Provably Secure and Lightweight Patient Monitoring Protocol for Wireless Body Area Network in IoHT

As one of the important applications of Internet of Health Things (IoHT) technology in the field of healthcare, the wireless body area network (WBAN) has been widely used in medical therapy: it can not only monitor and record physiological information but also transmit the data collected by sensor devices to the server in time. However, because wireless communication is unreliable and exposed, and because the sensor nodes in a WBAN have limited storage and computing resources, many authentication protocols for WBAN have been devised. In 2021, Alzahrani et al. designed an anonymous medical monitoring protocol that uses lightweight cryptographic primitives for WBAN. However, we find that their protocol is vulnerable to off-line identity guessing attacks, known-key attacks, and stolen-verifier attacks and has no perfect forward secrecy. Therefore, a patient monitoring protocol for WBAN in IoHT is proposed. We use a security proof under the random oracle model (ROM) and the automatic verification tool ProVerif to demonstrate that our protocol is secure. According to comparisons with related protocols, our protocol achieves both high computational efficiency and security.


Introduction
A wireless body area network (WBAN) is a transmission network for body monitoring. It consists of intelligent network appliances such as personal wireless terminals, wearable devices, and wireless sensors. Individuals can use these network devices to build personalized health networks based on WBAN, and they are important participants in Internet of Health Things (IoHT) applications. WBAN is widely used in patient monitoring, physiological parameter measurement, and so on. The measured data are transmitted by the sensor in real time, over the wireless network, to devices with a forwarding function and are then stored in the database of the remote server [1][2][3]. Using WBAN-based systems, patient-specific electronic medical records can be established, and professionals can analyze medical data through these records. Moreover, the electronic data of patients can be used for later analysis and diagnosis, and medical personnel can provide targeted medical services based on these data [4].
The communication and interaction of WBAN take place over an open wireless channel, so a series of challenges is inevitable. Attackers can eavesdrop on, tamper with, and intercept publicly transmitted information, and use the obtained information to launch attacks and obtain patients' private data. This poses a great threat to the medical IoHT and to patient privacy [5,6]. In addition, the WBAN system requires real-time data transmission and timely processing of a large number of communication requests, which places a heavy energy burden on infrastructure with limited capacity [7]. Most devices in a WBAN have limited computing power, so they cannot perform traditional cryptographic computations. Moreover, intensive computation inflates the network load, which degrades the performance of the system. Therefore, the medical field urgently needs a lightweight, privacy-protecting, secure key agreement to meet the above challenges.
In recent years, many anonymous medical key agreements have been proposed. An innovative dynamic ID-based key agreement for the telecare medical information system (TMIS) was presented by Chen et al. [8]. However, Xie et al. [9] state that Chen et al.'s scheme cannot defend against off-line password guessing attacks and impersonation attacks and provides neither privacy protection nor perfect forward secrecy. Xie et al. [10] presented a novel authentication protocol for TMIS in 2014, which is considered to be pragmatic and secure. Radhakrishnan and Muniyandi [11] submitted a two-factor key agreement for TMIS based on elliptic curve cryptography (ECC). In 2015, Wang and Zhang [12] addressed the anonymity of authentication in WBAN using bilinear pairings, and their scheme could defend against known-key attacks and man-in-the-middle attacks. However, according to the research of Jiang et al. [13], the protocol cannot resist client forgery attacks, is not suitable for practical applications, and may lead to desynchronization of system logs. In 2017, Li et al. [14] proposed an anonymous authentication scheme. It employs lightweight cryptographic primitives (e.g., hash function operations) and asserts that it realizes mutual authentication between the sensor nodes worn by patients and the hub node, as well as unlinkability and anonymity. Later, Koya et al. [15] stated that it is not feasible because the scheme assumes that the central node is entirely trustworthy; moreover, it is vulnerable to sensor impersonation attacks. Soni and Singh [16] submitted a lightweight authentication scheme employing low-cost operations for WBAN. Based on the wireless medical sensor network, Jan et al. [17] submitted a patient key agreement for the healthcare system to realize secure and efficient communication between users and sensors. Recently, Ullah et al. [18] submitted a hyperelliptic-curve and pragmatic IoT-based cross-domain authentication scheme for WBAN. In addition, Ullah et al. [19][20][21] proposed a multimessage signcryption protocol, an anonymous certificateless signcryption protocol, and a certificate-based signcryption protocol for IoHT. Khan et al. [22] proposed an online/offline certificateless signature protocol for IoHT.
Wu et al. [23] designed an identity authentication scheme using unilateral bilinear pairing, which performs the bilinear pairing only at the access point (AP). After that, Chen and Peng [24] showed that it cannot realize mutual authentication and is also susceptible to client forgery attacks. Li et al. [25] devised a key agreement based on ECC to realize user anonymity. But Sowjanya et al. [26] found that their scheme not only suffers from clock desynchronization and excessive control power of users but also lacks perfect forward secrecy. Kalra and Sood [27] submitted a password-based secure key agreement that does not depend on time synchronization. In 2021, Chunka et al. [28] reviewed their scheme and found that it had many security issues. For instance, due to defects in the gateway design, the scheme cannot confirm the authenticity of sensor nodes, so it cannot resist sensor node capture attacks, and the gateway private key is prone to leakage. In addition, a large number of redundant hash calculations increases the computational burden on the system. Xu et al. [29] proposed an anonymous and lightweight patient monitoring protocol using lightweight cryptographic primitives. The survey of Alzahrani et al. [30] shows that off-line identity guessing attacks break its anonymity, and that it is also vulnerable to key compromise attacks and replay attacks.

Motivation and Contributions.
According to the summary of the existing literature [30][31][32][33], we found that some protocols using lightweight cryptographic primitives cannot resist various attacks, while many protocols based on asymmetric cryptography have high time complexity. In 2021, Alzahrani et al. [30] designed an anonymous medical monitoring scheme. Nevertheless, their scheme is vulnerable to stolen-verifier attacks, known-key attacks, and off-line identity guessing attacks and has no perfect forward secrecy. To realize a secure and lightweight authentication protocol for WBAN systems, we propose a patient monitoring protocol. Our contributions are as follows:
(i) We review Alzahrani et al.'s [30] protocol and analyze its drawbacks, for example, known-key attacks, stolen-verifier attacks, and off-line identity guessing attacks.
(ii) A patient monitoring protocol is proposed to meet the security and lightweight requirements of WBAN systems.
(iii) Using the automated verification tool ProVerif and a formal security proof in the ROM, we demonstrate that the proposed protocol is secure.
(iv) By performance comparison, our protocol is shown to be relatively pragmatic and secure.
The remaining sections are organized as follows: the system model and preliminaries are given in Section 2. In Section 3, we review Alzahrani et al.'s protocol and describe its drawbacks. Section 4 proposes the patient monitoring scheme. Its security is analyzed in Sections 5 and 6. Its security properties, computation cost, storage cost, and communication cost are compared with those of related protocols in Section 7. Section 8 concludes the paper.

System Model and Preliminaries
In this section, we present the system model and the attack model, and we describe the physically unclonable function (PUF). Figure 1 illustrates the system model. It adopts the centralized two-hop architecture of WBAN, which includes the following devices: sensor nodes (SNs), relay nodes (RNs), and the medical server node (MS). The RN is an intermediate node that only forwards messages between SN and MS; it can add or delete its identity before forwarding a message. The RN is always within the communication coverage of MS, and each SN is covered by at least one RN. The resource-constrained SN, worn by or embedded in the patient, monitors and collects the patient's medical health data.
[34] and assume that the public channel is insecure
Physically Unclonable Function.
As a hardware security technology, a physically unclonable function (PUF) can be regarded as the "digital fingerprint" of a chip [35]. It uses inherent physical differences to produce a specific, unclonable response to a given challenge. Therefore, it is difficult to predict before production and to clone after production, and it has broad application prospects in the field of security. For the same challenge, the response of the PUF remains unchanged under different conditions. Any probing or observation of the PUF changes the circuit characteristics, and the output of the PUF changes as well. Therefore, PUFs are often used to protect crucial data in cryptography [36]. All notations used in this paper are listed in Table 1.

System Initialization
(i) SA generates a long-term master secret key $K_{MS}$ for MS.
(ii) Subsequently, MS reserves the master secret key $K_{MS}$.

Devices Registration
(i) SA selects three random integers $r$, $P_{R1}$, $P_{R2}$ and an identity $id_j$ for the sensor node $SN_j$, and reserves the tuple $\langle id_j, P_{R1}, P_{R2} \rangle$ in the memory of MS.
(ii) SA computes $x_{Nj} = r \oplus K_{MS}$ and $y_{Nj} = id_j \oplus h(K_{MS}, r)$.
(iii) SA reserves the tuple $\langle id_j, x_{Nj}, y_{Nj}, P_{R1}, P_{R2} \rangle$ in the memory of $SN_j$.
(iv) Finally, the verification table of MS is $\langle id_j, P_{R1}, P_{R2}, id_R \rangle$.
(v) RN removes its identity $id_R$ and forwards the Message 4 tuple $\langle v, u, \Delta, n \rangle$ to $SN_j$.
Afterwards, $SN_j$ checks $\Delta^* \stackrel{?}{=} \Delta$. If so, $SN_j$ computes the session key $K_{SH} = h(m^*, j^*, P_{R1}, P_{R2})$. $SN_j$ replaces $x_{Nj}$ and $y_{Nj}$ with $x_{Nj}^{new}$ and $y_{Nj}^{new}$ and stores them in its memory. Finally, $SN_j$ replaces $P_{R1}$ with $P_{R2}$ and $P_{R2}$ with $K_{SH}$.

Off-Line Identity Guessing Attack.
Only $id_j$ in $\Delta^*$ is unknown, so AR guesses $id_j$ and verifies whether $\Delta^* \stackrel{?}{=} \Delta$. If so, AR has obtained $id_j$; otherwise, AR guesses $id_j$ again.

Desynchronization Attack.
If AR intercepts Message 4 and drops it, $SN_j$ never receives it. The problem is that MS has already updated $x_{Nj}$, $y_{Nj}$, $P_{R1}$, $P_{R2}$, but $SN_j$ has not. This will make every subsequent authentication between $SN_j$ and MS fail.

Stolen-Verifier Attack.
If the verifier table $\langle id_j, P_{R1}, P_{R2}, id_R \rangle$ of MS is stolen, AR obtains all the data in it. AR eavesdrops on the communication between $SN_j$ and MS, intercepts the Message 1 tuple $\langle x_{Nj}, y_{Nj}, Vid_j, T_1 \rangle$ and the Message 4 tuple $\langle v, u, \Delta, n \rangle$, computes $s^* = id_j \oplus y_{Nj}$, $m^* = v \oplus s^*$, and $j^* = id_j \oplus x_{Nj}$, and then computes the session key $K_{SH} = h(m^*, j^*, P_{R1}, P_{R2})$. That is, AR obtains the session key.

Known-Key Attack.
If the session keys of two consecutive rounds are leaked, AR obtains $P_{R1-3}$ and $P_{R2-3}$ of the third round, because each round's $P_{R2}$ is replaced by the session key just agreed. Using the identity guessing attack above, AR obtains the SN's identity $id_j$. In the third round of protocol execution, AR intercepts Message 1 and Message 4 and . Therefore, the session key of the subsequent round will be obtained by AR.

No Perfect Forward Secrecy.
If the long-term secret key $K_{MS}$ and the short-term secret keys $P_{R1}$ and $P_{R2}$ of Alzahrani et al.'s [30] scheme are leaked, AR calculates $r^* = x_{Nj} \oplus K_{MS}$ and $id_j = y_{Nj} \oplus h(K_{MS}, r^*)$. Then AR calculates $s^* = id_j \oplus y_{Nj}$, $m^* = v \oplus s^*$, and $g^* = h(m^*, s^*, j^*, P_{R2})$. Finally, AR can compute the session key $K_{SH} = h(m^*, j^*, P_{R1}, P_{R2})$. Therefore, the scheme does not achieve perfect forward secrecy.

Proposed Protocol
A security-enhanced protocol is presented, which involves three steps: (1) system initialization; (2) device registration; (3) mutual authentication and key agreement. SA executes the initialization and registration steps over a private channel as follows.

Registration.
The registration phase is as follows:
(1) SA chooses a random integer $a_j$ and an identity $id_j$ for the sensor node $SN_j$, and an identity $id_R$ for RN, and reserves $id_j$ and $id_R$ in the memory of MS.
(2) SA computes $x_{Nj} = a_j \oplus h(K_{MS}, T_j)$, $y_{Nj} = id_j \oplus h(K_{MS}, a_j, T_j)$,  Figure 2.
(1) $SN_j$ chooses a random integer $b_j$ and the timestamp $T_1$ and calculates , $T_j$, $T_1$) and checks $Vid_j^* \stackrel{?}{=} Vid_j$. If so, MS creates random numbers $a_i$ and $b_i$. Next, MS computes   on the side of MS. Even if AR intercepts Message 4, it has no impact on the next session between the sensor node $SN_j$ and MS.

Stolen-Verifier Attack.
A stolen-verifier attack means that an adversary obtains the verification table (everything except the secret key) from MS by trespassing on the device or through a side-channel attack, and then launches attacks with it. In the proposed scheme, the verification table of MS contains only the identities $id_j$ and $id_R$ of $SN_j$ and RN. So the adversary cannot launch any attack even if he or she obtains these identities. Thus, the protocol defends against stolen-verifier attacks.

Known-Key Attack.
Assuming that AR knows the session key $K_{SH}$ , so AR cannot launch any attack.

Smart Card Lost Attack.
Through a side-channel attack, AR can extract all data stored in a smart card once it is lost, and then launch attacks. However, our protocol does not use a smart card, so it defends against the smart card lost attack.

Sensor Node Captured Attack.
In the improved protocol, the sensor node $SN_j$ stores $id_j$, $x_{Nj}$, $y_{Nj}$, $ST_j$, $Cha_j$, $T_j$, where $id_j$ is $SN_j$'s identity, $x_{Nj} = a_j \oplus h(K_{MS}, T_j)$, $y_{Nj} = id_j \oplus h(K_{MS}, a_j, T_j)$, $ST_j = h(PUF(Cha_j)) \oplus MH_j$, $Cha_j$ is the challenge of the PUF, $T_j$ is the timestamp, and $K_{MS}$ is the secret key of MS. Assuming that the sensor node $SN_j$ is captured by AR, he/she cannot obtain the secret parameter $MH_j$ needed to impersonate $SN_j$, because of the PUF. In addition, AR cannot obtain the secret key $K_{MS}$. Therefore, the sensor node captured attack does not affect the security of the nodes or of the sensor network.

Anonymity and Unlinkability.
The identity $id_j$ of the sensor node $SN_j$ is carried in Message 1 $= \langle x_{Nj}, y_{Nj}, Vid_j, A_1, T_j, T_1 \rangle$, transmitted via an open channel, where $y_{Nj} = id_j \oplus h(K_{MS}, a_j, T_j)$. So an adversary cannot compute the identity $id_j$ of the sensor $SN_j$, because he cannot know the secret key $K_{MS}$ of MS. Thus, our scheme achieves anonymity. Moreover, because each session generates new $b_j$ and $T_j$, the identity $id_j$ of the sensor node $SN_j$ cannot be tracked by AR.

Perfect Forward Secrecy.
If AR obtains all the secret information of the sensor node $SN_j$ and the long-term master secret key $K_{MS}$ of MS, then because of the CDHP he/she still cannot successfully calculate $_4, id_j, T_2)$ without knowing $A_4^*$. Therefore, the protocol achieves perfect forward secrecy.

Impersonation Attack.
This attack means that AR impersonates a legal user to generate and send a message that passes the receiver's authentication; that is, the receiver accepts the message as initiated by a legitimate user. In our protocol, AR would impersonate the sensor node $SN_j$ by generating and sending $\langle x_{Nj}, y_{Nj}, Vid_j, A_1, T_j, T_1 \rangle$ to RN, where $x_{Nj} = a_j \oplus h(K_{MS}, T_j)$, $y_{Nj} = id_j \oplus h(K_{MS}, a_j, T_j)$, $Vid_j = h(id_j, x_{Nj}, y_{Nj}, A_1, A_2, h(A_2, MH_j), T_j, T_1)$, $K_{MS}$ is MS's secret key, and $T_1$ is the timestamp. The adversary cannot forge $x_{Nj}$ and $y_{Nj}$ without knowing $K_{MS}$. On the other hand, the adversary cannot compute $MH_j$ even if he/she obtains all data stored in $SN_j$, because of the property of the PUF. Therefore, the adversary cannot generate a valid $Vid_j$.
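The registration values, the PUF-protected sensor memory, the identity-only verification table and the MS-side check of $Vid_j$ discussed in the stolen-verifier, sensor node captured, anonymity and impersonation paragraphs above, as an added Python example. This is not the paper's code, and the page leaves several details open, so the example assumes the following (each marked ASSUMPTION in the code): $h$ is SHA-256 over length-prefixed arguments; the PUF is simulated by an HMAC under a secret that lives only inside a Python object; MS derives $MH_j$ as $h(id_j, K_{MS})$ so that it need not store it; and a toy Diffie-Hellman group over a prime field stands in for the elliptic-curve values $A_1$ and $A_2$, which the page does not define. The names `SimulatedPUF`, `register`, `sensor_message1`, `ms_verify` and `demo`, and the identity `SN01`, are the example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# ASSUMPTION: toy Diffie-Hellman group over a prime field standing in for the
# elliptic-curve values A_1, A_2 of the paper (illustration only).
P = 2**255 - 19
G = 2


def h(*parts: bytes) -> bytes:
    """ASSUMPTION: h = SHA-256 over length-prefixed arguments (unambiguous concatenation)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(2, "big") + part)
    return m.digest()


def mask(value: bytes, key_material: bytes) -> bytes:
    """XOR `value` with the first len(value) bytes of `key_material` (the paper's ⊕)."""
    assert len(key_material) >= len(value)
    return bytes(v ^ k for v, k in zip(value, key_material))


def i2b(x: int) -> bytes:
    """Fixed-width encoding of a group element so it can be hashed."""
    return x.to_bytes(32, "big")


class SimulatedPUF:
    """Stand-in for the chip's PUF: the same challenge always gives the same
    response, and nothing in a memory dump reveals the 'silicon' secret
    (ASSUMPTION: HMAC model of a PUF)."""

    def __init__(self) -> None:
        self._silicon = os.urandom(32)

    def response(self, challenge: bytes) -> bytes:
        return hmac.new(self._silicon, challenge, "sha256").digest()


def register(K_MS: bytes, id_j: bytes, puf: SimulatedPUF, T_j: bytes) -> tuple[dict, set]:
    """SA over the private channel: what SN_j stores and what MS's table holds."""
    a_j = os.urandom(32)
    MH_j = h(id_j, K_MS)                        # ASSUMPTION: lets MS recompute MH_j later
    Cha_j = os.urandom(32)                      # PUF challenge kept in sensor memory
    x_Nj = mask(a_j, h(K_MS, T_j))              # paper: x_Nj = a_j ⊕ h(K_MS, T_j)
    y_Nj = mask(id_j, h(K_MS, a_j, T_j))        # paper: y_Nj = id_j ⊕ h(K_MS, a_j, T_j)
    ST_j = mask(MH_j, h(puf.response(Cha_j)))   # paper: ST_j = h(PUF(Cha_j)) ⊕ MH_j
    sensor_memory = {"id_j": id_j, "x_Nj": x_Nj, "y_Nj": y_Nj,
                     "ST_j": ST_j, "Cha_j": Cha_j, "T_j": T_j}
    ms_table = {id_j}                           # paper: MS's table holds only identities
    return sensor_memory, ms_table


def sensor_message1(mem: dict, puf: SimulatedPUF, ms_pub: int, T_1: bytes) -> dict:
    """SN_j builds Message 1 = <x_Nj, y_Nj, Vid_j, A_1, T_j, T_1>; MH_j is
    unlocked through the PUF at run time and never sits in memory in clear."""
    b_j = int.from_bytes(os.urandom(32), "big")
    A_1 = pow(G, b_j, P)
    A_2 = pow(ms_pub, b_j, P)                   # MS recomputes this from A_1 and K_MS
    MH_j = mask(mem["ST_j"], h(puf.response(mem["Cha_j"])))
    Vid_j = h(mem["id_j"], mem["x_Nj"], mem["y_Nj"], i2b(A_1), i2b(A_2),
              h(i2b(A_2), MH_j), mem["T_j"], T_1)
    return {"x_Nj": mem["x_Nj"], "y_Nj": mem["y_Nj"], "Vid_j": Vid_j,
            "A_1": A_1, "T_j": mem["T_j"], "T_1": T_1}


def ms_verify(K_MS: bytes, ms_table: set, msg: dict) -> bytes | None:
    """MS recovers id_j with K_MS, recomputes Vid_j* and accepts only on a match.
    Returns the authenticated id_j, or None."""
    a_j = mask(msg["x_Nj"], h(K_MS, msg["T_j"]))
    id_j = mask(msg["y_Nj"], h(K_MS, a_j, msg["T_j"]))
    if id_j not in ms_table:
        return None
    A_2 = pow(msg["A_1"], int.from_bytes(K_MS, "big"), P)
    MH_j = h(id_j, K_MS)
    Vid_star = h(id_j, msg["x_Nj"], msg["y_Nj"], i2b(msg["A_1"]), i2b(A_2),
                 h(i2b(A_2), MH_j), msg["T_j"], msg["T_1"])
    return id_j if hmac.compare_digest(Vid_star, msg["Vid_j"]) else None


def demo() -> dict:
    """Honest run, then the captured-node case: the same memory dump but a
    different PUF, so the rebuilt Vid_j does not verify."""
    K_MS = os.urandom(32)
    ms_pub = pow(G, int.from_bytes(K_MS, "big"), P)
    puf = SimulatedPUF()
    id_j = b"SN01"                              # constructed 32-bit identity
    now = i2b(int(time.time()))
    mem, table = register(K_MS, id_j, puf, now)
    honest = sensor_message1(mem, puf, ms_pub, now)
    forged = sensor_message1(mem, SimulatedPUF(), ms_pub, now)
    return {"accepted": ms_verify(K_MS, table, honest),
            "rejected": ms_verify(K_MS, table, forged),
            "id_on_wire": id_j in honest.values()}   # anonymity: id_j never sent in clear


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the honest message authenticated as `b'SN01'`, the message built from the captured memory without the genuine PUF rejected, and `id_on_wire` equal to `False`. The paper refreshes $x_{Nj}$ and $y_{Nj}$ each session; this toy keeps them fixed, so it illustrates anonymity but not unlinkability.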

Replay Attack.
In a replay attack, AR captures a message and replays it to the receiver, and the replayed message passes the receiver's authentication. In the proposed scheme, timestamps and random nonces are used, so the protocol defends against the replay attack.

Formal Security Analysis
Formal Verification Using ProVerif.
ProVerif [37] is an automated tool for verifying cryptographic schemes; it is founded on the Dolev-Yao model and the Prolog language. It can verify many cryptographic primitives, for example, public-key cryptography, hash functions, and equations. When ProVerif finds a protocol insecure, it outputs a corresponding attack sequence.
The open channel, types, constants, variables, constructors, and destructors of our proposed protocol are shown in Figure 3. We designed four events for the improved protocol, BeginSNj(), BeginMS(), EndSNj(), and EndMS(), as depicted in Figure 4. BeginSNj() means that the sensor node $SN_j$ begins the key agreement session with MS. BeginMS() means that MS starts the key agreement session with $SN_j$. EndSNj() means that $SN_j$ has successfully established a session key with MS. EndMS() means that MS has successfully established a session key with the sensor node $SN_j$.
The queries are shown in Figure 5. Figures 6 and 7 show the processes of the sensor node $SN_j$ and of MS. The main process is shown in Figure 8.
To verify the improved scheme's correctness, we propose some queries and finally run them through simulation, as shown in Figure 9.
Results (1)-(4) prove that the secret parameters and the session key are secure, and that sensor nodes are anonymous in our protocol. Results (5)-(7) show that the two processes begin and terminate successfully in sequence.

Formal Security Proof.
After fixing the random oracle model (ROM), we calculate the advantage of the adversary A in breaking our protocol P. The notions of the ROM are clarified as follows.    Test($\cdot$): this query produces a random bit $r$ and is performed no more than once. If $r = 1$ and the session key has been agreed, the real session key is returned to A; else, the query returns a random session key.    CDHP: the CDHP states that, given $P$, $aP$, and $bP$, computing $abP$ is computationally infeasible in probabilistic polynomial time (PPT), where $P$ is the generator point and $a, b \in Z_p$. The advantage of solving the CDHP is denoted $Adv^{CDHP}$.
Theorem 1. Suppose the adversary A tries to break the proposed scheme P in PPT. The queries Execute, Send, and Hash are executed $q_E$, $q_S$, and $q_H$ times, respectively. The query Test may be executed at most once. $l_h$ is the bit-length of the hash function's output. $n = 2^{l_t}$, where $l_t$ is the average length of the other transcripts. The advantage of A in breaking P in PPT can be expressed as follows:
Proof. To simulate the attacks on P, we define a sequence of games $Game_i$ ($0 \le i \le 3$). The event $Success^A_i$ ($0 \le i \le 3$) associated with $Game_i$ means that A achieves his/her goal in $Game_i$. $Game_0$ simulates the real attack; at the start, the probability of A breaking P is given by (1). The random bit $r \in \{0, 1\}$, and the probability of guessing $r$ is $1/2$, which equals the probability of guessing the session key. That is, combining (1) with (6), we get the stated bound, and (8) can be expressed as follows: □

Performance Analysis
We study and compare the security and performance efficiency of our scheme against others. According to the comparison of security attributes given in Table 2, ours achieves better security. On Windows 10 Professional 64-bit with an Intel(R) Core(TM) i5-4590, we obtain $T_{HS} = 0.068$ ms (milliseconds), $T_{EA} = 2.501$ ms, and $T_{SE} = 0.56$ ms [36], where $T_{HS}$ denotes a hash operation, $T_{EA}$ an ECC operation, and $T_{SE}$ a symmetric-key encryption. Table 3 gives the computational cost comparison between the other protocols and the proposed protocol. In [14], the total computation cost of the server and the sensor is $5T_{HS} + 3T_{HS} = 8T_{HS}$ (0.544 ms). Accordingly, the schemes [29,30] both need $6T_{HS} + 4T_{HS} = 10T_{HS}$ (0.544 ms), scheme [25] needs $5T_{HS} + 5T_{EA} + 3T_{SE}$ (14.525 ms), and ours needs $18T_{HS} + 6T_{EA}$ (16.230 ms). Because our protocol is safer than the others and achieves perfect forward secrecy, ours achieves both high computational efficiency and security.
According to [38], an identity, a timestamp, and a password are 32 bits each; a random integer, a hash output, and a block encryption output are 256 bits each; and a point on the elliptic curve is 160 bits. We calculate the storage overhead of the devices participating in authentication. The storage cost comparison is given in Table 4; ours has the lowest storage overhead. In addition, messages in login and mutual authentication are transmitted 4 times in our scheme. We calculate our communication cost and that of the other schemes; as Table 5 shows, ours is equivalent to the other schemes.

Conclusion
We first point out that Alzahrani et al.'s protocol cannot defend against stolen-verifier attacks, desynchronization attacks, known-key attacks, and off-line identity guessing attacks and has no perfect forward secrecy. We then design an ECC-based patient monitoring scheme for WBAN in IoHT. We use the verification tool ProVerif and a formal security proof to demonstrate the security of our scheme. Through comparative analysis, our protocol is safer and more efficient, suiting the lightweight and secrecy requirements of medical scenarios. In the future, we will research more pragmatic anonymous authentication protocols for more complex WBAN scenarios.

Data Availability
All data are included in the manuscript.

Conflicts of Interest
The authors declare that there are no conflicts of interest.