Blockchain-Based Efficient Device Authentication Protocol for Medical Cyber-Physical Systems

As the background of application in the field of smart health care, the flexible interaction between patients and medical system is provided by medical cyber-physical systems (MCPSs) to realize all-round three-dimensional medical service. According to the controllable and credible requirements of MCPS, it needs a secure and reliable device identity authentication mechanism to build the security barrier. Based on the blockchain technology, a lightweight authentication scheme is designed for sensor/execution devices, users, and gateway nodes in MCPS. &e security analysis and experimental results show that the scheme can resist the existing attacks with better efficiency; thus, our proposed scheme can be efficiently applied to the medical field.


Introduction
We have witnessed the great development of the Internet, as well as the popularity of the Internet of ings (IoT) and IoT devices, including wireless sensors, smart phones, wearable devices, global positioning systems, and laser scanners. ese devices are widely deployed around us to realize intelligent computing and services, such as logistics, retail, medical, intelligent city, and other application fields. However, the trusted authentication in IoTs has become a major issue that has to be considered in the rapid development of IoTs.
Closely related to IoTs, medical cyber-physical systems (MCPSs) [1] are a kind of unique cyber-physical systems (CPSs) in the field of modern medicine, which combines the system operations with independent equipment to provide patients with new monitoring functions, such as controlling the physiological closed loop and alarm process of drug infusion process. In the MCPS, there are many kinds of devices with different performance. With the development of blockchain technology, the blockchain-based authentication schemes can mitigate some attacks, which ensure the security of the system. How to ensure that the security authentication protocol can work efficiently and reliably when using the blockchain technology is the key problem to be solved. Hence, based on the blockchain technology, we propose a device authentication scheme to ensure secure access to medical data among sensor devices nodes, gateway nodes, and users in the medical cyberphysical system. Specifically, our contributions can be summarized as follows: (1) We distinguish the identity of the device nodes in the information physical space and propose a device security authentication model based on blockchain for the medical cyber-physical system.
(2) We design a blockchain-based efficient device authentication protocol. Our scheme is suitable for device nodes with different computing, transmission, and storage capacities and uses blockchain technology to solve the trustworthiness problem of third-party service centers. Meanwhile, we use BAN logic and formal proof to verify the feasibility of our scheme and the security of mutual authentication process and the session key.

