Review Article Attacks and Solutions for a Two-Factor Authentication Protocol for Wireless Body Area Networks - Hindawi.com

Hindawi
Security and Communication Networks
Volume 2021, Article ID 3116593, 12 pages
https://doi.org/10.1155/2021/3116593

Review Article
Attacks and Solutions for a Two-Factor Authentication
Protocol for Wireless Body Area Networks

 Chien-Ming Chen ,1 Zhen Li ,1 Shehzad Ashraf Chaudhry ,2 and Long Li 3

 1
 College of Computer Science and Engineering, Shandong University of Science and Technology, Qingdao, China
 2
 Department of Computer Engineering, Istanbul Gelisim University, Istanbul, Turkey
 3
 Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Gullin, China

 Correspondence should be addressed to Long Li; lilong@guet.edu.cn

 Received 1 September 2021; Accepted 4 October 2021; Published 21 October 2021

 Academic Editor: Azees M

 Copyright © 2021 Chien-Ming Chen et al. This is an open access article distributed under the Creative Commons Attribution
 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is
 properly cited.

 As an extension of the 4G system, 5G is a new generation of broadband mobile communication with high speed, low latency, and
 large connection characteristics. It solves the problem of human-to-thing and thing-to-thing communication to meet the needs of
 intelligent medical devices, automotive networking, smart homes, industrial control, environmental monitoring, and other IoT
 application needs. This has resulted in new research topics related to wireless body area networks. However, such networks are still
 subject to significant security and privacy threats. Recently, Fotouhi et al. proposed a lightweight and secure two-factor au-
 thentication protocol for wireless body area networks in medical IoT. However, in this study, we demonstrate that their proposed
 protocol is still vulnerable to sensor-capture attacks and the lack of authentication between users and mobile devices. In addition,
 we propose a new protocol to overcome the limitations mentioned above. A detailed comparison shows that our proposed
 protocol is better than the previous protocols in terms of security and performance.

1. Introduction responds to the explosive growth of Internet traffic, and it
 results in improved user experience for mobile Internet users.
Since the beginning of human civilization, the efficient and Low-latency communication is mainly for applications with
fast transmission of information has always been an un- high requirements for latency and reliability, such as tele-
swerving pursuit for mankind. From writing to printing, from medicine, autonomous driving, and virtual reality. Massive
cell towers to radio, from telephones to mobile Internet, the machine-like communication is mainly for applications that
speed of modern technology development has always involve the sensing and collection of data, such as Internet of
depended on the speed of information dissemination, and Things (IoT) [2–4], smart cities [5–7], smart homes, and
new ways of information dissemination often bring about environmental monitoring [8–10].
radical changes in society. 5G (fifth-generation mobile In the long run, consumer demand for health will
communication technology) is the current stage of progress in continue to rise, and the development potential of the
the latest wave of mobile communication [1]. 5G is a new medical and health fields is huge. Currently, 5G is partic-
generation of broadband mobile communication with high ularly useful for the healthcare sector, especially for the
speed, low latency, and large connection characteristics. It is a Internet of Things in the medical field [11–13]. 5G will
network infrastructure that enables the interconnection of empower the existing smart healthcare service system, and it
people, machines, and things. 5G has three major application will improve the service capability and management effi-
scenarios: enhanced mobile broadband, ultra-high reliability ciency of wireless body area networks, telemedicine, and
and low-latency communications, and massive machine-like emergency rescue. It will also give rise to the development
communications. Enhanced mobile broadband mainly and prosperity of smart healthcare.

2 Security and Communication Networks

 Owing to rapid advancements in life informatization,
people’s requirements for medical monitoring are con-
stantly improving. There is also a high demand for more
convenient and effective telemedicine and health-sign
monitoring. A wireless body area network (WBAN)
[14, 15] is a network composed of different intelligent
components, such as sensors, nodes, and actuators. The Doctor
network is designed for collecting and monitoring data Elderly with sensors
from the human body and its surrounding environment. Its
typical architecture is shown in Figure 1. For the elderly,
 Gateway
sensors/wearable devices on the elderly send the infor-
mation collected to a gateway node. For the patient, the
sensor acquires the patient’s body monitoring data, con-
nects it to a bedside monitor or other receiver, and
transmits it wirelessly to a doctor for monitoring or di- Patients with sensors Nurse
agnosis. The gateway acts as a local server which analyzes,
stores, and manages the data sent by the sensor or monitor. Figure 1: The typical architecture of a WBAN.
Users, who can be doctors, nurses, or other medical pro-
fessionals, can communicate with the gateway and access 2. Review of Fotouhi et al.’s Protocol
the data they want to know via mobile devices or computer-
based devices on a LAN with the gateway. For example, a In this section, we briefly review Fotouhi et al.’s authenti-
nurse can specifically track and check a patient’s body data, cation protocol. Their proposed protocol includes four
so that if an abnormality is detected, the patient’s condition phases: initialization, registration, authentication, and
can be checked and dealt with in a timely manner. password modification. Here we describe only the first two
 Because data transmission over a WBAN takes place phases. The detailed steps of their proposed protocol can be
over a public channel, attackers can access highly sensitive found in [22]. The notations used in this study are listed in
health information of patients. To ensure the security of a Table 1.
WBAN, a secure authentication and key agreement (AKA)
protocol should be implemented before communication.
Numerous AKA protocols have been proposed [16–21]. 2.1. Sensor Node Registration. In this phase, the corre-
However, many of these AKA protocols have proven to be sponding gateway injects the necessary information into
insecure against many types of attacks. Recently, Fotouhi each sensor node. We assume that a gateway GWj is the
et al. [22] proposed a lightweight and secure two-factor AKA corresponding gateway of SNk . GWj generates two random
protocol for WBANs in the healthcare-based IoT. They numbers, Ry and Rz , after which it injects
claimed that their proposed protocol is secure against many {SIDk , SGk , QIDk , GIDj , Ry , Rz } into the memory of SNk ,
attacks, such as key disclosure simulation attacks, special �� ��
session temporary information attacks, and offline password where SGk � h(SIDk ���Gj ��Nl ). GWj also stores
guess attacks. {SIDk , Nl , QIDk , Ry , h(Rz )} in its database.
 In this study, we first demonstrate that Fotouhi et al.’s
proposed protocol [22] is still vulnerable to sensor-capture
attacks. Additionally, their proposed protocol fails to pro- 2.2. User Registration. Assuming that a user, Ui , desires to
vide authentication between users and mobile devices. To register to GWj , the following steps are performed:
overcome these security pitfalls, we propose a secure and Step 1: Ui sends IDi and HPWi to GW
efficient AKA protocol for WBANs. The security analysis �� j through a
 secure channel, where HPWi � h(PWi ��R0 ).
shows that our proposed protocol is secure. We also provide
a detailed comparison to demonstrate that our proposed Step 2: if Ui is an unregistered user, GWj generates a
protocol achieves improved efficiency and security. pseudoidentity CIDi and a random number Rx , and it
 The remainder of this paper is organized as follows. In stores {IDi , HPWi , CIDi , Rx } in GWj ’s database. GWj
 �� �� ��
Section 2, we briefly review the authentication protocol then calculates A1 � h(CIDi ���Rx ���GIDj ���GIDj )⊕HPWi
proposed by Fotouhi et al. In Section 3, we provide a rea- �� ��
 and A2 � h(IDi ���Gj )⊕h(IDi ��HPWi ), after which it
sonable cryptanalysis of Fotouhi et al.’s proposed protocol.
In Section 4, we propose a new protocol for improving the sends {CIDj , GIDj , A1 , A2 } to Ui through a secure
flaws in the old protocol. In Section 5, we perform a security channel.
 ��
analysis, which includes both formal and informal analyses, Step 3: Ui calculates A3 � h(IDi ��PWi )⊕R0 , after which
to demonstrate the security and stability of our proposed it stores {CIDi , GIDj , A1 , A2 , A3 } in the mobile device.
protocol. In Section 6, we analyze the security and perfor-
mance of our proposed protocol in terms of security, per-
formance, and communication cost. Finally, we provide the 2.3. Authentication Phase. Assuming that Ui desires to
conclusions to this study. communicate with SNk , the following steps are performed:

