ArticlePDF Available

Securing IoT-Based Smart Healthcare Systems by Using Advanced Lightweight Privacy-Preserving Authentication Scheme

June 2023
IEEE Internet of Things Journal IP(IP):1-8

June 2023
IP(IP):1-8

DOI:10.1109/JIOT.2023.3283347

Authors:

Suyel Namasudra

National Institute of Technology, Agartala

Pablo Moreno Ger

Universidad Internacional de La Rioja

Show all 5 authorsHide

In the healthcare network, the Internet of Things (IoT) devices are connected to the network for enabling remote monitoring of patients’ health. IoT device security, however, is a serious concern because typical security measures might not be appropriate for IoT devices, making them naturally vulnerable to physical and copying attacks. Therefore, device authentication is a very essential security concern for IoT networks. Additionally, the storage and processing power of these devices are constrained. To address all these requirements, Physically Unclonable Functions (PUFs) for device authentication is a potential strategy. In this paper, an advanced lightweight authentication scheme for IoT devices is proposed by using PUF. This scheme provides robust authentication without storing any sensitive information on the device’s memory and establishes the session key exchange process simultaneously. Moreover, this scheme preserves device privacy by including a temporary identity, which is updated at the end of each session. The effectiveness of this novel model is assessed, and results demonstrate that it is more effective and secure than many existing schemes.

Content uploaded by Suyel Namasudra

Content may be subject to copyright.

Securing IoT-based Smart Healthcare Systems by

using Advanced Lightweight Privacy-Preserving

Authentication Scheme

Sangjukta Das, Member, IEEE, Suyel Namasudra, Member, IEEE, Suman Deb, Member, IEEE, Pablo Moreno Ger, and Ruben

Gonzalez Crespo, Senior Member, IEEE

Abstract—In the healthcare network, the Internet of Things

(IoT) devices are connected to the network for enabling remote

monitoring of patients’ health. IoT device security, however, is a

serious concern because typical security measures might not be

appropriate for IoT devices, making them naturally vulnerable to

physical and copying attacks. Therefore, device authentication is

a very essential security concern for IoT networks. Additionally,

the storage and processing power of these devices are

constrained. To address all these requirements, Physically

Unclonable Functions (PUFs) for device authentication is a

potential strategy. In this paper, an advanced lightweight

authentication scheme for IoT devices is proposed by using PUF.

This scheme provides robust authentication without storing any

sensitive information on the device’s memory and establishes the

session key exchange process simultaneously. Moreover, this

scheme preserves device privacy by including a temporary

identity, which is updated at the end of each session. The

effectiveness of this novel model is assessed, and results

demonstrate that it is more effective and secure than many

existing schemes.

Index Terms— Untracebility, Key Agreement, Anonymity, PUF.

I. INTRODUCTION

HE Internet of Things (IoT) has recently become one of

the most popular research topics in both industry and

academia. IoT refers to a network of objects, such as

sensors, actuators, embedded technology, and smartphones,

which are connected by Internet connections. Nowadays, IoT

devices are being used by households, workplaces, major

corporations, etc., to have network connectivity and to

exchange data. One of the numerous applications of IoT is the

smart home, which uses IoT along with machine learning

techniques to get cost-efficient solutions for energy

management with great accuracy [1]. Intelligent transportation

system is another application that uses this technology for

traffic management and sustainable transportation planning

S. Das is with the Department of Computer Science and Engineering,

National Institute of Technology Patna, Bihar, India. Email:

sangjukta24@gmail.com

S. Namasudra and S. Deb are with the Department of Computer Science

and Engineering, National Institute of Technology Agartala, Tripura, India.

Email: suyelnamasudra@gmail.com, sumandeb.cse@nita.ac.in.

P. M. Ger and R. G. Crespo are with the Universidad Internacional de La

Rioja, Logroño, Spain. Email: {pablo.moreno, ruben.gonzalez}@unir.net

[2]. IoT is also extensively being used in the healthcare

domain as well as in the agricultural domain and

environmental ecosystems for digital monitoring [3, 4].

However, connecting these devices to the cloud raises data

security risks and makes it possible for any unauthorized user to

access data available on an IoT network. The implementation of

IoT devices on a greater scale also causes many security attacks

on both physical and network levels [5]. For example, if an

attacker is able to access the devices, s/he can perform a variety

of physical attacks to learn the secrets stored in devices and

corrupt both devices and the system as a whole. IoT devices are

vulnerable to cyberattacks as they lack strong security protocols

because of their limited resources to process complex

operations. Therefore, while deploying IoT devices on a

healthcare network, it is crucial to take security and privacy

requirements and problems into account. Different facets of

security for IoT applications have been studied by researchers.

Yet, IoT devices have significant challenges in maintaining data

security and privacy due to device heterogeneity, resource-

constrained nature, etc. To solve these security issues in an IoT-

enabled healthcare network, numerous studies have designed

and deployed effective solutions based on digital certification,

access control, and authentication [6]. In [7], one lightweight

protocol for user authentication is proposed by using

cryptographic operations and biometric information. A mutual

authentication scheme is suggested in [8] for a heterogeneous

IoT environment. This scheme maintains user privacy by

providing anonymity, and it cannot resist security attacks like

impersonation attacks. Although conventional authentication

methods are considered as secure, an attacker can use a variety

of physical attacks to fraudulently capture the data stored on

an IoT device [9]. Here, a two-factor authentication system

can solve the aforementioned issues by ensuring layered

defense, thus, making it more difficult for unauthorized users

to access IoT devices [10].

In the above context, the PUF is one of the most

dependable and robust security functions used to secure IoT

devices [11]. PUFs are designed based on digital logic and

Integrated Circuits (ICs) are acknowledged as a promising

primitive for hardware security. They are hardware modules

that operate as one-way operations. It is difficult to replicate

these operations since they provide different outputs for the

same inputs [12]. The PUFs are very helpful for enhancing

security in devices that cannot support complicated

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

cryptographic operations. As a result, they are quite beneficial

in IoT networks with limited resources. The PUF can be

carefully embedded inside the IoT device to make it

unclonable and uniquely identifiable. In an area like the

healthcare sector, IoT technology is extensively being used for

both pre and post-operational monitoring, medication, and

medical alerting. Here, PUF-based security can provide

privacy and authorized access to patient data. PUF-based

authentication can support some factors, such as fingerprints

or biometrics along with generic authentication factors like

passwords and tokens [13]. In [14], a PUF-based lightweight

mutual authentication protocol is designed for IoT

applications. The authors have implemented and analyzed the

performance of this scheme in terms of energy, memory, and

power utilization. Another PUF-based mutual authentication

protocol is proposed in [15] for IoT systems. Here, the IoT

device only uses PUF and does not use secret keys for the

authentication process. However, these schemes cannot ensure

the privacy of IoT devices. To solve the privacy issue, one

two-factor lightweight authentication scheme using PUF is

proposed in [16] that preserves the privacy of IoT devices.

However, PUF-based authentication protocols are often

vulnerable to many security threats like message tampering,

mutual authentication threat, key-agreement attacks, physical

and side-channel attack, impersonation attacks, etc. Till date,

many PUF-based protocols are proposed and validated using

various logical methods to address these issues and to protect

IoT devices. As IoT devices in a healthcare system generate

critical and sensitive data, it requires security mechanisms in

order to maintain the anonymity and privacy of its user or

patients.

To address all the above-mentioned issues, a lightweight

and privacy-preserving authentication scheme for the IoT-

based healthcare environment is proposed in this paper. Here,

the pseudonym identity of each device is generated by using

random integers and PUF outputs are used for authentication

purposes. PUFs provide a distinctive hardware fingerprint to

the devices by taking advantage of the natural random changes

present in an integrated circuit. As a result, the proposed work

is anonymous and safe against user identity profiling attacks.

Below are the main contributions of this work:

1) This work presents a lightweight device authentication

scheme by using PUFs to provide security to the data in

healthcare systems.

2) It provides privacy-preserving, anonymous identity and

untraceability to the devices, and enables devices to

authenticate themselves without revealing their details.

3) Here, at the end of each communication, this protocol

updates its credentials, as well as anonymous identities,

which improves data security against cyberattacks.

The rest of the paper is organized as follows. Related works

and preliminary studies are presented in sections II and III.

