2590 IEEE SYSTEMS JOURNAL, VOL. 11, NO.

4, DECEMBER 2017

Anonymous Authentication for Wireless Body Area

Networks With Provable Security
Debiao He, Sherali Zeadally, Neeraj Kumar, Member, IEEE, and Jong-Hyouk Lee, Senior Member, IEEE

Abstract—Advances in wireless communications, embedded 78.2 years from 69.8 years during the past 50 years [1]. It
systems, and integrated circuit technologies have enabled the is expected that about 81 million people will be 60 or older
wireless body area network (WBAN) to become a promising net- in 2050 [1]. The rapid growth in the number of aged people
working paradigm. Over the last decade, as an important part
of the Internet of Things, we have witnessed WBANs playing an creates many economic and societal challenges as more aged
increasing role in modern medical systems because of its capabili- people will suffer from chronic diseases and will not be able to
ties to collect real-time biomedical data through intelligent medical take care of themselves. To take better care of aged people and
sensors in or around the patients’ body and send the collected reduce the burden on society, real-time monitoring of patients
data to remote medical personnel for clinical diagnostics. WBANs and remote medical clinical diagnostics are going to be a crucial
not only bring us conveniences but also bring along the chal-
lenge of keeping data’s confidentiality and preserving patients’ part of the healthcare system.
privacy. In the past few years, several anonymous authentication The wireless body area network (WBAN), initially proposed
(AA) schemes for WBANs were proposed to enhance security by by Zimmerman [2], is a promising networking paradigm, which
protecting patients’ identities and by encrypting medical data. uses wireless personal area network (WPAN) technology. In
However, many of these schemes are not secure enough. First, we recent years, the WBAN has attracted a lot of attention from
review the most recent AA scheme for WBANs and point out that
it is not secure for medical applications by proposing an imperson- both the research community and industry as an important part
ation attack. After that, we propose a new AA scheme for WBANs of the Internet of Things (IoT). A WBAN consists of many
and prove that it is provably secure. Our detailed analysis results low power intelligent sensors, which are placed in or around
demonstrate that our proposed AA scheme not only overcomes the human body. Through these sensors, real-time monitor-
the security weaknesses in previous schemes but also has the same ing could be implemented remotely. Fig. 1 illustrates a typical
computation costs at a client side.
WBAN application scenario where the WBAN collects real-
Index Terms—Attack, authentication, security, wireless body time biomedical data such as heart rate, blood pressure, and
area network (WBAN). pulse and then sends the data to a remote medical server through
mobile devices such as a personal digital assistant (PDA) or
I. I NTRODUCTION a smart phone. Based on this data, doctors and other medical
personnel could get a patient’s status and provide the appropri-
T ECHNOLOGICAL advances in various fields have led to
significant improvements in the lives of people all over
the world resulting in their increased life expectancy. For exam-
ate clinical diagnostics. Therefore, the use and deployment of
WBANs could help us to take care of aged people and patients
ple, the life expectancy in the United States has prolonged to by providing a reliable and robust health-monitoring service in
the IoT environment.
Manuscript received December 09, 2014; revised February 06, 2016; The data collected or transmitted in WBANs are very sen-
accepted March 13, 2016. Date of publication April 22, 2016; date of sitive and important because these are the basis of clinical
current version November 22, 2017. The work of D. He was supported in part
by the National Natural Science Foundation of China under Grant 61572379, diagnostics. Besides, privacy is also an important issue from
Grant 61501333, and Grant U1536204; in part by the National High-tech R&D the patient’s perspective because biomedical data are highly
Program of China (863 Program) under Grant 2015AA016004; in part by the confidential and should be handled, transmitted, and stored
Research Fund of the Guangxi Key Laboratory of Trusted Software under Grant with care to prevent information leakage to unauthorized users.
kx201529; and in part by the Natural Science Foundation of Hubei Province of
China under Grant 2015CFB257. The work of J.-H. Lee was supported by the Therefore, authentication, data confidentiality, integrity, non-
Basic Science Research Program through the National Research Foundation of repudiation, and privacy preservation should be guaranteed
Korea (NRF) funded by the Ministry of Science, ICT & Future Planning under during all communications within the WBAN environment. To
Grant NRF-2014R1A1A1006770. (Corresponding author: Jong-Hyouk Lee.)
generalize the applications based on WBANs, IEEE 802.15.6
D. He is with the State Key Laboratory of Software Engineering, Computer
School, Wuhan University, Wuhan 430072, China, and also with Guangxi Key has been proposed to provide an international standard for reli-
Laboratory of Trusted Software, Guilin University of Electronic Technology, able wireless communication in WBANs and the standard could
Guilin 541004, China (e-mail: [email protected]). support data rates ranging from 75.9 kb/s to 15.6 Mb/s. The
S. Zeadally is with the College of Communication and Information,
University of Kentucky, Lexington, KY 40506 USA (e-mail: szeadally@
standard describes security requirements and various security
uky.edu). levels in WBANs. The standard also recommends four elliptic
N. Kumar is with the Department of Computer Science and Engineering, curve-based security schemes to achieve those goals. However,
Thapar University, Patiala 147004, India (e-mail: [email protected]). recent works show that those four security protocols are vul-
J.-H. Lee is with the Department of Computer Science and Engineering,
Sangmyung University, Cheonan 31066, South Korea (e-mail: jonghyouk@
nerable to several attacks [3], [4]. Therefore, the standard is
smu.ac.kr). not secure enough for some practical applications. To enhance
Digital Object Identifier 10.1109/JSYST.2016.2544805 security, anonymous authentication (AA) schemes for WBANs
1937-9234 © 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
HE et al.: AA FOR WBANS WITH PROVABLE SECURITY 2591

