An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System

Abstract

In recent years, with the increase in degenerative diseases and the aging population in advanced countries, demands for medical care of older or solitary people have increased continually in hospitals and healthcare institutions. Applying wireless sensor networks for the IoT-based telemedicine system enables doctors, caregivers or families to monitor patients’ physiological conditions at anytime and anyplace according to the acquired information. However, transmitting physiological data through the Internet concerns the personal privacy of patients. Therefore, before users can access medical care services in IoT-based medical care system, they must be authenticated. Typically, user authentication and data encryption are most critical for securing network communications over a public channel between two or more participants. In 2016, Liu and Chung proposed a bilinear pairing-based password authentication scheme for wireless healthcare sensor networks. They claimed their authentication scheme cannot only secure sensor data transmission, but also resist various well-known security attacks. In this paper, we demonstrate that Liu–Chung’s scheme has some security weaknesses, and we further present an improved secure authentication and data encryption scheme for the IoT-based medical care system, which can provide user anonymity and prevent the security threats of replay and password/sensed data disclosure attacks. Moreover, we modify the authentication process to reduce redundancy in protocol design, and the proposed scheme is more efficient in performance compared with previous related schemes. Finally, the proposed scheme is provably secure in the random oracle model under ECDHP.

1. Introduction

As more network technologies and smart devices have been developed, many IoT (Internet of Things) applications have been proposed, such as transportation and logistics services, healthcare services and a variety of smart environment (home, office, plant) domains. IoT is going to create a world where physical things can be seamlessly integrated into communication networks in order to provide autonomous and intelligent services for improving human beings’ life. In general, the IoT system involves three components: a sensing unit contains a large number of sensors, actuators and mobile terminals to sense physical environments; a network layer includes all network techniques with heterogeneous network configurations for data transmission; intelligent computing offers expected services or applications to IoT end users by mining and analyzing data processors.

IoT-based wireless sensor networks have been getting considerable attention from a variety of domains, such as environmental monitoring, intelligent appliances in daily living, medical care services, etc. Due to the ranking of the most common diseases in advanced countries having changed to chronic and cardiovascular diseases, the demands for medical care of such patients have increased substantially in hospitals and healthcare institutions. For the development of medical care services in hospitals and healthcare institutions, IoT-based WSNs technology is used to supplement physiological collection and measurement, enabling doctors, caregivers and families to examine the physiological conditions of patients remotely at anytime and anyplace through the Internet [1,2,3,4,5,6]. On the basis of IoT employed for medical care service in hospitals or healthcare institutions, WSNs enable sensing and collecting the physiological parameters of patients periodically, transmitting the acquired data to the authorized medical personnel, enabling professional doctors and medical personnel to monitor patients’ health conditions in real time and providing patients with appropriate medical care and medical treatment.

To apply IoT-based WSNs to medical care services successfully, ensuring the personal privacy of patients and preventing malicious network intrusion are paramount. Undoubtedly, the foundation of security is to authenticate the legitimacy of remote users and ensure the integrity of data transmissions [7,8,9,10,11,12]. In the last decade, a diversity of user authentication schemes in WSNs have been presented. In 2006, Wong et al. [13] introduced an efficient user authentication scheme for WSNs using lightweight hashing functions and XOR operations. In 2007, Tseng et al. [14] pointed out the vulnerability of Wong et al.’s scheme to replay, forgery and password guessing attacks. Furthermore, in 2008, Lee [15] showed that the computational overheads of Wong et al.’s scheme are not suitable for resource-constrained sensor nodes. In 2009, Das [16] suggested a two-factor (namely the password and smart card) authentication mechanism for WSNs, which not only prevents a series of security threats, but also achieves efficiency in terms of computational overheads. However, Huang et al. [17] and Li et al. [18] pointed out the vulnerability of Das’s scheme to off-line password guessing, user impersonation, node impersonation and unknown user attacks and that it does not provide the property of user anonymity. In 2012, Yoo et al. [19] pointed out the vulnerability of Huang et al.’s scheme to insider and parallel session attacks and that it does not provide mutual authentication between system participants. In 2013, Xue et al. [20] presented a temporal-credential-based authentication scheme for resource-constrained WSNs, and the authors claimed that their scheme provides relatively more security criteria without increasing system overheads too much in terms of communication, computation and storage. Parallel to Xue et al.’s work, in the same year, Li et al. [3] cryptanalyzed that Xue et al.’s scheme cannot withstand off-line password guessing, stolen-verifier, privileged insider, many logged-in users’ and stolen smart card attacks, and the above security threats make Xue et al.’s scheme inapplicable to practical WSN applications.

In order to design a secure and two-factor user authentication scheme for wireless healthcare sensor networks, Liu and Chung [21] in 2016 proposed a bilinear pairing-based [22] authentication scheme, and Figure 1 illustrates the comprehensive structure of the IoT-based medical care system, which could be applied in hospitals or healthcare institutions. When patients live in hospitals or healthcare institutions, they wear smart clothes in which body sensors are embedded in the piece of clothing and collect their physiological parameters (such as blood pressure, heartbeat, body pulse, electrocardiography and body temperature). Therefore, the users (such as doctors, caregivers, families and friends) in the medical care system can remotely inquire and monitor physiological information on patients with the help of trust authority. Before accessing the system, users must register with the trusted authority in person. After successful registration, the trusted authority issues a smart card to the user, and he/she can then use his/her smart card and mobile devices (such as smart phone, PDA, laptop and tablet computer) to log into the medical care system. After successful authentication, the user can access the sensed data of patients measured from sensor nodes within a limited time. Nevertheless, in this paper, we present a cryptanalysis of Liu–Chung’s authentication scheme and indicate that their scheme is susceptible to the password disclosure, replay, sensed data disclosure, sensed data forgery, off-line password guessing and stolen smart card attacks. To solve the above-mentioned security problems, we present an improved version of Liu–Chung’s authentication scheme using ECC, and we prove that the proposed scheme is secure under the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve Diffie–Hellman problem (ECDHP). In addition, by designing the mechanism of dynamic identity in the authentication process, we can build an extended scheme with user anonymity. User anonymity [23,24,25] means that a remote user’s real identity will be masked during the login session, and he/she cannot be linked or traced by any outsiders. Furthermore, the correctness of mutual authentication between participants has been proven in the random oracle model under ECDHP. Finally, the proposed scheme requires lower computational overheads compared with other ECC-based schemes, and this advantage makes our scheme more suitable and practical for IoT-based medical care systems.

The rest of the paper is organized as follows. In Section 2, a brief review of Liu–Chung’s authentication scheme is provided. In Section 3, security weaknesses developed to attack Liu–Chung’s scheme are presented. In Section 4, the improved scheme is proposed. Security and performance analyses of our proposed scheme are presented in Section 5 and Section 6, respectively. Section 7 concludes this paper.