Security and Communication Networks 3

 Table 1: Notations table.
Symbol Description
Ui , IDi , PWi i-th user, his/her identity, his/her password
GWj , GIDj , Gj j-th gateway, its identity, its secret key
SNk , SIDk k-th sensor, its identity
Nl Network identifier of the sensor set
SGk Shared key between sensor and gateway
SKu Session key generated by user
SKg Session key generated by gateway
SKs Session key generated by user
Mi i-th message
CIDi , QIDk Temporary pseudoidentity of Ui and SNk
Rs , R0 , Ru , Rg , Rx , Ry , Rz Temporary random number
Gen(·), Rep(·) Biometric extraction function, decryption function
BIOi Biometric information of the i-th user
h(·) Hash function
⊕ Bitwise XOR operation
‖ Concatenate operation

 �� ��
 Step 1: Ui generates a random number, Ru , after which �� SKg � h(Ru ⊕HPWi ���Rg ��Rs ). It further verifies the
 it calculates R0 � A3 ⊕h(IDi ‖PW), HPWi � h(PWi ��R0 ),
 correctness of B12 , generates a new CID′i for Ui , stores
 B1 ��A1 ⊕HPWi , B2 � B1 ⊕HPWi ⊕Ru , B3 � SIDk ⊕H
 � QIDk′ and Rz′, and replaces Ry′ and h(Rx ) with Ry and
 (IDi ��Ru ), and B4 � h(CIDi ⊕GIDj ⊕SIDk ⊕B1 ⊕IDi ⊕Ru ).
 Afterwards, Ui transmits M1 to GWj , where Rx , respectively. It then calculates
 �� �� �� ��
 M1 � {CIDi , GIDj , B2 , B3 , B4 }. B13 � h(CID′i���h(Rx )���GIDj ���Gj )⊕h(Ru ��HPWi ),
 �� �� ��
 Step 2: GWj obtains the corresponding IDi , Rx , and B14 � h(Ru ��IDi )⊕Rg , B15 � h(Ru ���Rg ��HPWi )⊕Rs ,
 �� ��
 HPWi from its database. GWj then calculates B1 � B16 � h(h(IDi ���Gj )��Rs )⊕CID′i, and B17 � h(SKg
 �� �� ��
 h(CIDi ���Rx ���GIDj ���Gj ) and Ru � B2 ⊕B1 ⊕HPWi , after ��� ��� ����
 �IDi �B13 �CID′i). GWj then generates {B13 , B14 ,
 which it verifies the correctness of B4 . GWj then B15 , B16 , B17 } and transmits it to Ui .
 generates two random numbers, Rg and Rz′, obtains ��
 Step 5: U�i calculates Rg � B14 ⊕h(Ru ��IDi ),
 SIDk with B3 , obtains Ry from its database, and gen- �
 � �
 Rs � B15 ⊕h(Ru ���Rg ��HPWi ), and CID′i � B16 ⊕h
 erates a new pseudonym QIDk′. GWj then calculates �� ��
 �� �� � ((A2 ⊕h(IDi �HPW � �
 i ))�Rs ). U� i then calculates the ses-
 SGk � h(SIDk ���Gj �N � l ), S � h(SGk ����GIDj ), B5 � (Ru �� ���
 sion key SKu � h(Ru ⊕HPWi ��Rg �Rs ) and verifies B17 .
 ⊕HPWi )⊕S⊕Ry , B6 � Rg ⊕S⊕SIDi ⊕Ry , B7 � QIDk′⊕
 �� �� When the verification
 �� is passed, Ui calculates
 Rg ⊕Ry , B8 � h(Rg ���Ry ‖S)⊕Rz′, and B9 � h(QIDk ���B7 �
 A1 � B13 ⊕h(Ru �HPWi ) and stores CID′i and A1′.
 ′
 �� ��� � �
 ��B8 ��SGk ����Ru ⊕HPWi ����Rg ). Afterwards, GWj transmits
 {QIDk , B5 , B6 , B7 , B8 , B9 } to SNk .
 Step 3: SNk verifies the correctness of QIDk .�If it is
 3. Cryptanalysis of Fotouhi et al.’s Protocol
 �
 correct, SNk calculates S � h(SGk ���GIDj ), This section shows that Fotouhi et al.’s protocol [22] is
 (Ru ⊕HPWi )B5 ⊕S⊕Ry , and Rg � B6 ⊕S⊕SIDk ⊕Ry . If B9 vulnerable to sensor-capture attacks and a lack of authen-
 is correct, SNk generates tication between users and mobile devices.
 �� a random number, Rs , and it
 calculates Rz′ � h(Rg ���Ry ‖S)⊕B8 , QIDk′ � B7 ⊕Rg ⊕Ry ,
 and B10 � Rg ⊕S⊕Rz . SNk then stores QIDk′, Rz′, and
 3.1. Threat Model. The attacker model briefly describes the
 Ry′ � h(Ry ), and it calculates SKs � h(Ru
 �� �� capabilities of an attacker. In this study, we use the D − Y
 � �
 ⊕HPWi ��Rg �Rs ). It then calculates B11 � h(SGk model [23–25] and assume that the attacker is A. The de-
 �� �� �� �� ��
 ��R )⊕h(R )⊕R and B12 � h(B10 ��B11 ��SKs ��SIDk ��� tailed capabilities are as follows:
 � g � y s
 �
 GIDj ��Rs ), after which it transmits {B10 , B11 , B12 } to (1) A can eavesdrop and intercept information trans-
 GWj . mitted by public channels and can forge, delete,
 replay, and tamper with such information
 Step 4: GWj calculates Ry′ � h(Ry ) and Rz′ � Rg ⊕S⊕B10 .
 It then verifies whether h(Rz ) is equal to h(Rz′). If the (2) A can extract the information from the captured
 verification sensor nodes
 ��is passed, it calculates
 Rs � B11 ⊕h(SGk ���Rg )⊕Ry′ and obtains the session key (3) A can access the information stored in the gateway

