An Improved Anonymous Authentication Protocol for Wearable Health Monitoring Systems

Wearable health monitoring system (WHMS), which helps medical professionals collect patients' healthcare data and provide diagnosis via mobile devices, has become increasingly popular thanks to the significant advances in wireless sensor networks. Because health data are privacy-related, they should be protected from illegal access when transmitted over a public wireless channel. Recently, Jiang et al. presented a two-factor authentication protocol based on quadratic residues with a fuzzy verifier for WHMS. However, we observe that their scheme is vulnerable to known session-specific temporary information (KSSTI) attack, privileged insider attack, and denial-of-service (DoS) attack. To defeat these weaknesses, we propose an improved two-factor authentication and key agreement scheme for WHMS. Through rigorous formal proofs under the random oracle model and a comprehensive informal security analysis, we demonstrate that the improved scheme overcomes the disadvantages of Jiang et al.'s protocol and withstands the known attacks. In addition, comparisons with several relevant protocols show that the proposed scheme achieves more security features with suitable efficiency. Thus, our scheme is a reasonable authentication solution for WHMS.


Introduction
At present, electronic-health (e-health) services are greatly promoted by the significant advances in computer science, wireless communication technologies, and low-power sensors, and various security solutions [1][2][3][4][5][6][7][8] have been developed to build secure e-health systems. The wireless sensor network (WSN) plays an important role in e-health by sensing, measuring, and gathering patient information for the doctor's diagnosis or for recording in the medical server. Wearable health monitoring system (WHMS), one of the most popular e-health applications, has attracted extensive attention in academia and industry for its mobility, flexibility, and low cost [9][10][11][12]. A WHMS is a WSN with wearable sensors installed on or implanted in the body of the patient; it monitors the patient's health conditions by sensing, measuring, and gathering physiological data and sends them to the medical professional or medical center via a wireless channel for proper diagnosis and further medical treatment. With data like heart rate, blood pressure, and body temperature, doctors at a distance can assess the patient's health status. Figure 1 illustrates a typical WHMS scenario. The advantages of providing healthcare services using WHMS are as follows:
(1) Enhanced medical care quality
(2) Continuous monitoring of patients
(3) Savings in money and time for patients
(4) Real-time physician diagnosis and intervention

1.1. Related Works.
Although WHMS provides efficiency and simplicity for medical professionals, and patients can benefit greatly from it, security and privacy cannot be overlooked since the sensed data are transmitted over insecure wireless channels. Thus, it is necessary to design a robust authentication mechanism to protect the patient's physiological data, which are sensitive and must be kept secret. If the patient's data are illegally captured and tampered with by an attacker, medical professionals will make a wrong diagnosis based on these data.
Furthermore, the leaked data may be used for commercial purpose or other horrible purposes. Specifically, medical professionals should be authenticated before accessing the physiological data from the wearable sensors on the patient, and their identity and password should not be revealed if the malicious attacker eavesdrops the messages through the gateway in WHMS, and vice versa. In the meantime, a shared session key should be generated between medical professionals and the sensor node deployed on the patient's body to protect secure communication among the communicating parties.
To address this issue, several user authentication protocols have been proposed for patient health monitoring [13][14][15][16][17][18][19][20][21][22][23]. Some authentication schemes [16][17][18] are based on elliptic curve cryptography (ECC) because ECC reaches the same security level as RSA with faster computation and a smaller key size. Although the security of these ECC-based schemes has been continuously enhanced, they are still not lightweight enough for WHMS, since point multiplication is computationally expensive while the computation capability and energy of the mobile device and the sensors are limited.
Kumar et al. [24] suggested a user authentication protocol named E-SAP to monitor patient's physiological data in wireless medical sensor network in 2012, claiming that their protocol was secure against known attacks. However, both He et al. [25] and Khan and Kumari [26] scrutinized Kumar et al.'s scheme and found some security defects like password guessing attack and lack of user anonymity and put forward their improved versions, respectively. Unfortunately, Wu et al. [20], Mir et al. [21], and Li et al. [22] independently pointed out that He et al.'s scheme [25] was vulnerable to security weaknesses, including denial-of-service attack, impersonation attack, offline guessing attack, and sensor node capture attack. To fix these loopholes, they suggested an improved version and declared that their new proposal was more secure than the previous ones. In 2016, Das et al. [27] identified the security defects in Li et al.'s protocol [28], i.e., privileged insider attack, sensor capture attack, and lack of user anonymity, and suggested an enhanced scheme based on biometrics. Later, Amin et al. [19] introduced a mutual authenticated protocol with user anonymity in WHMS and declared that their scheme was robust against the known threats. However, it was revealed by Jiang et al. [29] that this protocol suffers from several weaknesses, such as stolen mobile device attack, desynchronization attack, and sensor key exposure. To secure Amin et al.'s scheme, Jiang et al. suggested an improved two-factor (password and smartcard) scheme using quadratic residues [29,30], fuzzy verifier [31], and timestamp mechanism. Further, security analysis showed that their scheme achieved the desired security features; thus, they had confidence in the security of their solution.
Independently, Challa et al. [32] proposed an improved three-factor (password, smartcard, and biometrics) authenticated protocol for wireless healthcare sensor networks to improve the security of Liu and Chung's scheme [23]. However, in their scheme the user communicates with the remote sensor directly, which means the power consumption of the sensor increases greatly and the sensor's lifetime is reduced rapidly. Thus, their scheme is inapplicable to wireless healthcare sensor networks. Ali et al. [33] devised an anonymous three-factor-based protocol to thwart security threats such as offline password guessing attack, user impersonation attack, and known session key temporary information attack in Amin et al.'s scheme [19]. Shen et al. [34] put forward a multilayer authenticated protocol using ECC for the wireless body area network to implement secure authentication and group key generation between the sensor and the mobile device. Li et al. [35] suggested a lightweight authentication protocol for centralized WBAN with two hops while preserving anonymity and unlinkability of data transmission. Shen et al. [36] presented an efficient ECC-based pairing-free certificateless public key signature authentication protocol for WBAN with two message rounds. However, according to [37,38], two-round authentication protocols of this kind fail to achieve perfect forward secrecy.

Motivations and Contributions.
When cryptanalyzing Jiang et al.'s scheme [29], regrettably, we find that their protocol is not as robust as they claimed. Although a fuzzy verifier is used to thwart offline password guessing attack in Jiang et al.'s scheme, their scheme is still vulnerable to privileged insider attack, which leads to user impersonation attack. Worse still, Jiang et al.'s scheme [29] is subject to KSSTI attack, which means that their protocol is vulnerable to sensor key disclosure like the previous one. [29], we propose an improved two-factor authenticated scheme making use of quadratic residues for the WHMS environment.
Our contributions in this work are threefold, as listed below:
(i) First, we cryptanalyze the recent authentication scheme of Jiang et al. [29] for WHMS and find its vulnerability to KSSTI attack, privileged insider attack, and DoS attack.
(ii) Second, we propose an improved secure two-factor authentication and key agreement scheme using quadratic residues to address the security weaknesses in Jiang et al.'s protocol.
(iii) Third, we provide a formal security proof of the proposed scheme under the random oracle model and conduct an informal security analysis to demonstrate that the improved scheme is secure against known attacks. Moreover, we make a performance comparison between the improved protocol and the related schemes.

Organization of the Paper.
The remainder of this paper is organized as follows: Section 2 explains the preliminaries of quadratic residues and the security requirements. We cryptanalyze Jiang et al.'s protocol [29] in Section 3. In Section 4, we present our improved two-factor authentication and key agreement scheme for WHMS. Next, the security analysis and performance comparison are given in Section 5. Finally, the paper is concluded in Section 6.

Preliminaries
2.1. Quadratic Residues.
According to [29,30], a quadratic residue is defined as follows. Let p and q denote two large primes and n = pq. If y = x^2 mod n has a solution x, i.e., y has a square root modulo n, then y is called a quadratic residue mod n. Let Q_n be the set of quadratic residues in [1, n-1] and y ∈ Q_n. Because of the difficulty of factoring n, it is hard to find x from y without knowledge of p and q, whereas a party holding p and q can compute the square roots efficiently.
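The following Python program is an added example, not code from this paper or from Jiang et al.: it implements the asymmetry just described with two small demo primes (1000003 and 1000039, both ≡ 3 mod 4, chosen for this example only; real parameters are far larger), recovers all four square roots of y = x^2 mod n from the factors via the Chinese remainder theorem, and shows why a protocol of this kind embeds recognisable structure in the plaintext (here a constructed tag byte standing in for a known field such as SID_j) so that the decrypting party can select the intended root.

```python
from __future__ import annotations
import math

# Constructed demo primes (not the paper's parameters), both ≡ 3 (mod 4) so a
# square root modulo each prime is a single exponentiation. Real deployments
# use primes of at least 512 bits; these are tiny for readability.
P = 1000003
Q = 1000039
N = P * Q


def is_prime(v: int) -> bool:
    """Trial division; sufficient for the small demo primes above."""
    return v >= 2 and all(v % d for d in range(2, math.isqrt(v) + 1))


if not (P % 4 == 3 and Q % 4 == 3 and is_prime(P) and is_prime(Q)):
    raise RuntimeError("demo primes must be distinct primes congruent to 3 mod 4")


def square_mod_n(x: int, n: int = N) -> int:
    """Public direction: anyone holding n computes y = x^2 mod n."""
    if not 0 < x < n:
        raise ValueError("x must lie in [1, n-1]")
    return pow(x, 2, n)


def square_roots_mod_n(y: int, p: int = P, q: int = Q) -> list[int]:
    """Private direction: with (p, q), return the four square roots of y mod pq.

    For p ≡ 3 (mod 4), y^((p+1)/4) mod p is a root of y modulo p whenever y is
    a quadratic residue mod p; the two roots mod p and the two mod q are
    combined with the Chinese remainder theorem. Without p and q this step is
    as hard as factoring n, which is the property the protocol relies on.
    """
    n = p * q
    rp = pow(y, (p + 1) // 4, p)
    rq = pow(y, (q + 1) // 4, q)
    if (rp * rp - y) % p or (rq * rq - y) % q:
        raise ValueError("y is not a quadratic residue modulo n")
    yp = q * pow(q, -1, p)   # ≡ 1 mod p, ≡ 0 mod q
    yq = p * pow(p, -1, q)   # ≡ 0 mod p, ≡ 1 mod q
    roots = {(sp * rp * yp + sq * rq * yq) % n for sp in (1, -1) for sq in (1, -1)}
    return sorted(roots)


TAG = 0xA5  # constructed redundancy byte; plays the role of a known field such as SID_j


def encode(ident: int, nonce: int) -> int:
    """Pack a 12-bit identifier, a 16-bit nonce and the tag into one integer < n."""
    if not (0 <= ident < 2**12 and 0 <= nonce < 2**16):
        raise ValueError("field out of range")
    return (ident << 24) | (nonce << 8) | TAG


def decrypt_with_redundancy(y: int, p: int = P, q: int = Q) -> list[int]:
    """Keep only the roots that look like a well-formed plaintext.

    Squaring loses which of the four roots was the input; the recognisable
    structure lets the decrypting party (GWN in the protocol) pick it out.
    """
    return [r for r in square_roots_mod_n(y, p, q) if r & 0xFF == TAG and r < 2**36]


def demo() -> tuple[int, int, list[int]]:
    x = encode(0x123, 0xBEEF)            # constructed plaintext
    y = square_mod_n(x)                  # what travels on the public channel
    return x, y, decrypt_with_redundancy(y)


if __name__ == "__main__":
    x, y, recovered = demo()
    print(f"x={x:#x}  y={y}  recovered={[hex(r) for r in recovered]}")
```

The tag check is what makes the scheme usable as an encryption of CID_i: without it, GWN would face four equally valid roots and could not tell which one carries the real (ID_i, R_1, R_i*, SID_j).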

2.2. Security Requirements.
It is important to understand the security requirements in designing or cryptanalyzing an authentication protocol. Hence, according to the previous works [38,39], the security requirements of authentication protocol for WHMS are summarized as follows.
(1) Resisting Stolen Mobile Device Attack. If an unauthorized person obtains a lost/stolen mobile device, it must be impossible for him to impersonate a valid user with a counterfeit login request using the information extracted from the device.

Cryptanalysis on Jiang et al.'s Protocol
In this section, we cryptanalyze Jiang et al.'s protocol [29]. Due to space limitations, the review of protocol [29] is omitted. The symbols involved are listed in Table 1. Jiang et al. [29] criticized Amin et al.'s scheme [19] for its vulnerability to stolen mobile device attack, desynchronization attack, and sensor key exposure. To eliminate these security risks, they introduced countermeasures such as the public key primitive of quadratic residues, the concept of a fuzzy verifier, hash functions, and a timestamp mechanism to enhance the security of Amin et al.'s scheme. Unfortunately, we point out several security vulnerabilities in Jiang et al.'s protocol. More specifically, it is susceptible to KSSTI attack, privileged insider attack, and DoS attack. Before elaborating the security analysis, we summarize the adversary model used in this work.

Adversary Model
(1) The attacker can fully control the open communication channel. In other words, he may eavesdrop, intercept, insert, delete, and modify messages exchanged over an open channel [40,41].
(2) The attacker can extract all the secret data stored in MD if he obtains the lost/stolen mobile device [42,43].
(3) The attacker can guess the user's identity and password offline by enumerating pairs (ID, PW) from the Cartesian product D_ID × D_PW in polynomial time, where D_ID and D_PW denote the identity space and the password space [37,44], respectively.
(4) The random numbers and the secret keys selected by each communicating party are adequately large to prevent the attacker from guessing them in polynomial time.
(5) The insider can obtain the registration request message of the user, and the insider can access the verifier

and R_2 is a random nonce produced by GWN. After verifying the authenticity of GWN, S_j sends {M_6, M_7} to GWN, where M_7 = h(R_2) ⊕ R_3. If R_2 is compromised and the attacker captures the messages {M_3, M_4, M_5, T_2} and {M_6, M_7} from the public channel, he can compute T_2), and R_3 = M_7 ⊕ h(R_2), and then computes the session key SK = h(M_2 ‖ R_2 ‖ R_3). Thus, it is not hard to compute the session key if the random number R_2 is disclosed. Therefore, Jiang et al.'s scheme is subject to KSSTI attack.

Privileged Insider Attack.
A similar analysis is given in Das et al. and Das [27,47]. In the medical professional registration phase, a medical professional U_i sends his registration request {ID_i, HPW_i} to GWN securely, where HPW_i = h(r_i ⊕ PW_i). Suppose the message {ID_i, HPW_i} is known to an insider acting as an attacker, and further suppose that the lost/stolen mobile device containing the secret data (Reg_i, A_i, C_i, m, n, r_i, h(·)) is obtained by the attacker; he can extract all the secret information from the card using side-channel analysis [43]. Note that Using this information, the attacker can carry out an attack as follows: the attacker selects a random number R_1' and com- Upon receipt of the message, GWN will pass the validation and treat the attacker as a valid user, successfully performing the subsequent steps of the authentication phase as depicted in Jiang et al.'s protocol. Lastly, GWN sends the message {M_7, M_8, M_9} to the user, but the attacker receives the message and computes Obviously, the result is true. Therefore, the attacker has generated a shared session key with S_j.
Thus, the attacker can imitate U i to login to GWN successfully. In this regard, Jiang et al.'s scheme is not secure against privileged insider attack.

DoS Attack.
To authenticate U_i, GWN maintains a table containing the secret data ID_i and R_i for each user U_i. When GWN receives the login request from U_i, it retrieves R_i by ID_i to perform the subsequent procedure. However, because (ID_i, R_i) is stored in the table, if an insider (acting as an attacker) deletes or modifies all or some entries in the table, GWN will fail to look up the entries of a user who has successfully registered and sends a login request, so the legitimate user is rejected by GWN. Therefore, Jiang et al.'s scheme is susceptible to DoS attack.

The Proposed Scheme
In this section, we propose a secure and efficient authenticated key agreement scheme for WHMS to thwart the security weaknesses found in Jiang et al.'s scheme. Our scheme not only retains the advantages of Jiang et al.'s scheme but

Medical Professional Registration Phase
Step 1. U_i keys in his ID_i and PW_i, chooses a random nonce r_i, and calculates HPW_i = h(r_i ⊕ PW_i); then, he transmits {ID_i, HPW_i} to GWN via a secure channel.
Step 2. Upon receiving the registration request, GWN selects m ∈ [2^4, 2^8] and a random nonce R_i, and calculates a fuzzy verifier
Step 3. After receiving the message,
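An added Python illustration, not the paper's code, of the fuzzy verifier Reg_i = h(h(ID_i ‖ R_i ‖ HPW_i) mod m) that GWN computes in Step 2 (the formula is the one the paper gives in the password change phase and in Section 5.2). SHA-256 stands in for h(·), a separator for ‖, and the identities, passwords and nonces are constructed. The last function generalises the paper's |D_ID|·|D_PW|/m estimate: it grants the guesser every input except (ID, PW), more than the adversary model allows, and still shows that the device-side check cannot single out the real pair.

```python
from __future__ import annotations
import hashlib


def h(*parts: bytes) -> bytes:
    """h(·) instantiated with SHA-256; ‖ is modelled by a separator."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hpw(r_i: bytes, pw: bytes) -> bytes:
    """HPW_i = h(r_i ⊕ PW_i); the password is zero-padded to the nonce length."""
    return h(xor(r_i, pw.ljust(len(r_i), b"\0")))


def fuzzy_verifier(id_i: bytes, r_big: bytes, hpw_i: bytes, m: int) -> bytes:
    """Reg_i = h(h(ID_i ‖ R_i ‖ HPW_i) mod m).

    The inner hash is reduced to one of m buckets before the outer hash, so
    the stored value identifies a bucket, not one (ID, PW) pair.
    """
    bucket = int.from_bytes(h(id_i, r_big, hpw_i), "big") % m
    return h(bucket.to_bytes(2, "big"))


def local_check(reg_i: bytes, id_i: bytes, r_big: bytes, r_i: bytes, pw: bytes, m: int) -> bool:
    """Device-side test MD runs before building a login request."""
    return fuzzy_verifier(id_i, r_big, hpw(r_i, pw), m) == reg_i


def surviving_candidates(reg_i, r_big, r_i, ids, pws, m):
    """Worst case for the defender (assumption: the guesser holds R_i and r_i,
    which the adversary model rules out): every (ID, PW) in the dictionaries
    is tested against Reg_i. Roughly |ids|·|pws|/m wrong pairs pass, so the
    local check cannot single out the real credentials; only GWN's online
    check, which also needs the long-term key K, can."""
    return [(i, p) for i in ids for p in pws
            if local_check(reg_i, i, r_big, r_i, p, m)]


def demo(m: int = 16, n_ids: int = 40, n_pws: int = 50):
    """Constructed dictionaries and nonces; returns the true pair and the
    pairs the fuzzy verifier accepts."""
    ids = [f"doctor{k:03d}".encode() for k in range(n_ids)]
    pws = [f"pass{k:04d}".encode() for k in range(n_pws)]
    true_id, true_pw = ids[7], pws[21]
    r_big = b"\x11" * 32   # constructed R_i (GWN's nonce)
    r_i = b"\x22" * 32     # constructed r_i (user's nonce)
    reg_i = fuzzy_verifier(true_id, r_big, hpw(r_i, true_pw), m)
    return (true_id, true_pw), surviving_candidates(reg_i, r_big, r_i, ids, pws, m)


if __name__ == "__main__":
    truth, survivors = demo()
    print(f"{len(survivors)} of 2000 pairs pass the fuzzy check; "
          f"true pair included: {truth in survivors}")
```

With m = 16 and 2000 candidate pairs roughly one in sixteen wrong pairs survives the local check; scaling the same ratio to the paper's |D_ID| = |D_PW| = 10^6 and m = 2^8 gives the ≈ 2^32 candidates quoted in Section 5.2.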

Patient Registration Phase.
This phase is almost the same as in Jiang et al.'s scheme [29].
Step 1: The patient forwards his ID to the registration center.
Step 2: The registration center selects an appropriate sensor kit and assigns a professional.
Step 3: The registration center computes SK_GW−Sj = h(SID_j ‖ K) as the secret key of S_j and delivers the relevant information about the patient to the designated professional.

Login and Authentication Phase.
In this phase, mutual authentication is performed and a session key is generated between U_i and the sensor S_j for subsequent communication.
Step 1. U_i enters his ID_i and PW_i, and MD computes
Step 2. On receiving the login request msg_1, GWN decrypts CID_i with (p, q) to obtain (ID_i*, R_i*, R_1*, T_1) and checks the validity of the timestamp T_1. If the verification fails, GWN aborts the session. Otherwise, GWN computes B_i' = h(ID_i ‖ R_i ‖ K) and M_1* = h(ID_i ‖ B_i' ‖ R_1 ‖ T_1) and then checks whether M_1* = M_1. If they differ, GWN aborts the procedure. Otherwise, GWN calculates SK_GW−Sj = h(SID_j ‖ K), selects a random nonce R_2, and computes M_2 = h(ID_i Finally, GWN sends msg_2 = {M_3, M_4, M_5, T_2} to S_j.
Step 3. On receiving msg_2 from GWN, S_j first checks the freshness of T_2. If it is not fresh, S_j terminates the procedure. Otherwise, S_j computes If it is false, S_j aborts the session. Otherwise, S_j chooses a random number R_3 and computes SK = h(M_2' ‖ R_2' ‖ R_3), M_6 = h(SK ‖ R_3 ‖ SK_GW−Sj), and M_7 = h(R_2' ‖ T_3) ⊕ R_3, where T_3 is the current timestamp. S_j then forwards msg_3 = {M_6, M_7, T_3} to GWN.
Step 4. On receiving msg_3 from S_j, GWN first checks the validity of T_3. If it is invalid, GWN terminates the procedure.
Step 5. After receiving msg_4 from GWN, U_i validates the timestamp T_4. If it is invalid, U_i aborts the procedure. Otherwise, U_i computes R_2' = M_8 ⊕ h(ID_i ‖ R_1), R_3' = M_9 ⊕ h(ID_i ‖ R_2'), and SK* = h(h(ID_i ‖ R_1 ‖ R_i') ‖ R_2' ‖ R_3') and checks whether M_10 = h(ID_i ‖ SK* ‖ R_3' ‖ T_4) holds. If it is false, U_i terminates the connection. Otherwise, U_i believes that both GWN and S_j are credible.
The login and authentication phase is summarized in Figure 2.
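The following Python simulation is an added example, not the paper's code: it runs Steps 2 to 5 above between GWN, S_j and U_i using only the message components the text specifies (M_4, M_6, M_7, M_8, M_9, M_10 and the session key) and then checks the KSSTI Case 1 claim of Section 5.2. Assumptions, labelled again in the comments: h is SHA-256, ‖ is concatenation with a separator, every nonce and hash is 32 bytes so that ⊕ is well defined, and timestamps are 8-byte integers. The paper does not spell out M_3 and M_5 (the parts of msg_2 that carry R_2 to the sensor), so the simulation hands R_2 to S_j directly rather than inventing those components; the form M_4 = M_2 ⊕ h(SK_GW−Sj ‖ T_2) is taken from Case 1 of Section 5.2.

```python
from __future__ import annotations
import hashlib
import secrets
import time


def h(*parts: bytes) -> bytes:
    """h(·) as SHA-256 over the separator-joined parts (assumption)."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts() -> bytes:
    """Timestamp as an 8-byte big-endian integer (assumption)."""
    return int(time.time()).to_bytes(8, "big")


def run_protocol(id_i: bytes, r_big: bytes, sid_j: bytes, k: bytes):
    """Steps 2-4: returns the public transcript and the parties' secrets."""
    sk_gw_sj = h(sid_j, k)                 # SK_GW-Sj = h(SID_j ‖ K)
    r1 = secrets.token_bytes(32)           # R_1, chosen by MD in Step 1
    # --- GWN, Step 2 ---
    r2, t2 = secrets.token_bytes(32), ts()
    m2 = h(id_i, r1, r_big)                # M_2 = h(ID_i ‖ R_1 ‖ R_i)
    m4 = xor(m2, h(sk_gw_sj, t2))          # M_4 = M_2 ⊕ h(SK_GW-Sj ‖ T_2)
    # --- S_j, Step 3 (R_2 assumed delivered inside msg_2, see lead-in) ---
    m2_s = xor(m4, h(sk_gw_sj, t2))        # M_2' recovered with the sensor key
    r3, t3 = secrets.token_bytes(32), ts()
    sk_sensor = h(m2_s, r2, r3)            # SK = h(M_2' ‖ R_2' ‖ R_3)
    m6 = h(sk_sensor, r3, sk_gw_sj)        # M_6 = h(SK ‖ R_3 ‖ SK_GW-Sj)
    m7 = xor(h(r2, t3), r3)                # M_7 = h(R_2' ‖ T_3) ⊕ R_3
    # --- GWN, Step 4: recover R_3, authenticate S_j, build msg_4 ---
    r3_gw = xor(m7, h(r2, t3))
    sk_gw = h(m2, r2, r3_gw)
    if h(sk_gw, r3_gw, sk_gw_sj) != m6:
        raise ValueError("M_6 check failed: sensor not authenticated")
    t4 = ts()
    m8 = xor(r2, h(id_i, r1))              # U_i gets R_2 = M_8 ⊕ h(ID_i ‖ R_1)
    m9 = xor(r3_gw, h(id_i, r2))           # U_i gets R_3 = M_9 ⊕ h(ID_i ‖ R_2)
    m10 = h(id_i, sk_gw, r3_gw, t4)        # M_10 = h(ID_i ‖ SK ‖ R_3 ‖ T_4)
    transcript = {"M4": m4, "T2": t2, "M6": m6, "M7": m7, "T3": t3,
                  "M8": m8, "M9": m9, "M10": m10, "T4": t4}
    state = {"R1": r1, "R2": r2, "R3": r3, "SK_sensor": sk_sensor}
    return transcript, state


def user_step5(transcript: dict, id_i: bytes, r1: bytes, r_big: bytes) -> bytes:
    """Step 5 on MD: derive R_2', R_3', SK* and verify M_10."""
    t = transcript
    r2 = xor(t["M8"], h(id_i, r1))
    r3 = xor(t["M9"], h(id_i, r2))
    sk = h(h(id_i, r1, r_big), r2, r3)
    if h(id_i, sk, r3, t["T4"]) != t["M10"]:
        raise ValueError("M_10 check failed: GWN/S_j not authenticated")
    return sk


def observer_with_leaked_r2(transcript: dict, r2: bytes) -> bytes:
    """KSSTI Case 1: an eavesdropper who learns R_2 can unmask R_3 from M_7,
    but M_2 (hence SK) stays behind h(SK_GW-Sj ‖ T_2), which needs SID_j and K
    that never appear on the channel. Returns the only value R_2 exposes."""
    return xor(transcript["M7"], h(r2, transcript["T3"]))


def demo() -> tuple[bool, bool]:
    id_i, r_big = b"DR-0001", secrets.token_bytes(32)   # constructed user data
    sid_j, k = b"SENSOR-42", secrets.token_bytes(32)    # constructed sensor id and GWN key
    transcript, st = run_protocol(id_i, r_big, sid_j, k)
    sk_user = user_step5(transcript, id_i, st["R1"], r_big)
    r3_seen = observer_with_leaked_r2(transcript, st["R2"])
    return sk_user == st["SK_sensor"], r3_seen == st["R3"]


if __name__ == "__main__":
    keys_agree, r3_exposed = demo()
    print(f"U_i and S_j share SK: {keys_agree}; leaked R_2 exposes R_3: {r3_exposed}")
```

Tampering with any component of msg_4 makes the M_10 check in user_step5 fail, which is the integrity property item (4) of Section 5.2 relies on; and the observer function makes explicit that a leaked R_2 yields R_3 but not M_2, so the session key still depends on the sensor key.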

Password Change Phase.
This phase is also similar to that in Jiang et al.'s scheme [29], and it applies when U_i intends to update his password.
Step 1. U_i keys in ID_i and PW_i.
and Reg_i* = h(h(ID_i ‖ R_i* ‖ HPW_i*) mod m) and checks the condition Reg_i* = Reg_i. If it holds, MD quits this procedure.
Step 3. U_i keys in his new password PW_i^new; then, MD com- Step 4. Finally,

Figure 2: Login and authentication phase of the proposed scheme (the figure text did not survive extraction).

Security Analysis and Performance Comparison
In this section, we evaluate the security of our proposal under the random oracle model [48] and a comprehensive heuristic security analysis. In addition, the performance comparisons with relevant competitive schemes are made.

5.1. Authentication Proof Based on the Random Oracle Model.
In this section, we use the random oracle model to provide an authentication proof of the proposal. For simplicity, we present our formal security proof based on the security model of the previous works [48,49].

Theorem 1. Suppose A is a polynomial-time-bounded attacker running in time t_A; let Adv^AKE_{P,D_PW}(A) be the advantage of A in breaking the semantic security of the improved authenticated key exchange (AKE) scheme P, and Adv^RAE_A(t) be the advantage of A in breaking robust authenticated encryption (RAE) [50] in polynomial time t. To break the semantic security of the proposed scheme, A asks at most q_s Send queries, q_e Execute queries, and q_h Hash queries. Thus, we have where l_s denotes the security parameter, l_r denotes the length of the random numbers, D_PW denotes a password dictionary with a frequency distribution following Zipf's law [51], and |D_PW| denotes the size of D_PW.
Proof. A sequence of hybrid games Gm_i (i = 0, 1, 2, 3, 4, 5) is used in the proof. S_i denotes the event that the attacker correctly guesses the bit in the Test query in game Gm_i, and Pr[S_i] denotes the probability of S_i. The details of each game are described as follows.
Gm_0: this starting game is considered identical to a real attack scenario under the random oracle model. Thus, we have
Gm_1: according to the improved scheme, this game simulates the queries Test, Execute, Send, Hash, and Corrupt, and three lists L_h, L_A, and L_T are created to store the answers of the various oracles. The simulation of Gm_1 is indistinguishable from the execution of Gm_0. Thus, we have
Gm_2: in this game, we consider collisions of random oracle queries and of random numbers in protocol P. If a collision of the hash oracle or of the transcripts msg_1, msg_2, msg_3, and msg_4 occurs, the simulator aborts and lets the attacker win the game. According to the birthday paradox, the collision probability of the hash oracle is at most q_h^2 / 2^{l_s + 1}, and the collision probability of the random numbers R_1, R_2, and R_3 is (q_s + q_e)^3 / 2^{l_r + 2}. Thus, we have
Gm_3: in this game, all the oracles are simulated as in the previous game. If the attacker guesses M_1, M_3, M_6, and M_10 without making the corresponding h(·) queries, the simulation terminates. Thus, Gm_3 and Gm_2 are indistinguishable, and we have
Gm_4: in this game, we take into account both online and offline attacks performed by the attacker. The game is split into two cases: the first denotes online guessing attack, and the second denotes offline guessing attack.
Case 1. The attacker asks Corrupt(U_i^μ, 1) to guess PW_i and r_i. Two subcases are considered as follows:
Case 1.1. The attacker chooses a password from D_PW online and simulates the Send(U_i^μ, GWN^λ, msg_1) query q_s times. Thus, the collision probability is q_s / |D_PW|.
Case 1.2. We consider the situation where the attacker guesses r_i online, intentionally or accidentally; the collision probability is at most q_s / 2^{l_s}.

Case 2. To launch an offline guessing attack, the attacker asks the Corrupt(U_i^μ, 1) query along with the Corrupt(U_i^μ, 0) query, as well as Execute and Send queries. Then, the Hash oracle is queried at least q_h times, and the simulation terminates once an invalid value is returned. Thus, the collision probability is at most q_h · Adv^RAE_A(t_A).
According to the analysis of the above cases, we have
Gm_5: in this game, the attacker executes Send, Execute, and Hash oracle queries on transcripts to break strong forward security. After choosing two indices from {1, 2, ⋯, q_s + q_e}, the attacker executes a Test oracle and asks Corrupt(U_i^μ \ GWN^λ \ S_j^ν). The simulation aborts if the Test oracle cannot return the session key for the ith instance of U_i and the jth instance of S_j. Thus, we have
Considering all the games, the attacker has no advantage in guessing the correct bit b. Thus, we have
Using equations (2)-(8), the theorem is proved.

5.2. Analysis of Security Features.
This section provides an informal security analysis, which demonstrates that the proposed scheme not only overcomes the security weaknesses in Jiang et al.'s scheme but also withstands various attacks.
(1) Resistance to Stolen Mobile Device Attack. Assume that MD is acquired by the attacker and he extracts the secret data {Reg_i, A_i, C_i, D_i, m, n, h(·)} by power analysis [42] or side-channel techniques [43]. From the medical professional registration phase, we can see that If the attacker tries to guess ID_i and PW_i via Reg_i = h(h(ID_i ‖ R_i ‖ h(r_i ⊕ PW_i)) mod m), he will not succeed since R_i and r_i are sufficiently large and he cannot guess them in polynomial time according to item 4 of the adversary model in Section 3.1. Furthermore, the attacker can K), but he will also fail when he launches an offline dictionary attack on ID_i and PW_i because R_i and K are sufficiently large. Therefore, the proposal can withstand stolen mobile device attack.
(2) Resistance to Privileged Insider Attack. Suppose that a privileged insider has obtained the user's registration request {ID_i, HPW_i}, and he also gets the user's mobile device that contains secret informa- mod m), and B_i = h(ID_i ‖ R_i ‖ K). If the attacker chooses a pair (ID_i, PW_i) from D_ID × D_PW to perform an offline password guessing attack via r_i = D_i ⊕ h(h(ID_i ‖ PW_i) mod m) and HPW_i = h(r_i ⊕ PW_i), and we set |D_PW| = |D_ID| = 10^6 and m = 2^8 [51,52], there are |D_ID| · |D_PW| / m ≈ 2^32 candidate pairs (ID_i, PW_i), which prevents the attacker from determining the correct password. Moreover, if the insider attacker tries to compromise PW_i from A_i* or C_i, he will still fail since he does not know the random numbers r_i and R_i and the long-term key K. Therefore, the proposal can resist privileged insider attack.
(3) Resistance to KSSTI Attack. In our scheme, the session key SK = h(M_2 ‖ R_2 ‖ R_3) = h(h(ID_i ‖ R_1 ‖ R_i) ‖ R_2 ‖ R_3) is generated from the parameters ID_i, R_i, R_1, R_2, and R_3, which are provided by the mobile device, GWN, and the sensor, respectively.
If the attacker captures the messages msg_2 = {M_3, M_4, M_5, T_2} and msg_3 = {M_6, M_7, T_3}, we show that the proposed scheme resists KSSTI attack in three cases.
Case 1. Suppose R_2 is compromised. The attacker can clearly calculate R_3 = M_7 ⊕ h(R_2 ‖ T_3). To obtain M_2, the attacker would compute M_2 = M_4 ⊕ h(SK_GW−Sj ‖ T_2). However, the attacker knows nothing about SK_GW−Sj, SID_j, and K, so he cannot compute M_2 in this way. Thus, the attacker cannot compute the session key if R_2 is compromised.
Case 2. Suppose R_3 is compromised. To get R_2, the attacker first computes h(R_2 ‖ T_3) = M_7 ⊕ R_3 and h(ID_i ‖ R_2) = M_9 ⊕ R_3 and then mounts an offline guessing attack. However, he will be unsuccessful according to item 4 of the adversary model in Section 3.1. Moreover, he cannot compute M_2 via M_2 = M_4 ⊕ h(SK_GW−Sj ‖ T_2), as analyzed in Case 1. Thus, he cannot compute the session key SK = h(M_2 ‖ R_2 ‖ R_3).
Case 3. Suppose R_1 is compromised. In our protocol, if the attacker attempts to derive R_2 by computing R_2 = M_8 ⊕ h(ID_i ‖ R_1), he has to know the identity ID_i of the user. However, it is impossible for him to retrieve ID_i from the other components of the public messages. Thus, the attacker cannot calculate the session key if he only knows R_1.
(4) Resistance to GWN Impersonation Attack. During the protocol execution, if the attacker attempts to masquerade as GWN, he has to generate the messages {M_3, M_4, M_5, T_2} and {M_8, M_9, M_10, T_4} and transmit them to S_j and However, without knowledge of (SID_j, K, ID_i) and (R_1, R_2, R_3, SK), the attacker is unable to generate these two messages to cheat the sensor and the user. Hence, the proposal can withstand GWN impersonation attack.
(5) Resistance to Desynchronization Attack. Two conditions may lead to a desynchronization attack. First, both communicating parties store authentication data that must be updated simultaneously; if the message sent from one party to the other is intercepted by the attacker, the authentication data on one side is updated while the other side's remains unchanged. In our protocol, MD and the sensor are not required to update their authentication data simultaneously. Second, the protocol may require GWN to maintain verification tables, which exposes the server to this attack. However, our improved scheme does not require a verification table in GWN. In short, our improved scheme is free from desynchronization attack.
(6) Resistance to Sensor Impersonation Attack. In this attack, the attacker tries to generate a valid message {M_6, M_7, T_3} to cheat GWN. However, because SK_GW−Sj is carefully protected by GWN and the attacker has no knowledge of R_2 and R_3, the attacker cannot succeed in forging the message {M_6, M_7, T_3}. Therefore, the improved scheme is able to resist sensor impersonation attack.
(7) Resistance to Replay Attack and Man-in-the-Middle Attack. Generally, random nonces and timestamps are the two main techniques to prevent replay attacks in authentication protocols. In our improved scheme, if the attacker captures the login message {CID_i, M_1, T_1} and replays it to GWN, he cannot be authenticated because GWN checks the freshness of T_1 and verifies the hash value M_1, which is computed with the secret random numbers R_i and R_1 shared between the mobile device and the sensor. In addition, if the attacker generates an imitated login message with a new timestamp T_1', GWN will reject it because T_1' should be a parameter of M_1, and M_1 cannot pass the verification of GWN. Thus, the improved scheme is secure against replay attack. Moreover, without knowing (ID_i, R_i, R_1, R_2, R_3), the attacker is unable to compute the session key SK = h(M_2 ‖ R_2 ‖ R_3). Hence, the attacker will fail to pass the authentication of the sensor S_j, which means he cannot establish a valid session with S_j by retransmitting the request message of U_i. Thus, the proposal can thwart man-in-the-middle attack.
(8) Perfect Forward and Backward Secrecy. As can be seen from the login and authentication phase, the session key SK = h(M_2 ‖ R_2 ‖ R_3) = h(h(ID_i ‖ R_1 ‖ R_i) ‖ R_2 ‖ R_3) is computed by U_i and S_j, and it relies on (ID_i, R_i, R_1, R_2, R_3), where the parameters (R_i, R_1, R_2, R_3) are randomly generated and unpredictable. Even if the attacker obtains the leaked long-term key K of GWN, it is still impossible for him to calculate the session key because he has no knowledge of these random numbers provided by each communicating party, i.e., U_i, GWN, and S_j. That is to say, the improved protocol provides perfect forward and backward secrecy.
(9) Resistance to User Impersonation Attack. Assume that the attacker obtains the mobile device and extracts the secret information {Reg_i, To generate a valid login request {CID_i, M_1, T_1}, the attacker must first obtain both the password and the mobile device of the medical professional.
In particular, GWN validates the legitimacy of the medical professional by checking M_1 = h(ID_i ‖ B_i ‖ R_1 ‖ T_1), and the key to computing M_1 is the value of B_i. However, without knowledge of the parameters (ID_i, PW_i, R_i, K), the attacker cannot compute B_i, which means the attacker's legitimacy will not be corroborated by GWN. Hence, the improved scheme is secure against user impersonation attack.
(10) User Anonymity. User anonymity is extremely important in preserving the patient's privacy. Suppose that the attacker intercepts all the messages exchanged during the protocol execution; among these messages, the component CID_i = (ID_i ‖ R_1 ‖ R_i* ‖ SID_j)^2 mod n is directly related to the identity of the medical professional. However, the attacker cannot decrypt CID_i to get ID_i because he has no knowledge of n or (p, q). Besides, if the attacker attempts to mount an identity guessing attack on M_8, M_9, and M_10, respectively, where and M_10 = h(ID_i* ‖ SK' ‖ R_3 ‖ T_4), he will not succeed because the random numbers R_1, R_2, and R_3 are adequately large to prevent him from guessing them successfully. Therefore, the improved scheme is capable of preserving user anonymity.
(11) Mutual Authentication and Key Agreement. Due to the insecure nature of the wireless channel, mutual authentication has become one of the essential security features of authentication protocols. In the login and authentication phase, GWN authenticates U_i, S_j authenticates GWN, GWN authenticates S_j, and U_i authenticates GWN. Meanwhile, the shared session key SK = h(h(ID_i ‖ R_1 ‖ R_i) ‖ R_2 ‖ R_3) is generated between U_i and S_j for future secure communication after they authenticate each other successfully.

5.3. Security and Performance Comparison.
In this section, we compare the security features and performance of the improved scheme with the relevant competitive schemes [27,29,33,53,54]. Table 2 shows the comparison of security features between the improved scheme and the related ones [27,29,33,53,54]. From Table 2, it is evident that our scheme overcomes the security weaknesses of Jiang et al.'s scheme [29], while the other protocols have security vulnerabilities to a greater or lesser extent: protocols [27,29,33] suffer from user impersonation attack and cannot preserve user anonymity, protocols [53,54] are vulnerable to stolen mobile device attack, and protocol [54] cannot resist replay and privileged insider attacks. In particular, some protocols [33,53] cannot resist user impersonation attack when the mobile device is obtained by the attacker.
Table 2 legend (only partially recovered from the extraction): resisting privileged insider attack; S10: resisting man-in-the-middle attack; S11: user anonymity; S12: sensor anonymity; S13: mutual authentication and key agreement.
To facilitate the performance comparison of the login and authentication phase, we use the notation for the running times of the cryptographic operations shown in Table 3.
To compare computation cost fairly, we also provide the time cost of the various cryptographic operations as a benchmark [41,44,53] in Table 3. Additionally, we assume that the lengths of an identity, a random number, a hash value, a timestamp, an elliptic curve point, the block size of AES symmetric encryption/decryption, and a modular exponentiation are 32 bits, 128 bits, 160 bits, 32 bits, 320 bits, 128 bits [55], and 1024 bits [14], respectively. The comprehensive comparison of the improved scheme and the related schemes [27,29,33,53,54] is given in Table 4. Furthermore, the performance of the sensor node is summarized in Table 5, because energy consumption is vital to the lifetime of the sensor node. For ease of comparison, the graphs of computation cost, communication overhead, and sensor node traffic are shown in Figures 3, 4, and 5, respectively.
In Table 4, it is evident that protocol [29] is the most efficient one in terms of computation cost and communication overhead. Our improved scheme requires slightly more computation and communication than protocol [29]. However, our improved scheme is more efficient than protocols [27,33,53,54], as shown in Table 4. In particular, protocols [33,54] are the two least efficient schemes since they employ ECC, in which point multiplication needs more time than the other operations and an elliptic curve point is longer than the other message elements.
From Table 5, it can be seen that the sensor node traffic in our protocol is 864 bits, which is only slightly higher than that in [29] but much lower than in [27,33,53,54]. Therefore, the potential energy consumption of our improved scheme is kept at a manageable level for WHMS, which helps to prolong the lifetime of the sensor.
Although our scheme is not the most efficient one, it is worth noting that the security analysis and the comparison of security features in Table 2 show that our improved scheme overcomes the security risks in [27,29,33,53,54]. In a word, our improved scheme has a higher security level while its computation cost and communication overhead remain at a reasonable level for the WHMS environment.

Conclusion
To defeat the subtle security weaknesses such as KSSTI attack, privileged insider attack, and DoS attack in Jiang et al.'s protocol for WHMS, we propose an improved two-factor authenticated key agreement protocol using quadratic residues. The completeness and validity of the improved scheme are proved under the random oracle model. Additionally, we provide a security analysis to demonstrate that the improved scheme is secure against various known attacks.

Table 5 (sensor node traffic in bits; the column headers naming the compared schemes were lost in extraction, but by Section 5.3 the column with total 864 is the proposed scheme):
Receive   544   512   640   864   640   512
Send      672   320   640   352   640   352
Total    1216   832  1280  1216  1280   864