2. Review of Liu–Chung’s Authentication Scheme

This section briefly reviews Liu–Chung’s authentication scheme [21], and their scheme consists of five phases, including: setup phase, registration phase, login phase, verification phase and access control and encryption phase. For convenience of description, the terminology and notations used in the paper are summarized as follows:

• $U_i$: The user.
• $TA$: The trusted authority.
• S: The sensor nodes deployed in hospitals and healthcare institutions.
• $I{D}_i$: The identity of $U_i$.
• $P{W}_i$: The password of $U_i$.
• $h(·)$: A one-way hash function.
• $\widehat{e}(a,b)$: The bilinear pairing function using parameter a and parameter b.
• a: A private parameter generated by $TA$.
• $T_L$: The login time of $U_i$.
• $T_{now}$: The current time.
• $T_u$: The time limit on the legal access to S by the user $U_i$.
• $\mathrm{\Delta }T$: The transmission delay.
• m: The sensed data collected from S.
• $\left|\right|$: The message concatenation.
• ⊕: The XOR operation.

2.1. Setup Phase

In this phase, the trusted authority $TA$ selects a bilinear map $\widehat{e}:G_1\times G_1\to G_2$ and $P_0\in G_1$ and generates two one-way hash functions $H_1:{\{0,1\}}^{*}\to G_2$ and $H_2:G_2\to {\{0,1\}}^{*}$, where $G_1$ is an additive cyclic group of points on an elliptic curve E over $F_p$, $G_2$ is a multiplicative cyclic group of a finite field $F_p^{*}$ and p is a large prime, such that $q|p-1$ for some great prime q. Then, $TA$ selects the secret key $S_0\in Z_q^{*}$ and publishes the parameter $P_{pub}=S_0\times P_0$.

2.2. Registration Phase

In this phase, the user registers with the trusted authority $TA$ through a secure channel to be a legal user. The details of registration phase are as follows:

Step 1:

$U_i$ registers an authenticated identity $I{D}_i$ with $TA$ and sets password $P{W}_i$.

Step 2:

$U_i$ sends $<I{D}_i,P{W}_i>$ to $TA$.

Step 3:

$TA$ computes $Q_{priv}=S_0\times U_{pub}$, where $U_{pub}=U_{priv}\times P_0$ and $U_{priv}\in Z_q^{*}$ are $U_i$’s public parameter and secret key, respectively.

Step 4:

$TA$ stores the parameters $<h(·),Q_{priv},I{D}_i,P{W}_i,a>$ in $U_i$’s smart card, where a represents a private parameter generated by $TA$ and all of the sensor nodes of $TA$ include a.

Step 5:

$TA$ issued the smart card to $U_i$.

2.3. Login Phase

In this phase, the user inserts his/her smart card into the device and inputs $I{D}_i$ and $P{W}_i$. Then, the smart card performs the following steps:

Step 1:

The smart card checks the $I{D}_i$ and $P{W}_i$ entered by $U_i$ matches those stored in the smart card. If yes, the smart card executes Step 2. Otherwise, the smart card terminates this phase.

Step 2:

The smart card computes $r=h\left(I{D}_i\right|\left|P{W}_i\right|\left|a\right)$ and $Sig=r\times Q_{priv}$.

Step 3:

The smart card sends $<Sig,r,T_L,I{D}_i>$ to $TA$ through a public channel, where $T_L$ represents $U_i$’s login time to the $TA$.

2.4. Verification Phase

When $TA$ receives the login request $<Sig,r,T_L,I{D}_i>$ from $U_i$, $TA$ authenticates $U_i$ through the following steps:

Step 1:

$TA$ checks the validity of $I{D}_i$ and verifies if $\widehat{e}(P_0,Sig)=\widehat{e}(P_{pub},r\times U_{pub})$. If yes, $TA$ approves the request of $U_i$ and executes Step 2. If no, $TA$ rejects the request of $U_i$.

Step 2:

$TA$ checks if $T_{now}-T_L<\mathrm{\Delta }T$. If yes, $TA$ executes Step 3. Otherwise, it means that the login time exceeds the transmission delay, and the login request is rejected by $TA$.

Step 3:

$TA$ generates a random number b and computes $E=h(b\oplus U_{pub})$. Then, $TA$ sends E to $U_i$ through a public channel.

Step 4:

$TA$ sends $<T_u,b,I{D}_i>$ to all of the sensor nodes S through a secure channel and notifies S that $U_i$ is legal. Note that $T_u$ represents the time limit on the legal access to sensor node data by $U_i$.

2.5. Access Control and Encryption Phase

When the user $U_i$ is authenticated as legal, $U_i$ can legally access sensed data m in S within a limited time, and $U_i$ and S perform the following steps:

Step 1:

$U_i$ inserts his/her smart card into the device and inputs $I{D}_i$ and $P{W}_i$. Then, the smart card verifies whether $I{D}_i$ and $P{W}_i$ inputted matches the data stored in the card. If yes, the smart card executes Step 2.

Step 2:

The smart card computes $C=h\left(a\right|\left|I{D}_i\right)\oplus E$.

Step 3:

The smart card sends $<C,I{D}_i,T^{\prime }>$ to S through a public channel, where $T^{\prime }$ represents a timestamp.

Step 4:

Upon receiving $<C,I{D}_i,T^{\prime }>$ from $U_i$, S verifies if $T_{now}-T^{\prime }<\mathrm{\Delta }T$ and $T_{now}=T_u$. If yes, S executes Step 4.

Step 5:

S computes $C^{\prime }=h\left(a\right||I{D}_i)\oplus h(b\oplus U_{pub})$ and checks whether $C=C^{\prime }$. If yes, the sensed data m will be transmitted, and S executes Step 5. If no, S terminates this session.

Step 6:

S computes $M=m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)$.

Step 7:

S sends M to $U_i$ through a public channel.

Step 8:

$U_i$ uses the secret parameter $Q_{priv}$ and the public parameter $P_0$ to perform the following calculation to obtain m:

$$\begin{array}{ccc}\hfill m& =& M\oplus H_2\left(\widehat{e}(Q_{priv},P_0)\right)\hfill \\ & =& m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\oplus H_2\left(\widehat{e}(Q_{priv},P_0)\right)\hfill \\ & =& m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\oplus H_2\left(\widehat{e}(S_0\times U_{pub},P_0)\right)\hfill \\ & =& m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\oplus H_2\left(\widehat{e}{(U_{pub},P_0)}^{S_0}\right)\hfill \\ & =& m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\oplus H_2\left(\widehat{e}(U_{pub},S_0\times P_0)\right)\hfill \\ & =& m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\hfill \\ & =& m\hfill \end{array}$$

Figure 2 shows the schematic of Liu–Chung’s authentication scheme for the IoT-based medical care system.