4 Security and Communication Networks

3.2. Sensor-Capture Attack. Assuming that A captures SNk can log into the system. AELSA comprises four main phases:
and obtains {SIDk , SGk , GIDj , Ry , Rz , QIDk } in the memory (a) initialization, (b) registration, (c) login, and (d) mutual
of sensor SNk , A can calculate the session key SK through the authentication and key exchange phases. The registration
following steps: phase includes the user registration and sensor registration
 �� phases. The symbols used are also listed in Table 1.
 Step 1: calculate S � h(SGk ���GIDj ), and then obtain
 (Ru ⊕HPWi ) by calculating B5 ⊕S⊕Ry 4.1. Initialization Phase. We assume that all the gateways are
 Step 2: obtain Rg by calculating B6 ⊕S⊕SID
 �� k ⊕Ry considered trusted parts, the gateways are identified through
 Step 3: obtain Rs by calculating h(SGk ���Rg )⊕h(Ry )⊕B11 GIDj when transmitting messages, and the gateways gen-
 erate Gj as their private key during initialization. In this
 Therefore, A ��can� calculate the correct session key phase, important parameters and functions of the system are
 �
SK � h(Ru ⊕HPWi ���Rg ��Rs ) shared among Ui , GWj , and generated and published, such as initializing the stored
SNk . information within the gateway.

3.3. Lack of Authentication between Users and Mobile Devices.
 4.2. Registration Phase. This phase comprises a sensor node
Assuming that an attacker A captures Ui ’s mobile device, A
 enrollment phase and a user enrollment phase with the
performs the following steps:
 following steps.
 Step 1: because A does not know PWi , A randomly
 generates PW′i and then inputs IDi and PW′i to the
 4.2.1. Sensor Node Enrollment. In the sensor registration
 captured mobile device. The mobile device calculates
 phase of AELSA, if a new sensor SNk wants to join the
 and transmits M1 with the fake password PW′i to GWj .
 WBAN, it must interact with the data and submit regis-
 Step 2: GWj verifies GIDj and CIDi , after which it tration information to the gateway GWj . First, SNk sends its
 calculates B1 and Ru . Afterwards, GWj attempts to SIDk and Nl to GWj over a secure channel. After GWj
 verify the correctness of B4 , and GWj realizes that M1 receives the message, it determines whether SIDk is a new
 sent from Ui is not legal. identity and generates a new pseudoidentity QIDk for SNk if
 Essentially, A does not need to capture a mobile device it is a new identity. Next, it computes ��SGk as a shared key for
because the attacker can eavesdrop the M1 between any user SNk and GWj , where SGk � h(SIDk ���Gj ⊕Nl ), and it stores
and GWj and then send M1 to GWj . {QIDk , Nl } into the memory. Afterwards, GWj securely
 The scenario mentioned above illustrates two weaknesses sends {SGk , QIDk } to SNk . Once SNk receives the message, it
in Fotouhi et al.’s proposed protocol. First, the mobile device encrypts SGk using its SIDk , RSGk � SGk ⊕SIDk , and it stores
does not verify the password that a user inputs. Regardless of {RSGk , QIDk }.
whether the password or account number entered by Ui is
correct, the mobile device sends all the necessary messages to 4.2.2. User Enrollment. In this stage, the user completes the
GWj . Second, GWj calculates B1 and Ru before verifying B4 . registration in GWj based on the generation function of the
Owing to the limited computing power of a gateway, if an bioinformation embedded in the mobile device as well as
attacker has been sending a large number of error messages other information. The user enters their identity IDi ,
to a gateway through multiple mobile devices, the gateway password PWi , and bioinformation BIOi on the mobile
may be paralyzed and unable to respond to the requests of device. The mobile device then generates σ i and τ i using the
other users, which will result in immeasurable losses in generation function Gen. It�uses σ i to mask and protect PWi ,
medical Internet environments. �
 calculates HPWi � h(PWi ��σ i ), and sends {IDi , HPWi } to
 GWj on the anti-interference channel. Upon receiving
4. The Improved Protocol
 {IDi , GWj } determines whether the identity is new. A new
In this section, we present an enhanced lightweight and identity represents an unregistered identity. If it is new, it
secure two-factor authentication protocol (AELSA) for then calculates CIDi � h(IDi ) and stores CIDi , HPWi . It
medical IoT and WBANs to address and enhance the out- then selects a secret random number R0 and computes A1 �
standing vulnerabilities and fragile shortcomings of Fotouhi �� �� ��
et al.’s protocol. AELSA also applies to the WBAN archi- h(CIDi ���GIDj ���R0 ⊕Gj )⊕Hpwi and A2 � h(GIDj ��HPWi )
tecture and includes three main participants: (a) the phy- ⊕(R0 ⊕Gj ), which, in turn, store A1 into memory. It then
sician or nurse as the user, (b) the gateway node as the server, transmits the secure message {A2 , GIDj } to Ui over the
and (c) as the sensor. The sensors can include the dynamic private channel. After Ui receives the secure message, it
collection of patient data for real-time data. On the other ��
 computes A3 � h(IDi ��HPWi ) and stores
hand, the gateway represents a server, which acts as an {A2 , A3 , GIDj , Gen(.), Rep(.), an d τ i }, where Rep can de-
authentication and data-delivery center for ensuring mutual
 crypt σ i using the biological information BIOi and τ i .
authentication between the physician and the sensor. The
physician or nurse, as the user, can access the information
from the sensor, which is delivered using the gateway 4.3. Login Phase. Compared to the protocol proposed by
through a device, such as a mobile device or a computer that Fotouhi et al., AELSA adds a login phase in which the mobile

