Improved Authenticated Key Agreement Scheme for Fog-Driven IoT Healthcare System



Introduction
A wireless sensor network (WSN) [1][2][3][4][5] (also called a sensor network) is a multihop, self-organizing network formed by many inexpensive miniature sensor nodes that are distributed over a detection region and communicate wirelessly. The aim of a WSN is to gather and process information about the sensed objects in its coverage area and transmit it to an observer. WSNs are a significant foundation of the Internet of Things and have been used in several fields, such as smart healthcare. Wireless medical sensor networks (WMSNs) [6] can be used to build ubiquitous medical systems that detect patient emergencies immediately through remote monitoring and thereby improve the quality of medical treatment. In a WSN-based healthcare system, medical sensors are attached to patients, and the acquired data are forwarded to authorized entities in a secure manner. However, the sensors deployed in a WMSN have limited storage and computing capabilities; when large volumes of data are collected, real-time processing of all the data cannot be guaranteed.
To resolve these problems, the concept of a fog-driven IoT healthcare system [7][8][9] (Figure 1) has been proposed: computing functions are moved closer to the users and devices, to the edge of the network.
The fog-driven IoT healthcare system consists of three layers: the healthcare device layer, the medical fog layer, and the medical cloud layer. In fog computing [10][11][12][13][14][15][16], fog nodes (routers, gateways, switches, and access points) are distributed at the edge of the network, geographically close to the terminal devices. By extending cloud services to the network edge, fog computing turns cloud data centers into distributed platforms while preserving cloud services for users. Therefore, the waiting time for processing wireless medical sensor data is minimized [17][18][19], improving user experience and service quality.
Generally, sensor nodes are resource-constrained devices with computing, communication, and storage functions, and they are usually deployed in sparsely populated environments. Because the nodes are exposed to adversaries, the physical security of the deployed equipment cannot be guaranteed. Hence, the security of wireless sensor networks has become a significant challenge for researchers, particularly in WMSNs, where security and privacy issues are more serious because medical data contain sensitive patient information. Several challenges must be overcome for the whole mechanism to run securely and efficiently: maintaining the integrity of the medical data gathered from sensor nodes, granting only legitimate users secure access to these data, and preventing misuse of data transmitted through public channels. The integrity and confidentiality of data transmitted between the parties must be guaranteed [20].
To establish trust between communicating parties and prevent counterfeiting, each user or fog node in the system must be given a unique identity [21] and be authenticated [22]. In addition, data transmitted through public channels and stored on fog nodes or cloud servers must be encrypted to ensure security and privacy [23][24][25]. However, owing to the mobility of deployed fog nodes and terminal devices, it is not practical to share session keys between them in advance. Authenticated key agreement (AKA) [26][27][28][29] is a suitable mechanism for authenticating users or nodes and generating a shared session key; however, it has rarely been applied to fog computing.
Recently, numerous AKA protocols [28][29][30][31][32][33][34][35][36][37][38][39][40][41] have been proposed for WSN, fog computing, and IoT environments. Turkanovic et al. [31] proposed an efficient AKA scheme for heterogeneous WSNs, in which the user authenticates through the sensor node without communicating with the gateway node. However, Farash et al. [33] found that their protocol is vulnerable to smart card theft attacks and provides neither untraceability nor anonymity of the sensor nodes to the user. Wang and Wang [32] showed that anonymous authentication cannot be achieved with a symmetric cryptosystem alone; research has therefore focused on designing AKA schemes based on asymmetric cryptography. Hayajneh et al. [34] proposed a lightweight authentication scheme based on the Rabin signature for the remote monitoring of patients by wireless sensor networks. In 2018, Amin et al. [35] proposed a lightweight AKA protocol for IoT devices in a distributed cloud computing environment; it provides mutual authentication among the user, service provider, and control server, and a common session key is shared between the user and the service provider. Only symmetric primitives are used, which makes the scheme highly efficient. Yeh et al. [30] proposed the first ECC-based AKA scheme for wireless sensor networks, which led other researchers to propose an increasing number of ECC-based AKA protocols [36,[41][42][43][44][45][46].
Although several AKA schemes have been proposed for IoT environments, few are directly suitable for fog computing environments. Hamid et al. [45] proposed a single-round three-party AKA protocol based on bilinear pairing for this setting and argued that it protects the privacy of medical data in a fog-based medical system. However, because the session key generated by this scheme is static, it cannot provide forward secrecy. Its key exchange is based on Joux's three-party Diffie-Hellman key exchange [43], so it is also vulnerable to man-in-the-middle attacks. Recently, Jia et al. [46] proposed an AKA scheme for a fog-driven IoT healthcare system using bilinear pairings, in which the cloud server authenticates the IoT device and the fog node and a common session key is established between them. Based on the Bellare-Rogaway-Pointcheval (BRP) security model [42], they claim that the scheme resists various known attacks, and their informal security analysis also indicates that the scheme provides user anonymity and untraceability. Some important related works are summarized in Table 1.
In this study, we first analyze Jia et al.'s scheme and show that it is vulnerable to a random number impersonation attack and a key compromise impersonation attack.
We then propose an enhancement of their scheme that remedies these shortcomings. In our proposed scheme, mutual authentication and key agreement among the three entities are achieved in a single round of communication: after the cloud server verifies the identities of the IoT device and the fog node, it establishes a shared session key between them. For the security analysis, we use BAN logic, ProVerif, and an informal security analysis; these approaches provide evidence that our improvement resists several well-known security threats.

Review of Jia et al.'s AKA Scheme.
Here, we briefly review the scheme proposed by Jia et al. [46], which consists of four phases: system setup, user registration, fog node registration, and authentication and key agreement.

System Setup.
The cloud service provider (CSP) selects a nonsingular elliptic curve over the finite field $F_p$, where $p$ is a large prime and $l = \log_2 p$ is the security parameter. Let $G$ be a cyclic group of order $n$ generated by a base point $P$.
Then, CSP selects a random $s \in Z_n^*$ and computes $P_{pub} = s \cdot P$. $(G, P, P_{pub})$ are published as the public system parameters, while $s$ is kept secret. Six secure hash functions $h_0, h_1, h_2, h_3, h_4, h_5$ are selected by CSP, where $h_0:$ … . We assume that the CSP is fully trusted and holds a database of registered users and fog nodes.

User Registration. $U_i$ inputs its identity $ID_i$ and password $PW_i$ and computes $RID_i = \ldots \oplus r_i$, where $r_i \in Z_p^*$ is a random number chosen by $U_i$. Then, $U_i$ sends $(ID_i, RID_i)$ to CSP via a secure channel. After receiving the request, CSP randomly chooses $x_i \in Z_p^*$ and computes $R_i = h_2(ID_i \| s \| x_i) \oplus RID_i$. The CSP stores $R_i$ in the smart card and $(ID_i, x_i)$ in its database and finally sends the smart card to the user over a secure channel. After receiving the smart card, $U_i$ computes $R_i^* = R_i \oplus r_i$ and replaces $R_i$ on the card with $R_i^*$.

Fog Node Registration.
Each fog node $F_N$ must be registered with the CSP before deployment. $F_N$ transmits its identity $ID_j$ to CSP. Then, CSP randomly selects $y_j \in Z_p^*$ and computes $R_j = h_2(ID_j \| s \| y_j)$; CSP sends $R_j$ to the fog node over a secure channel and stores $(ID_j, y_j)$ in its database.

Authentication and Key Agreement.
In this phase, CSP helps $U_i$ and $F_N$ to authenticate each other and establish a session key $SK$ by executing the following steps:
(a) $U_i$ randomly chooses $a \in Z_n^*$ and computes …, where $T_u$ is the current timestamp. $U_i$ sends $Msg_1 = \{A, PID_i, N_i, T_u\}$ to $F_N$.
(b) Upon receiving $Msg_1$, $F_N$ first checks that the timestamp $T_u$ is fresh. Then it computes …, where $T_f$ is the current timestamp. Finally, $F_N$ sends $Msg_2 = \{A, B, PID_i, PID_j, N_i, L_j, T_u, T_f\}$ to the CSP.
(c) After receiving $Msg_2$, CSP first checks the validity of the two timestamps $T_u$ and $T_f$ and then executes the following steps:
(i) CSP computes … and $ID_j' = PID_j \oplus h_0(B')$.
(ii) CSP searches its database for entries matching $(ID_i', x_i)$ and $(ID_j', y_j)$. If there are no matching entries, CSP denies the request and immediately terminates the session. Otherwise, CSP computes … .
(iii) CSP checks whether $N_i = N_i'$ and $L_j = L_j'$. If either equation does not hold, the CSP rejects the request and terminates. Otherwise, it randomly chooses $c \in Z_n^*$ and computes … .

Table 1: Summary of authentication schemes.

Scheme      Cryptographic techniques                                                          Limitations
Ref. [31]   Smart card; one-way hash function                                                 Vulnerable to smart card theft attacks; does not support anonymity; does not support untraceability
Ref. [35]   Symmetric encryption; one-way hash function                                       Does not support anonymity; vulnerable to impersonation attacks
Ref. [36]   Elliptic curve cryptography; bilinear pairing; one-way hash function; smart card  Vulnerable to replay attacks; does not support mutual authentication
Ref. [46]   Elliptic curve cryptography; bilinear pairing; identity-based cryptography        Insecure session key establishment; does not support anonymity
Ref. [41]   Bilinear pairing; one-way hash function                                           Vulnerable to impersonation attacks

The adversarial model follows [47]. We allow an attacker E to fully control the communications among the user, the fog node, and the CSP in the authentication and key agreement phase. Thus, E can intercept the messages exchanged over the public channel and, from hidden information of the current session leaked by either side, recover key material such as the session key and the entity's identity.
(a) Session key recovery. Under the CK adversarial model, we may assume that an attacker E obtains the random number $a$ of user $U_i$. E can also intercept $B$ and $C$ from the public channel and compute $SK = e(B, C)^a$.

Lack of Pre-Verification.
Step (a) of the authentication and key agreement phase does not verify the user's input $ID_i$ and $PW_i$ locally. An incorrect $ID_i$ or $PW_i$ is detected only by the CSP in step (c), so a mistyped input costs a full round of communication and computation before it is rejected.

Our Improved Scheme
In this section, we propose an improvement based on Jia et al.'s scheme to overcome the previously indicated security weaknesses in Section 2. In our improvement, the system setup is the same as in Jia et al.'s scheme.

Modified User Registration.
This phase is depicted in Figure 2.
(a) $U_i$ randomly chooses $r_i \in Z_p^*$ and inputs the password $PW_i$ and the identity $ID_i$ to compute … .
(b) … CSP stores $(R_i, D_i)$ in the smart card and $(ID_i, x_i)$ in its own database, and finally sends the smart card to the user over a secure channel.
(c) After the user receives the smart card, … .

Modified Fog Node Registration.
$F_N$ transmits its identity $ID_j$ to the CSP. The CSP randomly selects $y_j \in Z_p^*$ and computes $g_j = h_2(ID_j \| s \| y_j)$. Then, CSP sends $g_j$ to the fog node via a secure channel and stores $(ID_j, y_j)$ in its own database. This phase is shown in Figure 3.

Modified Authentication and Key Agreement.
This phase is depicted in Figure 4.
(a) $U_i$ inputs $ID_i$ and $PW_i$ and computes … .
… where $T_f$ is the current timestamp. Finally, … .
… CSP computes … and then searches for $(ID_i', x_i)$ and $(ID_j', y_j)$ in its database. If there are no matching entries, CSP denies the request and immediately terminates the session.
… CSP checks … and … . If either equation does not hold, the CSP rejects the request and terminates.
(iii) CSP randomly chooses $c \in Z_n^*$ and computes … .
… $F_N$ checks the freshness of $T_c$ and verifies whether $Auth_j$ … .

Security Analysis of Our Improved Scheme
In this section, the security of our scheme is illustrated by the BAN logic, ProVerif, and an informal security analysis.

Formal Security Analysis Using BAN Logic.
In this subsection, we analyze the session key $SK$ established among $U_i$, $F_N$, and CSP with the CSP's assistance; this key is then used to protect the requests the user sends when obtaining data from the server. The notation and rules of BAN logic can be found in previous studies [33,35,39,48].

Related Rules
Message-meaning rule: $\dfrac{A \mid\equiv A \overset{K}{\leftrightarrow} B,\quad A \triangleleft \langle X \rangle_K}{A \mid\equiv B \mid\sim X}$. If principal A believes that the secret $K$ is shared between A and B, and A receives the message $X$ enciphered with $K$, then A believes that B sent $X$.
Nonce-verification rule: $\dfrac{A \mid\equiv \#(X),\quad A \mid\equiv B \mid\sim X}{A \mid\equiv B \mid\equiv X}$. If A believes that $X$ is fresh and that B sent $X$, then A believes that B believes $X$.
Jurisdiction rule: $\dfrac{A \mid\equiv B \mid\Rightarrow X,\quad A \mid\equiv B \mid\equiv X}{A \mid\equiv X}$. If A believes that B has jurisdiction over $X$ and that B believes $X$, then A believes $X$.
Session-key rule: $\dfrac{A \mid\equiv \#(X),\quad A \mid\equiv B \mid\equiv X}{A \mid\equiv A \overset{K}{\leftrightarrow} B}$. If A believes that $X$ is fresh and that B believes $X$, then A believes that A and B share the session key $K$.

Idealize the Communication Messages
Because $a$ is a random number chosen by $U_i$, we obtain A1 and A2; when $Msg_1$ is sent from $U_i$ to $F_N$, we obtain A22, and from A22 we obtain A9; when $Msg_3$ is sent from $U_i$ to CSP, we obtain A27, and from A27 we obtain A14. Similarly, because $b$ is a random number chosen by $F_N$, we obtain A6 and A7; when $Msg_6$ is sent from $F_N$ to $U_i$, we obtain A18, and from A18 we obtain A4; when $Msg_2$ is sent from $F_N$ to CSP, we obtain A26, and from A26 we obtain A15. Because $c$ is a random number chosen by CSP, we obtain A26 and A27; when $Msg_5$ is sent from CSP to $U_i$, we obtain A19, and from A19 we obtain A5; when $Msg_4$ is sent from CSP to $F_N$, we obtain A23, and from A23 we obtain A10.
Using A14, S44, and the session-key rule, we obtain S45: $CSP \mid\equiv$ … . Using A15, S44, and the session-key rule, we obtain S46: … .

Informal Security Analysis.
In this section, we demonstrate that our improved scheme can achieve the following well-known security requirements.

Known Session-Specific Temporary Information Attacks.
$(A, B, C)$ can be intercepted on the open channel, but adversaries do not know $(q_i, g_j, z_c)$, which are the hidden values of $U_i$, $F_N$, and CSP, respectively, and thus cannot compute $(v_u, v_f, v_c)$. Therefore, even if adversaries learn $(a, b, c)$, they cannot compute $(K_u, K_f, K_c)$ without $(q_i, g_j, z_c)$.
Therefore, an opponent cannot recover $SK$ from leaked session-specific temporary information $\{a, b, c\}$.
$(q_i, g_j)$ are the hidden values of $U_i$ and $F_N$, respectively; if only $(a, b)$ is found, but not $(q_i, g_j)$, the adversaries cannot compute … . … $(A, B)$ on the open channel, they do not know the key $s$ of the CSP and thus cannot compute $A' = sA$ and $B' = sB$, or retrieve … .
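The following Python model, added here as an illustration and not taken from the paper or from Jia et al., runs the tripartite key-agreement algebra of both schemes end to end: the three points $A, B, C$, the identity masking $PID = ID \oplus h_0(sA)$ and its unmasking by the CSP, and the three pairing computations $K_u, K_f, K_c$. It then replays the Section 2 attack, an adversary who learns the user's ephemeral $a$, against both variants. The pairing is simulated in a generic-group model (a point $kP$ is just the scalar $k$ modulo a prime $N$), so the code checks that the algebra is consistent, not that the underlying problem is hard; the prime $N$, the SHA-256 stand-ins for $h_0$ to $h_5$, the integer identities, and $z_c = h_2(y_j \| s \| x_i)$ are assumptions.

```python
import hashlib

# Added example, not code from the paper. A generic-group model of the
# tripartite pairing-based key agreement: a G1 element kP is represented by the
# scalar k mod N and a GT element e(P,P)^t by t mod N, so e(kP, lP) = e(P,P)^{kl}
# holds by construction. Discrete logarithms are visible in this model, so it
# checks protocol algebra only and is never a secure implementation; the paper
# itself uses the JPBC library with a type A pairing.
N = (1 << 127) - 1   # prime group order (assumption: any large prime serves)
P = 1                # the generator P is the scalar 1


def smul(k, Q):
    """Scalar multiplication k*Q in G1."""
    return (k * Q) % N


def pair(Q, R):
    """Symmetric bilinear map e(Q, R) into GT."""
    return (Q * R) % N


def gt_pow(t, x):
    """Exponentiation t^x in GT, where t stands for e(P, P)^t."""
    return (t * x) % N


def h(tag, *parts):
    """Domain-separated stand-in for h_0 .. h_5; every input is an int below 2^256."""
    m = hashlib.sha256(tag.encode())
    for part in parts:
        m.update(part.to_bytes(32, "big"))
    return int.from_bytes(m.digest(), "big") % N


def jia_round(a, b, c):
    """Jia et al.'s exchange: A = aP, B = bP, C = cP and SK = e(B,C)^a = e(A,C)^b = e(A,B)^c."""
    A, B, C = smul(a, P), smul(b, P), smul(c, P)
    K_u, K_f, K_c = gt_pow(pair(B, C), a), gt_pow(pair(A, C), b), gt_pow(pair(A, B), c)
    assert K_u == K_f == K_c
    return {"A": A, "B": B, "C": C, "K_u": K_u}


def improved_round(s, ID_i, x_i, ID_j, y_j, a, b, c):
    """Improved scheme: each ephemeral is bound to a CSP-issued long-term secret."""
    P_pub = smul(s, P)
    database = {ID_i: x_i, ID_j: y_j}          # CSP's (ID, x_i) and (ID, y_j) records
    q_i = h("h2", ID_i, s, x_i)                 # issued to U_i at registration
    g_j = h("h2", ID_j, s, y_j)                 # issued to F_N at registration

    # U_i and F_N: blinded exponents v_u = a*q_i, v_f = b*g_j, points A, B, and
    # identities masked with h_0(s*A) = h_0(v_u*P_pub) and h_0(s*B) = h_0(v_f*P_pub).
    v_u, v_f = (a * q_i) % N, (b * g_j) % N
    A, B = smul(v_u, P), smul(v_f, P)
    PID_i = ID_i ^ h("h0", smul(v_u, P_pub))
    PID_j = ID_j ^ h("h0", smul(v_f, P_pub))

    # CSP: recover A' = sA and B' = sB, unmask the identities, look them up,
    # derive z_c = h_2(y_j || s || x_i) and its own blinded exponent v_c = c*z_c.
    ID_i_p = PID_i ^ h("h0", smul(s, A))
    ID_j_p = PID_j ^ h("h0", smul(s, B))
    if ID_i_p not in database or ID_j_p not in database:
        raise ValueError("unknown identity: session terminated")
    z_c = h("h2", database[ID_j_p], s, database[ID_i_p])
    v_c = (c * z_c) % N
    C = smul(v_c, P)

    # Each party raises the pairing of the other two points to its own exponent;
    # all three equal e(P,P)^{v_u v_f v_c}, and SK = h_5(K || A || B || C).
    K_u, K_f, K_c = gt_pow(pair(B, C), v_u), gt_pow(pair(A, C), v_f), gt_pow(pair(A, B), v_c)
    SK = tuple(h("h5", K, A, B, C) for K in (K_u, K_f, K_c))
    return {"A": A, "B": B, "C": C, "K_u": K_u, "SK": SK}


def leaked_a_guess(transcript, a):
    """Attacker who learns the user's ephemeral a and saw A, B, C tries e(B, C)^a."""
    return gt_pow(pair(transcript["B"], transcript["C"]), a)
```

With all three parties' keys equal and the leaked-$a$ guess matching only in Jia et al.'s variant, the model reproduces the point of this subsection: in the improved scheme the exponent that reaches the pairing is $v_u = a q_i$, so $a$ alone is useless without the registration secret $q_i$.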

Mutual Authentication. CSP authenticates $U_i$ by verifying whether $ID_i'$ equals the $ID_i$ stored in the CSP database and whether $N_i'$ equals the $N_i$ sent by $U_i$. $U_i$ authenticates CSP by verifying whether $Auth_i'$ equals $Auth_i$ … . Similarly, CSP authenticates $F_N$ by verifying whether $ID_j'$ equals the $ID_j$ stored in the CSP database and whether $L_j'$ equals the $L_j$ sent by $F_N$. $F_N$ authenticates CSP by verifying whether $Auth_j'$ equals $Auth_j = h_4(A$ … .
First, the opponent is unable to guess the correct identity and password of $U_i$ through a password-guessing attack. Second, to construct $\{A, PID_i, N_i\}$, the adversary has to obtain the key $s$ and the parameter $x_i$; it cannot compute $q_i$ without $ID_i$, $s$, and $x_i$, which are crucial for computing $\{A, PID_i, N_i\}$. Thus, the adversary cannot impersonate a legitimate user. Similarly, to mimic a legitimate fog node, the opponent must obtain the identity $ID_j$ and $g_j = h_2(ID_j \| s \| y_j)$ of $F_N$, or construct $B = v_f P$, $PID_j = ID_j \oplus h_0(B')$, and … ; the adversary may obtain the identity $ID_j$, but it cannot determine $g_j = h_2(ID_j \| s \| y_j)$, which is computed and assigned by CSP during $F_N$ registration. $g_j$ cannot be computed without $s$ and $y_j$, which are crucial for computing $\{B, PID_j, L_j\}$. Thus, the adversary cannot impersonate a legitimate $F_N$.
The adversary is also unable to impersonate CSP. To compute … . However, the adversary cannot obtain $C$ unless it obtains all three factors at the same time, which is beyond the capacity of an adversary. Thus, the adversary cannot impersonate CSP.

Man-in-the-Middle Attacks. If the adversary obtains $Msg_1$ or $Msg_2$ from the public channel and modifies it to launch a man-in-the-middle attack, the modified message cannot pass authentication at the CSP, because the CSP's authentication rests on determining the identities of $U_i$ and $F_N$. From (2), CSP computes $ID_i'$ and $ID_j'$ and compares them with the $ID_i$ and $ID_j$ stored in its database; if they are not equal, the session is terminated immediately. From (1), the adversary cannot obtain $ID_i$ and $ID_j$, and from (3), the adversary cannot obtain the values of $s$, $x_i$, and $y_j$. Thus, the modified messages cannot pass the verification of … . If the adversary obtains $Msg_3$ or $Msg_4$ from the open channel and modifies it, the authentication at $U_i$ and $F_N$ likewise fails: as shown in (2), modified messages cannot pass the verification $Auth_i' = Auth_i$ at $U_i$ and $Auth_j' = Auth_j$ at $F_N$.

Known Session Key Attacks.
A scheme is vulnerable to known session key attacks if an adversary can use an old compromised session key to obtain sensitive parameters or keys of subsequent sessions. In our scheme, … is refreshed using the random numbers $\{a, b, c\}$, and the attacker does not know $\{q_i, g_j, z_c\}$. Thus, owing to the hardness of the elliptic curve Diffie-Hellman problem, the attacker cannot derive a new $SK$ from an old $SK$ or extract $\{a, b, c\}$ from $\{A, B, C\}$; the proposed scheme therefore withstands known session key attacks.

Compromise Impersonation Attacks.
If the CSP long-term key $s$ is compromised, the adversary may use $s$ to impersonate a legitimate user to $F_N$ and CSP. However, every such attack session is terminated immediately, as follows. In the worst case, the adversary also has access to the data on a stolen smart card SC. Despite knowing $s$, the adversary does not know the hidden values of $\{ID_i,$ … . The adversary may intercept messages sent by $U_i$ during authentication and key negotiation and attempt to impersonate the initiator of the session. However, the session terminates immediately because the attacker cannot compute $K_u = e(B, C)^{v_u}$ correctly without knowing the hidden values $a$ and $q_i$, despite knowing $s$.

Parallel Session Attacks.
When an entity is in a session, the adversary may replay old messages to launch a new session; this is impossible. When an attacker replays $\{M_1, M_2\}$ to CSP, it can pass the verification of … . However, because the attacker does not know $\{a, b\}$ and $\{q_i, g_j\}$, it cannot compute … , $v_u = a q_i$, or $v_f = b g_j$, and the attacker's session is immediately aborted.

Stolen Smart Card Attacks. If an attacker steals the smart card and extracts … , it may try to impersonate $U_i$ to $F_N$ and CSP. However, the attacker does not know the sensitive parameters $\{ID_i, PW_i, x_i, s\}$ needed to generate the initiator message … . Hence, the proposed scheme withstands stolen smart card attacks.

Password-Guessing Attacks. If an adversary obtains $\{$ … $\}$ from the open channel, online password-guessing attacks may be launched. However, the adversary … , and $PW_i$ is not included in these values. Therefore, $PW_i$ remains secure.
If the smart card is compromised, the parameters $\{R_i^*, V_i\}$ stored in the SC can be obtained through power analysis, and off-line dictionary attacks can then be mounted on the relevant parameter … .
… which is randomized using $\{a, b, c\}$ and $\{q_i, g_j, z_c\}$. By … and obtain $(A, B, C)$ from the public channel. However, $(a, b, c)$ are random numbers independently selected by $U_i$, $F_N$, and CSP, respectively, and are not available to the attacker; therefore, $v_u$ and $SK_u$ cannot be computed.
Similarly, when the attacker obtains the $F_N$ registration information $(ID_j, y_j)$ and the key $s$ of CSP and intends to compute the session key $SK_f$, it can compute $g_j = h_2(ID_j \| s \| y_j)$ and obtain $(A, B, C)$ from the public channel. However, $(a, b, c)$ are random numbers independently selected by $U_i$, $F_N$, and CSP, respectively, and are not available to the attacker; therefore, $v_f$ and $SK_f$ cannot be computed.
The attacker also cannot compute $SK_c$: $z_c = h_2(y_j \| s \| x_i)$ can be computed, but $v_c = c z_c$ cannot be computed without the $c$ selected by CSP. Thus, the modified scheme withstands privileged-insider attacks.

Replay Attacks.
The adversary may attempt to replay old messages $\{Msg_1, Msg_2, Msg_3, Msg_4\}$. However, every message is refreshed with a timestamp from $\{T_u, T_f, T_c\}$ and the random numbers $\{a, b, c\}$. Upon receiving an authentication request, the receiver first checks the freshness of the timestamp; if it is not fresh, the session is terminated immediately.
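As an added example (not the paper's code), the receiver-side check below implements the freshness test of this subsection in Python and adds a detail a deployment needs: a timestamp window alone still accepts an exact replay that arrives inside the window, so the checker also remembers the (ephemeral point, timestamp) pairs it has accepted until they age out. The window size, the use of the ephemeral point as the identifier, and the injected clock are assumptions.

```python
import time

# Added example, not the paper's code: receiver-side freshness check for the
# timestamped messages Msg1..Msg4. A stale timestamp is rejected as in the
# paper; in addition, (ephemeral point, timestamp) pairs accepted inside the
# window are remembered, because a pure timestamp check admits a replay that
# arrives within the window. WINDOW is an assumed tolerance for clock skew
# plus transit delay, in seconds.
WINDOW = 5


class FreshnessChecker:
    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = {}  # (ephemeral_point, timestamp) -> time after which it cannot be replayed

    def accept(self, ephemeral_point, timestamp, now=None):
        """Return True if the message is fresh and not a replay; False terminates the session."""
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.window:
            return False  # stale or from the future
        # forget entries whose timestamp would fail the window check anyway
        self.seen = {key: expiry for key, expiry in self.seen.items() if expiry > now}
        key = (ephemeral_point, timestamp)
        if key in self.seen:
            return False  # exact replay inside the acceptance window
        self.seen[key] = timestamp + self.window
        return True
```

Because the ephemeral point is fresh per session (it is derived from $a$, $b$ or $c$), a replayed message carries both the old point and the old timestamp, and the second lookup catches what the window check alone would let through.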
Perfect Forward Secrecy.
Perfect forward secrecy means that if a long-term key is revealed to an attacker, the $SK$ established between $U_i$, $F_N$, and CSP cannot be computed and remains secure. If an attacker attempts to compute the session key … , which is randomized using the numbers $\{a, b, c\}$ and $\{q_i, g_j, z_c\}$, … . The attacker obtains $(A, B, C)$ from the public channel but needs one of the parameters $v_u$, $v_f$, $v_c$, which cannot be obtained; thus $SK$ cannot be computed. Therefore, the improved scheme provides perfect forward secrecy.
The details are as follows: $(a, b, c)$ are random numbers independently selected by $U_i$, $F_N$, and CSP, respectively, and $(A, B, C)$ are computed independently by each entity. If $U_i$ does not know the values of $B$ and $C$, which are contributed by $F_N$ and CSP, $SK_u$ cannot be computed. Similarly, $F_N$ and CSP cannot compute $SK_f$ and $SK_c$ without $(A, C)$ and $(A, B)$, respectively.
Unknown Key-Share.
From (2), all three entities are mutually identifiable. If $U_i$ establishes a session key with entity-1 but mistakenly sends the request message intended for entity-1 to entity-2, the validation … cannot pass, and the session terminates immediately. Therefore, the proposed scheme resists unknown key-share attacks.

Evaluation by ProVerif.
In this section, we use the widely accepted tool ProVerif [49][50][51][52][53] to simulate and test the scheme; ProVerif can verify secrecy and authentication properties. The complete scheme shown in Figure 4 is implemented and validated in ProVerif. In the simulation we assume the two channels shown in Figure 5(a): ch is the public channel used for the transmission of messages between entities in the authentication phase, and sch is a secure channel for user and fog node registration. Variables and constants are also defined in Figure 5(a): $ID_i$ and $ID_j$ are the identities of the user and the fog node, and $SK_u$, $SK_f$, and $SK_c$ are the session keys computed by the three entities.
The user and fog node processes are instrumented with start and end events, and authentication is shown by the correspondence between the start and end events of a given participant. If an end event is never reached, the scheme failed to terminate and is incorrect. Figures 5(b)-5(d) show the user, fog node, and CSP processes, respectively, which follow Section 3 and are executed in parallel.
The necessary queries are defined in Figure 5(a) to verify the security and correctness of the scheme.
The query attacker(...) simulates an attack that attempts to obtain the session key and the secret random numbers, while the other three inj-event queries correspond to the start and end events of the three processes. If any of these queries returns false, the scheme is incorrect. The results of the queries are shown in Figure 6.

Security and Communication Networks
The results in Figures 6(a) and 6(b) show that the session keys negotiated between the entities and the secret random numbers selected by each entity remain secret against the modelled attacker, which supports the authenticity and confidentiality of our scheme. The results in Figure 6(c) show that each process started and ended successfully, which supports the correctness of the scheme.

Performance Evaluation
In this section, the security features and the resistance to various attacks of our scheme and of the previous schemes [36,41,46] are compared in Table 2. We conclude that our scheme is more secure than the compared schemes. In the table, "Yes" means that the scheme resists the indicated attack, "No" means that it does not, and "−" means that the attack is outside the scope of the scheme.
Subsequently, we evaluate the performance of the proposed scheme in terms of computational and communication costs. The improved scheme was implemented in Java with JDK version 1.3, and the simulation was based on the Java Pairing-Based Cryptography library (JPBC) [54], version 2.0.0. A Windows 10 computer with a quad-core 2.3 GHz Intel(R) Core i5-8300H processor and 16 GB of memory was used as the experimental platform, with IntelliJ IDEA Community 2020.2.1 as the development environment. We use the widely accepted type A pairing, which is based on the curve $y^2 = x^3 + x$ over the field $F_q$ with $q \equiv 3 \pmod 4$. The symbols ($T_{G_e}$, $T_{G_m}$, $T_h$, $T_{G_a}$) used in the performance comparison and the time of each operation are listed in Table 3. Table 4 presents the computation costs of the different phases of the scheme.
As shown in Table 4, the computation cost of our scheme is slightly higher than that of schemes [36,46]; however, our scheme provides additional security features, and the mandatory security objectives it achieves exceed those of the other schemes [36,41,46]. Our solution provides security features that the other solutions lack, such as resistance to replay and impersonation attacks, user anonymity, and mutual authentication.
To calculate the communication and storage costs, we first fix the bit lengths of the random nonce, password, identity, group elements, hash outputs, and timestamp (listed after Table 4).
As shown in Tables 5 and 6, the communication and storage overheads of our scheme are slightly higher. This is mainly due to the additional computation needed to provide stronger security. However, because the primary purpose of such a scheme is to ensure the security and privacy of data, a slightly higher communication cost is acceptable in exchange for stronger security. From Tables 4 and 5, we conclude that our scheme is better than the other schemes [36,41,46]: it provides stronger security and withstands various known attacks.

Conclusion
The use of fog-driven IoT healthcare systems has brought significant convenience to people, and authentication is one of the most important security functions of such systems. Recently, a growing number of researchers have studied healthcare systems and developed stronger authentication protocols for these environments. In this study, we proposed a secure authenticated key agreement scheme for fog-driven IoT healthcare systems: the defects of the original scheme were analyzed and security improvements were proposed. A performance evaluation and an informal security comparison with related schemes are also presented, indicating that our scheme provides more security features. Our solution uses pairing operations, so its time cost is slightly higher than that of other solutions. Future work can address this limitation, but our solution provides security features that the other solutions lack, which makes it more suitable for practical IoT-based medical systems.

Table 5 (fragment). Columns: Ref. [36], Ref. [46], Ref. [41], Our scheme. Row "Authentication and key agreement": $5|G_1|$ … .

Figure 1: The concept of the fog-driven IoT healthcare system.

… $= e(B, C)^a$. Note, we may also assume that E obtains $b$ or $c$ from $F_N$ or CSP. The session key can equally be computed as $e(A, C)^b$ or $e(A, B)^c$, because $SK = e(B, C)^a = e(A, C)^b = e(A, B)^c$ in Jia et al.'s scheme; here $a$, $b$, and $c$ are the random numbers chosen by $U_i$, $F_N$, and CSP, respectively.
(b) Identity recovery (anonymity violation). Under the same assumption as in (a), E can recover the … .


Figure 4: Modified authentication and key agreement phase.

Figure 6: Verification results. (a) Query results for SK. (b) Query results for secrecy. (c) Query results for events.

… B)C, and $SK_c = h_5(K_c \| A \| B \| C)$; note, the current timestamp is $T_c$.
Using A18, S4, and the jurisdiction rule, we obtain S5: $U_i \mid\equiv B$. Based on message $Msg_5$ and the seeing rule, we obtain S6: $U_i \triangleleft (Auth_i, C, T_c)$. Using the seeing rule, we obtain S7: … .

… $h_4(B \| C \| A' \| ID_i' \| T_c)$, which includes $B$ calculated by $F_N$. … which includes $C$ calculated by CSP. $F_N$ authenticates $U_i$ by verifying whether $Auth_j'$ equals $Auth_j$, which includes $A$ calculated by $U_i$, and $U_i$ authenticates … .

Impersonation Attacks.
To impersonate a legitimate user, the adversary has to obtain the identity $ID_i$, the password $PW_i$, and … .

… to guess the user password. However, because the values $\{x_i, s\}$ are known only to the CSP, the opponent cannot verify the correctness of a guess; therefore, all sensitive parameters remain safe.

Privileged-Insider Attacks.
When the attacker obtains the registration information $(ID_i, RID_i, x_i)$ of $U_i$ and the key $s$ of CSP and intends to compute the session key $SK_u$ … .

No Key Control.
No entity can control the key agreement process so as to compute $SK$ on its own, where $SK_u$ … .

Table 2: Comparison of security features.

Table 3: Computation time of basic operations.
Table 4: Computation cost of the authentication and key agreement phase.

Scheme                            Ref. [36]                         Ref. [46]                          Ref. [41]                           Our scheme
Authentication and key agreement  $3T_{G_m} + 19T_h + 1T_{fe}$      $3T_{G_e} + 7T_{G_m} + 18T_h$      $4T_{G_e} + 10T_{G_m} + 25T_h$      $3T_{G_e} + 10T_{G_m} + 21T_h$

The length of the random nonce, password, and identity is 160 bits, and the length of a point in the group $G_1$ is 1024 bits, denoted $|G_1|$. The output length of the hash functions $h_0, h_1, h_2, h_3, h_4$ in $Z_p^*$ is 160 bits, denoted $|q|$. The output length of $h_5$ and the key length are both 256 bits. The length of the timestamp is 32 bits, denoted $|T|$.