3. Weaknesses of Liu–Chung’s Authentication Scheme

In this section, we present the security weaknesses of Liu–Chung’s scheme. We show that their scheme has some security problems and that an attacker $U_a$ can mount different types of attacks on Liu–Chung’s scheme.

3.1. Password Disclosure Attacks

In real environments, the user may register with a number of remote services by using a common password $PW$ and the identity $ID$ for his/her convenience. Thus, the privileged-insider of $TA$ may try to use the knowledge of user’s $PW$ and $ID$ to access another remote services. In the registration phase of Liu–Chung’s scheme, $U_i$ registers to $TA$ by sending $(I{D}_i,P{W}_i)$. Therefore, $U_i$’s sensitive password $P{W}_i$ will be revealed by the privileged-insider of $TA$.

3.2. Replay Attacks

In the login phase of Liu–Chung’s scheme, although the transmitted login message $<Sig,r,T_L,I{D}_i>$ includes timestamp $T_L$, however, the other login parameters $<Sig,r,I{D}_i>$ of $U_i$ are unchanged. Thus, an attacker $U_a$ could replay the eavesdropped messages, such as $U_i$’s login request $<Sig,r,T_L^{\prime },I{D}_i>$ with $U_a$’s current login time $T_L^{\prime }$. Finally, $U_a$ can bypass the timestamp checking and replay attacks cannot prevented in Liu–Chung’s scheme.

3.3. Sense Data Disclosure Attacks

In the access control and encryption phase of Liu–Chung’s scheme, the sensor node S sends the encrypted sensed data M to $U_i$ through an insecure channel. Due to the public $U_{pub}$ of $U_i$ and the public $P_{pub}$ of $TA$, once an attacker $U_a$ eavesdrops the encrypted sensed data M from the public channel, $U_a$ can perform the following calculation to obtain m without knowing $Q_{priv}$:

$$\begin{array}{ccc}\hfill m& =& M\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\hfill \\ & =& m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)\hfill \\ & =& m\hfill \end{array}$$

Finally, Liu–Chung’s scheme cannot prevent sensed data disclosure attacks.

3.4. Sense Data Forgery Attacks

In the access control and encryption phase, we found that Liu–Chung’s scheme allows the attacker $U_a$ to forge a fake sensed data $m^{\prime }$ for the user $U_i$, and $U_i$ wrongly believes he/she has received the physiological conditions of the patients. The sensed data forgery attacks on Liu–Chung’s scheme are as follows:

(1)

When the sensor node S sends $M=m\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)$ to the user $U_i$, $U_a$ intercepts the message M.

(2)

$U_a$ maliciously forges a fake sensed data $m^{\prime }$ and computes $M^{\prime }=m^{\prime }\oplus H_2\left(\widehat{e}(U_{pub},P_{pub})\right)$, where $U_{pub}$ and $P_{pub}$ are public parameters of $U_i$ and $TA$, respectively. Then, $U_a$ sends $M^{\prime }$ to the user $U_i$.

(3)

Upon receiving the message $M^{\prime }$, $U_i$ uses the secret parameter $Q_{priv}$ and the public parameter $P_0$ to obtain $m^{\prime }=M^{\prime }\oplus H_2\left(\widehat{e}(Q_{priv},P_0)\right)$.

Therefore, the attacker $U_a$ can control the sensed data that occur between the user $U_i$ and the sensor nodes S.

3.5. Stolen Smart Card Attacks

Usually, the smart card of the user $U_i$ is equipped with tamper-resistant hardware. However, if $U_i$’s smart card is lost or stolen, the attacker $U_a$ may obtain all of the sensitive parameters stored in its memory by monitoring the power consumption of the smart card [26]. Assume that $U_a$ obtains the smart card of $U_i$ and extracts the parameters $<h(·),Q_{priv},I{D}_i,P{W}_i,a>$ stored inside it. $U_a$ then can make a valid login request with ease. For example, $U_a$ uses $h(·)$, $I{D}_i$, $P{W}_i$, a and $Q_{priv}$ and computes $r=h\left(I{D}_i\right|\left|P{W}_i\right|\left|a\right)$ and $Sig=r\times Q_{priv}$. Finally, $U_a$ can make a valid login request to impersonate $U_i$ by sending $<Sig,r,T_L^{\prime },I{D}_i>$ to the trusted authority $TA$, where $T_L^{\prime }$ is the current login time of $U_a$.

3.6. Off-Line Password Guessing Attacks

Since Liu–Chung’s authentication scheme is executed in the open network environment, then we assumed that an attacker $U_a$ can eavesdrop the communication channels between $U_i$ and $TA$ in the login phase. Moreover, we assumed that $U_a$ was a legitimate user in the medical care system, and he/she can extract the parameter a by launching power analysis attack [26]. Thus, $U_a$ could guess $U_i$’s password through the following steps.

(1)

$U_a$ eavesdrops the message $<Sig,r,T_L,I{D}_i>$ sent by a legal user $U_i$, where $r=h\left(I{D}_i\right|\left|P{W}_i\right|\left|a\right)$.

(2)

$U_a$ guesses a password $P{W}_a$ and computes $r_a=h(I{D}_i\left|\right|P{W}_a\left|\right|a)$ in an off-line manner.

(3)

$U_a$ checks whether $r_a$ is equal to r or not. If it is equal, $U_i$’s sensitive password is successfully guessed. Otherwise, $U_a$ repeats Steps (1) and (2) until the correct password is found.

From the above descriptions, we conclude that $U_a$ could derive $U_i$’s password through an off-line manner, and Liu–Chung’s authentication scheme could not succeed against the off-line password guessing attacks.

4. The Proposed Scheme

This section proposes the new and improved lightweight user authentication scheme for medical care tailored for the Internet of Things environment. The proposed scheme is based on Liu–Chung’s scheme; thus, it tackles and eliminates all of the previously-mentioned security problems and vulnerabilities of their scheme. As Liu–Chung’s scheme, the proposed scheme also consists of five phases: setup, registration, login, verification and access control and encryption. Figure 3 shows the schematic of our proposed scheme for the IoT-based medical care system.

4.1. Setup Phase

In this phase, the trusted authority $TA$ selects an elliptic curve E over $F_p$ and a base point $P_0$ over the E and chooses a secure one-way hashing function $h(·):{\{0,1\}}^{*}\to {\{0,1\}}^l$, where p is a large prime such that $q|p-1$ for some great prime q and l means the length of the output. In addition, $TA$ chooses the secret key $S_0\in Z_q^{*}$ and computes its public key $P_{pub}=S_0\times P_0$. Finally, $TA$ keeps $S_0$ securely and publishes $<E,q,P_0,P_{pub},h(·)>$ as system parameters.