Security and Communication Networks 5

 �� �� ��
device verifies the legitimacy of Ui ’s identity and effectively B8 � h(Rg ��Rs ��SGk ��T3 ). SNk then sends M3 {B7 , B8 , T3 }
prevents the consumption of redundant functions resulting to GWj over the public channel.
from the nonuse of authentication. It is assumed that when
 Step 4: after receiving message M3 , GWj verifies the
Ui logs into the mobile device, Ui enters ID∗i and PW∗i and
 freshness of timestamp T3 using |T3 − TC |≦ΔT. After
enters biological information BIO∗i , such as the fingerprint
 ∗ ∗ verifying that it passes, GWj generates timestamp T4
and iris. The mobile
 � ∗ device ∗calculates∗ �� Rep(BIOi , τ i )σ i , ��
 ∗ ∗�� � and computes Rs � h(SGk ���Rg )⊕B7 and
HPWi � h(PWi �σ i ), and A3 � h(IDi �HPWi ). It then
 �� �� ��
verifies A3 by comparison. If A3 � A∗3 , the mobile device ∗
 B � h(Rg �R
 8
 � s �SG
 � k �T � 3 ), after which it verifies the le-
allows Ui to log in. Otherwise, it denies Ui to log into the gitimacy of B8 .� If B8 qualifies, the key
system and sends an alert. Figure 2 shows the detailed � �� ��
 SKg � h(Ru ⊕HPWi ���Rg ��Rs ), B9 � h(Ru ⊕GIDj ��HPWi )
process of the user login phase. �� �� ��
 ⊕(Rg ��Rs ), and B10 � h(R0 ⊕Gj ���SKg ��Ru ). Finally, GWj
 generates M4 {B9 , B10 , T4 } and passes M4 back to Ui .
4.4. Mutual Authentication and Key Exchange Phase. In the
 Step 5: in the final step, after receiving the message M4 ,
key exchange phase, the user, gateway, and sensor negotiate
 Ui verifies whether |T4 − �� TC |≦ΔT, and if this is�� correct,
to create a three-way trusted key for ensuring the correctness
and security of future messages. This phase comprises five it computes (Rg ��Rs ) � B9 ⊕h(Ru ⊕GIDj ��HPWi ),
 �� �� ��
steps, as described below. Among other things, Figure 3 SKu � h(Ru ⊕HPWi ���Rg ��Rs ), and B∗10 � h(R0 ⊕Gj ��SKu
shows the stages of mutual authentication and key exchange. ��� ?
 �Ru ). Finally, Ui verifies whether B∗10 � B10 , and if this is
 Step 1: user Ui selects the SIDk of the sensor to be true, the verification and key exchange phase is
 accessed, generates a random number Ru , and creates a complete.
 timestamp T1 . Ui computes (R0 ⊕Gj ) � A2
 �� ��
 ⊕h(GIDj �HPWi ), B1 � SIDk ⊕h(GIDj ��HPWi ), B2 �
 �
 �� 5. Security Analysis
 Ru ⊕h(GIDj ��HPWi ⊕SIDk ), and B3 � (R0 ⊕Gj )h(GIDj
 ��
 ��Ru ), after which Ui transmits the message M1 In this section, we use the random oracle model (ROR) to
 {CIDi , GIDj , B1 , B2 , B3 , T1 } to the gateway GWj . conduct a rigorous formal security analysis of the improved
 protocol. In addition, an informal security analysis is carried
 Step 2: after receiving the message M1 , GWj verifies the out to logically analyze the protocol. Through the following
 legitimacy of T1 by determining whether it matches security analysis, it is easy to prove the security and ro-
 |T1 − TC |ΔT. GWj searches and obtains the corre- bustness of the improved protocol.
 sponding HPWi and QIDk in the memory based on
 CIDi in M1 . Afterwards, GWj computes
 �� ��
 SIDk � B1 ⊕h(GIDj ��HPWi ), Ru � B2 ⊕h(GIDj �� 5.1. Formal Security Analysis. In this section, the ROR model
 ��
 HPWi ⊕SIDk ), (R0 ⊕Gj ) � B3 ⊕h(GIDj ��Ru ), and is mainly used to prove the security and feasibility of our
 �� �� proposed protocol, and we successfully demonstrated that
 ∗ � �
 A1 � h(CIDi ��GIDj ��R0 ⊕Gj )⊕HPWi , and it verifies users and sensor nodes can securely establish session keys
 ? through the gateway. In the proof process, U represents a
 A1 � A∗1 . If the verification fails, GWj aborts the con-
 versation. Otherwise, GWj confirms the legitimacy of user, G represents a gateway, and S represents a sensor node.
 The detailed proof of the procedure is presented as follows.
 the identity of Ui , after which it generates a random
 number Rg and a new timestamp T2 , and it computes
 ��
 SGk � h(SIDk ���Gj ⊕Nl ), B4 � Ru ⊕HPWi ⊕SGk , B5 � Rg 5.1.1. ROR Model. In this section, we will use the ROR
 �� �� �� �� ��
 ⊕h(SGk ��SIDk ), and B6 � h(QIDk ��B4 ��B5 ��SGk ��Ru model to prove the security and reliability of our proposed
 �� new scheme, where A represents the attacker. There are
 ⊕HPWi ���Rg ). Finally, GWj sends M2 {QIDk , B4 , three participants which are user U, gateway G, and sensor S.
 B5 , B6 , T2 } to the sensor node SNk . Suppose ΠxU represents the x-th communication of the user,
 j
 Step 3: once M2 is received, SNk verifies that ΠiU ∗ represents the i-th instance of the user, ΠG represents
 |T2 − TC |≦ΔT, and if this is true, then the message M2 the j-th instance of the gateway, and ΠkS represents the k-th
 is fresh. Afterwards, SNk obtains the corresponding instance of the sensor. The attacker has special capabilities
 RSGk in storage based on QIDk . It computes and can initiate the following queries:
 SGk � RSGk ⊕SIDk , (Ru ⊕HPWi ) � B4 ⊕SGk , Rg � B5 ⊕ j
 Execute(ΠxU ∗ , ΠG , ΠkS ): by executing this query, A can
 �� �� �� �� �
 h(SGk �SID � k ),
 � 5 ���SGk ����Ru ⊕
 and B∗6 � h(QIDk ���B4 �B intercept and obtain the messages transmitted between
 �� the various participant instances on the public channel.
 HPWi ���Rg ), and it verifies whether B∗6 � B6 . If the
 ?
 Passive attacks can be executed by this query
 verification is successful, SNk creates a random number
 Send(ΠxU , M): in this query, A can get the corresponding
 Rs and a timestamp �T3 , after which it computes�� the keys
 �� ��� � response by sending message M to ΠxU . A can perform
 � �
 SKs � h(Ru ⊕HPWi �Rg �Rs ), B7 � h(SGk �Rg )⊕Rs , and man-in-the-middle attacks and impersonation attacks.

6 Security and Communication Networks

 Figure 2: Login phase.

