New Efficient and Secured Authentication Protocol for Remote Healthcare Systems in Cloud-IoT

Recently, Internet of $ings and cloud computing are known to be emerged technologies in digital evolution. $e first one is a large network used to interconnect embedded devices, while the second one refers to the possibility of offering infrastructure that can be used from anywhere and anytime. Due to their ability to provide remote services, IoT and cloud computing are actually integrated in various areas especially in the healthcare domain. However, the user private data such as health data must be secured by enhancing the authentication methods. Recently, Sharma and Kalra projected an authentication scheme for distant healthcare service-based cloud-IoT. $en, authors demonstrated that the proposed scheme is secure against various attacks. However, we prove in this paper that Sharma and Kalra’s protocol is prone to password guessing and smart card stolen attacks. Besides, we show that it has some security issues. For that reason, we propose an efficient and secured authentication scheme for remote healthcare systems in cloud-IoT. $en, we prove informally that our projected authentication scheme is secure against multiple attacks. Furthermore, the experimental tests done using Scyther tool show that our proposed scheme can withstand against known attacks as it ensures security requirements.


Introduction
e Internet of ings (IoT) and cloud computing are revolutionizing many industries such as health and transportation.
e IoT is a large network that interconnects objects, computers, and human individuals. ese devices are able to sense, process, and communicate data from one end to another one. In addition, cloud computing is a system that allows the customers to access computing resources via the network. e cloud computing provider ensures the protection of a given number of servers that can be used according to the customer needs. Indeed, IoT's growth has been particularly dynamic and has truly revolutionized human personal and professional daily activities. Some of the IoT areas include agricultural [1][2][3][4], industrial [5], education [6], healthcare [7][8][9], and environmental fields [10][11][12][13].
Remote patient monitoring relies on computer systems that retrieve health information from individuals in one location and communicate it digitally to health professionals in another location for assessment and advice, as shown in Figure 1. With this kind of service, healthcare provider can continue processing patient's medical data even if the patient stays at home or care facility and reduces the patient readmission rates. e question of health is systematically at the heart of the human race's concern, even though there are technological advancements in health treatment. Recently, healthcare has taken on great significance, as witnessed by the most recent coronavirus epidemic. Indeed, in areas where the epidemic is spreading, it is increasingly wise to monitor people remotely using health monitoring technology. A variety of monitoring platforms which allow collecting a large volume of healthcare data at the site of treatment, such as patient's vital signs, patient's weight, heart rate, blood pressures, blood glucose, blood O2 levels, and electrocardiographs, can be used to monitor the patient's health.
Because of the performance and computing limitations of IoT equipment in handling the massive volume of collected data, it may be appropriate to employ a cloud service to overcome such challenges. Nevertheless, this approach will require warranty of confidentiality, integrity, and security of exchanged data. Subsequently, data are only accessible by authorized entities. e commonly used solution to assure the confidentiality of data is using such authentication protocols. Hence, Sharma and Kalra [14] proposed a trivial authentication protocol for cloud-IoT-based healthcare system. Formerly, they demonstrated that their proposed protocol is efficient, trivial, and secured against various attacks including DoS attack, man in the middle attack, offline password guessing attack, user impersonation attack, replay attack, and parallel session attack. Authors also use AVISPA tool to evaluate their protocol formally. In this research work, we demonstrated that Sharma and Kalra's scheme poses security vulnerabilities, in particular vulnerable to password guessing attacks. Moreover, some private values described in the protocol are not very secured; it can be obtained basically by any attacker. With the aim to improve the security of cloud-IoT-based healthcare, we propose a new efficient and secured authentication protocol. After proving theoretically that our protocol can resist against various attack, we have done simulation tests under Scyther tool. e obtained results confirm that our scheme can deal against famous attacks, and it guarantees security requirements. e remaining part of the paper is organized as follows. Related works have been debated in Section 2. Section 3 is reserved for reviewing Sharma and Kalra's protocol. In Section 4, weaknesses of Sharma and Kalra's protocol are discussed. Our proposed efficient and secured authentication scheme is presented in Section 5. In Section 6, informal and formal analyses are detailed. Section 7 provides the performance and comparative analysis. In Section 8, we conclude our paper.