Related Works
Based on the extensive application of radio frequency identification (RFID) in medical environment, He et al. [2] analyzed the security requirements of RFID authentication scheme and summarized the performance and security of RFID authentication scheme based on elliptic curve cryptography (ECC). ey found that although most authentication schemes cannot meet all the security requirements and have satisfactory performance, some ECC-based authentication schemes are suitable for medical environment in terms of performance and security. Combined with cloud storage, cryptography, and other technologies, a large number of authentication schemes are also proposed. e wireless body area network (WBAN) plays an indispensable role in MCPS. It is a network composed of multiple wearable devices or embedded devices, using wireless technology for communication. erefore, in WBAN environment, a security and reliable authentication scheme is essential. Xu et al. [3] proposed a safe lightweight authentication scheme for WBAN. With this scheme, forward secrecy can be guaranteed without asymmetric encryption, and the security of the scheme can be verified and analyzed by using ProVerif. Alhayajneh et al. [4] analyzed and evaluated the accuracy, cost, and feasibility of the most prominent biometric authentication technology and proposed to use a variety of biometric authentication schemes to ensure the confidentiality, integrity, and reliability of WBAN. Moosavi et al. [5] proposed an end-to-end security scheme for mobile medical IoTs. eir solutions include a secure and efficient end-user authentication and authorization architecture based on certificate DTLS handshake, end-to-end communication based on session recovery security, and strong mobility based on Internet intelligent gateway. Amin et al. [6] proposed a mutual authentication and key agreement protocol to protect the confidential information in the device in order to prevent unauthorized users from accessing the general device. Aiming at the challenges brought by the electronic health information management system using IoTs, including the communication security of wireless channel, the protocol between authentication key and entity, access control scheme, and other defects, Aghili et al. [7] proposed a new lightweight, secure, and efficient authentication protocol, which is also suitable for access control.
Aiming at the problem of authentication in edge and IoT environments, Ma et al. [8] proposed a blockchain-based decentralized authentication modeling scheme. eir scheme is suitable for multiple types of authentication (such as password-based, certificate-based, biometric-based, and token-based authentication). e edge cloud system also has many devices with limited computing and storage capabilities.
us, Zhang et al. [9] proposed a collaborative authentication scheme among users, edge cloud, and robots, which reduced the computational cost of identity verification and improved the verification efficiency. In order to provide more accurate and effective biometric identification, Zhang et al. [10] proposed a parallel ECG-based authentication called PEA for smart healthcare systems.
According to the survey of Altman Vilandrie and Company [11], due to the lack of security authentication and other security systems, the IoT system of small-and medium-sized enterprises is vulnerable to attacks, resulting in their annual income loss of up to 13%. Chandrasekhar et al. [12] reported that the protocol of Yeh's protocol has some shortcomings, including incomplete forward secrecy, nonmutual authentication, and key agreement between users and sensor nodes. Shi and Gong [13] proposed an ECCbased user authentication protocol for wireless sensor networks, which is more efficient in computing cost, communication cost and security. However, Choi et al. [14] found that the protocol of Shi is vulnerable to session key attack, stolen smart card attack, and sensor energy depletion attack. In addition, an attacker can easily obtain the user's identity because it is transmitted through a public channel without encryption. erefore, Choi et al. improved the protocol by verifying the identification legitimacy of users so as to keep from sensor energy consumption attacks. Compared with the protocol of Shi, the protocol also makes use of ECC to calculate authentication messages without bringing more cost. Both [13,14] transmit user identity and sensor identity in plaintext on the public channel, so that they cannot provide anonymity. Chen et al. [15] proposed transmission protection, storage protection, and access control of infrastructure framework in the context of privacy protection of community medical IoT but did not mention the device security authentication. Shu et al. [16] proposed the aggregate signature algorithm, but it lacks the application background. Xue et al. [17] proposed a wireless sensor network identity authentication and key protocol based on temporary credentials, which only uses hash and XOR calculation. It has relatively more security features and higher security level without generating more communication and computing costs, but the traditional third party is vulnerable to attack. In order to solve the problem that the restricted computing power and storage of the sensors are vulnerable to physical attacks, Liu et al. [18] proposed a lightweight three-factor and anonymous user authentication protocol. e solution uses hash algorithms, XOR operations, and PUF to achieve lightweight and physical security. e wireless sensor network is widely used in medical, military, industrial, security, and other fields. Recently, Kumar et al. [19] discussed a wireless sensor network authentication protocol for coal mine safety monitoring. In the IoT environment, trust has become ubiquitous. It is not enough to just authenticate individual users or devices. e reason is that the cointeraction and cooperation between users and devices are crucial in the IoT environment. In this case, information sharing, data fusion, and other elements, including the integration of people, devices, and environment, are great challenges.
Traditional device authentication methods usually perform authentication when users and devices are separated from each other. At the same time, attackers can eavesdrop on communications, forge authentication tokens [20], or perform replay attacks to simulate actual users or devices. e existing authentication schemes rarely consider the space-time characteristics of IoT computing. In general, authentication usually performs settings at once, and once users or devices are authenticated, they can operate for a long time without any authentication. is kind of timesensitive authentication still needs to be improved so as to realize sufficient long-term trust guarantee, which is continuous authentication. Once an attacker fortunately bypasses the authentication system, various destructive attacks can be carried out. erefore, the system can only respond to the attack passively, and the security network of IoTs is threatened.
Recently, researchers have gradually applied blockchain to the medical field. e combination of MCPS and blockchain can allow us to promote the sharing of services and resources and simplify several time-consuming workflows in an automated manner during the encryption verification [21]. In cloud-assisted telecare medical information system (TMIS), cloud servers are vulnerable to attacks. To solve this problem, Son et al. [22] used blockchain technology to design a secure identity verification protocol. In addition, they used CP-ABE to achieve data access control. Although the blockchain-based authentication scheme can enhance the security of the system, it is necessary to consider the authentication credentials and the accounting method of the authentication process when we use the decentralized blockchain as a third party to achieve authentication. Especially, the existing blockchain consensus algorithms and authentication protocols no longer adapt to the wide range of devices with vastly different performance in MCPS.

MCPS and Its Security Model
In the part of related works, we analyze the existing security risks and threats of device authentication. erefore, we need to further improve the device authentication scheme to ensure the safety and reliability.