4.2. Registration Phase

In this phase, the user registers with the trusted authority $TA$ through a secure channel to be a legal user, and the details of registration phase are as follows:

Step 1:

$U_i$ registers an authenticated identity $I{D}_i$ and password $P{W}_i$ with $TA$ and chooses a random number r for computing $R_i=h(I{D}_i\left|\right|P{W}_i\left|\right|r)$.

Step 2:

$U_i$ sends the registration request $<I{D}_i,R_i>$ to $TS$ through a secure channel.

Step 3:

$TA$ checks whether $I{D}_i$ has been registered or not. If $I{D}_i$ has not been registered, $TA$ computes $V_i=h(I{D}_i\left|\right|S_0\left|\right|a)$ and $W_i=V_i\oplus R_i$. Then, $TA$ stores the parameters $<W_i,a,E,q,P_0,P_{pub},h(·)>$ in $U_i$’s smart card and issued the smart card to $U_i$, where a represents a private parameter generated by $TA$ and all the sensor nodes of $TA$ include a.

Step 4:

$U_i$ computes $V_i=W_i\oplus h(I{D}_i\left|\right|P{W}_i\left|\right|r)$, $X_i=r\oplus h(I{D}_i\left|\right|P{W}_i)$ and $Y_i=h(V_i\left|\right|r\left|\right|h(I{D}_i\left|\right|P{W}_i\left)\right)$ and stores $<X_i,Y_i>$ into the smart card. Finally, $U_i$’s smart card contains the parameters $<Y_i,X_i,W_i,a,E,q,P_0,P_{pub},h(·)>$.

4.3. Login Phase

In this phase, the user inserts his/her smart card into the device and inputs $I{D}_i$ and $P{W}_i$. Then, the smart card executes the following steps:

Step 1:

The smart card checks the $I{D}_i$ and $P{W}_i$ entered by $U_i$ matches those stored in the smart card. First, the smart card computes $r^{\prime }=X_i\oplus h(I{D}_i\left|\right|P{W}_i)$, $V_i^{\prime }=W_i\oplus h(I{D}_i\left|\right|P{W}_i\left|\right|r^{\prime })$ and $Y_i^{\prime }=h(V_i^{\prime }\left|\right|r^{\prime }\left|\right|h(I{D}_i\left|\right|P{W}_i\left)\right)$ and verifies whether $Y_i=Y_i^{\prime }$. If it holds, the smart card executes Step 2. Otherwise, the smart card terminates this phase.

Step 2:

The smart card generates a random number $\alpha$ and computes $M_i=\alpha \times P_0$, $N_i=\alpha \times P_{pub}$, $O_i=h(I{D}_i\left|\right|V_i^{\prime }\left|\right|T_L)$ and $Q_i=h\left(N_i\right)\oplus (I{D}_i\left|\right|O_i)$ and sends $<M_i,Q_i,T_L>$ to $TA$ through a public channel, where $T_L$ represents $U_i$’s login time to the $TA$.

4.4. Verification Phase

When $TA$ receives the login request $<M_i,Q_i,T_L>$ from $U_i$, $TA$ authenticates $U_i$ through the following steps:

Step 1:

$TA$ checks if $T_{now}-T_L<\mathrm{\Delta }T$. If yes, $TA$ executes Step 2. Otherwise, it means that the login time exceeds the transmission delay, and the login request will be rejected by $TA$.

Step 2:

$TA$ computes $N_i^{\prime }=S_0\times M_i$ and $(I{D}_i\left|\right|O_i)=Q_i\oplus h\left(N_i^{\prime }\right)$ and checks if user’s $I{D}_i$ is recorded by $TA$. If yes, $TA$ executes Step 3. Otherwise, the login request is denied by $TA$.

Step 3:

$TA$ goes on to compute $V_i=h(I{D}_i\left|\right|S_0\left|\right|a)$ by using the identity $I{D}_i$ and checks that the decrypted $O_i$ is the same as computed $O_i^{\prime }=h(I{D}_i\left|\right|V_i\left|\right|T_L)$. If no, the session is aborted by $TA$. Otherwise, $TA$ computes $E=h(b\oplus TI{D}_i)$ and $RM=h\left(N_i^{\prime }\right)\oplus (I{D}_i\left|\right|TI{D}_i\left|\right|T_u\left|\right|E)$ sends the response message $<RM>$ to $U_i$ through a public channel, where b represents a random number and $TI{D}_i$ represents a temporary identity for the user $U_i$.

Step 4:

$TA$ sends $<T_u,b,TI{D}_i>$ to all of the sensor nodes S via a secure channel and notifies S that the temporary identity $TI{D}_i$ is legal in the next access control and encryption phase.

Step 5:

When $U_i$ receives $<RM>$ from $TA$, $U_i$ authenticates $TA$ by computing $(I{D}_i\left|\right|TI{D}_i\left|\right|T_u\left|\right|E)=h\left(N_i\right)\oplus RM$ and checks that the decrypted $I{D}_i$ is involved in $RM$ or not. If yes, $U_i$ confirms that $TA$ is legal and the parameters $TI{D}_i$, $T_u$ and E will be used in access control and encryption phase. Otherwise, $U_i$ ends this session. Note that $TI{D}_i$ and E must be kept secret by $U_i$ and temporarily stored into $U_i$’s smart card until the end of the access control and encryption phase.

4.5. Access Control and Encryption Phase

When the user $U_i$ is authenticated as legal, $U_i$ can legally access sensed data m in S within a permitted time $T_u$, and $U_i$ and S perform the following steps:

Step 1:

In this step, the executed operations are the same as Step 1 of the login phase.

Step 2:

The smart card calculates $C=h\left(a\right|\left|TI{D}_i\right|\left|T^{\prime }\right)\oplus h\left(E\right)$ and sends $<C,TI{D}_i,T^{\prime }>$ to S through a public channel, where $T^{\prime }$ represents a timestamp.

Step 3:

Upon receiving $<C,TI{D}_i,T^{\prime }>$ from $U_i$, S verifies if $T_{now}-T^{\prime }<\mathrm{\Delta }T$ and $T_{now}\subseteq T_u$. If yes, S executes Step 4.

Step 4:

S computes $C^{\prime }=h\left(a\right||TI{D}_i\left|\right|T^{\prime })\oplus h\left(h(b\oplus TI{D}_i)\right)$ by using the b transmitted by $TA$ and the temporary identity $TI{D}_i$ of the user to examine whether $C=C^{\prime }$. If yes, the validity of $U_i$ is authenticated by S, and the sensed data m will be transmitted by S. If no, S terminates this session.