Sections IV and V present the overview and the construction

of the proposed scheme, respectively. Sections VI and VII

discuss the security and performance analysis of the proposed

technique, respectively. Finally, the entire work is concluded

with future works in section VIII.

II. RELATED WORKS

In the literature, some works related to the proposed work

are proposed to authenticate and generate a session key for

protecting data. In [17], one authentication scheme is proposed

for low-power mobile devices. This scheme is susceptible to

password brute-force attacks due to the lack of fundamental

security requirements. Masud et al. [18] have proposed a

lightweight mutual authentication scheme to create a secure

channel between the device and the user. Although this secure

channel between the user and device prevents unauthorized

users from getting access to network data, this scheme cannot

resist attacks like device capture attacks. Another

authentication scheme for network nodes based on biometric

data is proposed by Koya et al. [19]. This gives better security

by combining the patient’s electrocardiogram signals with the

authentication protocol. However, this scheme faces

untraceability and key-escrow issues. This scheme is

improved by Gupta et al. [20] by including an anonymous

authentication and key agreement technique. Still, scalability

issues exist in the scheme of Gupta et al. [20] because of high

communication and computation overheads. Also, there exist

many schemes based on mutual authentication [21-23].

Many Radio Frequency Identification (RFID) systems and

wireless sensor networks use PUFs to achieve secure

authentication methods [24]. A double PUF-based RFID

identity authentication protocol is proposed by Liang et al.

[25]. This scheme is vulnerable to denial-of-service attacks

because the messages in this scheme are not authenticated.

Alladi et al. [26] have designed a mutual authentication

scheme using the Challenge Response Pair (CRP) of the PUF

for IoT-enabled healthcare systems. It is a two-phase

authentication process to increase physical security against

node tampering and node replacement attacks in the healthcare

system. However, this scheme is vulnerable to many attacks as

the CRPs are stored in the database of the device during the

registration process. Another PUF-based authentication for the

Internet of Medical Things (IoMT) is proposed by Yanambaka

et al. [27]. In this scheme, both the server and the IoMTs are

PUF-equipped and the gathered CRPs are stored in a third-

party database. However, the messages are not encrypted in

this scheme, when they are exchanged between different

entities. Due to this reason, this scheme is simple to undertake

modeling attacks. Additionally, PUF response noise correction

is not considered in this scheme. Another authentication and

key agreement technique is suggested by Wang et al. [28] to

ensure secure communication between IoT nodes. This is a

PUF-based technique that uses lightweight cryptographic

operations and the reverse fuzzy extractor to re-produce

responses correctly in a noisy environment. However, the

higher number of cryptographic processes used in this scheme

increases overall computation time. Many PUF-based

authentication schemes are also proposed by researchers that

use computationally expensive public key cryptography [29-

32]. Most of these schemes do not provide the anonymity

feature of IoT security protocol. Many other alternative mutual

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

authentication systems based on advanced technologies are

found in the literature [33-37].

III. PRELIMINARY STUDIES

A. Physical Unclonable Function

Physical Unclonable Function is an IC that can output an

arbitrary string of bits called the response from a string of bits

known as a challenge. PUF provides a unique CRP due to the

random variances during the fabrication process of ICs [38].

In a CRP,   󰇛󰇜, i.e., PUF P's response  to a challenge

 identifies a PUF. Every PUF responds uniquely to the same

challenge, indicating that each PUF is unique. However, the

output of a PUF may be impacted by environmental

conditions, including temperature and voltage. The use of

fuzzy extractors may circumvent this issue and provide robust

PUF replies suitably for security applications [39].

B. Fuzzy Extractor

The Fuzzy Extractor  generates probabilistic keys by

using two algorithms, namely key Generation (FE.Gen) and

key Reconstruction (FE.Rec) [39]. FE.Gen generates a key 

and helper data 󰇛󰇜, 󰇛 󰇜from an input bit string  as

 󰇛󰇜. FE.Rec can reconstruct  from a noisy input 

by using  as    󰇛 ata).

IV. OVERVIEW OF THE PROPOSED SCHEME

The system model and design goals of the proposed scheme

are discussed in this section.

A. System Model

The system model considered in the proposed scheme is

similar to the system model used in [40]. Here, the goal is to

create mutual authentication and direct communication between

any two communicating entities. In Fig. 1, a simplified

representation of the system model is shown. The two entities

considered in the proposed system model are IoT Device

(IoTD) and Central System (CS). Here, it is also assumed that

IoT devices have resource limitations, while the server does

not have any such limitations and the server is trusted. The

role of each entity is defined below:

1) IoT Device: An IoT device is associated with a patient’s

body, collects real-time data, and sends them to the

server via a gateway device. The device must validate its

authenticity before sending it to the CS. Here, the device

is a resource-constrained node. Through the Internet, IoT

devices interact and send data to the server. It is

considered that every device has a PUF. Any effort to

tamper with the PUF causes the device to behave

functionally differently.

2) Central System: The device shares the collected data

with the CS. The CS initializes the entire system at the

beginning and registers all other entities in the system.

The CS authenticates each device before creating a

secure channel for data exchange.

B. Design Goals

While designing the proposed scheme, a few goals are

considered, which are mentioned below:

1) Privacy Preservation: Sensitive parameters like identity-

related information can be used by attackers to carry out

impersonation attacks, Man-In-The-Middle (MITM)

attacks, or physical attacks. Thus, it is crucial to maintain

privacy, when exchanging data over a network.

2) Lightweight: IoT devices' capacities for computation are

constrained. Therefore, to support the processing

capacity of devices, any security mechanism must be

3) Message Integrity: If any malicious user changes the

healthcare data, the entire system may be compromised.

So, the integrity of healthcare data must be preserved

through some advanced and unbreakable procedures.

4) Mutual Authentication: The healthcare network has

many devices, users, and associated equipment. To

establish a secure communication channel, each device

and user must authenticate themselves with the central

server and agree on a session key.

Fig. 1. System model of the proposed scheme

TABLE I

SYMBOL DESCRIPTION

Symbol

Description





Temporary identity



Device identity

{, }

Initial CRP

󰇝, }

Additional CRP set

{ }

Random nonce

󰇛 󰇜

PUF operation

󰇛 󰇜

Hash operation



Valid time range



Current timestamp





New temporary identity



Intregrity checker for meassage 





Secret session key

, , 

Messages exchanged during registration

, , 

Messages exchanged during Authentication

V. CONSTRUCTION OF THE PROPOSED SCHEME

The proposed scheme using a PUF is presented in this

section for mutual authentication and key exchange. Along

with PUF, the fuzzy extractor is also employed in the

proposed protocol to reproduce the same keys. The proposed

scheme is constructed in four phases, namely system

initialization, device registration, authentication, and update

phase. The workflow during different phases of the proposed

IoT Device

Data Unit

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

Fig. 2. Proposed scheme’s workflow

scheme is illustrated in Fig. 2 and Table I lists the main

symbols used in this protocol.

A. System Initialization

The central server initializes the system and selects its key

values like a master key, private and public key, and other

parameters. The CS uses this master key during the device

registration process to generate temporary identities of

devices.

B. Device Registration

Initially, each device enrolls itself with the CS by

generating CRP, temporary identity, and other random values.

At the end of this process, the CS stores the primary CRP, 

 ,

and  for each device. Along with this information, the CS

stores another set of CRP to prevent an emergency situation

like DoS attacks. However, the device stores its 

 , ,

primary Challenge , and Challenge set . The device

does not store its response string corresponding to  and .

One of the most important aspects of this scheme is that the

device does not store any secrets, which prevents physical

attacks. The registration process initiated by the device is

described in the below steps. For simplicity, this process is

also shown in Fig. 3, where the messages exchanged during

this process are represented by , where   󰇝   󰇞.

Step 1: The device sends its identity  to the CS through a

registration request , which is the first message during the

registration process.

Step 2: The CS generates 

 by calculating the hash of the

string 󰇛󰇜, where  is the master key of the CS. The

CS selects  and Challenge set . Then, the CS sends the

second message  containing 

 , , and  to the device.

Step 3: The device extracts  and  from  to generate

  󰇛󰇜 and  󰇛󰇜. Finally, the device stores



 , , and , and sends the third registration-related

message  to the CS.

Step 4: On receiving the response strings corresponding to the

challenges sent through , the CS finally stores , 

 , the

primary CRP, and the additional CRP set for the device.

The device registration is an offline process, and the device

does not store  and . Both of these factors reduce the

possibility for an attacker to obtain crucial information about

the device.