Classification of Medical Devices.
With the rapid and revolutionary development of medical information, the medical equipment is widely used. e medical devices are classified as follows. e first kind is the diagnostic equipment. It includes physical diagnostic instruments (sphygmomanometers, thermometers, all kinds of physiological recorders, etc.), images (MRI, B ultrasound, CT scanning, etc.), analytical instruments, and electrophysiology (EEG, etc.). ese devices are distributed in each diagnosis and treatment area of the hospital, and the devices connected to the network need strict identity authentication. e second kind is the treatment equipment. It includes ward nursing equipment (sickbed, oxygen bottle, etc.), surgical equipment, radiotherapy equipment, and emergency equipment (ventilator, cardiac defibrillation pacemaker, etc.). is kind of devices needs to be authenticated to ensure the safe use. e third kind is the auxiliary equipment. It includes sterilization devices, refrigeration devices, and so on.

System
Model. In order to study the problem of device security authentication in the MCPS, we first construct the system model of device security authentication based on the blockchain, as shown in Figure 1. e medical institutions are organized in a medical alliance chain to realize medical data sharing. e lower layer of the blockchain is composed of users and some medical equipment, which mainly completes data collection and other work; the blockchain layer is mainly used to realize the storage of medical data and the process of device security authentication.
As shown Figure 1, the device is mainly composed of sensor nodes. Sensor nodes can perceive various characteristics from different environments. In the MCPS, the collection process of medical data is mainly composed of medical professionals (doctors, patients, nurses, pathologists, etc.), sensors, and gateway nodes, as shown in Figure 2. e sensor nodes sense the patient's physical condition and then send the sign data in a certain electronic data format to the trusted gateway nodes of MCPS through the access point. As the core of the model in MCPS, the trusted gateway nodes execute the registration algorithm to provide the registration interface to all medical staffs. Medical staffs collect sensitive sign information of patients from the trusted gateway nodes, analyze them, and monitor patients' physical condition.

3.3.
Architecture. MCPS increasingly relies on software to provide new functions, so that new medical software and devices can be more widely connected with the network to meet the needs of continuous monitoring of patients. e basic architecture of MCPS includes cyber space (including network space) and physical space (including user space), as shown in Figure 3. As the core of MCPS, cyber space includes the processing, storage, security access, and so on. Physical space is the physical basis of MCPS, including medical perception and control devices needed by users, such as electronic sphygmomanometer, heart rate, and pulse Security and Communication Networks collector, which are responsible for the collection and monitoring of user health information. MCPS is composed four layers such as data generation layer, data transport layer, data storage layer, and application service layer.

Data Generation Layer.
At the bottom of MCPS architecture, it is mainly composed of a series of sensing nodes to collect the user's health information and transmit the collected data to the medical data storage space through the tablet or other electronic devices. At the same time, after receiving the feedback information from the sensing nodes, the execution nodes complete the monitoring function of the user through the display or other alarms and execution devices and timely transmit the received information to the outside world, so as to realize the communication and feedback of information.

Data Transport Layer.
It means that after the data collected by the data generation layer is encrypted or processed by other means, it is transmitted to the server by wired Ethernet or wireless transmission for storage. e service of the data transport layer is reflected through the running IPv4 or IPv6 protocol. erefore, the level of data transport layer has a great relationship with the quality of network service, which requires higher network bandwidth, larger transmission range, faster transmission rate, stable transmission process performance, etc.

Data Storage Layer.
e data storage object is the user's health information. e health information includes the user's medical records (sign data, outpatient medical records, hospitalization records, body temperature list, doctor's order list, laboratory test list, medical imaging examination data, special examination consent, operation consent, operation and anesthesia record list, pathological data, nursing records, and other medical records), etc. It uses blockchain and cloud storage technology to realize the secure storage and data sharing of medical records. e chain structure that stores the hash of medical data of each hospital, the digest, and the location index of medical data in cloud storage is called medical chain.