Step 5:

S computes the session key $SK=h(E\oplus a\oplus T_u)$ and encrypts the sensed data by computing $M=m\oplus SK$. Then, S sends $<M>$ to $U_i$ through a public channel. Note that the session key $SK$ provides a secure channel for protecting data transmission between S and $U_i$.

Step 6:

When $U_i$ receives $<M>$ from S, $U_i$ uses the parameters $(E,a,T_u)$ to calculate the session key $SK=h(E\oplus a\oplus T_u)$ and decrypts the sensed data m by computing $m=M\oplus SK$.

Note that $SK$ should be frequently updated when $U_i$’s $T_u$ is expired. If so, $U_i$ returns to the login and verification phases for requesting a new $T_u$ with $TA$. Finally, a new $SK$ will be established and updated among $U_i$ and S in the access control and encryption phase.

5. Security Analysis of the Proposed Scheme

In this section, we analyze the security of our proposed scheme, and show that it is able to prevent the above-mentioned weaknesses in Liu–Chung’s scheme. The security of the proposed scheme is based on the collision-free one-way hash function and two hard problems: the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve Diffie–Hellman problem (ECDHP), defined as follows:

ECDLP:

Given a base point P over an elliptic curve E and a random variable $b\in Z_q^{*}$, it is computationally infeasible to find out an integer solution a such that $b=aP$.

ECDLP:

Given three parameters $P,aP,bP\in Z_q^{*}$, it is computationally infeasible to compute $abP\in Z_q^{*}$.

We analyze and summarize the main security advantages of our proposed scheme as follows.

5.1. Resistance to Password Disclosure and Password Guessing Attacks

In the registration phase, the user’s password $P{W}_i$ is used in the message $R_i=h(I{D}_i\left|\right|P{W}_i\left|\right|r)$. Although the privileged-insider of $TA$ can obtain the message $R_i$ and the identity $I{D}_i$ of the user, it is unable to know the user’s sensitive password $P{W}_i$ due to r being randomly selected by the user, and $P{W}_i$ is protected by $h\left(I{D}_i\right|\left|P{W}_i\right|\left|r\right)$. Note that deriving $P{W}_i$ from $h\left(I{D}_i\right|\left|P{W}_i\right|\left|r\right)$ is equal to implementing the brute-force attack to crack the one-way hashing function. Moreover, during the login, verification and access control and encryption phases, neither the smart card nor the transmitted messages include user’s password $P{W}_i$. Hence, the proposed scheme eliminates the possibility of password disclosure and password guessing attacks.

5.2. Resistance to Replay Attacks

The timestamps and random numbers are common countermeasures to prevent replay attacks in the authentication process. Since the messages $<M_i,Q_i,T_L>$ and $<C,TI{D}_i,T^{\prime }>$ contain freshly generated timestamps $T_L$ and $T^{\prime }$ and these timestamps are also embedded in the protected messages $Q_i=h\left(N_i\right)\oplus (I{D}_i\left|\right|h(I{D}_i\left|\right|V_i^{\prime }\left|\right|T_L\left)\right)$ and $C=h\left(a\right|\left|TI{D}_i\right|\left|T^{\prime }\right)\oplus h\left(E\right)$, thus each participant first checks the freshness of timestamps received and verifies whether the same timestamps are present in the transmitted messages. Hence, this design discards the possibility of replay attacks in our proposed scheme.

5.3. Resistance to Sensed Data Disclosure Attacks

In the access control and encryption phase of the proposed scheme, the sensed data m is embedded in the encrypted message $M=m\oplus SK$, and m is well-protected via high-entropy session key $SK=h(E\oplus a\oplus T_u)$. Here, we assume that $U_a$ can obtain the parameter a from a legal smart card and can eavesdrop the transmitted messages $<C,TI{D}_i,T^{\prime }>$ and $<M>$ from the public channels between the user $U_i$ and the sensor nodes S. $U_a$ can use the collected parameters to compute $h\left(a\right|\left|TI{D}_i\right|\left|T^{\prime }\right)$ and $C\oplus h\left(a\right|\left|TI{D}_i\right|\left|T^{\prime }\right)$ and derive $h\left(E\right)$. However, without having the knowledge of secrets E and $T_u$, an attacker $U_a$ cannot derive $SK$ from $h\left(E\right)$ because of the irreversibility of the secure one-way hashing function.

On the other hand, during the login phase of the proposed scheme, we assume that the parameter $M_i=\alpha \times P_0$ and the public key $P_{pub}=S_0\times P_0$ of $TA$ are disclosed. However, the secret parameter $N_i=\alpha \times P_{pub}=\alpha S_0{P}_0$ cannot be calculated by $U_a$ since the random number $\alpha$ is unknown due to the infeasibility of deriving them from $M_i$ by solving ECDLP. Moreover, during the access control and encryption phase, a unique and fresh secret parameter $N_i$ is computed in each new session using the random parameter $\alpha$ and the private key $S_0$. Due to the difficulties of ECDHP, $U_a$ cannot derive $N_i$ from $M_i$ and $P_{pub}$, and thus, the protection of fresh secret parameter $h\left(N_i\right)$ does not allow $U_a$ to gain E and $T_u$ from $RM$. Therefore, $U_a$ cannot successfully derive m from M by computing $m=M\oplus h(E\oplus a\oplus T_u)$, and the confidentiality of the sensed data m is guaranteed in the proposed scheme.

5.4. Resistance to Sensed Data Forgery Attacks

In the access control and encryption phase of the proposed scheme, the sensor node S first authenticates the user $U_i$ by verifying whether $C^{\prime }=h\left(a\right||TI{D}_i\left|\right|T^{\prime })\oplus h\left(h(b\oplus TI{D}_i)\right)=C$. Due to the protection of using timestamp $T^{\prime }$ and the secret parameters a and $h(b\oplus TI{D}_i)$, no one can forge a valid message $<C,TI{D}_i,T^{\prime }>$ to pass S’s verification. In addition, we assume that the attacker $U_a$ intercepts the response message M and tries to generate a legitimate message $M^{\prime }=m^{\prime }\oplus h(E\oplus a\oplus T_u)$ with fake sensed data $m^{\prime }$. However, since $U_a$ does not know the secret parameters E and $T_u$, it cannot generate the legitimate message $<M^{\prime }>$. Thus, the proposed scheme could withstand the sensed data forgery attacks.

