone, and a specific sensor node authenticate each other through mutual authentication. At the end of this phase, a medical expert and a sensor node establish a unique session key to continue their future communications. The required steps of this phase are as follows:

  • Step 1: The medical expert enters and to their authorized mobile device to log in to the system. This device calculates with the supplied and . If , the medical expert can proceed for further computations. This step prevents a wicked person to use the device allocated to a honest medical professional. The medical expert calculates and where is a randomly selected nonce. The medical expert transmits to using a public channel.

  • Step 2: The gateway checks into its database for and fetches corresponding and . It computes and excerpts , and from . If and , continues further processing where is the time when receives . This test ensures is received within a permitted time period . Besides, computes , extracts from and computes . If and then computes and and sends to the patient’s mobile phone .

  • Step 3: The mobile phone computes and excerpts , and from . It checks for and where is the time when receives . If both conditions are satisfied and then the mobile phone computes and sends to through a public channel.

  • Step 4: The sensor node computes and retrieves and from . Besides, it computes and extracts and . If and where is the time when receives , the sensor performs subsequent computations. If the sensor calculates . Alongside, it computes and sends to the medical expert over the public channel.

  • Step 5: The medical expert also computes using information stored in their mobile device. also computes and retrieves and . If and the medical expert continues future computations where is the time when receives . If and , then the medical expert is confirmed that the same secret key is set up between and .

Iv-C Password Update Phase

To update the password, the medical expert must log in to the system. The necessary steps are as follows:

  • Step 1: The medical professional enters and to their assigned mobile device. The device computes and compares . If the comparison is true, the medical expert can proceed further computations.

  • Step 2: The medical expert enters a new password . The device again chooses a random number , computes and sends to through a secure communication channel.

  • Step 3: computes and sends to using a secure channel. The device replaces and with and in its memory.

V Security Analysis

We first present the security properties preserved when the patient’s mobile phone works genuinely. Subsequently, we discuss the resiliency of the proposed scheme when the patient’s mobile phone is compromised.

V-a Security Analysis when Patient’s Mobile Phone is Trusted

  • Mutual Authentication: A medical expert and a sensor connected to a patient authenticate each other to set up a secure communication. During registration phase, transmits = to the medical expert. In the authentication phase, sends the same along with to . The gateway computes and . It authenticates when and . Furthermore, generates and then . As is shared between and , the patient’s mobile phone can decrypt . computes using . As is a secret between and , only the sensor node can decrypt and retrieve , and . The sensor node further decrypts using and obtains to generate . It also computes and sends to the medical expert. computes using , , and available to its storage. then decrypts using and obtains the identifies of the medical expert and the sensor node. If these identities match with those parameters sent through , the medical expert is sure that same is generated between and . Hence, our scheme ensures mutual authentication.

  • Unique Secret Key Generation: After successful authentication, a sensor node and a medical expert share a secure session key. This session key is calculated as = . Since the medical expert selects a new random nonce in every session, a unique session key is created for each new data transfer operation between and .

  • User Masquerading Attack: An adversary can capture as this message is transmitted through a public channel. They may try to alter the message and introduce a new message in the channel where is constructed using , , , and selected by the adversary. As (distributed between and ) is not known to the adversary, they cannot produce in a correct form that can be decrypted successfully by using . Similarly, an adversary cannot counterfeit as is not known. An adversary also cannot forge , due to the lack of access to and , respectively. Moreover, the adversary cannot regenerate due to the lack of access to . Besides, they cannot reproduce as , and are unknown. Thus, masquerading a user is not possible.

  • Secret Gateway Guessing Attack: Our scheme utilizes six different keys such as , , , , and . shares these keys with different entities in a secure way. Moreover, an adversary cannot obtain these keys from as it is a trusted entity. Besides, our scheme exchanges the identities of medical experts, patient’s mobile phones, sensor nodes, and in a secure way. Therefore, the adversary cannot guess or reproduce , and . Hence, secret gateway guessing attacks are not possible. In addition, the adversary is not able to compute the session key as , , and are hidden.

  • Replay Attack: An adversary cannot utilize previous obsolete messages , , , and to access the system. They can alter the timestamp component of these messages only. Besides, , , , and also include the timestamp . An adversary cannot change in these messages due to not having access to the necessary keys. Hence, comparing the timestamp obtained from , , , and with the timestamp component modified by the adversary in the message request will never be successful. Moreover, each entity of the WBAN also ensures that messages are received within a pre-defined time frame . Therefore, our scheme is resilient to replay attacks.

  • Man-in-the-middle attack: In this attack, an adversary can snoop and possibly alter the messages transmitted through the communication channel without informing the communicating parties. Since attackers do not have access to the secret keys , , , , and , they can not recover the original message by eavesdropping or can not reconstruct a new message that decrypts successfully. Therefore, a man-in-the-middle attack is not possible.

  • User Anonymity: The proposed scheme hides the identities of patients’ mobile phones, sensor nodes, and medical experts from unauthorized parties. All this information is stored in encrypted form in the messages exchanged during the authentication process. Since the adversaries do not have access to the required keys to decrypt these messages, they cannot gain any information regarding the identities of patients’ mobile phones, sensor nodes, and medical experts. Thus our scheme ensures the anonymity of patients and medical professionals.

  • Forward and Backward Secrecy: The proposed scheme ensures that the compromise of a session key does not hamper the secrecy of previous and future sessions. In our scheme, is generated as and for the use of one-way hash function , it is not possible to extract , , and . Moreover, the identities of sensors, mobile phones, and medical experts are always transmitted in an encrypted form. Due to not having access to the decryption keys, an adversary cannot retrieve that information. In addition, changes in every session to generate a unique key. Therefore, it is not possible to construct any previous and future session keys when a session key is exposed.