Application Service Layer.
It focuses on application management and secure access to medical data. With the help of the platform technology of blockchain, we can provide data addition, deletion, insertion, decision-making, and diversified services. And the user can send the corresponding operation or control commands to the relevant execution nodes according to the access results to realize the feedback and exchange of information.
In the system model, we mainly combine the blockchain technology, build a system model of security authentication, and analyze the collection process of medical data under the blockchain. On the basis of this model, we need to consider how to ensure the security of the device node access. erefore, we propose a secure data transmission protocol based on device authentication and key agreement. e proposed authentication protocol consists of six stages: system setup, user registration, user login, authentication, key change, and sensor node join. e symbols and descriptions used are shown in Table 1.

Authentication Protocol
In this section, we propose a device security authentication scheme based on blockchain technology to ensure the security and reliability of sensor device nodes. e proposal in this section mainly includes the following parts.

Setup
(i) Step 1: the blockchain center BC selects S BC as its private key and ID g as the identifier of the gateway node and calculates where S g is selected as the private key of the gateway node. (ii) Step 2: ID sn is the identifier of the sensor device node selected by the blockchain center BC, which calculates It is the shared key between the gateway node and the sensor device node. (iii) Step 3: ID sn , S sn is saved in SN k by the blockchain center BC. (iv) Step 4: the blockchain center BC saves ID g , S g , ID sn , S sn and sends it to the gateway node GW j in order to register SN k with the gateway node.

User Registration.
In order to access the medical data collected from sensor device nodes, each medical staff needs to register at the corresponding gateway. In the user registration stage, the medical staff sends the registration request to the gateway. After the preliminary verification, the gateway adds the user into its user list and sends one smart card storing user's identification information to the user. e Gateway node identifier SN k e K th sensor device node ID sn Identifier of the sensor device node S sn Shared key of sensor device and gateway node SK i Session key ‖ Connection operation ⊕ Exclusive or operation identification information may include some personalized parameters of the user, such as complex password in a certain length and identity credentials convenient for authentication in encrypted form. e steps of user registration are as follows: (i) Step 1: the user selects a unique ID i and PW i , generates a random number r 1 , and calculates en, the user sends ID i , HPW i to the gateway node GW j . (ii) Step 2: when the gateway node GW j receives ID i , HPW i , the gateway node GW j generates another random number r 2 and calculates it at the timestamp T 1 : Step 3: the gateway node GW j stores r 2 , T 1 , ID g , h(·), R 1 , R 2 , R 3 in the smart card SC and then transmits it to the user U i securely. (iv) Step 4: when the user U i receives r 2 , And it writes it into the smart card.

User Login.
In the login stage, the user U i enters the identity identifier (identity credentials and password) in the device. e system first checks the correctness of the user input value and then sends the login message to the gateway. Once the authentication is successful, the user U i can securely and legally access the remote computer data at any time according to the following steps: (i) Step 1: the user U i inserts the SC into the reader, then enters ID i and PW i . (ii) Step 2: the user U i selects a gateway node GID j to obtain the data required by the user from the nearest sensor node. (iii) Step 3: smart card calculates (iv) Step 4: the smart card checks whether R * 2 and R 2 are equal. If R 2 � R * 2 , the ID i and PW i of the user are verified; otherwise, the session is interrupted.
(v) Step 5: the smart card generates a random number r 3 , and at T 2 , it calculates (vi) Step 6: the smart card sends ID sn , F 2 , F 3 to the gateway node GW j through the public channel.