Fig. 3. Device registration process

C. Authentication

In this subsection, the device authentication process is

explained in detail. To create a secure communication channel

for data transfer, the device initiates the authentication process

by sending an authentication request message. The pictorial

representation of the interaction between the device and the

central system is given in Fig. 4. In Fig. 4, the messages

exchanged during the authentication phase are represented by

, where   󰇝   󰇞. The device authentication process

is executed by the following steps.

Step 1: The IoT device takes its 

 and  from its secure

memory to generate the PUF response corresponding to  as

  󰇛󰇜. Then, it encrypts  by using  and forms a

message  󰇝

 󰇝󰇞󰇞. The integrity checker  of 

is also computed as  󰇛󰇜, where  is the

current timestamp. The device sends the authentication request

 to the server.

Step 2: The CS receives  and checks the validity of .

Then, the CS searches for the 

 in its database and takes the

R1. Registration request

R2. Challenge, Temporary Id

R3. Response

1. Device registered

IoT Device

A1. Authentication request

A2. Response parameters

A3. Confirmation

2. Device Authenticated

Device

  󰇛󰇜

 󰇛󰇜

 󰇝 󰇞

Store 

   





 󰇛



󰇜

 󰇝

   󰇞





 󰇝



󰇞







Store 



,{ 󰇞,

{ 󰇞

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

Fig. 4. Authentication process

primary CRP, i.e., {, } pair. Again, the CS checks the

integrity of the message by calculating the integrity checker

 of . If any of these validation processes are failed, the

subsequent steps are not executed and the entire process is

terminated. The CS selects random  and calculates the

message  after encrypting { } by . The CS forms

the second message  󰇝  󰇞 after computing the

integrity checker  as 󰇛󰇜 and sends it to the

device. Here, the  used in  and  is a new timestamp

selected by the CS.

Step 3: The device verifies the validity of 

. If 

 is valid, the

device obtains the random nonce  from the message  by

using , and again, checks the integrity message  by

calculating 󰇛󰇜. Then, the device calculates the

secret session key , 

 , , and . The device sends

the third authentication message  to the CS.

Step 4: After receiving , the CS, checks the validity of 

.

Then, it verifies the third integrity  by verifying  

󰇛󰇜  󰇛󰇜 and 

= 󰇛

󰇜. If

 is valid, the CS stores 

  and  of the device.

Here,  is the shared secret session key between the device

and the server. This key is valid for only this session. Once the

data exchange is completed, the session ends and  is

discarded. Thus, the mutual authentication and key agreement

processes are completed, which are also shown in Fig. 4.

D. Credential Update

To maintain the freshness assurance of the authentication

protocol [34], the server may update the related CRPs for each

device by acquiring new CRPs. The CRP updating process is

shown in Fig. 5 and the steps are discussed below:

Step 1: The server sends an update request with the new

challenge  to the device to change the current CRP. During

this phase, 

 of the device can also be updated.

Step 2: On receiving the update request , the device

calculates a new response  corresponding to  and

second update message . Then, the device sends  and 

to the CS. At this stage, the device changes the challenge

stored in its memory.

Fig. 5. Credential update phase

Step 3: On receiving  and , the CS verifies the

timestamp and recalculates . If it matches with the received

, then, the CS updates its CRP list with { 󰇞.

VI. SECURITY ANALYSIS

This section begins with briefly introducing a number of

attacks against PUF-based IoT authentication methods. Then,

the proposed protocols’ informal and formal security analyses

are presented. The robustness of the proposed scheme, i.e.

Advanced Lightweight Privacy-Preserving Authentication

(ALPAS) is assessed against some well-known attacks.

A. Formal Analysis

This section formally analyses the security of ALPAS by

using Dolev-Yao (DY) and Canetti-Krawczyk (CK) adversary

models, and their assumptions mentioned in [40]. ALPAS has

two main entities, namely Device and CS. According to the

threat model, an adversary  has capability to capture,

corrupt, alter, delete, or replay all messages sent over the

Device

Verify 



 󰇛



 󰇜

Verify 󰇛

 󰇜 

󰇝

󰇝 󰇞󰇞

 󰇛󰇜

 󰇝  󰇞





 󰇝



 󰇝



󰇞



󰇞

 󰇛

󰇜

 󰇝

   󰇞





Verify 



 󰇛



 󰇜

Verify 󰇛 󰇜 

  󰇛󰇜  󰇛󰇜



  󰇛

󰇜

 󰇛

  󰇜

 󰇝 



󰇞



Verify 



 󰇛



 󰇜

  󰇛󰇜  󰇛󰇜



  󰇛

󰇜

Verify 󰇛

  󰇜



Store 

  





, 

Data exchange by using 

Device





 󰇛



󰇜

 󰇝  󰇞

 󰇛󰇜

Store 





󰇝



󰇝



 



󰇞



󰇞

 󰇛󰇜

{,}

Verify-

 󰇛 󰇜

󰇛󰇜  

Store { 󰇞

{, }

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

communication channel.  can perform the following queries:

1) 󰇛󰇜:  can eavesdrop over the

communication channel between a device and the CS to

get all the messages exchanged by executing this query.

2) 󰇛󰇜: By executing this query,  can send

messages to a device and the CS, and can also receive a

reply from them.

3) 󰇛󰇜  can execute 󰇛󰇜 query

to capture all the parameters stored in the device and

CS’s memory. However,  can execute only a limited

number of 󰇛󰇜 query.

4) 󰇛󰇜  runs this query to reveal the secrets stored

in the device’s memory using a physical attack.

Considering  is the event, where  wins a game, then,

’s advantage to break ALPAS is 󰇛󰇜 .

If  , ALPAS is secure, where   .

Lemma 1. The output of a PUF cannot be guessed.

Proof. According to [29], a PUF cannot be replicated and it

generates unique responses. A PUF produces a response of n

bits for a challenge of m bits such that 󰇝󰇞 󰇝󰇞. A

security game between an adversary and challenger can be

performed as follows.  can send a query to the PUF using

challenge polynomial times. At first,  sends a challenge 

to .  reveals as PUF() to  and sends another

challenge  to get  as PUF(). Then, the

adversary  wins the game, if its guess response 󰆒

 for 

is the same as . This indicates ’s advantage in this game

is 

 󰇟󰆒

󰇠.  can only guess the output of a

PUF to a given challenge. Therefore, 

 

.

Lemma 2. The secrets used in ALPAS cannot be revealed

by the Reveal oracle. The temporary identities of devices also

cannot be correlated by the Reveal oracle.

Proof: In ALPAS, IoT devices do not store any secret or

sensitive data in their local memory. The device stores only its



 , , and . According to the assumptions in the threat

model [40],  cannot get  by using  or invoking the

Reveal oracle. Initially, the temporary identity 

 of a device

is calculated as 󰇛 󰇜, which is updated at each new

round. Each 

 is therefore only valid for a single session. As

a result,  cannot correlate the temporary identities unless 

is able to receive the secret response, which is impossible. In

this case, ’s advantage is 



 󰇟󰇛

  

 󰇜 

󰇠  , where  is the correlation coefficient.

Theorem 1. Mutual Authentication: This protocol can be

successfully executed between the device and the CS only if

both entities are legitimate.

Proof: By impersonating an authentic device,  can try to

establish authentication with the server. To simulate this

attack, a security game between  and  can be performed as

follows. Initially, to perform the proposed authentication with

the CS,  selects any legitimate device, namely .  can

send a polynomial number of query requests to the CS and .

 attempts to authenticate itself as a valid device to the CS. If

 successfully completes the authentication step of ALPAS,

 wins the game. If  is able to produce the third integrity

checker  󰇛

 󰇜, only then, it can properly

authenticate itself.  can try to reveal  embedded within

the . Suppose  is able to reveal 󰆒 bits of , where 󰆒

. Then, the advantage 

 󰇟󰆒

󰇠 is 

󰆓.

Therefore, ’s advantage of the successful authentication

process with the CS is 

   󰇟󰆒

󰇠 

.

However,  can only randomly guess , i.e., 󰆒  by

Lemmas 1 and 2 and  󰇟󰆒

󰇠

. So, 

 

 󰇟󰆒

󰇠 

  .

Theorem 2. Privacy: The proposed ALPAS maintains the

anonymity of the device.