5.5. Resistance to Stolen Smart Card Attacks

Suppose that the smart card of $U_i$ is lost or stolen. The attacker $U_a$ could get the stored parameters $<Y_i,X_i,W_i,a,E,q,P_0,P_{pub},h(·)>$ and try to impersonate $U_i$ to successfully login to the trusted authority $TA$. $U_a$ can first guess a candidate identity $I{D}_i^{*}$ and password $P{W}_i^{*}$ and compute $r^{*}=X_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i^{*})$$V_i^{*}=W_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i^{*}\left|\right|r^{*})$ and $Y_i^{*}=h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i^{*}\left)\right)$. The way for $U_a$ to learn $P{W}_i$ is to find out the correct pair $(I{D}_i^{*},P{W}_i^{*})$ such that $Y_i=Y_i^{*}$. In the proposed scheme, we assume the probability of guessing $I{D}_i$ composed of exact l characters and $P{W}_i$ composed of exact m characters is approximately $\frac{1}{2^{6l+6m}}$. This probability is negligible, and $U_a$ has no feasible way to derive $I{D}_i$ and $P{W}_i$ of the user $U_i$ in polynomial time.

5.6. Resistance to Off-Line Password Guessing Attacks

In the proposed scheme, we assume that an attacker $U_a$ could eavesdrop all of the transmission messages $<M_i,Q_i,T_L>$, $<RM>$, $<C,TI{D}_i,T^{\prime }>$ and $<M>$ between $U_i$, $TA$ and S. However, neither the smart card, nor the transmission messages include $U_i$’s password $P{W}_i$. Therefore, the proposed scheme could withstand the off-line password guessing attack.

5.7. Provision of the Efficient Login Phase

In order to illustrate the verification mechanism during the login phase, three cases are taken into consideration. Case 1 assumed $U_i$ inputs a correct identity $I{D}_i$ and incorrect password $P{W}_i^{*}$. Case 2 assumed $U_i$ inputs an incorrect identity $I{D}_i^{*}$ and correct password $P{W}_i$. Case 3 assumed $U_i$ inputs incorrect identity $I{D}_i^{*}$ and incorrect password $P{W}_i^{*}$.

Case 1:

After the user inputs $(I{D}_i,P{W}_i^{*})$, the smart card computes $r^{*}=X_i\oplus h(I{D}_i\left|\right|P{W}_i^{*})$, $V_i^{*}=W_i\oplus h(I{D}_i\left|\right|P{W}_i^{*}\left|\right|r^{*})$ and $Y_i^{*}=h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i\left|\right|P{W}_i^{*}\left)\right)$ and verifies $Y_i{}_{=}^{?}h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i\left|\right|P{W}_i^{*}\left)\right)$. In fact, the verification cannot pass as $Y_i\ne h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i\left|\right|P{W}_i^{*}\left)\right)$, and the smart card immediately terminates the session.

Case 2:

After the user inputs $(I{D}_i^{*},P{W}_i)$, the smart card computes $r^{*}=X_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i)$, $V_i^{*}=W_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i\left|\right|r^{*})$ and $Y_i^{*}=h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i\left)\right)$ and verifies $Y{}_{=}^{?}h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i\left)\right)$. Furthermore, the verification cannot pass as $Y\ne h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i\left)\right)$, and the smart card immediately terminates the session.

Case 3:

After the user inputs $(I{D}_i^{*},P{W}_i^{*})$, the smart card computes $r^{*}=X_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i^{*})$, $V_i^{*}=W_i\oplus h(I{D}_i^{*}\left|\right|P{W}_i^{*}\left|\right|r^{*})$ and $Y_i^{*}=h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i^{*}\left)\right)$ and verifies $Y{}_{=}^{?}h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i^{*}\left)\right)$. Similarly, the verification cannot pass as $Y\ne h(V_i^{*}\left|\right|r^{*}\left|\right|h(I{D}_i^{*}\left|\right|P{W}_i^{*}\left)\right)$, and the smart card immediately terminates the session.

5.8. Provision of User Anonymity

Based on the design of our proposed scheme, the excellent property of user anonymity can be guaranteed at every phase. We cleverly mask the real identity of $U_i$ via a public channel, and no attacker can compromise $U_i$’s real identity by launching security attacks. First, in the login phase, $U_i$’s real identity is included in $Q_i=h\left(N_i\right)\oplus (I{D}_i\left|\right|O_i)$. Thus, $U_a$ cannot reveal $Q_i$ without $h\left(N_i\right)$. Additionally, in the verification and access control and encryption phases, the temporary identity $TI{D}_i$ is generated and utilized to replace $U_i$’s identity transmitted among the user and the sensor nodes. That is to say, all of the identities are transmitted in cipher format instead of plaintext, and these temporary identities will be randomized at each new session. As a result, our proposed scheme can provide the property of user anonymity.

5.9. Provision of Mutual Authentication

In the login phase of the proposed scheme, only the legitimate user can know the secret parameter $V_i=h(I{D}_i\left|\right|S_0\left|\right|a)$ to generate a legal $O_i$. Therefore, in Step 3 of the verification phase, $TA$ can authenticate $U_i$ by checking if the decrypted $O_i$ is equal to the computed $O_i^{\prime }$. Moreover, in Step 5 of the verification phase, only the legal $TA$ can own the secret key $S_0$ to compute the common secret parameter $h\left(N_i\right)$. As a result, $U_i$ can authenticate $TA$ by decrypting $RM$ and checking if the revealed $I{D}_i$ is involved in $RM$.

On the other hand, in the access control and encryption phase, only the legal user can obtain the secret parameter $h\left(E\right)$ to generate a legal C. Thus, in Step 4 of the access control and encryption phase, S can authenticate $U_i$ by checking if the received C is equal to the computed $C^{\prime }$. Additionally, in Step 5 of the access control and encryption phase, only the participated S can calculate the common session key $SK=h(E\oplus a\oplus T_u)$ to encrypt the sensed data by computing $M=m\oplus SK$. Finally, $U_i$ can also authenticate S by establishing the common session key $SK$ and checking if the sensed data m are involved in M by decrypting $m=M\oplus SK$.

5.10. Provision of Session Key Security

Since the common session key $SK$ is only shared and established among the user $U_i$ and the sensor nodes S, in order to establish a secure and authenticated channel for late successive transmission, the session key $SK$ not only ensures confidentiality, but also achieves authenticity of participants and messages. Based on the design of session key $SK=h(E\oplus a\oplus T_u)$, E is used for verifying the integrity of the transmitted messages, whereas $T_u$ is used for preventing possible replay and misuse service attacks. As a result, the session key security and data confidentiality can be provided in the proposed authentication scheme.

6. Security Proof of the Proposed Scheme

Here, we follow similar techniques to demonstrate the security of our scheme in the random oracle model [27,28,29,30] and under the elliptic curve Diffie–Hellman problem (ECDHP).