 Figure 3: Mutual authentication and key agreement phase.

 Hash(ΠxU , string): in this query, the hash value of the Test(ΠxU ): A can perform this query by flipping a coin
 input string can be obtained by A. C. If C results in 1, the attacker will get the correct
 Corrupt(ΠxU ): through this query, A can send this query session key; otherwise, the attacker will receive a
 to the instance ΠxU and ΠxU returns the secret value of U: random string.
 long-term private key, password, and secret parameters
 stored in the smart card (based on the smart card). A can
 simulate the execution of forward secrecy, privilege Theorem 1. In the above ROR model, we redefine the A’s
 insider (internal) attacks, and stolen smart card attacks. capabilities and allow the attacker to execute the above query,
 so the probability P of our proposed new protocol being broken
 Reveal(ΠxU ): A can send this query to the instance ΠxU
 and ΠxU returns the current session key SK generated by is expressed as AdvvA (ξ) ≤ qsend /2l−2 + 3q2hash /
 l−1 s′ l
 its partner to A. A can simulate the execution of 2 + 2 max C′ , qsend , qsend /2 , where qhash represents the
 known session key attacks. number of hash queries performed and qsend represents the

Security and Communication Networks 7

number of queries performed. The number of bits of biological 2
 Pr SuccGM4 (ξ) − Pr SuccGM3 (ξ) ≤ qsend + qhash .
information is expressed by l, C′ and s′ are Zipf ′ s law [26]. A A 
 2l 2l+1
 (5)
Proof. We define GM0 to GM5 to mimic and verify the
 GM
behavior that may be performed by A. SuccA i (ξ) is used to GM5 : in GM5 , A can execute smart card stolen attacks.
denote the probability of success of A’s attack on the A uses Corrupt(ΠxU ) to get the information stored in
protocol in GMi . The specific process is as follows: SC A2 , A3 , GIDj , Gen(.), Rep(.), τ i . The mobile user
 uses password PWi and biological information �� BIOi to
 GM0 : in GM0 , A does not initiate any queries.
 register. If A tries to guess A∗3 � h(ID∗i ��HPWi ), since
 Therefore, in GM0 , the probability P that the protocol is
 HPWi is encrypted with biological information, the
 broken in this query round is
 probability of A guessing the biometric σ i is 1/2l [27].
 A can also guess low-entropy passwords; using Zipf ′ s
 AdvvA (ξ) � 2Pr SuccA 0 (ξ) − 1 .
 GM
 (1) law [26], we can get
 
 Pr SuccGM5 (ξ) − Pr SuccGM4 (ξ) ≤ max C′ , q′s , qsend .
 GM1 : GM1 adds Execute query, and the others have no A A send
 2l
 difference with GM0 . We can obtain
 (6)
 GM GM
 Pr SuccA 1 (ξ) � Pr SuccA 0 (ξ) . (2) GM6 : GM6 is used to verify whether the proposed
 protocol is resistant to impersonation
 �� �� attacks. In GM6 ,
 GM2 : GM2 adds Send query, and there is no difference if A issues a h(Ru ⊕HPWi ���Rg ��Rs ) query, the game is
 with GM1 . Therefore, we can get terminated. So we can obtain
 
 Pr SuccGM2 (ξ) − Pr SuccGM1 (ξ) ≤ qsend . 2
 Pr SuccGM6 (ξ) − Pr SuccGM5 (ξ) ≤ qhash .
 A A (3) (7)
 2l A A
 2l+1
 GM3 : GM3 and GM2 are indistinguishable except that it Since GM6 has half the probability of success and
 adds the Hash query and deletes the Send query. We failure,
 can obtain
 GM 1
 2 Pr SuccA 6 (ξ) � . (8)
 Pr SuccGM3 (ξ) − Pr SuccGM2 (ξ) ≤ qhash . (4) 2
 A A 
 2l+1
 To sum up, we can obtain the following conclusions:
 
 GM4 : in GM4 , whether a session key is secure or not can 1 1 
 AdvVA (ξ) � Pr SuccA 0 (ξ) − 
 GM
 be seen in the following two cases. The first case is 2 2
 whether the protocol can ensure perfect forward se-
 
 crecy security when A obtains the long-term private � Pr SuccA 0 (ξ) − Pr SuccA 6 (ξ) 
 GM GM
 key. The second is whether the protocol can resist the
 temporary information leakage attack when the tem- 
 � Pr SuccA 1 (ξ) − Pr SuccA 6 (ξ) 
 GM GM
 porary information is compromised.
 j
 (1) Perfect forward secrecy: using ΠG , A tries to obtain 5 
 
 ≤ Pr SuccA i+1 (ξ) − Pr SuccA i (ξ) 
 GM GM
 the long-term key SGk between the gateway and the
 sensor, or A uses ΠxU ∗ or ΠkS to try to get a certain i�0
 secret value in the registration phase
 (2) Known session-specific temporary information qsend 3q2hash ′ qsend
 j � + + max C′ , qssend , .
 attacks: A uses one of ΠG or ΠiU ∗ or ΠkS to try to 2 l−1
 2 l−1
 2l
 obtain temporary information from one entity (9)
 In both cases, A only needs to use Send �� and
 �� Hash
 queries to compute SKu � h(Ru ⊕HPWi ���Rg ��Rs ). For Finally, we can get
 the first case, assuming that A obtains the long-term qsend 3q2hash ′ qsend
 key SGk , although Ru ⊕HPWi can be computed by AdvvA (ξ) ≤ � l−1
 + l−1
 + 2 max C′ , qssend , .
 intercepting B4 , A has no access to SIDk and thus 2 2 2l
 cannot compute Rg and Rs and thus even less likely to (10)
 compute SK. For the second case, assuming that A
 obtains the temporary information Ru , A has no access Therefore, we can use the ROR model to demonstrate
 to the other random numbers Rg and Rs and thus that our proposed new protocol can provide perfect forward
 cannot crack this protocol. Therefore, we get security against common attacks such as smart card theft