Related Works
Due to the quick growth and development of various new technologies, personal security, the system for controlling access and the procedures for checking the authenticity of data are gaining significance everyday, particularly since the birth of the IoT. As a consequence, in this section, we discuss some authentication protocols that have been previously presented in literature.
Watro et al. [15] proposed a secured authentication scheme based on RSA for WSNs. Wong et al. [16] proposed authentication scheme that is funded on one way hash functions. is protocol was considered to be secure against many possible attacks, including replay attack, man-in-themiddle attack, forgery attack, and key impersonation attack. Nonetheless, this protocol is proved prone to insider attack and man-in-the-middle attack. As result, Das et al. [17] planned an enhance protocol for gaining more security. Moreover, Xu et al. [18] and Song [19] proposed independently two authentication protocols in 2009 and 2010, respectively. e two proposed protocols are both based on RSA cryptography.
Based on elliptic curve cryptography (ECC), Xu et al. [20] proposed mutual authentication and key convention scheme as a solution of computational problem. en, he demonstrated that the proposed protocol guarantees confidentiality by using a dynamic identity. Hence, Yan et al. [21] proposed a user authentication system based on biometric detection. However, this protocol cannot resist against replay attacks and is not able to guarantee user anonymity. Furthermore, Mishra et al. proved that Yan's protocol is vulnerable against offline password guessing attacks. Based on those issues, Mishra et al. [22] suggested a new reinforced biometric authentication protocol that uses random digits. Afterword, Tan [23] proposed threefactor mutual authentication protocol.
Yoon and Kim [24] presented user authentication protocol based on a biometric parameter to enhance security of wireless sensors' networks. e proposed scheme is demonstrated secure against some attacks such as DoS attack and sensor impersonation attack. In 2012, He et al. [25] proposed an authentication protocol, which is efficient for actual medical applications that are based on sensor network. Nevertheless, the scheme is prone to forgery attack and password guessing attack. In addition, it is not capable to offer forward privacy service. In 2014, Mishra et al. [26] rely on chaotic map computation for presenting an authentication and key exchanging protocol for healthcare information organisms. However, this scheme is vulnerable to against password guessing attack.
In 2015, Jiang et al. [27] proved that the protocol proposed by Chen et al. [28] is not secured against password guessing attack. Consequently, with the goal to resolve this issue, Jiang et al. projected a different authentication scheme. Nonetheless, the planned solution is still vulnerable to password guessing and user impersonation attack.
In 2019, Azrour et al. [29] demonstrated that Ye et al.'s [30] protocol is not secured and it has some security issues. In the same year, Cheng et al. [31], based on elliptical curve cryptography and biometrics, proposed a public node identity authentication scheme for numerous categories of devices. In 2020, Azrour et al. [32] proposed a new authentication protocol for IoT devices. en, authors proved formally and informally that their protocol is efficient and can resist against several attacks.

Evaluation of Sharma and Kalra's Protocol
In the present section, we present a brief review of three main phases of Sharma and Kalra's scheme, namely, registration, login, and authentication phases. Used notations and their significations are described in Table 1.

Registration Phase
Step 1: user U i selects her/his identity I d, password pw, and arbitrary number R. He/she computes MPS � h(pw � � � �R) and sends 〈I d, MPS〉to the server via secured channel.
Step 2: server checks received Id. If it exists in database, the server requests a new Id. In other case, the server computes (MPS‖b), and d � b⊕H(MPS‖a). Afterwards, server sends back to user a, c, and d.
Step 3: user saves 〈a, c, d, R〉 in it smart card.

Login Phase.
Sharma and Kalra's scheme login phase contains three steps: Step 1: user U i inserts her/his identity I d and password pw in the smart device.
Step 2: the smart device calculates MPS � h(pw � � � � R)based on input pw and stored R.
Step 3: the smart device computes a ′ � H(MPS ‖Id) and compares its value with stored a. In this case, it equals the login phase which is a success.