6.1. Adversarial Model

We assume an adversary $\mathcal{A}$ is a probabilistic polynomial time algorithm and allowed to issue the following queries to some oracles. Note that an oracle has multiple instances ${\prod }_{\mathcal{U}}^j$, where $\mathcal{U}$ denotes participants and $j\in \mathbb{N}$. Here, we set $\mathcal{U}\in \{U_i,TA,S\}$ and may use $\mathcal{A}$ to simulate the proposed scheme via issuing queries.

• $Send({\prod }_{\mathcal{U}}^j,m)$ query: Upon receiving this query with message m, instance ${\prod }_{\mathcal{U}}^j$ follows the proposed scheme and then returns the result to $\mathcal{A}$.
• $Hash({\prod }_{\mathcal{U}}^j,m)$ query: Upon receiving this query with message m, instance ${\prod }_{\mathcal{U}}^j$ returns a random value to $\mathcal{A}$.
• $Corrupt({\prod }_{U_i}^j,U)$ query: $\mathcal{A}$ may query user U’s password. Upon receiving this query, instance ${\prod }_{U_i}^j$ returns a password $P{W}_U$ to $\mathcal{A}$. Note that this query models the forward secrecy of session key.
• $Reveal\left({\prod }_{\mathcal{E}\in \{U_i,S\}}^j\right)$ query: $\mathcal{A}$ may query the previous established session keys. Upon receiving this query, instance ${\prod }_{\mathcal{E}\in \{U_i,S\}}^j$ returns a previous session key to $\mathcal{A}$, if it has accepted. Otherwise, ${\prod }_{\mathcal{E}\in \{U_i,S\}}^j$ returns a random string to $\mathcal{A}$. Note that this query models the knowing the session key attack of session key.
• $Test\left({\prod }_{\mathcal{E}\in \{U_i,S\}}^j\right)$ query: $\mathcal{A}$ may only issue this query once. Upon receiving this query, instance ${\prod }_{\mathcal{E}\in \{U_i,S\}}^j$ flips an unbiased coin b. If $b=1$, it returns a session key. Otherwise, it returns a random string. Note that this query models the semantic security of session key.

6.2. Mutual Authentication between $U_i$ and $TA$

Theorem 1.

In the random oracle model, assume that there exists an adversary $\mathcal{A}$ with a non-negligible advantage ${ϵ}_0$ that can impersonate $U_i$ to communicate with $TA$. Then, there is a challenger $\mathcal{C}$, which can solve the elliptic curve Diffie–Hellman problem (ECDHP) with advantage $q·{ϵ}_0<ϵ\le \frac{q_H}{2^k}$, where $q_S$ denotes the maximum number of send queries issued by $\mathcal{A}$, $q_H$ denotes the maximum number of hash queries issued by $\mathcal{A}$ and k denotes the length of the hash value.

Proof. 

Note that we say that $\mathcal{A}$ successfully impersonates $U_i$ to communicate with $TA$. This means that $TA$ accepts $(M_i,Q_i,T_L)$, but it has not been produced by $U_i$. In this case, it could be that $\mathcal{A}$ guessed $(M_i,Q_i,T_L)$. Then, this leads to:

$${ϵ}_0<\frac{q_S}{q}\times Pr[O_i=h(I{D}_i\left|\right|V_i\left|\right|TL\left)\right|I{D}_i\left|\right|O_i=Q_i\oplus h\left(N_i^{\prime }\right);V_i=h(I{D}_i\left|\right|S_0\left|\right|a\left)\right]\times \frac{1}{q_S}\le \frac{q_S}{q}\times \frac{q_H}{2^k}\times \frac{1}{q_S}.$$

(1)

Given that $M_i=a·P$ and $P_{pub}=b·P$ to $\mathcal{A}$ for a, $b\in {\mathbb{Z}}_q^{*}$ are unknown, then, $\mathcal{A}$ can compute $N_i^{\prime }=abP$. Thus, given $(P,M_i,P_{pub})=(P,aP,bP)$, $\mathcal{C}$ can use $\mathcal{A}$ as a subroutine to compute $abP$. In other words, $\mathcal{C}$ can solve ECDLP with the advantage $q·{ϵ}_0<ϵ\le \frac{q_H}{2^k}$. ☐

Theorem 2.

In the random oracle model, assume that there exists an adversary $\mathcal{A}$ with a non-negligible advantage ${ϵ}_1$ that can impersonate $TA$ to communicate with $U_i$. Then, there is a challenger $\mathcal{C}$, which can solve the elliptic curve Diffie–Hellman problem (ECDHP) with advantage $ϵ\ge {ϵ}_0-\frac{1}{2^k}-\frac{q_S^2·q_H^2}{q·2^k}$, where $q_S$ denotes the maximum number of send query issued by $\mathcal{A}$, $q_H$ denotes the maximum number of hash query issued by $\mathcal{A}$ and k denotes the length of the hash value.

Proof. 

Without of loss generality, we assume that the event that violates $U_i$-to-$TA$ authentication denoted by $Even{t}^{U_{i}2TA}$ does not occur. Similarly, we use the symbol $Even{t}^{TA2U_i}$ to define the event that violates $TA$-to-$U_i$ authentication. We say that $\mathcal{A}$ successfully impersonates $TA$ to communicate with $U_i$. This means that at some point, $U_i$ accepts $RM$ after sending $(M_i,Q_i)$. However, $RM$ has not been produced by $TA$. In this case, it could be the following three cases:

• $\mathcal{A}$ guessed $RM$. The probability of this case is $\frac{1}{2^k}$.
• $M_i$ and $Q_i$ were obtained in other session. The probability of this case is $\frac{q_S·(q_S-1)}{q}\times \frac{q_H·(q_H-1)}{2^k}$ less than $\frac{q_S^2·q_H^2}{q·2^k}$.
• $\mathcal{A}$ had issued the hash query for $N_i^{\prime }$.

Thus, we have:

$$Pr\left[Even{t}^{TA2U_i}\right|\neg Even{t}^{U_{i}2TA}]\le Pr[RM=h\left(N_i^{\prime }\right)\oplus (I{D}_i\left|\right|TI{D}_i\left|\right|T_u\left|\right|E\left)\right]+\frac{1}{2^k}+\frac{q_S^2·q_H^2}{q·2^k}.$$

(2)

Given $M_i=a·P$ and $P_{pub}=b·P$ to $\mathcal{A}$ for a, $b\in {\mathbb{Z}}_q^{*}$ are unknown, then, $\mathcal{A}$ can compute $N_i^{\prime }=abP$. Thus, given $(P,M_i,P_{pub})=(P,aP,bP)$, $\mathcal{C}$ can use $\mathcal{A}$ as a subroutine to compute $abP$. In other words, $\mathcal{C}$ can solve ECDLP with the advantage $ϵ\ge {ϵ}_0-\frac{1}{2^k}-\frac{q_S^2·q_H^2}{q·2^k}$.