Proof: The ALPAS protocol is said to be untraceable if 

cannot correlate two executions of ALPAS by the same 

with the CS. The following security game can be used to

analyze this attack. Initially, to perform the proposed scheme

with the CS,  selects two valid devices  and . can

send polynomial numbers of query requests to the CS and

devices and . Then,  selects one of the device’s

identity  randomly.  sends a query to the CS and 

polynomial times. Then,  guesses the identity . Now, if

==,  wins the game.

Here, ’s advantage of guessing  successfully can be

presented as 

    󰇛󰇟=󰇠  

󰇜. As IoTD’s



 s cannot be correlated, ’s advantage of correlating 



can be presented as 

 󰇟󰇛

  

󰇜  󰇠.

’s advantage of winning this game can be presented as



  

  

- 

  

. If 

guesses  randomly, then, s/he has no advantage. By

Lemmas 1 and 2, it can be concluded that 

  .

B. Informal Analysis

To analyze ALPAS informally, a few attack scenarios are

considered in this paper.

1) Replay Attack: Since a valid timestamp is assigned to each

transmitted message, even if an attacker replays old

messages, it cannot counterfeit the current transmitted

message. Furthermore, every parameter, including the

temporary identity of devices is updated after every new

session. As a result, replay attacks are successfully

avoided. In this context, to detect replay attacks,

maintaining the freshness of each exchanged message is an

important requirement. To fulfill this requirement, the

ALPAS uses the timestamp concept, and also, allows the

entities to use different credentials during different

sessions, which is done via the credential update phase.

2) Message Analysis Attack: In Message Analysis attacks, an

attacker tries to intercept the transmitted information

between the communication entities. Despite the

possibility of intercepting authentication communications,

in the ALPAS technique, secret keys, session keys, and

responses are private and inaccessible to an attacker. This

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

is accomplished by not keeping the transferred messages

locally, but, encrypting and hashing them.

3) DOS Attack: In DOS attacks, a device is targeted by an

attacker to temporarily or permanently interrupt its

functionality by overloading it with service requests. In

ALPAS, only two entities are present, namely CS and

IoTD. On the CS’s side, DOS attacks are unfeasible

because of the server's high computing capabilities.

Therefore, only the device is considered for this attack.

The device verifies the integrity of each message after

receiving any message. Due to the secret key contained in

each integrity checker message, the possibility of random

guessing of the hash values to pass the verification

procedure is very less. The DoS attack is therefore

impractical in ALPAS.

4) Physical Attack: In the proposed model, IoT devices do

not keep any secret or sensitive data in their local memory.

Additionally, in the system model, one assumption is that

the communication between the PUF IC and the device is

secure. Therefore, if an adversary gets a device, ALPAS is

secure against physical attacks.

C. Formal Verification

Fig. 6. Summary produced by the AVISPA tool’s two back

ends (OFMC and CL-AtSe)

In this section, the proposed protocol is simulated using the

widely used protocol security analysis and verification tool

AVISPA (Automated Validation of Internet Security Protocols

and Applications). There are four back-ends (OFMC, CL-

AtSe, SATMC, and TA4SP) integrated into AVISPA to create

a single platform for protocol verification. To define the roles

and goals of the proposed protocol, AVISPA uses the formal

language HLPSL (High-Level Protocol Specification

Language). The backends cannot directly detect HLPSL,

therefore, it is converted into Intermediate Format (IF) using

the platform’s HLPSL2IF translator. Then, the IF is directly

built and executed in backends to verify the protocol’s

security.Two different entities, namely device and central

server, are included in the proposed protocol. As a result, two

roles in AVISPA using the HLPSL specification are defined.

The role definition codes contain corresponding operations,

states, and parameters. The role of the session and

environment are also considered. Fig. 6 depicts the output of

CL-AtSe and OFMC backends. It indicates that ALPAS is

SAFE against many attacks, including MITM attacks, replay

attacks, and impersonation attacks, and the confidentiality of

the session key is maintained.

VII. PERFORMANCE ANALYSIS

The performance analysis of ALPAS is shown in this

section in comparison to the relevant protocols [15, 16, 27, 28]

in the literature. These protocols are based on some features,

such as mutual authentication and error correction. Since

SHA-2 is currently used in well-known security applications

like Transport Layer Security (TLS) and Secure Sockets Layer

(SSL), and a number of integrated circuits for commercial

security, ALPAS is implemented by using SHA-2.

Additionally, SHA-2 is easier and quicker to implement than

SHA-3 since a wider range of hardware and software is

supported by it. At first, the security properties are compared.

Then, the storage requirement, computation, and

communication complexities of ALPAS are assessed.

A. Security Feature Comparison

Table II compares ALPAS’s security properties to various

existing schemes. The schemes proposed in [27, 28] do not

provide anonymity and un-traceability properties. Similarly,

the scheme [16] does not provide resistance to reply attacks.

However, ALPAS has all of the properties mentioned in the

table.

B. Storage Requirement Comparison

The overall cost of storage of each entity in ALPAS is

determined based on the size of the parameters given in Table

III. Table IV lists the cost of storage in ALPAS along with

other existing schemes. Each device stores {

 , , } and

the CS stores 󰇝 , 

 , CRP} parameters for each device in

their memory. In Fig. 7, the total storage cost and the

individual storage costs for the CS and the device are shown.

C. Discussion on Experimental Results

In this section, the performance of ALPAS is evaluated in

terms of computational cost and communicational cost.

1) Computation Cost: The computational cost of the

authentication process of ALPAS is computed by

executing a number of operations. The performance of

ALPAS is compared with the existing schemes by

considering the same conditions and operations. The basic

operations that are used in ALPAS and other related

schemes are hash, XOR, concatenation (||), PUF, and noise

correction. For cost evaluation, only PUF and hash

operations are considered since the other operations are

comparatively very less time-consuming. Table V

represents the time taken to execute each operation by

device and server. Then, the number of operations used in

the existing protocols and the proposed scheme is

compared, which is listed in Table VI. The computation

cost comparison is graphically represented in Fig. 8. It can

be seen that ALPAS uses comparatively less operations

than the other schemes, thus, the computation cost is

10+1

. It is seen that ALPAS takes comparatively less

execution time than the other protocols.

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

TABLE II

COMPARISONS OF SECURITY FEATURES

Security Feature

Aman et al. [15]

Gope et al. [16]

Yanambaka et al. [27]

Wang et al. [28]

Proposed Scheme

Resistance to replay attack

√

Anonymity

√

Traceability

√

PUF security

√

Resistance to physical attack

√

Noise consideration in PUF

√

TABLE III

SIZE OF THE PARAMETERS

Parameter

Length in Bits

Parameter

Length in Bits

Secret keys

160

Timestamp

Hash

256

Challenge

160

Identity parameters

160

Response

160

Random nonce

160

TABLE IV

STORAGE COST COMPARISON (BITS)

Scheme

Device

[16]

1576

1792

[28]

576

480

Proposed scheme

420

1116

Fig. 7. Storage cost in bits

TABLE V

RUNTIME OF EACH OPERATIONS IN MILLISECONDS

Operation

Device

PUF

0.14ms

Hash

0.012ms

0.028ms

XOR

0.003ms

0.005ms

FE.Gen

2.7ms

Fe.Rec

4.23ms

TABLE VI

COMPARISON OF COMPUTATION COST

Scheme

Device

Total

[16]

7+2



7

14+2



[28]

7+2



7

14+2



Proposed scheme

5+1



5

10+1



2) Communication Cost: Here, the communication cost

means the total number of bits sent and received

throughout the authentication procedure. The length of

each message being delivered is determined by using Table

III, which provides the size of the parameters used in these

messages. In Table VII, the communication costs of

ALPAS and the existing schemes are compared. This table

also shows the total number of messages sent and received

by the communicating entities, namely IoT device and CS.

From Tables III and VII, it can be seen that the transmitted

bits in ALPAS are 1504 bits that are less than [16] and

[28].

Fig. 8. Computation cost in time (ms)

TABLE VII

COMPARISON OF COMMUNICATION COST

Scheme

Total no. of Messages

Total no. of Bits

[16]

1568

[28]

1568

Proposed scheme

1504

VIII. CONCLUSIONS AND FUTURE WORK

In this paper, a device-to-central server mutual

authentication and key exchange protocol has been developed

for IoT devices in healthcare systems. The proposed protocol

aims to establish a secure channel between the communicating

healthcare entities for the secure exchange of sensitive and

confidential healthcare data. Here, each device equipped with

PUF must register itself with the central server system. This

scheme eliminates the requirement to store CRPs in the

device’s local memory, which not only satisfies the resource

limitation of IoT devices, but also reduces the security risk of

device node attacks due to the accessibility to these devices.