Authentication.
In the authentication stage, the gateway node first verifies the validity of the user's identity and then transmits the authentication message to the sensor device. After receiving the authentication message, the sensor device verifies the identification authenticity of the gateway node and then sends another message back to the gateway node so as to further prove its authenticity. After that, the gateway node sends a new message to the user node. In addition, the session key is calculated by each participant, including user nodes, gateway nodes, and sensor device nodes. In this stage, the following steps are performed to establish mutual authentication between the caregiver user node and the sensor device node.
(i) Step 1: when gateway node GW j receives the login request ID sn , F 2 , F 3 at time T 3 , GW j calculates (ii) Step 2: the gateway node GW j checks whether (T 3 − T 2 ) is less than ΔT, where ΔT is the maximum allowable transmission delay of the sender and receiver. If the condition is not met, terminate the session; otherwise, continue to the next step. (iii) Step 3: the gateway node GW j calculates And it checks whether F * 2 � F 2 . If met, the user U i is authenticated; otherwise, the session is terminated. (iv) Step 4: the gateway node GW j generates a random number r 4 and calculates (v) Step 5: gateway node GW j sends ID sn , R 4 , R 5 , R 6 to sensor node SN k . (vi) Step 6: after the SN k receives ID sn , R 4 , R 5 , R 6 , then at time T 4 , it calculates (vii) Step 7: sensor device node SN k checks whether (T 4 − T 3 ) is less than ΔT. If the condition is not met, terminate the session; otherwise, continue to the next step. (viii) Step 8: sensor device node SN k calculates (ix) Step 9: the SN k checks whether R * 4 � R 4 . If met, it continues to the next step; otherwise, terminate the session. (x) Step 10: the SN k generates a random number r 5 and calculates (xi) Step 11: the SN k sends B 1 , B 2 to the gateway node GW j . (xii) Step 12: the GW j receives the message B 1 , B 2 at time T 5 and calculates And it checks whether (T 5 − T 4 ) is less than ΔT. If not met, the session is terminated; otherwise, continue to the next step. (xiii) Step 13: the GW j verifies whether B * 1 � B 1 ; if met, the SN k is verified. (xiv) Step 14: the GW j continues to calculate And it checks whether (T 6 − T 5 ) ≤ ΔT; if not met, then terminate the session; otherwise, continue to the next step. (xvii) Step 17: smart card calculates If R * 7 � R 7 , then both GW j and SN k authenticate with user U i ; otherwise, the session is terminated.
Among them, security authentication and key agreement phase is shown in Figure 4.

Password Change.
is stage provides the user with the operation to change the password. An effective password change process can make the protocol friendly. In order to achieve this goal, the password change should not involve any other unnecessary participants, which can reduce communication costs and resist Denial of Service (DoS) attacks. Here are the steps to change the password: (i) Step 1: the user U i first inserts the SC into the reader device and then enters ID i and PW i . (ii) Step 2: SC calculates (vi) Step 6: the SC replaces R 2 , R 3 and HID with the corresponding new values: R new 2 , R new 3 , and HID new . en, the password is changed successfully. 4.6. Sensor Node Join. When a new sensor device node needs to join the MCPS, the system will perform the following steps: (i) Step 1: the blockchain center BC selects the new sensor node SN k , uses ID sn as its identifier, and calculates And it stores SN k , S sn . (ii) Step 2: BC sends SN k , S sn to the gateway node. (iii) Step 3: the gateway node stores this value and updates the information in the database.

Formal Verification Process.
All certification protocols need to achieve Goal 1, 2, . . ., 8. Here, the variables U i , GW j , and SN k represent three subjects: Make the following assumptions and analyze the initial state of the agreement: Based on BAN logic rules and assumptions, we can analyze the ideal form of the protocol: Using P ⊲X rule: , R 1 and MM rule: Using A 1 , R 2 and FC rule: Using A 8 , R 3 and J rule, B rule, NV rule: R 4 : GW j | ≡ r 3 Using A 2 , R 4 and SK rule: Using A 2 , R 5 and NV rule: (ii) Message 2: GW j ⟶ SN k : 〈ID sn , R 4 , R 5 , R 6 〉 Using P⊲ X rule: R 7 : 〈〈ID sn , R 4 , R 5 : 〈r 3 , r 4 , T 3 〉 S s n , R 6 〉〉: Using A 6 , R 7 and MM rule: Using A 2 , R 8 and NV rule: Using A 2 , R 8 and J rule, FC rule: Using R 10 and B rule: Using A 3 , R 11 and SK rule: Using A 3 , R 12 and NV rule:  15 and J rule, FC rule, NV rule: Using R 16 and B rule: R 17 : GW j | ≡ r 5 Using A 2 , R 17 and SK rule: Using A 2 , R 18 and NV rule: 20 and MM rule: Using A 1 , R 21 and FC rule, NV rule: Using A 11 , R 22 , B rule and J rule: Using A 1 , R 23 and SK rule: Using A 1 , R 24 and NV rule: e above BAN logic discussion clearly proves the effectiveness and feasibility of the mutual authentication and session key protocol among user U i , gateway node GW j , and sensor device node SN k .

Security Analysis and Discussion
6.1. Security Analysis. In this section, we mainly discuss the security issues to prove that our protocol is secure for all related security attacks.