8 Security and Communication Networks

attacks, man-in-the-middle attacks, and other more com- 5.2.5. Resisting Offline Password-Guessing Attacks. In the
mon attacks. □ authentication stage, we use the pseudo-password HPWi as
 a substitute for the user password to ensure the security and
 privacy of the password. Because the user password is
5.2. Informal Security Analysis. In this section, we prove that obtained through the user’s biological information and
our proposed protocol is secure against common attacks. password encryption, assuming that the attacker obtains
The security of our proposed protocol and the reasons it can HPWi , the user password cannot be calculated. In the login
withstand attacks are analyzed. phase, assuming that the attacker obtains A3 and IDi , the
 attacker cannot calculate PWi from these data. Therefore,
 our proposed protocol can resist offline password-guessing
5.2.1. Resisting Sensor Node Capture Attacks. If an attacker attacks.
captures a sensor node and obtains its memory information,
although the attacker already knows the parameters RSGk
and QIDk , to obtain SK, the attacker must also know SIDk 5.2.6. Resisting Privileged Insider Attacks. Assuming that an
and the long-term key SGk between the gateway and the attacker is an insider of the gateway and has access to the
sensor node, which is obtained from RSGk and SIDk through gateway’s memory information [30], the attacker can obtain
heterodyning. However, SIDk is not stored in the memory of CIDi , HPWi , and QIDi . After obtaining this internal in-
the sensor node. Therefore, our proposed protocol is im- formation, the attacker cannot compute any valuable in-
proved to effectively prevent sensor node capture attacks. formation, and thus, the exact protocol is completely
 resistant to privileged insider attacks.
5.2.2. Ensuring Authentication between Users and Mobile
Devices. An attacker can replay eavesdropped messages and 5.2.7. Resisting Relay Attacks. In the general three-party
obtain valuable information through replay and feedback. authentication protocol, the general steps involve authen-
For example, an attacker can replay message M1 by imitating ticating communications between the user and the server.
the user. However, our improved protocol does not provide The server then communicates with the sensor or other
this opportunity to the attacker. This is because we add a devices for authentication, after which the sensor and other
timestamp T to verify the freshness of the message, and we devices pass the information to the user through the server,
set a reasonable timestamp threshold. Moreover, we add and the information finally reaches the user, server, sensors,
biometric authentication to ensure accurate authentication and other devices involved in the three-party authentication
between users and mobile devices, thereby preventing at- process. However, the transmission process is prone to relay
tackers from attacking the gateway using large amounts of attacks [30, 31], where information can easily be intercepted
useless information resulting from the lack of authentication by the attacker using disguised devices to obtain the correct
between users and devices. information sent by the official server or the user, so that
 they can disguise themselves as legitimate servers and send
5.2.3. Perfect Forward Secrecy. If an attacker cannot obtain instructions to the user or disguise themselves as legitimate
the previous session key when the private long-term key is users to obtain valuable information. However, in our
destroyed, the authentication protocol has perfect forward proposed protocol, the server GWj properly verifies the
confidentiality [28, 29]. Assuming that an attacker has ob- legitimacy of user Ui and sensor SNk by comparing A1 and
tained the long-term key SGk between the gateway and the B8 . Additionally, the sensors and users verify the legitimacy
sensor, although it can be obtained through the message B4 of the server, and they employ a timestamp to verify the
of the common channel (Ru ⊕HPWi ), Rg and Rs are pro- freshness of the message. Thus, our proposed protocol is
tected by the long-term key SGk in addition to SIDk . resistant to relay attacks.
Therefore, an attacker cannot obtain SIDk while obtaining
the long-term key. As such, it can be inferred that the at-
tacker cannot crack the long-term key in the case of 5.2.8. Resisting Stolen-Verifier Attacks. In a stolen authen-
obtaining the past session key. Thus, our proposed protocol tication attack, we assume that the user authentication value
demonstrates perfect forward security. stored on the server side is stolen by an attacker, and the
 attacker can directly use the authentication value to disguise
 themselves as a user and log into the system. Further, we
5.2.4. Resisting Session-Specific Temporary Information assume that the secret information stored on the server side
Attacks. If short-term secret information, such as random is also stolen, and the attacker can use this information to
numbers, is cracked and obtained by an attacker, the attacker obtain the public key. Assuming that an attacker obtains the
cannot calculate the key SK. Because the improved protocol stored information inside the gateway GWj , which is
uses a three-way random number and the encrypted value of CIDi , HPWi , A1 , QIDk , Nl , the key to determining SK
the user’s password information composition, an attacker involves obtaining SGk and obtaining Ru using SGk .
cannot obtain the user’s password information through the However, SGk cannot be obtained using the information in
knowledge of the random number. Therefore, our proposed the memory of GWj . Therefore, our proposed protocol can
protocol can resist temporary information leakage attacks. resist stolen authentication attacks.

Security and Communication Networks 9

 Table 2: Comparisons of security.
 Gope and Hwang
Security properties Fotouhi et al. [22] Kumari et al. [32] Srinivas et al. [33] Ours
 [34]
Perfect forward secrecy ✓ ✓ ✓ ✓ ✓
Resists impersonation attacks ✓ ✓ ✓ ✓ ✓
Resists offline password-guessing attacks ✓ ✕ ✕ ✕ ✓
User anonymity security ✓ ✓ ✓ ✓ ✓
Mutual authentication ✓ ✓ ✓ ✓ ✓
Resists replay attacks ✕ ✓ ✓ ✓ ✓
Resists sensor-capture attacks ✕ ✕ ✓ ✓ ✓
Resists known session temporary information
 ✓ × ✓ ✓ ✓
attacks
Resists relay attacks ✓ ✓ ✓ ✓ ✓
Resists man-in-the-middle attacks ✓ ✕ ✓ ✓ ✓
Provable security ✕ ✕ ✕ ✕ ✓

 Table 3: The computational cost of complex operations.
Operations Host node(s)
Hash function 0.00032
Fuzzy function 0.0171
Chaotic map function 0.0171
Encryption and decryption 0.0056

 Table 4: Calculation cost comparison.
Protocol User Gateway Sensor Total (ms)
Fotouhi et al.’s [22] 10Th 17Th 7Th 37Th � 10.88
Kumari et al.’s [32] 8Th + 2Ts 4Th + Ts 4Th + 2Ts 16Th + 5Ts � 33.12
Srinivas et al.’s [33] 4Th + 2Tc + 2Ts 6Th + 2Ts 3Th + 2Tc 4Tc + 4Ts + 13Th � 94.96
Gope et al.’s [34] 7Th 9Th 3Th 19Th � 6.08
Ours 9Th + 1Tfe 10Th 4Th 23Th + 1Tfe � 24.46