The proposed ALPAS also creates a session key, and securely

exchanges it between the device and server at the end of each

successful authentication phase. Furthermore, it is

demonstrated that ALPAS is secure against many advanced

cyber attacks, namely replay, MITM, DoS, and impersonation

attacks. Most importantly, it resists physical attacks by using

the PUF-based authentication technique. As a future work, it is

planned to deploy this PUF-based authentication protocol with

a blockchain architecture scheme to provide security and

automation to IoT-based healthcare systems.

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

REFERENCES

[1] W. Li, T. Logenthiran, V. -T. Phan, and W. L. Woo, “A novel smart

energy theft system (SETS) for IoT-based smart home”, IEEE Internet

of Things Journal, vol. 6, no. 3, pp. 5531-5539, 2019.

[2] Z. Huang et al., “Survey on vehicle map matching techniques”, CAAI

Transactions on Intelligence Technology, vol. 6, no. 1, pp. 55-71, 2021.

[3] P. Gangwani, A. Perez-Pons, T. Bhardwaj, H. Upadhyay, S. Joshi, and

L. Lagos, “Securing Environmental IoT Data Using Masked

Authentication Messaging Protocol in a DAG-Based Blockchain: IOTA

Tangle,” Future Internet, vol. 13, no. 12, pp. 312, Dec. 2021

[4] S. Das and S. Namasudra, “Multi-authority CP-ABE-based access

control model for IoT-enabled healthcare infrastructure”, IEEE

Transactions on Industrial Informatics, vol. 19, no. 1, pp. 821-829,

2023.

[5] A. Gutub, “Boosting image watermarking authenticity spreading secrecy

from countingbased secretsharing”, CAAI Transactions on Intelligence

Technology, 2022. DOI: 10.1049/cit2.12093

[6] S. Das and S. Namasudra, “A lightweight and anonymous mutual

authentication scheme for medical big data in distributed smart

healthcare systems”, IEEE/ACM Transactions on Computational

Biology and Bioinformatics, 2022. DOI: 10.1109/TCBB.2022.3230053.

[7] X. Li, J. W. Niu, J. Ma, W. D. Wang, and C. L. Liu, “Cryptanalysis and

improvement of a biometrics-based remote user authentication scheme

using smart cards”, Journal of Network and Computer Applications, vol.

34, no. 1, pp. 73–79, 2011.

[8] T. Muhamed, B. Boštjan, and H. Marko, “A novel user authentication

and key agreement scheme for heterogeneous ad hoc wireless sensor

networks based on the internet of things notion”, Ad Hoc Networks, vol.

20, pp. 96–112, 2014.

[9] C. Chang, and H. Le, “A provably secure, efficient, and flexible

authentication scheme for ad hoc wireless sensor networks”, IEEE

Transactions on Wireless Communications, vol. 15, no. 1, pp. 357–366,

2016

[10] M. K. Khan and K. Alghathbar, “Cryptanalysis and security

improvements of twofactor user authentication in wireless sensor

networks”, Sensors, vol. 10, no. 3, pp. 2450–2459, 2020.

[11] A. Lakhan, M. A. Mohammed, J. Nedoma, R. Martinek, P. Tiwari, and

N. Kumar, “Blockchain-enabled cybersecurity efficient IIOHT cyber-

physical system for medical applications”, IEEE Transactions on

Network Science and Engineering, 2022, DOI:

10.1109/TNSE.2022.3213651

[12] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical

unclonable functions and applications: A tutorial,” Proc. IEEE, vol. 102,

no. 8, pp. 1126–1141, Aug. 2014.

[13] O. Günlü, O. İşcan, V. Sidorenko, and G. Kramer, “Code constructions

for physical u nclonable functions and biometric secrecy systems”, IEEE

Transactions on Information Forensics and Security, vol. 14, no. 11, pp.

2848-2858, 2019.

[14] M. Hossain, S. Noor, R. Hasan, HSC-IoT: A Hardware and software co-

verification based authentication scheme for internet of things, in: The

Proceedings of 2017 5th IEEE International Conference on Mobile

Cloud Computing, Services, and Engineering (MobileCloud), San

Francisco, CA, 2017, pp. 109–116,

[15] M. N. Aman, K. C. Chua, and B. Sikdar, “Mutual authentication in IoT

systems using physical unclonable functions,” IEEE Internet of Things

Journal, vol. 4, no. 5, pp. 1327–1340, 2017.

[16] P. Gope and B. Sikdar, “Lightweight and privacy-preserving two-factor

authentication scheme for IoT devices,” IEEE Internet of Things

Journal, vol. 6, no. 1, pp. 580–589, 2019

[17] X. Li, J. Peng, M. S. Obaidat, F. Wu, M. K. Khan, and C. Chen, “A

secure three-factor user authentication protocol with forward secrecy for

wireless medical sensor network systems”, IEEE Systems Journal, vol.

14, pp. 39–50, 2019.

[18] M. Masud, G. S. Gaba, K. Choudhary, M. S. Hossain, M. F. Alhamid,

and G. Muhammad, “Lightweight and anonymity-preserving user

authentication scheme for IoT-based healthcare”, IEEE Internet of

Things Journal, vol. 9, no. 4, pp. 2649-2656, 2022.

[19] A. M. Koya, and D. P. P., “Anonymous hybrid mutual authentication

and key agreement scheme for wireless body area network”, Computer

Networks, vol. 140, pp. 138–151, 2018.

[20] A. Gupta, M. Tripathi, and A. Sharma, “A provably secure and efficient

anonymous mutual authentication and key agreement protocol for

wearable devices in WBAN”, Computer Communications, vol. 160, pp.

311–325, 2018

[21] S. Das and S. Namasudra, “Lightweight and efficient privacy-preserving

mutual authentication scheme to secure Internet of Things-based smart

healthcare”, Transactions on Emerging Telecommunication Technology,

2023. DOI: 10.1002/ett.4716.

[22] Y. K. Huang, “Design of a smart cabin lighting system based on internet

of things”, Cloud Computing and Data Science, vol. 4, no. 2, pp. 112-

121, 2023.

[23] Z. Chen, “Research on internet security situation awareness prediction

technology based on improved RBF neural network algorithm”, Journal

of Computational and Cognitive Engineering, vol. 1, no. 3, pp. 103-108,

2022

[24] S. Karda¸s, S. Çelik, M. Yıldız, and A. Levi, “PUF-enhanced offline

RFID security and privacy,” Journal of Network and Computer

Applications, vol. 35, no. 6, pp. 2059–2067, 2012.

[25] W. Liang, S. Xie, J. Long, K. Li, D. Zhang, K. Li, “A double PUF-based

RFID identity authentication protocol in service-centric internet of

things environments”, Information Sciences, vol. 503, pp. 129-147,2019.

[26] T. Alladi, V. Chamola and Naren, “HARCI: A Two-Way Authentication

Protocol for Three Entity Healthcare IoT Networks”, IEEE Journal on

Selected Areas in Communications, vol. 39, no. 2, pp. 361-369, 2021.

[27] V. P. Yanambaka, S. P. Mohanty, E. Kougianos, and D. Puthal, “Pmsec:

Physical unclonable function-based robust and lightweight

authentication in the internet of medical things”, IEEE Transactions on

Consumer Electronics, vol. 65, no. 3, pp. 388–397, 2019.

[28] H. Wang, J. Meng, X. Du, T. Cao, and Y. Xie, “Lightweight and

anonymous mutual authentication protocol for edge iot nodes with

physical unclonable function,” Security and Communication Networks,

vol. 2022, 2022.

[29] U. Chatterjee, R. S. Chakraborty and D. Mukhopadhyay, “A PUF-based

secure communication protocol for IoT”, ACM Transactions on

Embedded Computing Systems, vol. 16, no. 3, pp. 1-25, 2017

[30] H. Jennath, V. S. Anoop, and S. Asharaf, “Blockchain for healthcare:

securing patient data and enabling trusted artificial intelligence”,

International Journal of Interactive Multimedia and Artificial

Intelligence, vol. 6, pp. 15-23, 2020.