V-B Patient’s Mobile Device is Compromised

The proposed scheme prevents false authentication in case of patient’s mobile phone is compromised for example through malware attacks. The mobile device receives from where and . It decrypts using and obtains . is unable to decrypt due to lack of access to . Therefore, it cannot obtain and which are necessary to generate the session key. Moreover, the mobile phone delivers to the sensor node where , and decrypts using and forms the session-key .

As is compromised, an adversary can obtain the secret key for a particular patient’s mobile phone and the secret key of the sensor nodes associated with that mobile device. As the adversary does not have access to , they cannot decrypt . Hence, it is not possible for an adversary to obtain and required for a session key. Also, the adversary cannot alter without the possession of .

An adversary can reconstruct and for and arbitrary as they possess and (obtained from compromised patients’ mobile phones). In the worst case, they can incorporate a captured from previous sessions involving the same , and with the reconstructed and . Besides, they can manipulate the timestamp component in and . Thus an adversary can replay and in the channel that a medical expert does not initiate. In this case, when a is reached to the medical experts, they can identify the false attempt to establish a session, and may be reached after the pre-defined time interval. Hence, the adversary cannot get any advantages by replaying and .

Due to access of and , an adversary can obtain information about a particular patient and sensor nodes associated with that patient. Possession of and does not help to identify the medical expert. An adversary also cannot construct the secret keys of other entities with the help of the leaked identities as they do not have access to .

Vi Protocol Analysis using BAN Logic

We use BAN logic [burrows1989logic] to verify the validity of the proposed scheme in generating secret session keys. Table II presents a brief description of the notations used for the BAN logic [burrows1989logic].

Notation Narration Notation Narration
is encrypted by controls
sees is fresh
said and shares
TABLE II: List of Notations used in BAN Logic

We need to satisfy the following goals to confirm the security of the proposed scheme:

•Goal 1:

•Goal 2:

•Goal 3:

•Goal 4:

We use the BAN logic rules, idealized messages, and assumptions to prove that the proposed scheme satisfies the security goals. Table III shows the BAN logic rules [burrows1989logic] used in our analysis.

Rule Narration
(Message-meaning rule): If believes that shares with and observes encrypted with , trusts said
(Nonce-verification rule): If believes that is new and believes uttered , believes trusts
(Freshness-conjunction rule): If trusts that is new, admits is fresh
(Jurisdiction rule): If believes controls and believes trusts , trusts
TABLE III: BAN Logic Rules

The idealized form of the transmitted messages are as follows:

We extract the following initial assumptions from the protocol messages:

From , we get

From and using we get

From and using we get

From and using , we get

From , we get

From and using , we get

From and we get

From and using , we get

From , we get

From and using we get,

From and we get,

From and , using we get,

From , we get

From and using we get,

From using we get,

From and using we get,

From we get

From and using we get

From and we get

From and using we get

As = and combining , , and we get

(Goal 2)

As = , from we get

(Goal 1)

From and using we get

(Goal 4)

From and using we get

(Goal 3)

Vii Comparative Study

In this section, we present a comparison of the proposed scheme with the other related works: the schemes of Abiramy and Sudha [abiramy2019secure], Li et al. [li2017anonymous] and Al-Turjman and Alturjman [al2018context] in respect to computation, communication, and security features.

Features Abiramy and Sudha [abiramy2019secure] Al-Turjman and Alturjman [al2018context] Li et al. [li2017anonymous] Proposed scheme
Mutual authentication
User anonymity
Resilient to semi-trusted mobile device
End-to-end authentication
User masquerading attack
Replay attack
Man-in-the-middle attack
Secret gateway guessing attack
Forward and backward secrecy forward secrecy only
  • ✓: a scheme conserves a feature; : a scheme does not conserve a feature; : a scheme unresponsive about a feature.

TABLE IV: Comparison based on Security Features

Vii-a Comparison in respect to Security Features

A comparison of our scheme with the existing techniques based on security features is shown in Table IV. It is apparent from the table that our scheme provides better security compared to the other schemes. Notably, none of the current schemes raise protection against the semi-trusted patient’s mobile phone. Abiramy and Sudha [abiramy2019secure] and Li et al. [li2017anonymous] assumed that patient’s mobile phone is their scheme is fully trusted. Besides, existing schemes do not provide end-to-end authentication. Furthermore, Abiramy and Sudha [abiramy2019secure] does not achieve user anonymity and provides forward secrecy only.

Vii-B Comparison in respect to Computation Cost

The computation cost is measured as the total time required to perform mutual authentication. We use , , , , and to denote the time required to compute hash function, ex-or operation, symmetric key encryption/decryption, Elliptic Curve Cryptography (ECC) point multiplication, and exponentiation operation, respectively. Table V shows the computation cost of each entity in our proposed scheme. In total the computation cost of the proposed scheme is (Here to mention that is negligible compared to the other costs). Table VI presents a comparison of our scheme with the existing schemes in respect to computation cost. Our scheme attains higher computation time compared to the Al-Turjman and Alturjman scheme [al2018context] due to the explicit inclusion of the patient’s mobile phone in the authentication process and preventing crucial information for session key generation from the semi-trusted mobile phone. These two features are missing in other low-cost related works.

Node Computation cost
Medical expert 4 + 5 + 2
Gateway 4 +
Mobile device 2
Sensor 3 + + 2
TABLE V: Computation Cost of Our Scheme
Scheme Computation cost
Abiramy and Sudha [abiramy2019secure] 9 + 2 + 3
Al-Turjman and Alturjman [al2018context] 6 + 7 + 2 6 + 7
Li et al. [li2017anonymous] 8 + 17