Authentication Phase.
In this phase, the user U i , the sensor, and the gateway node have to authenticate each other mutually and produce the session key. e steps of this phase are Step Step 2: after receiving user's massage, the GN verifies the timestamp. en, it calculates MID SN � Id SN ⊕H(H(K � � � �z 2 )). It generates random numberNj, which is used for computing Step 3: upon receiving GN message, the SN verifies the timestamp.
en, it calculates . en, it checks the validity of If it is ok, the user was authenticated. erefore, the SN computes its parameters V 6 , V 7 , V 8 , and V 9 that will be sent to GN.
Step 4: once the GN receives SN response, it verifies the timestamp. en, it checks the correctness of Next, the GN sends to the user this message: Step 5: in this step, the user verifies the validity of timestamp. en, he/she checks the authenticity of and Sk � H(Ni⊕Nj ′ ). Finally, the user checks the correctness of

Weaknesses of Sharma and Kalra's Protocol
In this section, we demonstrate that user authentication scheme for cloud-IoT-based healthcare services suggested by Sharma and Kalra is defenceless against offline password guessing attacks, and it has some security issues.

User Password Guessing Attack. Sharma and Kalra
proved that their protocol can resist against offline password guessing attack even if the smart card is stolen. In opposition to this, we can prove her that an adversary can guess user's password. To do that, he/she has to steal the user's smart card and then recover the value of R 1 and a i . Afterword, the adversary runs the dictionary attack to guess the correct password. As it is clear in Figure 2, adversary selects a guessed password from passwords dictionary. en, he/she computes the value of MPS ″ ←h(pw � � � �R 1 ) and the value of if the second value equals a i , the guessed password is correct. Otherwise, the adversary selects another password until discovering the correct one.

Impersonation Attack.
Sharma and Kalra demonstrated that their proposed protocol can resist against numerous attacks including impersonation attack. However, in this section, we demonstrate that the user impersonation attack is still operative in Sharma and Kalra's authentication scheme. Accept that an adversary has obtained the contents of a smartcard. He/she can execute the pervious attack to get user's parameters (login and password); then, he/she makes a forged authentication request. e pirate inserts stolen smart card. Next, he/she enters the deduced ID′ and Pw ′ . Subsequent, the smart device en, it verifies if a ′ � ? a. e equality will be true because the guessed parameters are verified in the previous attack. Afterward, the smart device will execute the authentication phase.
Next, it transfers this message to gateway node e remainder of the protocol will run normally. e gateway node and sensor node will authenticate the pirate as the valid user and then share with them the session key successfully. erefore, the pirate can execute user impersonation attack successfully if he has stolen the smart card contents.

Other Security Issues.
Authentication phase is an essential and main phase in all authentication protocols. Indeed, it is a step that assures verification of user identity, allowing authorization and constructing session keys. In healthcare field, it is a key for establishing a secured connection with the remote server and for protecting patient private data. erefore, it must receive much importance. In our cryptanalysis of Sharma and Kalra authentication protocol for cloud-IoT-based healthcare service, we have observed that there are double serious mistakes. Initially, the sensor node utilizes value of K which is the secret master key of gateway node (GN). Normally, the secret master key of gateway node is a private key. Accordingly, it must be a secret and should not be known to anyone. Otherwise, all systems are at risk and all secret messages will be discovered by any attacker. Secondly, authors propose that the secret shared between the gateway node and sensor node (SN i ) is However, the value of Id SN i is clearly (not encrypted or hashed) in the first message sent by user (U i ) to gateway node (GN). Consequently, if an adversary intercepts this message, he can get easily Id SN i . en, he is able to compute X GN−SN i .

Our Proposed Scheme
In this section, we present our new efficient and secured authentication protocol for remote healthcare systems in cloud-IoT. e proposed scheme entails five phases, including system setup phase, new sensor registration phase, user registration phase, login and authentication phase, and password changing phase.

System Setup Phase.
In this phase, the superadmin chooses secret key of cloud server X s and one way hash function h. Finally, the server publishes h and saves its private key secretly.

New Sensor Registration Phase.
To implement a newly connected sensor node (SN i ) in an already functioning healthcare system, the cloud server has to randomly select both specific Id sn and K CS−SNi as the identification and unique key of the added sensor, respectively. e gateway subsequently uploads Id sn and SK � h(Id sn � � � �K CS−SNi ) data to  the sensor memory before running it. In addition, it saves Id sn and HSK � SK⊕h(X s � � � �Id SN ) in its local database for eventual future utilization.