[31] Kumar, and S. Chand, “A provable secure and lightweight smart

healthcare cyber-physical system with public verifiability”, IEEE

Systems Journal, 2021. DOI: 10.1109/JSYST.2021.312055.

[32] S. Khasim and S. S. Basha, “An improved fast and secure CAMEL

based authenticated key in smart health care system”, Cloud Computing

and Data Science, vol. 3, no. 2, pp. 77-91, 2022.

[33] A. Kishor, C. Chakraborty, and W. Jeberson, “A novel fog computing

approach for minimization of latency in healthcare using machine

learning”, International Journal of Interactive Multimedia and Artificial

Intelligence, vol. 6, pp. 7-17, 2020.

[34] K. Lam and D. Gollmann, “Freshness assurance of authentication

protocols”, Proceedings of the European Symposium on Research in

ComputerSecurity, pp. 261-272, 1992.

[35] A. Lakhan et al., “Restricted boltzmann machine assisted secure

serverless edge system for Internet of Medical Things”, IEEE Journal of

Biomedical and Health Informatics, vol. 27, no. 2, pp. 673-683, 2023.

[36] Y. Guo, Z. Mustafaoglu, and D. Koundal, “Spam Detection Using

Bidirectional Transformers and Machine Learning Classifier

Algorithms”, Journal of Computational and Cognitive Engineering, vol.

2, no. 1, pp. 5–9, Apr. 2022.

[37] A. Lakhan et al., “Federated-learning based privacy preservation and

fraud-enabled blockchain IoMT system for healthcare”, IEEE Journal of

Biomedical and Health Informatics, vol. 27, no. 2, pp. 664-672, 2023.

[38] Dimitrios Schinianakis. Lightweight security for the internet of things: A

soft introduction to physical unclonable functions. IEEE Potentials,

38(2):21–28, 2019.

[39] Y. Dodis, J. Katz, L. Reyzin, and A. Smith, “Robust fuzzy extractors

and authenticated key agreement from close secrets,” in Advances in

Cryptology (CRYPTO) (Lecture Notes in Computer Science), vol. 4117.

Heidelberg, Germany: Springer, 2006, pp. 232–250

[40] Y. Zheng, W. Liu, C. Gu, and C. H. Chang, “PUF-based Mutual

Authentication and Key Exchange Protocol for Peer-to-Peer IoT

Applications”, IEEE Transactions on Dependable and Secure

Computing, 2022, DOI:10.1109/TDSC.2022.3193570.

This article has been accepted for publication in IEEE Internet of Things Journal. This is the author's version which has not been fully edited and

content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2023.3283347

Authorized licensed use limited to: National Institute of Technology Patna. Downloaded on June 13,2023 at 09:34:50 UTC from IEEE Xplore. Restrictions apply.

A New PUF-Based Protocol for Mutual Authentication and Key Agreement Between Three Layers of Entities in Cloud-Based IoMT Networks

Article

Full-text available

Jan 2024

The Internet of Medical Things (IoMT) is a promising framework for expanding and improving telemedicine services. A common cloud-based IoMT architecture consists of three layers of entities, the first layer (such as smart sensors and devices), the second layer (such as gateways), and the third layer (such as cloud servers). Obviously, in these networks, the protection of sensitive information against security threats as well as authentication between the entities is a key issue. On the other hand, the devices involved in the first and second layers usually suffer from poor computational capabilities as well as a lack of physical protection, which should be considered in the design of security protocols. Recently, Alladi et al. have proposed a lightweight authentication protocol for the cloud-based IoMT that addresses these challenges, using Physically Unclonable Function (PUF). In this paper, we first provide thorough cryptanalysis of their scheme and clarify its important vulnerabilities that lead to protocol collapse. Then, we propose a new lightweight protocol based on PUF to perform strong mutual authentication and key agreement between parties in the IoMT networks. The formal (using BAN logic) and informal security analysis demonstrate that our scheme is resistant to several well-known attacks, including physical attacks. Also, our evaluation of computational cost and security features clearly shows that the proposed scheme outperforms similar schemes in security and efficiency. Another important advantage of our protocol is that it performs the authentication and key agreement process separately for each pair of layers in the three-layer cloud-based IoMT architecture.

Cybersecurity for Sustainable Smart Healthcare: State of the Art, Taxonomy, Mechanisms, and Essential Roles

Article

Full-text available

May 2024

Cutting-edge technologies have been widely employed in healthcare delivery, resulting in transformative advances and promising enhanced patient care, operational efficiency, and resource usage. However, the proliferation of networked devices and data-driven systems has created new cybersecurity threats that jeopardize the integrity, confidentiality, and availability of critical healthcare data. This review paper offers a comprehensive evaluation of the current state of cybersecurity in the context of smart healthcare, presenting a structured taxonomy of its existing cyber threats, mechanisms and essential roles. This study explored cybersecurity and smart healthcare systems (SHSs). It identified and discussed the most pressing cyber threats and attacks that SHSs face, including fake base stations, medjacking, and Sybil attacks. This study examined the security measures deployed to combat cyber threats and attacks in SHSs. These measures include cryptographic-based techniques, digital watermarking, digital steganography, and many others. Patient data protection, the prevention of data breaches, and the maintenance of SHS integrity and availability are some of the roles of cybersecurity in ensuring sustainable smart healthcare. The long-term viability of smart healthcare depends on the constant assessment of cyber risks that harm healthcare providers, patients, and professionals. This review aims to inform policymakers, healthcare practitioners, and technology stakeholders about the critical imperatives and best practices for fostering a secure and resilient smart healthcare ecosystem by synthesizing insights from multidisciplinary perspectives, such as cybersecurity, healthcare management, and sustainability research. Understanding the most recent cybersecurity measures is critical for controlling escalating cyber threats and attacks on SHSs and networks and encouraging intelligent healthcare delivery.

DeepMetaDroid: Real-Time Android Malware Detection Using Deep Learning and Metadata Features

Article

Full-text available

May 2024

The increasing prevalence of Android malware poses significant risks to mobile devices and user privacy. The traditional detection methods have limitations in keeping up with the evolving landscape of malware attacks, necessitating the development of more effective solutions. In this paper, we present DeepMetaDroid, a real-time detection approach for Android malware that leverages metadata features. By analyzing crucial metadata, including APK size, download size, permissions, certificates, and DEX files, the proposed method enables effective identification of malware and enhances mobile security. Using deep learning techniques, a lightweight Android real-time monitoring system is equipped with the trained model. These methods include long short-term memory (LSTM), gated recurrent units (GRU), convolutional neural networks (CNN), deep neural networks (DNN), and other ensemble models. Utilizing the rectified linear unit (ReLU) as the activation function, the DNN model is constructed with 32 neurons in the input layer. A one-dimensional convolutional layer with 32 neurons and a filter size of three is used as the input layer in the CNN model. The LSTM model is designed with an input layer consisting of 16 neurons. The GRU model with 32 neurons is employed in the input layer. Additionally, ensemble models that combined several architectures were developed. The proposed method offers a faster and more scalable solution for malware detection by consuming fewer resources like memory and CPU. This work ensures device security by providing real-time monitoring on Android devices to prevent users from installing malicious applications and, thus, enhance user privacy and security.

Evaluating Trust Management Frameworks for Wireless Sensor Networks

Article

Full-text available

Apr 2024
SENSORS-BASEL

Wireless Sensor Networks (WSNs) are crucial in various fields including Health Care Monitoring, Battlefield Surveillance, and Smart Agriculture. However, WSNs are susceptible to malicious attacks due to the massive quantity of sensors within them. Hence, there is a demand for a trust evaluation framework within WSNs to function as a secure system, to identify and isolate malicious or faulty sensor nodes. This information can be leveraged by neighboring nodes, to prevent collaboration in tasks like data aggregation and forwarding. While numerous trust frameworks have been suggested in the literature to assess trust scores and examine the reliability of sensors through direct and indirect communications, implementing these trust evaluation criteria is challenging due to the intricate nature of the trust evaluation process and the limited availability of datasets. This research conducts a novel comparative analysis of three trust management models: “Lightweight Trust Management based on Bayesian and Entropy (LTMBE)”, “Beta-based Trust and Reputation Evaluation System (BTRES)”, and “Lightweight and Dependable Trust System (LDTS)”. To assess the practicality of these trust management models, we compare and examine their performance in multiple scenarios. Additionally, we assess and compare how well the trust management approaches perform in response to two significant cyber-attacks. Based on the experimental comparative analysis, it can be inferred that the LTMBE model is optimal for WSN applications emphasizing high energy efficiency, while the BTRES model is most suitable for WSN applications prioritizing critical security measures. The conducted empirical comparative analysis can act as a benchmark for upcoming research on trust evaluation frameworks for WSNs.