Replay Attack.
Assuming that the device authentication protocol maintains a global clock to synchronize timestamps against clock synchronization, we can verify whether it can effectively resist replay attacks and work smoothly or not. Affected by replay attack, the performance of the system will decline dramatically. Attackers usually capture the previously transmitted messages by the sender entity and resend them to the receiver entity to prove that the message was sent from the legitimate sender entity. Because the system timestamp is used in the protocol and the transmission delay time ΔT will be checked, the protocol always rejects the replay messages captured by the attacker due to the invalid transmission delay time. In the protocol, new random numbers are also used to identify duplicate messages. erefore, the protocol proposed in this paper is resistant to replay attacks.

User Impersonation Attack.
According to the attacker's ability, the attacker can eavesdrop all the transmitted messages through the public channel during the execution of the protocol. e attacker can modify the bugged message and retransmit it to the user in order to impersonate a valid user. e following will prove that the protocol in this paper provides strong security protection against user simulated attacks.
We suppose that the attacker eavesdrops on the message ID sn , F 2 , F 3 and tries to generate another valid message, which will be authenticated by the gateway. In order to generate a forged message, the attacker must calculate the following valid parameters: However, the attacker could not calculate the effective F 1 � R 3 ⊕h(HPW i ‖ T 1 ), where HPW i � h(r 1 ⊕PW i ) as PW i and r 1 are unknown to the attacker. In addition, it is not feasible to simulate and guess all unknown constraints in polynomial time. As a result, attackers cannot generate or guess other valid messages in polynomial time.

Offline User Identity and Password Guessing Attacks.
Assuming that most users use simple ID i and PW i for identity recognition, it is easy to guess ID i and PW i in polynomial time. However, during the execution of the protocol in this paper, the user's ID i and PW i are protected by an irreversible one-way hash function. erefore, the attacker cannot extract user information ID i , PW i . An attacker may try to extract multiple parameters such as R 2 , R 3 , F 2 , F 3 , R 4 , R 5 , B 1 , and B 2 from the offline state of the user and then guess and verify user's ID i and PW i . All these parameters are known to the attacker as follows. e attacker finds the constraint parameters F 2 and F 3 of the smart card. e constraint parameters F 2 and F 3 of the smart card are defined as where HPW * i � h(r * 1 ⊕PW i ). From these relationships, it can be clearly seen that PW i is protected by an irreversible one-way function, and an attacker cannot extract ID i , PW i , r * 1 , and S g . If an attacker tries to guess the constraint parameters, he must guess all unknown values to verify whether the guessed value is not feasible in polynomial time. If the identity, password, and random number are all N characters and the key of the gateway S g is M characters, then the probability of guessing the parameters at the same time is about (1/2 12N+M ) [26].

Sensor Device Node Simulated
Attack. According to our assumption, an attacker can intercept messages during the execution of the protocol B 1 B 2 . After intercepting this message, the attacker attempts to generate another valid message that will be verified by the gateway node GW j , However, an attacker cannot calculate effective intercepted messages without knowing the valid SK i and r 5 , and these messages are protected by the one-way hash function. erefore, the attacker cannot generate valid other messages. erefore, our protocol can resist simulated attacks on sensor nodes. 6.1.5. Gateway Node Simulation Attack. In the proposed protocol, the gateway node sends ID sn , R 4 , R 5 , R 6 and R 4 , R 7 , R 8 to the sensor and the user. Using these messages, both the sensor node and the user can verify the legitimacy of the gateway node. It is now assumed that an attacker can intercept these two messages.
(i) Case 1: if the attacker intercepts the message between GW j and SN k , namely, ID sn , R 4 , R 5 , R 6 , through the public channel, where R 4 � h(ID sn ‖R 1 ‖S sn ‖r 4 ‖ T 3 ), R 5 � (r * 3 ‖T 3 ‖r 4 )⊕S sn , and R 6 � R 1 ⊕h(ID sn ‖h (r 4)‖r * 3 ), the attacker attempts to generate another message and send it to the sensor node to simulate as a legitimate gateway. However, the calculation of R 4 , R 5 , and R 6 , respectively, depends on the random number r 4 . It should be noted that due to the irreversible properties of the one-way hash function, an attacker cannot extract this value. Since S sn is a shared key parameter between the gateway node and the sensor device node, an attacker cannot guess it in polynomial time.
(ii) Case 2: if the attacker intercepts the message between GW j and U i through the public channel, that is, R 4 , R 7 , R 8 , where R 7 � h(SK i ‖R 1 ‖r 4 ‖T 5 ‖R 4 ) and R 8 � (r * 5 ‖r 4 ‖T 5 ‖ )⊕r * 3 , then the attacker tries to generate another message and transmit it to the user U i to impersonate legal gateway. However, the calculation of R 7 and R 8 depends on R 1 and r 4 . Also, it should be noted that the attacker cannot extract the values generated due to the irreversibility of the one-way hash function, and these values cannot be guessed in polynomial time. In addition, the user terminated the connection due to an invalid message. erefore, if an attacker initiates a gateway simulation attack, it may be captured.