User Registration Phase.
In order to create a count in the cloud server, a medical professional has to perform registration steps with the cloud server. e details of this phase are illustrated in Figure 3.
Step 1: the medical professional selects freely appropriate identity Id i and suitable password pw i . Afterword, he picks arbitrarily two numbers a and b. Next, he calculates MID � h(Id i � � � �a) and MPW � h(Id i |i|b).
e two last values are transferred to the cloud server using a secured canal.
Step 2: the cloud server CS picks c randomly and computes V � h(MID � � � �X s )⊕h(MPW‖c). Next, the CS saves MID and c in local database and transmits V to medical professional.
Step 3: the medical professional memorizes that information (V, a, b, MID) in a smart card.

Login and Authentication Phase.
Once medical professional has accomplished successfully the registration process, he can connect to any sensor node. For doing that, the medical professional must accomplish the login phase by inserting his smart card. Subsequently, the authentication phase is executed. After successful login and authentication, the medical professional is allowed to interact with medical sensor nodes in real time. e steps of login and authentication phase are described below and are depicted in Figure 4.

Password
Changing Phase. Naturally, our proposed authentication protocol gives to the medical professional user the possibility to alter his/her password spontaneously. is operation can be completed in a public channel. e steps of this phase are illustrated in Figure 5. Besides, they are detailed in the following.
Step_Chang1: U ⟶ CS : M u In this step, medical professional user U types in it login and password (Id i and pw i ) . Afterwards, he/she verifies MID� ? h(Id i � � � �a). If it is all right, the user selects freely his/her new password pw * i and chooses two arbitrary numbers a * and b * . Next, he/she computes MID * � h(Id i ‖a * ) and MPW * � h(Id i ||pw * i |b * |). Finally, he/she encrypts the message M u � E SK (MPW||MPW * || MID||MID * ||V) which will be sent to the cloud server.
en, it checks whether V� ? h(MID � � � � X s )⊕h(MPW‖c) is correct or not. If it is OK, the server selects randomly c * . en, it replaces MID and c by MID * and c * , respectively. Next, it computesV * � h(MID * � � � �X s )⊕h(MPW * ‖c * ) and M s � E SK (V * ). Finally, the server sends back to the user the message M s . Step_Chang3 Once the server response was received by the user, this last one decrypts the message M s ′ � D SK (V * ) and replaces V, a, b, and MID by V * , a * , b * and MID * respectively.

Informal and Formal Analyses
In this section, we will analyze the security of our proposed protocol against numerous security attacks. As well as, we present its security properties, including mutual authentication, data integrity, user anonymity, session key exchanging, and forward secrecy (Table 2). e security of our proposed scheme is proved by both informal and formal analysis.

Informal Analyses
6.1.1. Session Key Exchanging. In our proposed protocol, the session key is generated by the user and cloud server as anks to the reason that X s and MID are secret, and the session key cannot be known at the end of login and authentication phase except for the medical professional user and the cloud server. As a result, we can say that the proposed scheme guarantees session key secrecy.

Mutual Authentication.
In a public unsecured channel, each entity has authenticated each other before authentic communication takes place. So, owing to the advantages of mutual authentication in a network environment, our planned protocol reassures mutual authentication. Hence, the cloud server authenticates both the medical professional user and the sensor node. To verify users authenticity in Step 2, the server checks the correctness of receivedV 1 . For checking the sensor identity, in Step 4, the cloud server verifies the exactness of Additionally, the medical professional user is able to authenticate the cloud server identity in Step 5, through examination of the legitimacy of Hereafter, in Step 3, the sensor node also authenticates cloud servers' message by checking the accuracy of V 2 � ? h(HID ′ � � � �SK‖T 2 � � � �B).

Data Integrity.
It is very essential, while forwarding information between the various IoT terminals, to ensure that the data are correct and belong to the authenticated sender. Besides, it is very indispensable to ensure that the data have not been falsified by the authorities during the transfer by invoking fraudulent acts or forgery attacks. In the proposed protocol, if we suppose that an attacker captures V 1 , V 2 , V 3 , or V 4 . en, he tries to alter their values. However, the receivers will detect this modification using the timestamp. In addition, the modification timestamps will be identified since the timestamps are embedded into V 1 , V 2 , V 3 , and V 4 .