Cost-effective Authenticated Solution (CAS) for 6G-Enabled Artificial Intelligence of Medical Things (AIoMT)

Article

Jul 2024

The Internet of Things (IoT) is a network of interconnected objects, which congregate and exchange gigantic amounts of data. Usually, pre-deployed embedded sensors sense this massive data. Soon, several applications of IoT are anticipated to exploit emerging 6G technology. Healthcare is one of them, where the 6G-inspired paradigm may facilitate the users to exchange information through hundreds of sensors under the assumption of Artificial Intelligence of Things (AIoT). Integration of medical sensors with AIoT is known as Artificial Intelligence of Medical Things (AIoMT). The secure and seamless interactions among 6G-enabled AIoMT users should be the primary challenge. Furthermore, resource-constrained wearable sensing devices, with their inability to execute complex security solutions, provide an ideal attraction for malicious entities to launch diverse attacks. These challenges have motivated us to design a cost-effective authenticated solution (CAS) for 6G-enabled AIoMT healthcare applications. Our CAS protocol not only prevents cyber threats like impersonation session key secrecy, but it can also prevent physical threats like hardware tampering. We observe formal and informal security validations to endorse its robustness and effectiveness. Performance comparison reveals that CAS protocol offers maximum security enrichment. Moreover, CAS is cost-effective as it has achieved 33% and 60% reduction in computation and communication overheads, respectively, compared to contemporary competing related protocols.

Multifactor Authentication System

Article

Mar 2024

The multifactor authentication system is a state- of-the-art solution created to improve security protocols across numerous sectors and shield confidential data from unauthorized access. Several layers of authentication are provided by this system, which makes use of cutting-edge technologies, ensuring that only people with the proper authorization can access particular resources or systems. It integrates biometric authentication, including fingerprint, facial, or iris scanning, which ups security because these biological characteristics are personal to each person. This system also uses multi-factor authentication, which combines two or more authentication factors, such as something the user is (a smart card), something they have (a password), or something they know (a password) (biometrics). This combination lessens the possibility of a single point of failure, hence enhancing security. Real-time monitoring, risk-based authentication, and behavioral biometrics are further aspects of the advanced authentication system that help to identify and stop fraudulent actions. Organizations can dramatically reduce security risks, safeguard sensitive data, and adhere to strict regulatory requirements by deploying this solution. The advancedauthentication system, in its whole, is a potent tool in the modern digital environment, protecting important assets with its strong and complex security measures. Keywords: advanced authentication system, security, biometric authentication, multi-factor authentication, real-time monitoring, risk- based authentication

A secure VM Live migration technique in a cloud computing environment using blowfish and blockchain technology

Preprint

Full-text available

Mar 2024

Data centers have proven to be the infrastructure's backbone to deliver cloud services. With the emerging paradigm of cloud computing, VM live migration is the process of migrating a running virtual machine across specific hosts with no client-visible interruption. Security, vulnerability, resource optimization, and maintaining the quality of service are many issues in live VM migration. Maintaining security in VM live migration is one of the important concerns. For creating a secure environment, this paper proposes a secure live migration technique by applying one of the cryptographic algorithms that are blowfish for generating an encryption-decryption-based system, and blockchain technology which provides a solution to address many challenges like decentralization, data privacy, and VM security to prevent from side-channel attack, and a man in the middle attacks. The algorithms namely Key Management Blowfish Encryption (KMBE), Access Control Searchable Encryption (ACSE), Protected Searchable Destination Server (PSDS), and Key Expansion Blowfish Decryption (KEBD) improve security in VM live migration in terms of various parameters like data center request servicing time, response time and data transfer cost. The proposed technique KMBE improves migration cost ($) by 60–70%, ACSE reduces overall energy consumption by 70–80%, PSDS reduces make span by 40–50% and KEBD improves the security in live VM migration by 30–40%.

Providing data security using DNA computing in the cloud computing environment

Article

Full-text available

Jan 2023

Accurate Action Recommendations and Demand Response for Smart Homes via Knowledge Graphs

Conference Paper

Mar 2024

Privacy Leakage in Federated Home Applications Using Gradient Inversion Algorithms

Conference Paper

Mar 2024

Spam Detection Using Bidirectional Transformers and Machine Learning Classifier Algorithms

Article

Full-text available

Apr 2022

Spam email has accounted for a high percentage of email traffic and has created problems worldwide. The deep learning transformer model is an efficient tool in natural language processing. This study proposed an efficient spam detection approach using a pretrained bidirectional encoder representation from transformer (BERT) and machine learning algorithms to classify ham or spam emails. Email texts were fed into the BERT, and features obtained from the BERT outputs were usedto represent the texts. Four classifier algorithms in machine learning were employed to classify the features of the text into ham or spam categories. The proposed model was tested using two public datasets in the experiments. The results of the evaluation metrics demonstrate that the logistic regression algorithm achieved the best classification performance in both datasets. They also justified the efficient ability of the proposed model in detecting spam emails.

Revisiting Shift Cipher Technique for Amplified Data Security

Article

Full-text available

Aug 2022

Ever since manual work is overtaken by technology and the rapid advancement in the technologies for performing all kinds of work online has created new possibilities for the organizations and institutions of all types. But this has also created opportunities for attackers and opponents by reducing the powers of existing controls over data sharing. All private, public and any other sectors are using the internet for sharing their data. Transmission of unencrypted data over the internet is not secure as it poses many privacy concerns as they can be easily hacked and misused by any unintended person. So, everyone is concerned about safe and secure ways of data transmission in order to avoid leak of private data, as hackers always try to chase the transmitted data and to recover it and therefore various different techniques are developed in order to make data transmission more secure. Encryption is essential to protect and prevent such lapses in the transmission of sensitive information over the internet and any other networks. In this paper, the author has worked on a better version of Caesar cipher and invented a method in which modular arithmetic is used to convert plaintext into ciphertext in order to amplify and to bolster up the security of the sensitive data or information, the author composed the decryption method in such a way that it is no way related to encryption by involving the divisibility tests and arithmetic modulo.

Research on Internet Security Situation Awareness Prediction Technology Based on Improved RBF Neural Network Algorithm

Article

Full-text available

Mar 2022

Zhihua Chen

With the increasing scale and complexity of the network, the network attack technology is also changing, such as malicious program attack, Trojan horse, distributed denial of service attack, worm, virus, web code injection, botnet, and other new network attack tools emerge in large numbers. As the core hotspot of network information security, network security situational awareness has received more and more attention. The traditional way of network security situational awareness prediction is relatively single. Usually, only one algorithm is used for perception and prediction, and its prediction accuracy is limited. To explore the application effect of intelligent learning algorithm, this study takes radial basis function (RBF) neural network as the main research object, optimizes RBF by simulated annealing (SA) algorithm and hybrid hierarchy genetic algorithm (HHGA), constructs RBF neural network prediction model based on SA–HHGA optimization, and carries out relevant experiments. The results show that the predicted situation value of the optimized RBF neural network in 15 samples is very close to the actual situation value. The neural network has good prediction effect and can provide assistance for the maintenance of network security.

Lightweight and efficient privacy‐preserving mutual authentication scheme to secure Internet of Things‐based smart healthcare

Article

Full-text available

Jan 2023

In recent years, Internet of Things (IoT) technology has been adopted in numerous application areas, such as healthcare, agriculture, industrial automation, and many more. The use of IoT and other technologies like cloud computing and machine learning has made the modern healthcare system to be smart, automated, and efficient. However, the continuous proliferation of cyber‐attacks on IoT devices has increased IoT challenges like data security, privacy protection, authentication, and so forth. In smart healthcare systems, due to the lack of authentication protocols, attackers can undermine the availability, confidentiality, and integrity of both smart healthcare devices and data, which can be life‐threatening in some situations. In this article, a privacy‐preserving mutual authentication scheme for IoT‐enabled healthcare systems is proposed to achieve lightweight and effective authentication of network devices. To support the processing capabilities of the IoT devices, this proposed authentication scheme is designed using lightweight cryptographic primitives, namely XOR, concatenation, and hash operation. The proposed scheme can establish a secure session between an authorized device and a gateway, and prevent unauthorized devices from getting access to healthcare systems. The security analysis and performance analysis assess the proposed authentication technique's effectiveness over existing well‐known schemes.