6. Security and Performance Comparisons 6.2. Performance Comparisons. We performed a perfor-
 mance comparison between the new authentication protocol
In this section, we discuss the typical costs of the authen- and the other four authentication protocols listed in Table 4.
tication protocols from three aspects: protocol security, Additionally, we made the following calculations in terms of
computing cost, and storage consumption [22, 32–34]. the time consumption of cryptographic operations, as shown
 in Table 3, including hash functions, symmetric key en-
 cryption/decryption, chaotic mapping functions, and fuzzy
6.1. Security Comparisons. As shown in Table 2, we com- extraction functions, as the most important operations [22].
pared the security analysis of the mentioned protocols and The meanings of symbols in Table 4 are as follows: Th de-
used ✓ and ✕ to signify whether the protocol meets the notes the time of the regular hash operation, Tfe denotes the
security requirements involved. The security of the protocol operation time of the fuzzy function, Ts denotes the oper-
proposed by Kumari et al. [32] was disproved by Li et al. [35] ation time of symmetric encryption and decryption, and Tc
in that it cannot resist sensor node capture attacks, session- denotes the operation time of the chaotic map function.
specific temporary information attacks, sensor node im- In the login and mutual authentication phase, we
personation attacks, and man-in-the-middle attacks. compared the computation times of the user, gateway, and
Therefore, Li et al. designed a mutual authentication and key sensor node sides along with other protocols to design our
agreement protocol for wireless sensor networks. However, proposed protocol. As shown in Table 4, the newly designed
it was later proved to be unsafe. The protocol proposed by protocols guarantee security and time appropriateness.
Srinivas et al. [33] cannot resist offline password-guessing Although our new protocol takes slightly more time than the
attacks. The security of the protocol proposed by Gope and protocols proposed in Fotouhi et al.’s [22] and Gope and
Hwang [34] was disproved by Adavoudi-Jolfaei et al. [36] in Hwang’s [34], it ensures improved security. This is because
that the adversary can obtain the session key between the the extra time spent is mainly in the user login phase, where
user and the sensor using the dy model. Compared to the the user biometric information needs to be compared, a very
protocols mentioned above, our proposed protocol can resist important and indispensable step that amounts to a partial
such attacks and meet the security requirements. performance sacrifice to improve the security of the

10 Security and Communication Networks

 Communication cost (ms)
 6000

 5000

 4000

 3000

 2000

 1000

 0
 Fotouhi et al Kumari et al Srinivas et al Gope et al ours
 Figure 4: Communication cost.

protocol. As a result, the new protocol is more secure than the time being. Most of the problems exist because there is
the two protocols and ensures that the user’s legitimacy is no all-in-one healthcare IoT solution; all solutions are tai-
verified. Compared to Kumari et al.’s [32] and Srinivas lored to specific challenges and therefore can be too ex-
et al.’s [33] proposed protocols, it is evident that our pro- pensive for any organization. The second is the lack of a set
posed protocol significantly reduces the computational cost. of standards for the healthcare industry to protect extremely
In addition, we compared the communication costs, as sensitive healthcare data from security risks and threats. It is
shown in Figure 4. Considering the computational cost and hoped that this paper will provide a reference for addressing
communication in terms of cost and security for the new the security aspects of healthcare data.
protocol, it is evident that our proposed protocol can be
better adapted to the wireless human medical environment Data Availability
regional network, thereby providing improved service ex-
perience for hospital staff and individual patients. No data were used to support this study.

 Conflicts of Interest
7. Conclusion
 The authors declare that they have no conflicts of interest.
In this study, we improve on the WBAN-based authenti-
cation protocol proposed by Fotouhi et al. in medical IoT. Acknowledgments
The improved protocol compensates for the defects in the
original protocol, and it can resist attacks that cannot be The work of Long Li was supported by Guangxi Key Lab-
resisted by the original protocol. It also improves the au- oratory of Trusted Software (no. KX202033).
thentication speed of the protocol, thereby reducing com-
putational expenditure. Moreover, it is advantageous in that References
it is lightweight compared to the original protocol. The [1] M. Shafi, A. F. Molisch, P. J. Smith et al., “5G: a tutorial
improved protocol adds biometric authentication and login overview of standards, trials, challenges, deployment, and
authentication to significantly increase the security of the practice,” IEEE Journal on Selected Areas in Communications,
user login process, and it also makes extensive use of single vol. 35, no. 6, pp. 1201–1221, 2017.
hash, heterogeneous, and joint operations to reduce com- [2] H. Xiong, X. Huang, M. Yang, L. Wang, and S. Yu, “Un-
putational cost. Our proposed protocol is highly secure bounded and efficient revocable attribute-based encryption
against a range of attacks, such as sensor node capture at- with adaptive security for cloud-assisted internet of things,”
tacks, replay attacks, and internal privilege attacks. It IEEE Internet of Things Journal, vol. 2021, Article ID 3094323,
demonstrates excellent performance in terms of security and 2021.
 [3] H. Xiong, Y. Wu, C. Jin, and S. Kumari, “Efficient and privacy-
efficiency. Therefore, it can be considered more suitable for
 preserving authentication protocol for heterogeneous systems
the WBAN-based medical IoT. For every new technology in IIoT,” IEEE Internet of Things Journal, vol. 7, no. 12,
development there are bound to be technical implementa- pp. 11713–11724, 2020.
tion and realization challenges, and the Internet of [4] X. Chen, M. Li, H. Zhong, Y. Ma, and C. H. Hsu, “DNNOff:
Healthcare is facing some problems in terms of adoption for offloading DNN-based intelligent IoT applications in mobile

