Attacks and Solutions for a Two-Factor Authentication Protocol for Wireless Body Area Networks

As an extension of the 4G system, 5G is a new generation of broadband mobile communication with high speed, low latency, and massive connectivity. It addresses human-to-thing and thing-to-thing communication to meet the needs of intelligent medical devices, vehicular networking, smart homes, industrial control, environmental monitoring, and other IoT applications. This has resulted in new research topics related to wireless body area networks. However, such networks are still subject to significant security and privacy threats. Recently, Fotouhi et al. proposed a lightweight and secure two-factor authentication protocol for wireless body area networks in medical IoT. In this study, we demonstrate that their protocol is still vulnerable to sensor-capture attacks and that it lacks authentication between users and mobile devices. In addition, we propose a new protocol that overcomes these limitations. A detailed comparison shows that our proposed protocol improves on previous protocols in terms of security and performance.

Owing to rapid advances in the informatization of daily life, people's requirements for medical monitoring keep rising, and there is high demand for more convenient and effective telemedicine and vital-sign monitoring. A wireless body area network (WBAN) [14,15] is a network composed of intelligent components such as sensors, nodes, and actuators, designed to collect and monitor data from the human body and its surroundings. Its typical architecture is shown in Figure 1. For the elderly, sensors or wearable devices send the collected information to a gateway node. For a patient, the sensor acquires body monitoring data, connects to a bedside monitor or other receiver, and transmits the data wirelessly to a doctor for monitoring or diagnosis. The gateway acts as a local server that analyzes, stores, and manages the data sent by the sensors or monitors. Users, who may be doctors, nurses, or other medical professionals, communicate with the gateway and access the data they need via mobile devices or computer-based devices on the same LAN as the gateway. For example, a nurse can track and check a patient's body data so that an abnormality can be detected and dealt with in a timely manner.
Because data transmission in a WBAN takes place over a public channel, attackers can access highly sensitive patient health information. To secure a WBAN, an authentication and key agreement (AKA) protocol should be run before communication. Numerous AKA protocols have been proposed [16][17][18][19][20][21], but many of them have been shown to be insecure against a variety of attacks. Recently, Fotouhi et al. [22] proposed a lightweight and secure two-factor AKA protocol for WBANs in healthcare IoT. They claimed that their protocol resists many attacks, including key disclosure simulation attacks, session-specific temporary information attacks, and offline password-guessing attacks.
In this study, we first demonstrate that Fotouhi et al.'s protocol [22] is still vulnerable to sensor-capture attacks and that it fails to provide authentication between users and mobile devices. To overcome these pitfalls, we propose a secure and efficient AKA protocol for WBANs. The security analysis shows that our proposed protocol is secure, and a detailed comparison shows that it achieves improved efficiency and security. The remainder of this paper is organized as follows. Section 2 briefly reviews the authentication protocol proposed by Fotouhi et al. Section 3 presents our cryptanalysis of that protocol. Section 4 proposes a new protocol that repairs its flaws. Section 5 gives a security analysis, both formal and informal, of the proposed protocol. Section 6 compares the proposed protocol with related protocols in terms of security, computational cost, and communication cost. Finally, we conclude the study.

Review of Fotouhi et al.'s Protocol
In this section, we briefly review Fotouhi et al.'s authentication protocol.
Their protocol includes four phases: initialization, registration, authentication, and password modification. Here we describe only the registration and authentication phases; the detailed steps can be found in [22]. The notations used in this study are listed in Table 1.

Sensor Node Registration.
In this phase, the gateway injects the necessary information into each sensor node. Assume that GW_j is the gateway responsible for SN_k. GW_j generates two random numbers, R_y and R_z, and injects {SID_k, SG_k, QID_k, GID_j, R_y, R_z} into the memory of SN_k. GW_j also stores {SID_k, N_l, QID_k, R_y, h(R_z)} in its database.

User Registration.
Assuming that a user U_i wants to register with GW_j, the following steps are performed:
Step 1: U_i sends ID_i and HPW_i to GW_j through a secure channel, where
Step 2: if U_i is an unregistered user, GW_j generates a pseudoidentity CID_i and a random number R_x, and it
Step 3:

Authentication.
Step 1: U_i generates a random number R_u, after which it calculates
Step 2: GW_j obtains the corresponding ID_i, R_x, and HPW_i from its database. GW_j then calculates the values needed to verify the correctness of B_4. GW_j then generates two random numbers, R_g and R_z', obtains SID_k from B_3, obtains R_y from its database, and generates a new pseudonym QID_k'. GW_j then calculates
Step 3: SN_k verifies the correctness of QID_k. If it is correct, SN_k computes and returns its response. GW_j then generates {B_13, B_14, B_15, B_16, B_17} and transmits them to U_i.

Cryptanalysis of Fotouhi et al.'s Protocol
This section shows that Fotouhi et al.'s protocol [22] is vulnerable to sensor-capture attacks and lacks authentication between users and mobile devices.

Threat Model.
The attacker model describes the capabilities of an attacker. In this study, we use the Dolev-Yao (D-Y) model [23][24][25] and denote the attacker by A. A has the following capabilities:
(1) A can eavesdrop on and intercept information transmitted over public channels and can forge, delete, replay, and tamper with such information.
(2) A can extract the information stored in captured sensor nodes.
(3) A can access the information stored in the gateway.

Sensor-Capture Attack.
Assuming that A captures SN_k and reads {SID_k, SG_k, QID_k, GID_j, R_y, R_z} from its memory, A performs the following steps:
Step 1: calculate S = h(SG_k ‖ GID_j), and then obtain
Step 2: obtain R_g by calculating

Lack of Authentication between Users and Mobile Devices.
Assuming that an attacker A captures U_i's mobile device, A performs the following steps:
Step 1: because A does not know PW_i, A generates a random PW_i' and enters ID_i and PW_i' into the captured device. The mobile device computes M_1 with the fake password PW_i' and transmits it to GW_j.
Step 2: GW_j verifies GID_j and CID_i, after which it calculates B_1 and R_u. Only then does GW_j attempt to verify B_4, at which point it discovers that the M_1 sent on behalf of U_i is not legitimate.
In fact, A does not even need to capture a mobile device: the attacker can eavesdrop on the M_1 exchanged between any user and GW_j and resend it to GW_j. This scenario exposes two weaknesses in Fotouhi et al.'s protocol. First, the mobile device does not verify the password that the user enters; whatever identity or password U_i types, the device builds and sends the full login message to GW_j. Second, GW_j computes B_1 and R_u before it verifies B_4, so every bogus login costs the gateway that computation before it can be rejected. Given the limited computing power of a gateway, an attacker who floods it with malformed messages from multiple mobile devices can exhaust it so that it no longer responds to legitimate users, which would cause serious harm in a medical IoT environment.

The Improved Protocol
In this section, we present an enhanced lightweight and secure two-factor authentication protocol (AELSA) for medical IoT and WBANs that addresses the vulnerabilities of Fotouhi et al.'s protocol. AELSA applies to the WBAN architecture and involves three participants: (a) the physician or nurse as the user, (b) the gateway node as the server, and (c) the sensor node as the sensor. The sensors collect patient data dynamically in real time. The gateway acts as the server and as the authentication and data-delivery center that ensures mutual authentication between the physician and the sensor. The physician or nurse, as the user, accesses the sensor data delivered through the gateway from a device that can log into the system, such as a mobile device or a computer. AELSA comprises four main phases: (a) initialization, (b) registration, (c) login, and (d) mutual authentication and key exchange. The registration phase includes user registration and sensor registration. The symbols used are listed in Table 1.

Initialization Phase.
We assume that all gateways are trusted parties, that each gateway is identified by GID_j when transmitting messages, and that each gateway generates a private key G_j during initialization. In this phase, the important system parameters and functions are generated and published, and the information stored within the gateway is initialized.

Registration Phase.
This phase comprises a sensor node enrollment phase and a user enrollment phase, with the following steps.

Sensor Node Enrollment.
In the sensor registration phase of AELSA, a new sensor SN_k that wants to join the WBAN must submit its registration information to the gateway GW_j. First, SN_k sends its SID_k and N_l to GW_j over a secure channel. After receiving the message, GW_j checks whether SID_k is a new identity and, if so, generates a new pseudoidentity QID_k for SN_k. Next, it computes SG_k, the long-term key shared between GW_j and SN_k, and stores {QID_k, N_l} in its memory. GW_j then securely sends {SG_k, QID_k} to SN_k. On receiving the message, SN_k masks SG_k with its SID_k by computing RSG_k = SG_k ⊕ SID_k and stores {RSG_k, QID_k}; neither SG_k nor SID_k is kept in the node's memory.

User Enrollment.
In this stage, the user registers with GW_j using the biometric generation function embedded in the mobile device together with other information. The user enters their identity ID_i, password PW_i, and biometric BIO_i on the mobile device. The mobile device then generates σ_i and τ_i with the generation function Gen. It uses σ_i to mask and protect PW_i,

Login Phase.
If the local verification succeeds, the mobile device allows U_i to log in. Otherwise, it denies U_i access to the system and raises an alert. Figure 2 shows the detailed process of the user login phase.

Mutual Authentication and Key Exchange Phase.
In the key exchange phase, the user, gateway, and sensor negotiate a three-party trusted session key that secures subsequent messages. This phase comprises five steps, described below. Figure 3 shows the stages of mutual authentication and key exchange.
Step 1: user U_i selects the SID_k of the sensor to be accessed, generates a random number R_u, and creates a timestamp T_1.
Step 2: after receiving the message M_1, GW_j checks the freshness of T_1 by verifying |T_1 − T_C| ≤ ΔT, where T_C is the current time. GW_j then searches its memory for the corresponding HPW_i and QID_k based on
and it verifies
If the verification fails, GW_j aborts the session. Otherwise, GW_j confirms the legitimacy of U_i's identity, generates a random number R_g and a new timestamp T_2, and computes
Step 3: once M_2 is received, SN_k verifies that |T_2 − T_C| ≤ ΔT; if so, M_2 is fresh. SN_k then looks up the corresponding RSG_k in its storage based on QID_k. It computes the response and sends M_3 to GW_j over the public channel.
Step 4: after receiving M_3, GW_j verifies the freshness of T_3 using |T_3 − T_C| ≤ ΔT. If this passes, GW_j generates a timestamp T_4 and computes the response to U_i, after which it verifies the le- Finally, U_i verifies whether B_10* = B_10; if so, the mutual authentication and key exchange phase is complete.

Security Analysis
In this section, we use the real-or-random (ROR) model to conduct a formal security analysis of the improved protocol, followed by an informal security analysis. The following analysis demonstrates the security and robustness of the improved protocol.

Formal Security Analysis.
In this section, the ROR model is used to prove the security of our proposed protocol; we show that users and sensor nodes can securely establish session keys through the gateway. In the proof, U denotes a user, G a gateway, and S a sensor node. The detailed proof is presented below.

ROR Model.
In this section, we use the ROR model to prove the security of our proposed scheme, where A denotes the attacker. There are three participants: the user U, the gateway G, and the sensor S. Let Π_U^x denote the x-th session of the user, Π_{U*}^i the i-th instance of the user, Π_G^j the j-th instance of the gateway, and Π_S^k the k-th instance of the sensor. The attacker can issue the following queries:
A query on Π_U^x returns to A the current session key SK established by that instance with its partner; this models known-session-key attacks.
Test(Π_U^x): A flips a coin C. If C = 1, A receives the real session key; otherwise, A receives a random string.

Theorem 1.
In the ROR model above, with A allowed to issue the queries defined above, the advantage of A in breaking the proposed protocol is bounded by
$$\mathrm{Adv}_A(\xi) \le \frac{q_{send}}{2^{l-2}} + \frac{3q_{hash}^2}{2^{l-1}} + 2\max\left\{C' \cdot q_{send}^{s'},\ \frac{q_{send}}{2^{l}}\right\},$$
where q_hash is the number of hash queries, q_send the number of Send queries, l the bit length of the biometric information, and C' and s' the parameters of Zipf's law [26].
Proof. We define games GM_0 to GM_5 to model the behaviour of A. Succ^{GM_i}_A(ξ) denotes the probability that A's attack on the protocol succeeds in GM_i. The games are as follows.
GM_0: in GM_0, A does not issue any queries. Therefore, the probability that the protocol is broken in this game is
GM_4: in GM_4, whether the session key remains secure is examined in two cases. The first is whether the protocol ensures perfect forward secrecy when A obtains the long-term private key. The second is whether the protocol resists session-specific temporary information leakage when the ephemeral values are compromised.
(1) Perfect forward secrecy: using Π_G^j, A tries to obtain the long-term key SG_k shared between the gateway and the sensor, or A uses Π_{U*}^x or Π_S^k to obtain a secret value from the registration phase.
(2) Known session-specific temporary information attacks: A uses one of Π
Since HPW_i is protected with the biometric, the probability that A guesses the biometric σ_i is 1/2^l [27]. A can also guess low-entropy passwords; by Zipf's law [26], we obtain
In the final game, A's guess of the coin succeeds with probability exactly 1/2, so Pr[Succ] = 1/2.
Summing up the above, we obtain
Finally, we obtain
Therefore, the ROR model shows that our proposed protocol provides perfect forward secrecy and resists common attacks such as smart-card theft attacks, man-in-the-middle attacks, and other common attacks.

Informal Security Analysis.
In this section, we argue that our proposed protocol is secure against common attacks, and for each attack we explain why the protocol withstands it.

Resisting Sensor Node Capture Attacks.
If an attacker captures a sensor node and reads its memory, the attacker learns RSG_k and QID_k. To obtain SK, however, the attacker must also know SID_k and the long-term key SG_k between the gateway and the sensor node, and SG_k can only be recovered from RSG_k by XORing it with SID_k. Because SID_k is not stored in the memory of the sensor node, the attacker cannot unmask SG_k. Therefore, our proposed protocol effectively prevents sensor node capture attacks. This argument depends on SID_k having enough entropy and never being written to the node's memory or sent in clear over the public channel; an identity drawn from a small space could be guessed and the mask stripped.
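The following Python model, added here as an example and not code from the paper, contrasts what a captured node leaks under the two enrolment procedures: Fotouhi et al.'s node holds SG_k and GID_j in clear, so S = h(SG_k ‖ GID_j) from Section 3 is computable from its memory alone, while an AELSA node holds only RSG_k = SG_k ⊕ SID_k and QID_k. SHA-256 stands in for h(.), the gateway's derivation of SG_k from G_j (here h(G_j ‖ SID_k)), the pseudonym construction, and a 32-byte SID_k are assumptions of the example, since the page does not give those formulas.

```python
import hashlib
import os

KEY_LEN = 32  # SG_k, SID_k and hash outputs are all 32 bytes in this model (assumption)


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its inputs; stands in for h(.) on the page."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the page's circled-plus)."""
    if len(a) != len(b):
        raise ValueError("XOR masking needs equal-length operands")
    return bytes(x ^ y for x, y in zip(a, b))


# --- Fotouhi et al.: the gateway injects SG_k and GID_j in clear into the node ---
def fotouhi_enroll(sid_k: bytes, gid_j: bytes, gw_db: dict) -> dict:
    """Returns the node memory {SID_k, SG_k, QID_k, GID_j, R_y, R_z} as listed on the page."""
    sg_k, r_y, r_z = os.urandom(KEY_LEN), os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    qid_k = h(b"QID", sid_k, os.urandom(16))          # pseudonym; construction assumed
    gw_db[sid_k] = {"QID": qid_k, "Ry": r_y, "hRz": h(r_z)}
    return {"SID": sid_k, "SG": sg_k, "QID": qid_k, "GID": gid_j, "Ry": r_y, "Rz": r_z}


def capture_fotouhi_node(node_mem: dict) -> bytes:
    """Step 1 of the sensor-capture attack: S = h(SG_k || GID_j) uses only captured values."""
    return h(node_mem["SG"], node_mem["GID"])


# --- AELSA: the node keeps RSG_k = SG_k XOR SID_k and QID_k, never SG_k or SID_k ---
def derive_sg(g_j: bytes, sid_k: bytes) -> bytes:
    """Gateway-side derivation of SG_k from its private key G_j. The page does not give
    the formula, so h(G_j || SID_k) is an assumption of this example."""
    return h(g_j, sid_k)


def aelsa_enroll(sid_k: bytes, n_l: bytes, g_j: bytes, gw_db: dict) -> dict:
    """Returns the node memory {RSG_k, QID_k}; the gateway keeps {QID_k, N_l}."""
    qid_k = h(b"QID", sid_k, os.urandom(16))
    sg_k = derive_sg(g_j, sid_k)
    gw_db[qid_k] = {"N": n_l}
    return {"RSG": xor(sg_k, sid_k), "QID": qid_k}


def node_recover_sg(node_mem: dict, sid_k: bytes) -> bytes:
    """What a live node does at authentication time: unmask SG_k with its own SID_k."""
    return xor(node_mem["RSG"], sid_k)


def demo() -> dict:
    """Runs both enrolments on constructed identities and reports what a captured node leaks."""
    gw_old, gw_new = {}, {}
    sid = hashlib.sha256(b"SN-7").digest()             # constructed 32-byte sensor identity
    gid = b"GW-1"
    old_mem = fotouhi_enroll(sid, gid, gw_old)
    g_j = os.urandom(KEY_LEN)                            # gateway private key G_j
    new_mem = aelsa_enroll(sid, b"N-7", g_j, gw_new)
    true_sg = derive_sg(g_j, sid)
    return {
        # old protocol: S is computable from node memory alone
        "old_attacker_gets_S": capture_fotouhi_node(old_mem) == h(old_mem["SG"], gid),
        # new protocol: neither SG_k nor SID_k is in the node's memory
        "new_memory_leaks_key": "SG" in new_mem or "SID" in new_mem,
        # the live node, which knows SID_k, recovers the same SG_k the gateway derives
        "live_node_recovers_SG": node_recover_sg(new_mem, sid) == true_sg,
        # an attacker guessing SID_k wrongly gets an unrelated value
        "wrong_SID_recovers_SG": node_recover_sg(new_mem, bytes(KEY_LEN)) == true_sg,
    }


if __name__ == "__main__":
    print(demo())
```

The XOR mask is only as strong as the secrecy of SID_k: if the identity is a short serial number and the attacker has any way to test a guess, the mask offers no protection, which is why the entropy and confidentiality of SID_k matter for the argument above.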

Ensuring Authentication between Users and Mobile Devices.
An attacker can replay eavesdropped messages in the hope of extracting useful information from the responses. For example, an attacker can replay message M_1 while impersonating the user. Our improved protocol removes this opportunity: each message carries a timestamp T whose freshness is checked against a reasonable threshold ΔT. In deployment, the gateway should also remember the (CID_i, T_1) pairs it has accepted within the current window, since a message replayed within ΔT would otherwise pass the freshness check alone. Moreover, we add biometric authentication on the mobile device so that the user is authenticated to the device before any message is sent, which prevents an attacker from flooding the gateway with useless login messages that result from the lack of authentication between users and devices.
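The Python model below is an added example, not code from the paper, and it serves both the weaknesses described in Section 3 (the device that sends M_1 for any password, and the gateway that derives B_1 and R_u before checking B_4) and the hardened behaviour described here (local verification on the device, a freshness window on T_1, and a replay cache for the window). The concrete forms of HPW_i, A_3 and B_4, the fixed string that stands in for the fuzzy-extractor output σ_i, the value of ΔT, and the use of SHA-256 for h(.) are assumptions of the example; only R_u ⊕ HPW_i travelling on the public channel and the |T − T_C| ≤ ΔT check come from the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DELTA_T = 5  # freshness window in seconds; value assumed for the example


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its inputs; stands in for h(.) on the page."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Device:
    """User's mobile device, holding CID_i and a local verifier A_3 (assumed: h(ID_i || HPW_i))."""
    cid: bytes
    a3: bytes
    sigma: bytes   # biometric key sigma_i; the fuzzy extractor is modelled as a fixed string

    def login(self, id_i: bytes, pw: bytes, t1: int, verify_locally: bool = True):
        """Builds M_1. With verify_locally=False it behaves like Fotouhi et al.'s device
        and sends M_1 whatever password was typed."""
        hpw = h(pw, self.sigma)                           # HPW_i = h(PW_i || sigma_i) (assumed)
        if verify_locally and h(id_i, hpw) != self.a3:
            return None                                   # wrong ID/PW: nothing leaves the device
        r_u = os.urandom(32)
        x = xor(r_u, hpw)                                 # R_u XOR HPW_i travels on the channel (page)
        b4 = h(self.cid, hpw, x, t1.to_bytes(8, "big"))  # authenticator over M_1 (form assumed)
        return {"CID": self.cid, "T1": t1, "X": x, "B4": b4}


@dataclass
class Gateway:
    """Gateway GW_j. db maps CID_i to HPW_i. verify_before_derive=False reproduces the
    ordering criticised in Section 3 (derive first, check B_4 afterwards)."""
    db: dict
    verify_before_derive: bool = True
    seen: set = field(default_factory=set)   # (CID_i, T_1) pairs accepted inside the window
    expensive_calls: int = 0

    def _derive(self, x: bytes, hpw: bytes) -> bytes:
        """Stands in for the costly B_1 / R_u / session-key work; counts how often it runs."""
        self.expensive_calls += 1
        return xor(x, hpw)                                # recovers R_u

    def handle_m1(self, m1: dict, now: int) -> str:
        if abs(m1["T1"] - now) > DELTA_T:
            return "reject: stale"
        hpw = self.db.get(m1["CID"])
        if hpw is None:
            return "reject: unknown CID"
        self.seen = {(c, t) for c, t in self.seen if abs(t - now) <= DELTA_T}
        if (m1["CID"], m1["T1"]) in self.seen:
            return "reject: replay inside window"        # the timestamp check alone would pass
        if not self.verify_before_derive:
            self._derive(m1["X"], hpw)                    # work done before any check
        expected = h(m1["CID"], hpw, m1["X"], m1["T1"].to_bytes(8, "big"))
        if not hmac.compare_digest(expected, m1["B4"]):
            return "reject: bad B4"
        if self.verify_before_derive:
            self._derive(m1["X"], hpw)                    # work done only for a verified M_1
        self.seen.add((m1["CID"], m1["T1"]))
        return "accept"


def register(id_i: bytes, pw: bytes, sigma: bytes):
    """User enrolment: returns the provisioned device and the gateway's record for it."""
    hpw = h(pw, sigma)
    cid = h(b"CID", id_i, os.urandom(16))
    return Device(cid, h(id_i, hpw), sigma), {cid: hpw}


def flood(verify_before_derive: bool, n: int) -> int:
    """Sends n login attempts with wrong passwords from an unchecked device and returns how
    many times the gateway ran its expensive derivation."""
    dev, db = register(b"nurse01", b"correct horse", b"bio-sigma")   # constructed user
    gw = Gateway(dict(db), verify_before_derive)
    for i in range(n):
        bogus = dev.login(b"nurse01", b"guess-%d" % i, 100, verify_locally=False)
        gw.handle_m1(bogus, 100)
    return gw.expensive_calls
```

With verify_before_derive=True every bogus M_1 is rejected at the cheap authenticator check and the counter stays at zero; with the Section 3 ordering the gateway pays the derivation once per bogus message. The replay cache is what turns the timestamp window into an actual replay defence: a captured M_1 resent one second later is fresh by the |T_1 − T_C| ≤ ΔT test and is only rejected because the (CID_i, T_1) pair has already been accepted.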

Perfect Forward Secrecy.
An authentication protocol provides perfect forward secrecy if an attacker who obtains the long-term key cannot recover previously established session keys [28,29]. Assume that an attacker has obtained the long-term key SG_k between the gateway and the sensor. Although the value R_u ⊕ HPW_i travels in message B_4 over the public channel, R_g and R_s are protected by SID_k in addition to the long-term key SG_k. Therefore, an attacker who obtains the long-term key still cannot obtain SID_k, and past session keys cannot be recovered from it. Thus, our proposed protocol provides perfect forward secrecy.

Resisting Session-Specific Temporary Information Attacks.
If short-term secret information, such as the random numbers, is leaked to an attacker, the attacker still cannot compute the session key SK. Because the improved protocol derives SK from the three random numbers R_u, R_g, and R_s together with the masked value of the user's password, knowledge of the random numbers alone does not reveal the user's password information. Therefore, our proposed protocol resists session-specific temporary information leakage attacks.

Resisting Offline Password-Guessing Attacks.
In the authentication phase, the pseudo-password HPW_i is used in place of the user password to protect the password's secrecy and privacy. Because HPW_i is derived from the password together with the user's biometric information, an attacker who obtains HPW_i cannot compute the password; testing a password guess requires guessing σ_i as well, which costs 2^l attempts (Theorem 1). In the login phase, an attacker who obtains A_3 and ID_i likewise cannot compute PW_i from these values. Therefore, our proposed protocol resists offline password-guessing attacks.

Resisting Privileged Insider Attacks.
Assume that the attacker is an insider of the gateway with access to the gateway's stored information [30], so that the attacker obtains CID_i, HPW_i, and QID_k. None of these values allows the attacker to compute anything of further use, so the protocol resists privileged insider attacks.

Resisting Relay Attacks.
In a typical three-party authentication protocol, the user first authenticates to the server; the server then authenticates with the sensor or other devices; and the sensor's response is passed back to the user through the server, so that the user, the server, and the sensor all take part in the authentication. This transmission process is prone to relay attacks [30,31]: an attacker using disguised devices intercepts the legitimate messages of the server or the user and forwards them so as to pose as a legitimate server sending instructions to the user, or as a legitimate user obtaining valuable information. In our proposed protocol, the server GW_j verifies the legitimacy of user U_i and sensor SN_k by checking A_1 and B_8, the sensor and the user in turn verify the legitimacy of the server, and every message carries a timestamp whose freshness is checked. Thus, our proposed protocol resists relay attacks.

Resisting Stolen-Verifier Attacks.
In a stolen-verifier attack, the user verification values stored on the server are stolen by an attacker, who then tries to use them to pose as a user and log into the system, or to derive further secrets from the other server-side information. Assume that the attacker obtains the information stored inside the gateway GW_j, namely CID_i, HPW_i, A_1, QID_k, and N_l. To compute SK, the attacker would need SG_k in order to recover R_u, but SG_k cannot be derived from the information stored in GW_j. Therefore, our proposed protocol resists stolen-verifier attacks.

Security and Performance Comparisons
In this section, we compare the authentication protocols from three aspects: security, computational cost, and storage consumption [22,32,33,34]. In Table 2, we compare the security of the protocols and use ✓ and ✕ to indicate whether each protocol meets the listed security requirements. The protocol of Kumari et al. [32] was shown by Li et al. [35] to be insecure: it cannot resist sensor node capture attacks, session-specific temporary information attacks, sensor node impersonation attacks, or man-in-the-middle attacks. Li et al. therefore designed a mutual authentication and key agreement protocol for wireless sensor networks, which was later also shown to be insecure. The protocol of Srinivas et al. [33] cannot resist offline password-guessing attacks. The protocol of Gope and Hwang [34] was broken by Adavoudi-Jolfaei et al. [36], who showed that an adversary in the D-Y model can obtain the session key between the user and the sensor. Compared with these protocols, our proposed protocol resists the attacks above and meets the security requirements.

Performance Comparisons.
We compared the performance of the new authentication protocol with the other four protocols listed in Table 4. Table 3 gives the execution times of the cryptographic operations that dominate the cost, namely hash functions, symmetric encryption/decryption, chaotic map functions, and fuzzy extraction functions [22]. The symbols in Table 4 are as follows: T_h denotes the time of a hash operation, T_fe the time of the fuzzy extractor, T_s the time of a symmetric encryption or decryption, and T_c the time of a chaotic map operation.
For the login and mutual authentication phase, we compared the computation times on the user, gateway, and sensor node sides with those of the other protocols. As Table 4 shows, the new protocol guarantees security at an acceptable cost. Although our protocol takes slightly more time than the protocols of Fotouhi et al. [22] and Gope and Hwang [34], it provides stronger security. The extra time is spent mainly in the user login phase, where the user's biometric must be compared, an indispensable step that trades a small amount of performance for the security of the protocol. Compared with Srinivas et al.'s [33] protocol, our proposed protocol significantly reduces the computational cost.
We also compared the communication costs, as shown in Figure 4. Considering computational cost, communication cost, and security together, our proposed protocol is better suited to the wireless medical body area network environment and offers an improved service experience for hospital staff and patients.

Conclusion
In this study, we improved the WBAN authentication protocol proposed by Fotouhi et al. for medical IoT. The improved protocol repairs the defects of the original and resists the attacks that the original cannot. It adds biometric authentication and local login verification to strengthen the user login process, and it relies on hash, XOR, and concatenation operations to keep the computational cost low. The proposed protocol resists a range of attacks, including sensor node capture attacks, replay attacks, and privileged insider attacks, and performs well in terms of both security and efficiency, making it well suited to WBAN-based medical IoT. Every new technology brings implementation challenges, and the Internet of Healthcare currently faces adoption problems. Most stem from the absence of an all-in-one healthcare IoT solution; solutions are tailored to specific challenges and can therefore be too expensive for a single organization. A second problem is the lack of a set of standards for the healthcare industry to protect extremely sensitive healthcare data from security risks and threats. We hope that this paper provides a reference for addressing the security of healthcare data.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.