DoS Attack.
Our proposed authentication protocol can resist against DoS attack. Accordingly, the user is able to know if her/his message has passed the authentication phase or not, especially, after getting server's response which can be validated or rejected message. With goals to verify the freshness of received message, our protocol uses timestamps. Furthermore, arbitrary numbers are produced in every stage and in every session. Besides, since the duplicated messages are unacceptable, the attacker is not able to perform the DoS attack. us, our suggested method can resist against DoS attack. Table. According to the proposed protocol, the confidential information of each user, including the password, is not stored by the cloud server or the sensors. In case an attacker succeeds in the hacking cloud server or node, he/she would not be actually capable of obtaining the password checking data. erefore, the hacker will not be able to retrieve any authenticating details.

No Verification
6.1.6. Off-Line Password Guessing Attack. Assume that an attacker has got the smart card. en, he/she extracts all stored parameters in it. If he/she wants to guess the password, he/she cannot, since the only value that contains password is V � h(MID � � � �X s )⊕h(MPW‖c). erefore, the attacker has to know the value of X s and Id i . However, Id i is encrypted using one-way hash function, and X s is server's private key. Consequently, we can conclude that our proposed scheme is secure against offline password guessing attack. 6.1.7. Replay Attack. Assume that an adversary replays the old message to the server. In our proposed protocol, the cloud server discovers that this message is not fresh. Originally, the cloud server checks the validity of timestamp T 2 − T 1 ≤ ΔT; in the case that it is noted valid, the session stops. e same thing happens after receiving sensor node's message T 4 − T 3 ≤ ΔT. e sensor node and user use T 3 − T 2 ≤ ΔT and T 5 − T 4 ≤ ΔT, respectively, to check the newness of cloud server's message. Consequently, our proposed protocol can withstand against replay attack.

Insider Attack.
Our proposed scheme can resist against privileged insider attack. Assume that a malicious or pirate has an access the registration data {MID,c }. Even if we have those data, the attacker can neither guess the password nor initiate any kind of counterfeit attack. Furthermore, he/ she must fight the secrecy of one way hash function if he/she wants to have just the user Id. On the contrary, for initiating impersonation attack, the attacker must have access to cloud server's secret key. Consequently, our proposed protocol can resist against privileged insider attack.
Select randomly D Compute

Security and Communication Networks
Id i . In other words, the session key S Key depends on secure parameters which are not accessible to the attacker. Consequently, our proposal assures perfect forward secrecy.

Security Examination Using Scyther.
In this section, we initially clarify the usefulness of Scyther tool [36], which was useful for formal security examination of our proposed scheme. Formerly, we showed gained outcomes by using this tool. Absolutely, it is software for automatically checking of security protocols. It is based on a reverse analysis method. e requests correspond to the knowledge of the participants (source and destination) and also to the wishes of a possible hacker. Symmetric and asymmetric encryption, hash functions, and encryption keys are also embedded in Scyther.
Our planned protocol is then written in the security protocol description language (SPDL).
is specification allows us to specify different roles of the medical professional user, the cloud server, and the sensor node. In each role, event sequences are embedded including sending, receiving, declarations, and complaints. According to Figure 6, which details the obtained results, we can notice that our protocol is secure against many attacks. Besides, it meets the necessary security-related fundamentals.
Proof. Suppose that the attacker A has obtained user's parameters Id and Pw by using smart card data V, a, b, { MID} and the intercepted messages V 1 − V 4 , T 1 − T 4 , Id SN , MID}, and the tentative algorithm Tent1 hash A,RPMAP defines the possibility of achievement Ach 1 for Exp1 hash A,RPMAP by means of the following specified function: Pb[E] denotes the probability for a given event E. In this experiment, we define the advantageous condition as where Max is determined based on totally adversaries taking the execution time t 1 and rq 1 is the total maximum requests transmitted to the reveal oracle. Our presented protocol is secure against the adversary to discover Id, Pw, and V 1 if F Av1 (t 1 , rq 1 ) ≤ ε for a small value of ε > 0. e trial model Tent 1 hash A,RPMAP indicates that if the hacker is able to compute the inverse of the hash function, it can recover user's parameters Id, Pw, and V 1 . Nevertheless, it is impossible to determine the reverse of this one-way hash function in polynomial period, such that F Av1 (t 1 , rq 1 ) ≤ ε for a small value of ε > 0. Accordingly, we can say that our proposed scheme is safe from the attacker for obtaining Id, Pw, V 1 , and S Key . □ Formula 2. If we suppose that the hash function behaves as random oracle and the attacker have intercepted the message forwarded on unsecured channel V 1 − V 4 , T 1 − T 4 , Id SN , MID}, the attacker may not be able to calculate user's session key S Key .
Proof. If an attacker that intercepts the transferred message V 1 − V 4 , T 1 − T 4 , Id SN , MID tries to generate user's session key S Key , the probability of achievement Ach 1 in this calculation is defined by the tentative algorithm Tent2 hash A,RPMAP as Ach 2 � Pb · Tent 2 hash A,RPMAP � 1 − 1 . (2) Pb[E]denotes the probability for a given event E. In this experiment, we define the advantageous function as where Max is determined based on totally adversaries taking the execution time t 1 and rq 1 is the total maximum requests transmitted to the reveal oracle. Our presented protocol is secure against the adversary to discover S Key if F Av2 (t 2 , rq 2 ) ≤ ε for a small value of ε > 0. e trial model Tent2 hash A,RPMAP indicates that if the hacker is able to compute the inverse of the hash function, it can recover user's parameters Id, Pw, and V 1 . Nevertheless, it is impossible to determine the reverse of this one-way hash function in legal period, such that F Av2 (t 2 , rq 2 ) ≤ ε for a small value of ε > 0. Accordingly, we can close that our proposed scheme is safe from the attacker for computing S Key (Algorithm 1 and 2 ).