Long-Term Key Security.
e authentication protocol uses several keys, such as S BC (private key of BC), S g (the private key of gateway node), and S sn (the shared key between gateway node and sensor device node). It is worth noting that in the setup stage, S g � h(ID g ‖S BC ) and S sn � h(ID sn ‖S BC ). Because the keys are protected by a oneway hash function, attackers cannot retrieve them. Similarly, the key of the gateway node S g cannot be retrieved. erefore, in the protocol of this chapter, all keys are highly protected.
6.1.7. Mutual Authentication. In this protocol, all entities will authenticate each other to verify the validity of their identities before the actual information sharing or retrieval occurs. During the implementation of the protocol, the gateway node first authenticates the user's identity according to the received login message ID sn , F 2 , F 3 , and then the sensor node uses the message ID sn , R 4 , R 5 , R 6 received from the gateway device node to verify the identity of the gateway node. Similarly, the gateway uses the message B 1 , B 2 to authenticate the sensor node, and the user uses the message R 4 , R 7 , R 8 to authenticate the gateway node. As a result, all participants involved use their own messages to authenticate with each other.

Perfect Forward Confidentiality.
is protocol provides perfect forward secrecy, which means that even if one of the long-term keys is disclosed, the session key will not be disclosed. For example, we suppose that the long-term key of the gateway node is disclosed to the attacker in some way. e attacker then attempts to calculate the session key used in the protocol. Even if the secret key is known, the attacker cannot calculate the random number used in the protocol and will not know the shared secret key between the gateway node and the sensor device node. Because the session key depends on a random number, the attacker cannot calculate it. If we assume that the session key used in the protocol has been destroyed by the attacker, the attacker will try to calculate the previous session key. e attacker was unable to calculate the previous session key because he could not extract any confidential information from the compromised session key SK i � h(R * 1 ‖r * * 3 ‖r * 4 ‖ r 5 ). erefore, our protocol has perfect forward confidentiality.
6.1.9. Effective Authentication. In order to prolong the service life of sensor devices, we hope to reduce the computation cost of sensor and the number of bits it must transmit. In this paper, we also prove that the computation cost of authentication messages of sensor nodes is very low as shown in Table 2. e bits of transmitted message are also less as shown in Table 3. In addition, the sensor node first checks the legitimacy of the user and gateway node by comparing R * 4 with the received R 4 and then performs further calculation and communication processes, which prevent the attacker from repeatedly sending false messages to harm the sensor device node. If the sensor device node participates in the calculation and communication messages as the response of the false message, it will cause unnecessary battery consumption of the sensor device node. erefore, the protocol provides effective authentication.

Valid Key Changes.
When a user suspects that his password has been leaked, the registered user will change their password. erefore, the protocol proposed in this paper needs the password change function. Registered users can change their passwords in the agreement. Users do not need any support from the gateway node or the registry during the password change process, which reduces the load on the channel and also can resist the DoS attack. In addition, in order to reduce the computation cost, the system will verify the correctness of the personal information such as the identity and password before calculating the new value with the new password. erefore, the password change stage is effective and practical.

Comparison of Security Performance.
We compare the security performance of the proposed scheme with the protocols Shi [13], Choi [14], Xue [17], and Kumar [19]. In Table 4, it can be seen that the protocols of Shi [13] are vulnerable to several attacks, such as smart card theft and session key attack. In addition, the protocol of Shi is easy to expose the anonymity of users. From this table, it is clear that our proposed protocol provides strong security protection against related attacks, including user anonymity, password guessing attack, user sensor simulation attack, internal attack, smart card theft attack, and session key disclosure attack. Our improved protocol can provide more adequate security protection, because it can meet all the security requirements. Our protocol is the only one that can resist all known attacks and provide all required security functions. Table 2, H, S, and ECC represent the execution time of hash function, symmetric encryption/decryption, and ECC dot product, respectively. e computation amount of user registration is one-time. erefore, we do not pay attention to this time.