Security and Communication Networks 11

 edge computing,” IEEE Transactions on Industrial Infor- [19] C. Wang and Y. Zhang, “New authentication scheme for
 matics, vol. 2021, Article ID 3075464, 2021. wireless body area networks using the bilinear pairing,”
 [5] J. W. Jiao Wang, J.-S. P. Jiao Wang, S.-C. C. Jeng-Shyang Pan, Journal of Medical Systems, vol. 39, no. 11, pp. 1–8, 2015.
 Z.-Y. M. Shu-Chuan Chu, and H. L. Zhen-Yu Meng, “Im- [20] P. K. Dhillon and S. Kalra, “Multi-factor user authentication
 proved black hole algorithm for intelligent traffic navigation,” scheme for IoT-based healthcare services,” Journal of Reliable
 Journal of Internet Technology, vol. 22, no. 4, pp. 725–734, Intelligent Environments, vol. 4, no. 3, pp. 141–160, 2018.
 2021. [21] F. Wu, X. Li, A. K. Sangaiah et al., “A lightweight and robust
 [6] X. Xue, X. Wu, C. Jiang, G. Mao, and H. Zhu, “Integrating two-factor authentication scheme for personalized healthcare
 sensor ontologies with global and local alignment extrac- systems using wireless medical sensor networks,” Future
 tions,” Wireless Communications and Mobile Computing, Generation Computer Systems, vol. 82, pp. 727–737, 2018.
 vol. 2021, Article ID 6625184, 2021. [22] M. Fotouhi, M. Bayat, A. K. Das, F. Han, S. M. Pournaghi, and
 [7] S. Lv and Y. Liu, “PLVA: privacy-preserving and lightweight M. A. Doostari, “A lightweight and secure two-factor au-
 V2I authentication protocol,” IEEE Transactions on Intelligent thentication scheme for wireless body area networks in
 health-care IoT,” Computer Networks, vol. 177, Article ID
 Transportation Systems, vol. 2021, Article ID 3059638, 2021.
 107333, 2020.
 [8] P. Wang, C. M. Chen, S. Kumari, M. Shojafar, R. Tafazolli, and
 [23] D. Dolev and A. Yao, “On the security of public key proto-
 Y. N. Liu, “HDMA: hybrid D2D message authentication
 cols,” IEEE Transactions on Information Theory, vol. 29, no. 2,
 scheme for 5G-enabled VANETs,” IEEE Transactions on In-
 pp. 198–208, 1983.
 telligent Transportation Systems, vol. 2020, Article ID 3013928, [24] D. Wang, D. He, P. Wang, and C. H. Chu, “Anonymous two-
 2020. factor authentication in distributed systems: certain goals are
 [9] J. Song, Q. Zhong, W. Wang, C. Su, Z. Tan, and Y. Liu, “FPDP: beyond attainment,” IEEE Transactions on Dependable and
 flexible privacy-preserving data publishing scheme for smart Secure Computing, vol. 12, no. 4, pp. 428–442, 2014.
 agriculture,” IEEE Sensors Journal, vol. 2020, Article ID [25] D. Wang and P. Wang, “Two birds with one stone: two-factor
 3017695, 2020. authentication with security beyond conventional bound,”
[10] E. K. Wang, X. Liu, C. M. Chen, S. Kumari, M. Shojafar, and IEEE Transactions on Dependable and Secure Computing,
 M. S. Hossain, “Voice-transfer attacking on industrial voice vol. 15, no. 4, pp. 708–722, 2016.
 control systems in 5G-aided IIoT domain,” IEEE Transactions [26] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s
 on Industrial Informatics, vol. 2020, Article ID 3023677, 2020. law in passwords,” IEEE Transactions on Information Fo-
[11] W. Zhang, Y. Wu, H. Xiong, and Z. Qin, “Accountable at- rensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
 tribute-based encryption with public auditing and user rev- [27] V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-
 ocation in the personal health record system,” KSII based multi-server authentication protocol using smart
 Transactions on Internet and Information Systems (TIIS), cards,” IEEE Transactions on Information Forensics and Se-
 vol. 15, no. 1, pp. 302–322, 2021. curity, vol. 10, no. 9, pp. 1953–1966, 2015.
[12] J. Sun, H. Xiong, X. Liu, Y. Zhang, X. Nie, and R. H. Deng, [28] P. Li, J. Su, and X. Wang, “iTLS: lightweight transport-layer
 “Lightweight and privacy-aware fine-grained access control security protocol for iot with minimal latency and perfect
 for IoT-oriented smart health,” IEEE Internet of Things forward secrecy,” IEEE Internet of Things Journal, vol. 7, no. 8,
 Journal, vol. 7, no. 7, pp. 6566–6575, 2020. pp. 6828–6841, 2020.
[13] C.-M. Chen, C.-T. Li, S. Liu, T.-Y. Wu, and J.-S. Pan, “A [29] L. Xiong, D. Peng, T. Peng, H. Liang, and Z. Liu, “A light-
 provable secure private data delegation scheme for moun- weight anonymous authentication protocol with perfect
 taineering events in emergency system,” Ieee Access, vol. 5, forward secrecy for wireless sensor networks,” Sensors, vol. 17,
 pp. 3410–3422, 2017. no. 11, p. 2681, 2017.
[14] E. Jovanov, A. Milenkovic, C. Otto et al., “A WBAN system for [30] T. Y. Wu, L. Yang, Z. Lee, S. C. Chu, S. Kumari, and S. Kumar,
 ambulatory monitoring of physical activity and health status: “A provably secure three-factor authentication protocol for
 wireless sensor NETWORKS,” Wireless Communications and
 applications and challenges,” IEEE, vol. 2005, Article ID
 Mobile Computing, vol. 2021, Article ID 5537018, 2021.
 1615290, 3813 pages, 2005.
 [31] M. Safkhani, C. Camara, P. Peris-Lopez, and N. Bagheri,
[15] M. R. Yuce, “Implementation of wireless body area networks
 “RSEAP2: an enhanced version of RSEAP, an RFID based
 for healthcare systems,” Sensors and Actuators A: Physical,
 authentication protocol for vehicular cloud computing,”
 vol. 162, no. 1, pp. 116–129, 2010. Vehicular Communications, vol. 28, Article ID 100311, 2021.
[16] J. Liu, Z. Zhang, X. Chen, and K. S. Kwak, “Certificateless [32] S. Kumari, X. Li, F. Wu, A. K. Das, H. Arshad, and
 remote anonymous authentication schemes for wirelessbody M. K. Khan, “A user friendly mutual authentication and key
 area networks,” IEEE Transactions on Parallel and Distributed agreement scheme for wireless sensor networks using chaotic
 Systems, vol. 25, no. 2, pp. 332–342, 2013. maps,” Future Generation Computer Systems, vol. 63,
[17] Z. Zhao, “An efficient anonymous authentication scheme for pp. 56–75, 2016.
 wireless body area networks using elliptic curve cryptosys- [33] J. Srinivas, D. Mishra, and S. Mukhopadhyay, “A mutual
 tem,” Journal of Medical Systems, vol. 38, no. 2, pp. 13–17, authentication framework for wireless medical sensor net-
 2014. works,” Journal of Medical Systems, vol. 41, no. 5, p. 80, 2017.
[18] S. Chatterjee, A. K. Das, and J. K. Sing, “A novel and efficient [34] P. Gope and T. Hwang, “A realistic lightweight anonymous
 user access control scheme for wireless body area sensor authentication protocol for securing real-time application
 networks,” Journal of King Saud University - Computer and data access in wireless sensor networks,” IEEE Transactions on
 Information Sciences, vol. 26, no. 2, pp. 181–201, 2014. Industrial Electronics, vol. 63, no. 11, pp. 7124–7132, 2016.

12 Security and Communication Networks

[35] J. Li, W. Zhang, S. Kumari, K. K. R. Choo, and D. Hogrefe,
 “Security analysis and improvement of a mutual authenti-
 cation and key agreement solution for wireless sensor net-
 works using chaotic maps,” Transactions on Emerging
 Telecommunications Technologies, vol. 29, no. 6, Article ID
 e3295, 2018.
[36] A. Adavoudi-Jolfaei, M. Ashouri-Talouki, and S. F. Aghili,
 “Lightweight and anonymous three-factor authentication and
 access control scheme for real-time applications in wireless
 sensor networks,” Peer-to-Peer Networking and Applications,
 vol. 12, no. 1, pp. 43–59, 2019.