A Lightweight and Anonymous Mutual Authentication Scheme for Medical Big Data in Distributed Smart Healthcare Systems

Article

Full-text available

Dec 2022

The rapid development of Big Data technology supports the advancement of many fields like industrial automation, smart healthcare, distributed systems, and many more. Big data is large and heterogeneous data generated from different sources, such as Internet of Things (IoT) devices, weather forecasting, traffic management systems, etc. However, in a distributed smart healthcare industry, unauthorized users or devices can illegally access healthcare Big Data, as well as control the sensor or IoT-enabled devices connected to a patient's body. They can even alter patients' healthcare Big Data by inserting false and misleading data, which may even cause death to the patient. This study presents a lightweight privacy-preserving user authentication scheme to solve the above-said problems in a distributed smart healthcare system. The proposed scheme prevents unauthorized users from getting access to the healthcare system by establishing a secure session for the authorized user. Here, the password protection mechanism allows only a legitimate user to access and modify the patient's healthcare Big Data. The security strength and effectiveness of the proposed authentication scheme is evaluated in this paper, which show that it is more efficient and secure than the state-of-the-art schemes.

Aggregation operators and CRITIC‐VIKOR method for confidence complex q‐rung orthopair normal fuzzy information and their applications

Article

Full-text available

Nov 2022

Supply chain management is an essential part of an organisation's sustainable programme. Understanding the concentration of natural environment, public, and economic influence and feasibility of your suppliers and purchasers is becoming progressively familiar as all industries are moving towards a massive sustainable potential. To handle such sort of developments in supply chain management the involvement of fuzzy settings and their generalisations is playing an important role. Keeping in mind this role, the aim of this study is to analyse the role and involvement of complex q‐rung orthopair normal fuzzy (CQRONF) information in supply chain management. The major impact of this theory is to analyse the notion of confidence CQRONF weighted averaging, confidence CQRONF ordered weighted averaging, confidence CQRONF hybrid averaging, confidence CQRONF weighted geometric, confidence CQRONF ordered weighted geometric, confidence CQRONF hybrid geometric operators and try to diagnose various properties and results. Furthermore, with the help of the CRITIC and VIKOR models, we diagnosed the novel theory of the CQRONF‐CRITIC‐VIKOR model to check the sensitivity analysis of the initiated method. Moreover, in the availability of diagnosed operators, we constructed a multi‐attribute decision‐making tool for finding a beneficial sustainable supplier to handle complex dilemmas. Finally, the initiated operator's efficiency is proved by comparative analysis.

Blockchain-Enabled Cybersecurity Efficient IIOHT Cyber-Physical System for Medical Applications

Article

Full-text available

Jan 2022

Cybersecurity issues such as malware, denial of service attacks, and unauthorized access to data for different applications are growing daily. The Industrial Internet of Healthcare Things (IIoHT) has recently been a new healthcare mechanism where many healthcare applications can run on hospital servers for remote medical services. For instance, cloud medical applications offer different services remotely from home. However, the existing IIoHT mechanisms can not handle critical cybersecurity issues and incur many medical care application processing and data security costs. The processing costs associated with security and deadline are the main findings of this proposed work. This work devises a cost-efficient blockchain task scheduling (CBTS) cyber-physical system (CPS) with different heuristics. All tasks are sorted, scheduled, and stored in a secure form in the IIoHT network. The performance evaluation proves that the CBTS framework outperforms the simulation results for the IIoHT application and reduces the cost by 50% of security execution and 33% of cybersecurity data validation blockchain costs compared to existing scheduling and blockchain schemes.

PUF-Based Mutual Authentication and Key Exchange Protocol for Peer-to-Peer IoT Applications

Article

Full-text available

Jan 2022

Peer to Peer (P2P) or direct connection IoT has become increasingly popular owing to its lower latency and higher privacy compared to database-driven or server-based IoT. However, wireless vulnerabilities raise severe concerns on IoT device-to-device communication. This is further aggravated by the challenge to achieve lightweight direct mutual authentication and secure key exchange between IoT peer nodes in P2P IoT applications. Physical unclonable function (PUF) is a key enabler to lightweight, low-power and secure authentication of resource-constrained devices in IoT. Nevertheless, current PUF-enabled authentication protocols, with or without the challenge-response pairs (CRPs) of each of its interlocutors stored in the verifier's side, are incompatible for P2P IoT scenarios due to the security, storage and computing power limitations of IoT devices. To solve this problem, a new lightweight PUF-based mutual authentication and key exchange protocol is proposed. It allows two resource-constrained PUF embedded endpoint devices to authenticate each other directly without the need for local storage of CRPs or any private secrets, and simultaneously establish the session key for secure data exchange without resorting to the public-key algorithm. The proposed protocol is evaluated using the game-based formal security analysis method as well as the automatic security analysis tool ProVerif to corroborate its mutual authenticity, secrecy, and resistance against replay and man-in-the-middle (MITM) attacks. Using two Avnet Ultra96-V2 boards to emulate the two IoT endpoint devices, a physical prototype system is also constructed to demonstrate and validate the feasibility of the proposed secure P2P connection scheme. A comparative analysis shows that the proposed protocol outperforms related protocols in terms of security features, computational complexity as well as communication and storage costs.

Design of a Smart Cabin Lighting System Based on Internet of Things

Article

Apr 2023

Yuan-Ko Huang

With the rapid advancements in mobile devices and wireless network technologies, the Internet of Things (IoT) has become more powerful and popular than ever. The aim of IoT is to efficiently control various types of objects through wireless communications. This paper aims to design an IoT-based smart lighting system that reduces development costs and saves power consumption. Unlike public open spaces, the focus of this paper is on ship cabin spaces. As ship cabins have unique properties, such as requiring gas-based power generation and preferring a wireless environment, designing a smart cabin lighting system is crucial and has significant commercial value. The smart cabin lighting system is designed with four features. Firstly, it can automatically control the lighting devices around people using position-sensitive devices. Secondly, it enables setting on/off and adjusting the luminance for lighting devices through Touch Keypads. Thirdly, the system can be controlled using an app to turn on/off and adjust the luminance of lighting devices. Lastly, the lighting devices equipped with sensors collect specific data on cloud servers for analysis. The underlying communication protocol used to interconnect the smart lighting devices, sensors, and Touch Keypads is Zigbee. The smart cabin lighting system can be applied to marine lighting, thus improving the commercial value of enterprises related to marine lighting.

An Improved Fast and Secure CAMEL Based Authenticated Key in Smart Health Care System

Article

Jul 2022

Seeing as Smart Healthcare Systems provide cloud services for storing patient health records, data security and privacy are critical to the company's success, and patients do not want their identities to be revealed. The authentication procedure requires disclosing users' personal data, such as a username and password, on the authentication server in order to protect their identities. The patient's privacy may be invaded if the patient can be observed or linked to by the patient's unfortunate foes. As a result, we propose in this paper a system that gives patients anonymity, protection, and privacy of sensitive healthcare data from the Authorization Service and enemies. A camel-based rotating panel signature program was used in our proposed work to provide anonymity to health records while also adding extra security to the network layer. The effectiveness of the programs was assessed using theoretical analysis, which revealed that the program has a range of security characteristics and is resistant to multiple attacks.

Securing IoT-Based Smart Healthcare Systems by Using Advanced Lightweight Privacy-Preserving Authentication Scheme

Abstract

Recommended publications

Secure and Anonymous Three-Factor Authentication Scheme for Remote Healthcare Systems

Privacy-Preserving Blockchain-Based Healthcare System for IoT Devices using zk-SNARK

A Novel Lightweight Authentication Scheme for RFID-Based Healthcare Systems

Lightweight and privacy-preserving device-to-device authentication to enable secure transitive commu...

Lightweight and efficient privacy‐preserving mutual authentication scheme to secure Internet of Thin...

A Lightweight Authentication and Key Agreement Protocol for IoT-Based Smart Healthcare System

A Lightweight and Anonymous Mutual Authentication Scheme for Medical Big Data in Distributed Smart H...