Received: 30 April 2022 Revised: 7 November 2022 Accepted: 30 November 2022
DOI: 10.1002/ett.4716
RESEARCH ARTICLE
Lightweight and efficient privacy-preserving mutual
authentication scheme to secure Internet of Things-based
smart healthcare
Sangjukta Das (1), Suyel Namasudra (2)
(1) Department of Computer Science and Engineering, National Institute of Technology Patna, Bihar, India
(2) Department of Computer Science and Engineering, National Institute of Technology Agartala, Tripura, India
Correspondence
Suyel Namasudra, Department of
Computer Science and Engineering,
National Institute of Technology Agartala,
Tripura, India.
Email: suyelnamasudra@gmail.com
Abstract
In recent years, Internet of Things (IoT) technology has been adopted in numer-
ous application areas, such as healthcare, agriculture, industrial automation,
and many more. The use of IoT and other technologies like cloud computing
and machine learning has made the modern healthcare system smart,
automated, and efficient. However, the continuous proliferation of cyber-attacks
on IoT devices has increased IoT challenges like data security, privacy pro-
tection, authentication, and so forth. In smart healthcare systems, due to the
lack of authentication protocols, attackers can undermine the availability, con-
fidentiality, and integrity of both smart healthcare devices and data, which
can be life-threatening in some situations. In this article, a privacy-preserving
mutual authentication scheme for IoT-enabled healthcare systems is proposed
to achieve lightweight and effective authentication of network devices. To sup-
port the processing capabilities of the IoT devices, this proposed authentication
scheme is designed using lightweight cryptographic primitives, namely XOR,
concatenation, and hash operation. The proposed scheme can establish a secure
session between an authorized device and a gateway, and prevent unauthorized
devices from getting access to healthcare systems. The security analysis and per-
formance analysis assess the proposed authentication technique’s effectiveness
over existing well-known schemes.
1 INTRODUCTION
The fourth industrial revolution integrates smart devices and communication networks into a single framework
to make every device smart, automated, and intelligent. With the advancement in IoT technology,
IoT-enabled healthcare, or smart healthcare has become very popular in recent times. In IoT-enabled healthcare
systems, a huge number of IoT devices or smart devices are interconnected to make a smart healthcare network,
where these devices can communicate and exchange information among themselves. This network surrounds the
patient’s body, so that the patient’s healthcare data can be collected easily, without any workforce. Here, the major
source of healthcare data is the huge number of interconnected smart devices that make the smart healthcare
network.
In an IoT-enabled healthcare system, device-collected healthcare data can be thoroughly analyzed locally or remotely
by authorized organizations to diagnose the health condition of the patient.1,2 Here, IoT, along with cloud computing and
Trans Emerging Tel Tech. 2023;e4716. wileyonlinelibrary.com/journal/ett © 2023 John Wiley & Sons, Ltd. 1 of 15
https://doi.org/10.1002/ett.4716
machine learning technology, can provide many smart applications, such as vital sign monitoring and remote patient care.
In these applications, sensors or IoT devices attached to the patient’s body collect sensitive health-related data and after
analyzing the collected data by using machine learning analytics, the required treatments are provided to the patient. For
example, a diabetic patient care application can automatically inject insulin into a patient’s body as soon as the insulin
level in the patient’s body falls below the specified level. Thus, IoT-enabled applications have many uses in the healthcare
field, such as reducing the work of healthcare providers, eliminating medical errors, improving the comfort of patients,
and many more.3 However, management and protection of the huge volume of data and the entire healthcare system are
major concerns, wherever smart healthcare networks are adopted at large scales.4,5 The messages transmitted through
the network may contain critical information related to the patient’s physical conditions and the real identity. This infor-
mation is crucial for maintaining patient’s privacy and data confidentiality.6,7 An attacker may get this information by
using traffic analysis of the healthcare network. For example, an attacker can track a patient by linking all the traffic to
a particular sensor node of that patient and launch physical attacks against this patient. Unauthorized access and mod-
ification to patients’ sensitive information may even cause the death of the patient. Here, security in terms of the CIA
triad, that is, confidentiality, integrity, and availability, plays an important role in protecting healthcare data. As a con-
sequence, it also prevents the entire infrastructure from getting breached. These aspects can be achieved by controlling
access to healthcare data and by ensuring the authentication of each communicating entity.8-10 Besides, the sensors in the
IoT network are resource-constrained in terms of computational and communicational capabilities, power, and memory.
Therefore, the security models designed for other networks may not be applied to resource-constrained IoT networks.
Here, it is worth considering that the design of security and privacy mechanisms should be low-cost and lightweight as
much as possible.11-13
As mentioned above, smart healthcare or IoT-enabled healthcare practices are going through a rapid evolution. How-
ever, due to this rapid expansion, the system administrator does not get enough time to assess all security threats present
in the network. This insecure communication network, lack of strong security mechanisms, and cyber intelligence in the
healthcare field result in cyber attacks. Many schemes are proposed in the literature in recent years for authentication
and session key generation to protect healthcare data. Most of these schemes are based on RSA, elliptic curve cryptography
(ECC), ElGamal cryptosystem, and so forth, which require high computational power. Since IoT
devices are resource-constrained, lightweight authentication schemes are suitable for them. Thus, lightweight schemes
based on simple operations, such as XOR, concatenation, hash operation, and many more, are very popular nowadays.
In References 14,15, two lightweight authentication schemes based on simple operations are proposed. Unfortunately,
these schemes are prone to many security attacks, including stolen verifier attacks, forgery attacks, replay attacks, insider
attacks, and node-capture attacks.16 In Reference 17, one biometric-based user authentication scheme is proposed, where
users can log into the system using their smart cards, which contain the user’s biometric information. In Reference 18,
another user authentication scheme with user anonymity and mutual authentication is proposed for a heterogeneous IoT
device environment. However, this scheme cannot resist security attacks, such as impersonation attacks.19 Even though
the above-mentioned mechanisms are strong and well-known, resource-constrained nodes make it difficult to implement
robust cryptographic protocols in IoT networks.20
In this study, an anonymous and lightweight mutual authentication scheme is designed to support the process-
ing capability of IoT devices and to address the privacy preservation problem faced by these devices. In this proposed
scheme, each IoT device is registered with a gateway device in the offline mode. This offline registration is performed
before the network gets operational. In the authentication phase, each registered device gets verified by the corre-
sponding gateway and a secure session is established. By using this session, the communicating entities can exchange
their data securely. Thus, only registered and authenticated devices can access system resources through a secure
channel.
The main contributions of the article are mentioned below:
1. This work presents a lightweight mutual authentication scheme for devices and gateways in IoT-enabled healthcare
infrastructure.
2. Here, the IoT device is registered with the system in an offline mode. In the operational mode, devices are not allowed
to register. This restriction safeguards the system from the attacker.
3. Moreover, only the registered devices are allowed to initiate a session after a successful authentication process.
4. The proposed work can easily resist many security attacks, namely impersonation, man-in-the-middle (MITM), replay,
and Denial of Service (DoS) attacks, and it also possesses fundamental security features, including privacy-preserving,
untraceability, and anonymity.
The entire article is structured in seven sections. In Section 2, some existing schemes related to the proposed work
are discussed. In Sections 3 and 4, the overview and construction of the proposed scheme are discussed, respectively.
The security analysis and performance analysis are provided in Sections 5 and 6, respectively. The last section, that is,
Section 7, concludes the proposed work with future works.
2 RELATED WORKS
This section reviews the works related to the proposed work of this article.
Gupta et al21 have designed a lightweight user device authentication scheme for wearable sensing devices
by using simple cryptographic operations. Here, an authentication server authenticates both gateway and sens-
ing devices, and this server also helps them to establish a secure session. The sensing devices preserve privacy
and maintain anonymity by using a masked identity. However, this scheme cannot provide protection against
many attacks, such as de-synchronization attacks, insider attacks, and offline password-guessing attacks at the
user’s end.
Jan et al22 have proposed a client-server model-based lightweight mutual authentication and secure session
generation scheme. In this scheme, IoT devices act as client systems and are registered with a server
anonymously. Later on, the client and server mutually authenticate each other before establishing a secure ses-
sion to exchange data. This scheme uses a lightweight symmetric encryption technique to transmit messages
during the registration and authentication phases. However, this scheme cannot deal with the server failure
issue.
Li et al3 have proposed another anonymous mutual authentication protocol for a centralized architecture. This scheme
provides mutual authentication between the wearable sensor device and hub node by using hash operations and XOR
operations. Along with anonymity, this scheme also provides a facility called unlinkability of transmitted data. The
security analysis of this scheme has shown that it can withstand many security attacks, such as eavesdropping attacks, replay
attacks, and sensor impersonation attacks.
Izza et al23 have proposed a user authentication and key establishment scheme. Here, when a user requests to establish
a communication channel between the user and a sensor device within the network, the system communicates with the
particular node and instructs it to execute the authentication process. Then, the authentication process begins between
the sensor device and the user via a trusted gateway device. Moreover, this scheme uses simple symmetric cryptography
to make the entire system lightweight. Unfortunately, it is prone to some cryptographic attacks and has several security
weaknesses.
Challa et al24 have designed a user authentication model by using ECC-based operation. Here, the user authentica-
tion and session establishment are executed by using the user’s signature. In this scheme, a user can communicate with
both IoT devices and other users via gateways. This scheme can resist many security attacks, such as replay, MITM, and
impersonation attacks. However, the computation cost and communication cost of this approach are extremely high due
to ECC-based operations.
Zhou et al25 have developed an authentication scheme for IoT-enabled cloud infrastructures. This is a two-factor
authentication protocol based on simple exclusive OR and hash operations. These operations make the entire system
lightweight and suitable for resource-constrained devices. However, this approach cannot provide mutual authentica-
tion between communicating entities, and it is not secure against impersonation, replay, MITM, and privileged insider
attacks.
Masud et al26 have developed an authentication scheme for IoT-enabled healthcare systems. This scheme has four
phases, namely device registration, user registration, mutual authentication between device and user, and key generation.
This lightweight scheme can establish a secure session between the user and device, and prevent unauthorized users
from accessing data or resources. However, this scheme incurs high communicational overhead during the registration
and authentication processes.
Besides the above-discussed approaches, many advanced techniques are also proposed in the literature for different
application fields, such as mobile cloud environment,27-30 fog computing,31 and vehicular ad-hoc network.32,33 However,
most of the conventional schemes do not address the processing capability of the user/IoT-edge-cloud architecture.34,35
Therefore, new techniques must be developed to match the capabilities of IoT devices, and also, should provide a strong
authentication mechanism.36-38
3 OVERVIEW OF THE SYSTEM
In this section, the system model of the proposed scheme, design goals, network model, and threat model are discussed.
3.1 System model
This subsection presents the proposed scheme’s overview containing three entities, namely IoT device (IoTD), gateway,
and central administrator (CA).
1. IoT device: The IoTD is a resource-constrained device associated with a patient’s body. It collects patients’ real-time
healthcare data and shares this data with a concerned gateway device.
2. Central administrator: The CA is the central entity in the proposed scheme. The CA is responsible for initializing
the entire system and for tracking all the registered entities of the system. It also maintains a list containing registered
devices’ details, which are used for authenticating the devices, whenever a gateway failure occurs.
3. Gateway: The gateway is not a resource-constrained device. It serves as an intermediator between the IoTD and user.
A gateway is responsible for registering every IoT device in the system.
3.2 Design goals
The proposed scheme consists of four main design goals as mentioned below:
1. Mutual authentication: Several devices and gateways can be connected to a smart healthcare network. Each device
and gateway need to authenticate each other mutually, and also, need to agree on a session key to establish a secure
communication channel.
2. Message integrity: If the healthcare data is altered by illegitimate users, it may significantly damage the entire sys-
tem, as well as can create critical concerns for patients. Therefore, a healthcare system must preserve the integrity of
healthcare data.
3. Identity anonymity: Attackers can use information related to a device’s identity for conducting impersonation
attacks and MITM attacks. Thus, it is important to keep the device’s identity anonymous, when data are being
exchanged through the network.
4. Lightweight: IoT devices have limited computation capabilities. Consequently, any security mechanism must be
developed based on lightweight cryptographic operations, such as bitwise XOR and hash operations, to support the
computation capabilities of IoT devices.
3.3 Network model
In this article, a healthcare center is considered as a case study. This healthcare center can provide different types of
facilities, such as patient care, emergency unit, dispensary, laboratory, and many other medical facilities to its clients.
For simplicity, only the entities involved in the patient care unit are discussed in this scheme. For example, this unit has
many interconnected IoT devices, which collect patient data. These devices are further connected to gateway devices to
store data in remote servers and provide remote services on demand. One gateway may have many IoT devices connected
to it within its coverage region. However, to support interoperability and flawless communication between devices and
gateways, a secure communication medium needs to be established.
3.4 Threat model
In this article, the Dolev-Yao security model is considered for security analysis.39 This model defines the capabilities of
an attacker to hack any cryptosystem by considering the following assumptions:
1. All parties involved in communication can send messages across an unprotected channel.
2. An attacker is aware of the authentication mechanism and has complete control over the public channel.
3. An attacker can capture, modify, corrupt, redirect, delete, or replay all messages sent via an insecure channel.
4. An attacker may be able to attack IoT devices physically and use a power analysis attack to capture the stored data
from memory.
5. However, an attacker cannot get any message sent through a secured channel.
4 CONSTRUCTION
This section presents the construction of the proposed scheme, which contains four main procedures, namely offline
registration, authentication, recovery from gateway failure, and mobility of a device from one gateway to another. Here,
Di and Gj represent an IoT device and a gateway, respectively, where i = {1, 2, …, I}, j = {1, 2, …, J}, and I > J.
Figure 1 illustrates the workflow of the proposed scheme and Table 1 lists all the notations used in this article.
4.1 Offline registration
Initially, both Di and Gj are unauthenticated. In order to begin communication, they need to be authenticated. Prior to
this authentication process, one offline registration phase is considered in this proposed scheme. The registration of
each Di with a concerned Gj is performed in the offline phase before the healthcare IoT network gets operational.
In this phase, each Di sends a registration request (RReq) to a gateway Gj within its range. This RReq contains Di's
identity DID (its MAC address). After receiving the request, the concerned Gj computes the device's anonymous identity
AID by performing an XOR operation between DID and a randomly chosen secret value x, and adds this AID to its registered
device list (RDevice). Then, after completing the registration process, Gj sends a registration confirmation
acknowledgment and a pre-shared key (PKi) to Di. Gj also periodically shares its updated registered device list (RUpdate)
with the CA. This list is used when a gateway failure occurs and devices need to move to other active gateways. To ensure
secure communication, all the messages in this offline phase are transmitted in encrypted form. The offline registration
phase is shown in Figure 2.
FIGURE 1 Proposed scheme’s workflow
TABLE 1 Description of notations
Notation     Description
DID          Device identity
SReq         Session initiation request
⊕, ‖         Bit-wise XOR and concatenation operators
n1, g1       Secret key values chosen by IoTD and gateway
RReq         Registration request
AID          Device's anonymous identity
RDevice      Gateway's registered device list
RUpdate      Gateway's updated registered device list
Gch          Gateway's challenge message
SHash        Hash of SReq
FIGURE 2 Offline device registration process (message flow between device, gateway, and CA; diagram not reproduced here)
4.2 Mutual authentication
The mutual authentication process begins when a device Di sends an authentication request to Gj to start a
communication session. Before starting a session, both Di and Gj need to verify and authenticate each other. This
process is executed by exchanging challenge and response messages between the device and the gateway, in both
directions. When a Di sends SReq to the concerned Gj, Gj retrieves the device's anonymous identity from SReq and
searches for a match in its device registration list (RDevice). If the device identity is not listed in the gateway's
RDevice list, then the SReq is declined by Gj. Otherwise, Di can communicate with the intended Gj by establishing a
secure session.
The SReq contains Di's AID, PKi, and a random nonce n1. On receiving SReq, Gj retrieves n1 and chooses a random
nonce g1, and calculates Gch as a challenge to Di. Then, Gj sends Gch to Di. From Gch, Di retrieves g1 and
calculates the response DRes by using g1 and n1. After receiving DRes from Di, Gj verifies the response and sends an
authentication acknowledgment to the device. Thus, the mutual authentication of the device and the concerned gateway is
completed. Here, it can be noticed that SReq, Gch, and DRes are meaningless to an intruder Ik because AID and PKi
are only known to the concerned Gj. Thus, Ik cannot retrieve any of the secret nonces used during the authentication
process.
If any SReq contains an AID that is not listed in Gj's RDevice, then that particular device is marked as an
intruder by that gateway. The entire mutual authentication process is shown in Figure 3.
FIGURE 3 Mutual authentication process between device and gateway (SReq, SHash, Gch, and DRes exchange; diagram not reproduced here)
4.3 Recovery from gateway failure
This section provides a solution to recover IoT devices from a gateway failure or from an unavailable gateway. Consider a
situation where the gateway device has failed or is unavailable. This situation may arise due to a DoS attack performed by
an attacker in many ways, such as flooding, jamming, and many more. Here, the recovery is done by identifying the
failure, and then authenticating the devices to another gateway device.
If a gateway Gj is unavailable for its clients, the CA shares Gj's list (RUpdate) with another gateway Gj+1. Gj+1 can
then authenticate all the devices registered with the failed gateway Gj. On the other side, on detecting gateway Gj's
failure, the device Di sends SReq to Gj+1. After receiving SReq, Gj+1 searches for the AID associated with SReq in its
own list (RDevice). If the AID is not present in RDevice, Gj+1 again searches for that AID in the registration list
(RUpdate) received from the CA. If the AID is present in RUpdate, Gj+1 can authenticate the device using the proposed
authentication process, as shown in Figure 4. Otherwise, Gj+1 considers that SReq is from an intruder and marks the AID
as an intruder.
4.4 Mobility of any device from one gateway to another
In the proposed scheme, a registered device Di can move from the range of one gateway Gj to another gateway Gj+1. Here,
consider a Di attached to a patient's body, which is registered and authenticated with Gj. This Di moves its position
from the range of Gj to the range of Gj+1. Then, this Di informs the corresponding Gj about its mobility. Gj cancels its
registration and authenticity by simply deleting its entry from the RDevice list. Gj also updates its RUpdate list. Next,
Di sends SReq to Gj+1 to authenticate itself. In this case, Di does not need to perform the registration process again.
Here, Gj+1 gets all the information about Di from the RUpdate list sent by the CA. On receiving SReq from Di, Gj+1
authenticates Di by performing the same procedure.
FIGURE 4 Mutual authentication process between a device and a new gateway (Gj+1) (SReq, RUpdate lookup, Gch, and DRes exchange; diagram not reproduced here)
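The four procedures of Sections 4.1 to 4.4 (offline registration, mutual authentication, recovery from gateway failure, and device mobility) as an added, runnable model in Python; this is not code from the article or its authors. The article fixes only Gch = n1 ⊕ g1 ⊕ PKi, the masking AID = DID ⊕ x, SHA-1 hashes with 128-bit parameters (Section 6.2), and timestamp checks (Section 5.1). Everything else is an assumption made for this example: n1 travels inside SReq masked with PKi, SHash is taken as H(AID ‖ PKi), the challenge tag, DRes and the session key are SHA-1 values with domain-separation labels, the timestamp window is 5 seconds, and the class, method and field names (CA, Gateway, Device, share_with, handle_sreq, and so on) are hypothetical. The demo also exercises the replayed-SReq and unregistered-AID cases that the informal analysis in Section 5.1 relies on.

```python
import hashlib
import os

WINDOW = 5.0  # assumed maximum transmission delay (seconds) for timestamp checks


def H(*parts):
    """SHA-1 over the concatenation (||) of the parts, returned as a 160-bit int."""
    h = hashlib.sha1()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big")


def rand128():
    """128-bit random value, used for nonces, pre-shared keys and the masking value x."""
    return int.from_bytes(os.urandom(16), "big")


class CA:
    """Central administrator: holds the RUpdate list each gateway shares with it."""

    def __init__(self):
        self.r_update = {}  # gateway id -> {AID: (DID, PKi, SHash)}

    def receive_update(self, gid, r_device):
        self.r_update[gid] = dict(r_device)

    def share_with(self, gid, new_gw):
        # Gateway gid failed, or a device left it: hand its RUpdate to new_gw (assumed API).
        new_gw.r_update.update(self.r_update.get(gid, {}))


class Gateway:
    def __init__(self, gid, ca):
        self.gid, self.ca, self.x = gid, ca, rand128()  # x: secret masking value
        self.r_device, self.r_update = {}, {}  # RDevice (own) / RUpdate (from the CA)
        self.pending, self.sessions, self.intruders = {}, {}, set()

    def register(self, did):
        # Offline registration; the article assumes an encrypted channel for this phase.
        aid, pk = did ^ self.x, rand128()  # AID = DID xor x, pre-shared key PKi
        self.r_device[aid] = (did, pk, H(aid, pk))  # SHash assumed to be H(AID || PKi)
        self.ca.receive_update(self.gid, self.r_device)  # periodic RUpdate, done eagerly here
        return aid, pk

    def handle_sreq(self, sreq, now):
        aid, masked_n1, t1, shash = sreq
        rec = self.r_device.get(aid) or self.r_update.get(aid)  # own list, then CA's list
        if rec is None or rec[2] != shash:  # unknown AID: mark the sender as an intruder
            self.intruders.add(aid)
            return None
        if abs(now - t1) > WINDOW:  # old timestamp: replayed SReq, drop it
            return None
        pk = rec[1]
        n1, g1 = masked_n1 ^ pk, rand128()  # only a gateway holding PKi recovers n1
        self.pending[aid] = (n1, g1)
        return (n1 ^ g1 ^ pk, H(b"ch", n1, g1, pk), now)  # Gch = n1 xor g1 xor PKi, plus tag

    def handle_dres(self, dres, now):
        aid, res, t3 = dres
        if aid not in self.pending or abs(now - t3) > WINDOW:
            return False
        n1, g1 = self.pending.pop(aid)
        pk = (self.r_device.get(aid) or self.r_update[aid])[1]
        if res != H(b"res", g1, n1, pk):
            return False
        self.sessions[aid] = H(b"sk", n1, g1, pk)  # assumed session key derivation
        return True


class Device:  # after registration it keeps only AID and PKi, never the real DID
    def register(self, gw, did):
        self.aid, self.pk = gw.register(did)
        self.shash = H(self.aid, self.pk)

    def sreq(self, now):
        self.n1 = rand128()
        return (self.aid, self.n1 ^ self.pk, now, self.shash)  # n1 masked with PKi

    def dres(self, gch_msg, now):
        gch, tag, t2 = gch_msg
        g1 = gch ^ self.n1 ^ self.pk
        if abs(now - t2) > WINDOW or tag != H(b"ch", self.n1, g1, self.pk):
            return None  # stale, or not built with our n1: not from the intended gateway
        self.sk = H(b"sk", self.n1, g1, self.pk)
        return (self.aid, H(b"res", g1, self.n1, self.pk), now)


def authenticate(dev, gw, now=0.0):
    """SReq -> Gch -> DRes exchange; True only if both ends derive the same session key."""
    gch = gw.handle_sreq(dev.sreq(now), now)
    if gch is None:
        return False
    dres = dev.dres(gch, now)
    return dres is not None and gw.handle_dres(dres, now) and gw.sessions[dev.aid] == dev.sk


def demo():
    # Normal login, rejected intruder, then recovery/mobility from G1 to G2 via the CA.
    ca = CA()
    g1, g2 = Gateway("G1", ca), Gateway("G2", ca)
    dev = Device()
    dev.register(g1, did=0x0242AC110002)  # constructed MAC-style device identity
    ok_normal = authenticate(dev, g1)
    intruder = Device()
    intruder.aid, intruder.pk, intruder.shash = rand128(), rand128(), 0  # never registered
    ok_intruder = authenticate(intruder, g1)
    ca.share_with("G1", g2)  # G1 failed (or dev left it): the CA passes G1's RUpdate to G2
    g1.r_device.pop(dev.aid)  # mobility case: G1 drops the entry; no re-registration needed
    ok_moved = authenticate(dev, g2)
    return ok_normal, ok_intruder, ok_moved, intruder.aid in g1.intruders


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

Running the file prints the four results of demo(). Note the order of checks in handle_sreq: a gateway rejects a replayed SReq on its stale timestamp and an unknown AID on the list lookup before it unmasks n1, so neither case leaks anything derived from PKi.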
5 SECURITY ANALYSIS
This section presents the security analysis of the proposed scheme to show the robustness and efficiency of this novel
scheme. At first, a few threat conditions are considered, and it is shown that the proposed scheme can withstand these
conditions.
Theorem 1. Only a registered Di can start a session with the concerned Gj by sending a SReq.
Proof. Each valid Di is assigned an AID and a PKi by the corresponding Gj during the offline registration phase. Gj stores
the device identity (DID), anonymous identity (AID), pre-shared key (PKi), and SHash in its RDevice list. Gj stores these
details for each Di registered with it. Consider that an intruder Ik attempts to initiate a session by sending a SReq to
Gj. Now, Gj verifies the authenticity of the sender by checking SHash in its RDevice list. Gj also checks SHash in the
RUpdate list received from the CA. If SHash is not found, it means that the AID is not registered with Gj, that is,
AID ∉ {AID1, AID2, …, AIDI}. Gj declines this request SReq and marks the sender as an intruder. On the other hand, if
SReq is sent by a registered Di, Gj can verify the authenticity of Di by checking the SHash in either the RDevice or the
RUpdate list. Thus, only a registered Di can establish a session with the concerned Gj. ▪
Theorem 2. Di's session initiation request SReq can only be processed by the intended Gj, not by any intruder Ik.
Proof. Di's registration details, namely DID, AID, PKi, and SHash, are stored in the corresponding Gj's RDevice list.
Here, these registration details are only known to Di and the corresponding Gj. Consider that Ik receives the SReq sent
by Di. Since Ik does not know the AID and PKi, it cannot retrieve the secret value n1 from SReq. Thus, Ik cannot compute
a valid gateway challenge message (Gch), which is calculated as {n1 ⊕ g1 ⊕ PKi} for Di. Even if Ik manages to send a
Gch message to Di, Di can confirm that the Gch message is not from the corresponding Gj because of the incorrect n1
value. However, the intended Gj can retrieve n1 from SReq by using the respective AID and PKi. So, only the intended Gj
can process SReq by computing a valid Gch message. ▪
Theorem 3. The encrypted challenge Gch and response DRes can only be decrypted by the intended Di and Gj, not by any
intruder Ik.
Proof. If any device Di or intruder Ik receives the Gch sent by Gj, it needs to have the correct PKi and n1 to decrypt
Gch. Since Ik does not know PKi, it cannot retrieve the secret value g1 from Gch. Thus, Ik cannot compute the response
message (DRes) by using the correct n1 and g1. Even if Ik tries to guess the value of PKi, the probability of success is
1/2^128. However, an intended device Di with the correct PKi and n1 can decrypt Gch within the stipulated time.
Similarly, Ik cannot decrypt the DRes sent by Di. This is because Ik does not have the correct n1 and g1, which are used
to calculate DRes. Thus, only the intended Di and Gj can decrypt the challenge Gch and the response DRes,
respectively. ▪
5.1 Informal analysis
The proposed scheme is secured against many attacks, such as eavesdropping attacks, replay attacks, DoS attacks, and
MITM attacks. In addition, it also maintains anonymity and untraceability.
Eavesdropping attack: According to the threat model considered for the proposed scheme, an adversary or intruder
Ik can obtain all the transmitted messages between all the entities. Thus, Ik may know SReq, SHash, Gch, and DRes.
Still, Ik cannot obtain the session key or any other secret value from these parameters, as Ik does not have the
pre-shared secret key PKi selected by the CA during the offline device registration phase. So, the session key used in
the proposed scheme is secured against eavesdropping attacks.
Replay attack: In replay attacks, an intruder replays previous messages to get network access. Here, if an Ik replays
previous messages, the device Di or gateway Gj gets to know that the messages are from Ik because of the embedded
timestamp. Since Ik replays an old message, the timestamp is not within the valid transmission delay range. Thus, Ik
cannot get access to the network by performing a replay attack.
Man-in-the-middle attack: In a MITM attack, intruders intercept messages transmitted between two entities and
modify these messages according to their requirements. If intruders modify these messages perfectly, the communicating
entities do not even get to know about the modification. However, in the proposed scheme, to modify the original
messages transmitted from the device or gateway, the attacker must know all the secret values and pre-shared keys of
the device. Since these parameters are not known to attackers, the MITM attack is prevented.
Denial of Service attack: In DoS attacks, an attacker sends excessive requests to the servers to get any service. By
doing this, the attacker deprives legitimate users of exchanging their data with legitimate servers. In the proposed scheme,
the pre-shared key PKi restricts an attacker from launching a DoS attack. Even if a gateway failure occurs or a gateway
Gj is unavailable due to DoS attacks or any other reason, all the registered Di of Gj can authenticate themselves with
another nearest gateway Gj+1.
Anonymity and untraceability: An attacker should not get the device’s real identity DID, and also, should not trace
device Diby eavesdropping on the communicating channel. In the proposed scheme, the device’s DID is masked by using
a secret key value x, and a corresponding anonymous identity AID is assigned to each device. Since DID is not stored
in the device's memory, Ik cannot get the real identity by performing a node capture attack. Even if the attacker gets the
parameter AID, it cannot trace the device because of the secret key value x. Thus, anonymity and untraceability properties
are maintained in the proposed scheme.
5.2 Formal analysis
This subsection gives a brief introduction to the AVISPA tool.27 AVISPA is a widely adopted push-button formal
verification tool for semi-automated formal security analysis. It verifies the security aspects of a cryptographic
protocol against some known attacks and provides the protocol's safe or unsafe status against the considered
attacks.27 This tool specifies any security model using high-level protocol specification language (HLPSL) codes. At first,
an HLPSL2IF translator transforms the code written in the HLPSL language into an intermediary form (IF). Then, this
IF is sent to one of the four back-ends of the AVISPA tool, namely tree automata based on automatic approximations for
the analysis of security protocols (TA4SP), constraint-logic-based attack searcher (CL-AtSe), SAT-based model-checker
(SATMC), and on-the-fly-model-checker (OFMC) for security analysis. The verification result provides the output con-
sisting of some fields. Here, the first field is SUMMARY, which indicates the SAFE or UNSAFE status of the security
protocol, or an INCONCLUSIVE analysis. The second field is DETAILS. It depicts the condition under which the safe or
unsafe status of the protocol is tested, and it also shows the reason for which the analysis is inconclusive. The PROTOCOL
field describes the protocol’s name in IF. Next, the GOALS field indicates the goal of the analysis conducted by AVISPA.
After that, the BACKEND field shows the back end’s name for which the protocol is analyzed. At last, the STATISTICS
field depicts the visited nodes, the depth of the nodes analyzed, search-time, and parse-time taken by the back-ends.
The HLPSL specification of the proposed protocol is analyzed by using the Security Animator for AVISPA (SPAN)
simulation tool in Ubuntu 10.10 (32-bit) operating system. The proposed scheme’s HLPSL specification describes two
roles, namely role_D for device and role_G for gateway, as depicted in Figure 5. The output of two back-ends (CL-AtSe
and OFMC) is shown in Figure 6. The SUMMARY shows that the proposed protocol is SAFE against some well-known
attacks, namely MITM, replay, and impersonation attacks. It also shows that the secrecy of the session key is satisfied.
Hence, the proposed model is suitable for practical use cases like smart agriculture, smart healthcare, banking sector, and
many more, where authentication is a major requirement.
FIGURE 5 HLPSL specification of the proposed scheme
FIGURE 6 Output summary generated by two back ends (OFMC and CL-AtSe) of the AVISPA tool
6 PERFORMANCE ANALYSIS
In this section, the performance of the proposed scheme is analyzed and compared to other existing schemes.3,21-23,40 The
performance is evaluated in terms of security features, computation cost, communication cost, and execution time.
6.1 Security feature comparison
In this subsection, the security features of the proposed scheme are compared to those of other existing schemes. To perform
the comparison, a few security attacks, namely MITM, replay, denial of service, eavesdropping, and node impersonation
attacks are considered, as shown in Table 2. It can be noticed that the device impersonation attack cannot be
resisted by the schemes of References 3,40. However, in the proposed scheme, to impersonate an authorized device
Di, an attacker needs Di’s pre-shared key (PKi). Since Ik does not have a valid PKi, it fabricates its own pre-shared key, and
the corresponding gateway does not contain this fabricated pre-shared key. Thus, the proposed scheme can resist device
impersonation attacks. Similarly, in the proposed scheme, the pre-shared key restricts an attacker from launching a DoS
attack, which cannot be resisted by most of the existing schemes.3,21,23,40 The security feature of anonymity is also
not maintained in the schemes of References 3,40, as these schemes do not use an anonymous identity when devices
authenticate themselves. However, the proposed scheme can resist all of these attacks, as discussed in Section 5.1. In addition, the
proposed scheme has a recovery feature in case any gateway failure occurs.
TABLE 2 Proposed scheme’s security features
Scheme            Forward secrecy   MITM   IoTD impersonation   Eavesdropping   DoS   Replay   Anonymity   Recovery from gateway failure
Gupta et al21     Y                 Y      Y                    Y               N     Y        Y           N
Jan et al22       Y                 Y      Y                    Y               Y     Y        Y           N
Li et al3         Y                 Y      N                    Y               N     Y        N           N
Izza et al23      Y                 Y      Y                    Y               N     Y        Y           N
Naeem et al40     Y                 Y      N                    Y               N     Y        N           N
Proposed scheme   Y                 Y      Y                    Y               Y     Y        Y           Y
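The gateway-side checks behind the impersonation, DoS and replay arguments above, as an added illustration in Python that is not the paper's protocol: the three-message hash/XOR exchange, the registration table, and the 128-bit sample values are all constructed here, while the names AID, PKi, N_d and N_g follow the paper's notation. It shows that a device presenting a fabricated pre-shared key (or an unregistered AID) is rejected because the gateway only verifies against the PKi it holds, that a replayed first message is dropped before any further work, and that the device in turn rejects a party that cannot prove knowledge of PKi.

```python
"""Why a fabricated pre-shared key fails at the gateway.

Added illustration, not the paper's protocol: the hash/XOR exchange below is
constructed only to show the checks behind the impersonation, replay and DoS
arguments. AID, PKi, N_d and N_g follow the paper's notation; sha1 mirrors its
160-bit hash parameter (sha256 would be the choice in a new design).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple


def H(*parts: bytes) -> bytes:
    """Hash of the concatenation (||) of the arguments."""
    return hashlib.sha1(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Gateway:
    """Keeps the registration table {AID: PKi} and refuses unknown keys and replays."""

    def __init__(self, table: Dict[bytes, bytes]):
        self.table = table
        self.seen: Set[Tuple[bytes, bytes]] = set()  # (AID, N_d) pairs already accepted

    def authenticate(self, aid: bytes, n_d: bytes, m1: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
        """Check message 1; return (V, M2, session key) or None when rejected."""
        pk = self.table.get(aid)
        if pk is None:                      # AID never registered: nothing to verify against
            return None
        if (aid, n_d) in self.seen:         # replayed message 1: dropped before any hashing
            return None
        if not hmac.compare_digest(m1, H(aid, pk, n_d)):
            return None                     # fabricated PKi: the table's PKi yields a different M1
        self.seen.add((aid, n_d))
        n_g = os.urandom(16)
        v = xor(n_g, H(pk, n_d)[:16])       # N_g masked with a PKi-derived value (XOR)
        m2 = H(pk, n_d, n_g)                # proves the gateway holds PKi (mutual authentication)
        return v, m2, H(pk, n_d, n_g, b"sk")


class Device:
    def __init__(self, aid: bytes, pk: bytes):
        self.aid, self.pk = aid, pk

    def start(self) -> Tuple[bytes, Tuple[bytes, bytes, bytes]]:
        """Message 1: (AID, N_d, M1 = H(AID || PKi || N_d))."""
        n_d = os.urandom(16)
        return n_d, (self.aid, n_d, H(self.aid, self.pk, n_d))

    def finish(self, n_d: bytes, v: bytes, m2: bytes) -> Optional[bytes]:
        """Unmask N_g, verify M2, derive the session key; None if the gateway fails the check."""
        n_g = xor(v, H(self.pk, n_d)[:16])
        if not hmac.compare_digest(m2, H(self.pk, n_d, n_g)):
            return None
        return H(self.pk, n_d, n_g, b"sk")


def run_session(device: Device, gateway: Gateway) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Full exchange; returns (device key, gateway key), both None when the gateway rejects."""
    n_d, msg1 = device.start()
    reply = gateway.authenticate(*msg1)
    if reply is None:
        return None, None
    v, m2, gw_key = reply
    return device.finish(n_d, v, m2), gw_key


# Constructed registration data (128-bit AID and PKi, matching the paper's parameter sizes).
AID_1 = bytes.fromhex("00112233445566778899aabbccddeeff")
PK_1 = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
FAKE_PK = bytes.fromhex("ffffffffffffffffffffffffffffffff")  # attacker's fabricated key


def demo() -> Dict[str, bool]:
    """Outcomes for a legitimate device, an impostor, an unknown AID and a replay."""
    gw = Gateway({AID_1: PK_1})
    dk, gk = run_session(Device(AID_1, PK_1), gw)
    n_d, msg1 = Device(AID_1, PK_1).start()
    first = gw.authenticate(*msg1)
    return {
        "legit_shares_key": dk is not None and dk == gk,
        "impostor_rejected": run_session(Device(AID_1, FAKE_PK), gw) == (None, None),
        "unknown_aid_rejected": run_session(Device(b"\x00" * 16, PK_1), gw) == (None, None),
        "replay_rejected": first is not None and gw.authenticate(*msg1) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The replay cache keyed on (AID, N_d) is what lets the gateway discard a repeated message before computing anything, which is the property the DoS argument relies on; the operation counts in this sketch are not those of Table 4.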
6.2 Storage requirement comparison
In the proposed scheme, the SHA-1 hash operation, which produces 160-bit output, is used for maintaining message
integrity. The size of the secret key values and identity parameters is 128 bits. Based on these parameters’ size, the total
storage cost of each entity in the proposed scheme is calculated. The proposed scheme’s storage cost in comparison to the
other existing schemes is mentioned in Table 3. Each device Di stores AID and PKi in its memory. Similarly, the gateway
and CA also store some parameters in their memory. However, as the number of registered devices increases in the system,
the storage cost of gateway and CA also increases.
6.3 Results and discussion
In this subsection, the performance of the proposed scheme is analyzed by computing computation and communication
costs, and the obtained results are also discussed.
1. Computation cost: To compute the computation cost of all the existing schemes,3,21-23 including the proposed scheme,
XOR, concatenation (||), and hash operations are used. The proposed scheme’s computation costs are computed in
terms of the number of hash and XOR operations. The number of operations performed by IoTD and gateway during
the device registration and authentication phase is shown in Table 4. This table represents a comparison of the number
of operations used in the proposed protocol and existing protocols. Here, the time taken to perform hash and XOR
operations is represented by HT and XT, respectively. It can be noted that the proposed scheme performs two hash
operations and six XOR operations in total, which is far fewer than in the other existing works.3,21-23,40 The schemes
of References 23,40 use ECC-based operations along with hash operations. This ECC-based operation is represented
by ECCT in Table 4.
TABLE 3 Proposed scheme’s storage cost in bits
Scheme            IoTD   Gateway   CA
Gupta et al21     -      -         160
Jan et al22       256    I*(256)   1792
Li et al3         512    I*(512)   480
Izza et al23      1088   320       320
Proposed scheme   256    I*(416)   416
TABLE 4 Comparison of computation cost
Scheme            IoTD      Gateway    Total
Gupta et al21     4HT+4XT   5HT+3XT    9HT+7XT
Jan et al22       2HT+2XT   2HT+2XT    4HT+4XT
Li et al3         3HT+7XT   4HT+12XT   7HT+19XT
Izza et al23      -         -          20HT+10ECCT
Naeem et al40     -         -          4HT+9ECCT
Proposed scheme   1HT+3XT   1HT+3XT    2HT+6XT
TABLE 5 Comparison of communication cost
Scheme            No. of messages exchanged   Total no. of bits
Gupta et al21     5                           3808
Jan et al22       4                           896
Li et al3         4                           4672
Izza et al23      5                           1984
Naeem et al40     3                           832
Proposed scheme   3                           544
FIGURE 7 Comparisons of execution time taken in the registration and authentication phase by (A) device and (B) gateway (series plotted: Gupta et al21, Izza et al23, Li et al3, Jan et al22, Proposed)
2. Communication cost: The communication costs of the proposed scheme and existing schemes are compared in
Table 5. The number of messages and the number of bits exchanged between the communicating entities are shown in
this table. It can be noticed that the proposed scheme exchanges far fewer messages and bits than the other
existing schemes. The proposed scheme requires only three messages for the authentication process. These messages
incur a total communication overhead of 544 bits.
Figure 7 shows the execution time taken by the device and gateway in two phases, namely the device offline registration and
authentication phases. Figure 7A,B show the execution time taken by the device and gateway, respectively, in the
registration and authentication phases. The experimental results show that one hash function takes 0.00088 ms (milliseconds)
to execute. It can be noted that the proposed scheme takes comparatively less time than the existing schemes.3,21-23 This
is because the proposed scheme uses fewer operations than the other existing schemes.
7 CONCLUSION AND FUTURE WORKS
In any IoT-enabled healthcare system, it is very important to authenticate every entity before establishing a secure session
and to maintain the device’s anonymity and untraceability. In this article, a lightweight anonymous device authentication
process for an IoT-enabled healthcare system is proposed. This scheme is designed to perform mutual authentication
between the device and gateway using lightweight symmetric cryptographic operations, namely XOR, concatenation, and
hash operations. These operations make the entire scheme very lightweight and feasible for low-resourced IoT devices.
The proposed scheme can provide all the above-mentioned services. Along with these, it can also resist cryptographic
attacks, such as man-in-the-middle, replay, denial of service, eavesdropping, and node impersonation attacks. The security
and performance analyses validate the efficiency and robustness of the proposed scheme. It is also shown that the
proposed scheme outperforms many existing schemes. The proposed scheme can be further enhanced in the future by
using machine learning approaches to detect and prevent different types of adversarial attacks. Moreover, there is a huge
scope to solve the anonymous user registration problem in the IoT-enabled healthcare infrastructure.
DATA AVAILABILITY STATEMENT
Data sharing not applicable to this article as no datasets were generated or analysed during the current study.
ORCID
Sangjukta Das https://orcid.org/0000-0002-6952-086X
Suyel Namasudra https://orcid.org/0000-0002-0191-0175
REFERENCES
1. Gao J, Nguyen TN, Manogaran G, Chaudhary A, Wang GG. Redemptive resource allocation scheme for IoT-assisted smart healthcare
systems. IEEE J Biomed Health Inform. 2022;26:4238-4247. doi:10.1109/JBHI.2022.3169961
2. Kishor A, Chakraborty C, Jeberson W. A novel fog computing approach for minimization of latency in healthcare using machine learning.
Int J Interact Multimed Artif Intell. 2020;6:7-17.
3. Li X, Ibrahim MH, Kumari S, Sangaiah AK, Gupta V, Choo KR. Anonymous mutual authentication and key agreement scheme for
wearable sensors in wireless body area networks. Comput Netw. 2017;129(2):429-443.
4. Pavithran P, Mathew S, Namasudra S, Srivastava G. A novel cryptosystem based on DNA cryptography, hyperchaotic systems and a
randomly generated Moore machine for cyber physical systems. Comput Commun. 2022;188:1-12.
5. Chen Z. Research on internet security situation awareness prediction technology based on improved RBF neural network algorithm.
J Comput Cogn Eng. 2022;1(3):103-108.
6. Das S, Namasudra S. Multi-authority CP-ABE-based access control model for IoT-enabled healthcare infrastructure. IEEE Trans Industr
Inform. 2022;19:821-829. doi:10.1109/TII.2022.3167842
7. Chakraborty A, Alam M, Dey V, Chattopadhyay A, Mukhopadhyay D. A survey on adversarial attacks and defences. CAAI Trans Intell
Technol. 2021;6(1):25-45.
8. Liu GY et al. Secure and fine-grained access control on e-healthcare records in mobile cloud computing. Future Gener Comput Syst.
2018;78:1020-1026.
9. Rizwan M, Shabbir A, Javed AR, et al. Risk monitoring strategy for confidentiality of healthcare information. Comput Electr Eng.
2022;100:1-17.
10. Gutub A. Boosting image watermarking authenticity spreading secrecy from counting-based secret-sharing. CAAI Trans Intell Technol.
2022. doi:10.1049/cit2.12093
11. Moqurrab SA, Anjum A, Tariq N, Srivastava G. Instant_Anonymity: a lightweight semantic privacy guarantee for 5g-enabled IIoT. IEEE
Trans Industr Inform. 2022;19:951-959. doi:10.1109/TII.2022.3179536
12. Sowjanya K, Dasgupta M, Ray S. A lightweight key management scheme for key-escrow-free ECC-based CP-ABE for IoT healthcare
systems. J Syst Archit. 2021;117:1-10.
13. Das S, Namasudra S. A novel hybrid encryption method to secure healthcare data in IoT-enabled healthcare infrastructure. Comput Electr
Eng. 2022;101:1-15.
14. Das ML. Two-factor user authentication in wireless sensor networks. IEEE Trans Wirel Commun. 2009;8(3):1086-1090.
15. Khan MK, Alghathbar K. Cryptanalysis and security improvements of two factor user authentication in wireless sensor networks. Sensors.
2020;10(3):2450-2459.
16. Vaidya B, Makrakis D, Mouftah HT. Improved two-factor user authentication in wireless sensor networks. Paper presented at: Proceedings
of the IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications; 2010:600-606; IEEE.
17. Li X, Niu JW, Ma J, Wang WD, Liu CL. Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using
smart cards. J Netw Comput Appl. 2011;34(1):73-79.
18. Muhamed T, Boštjan B, Marko H. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor
networks based on the internet of things notion. Ad Hoc Netw. 2014;20:96-112.
19. Chang C, Le H. A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans Wirel
Commun. 2016;15(1):357-366.
20. Das S, Namasudra S. MACPABE: multi-authority-based CP-ABE with efficient attribute revocation for IoT-enabled healthcare infrastruc-
ture. Int J Netw Manag. 2022. doi:10.1002/nem.2200
21. Gupta A, Tripathi M, Shaikh TJ, Sharma A. A lightweight anonymous user authentication and key establishment scheme for wearable
devices. Comput Netw. 2019;149:29-42.
22. Jan MA, Khan F, Khan R, et al. Lightweight mutual authentication and privacy-preservation scheme for intelligent wearable devices in
industrial-CPS. IEEE Trans Industr Inform. 2021;17(8):5829-5839.
23. Izza S, Benssalah M, Drouiche K. An enhanced scalable and secure RFID authentication protocol for WBAN within an IoT environment.
J Inf Secur Appl. 2021;58:1-15.
24. Challa S, Wazid M, Das AK, Kumar N, Reddy AG. Secure signature-based authenticated key establishment scheme for future IoT
applications. IEEE Access. 2017;5:3028-3043.
25. Zhou L, Li X, Yeh KH, Su C, Chiu W. Lightweight IoT-based authentication scheme in cloud computing circumstance. Future Gener
Comput Syst. 2019;91:244-251.
26. Masud M, Gaba GS, Choudhary K, Hossain MS, Alhamid MF, Muhammad G. Lightweight and anonymity-preserving user authentication
scheme for IoT-based healthcare. IEEE Internet Things J. 2022;9(4):2649-2656.
27. Li X, Peng J, Obaidat MS, Wu F, Khan MK, Chen C. A secure three-factor user authentication protocol with forward secrecy for wireless
medical sensor network systems. IEEE Syst J. 2019;14:39-50.
28. Koya AM, Deepthi PP. Anonymous hybrid mutual authentication and key agreement scheme for wireless body area network. Comput
Netw. 2018;140:138-151.
29. Gupta A, Tripathi M, Sharma A. A provably secure and efficient anonymous mutual authentication and key agreement protocol for
wearable devices in WBAN. Comput Commun. 2018;160:311-325.
30. Gomaa IA, Elrahman EA, Abid M. Virtual identity approaches evaluation for anonymous communication in cloud environments. Int
J Adv Comput Sci Appl. 2016;7(2):267-276.
31. Vasko FJ, Lu Y, McNally B. A simple methodology that efficiently generates all optimal spanning trees for the cable-trench problem.
J Comput Cogn Eng. 2022;1(1):13-20.
32. Namasudra S, Sharma P. Achieving a decentralized and secure cab sharing system using blockchain technology. IEEE Trans Intell Transp
Syst. 2022;1-10. doi:10.1109/TITS.2022.3186361
33. Wang F, Xu Y, Zhang H, Zhang Y, Zhu L. 2FLIP: a two-factor lightweight privacy-preserving authentication scheme for VANET. IEEE
Trans Veh Technol. 2016;65(2):896-911.
34. Wani A, RS, Khaliq R. SDN-based intrusion detection system for IoT using deep learning classifier (IDSIoT-SDL). CAAI Trans Intell
Technol. 2021;6(3):281-290.
35. Jennath H, Anoop VS, Asharaf S. Blockchain for healthcare: securing patient data and enabling trusted artificial intelligence. Int J Interact
Multimed Artif Intell. 2020;6:15-23.
36. Gao J, Wang W, Liu Z, Billah MFRM, Campbell B. Decentralized federated learning framework for the neighborhood: a case study on resi-
dential building load forecasting. Paper presented at: Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems,
Portugal; 2021:453-459; ACM.
37. Mahmood T, Ali Z. Prioritized muirhead mean aggregation operators under the complex single-valued neutrosophic settings and their
application in multi-attribute decision-making. J Comput Cogn Eng. 2022;1(2):56-73.
38. Gómez B, Mochón A. Towards blockchain intelligence. Int J Interact Multimed Artif Intell. 2022;6:4-5.
39. Dolev D, Yao A. On the security of public key protocols. IEEE Trans Inf Theory. 1983;29(2):198-208.
40. Naeem M, Chaudhry S, Mahmood K, Karuppiah M, Kumari S. A scalable and secure RFID mutual authentication protocol using ECC for
Internet of Things. Int J Commun Syst. 2019;33:13-17.
How to cite this article: Das S, Namasudra S. Lightweight and efficient privacy-preserving mutual
authentication scheme to secure Internet of Things-based smart healthcare. Trans Emerging Tel Tech. 2023;e4716.
doi: 10.1002/ett.4716