Performance and Comparative Analysis
is section details the results of the performance analysis of our protocol. In the first place, we display the performance of our proposed protocol in point of view of the ability to resist against security attacks. Secondly, our protocol is compared to other related ones according to the computational complexity. Hence, the results of the first comparison are illustrated in Table 2. As it is very clear, we can realize that our protocol can resist against various attacks, and it is able to guarantee several security requirements including perfect forward secrecy, session key exchange, and mutual authentication.
As we have mentioned above, the calculation charges of our proposed scheme is compared to other correlated protocols specifically Alzahrani et al. [40], Li et al. [41], Azrour et al. [32], and Sharma and Kalra [14]. In this calculation, very weedy procedures such as string concatenation operation and XoR procedure are ignored. e sign T h personifies the time charge of one way hash operation, whereas T ED characterizes the time complexity of symmetric key operations and T pm denotes the computational charge of elliptic curve point multiplication.
In our protocol, the medical professional user calculates 6T h and the cloud server computes 8T h , while the sensors node calculates 3T h . Consequently, the whole calculation complexity of our scheme is only 17T h . As displayed in Table 3, one can remark that our scheme is based only on one-way hash functions which do not consume much time if it is compared to the symmetric key operations. In case we compare the number of time that T h uses, we will find that our protocol uses only 17. Hence, we confirm that our proposed protocol is appropriate for remote healthcare applications based one cloud-IoT. Begin (1) Intercept the transmitted values V 1 , V 4 , MI D, A, Id SN , T 1 , T 4 (2) Call reveal oracle on V 4 for getting value of (x‖MI D‖Id SN ‖T 4 ‖D) as (x‖MID‖Id SN ‖T 4 ‖D)) ←reveal1 (V 4 ) (3) Call reveal oracle on V 1 for getting value of (x‖A) { } as (x‖A)← reveal1 (V 1 ) (4) Calculate x' � V⊕h((h(Id i � � � �pw i � � � �b)‖c))

Conclusions
Modern technologies are currently having a great impact on the healthcare world. us, healthcare professionals can have access to patient confidential data online, which mandates strong authentication protocols for home patient monitoring. So, it is necessary to consider a lightweight authentication scheme to guarantee secure communication between the healthcare system-based cloud-IoT. In the present study, we firstly demonstrated that the protocol proposed by Sharma and Kalra is vulnerable and exposes some security issues. en, we have proposed our authentication protocol to mitigate the prior work vulnerable issues. Afterwards, we have demonstrated informally that our protocol can resist against various attacks and can provide security requirement. In addition, the simulation done under Scyther tools confirms that our protocol is formally secured and meets security fundamentals.