6.3. S Authenticates $U_i$ and Key Agreement

Theorem 3.

Under the elliptic curve computational Diffie–Hellman problem (ECDHP), no adversary can impersonate user $U_i$ to communicate with sensor node S after $U_i$ is authenticated as a legal user by $TA$.

Proof. 

No one can forge $C=h\left(a\right|\left|TI{D}_i\right|\left|T^{\prime }\right)\oplus E$ except legal user $U_i$ because a is a secret value stored in $U_i$’s smart card, and E is obtained from the procedures of $U_i$ authenticating $TA$. By Theorem 2, we have proved that no one can impersonate $TA$ to communicate with $U_i$ under the ECDHP. Even if the $U_i$’s smart card is broken, the adversary is still unable to forge E. ☐

Theorem 4.

Under the elliptic curve computational Diffie–Hellman problem (ECDHP), only user $U_i$ and sensor node S can establish a session key $SK$ after $U_i$ is authenticated as a legal user by $TA$. In other words, no adversary can compute $SK$ except $U_i$ and S.

Proof. 

According to the proofs of Theorems 2 and 3, no one can compute $SK=h(E\oplus a\oplus T_u)$ except $U_i$, an authenticated legal user. In another aspect, only S can compute $SK$ because $TA$ sends a and $(T_u,b,TI{D}_i)$ to S via a secure channel, and E is computed by $h(b\oplus TI{D}_i)$. ☐

7. Performance Analyses and Comparisons

In this section, we provide a performance comparisons among our scheme and two existing ECC-based authentication schemes [5,21] for wireless healthcare sensor networks in terms of computation costs in the authentication process (which includes the login, verification, and access control and encryption phases). According to the experimental results of He [31], the execution times are given in

Table 1. Execution time (in milliseconds; ms) of various cryptographic operations.

Notations	Descriptions
$T_{EM}$	The time of executing an elliptic curve scalar point multiplication, 1$T_{EM}\approx$ 1.17 ms
$T_{BP}$	The time of executing a bilinear pairing operation, 1$T_{BP}\approx$ 3.16 ms
$T_{EA}$	The time of executing an addition operation of points, 1$T_{EA}<0.1$ ms, which is negligible
$T_{MH}$	The time of executing a map-to-point hash function, 1$T_{MH}<1$ ms, which is negligible
$T_H$	The time of executing a one-way hash function, 1$T_H<0.01$ ms, which is negligible

, where the hardware platform is a Pentium IV 3-GHz processor with library MIRACL [32]. As shown in Table 1, it is clear that the elliptic curve scalar point multiplication and the bilinear pairing operation are more complicated than other operations, and the running time of the addition operation of points, the map-to-point hash function and the one-way hash function could be ignored. Therefore, we only need to count the execution time of the elliptic curve scalar point multiplication and the bilinear pairing operation.

In

Table 2. Performance comparisons among the proposed scheme and other related schemes.

	Yeh et al. [5] (2011)	Liu–Chung [21] (2016)	The Proposed Scheme
Computation cost ($U_i$)	2$T_{EM}$ + 1$T_{EA}$ + 1$T_{MH}$ + 3$T_H$	1$T_{EM}$ + 1$T_{BP}$ + 1$T_{MH}$ + 2$T_H$	2$T_{EM}$ + 8$T_H$
Computation cost ($TA$)	5$T_{EM}$ + 3$T_{EA}$ + 4$T_{MH}$	2$T_{BP}$ + 1$T_H$	1$T_{EM}$ + 4$T_H$
Computation cost (S)	2$T_{EM}$ + 2$T_{EA}$ + 3$T_{MH}$	1$T_{BP}$ + 1$T_{MH}$ + 2$T_H$	4$T_H$
Total execution time	10.53 ms	13.81 ms	3.51 ms

, we summarize the efficiency comparisons among our proposed scheme and other previous WSN-based authentication schemes in terms of computational complexity and the execution time, where the total execution times are measured using Table 1. From Table 2, we can see that the computation cost of our scheme is lower than that of Yeh et al.’s and Liu–Chung’s schemes on both the user, the trusted authority and the sensor node side. Therefore, our proposed scheme is the most efficient compared to the other two related schemes in terms of overall computation costs, and it can be claimed that the execution time of the proposed scheme is suitable for different real-life applications, including medical care systems.

Lastly, the security criteria and functional properties of three ECC-based authentication schemes are summarized in

Table 3. Functionality comparisons among the proposed scheme and other related schemes.

	Yeh et al. [5] (2011)	Liu–Chung [21] (2016)	The Proposed Scheme
F1	$\chi$	$\chi$	√
F2	√	$\chi$	√
F3	√	√	√
F4	√	$\chi$	√
F5	$\chi$	$\chi$	√
F6	√	$\chi$	√
F7	−	$\chi$	√
F8	−	$\chi$	√
F9	√	$\chi$	√
F10	√	$\chi$	√

F1: Provision of user anonymity; F2: provision of efficient login phase; F3: provision of mutual authentication; F4: provision of session key security; F5: prevention of password disclosure attack; F6: prevention of replay attack; F7: prevention of sensed data disclosure attack; F8: prevention of sensed data forgery attack; F9: prevention of stolen smart card attack; F10: prevention of off-line password guessing attack; √: yes; $\chi$: no; −: not mentioned.

. It is visible from Table 3 that Yeh et al.’s scheme [5] is vulnerable to password disclosure attack in the registration phase and also does not provide the user anonymity property, where Liu–Chung’s scheme [21] does not support this property. The proposed scheme can prevent all of the security weaknesses of the former scheme and provide mutual authentication and user anonymity to protect data integrity and user privacy. From Table 2 and Table 3, the proposed scheme not only keeps lower computational cost, but also possesses more security requirements along with strong security protection on the relevant security attacks for IoT-based medical care systems.

8. Conclusions

In this paper, we first give a brief review of Liu–Chung’s authentication scheme combined with its basic security analysis and find that their scheme is vulnerable to password disclosure, off-line password guessing, sensed data disclosure, sensed data forgery, replay attacks and the stolen smart card problem. Furthermore, their scheme cannot achieve user anonymity and session key security, and it has unnecessary redundancy in protocol design. In order to repair their security flaws and improve the system performance, an improved efficient scheme is proposed. The security analysis indicates that the proposed authentication scheme is able to withstand those attacks mentioned and satisfies all desirable security attributes, such as user anonymity, mutual authentication, session key security and an efficient verification mechanism during the login phase. Comparing the efficiency with other ECC-based authentication schemes, the proposed scheme is comparable in terms of the computational overheads and practical as the secure authentication mechanism for the IoT-based medical care system.