Comparison of Computation Cost. In
Due to the resource constrained nature of gateway nodes and sensor nodes, we find that Shi et al. [13] used elliptic curve points to calculate authentication messages, and our protocol mainly uses encryption one-way hash function h, XOR"⊕", and connection"‖" operations to provide security identity authentication. Because the cost of exclusive or and concatenation is negligible, we only consider the cost of the hash function. In addition, the computational complexity of Li [27] can be roughly expressed as (ECC > S > h). As described in Li [27], we assume that one-way hash function (H), symmetric key encryption/decryption algorithm, and ECC of scalar point of elliptic curve need 0.0005, 0.0087, and 0.063075 seconds respectively. From Table 2, we find that the computing cost of our protocol is (8H + 7H + 6H) � 21 × 0.0005 � 0.0105 s, while the computing cost of sensor device node is 6H � 6 × 0.0005 � 0.003 s. at is, in our protocol, the computing cost of sensor node is 28% of the total computing cost. Table 2 shows that the computation cost of our protocol is lower than the protocols Shi [13], Choi [14], Xue [17], and Kumar [19]. erefore, our protocol is suitable for the security authentication of sensor nodes in the medical cyber-physical systems, which can save resources and increase service life. Table 3, we compare the communication overhead in this paper with the methods discussed in Shi [13], Choi [14], Xue [17], and Kumar [19]. Communication overhead is the total Shi [13] Choi [14] Xue [17] Kumar [19] Our   number of bits required for transmission during the login and authentication stages. Now, we assume that the participants' identities, random numbers, and timestamps are 32 bits, the results of AES are 512 bits, the ECC points are 320 bits, and the message digests of SHA1 are 160 bits. It can be seen from the results that the total communication cost of our scheme is the lowest, and the cost of sensor devices is low, which can keep the sensor devices active for a long time.

Conclusions and Future Works
In this paper, a security authentication model of medical cyber-physical systems based on blockchain is proposed, and the process of data collection and transmission is described in detail. en, we propose an authentication scheme of sensor devices. e process includes system initialization, user registration, user login, security authentication and key negotiation, password change, and adding sensor nodes. Finally, we analyze the availability and security of the proposed scheme.
Compared with the traditional device identity authentication scheme, this scheme has the following advantages: first, taking the blockchain node as the authentication third party can solve the untrustworthy problem of the third party and also can resist the attacker's attack on the third party's data center to prevent data leakage. Second, the authentication scheme can be adapted to device nodes with different computing, transmission, and storage capacities. At the same time, it can also save the energy consumption of device nodes and increase the service life. ird, the device nodes can be added dynamically. Because the transaction speed of alliance chain is fast, each node has its own private key, the transaction cost is not high, and it cannot be tampered with. However, due to the multiple data types and high complexity of data transactions in the device nodes of the medical cyber-physical systems, and with the needs of the use process, the device nodes need to be added to collect new data. e medical institutions can be connected with the alliance chain, which can provide an innovative way for the medical cyber-physical systems architecture and make the system efficient, safe, and traceable.
Although our scheme has made some progress in the research of device identity authentication, there are still some shortcomings of our work. e following problems need further research: (1) A new security authentication protocol for sensor devices in the medical cyber-physical systems is proposed in this paper, which is used to authenticate legitimate users and sensor devices. e protocol realizes the security requirements of authentication process at a lower cost and saves the cost of devices life. Mutual authentication and key establishment can also be completed. In the future, we hope that the scheme of device security authentication can be extended to other application fields to complete the device security authentication with the blockchain technology.
(2) e security authentication scheme proposed in this paper is based on the blockchain technology.
However, we only analyze the security and effectiveness of the scheme in theory and realizes the simple construction of medical alliance chain. In further, we can use the Hyperledger Fabric to complete more rigorous experimental simulation [28]. e open platform of Hyperledger Fabric, which is open-source and free of charge, provides a modular and scalable architecture and can be used in various industries from banking and health care to supply chain.

Data Availability
No data were used to support the findings of this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.