Efficient Anonymous Authenticated Key Agreement Scheme for Wireless Body Area Networks

Wireless body area networks (WBANs) are widely used in telemedicine, where they support real-time patient monitoring and home health-care. The sensor nodes in WBANs collect the client's physiological data and transmit it to the medical center. However, the clients' personal information is sensitive, and there are many security threats in the extra-body communication. Therefore, the security and privacy of the client's physiological data need to be ensured. Many authentication protocols for WBANs have been proposed in recent years, but the existing protocols fail to consider the key update phase. In this paper, we propose an efficient authenticated key agreement scheme for WBANs and add a key update phase to enhance its security. In addition, session keys are generated during the registration phase and kept secret, which reduces the computation cost of the authentication phase. The performance analysis demonstrates that our scheme is more efficient than the currently popular related schemes.


Introduction
With the progress of society and the development of science and technology, people's health-care requirements keep rising. In the area of health-care, people are no longer satisfied with the traditional pattern of post-treatment and hope for a new model that achieves prevention, early diagnosis, and early treatment. As the population ages and the number of older people increases, the need for surveillance of chronic diseases is growing. The elderly can monitor their own health anytime and anywhere, without having to go to the hospital. This not only allows timely diagnosis and treatment according to the patient's condition, but also reduces the cost of medical treatment and the burden on hospitals. On the other hand, with the rapid development of wireless communication technology and the integration of physiological sensors and embedded computing, wireless body area networks (WBANs), whose main application is health-care, have emerged. WBANs are an important branch of wireless sensor networks and provide a convenient and low-cost method for health monitoring of chronic patients.
WBANs can monitor and record human health signals over the long term. WBANs mainly consist of wearable or implanted biomedical sensors and a portable personal device, which collect relevant physiological parameters such as heart rate, blood pressure, and blood sugar. WBANs achieve real-time or long-term monitoring of these physiological parameters to provide timely and accurate data for doctors' diagnosis. The concept of WBANs was first introduced by Zimmerman in 1996 [1]. Later, several variations of WBANs were presented in the literature. The papers [2,3] present a wireless EEG/ECG system using noncontact sensors to monitor human EEG and ECG data. The relevant sensors [4,5] can provide patients with timely warning of disease and remind the patient to seek treatment early. In addition, blood glucose in diabetic patients is monitored by micro blood glucose sensors. When the blood glucose value falls below a certain threshold, the miniature syringe placed on the patient injects insulin to control the blood glucose level in time. WBANs work by using sensors and networks to acquire the user's data and to sense, store, process, and transmit it [6]. As shown in Figure 1, the overall architecture of WBANs can be divided into two tiers. The first tier is the intra-body communication, which refers to the communication between sensor nodes and the smart portable device (SPD) held by the patient. The other is the extra-body communication, which refers to the whole network of the server. This tier enables the SPD to communicate with the remote application provider (AP) such as the hospital, remote doctor, and medical institutions [7]. Our concern in this paper is to enhance the security of the extra-body communication.
The data collected or transmitted in WBANs are very sensitive and important because they are the basis of clinical diagnostics. Besides, the open wireless network environment exposes WBANs applications to many security risks and threats. Therefore, the protection of the client's privacy is the client's primary concern. For example, in telemedicine applications, the client may need anonymous access to medical services. Doctors only need to know the physiological information related to the patient's condition and should not be able to acquire the client's private information, such as the user's name and ID number. Therefore, in WBANs medical applications, we should use suitable cryptographic algorithms to encrypt the user's private information, so as to achieve anonymous authentication between users and medical institutions and to ensure that private information is not disclosed while the user is receiving medical services.
Key agreement and mutual authentication are two fundamental building blocks for meeting the security and privacy requirements [8,9]. More specifically, key agreement is needed to establish a session key between the AP and the client for ensuring the confidentiality and integrity of the information in transmission [10]. Mutual authentication requires that only the authorized WBANs client and AP are authenticated at the same time. Taking into account the importance of privacy and the resource constraints, we design an efficient and anonymous authenticated key agreement scheme for WBANs. Our contributions can be summarized as follows:
(i) By analyzing the existing authenticated key agreement schemes, we propose a novel certificateless authenticated key agreement scheme for WBANs, which is cost-effective and achieves many security requirements. The proposed scheme is based on an efficient and provably secure signature scheme from bilinear pairings [11,12] and an identity-based authenticated key agreement protocol [13].
(ii) Most of the authentication protocols for WBANs generate the session key during the authentication phase, whereas our scheme generates the session key in the registration phase and stores it secretly. Therefore, when the WBANs client authenticates himself/herself to a requested AP, the two parties do not need to establish the session key; thus, this design reduces the computation cost.
(iii) The proposed scheme implements a key update function, which avoids repeated use of the same session key. The WBANs client can update the session key freely.
This paper is organized as follows. We discuss related works in Section 2. Section 3 briefly describes the basic definition of the bilinear pairing and the BDH assumption. Section 4 introduces the system model of our authenticated key agreement scheme for WBANs and lists several security requirements that need to be met. We describe the proposed scheme for WBANs in Section 5. We perform the security analysis of the proposed scheme in Section 6. Section 7 discusses the computation cost of the proposed scheme. We make concluding remarks in Section 8.

Related Works
Because patient health data are sensitive and face many security threats in an open wireless network environment, the protection of the patient's privacy is an important issue. Over the last few years, many authentication schemes for WBANs have been proposed for practical applications.
In 2012, Liu et al. presented a remote anonymous authentication protocol to enable client terminals and applications to securely access WBANs services [14]. Liu et al. also presented a pair of efficient and light-weight authentication protocols to enable remote WBANs clients to anonymously enjoy healthcare services in 2013 [15]. However, Xiong demonstrated that their signature schemes fail to resist the public key replacement attack. Moreover, Liu et al.'s authentication protocols cannot offer forward security and scalability [16].
Zhao [17] discovered that the protocols of Liu et al. are insecure when the verifier table is disclosed. To improve security and efficiency, Zhao proposed an identity-based efficient anonymous authentication scheme for WBANs. However, Zhao's scheme cannot provide real anonymity because the users' pseudo identities are constant values and the adversary could track the users; Wang and Zhang then proposed a new anonymous authentication scheme for WBANs [18]. Security analysis shows that their scheme overcomes the weaknesses of the previous scheme.
He reviewed the Liu et al. scheme [15] and pointed out that it is not secure for medical applications by proposing an impersonation attack. Afterwards, they proposed a new anonymous authentication scheme for WBANs and proved that it is provably secure [19]. In 2017, Xiao et al. proposed a novel certificateless anonymous remote authentication protocol featuring efficient revocation [7]; this was the first work to consider the revocation functionality of anonymous remote authentication for WBANs. In 2015, Shen et al. proposed an enhanced secure sensor association and key management protocol based on elliptic curve cryptography and hash chains for WBANs [20]. Their protocol achieves mutual authentication and secure communication between sensor nodes, the patient controller, and the health-care worker. Because the computation ability of medical sensors and controller nodes in WBANs is very limited, we propose an efficient certificateless authenticated key agreement scheme for WBANs.

Preliminaries
In this section, the basic definition and properties of the bilinear pairing and the Bilinear Diffie-Hellman (BDH) assumption [21] are briefly introduced.

Bilinear Pairing.
Let G 1 be a cyclic additive group with a prime order , and let G 2 be a cyclic multiplicative group with the same order . is an arbitrary generator of G 1 .

Computability.
There is a computable algorithm to get ê(, ) for all ,  ∈ G 1 .
As is shown in [22], the modified Tate pairing on a supersingular elliptic curve is such a bilinear pairing.

The Bilinear Diffie-Hellman (BDH) Assumption.
Let G 1 , G 2 be two groups of prime order . Let ê: G 1 × G 1 → G 2 be an admissible bilinear map. We have {, , , } ∈ G 1 and compute ê(, )  , where , ,  are randomly chosen from Z * . An algorithm is said to solve the BDH problem with an advantage of  if Pr [A (, a, b, c) = ê (, )  ] ≥ . We assume that the BDH problem is hard, which means there is no polynomial time algorithm that solves the BDH problem with nonnegligible probability.

Problem Statement
In this section, the security requirements that the proposed scheme should satisfy are stated. Then, the system model of our authenticated key agreement scheme is introduced.

Security Requirements.
There are some security requirements which need to be met in the design of the certificateless authenticated key agreement scheme for WBANs [23].
Anonymity.
This requirement ensures that an adversary cannot obtain the identities of legal users in the authentication process. The data that sensor nodes detect, collect, and transmit are closely tied to the user in WBANs. These data constitute the user's private information, so users want to enjoy their own wireless medical services while their privacy is not disclosed to unauthorized, illegal third parties. Therefore, the purpose of anonymity is to protect the user's identity from being compromised while enjoying the service.

Forward Secrecy.
Forward secrecy means that, even if the private key of a user or the AP is compromised, the attacker cannot recover earlier session keys, so the confidentiality of previous session keys is still preserved.

Unlinkability.
It indicates that any third party except the client and AP is unable to learn whether two different protocol sessions are initiated by the same user.In other words, the adversary cannot distinguish whether he has seen the same WBANs client twice.

Mutual Authentication.
This requirement confirms the legitimacy of the user's and the AP's identity in WBANs, so as to identify illegal third parties and prevent them from participating in communications. For example, in medical WBANs applications, the authentication scheme enables the AP to identify illegal third parties and ensures that only an authorized user accesses services from the AP.

Session Key Establishment.
Upon a successful mutual authentication process, a session key is established between the WBANs users and the application provider for secure subsequent communication.This session key is used to encrypt physiological data while requesting and accessing services from an AP.
Nonrepudiation.
The user cannot deny that he/she has enjoyed the service provided by application providers, while service providers cannot deny that they have provided a certain service to the user. The user computes the signature information with the application provider for authentication; once the authentication is successful, the user cannot deny that he/she has accessed the medical service.

System Model.
The proposed system consists of three types of entities. The working flow between them is illustrated in Figure 2, which has the following process [24].
(i) Server: the server is similar to a completely trusted third party and is responsible for system initialization. Moreover, it is in charge of the registration of WBANs clients and application providers (APs). Specifically, the server acts as a key generating center, whose responsibility is to generate the system parameters and the secret keys for the client and the AP.
(ii) WBANs client: the WBANs client is monitored by the server and enjoys medical services through smart portable devices or a smart phone. Before accessing services offered by an AP, the client should be registered with the server and preloaded with the public parameters.
(iii) Application provider (AP): application providers may be hospitals, clinics, or any other medical institutions. They should also be registered with the server and preloaded with the public parameters before they offer health-care monitoring and treatment remotely to WBANs clients.

Proposed Scheme
In this section, an efficient certificateless authenticated key agreement scheme for WBANs is proposed. Our scheme involves three entities: the WBANs client, the server, and the application provider. In addition, this scheme consists of the initialization, registration, authentication, and key update phases. In the registration phase, the client submits some personal information to the server; the server then generates the partial private key for the user and some related parameters. After that, the server sends them to the client over a secure channel. This phase is carried out only once, unless the client reregisters. Upon completion of the registration phase, the client is able to access the AP in the authentication phase. This phase can be performed as many times as needed. In the key update phase, the client can update his session key and change his pseudonym by interacting with the server.

Initialization.
The server first performs the following operations. Given a security parameter , the server chooses two groups G 1 and G 2 of the same prime order  > 2  and a modified Weil pairing map ê: The server generates a random number  ∈ Z *  as its master key and computes its public key  pub =  ∈ G 1 .

Afterwards, the server picks a message authentication code MAC (⋅) (⋅).

Registration.
Each client needs to perform the following operations (shown in Figure 3) with the server once before he or she can access the AP for medical services. Likewise, an application provider should first perform this phase with the server once before it can provide services to the clients.
(a) The client generates a pseudonym id = {0, 1} * as his identity when he needs to authenticate with the AP and picks a random number  ∈ Z *  secretly. After that, this client computes   =  and sends the message {ID  ,   , id} to the server over a secure channel. Note that ID  is the real identity of the client.
(b) The AP associated with identity ID AP selects a secret value  ∈ Z *  and computes  AP =  and then sends its identity ID AP and  AP to the server over a secure channel.
(c) Once the server receives this client's message {ID  ,   , id} and the message {ID AP ,  AP } from the AP, it first verifies whether their identities are valid, defines the client's right, and then computes   =  1 (ID  ),   =   ,   =   , and   = (1/( +   )). Among them,   is the partial private key of the client. Likewise, the server also computes  AP =  1 (ID AP ),  AP =  AP ,  AP =  AP , and  AP = (1/( +  AP )). Afterwards, the server sends the message {  ,  AP ,  AP ,   , right} and the message { AP ,   ,   ,  AP , id} to the client and the AP in secret, respectively.
(d) After receiving the message {  ,  AP ,  AP ,   , right} from the server, the client first computes   =  pub +   and verifies the message's validity by checking whether the formula ê(  ,   ) =  holds. If it holds, the client generates the session key   = ê( AP ,  pub )ê(  ,  AP ). Now the client stores   ,   , right, and   in a registration table secretly.

Authentication.
In this phase, as shown in Figure 4, the client and the AP authenticate each other by performing the following steps.
(a) The client chooses a random number  ∈  *  and sets  as his secret value and then outputs a pair (  , ) as the client's private key. That is, the client's private key sk  = (  , ) is the pair consisting of the partial private key and the secret value. Afterwards, the client generates his public key pk  =   and computes ℎ =  2 (  , pk  ),  = (1/( + ℎ))  , where   denotes the current timestamp. The client encrypts id, right, and   with the session key generated during the registration phase; this process is denoted  =   (id, right,   ). The client sends the message {pk  , , } to the AP.
(b) Upon receiving {pk  , , }, the AP obtains (id, right,   ) by using the session key  to decrypt . The AP calculates ℎ =  2 (  , pk  ) and checks whether the equation ê(, pk  + ℎ  ) =  holds. If it does not hold, the AP rejects the client's request. Otherwise, the AP computes the authentication code MAC  (ℎ) and sends the code to the client. Note that the session key was generated during the registration phase and is kept secret in the database.
The correctness of the verification algorithm ê(, pk  + ℎ  ) =  is proved as follows:
(c) Upon receiving the response message MAC  (ℎ), the client checks the integrity of the authentication code. If the check fails, the user quits the current session. Otherwise, the client accepts the AP as authenticated and regards  as the session key for the subsequent communication.
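The AP-side check ê(σ, pk + h·P) = ê(P, P) and the MAC response, as an added illustration that is not code from the paper: the pairing is replaced by a simulated bilinear map over a small safe prime (insecure, logic demo only), and it assumes σ = (1/(x + h))·P as in the ZSS-style signature the scheme builds on, H2 as SHA-256 reduced mod q, MAC as HMAC-SHA256 under the stored session key, and an added timestamp freshness window that the paper does not specify.

```python
"""Toy model of the authentication-phase check e(sigma, pk + h*P) = e(P, P).

The pairing is SIMULATED: a G1 element a*P is stored as the scalar a, and
e(a*P, b*P) = g^(a*b mod q) mod p over a small safe prime p = 2q + 1.  This
is bilinear, so the algebra of the check is exercised faithfully, but it is
not secure (every discrete log is known by construction).  Logic demo only.
"""
import hashlib
import hmac
import secrets

P_MOD = 1019    # constructed demo parameters: safe prime p = 2q + 1 ...
Q_ORD = 509     # ... with prime group order q (assumption: demo-sized)
G2_GEN = 4      # quadratic residue, hence a generator of the order-q subgroup
P_GEN = 1       # the G1 generator P, represented by the scalar 1
MAX_SKEW = 60   # freshness window for T in seconds (added check, not from the paper)


def pairing(a: int, b: int) -> int:
    """e(aP, bP) = g^(ab): stand-in for the modified Weil/Tate pairing."""
    return pow(G2_GEN, (a * b) % Q_ORD, P_MOD)


def h2(timestamp: int, pk: int) -> int:
    """H2(T, pk) mapped into Z_q (assumption: SHA-256 reduced mod q)."""
    digest = hashlib.sha256(f"{timestamp}|{pk}".encode()).digest()
    return int.from_bytes(digest, "big") % Q_ORD


def client_keygen(timestamp: int) -> int:
    """Pick a secret value x in Z_q* such that x + H2(T, xP) is invertible."""
    while True:
        x = secrets.randbelow(Q_ORD - 1) + 1
        if (x + h2(timestamp, x)) % Q_ORD != 0:   # edge case: no inverse mod q
            return x


def client_sign(x: int, timestamp: int):
    """Client side: pk = xP, h = H2(T, pk), sigma = (1/(x + h)) P."""
    pk = x % Q_ORD
    h = h2(timestamp, pk)
    denom = (x + h) % Q_ORD
    if denom == 0:
        raise ValueError("x + h is zero mod q; choose a fresh secret value")
    sigma = (pow(denom, -1, Q_ORD) * P_GEN) % Q_ORD
    return pk, sigma


def ap_verify(pk: int, sigma: int, timestamp: int, now: int) -> bool:
    """AP side: reject a stale T, then accept iff e(sigma, pk + hP) == e(P, P)."""
    if abs(now - timestamp) > MAX_SKEW:
        return False
    h = h2(timestamp, pk)
    lhs = pairing(sigma, (pk + h * P_GEN) % Q_ORD)
    rhs = pairing(P_GEN, P_GEN)
    return lhs == rhs


def ap_response(session_key: bytes, pk: int, timestamp: int) -> bytes:
    """MAC_K(h) returned to the client (assumption: HMAC-SHA256 under K)."""
    h = h2(timestamp, pk)
    return hmac.new(session_key, str(h).encode(), hashlib.sha256).digest()


def run_authentication(x: int, session_key: bytes, timestamp: int,
                       now: int, tamper_sigma: bool = False) -> bool:
    """One authentication run; returns True iff both sides accept."""
    pk, sigma = client_sign(x, timestamp)
    if tamper_sigma:                       # on-path modification of the signature
        sigma = (sigma + 1) % Q_ORD
    if not ap_verify(pk, sigma, timestamp, now):
        return False                       # AP rejects the client's request
    tag = ap_response(session_key, pk, timestamp)
    expected = ap_response(session_key, pk, timestamp)   # client recomputes MAC_K(h)
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    T = 1_700_000_000
    k = secrets.token_bytes(32)            # session key agreed at registration
    x = client_keygen(T)
    print("honest run:", run_authentication(x, k, T, T))            # True
    print("tampered sigma:", run_authentication(x, k, T, T, True))  # False
```

Because σ is multiplied by (pk + hP) inside the pairing, changing σ by even one unit moves the left-hand side off ê(P, P) for any x + h ≠ 0 mod q, which is why the tampered run is rejected deterministically.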

Key Update.
The key update phase is provided to allow the client and the AP to change their session key freely. When the client wants to update his/her session key, he/she first needs to go through the authentication phase to make sure that the past session key is valid and then updates the session key by reregistering with the server. More specifically, the client selects a new random number  * and computes  *  =  *  and then sends  *  to the server. Likewise, the AP updates the session key with the same steps. Afterwards, the client and the AP replace  with  * and store  * secretly.

Security Analysis
In this section, the security analysis of the proposed scheme is presented. The security properties of the proposed scheme are listed as follows.
Client Anonymity.
The real identity of the requesting client cannot be revealed by any third party, including the application provider [25,26]. As specified in Section 5, in the registration phase, the client sends his/her pseudonym to the server. Afterwards, the server sends this pseudonym id to the AP over a secure channel; the AP then stores id as the client identity. The AP does not know the client's real identity. In the authentication phase, the client encrypts his pseudonym id using the session key  and sends it to the AP. Only the AP can decrypt it with . On the other hand, even if the adversary gets the client's pseudonym, he/she still cannot learn the client's real identity ID  . Moreover, the client pseudonym id is dynamic; the user can update the pseudonym by reregistering. Therefore, the proposed protocol achieves client anonymity.
Forward Secrecy.
Forward secrecy indicates that the session keys agreed upon in previous sessions remain undisclosed even when the long-term secret keys of the participants are disclosed [27]. In the proposed scheme, the long-term secret keys of the client and the AP are   and  AP , respectively.
Even if   and  AP are disclosed, the adversary cannot compromise past session keys, because the adversary cannot obtain the secret values ,  or the server's master key.

Unlinkability.
In each run of our authenticated key agreement protocol, the message {pk  , , } that the client sends to the AP is different. More specifically, in each authentication phase,  is a secret random number, so the public key pk  and the signature  are different.   is the current timestamp, so MAC  (ℎ) is also unique in each session. Therefore, the adversary cannot learn whether two authentication sessions involve the same client.

Mutual Authentication.
In the registration phase of the proposed scheme, the client and the server perform mutual authentication through the formula ê(  ,   ) =  and the identity of the client ID  . Because the message in the registration phase is transmitted over a secure channel, only the legitimate client has the knowledge of   and computes   =  Pub +   . The AP and the server are authenticated in the same way, which prevents the adversary from constantly sending junk information to the AP. In the authentication phase, only the requested AP can authenticate the accessing user by checking the user's signature , and the AP verifies whether the formula ê(, pk  + ℎ  ) =  holds. Among them,  is generated by the secret value  and the hash value ℎ. In addition, ℎ is related to   , which can only be recovered by the AP. The client authenticates the AP by the authentication code MAC  (ℎ), because ℎ =  2 (  , pk  ) is related to   , and the session key  is kept secret by the client and the AP. Overall, the proposed scheme accomplishes mutual authentication between the client and the AP.

Session Key Establishment.
Besides mutual authentication, another critical task is to establish the session key to protect the health information in transit. In the registration phase, we use Smart's key agreement scheme, which uses the Weil pairing, to generate the session key;  can only be shared by the AP and the client. The session key  = ê( AP +   , ) between the AP and the user is generated from the secret random values  and  of the client and the AP. More specifically, the common session key depends on the identities   ,   of the client and the AP, the master key  of the server, and the two ephemeral keys , . Hence the adversary cannot obtain . Therefore, the proposed scheme for WBANs provides session key establishment.

Nonrepudiation.
When the client requests a service from the server, he/she sends his signature  to the server. In the certificateless cryptographic mechanism, the user's private key sk  consists of two parts. The first part is the secret value  selected randomly by the client, and the other part is the partial private key   provided by the server. The adversary cannot forge this signature without knowing the user's private key. Therefore, once the authentication between the client and the AP is successful, the AP will provide services to the client, and this client cannot deny that he requested and enjoyed services from the AP. Similarly, when the AP receives the client's request message, pk  , , and , then

Performance Analysis
On account of the resource-limited nature of WBANs, we analyze the computational cost of the proposed scheme in this section. We also compare the proposed scheme with He and Jiang's schemes in terms of computational complexity.
For convenience, we define the notations used in this section as follows:
(1)  mul : the execution time of an elliptic curve point multiplication operation
The comparison of computation cost among related schemes is summarized in the following two tables. In Table 1, we compare our scheme with Xiong's [16] and Jiang et al.'s [27] schemes in the registration phase. For the authentication phase, the comparison results in terms of computational cost are summarized in Table 2. Although the computational cost of Xiong's and Jiang et al.'s schemes is lower than that of our scheme in the registration phase, the registration phase is carried out only once, unless the client reregisters. In the authentication phase, our scheme is more efficient than the other two schemes, and this phase can be performed as many times as needed. In addition, Jiang et al.'s and Xiong's schemes do not have a key update phase: if the session keys of their protocols are compromised, their protocols become insecure. To remedy this shortcoming of Jiang et al.'s and Xiong's schemes, the proposed scheme adds the key update phase. The client and the AP can update their session keys freely to enhance the security of the communication between them.

Conclusion
Due to the limited computing capability and storage resources of sensor nodes in WBANs, we propose an efficient anonymous authenticated key agreement scheme for WBANs in this paper. The proposed scheme reduces the computational cost at the client side in the authentication phase. In addition, we add a key update phase to the scheme to guarantee the security of the session key. In order to provide real anonymity for clients, we use a pseudonym in place of the user's real identity when the user requests a service from the AP. The client can update the pseudonym by reregistering, so that the client pseudonym is dynamic. Moreover, the proposed scheme satisfies a set of security properties, such as forward secrecy, unlinkability, and nonrepudiation. The performance analysis shows that our scheme is more efficient than Xiong's scheme [16] and Jiang et al.'s scheme [27] in the authentication phase. It can be concluded that the proposed scheme can be well utilized in practical WBANs application scenarios.

Figure 1: A typical wireless body area network.

Figure 2: Working flow of the proposed authenticated key agreement protocol.

Figure 3: Working flow of the registration phase.

Figure 4: Working flow of the authentication phase.

(2)  : the execution time of a symmetric key encryption/decryption operation
(3)  ℎ : the execution time of a hash function operation
(4)  add : the execution time of a point addition operation
(5)   : the execution time of a bilinear map operation

Table 1: Comparison of computation cost in the registration phase.
Our scheme: 2 mul + 1 add + 2  | 2 mul + 1 add + 2 

it uses the session key to decrypt . Afterwards, the AP obtains   and computes ℎ =  2 (  , pk  ) and then sends MAC  (ℎ) to the client to complete the authentication. Since no third party can obtain the session key, the AP cannot deny that it has provided services to the user.