To guarantee secure communication in WBANs, Poon et al.

[5] used physiological values (such as electrocardiogram,
iris, and fingerprint) to design an authentication scheme for
WBANs. By measuring and comparing physiological values,
their scheme could implement authentication. To improve per-
formance, several improved schemes [6]–[8] based on physio-
logical values have been proposed. However, the physiological
value-based schemes [5]–[8] suffer from the denial-of-service
(DoS) attack because there are differences between any two
measured physiological signals of the same person and are not
Fig. 1. Typical WBAN application scenario.
suitable for practical applications.
The received signal strength (RSS) in WBANs varies accord-
have been extensively studied to provide not only authentication ing to mobility and channel environments. Therefore, channel-
and privacy preservation but also to ensure confidentiality, based authentication schemes [9]–[11] are also considered to
integrity, and nonrepudiation based on a shared key. implement mutual authentication in WBANs. Zheng et al. [9]
We introduce a new AA scheme for WBANs with prov- used temporal RSS variation lists to deal with the identity-based
able security. Specifically, the major contributions of this paper attack. However, their scheme focuses on identification and
are threefold. First, we give a security analysis of a latest AA cannot provide anonymity. Cai et al. [10] proposed a device-
scheme for WBANs. We show that it is not secure for applica- pairing scheme using differential RSS. However, their scheme
tions based on WBANs by demonstrating that it is not secure requires at least two receiver antennas and is not suitable for
against impersonation attacks. Second, our proposed scheme practical applications. Using the heterogeneous channel charac-
not only overcomes the weakness in previous schemes but also teristics among the collection of on-body channels during body
reduces the computation burden on the client. Finally, we per- motion, Shi et al. [11] proposed a lightweight authentication
form an in-depth security analysis to show that our scheme is scheme for WBANs.
provably secure. In addition, we show that our scheme could Several proximity-based authentication schemes [12]–[14]
meet security requirements in medical applications based on were proposed for applications based on WBANs. Varshavsky
WBANs. et al. [12] extended the Diffie–Hellman key exchange with
This paper is organized as follows. We discuss related works the verification of device colocation and proposed an authen-
in Section II. We present security requirements, network model, tication scheme for WBANs. By monitoring the radio envi-
and security model in Section III. We review and analyze a ronment and generating a signature (including its RSS), the
latest AA scheme in Section IV. We describe our proposed device in Varshavsky et al.’s scheme could implement similar-
AA scheme for WBANs in Section V. We perform an analy- ity detection. With pairing devices transmitting and the trusted
sis of our authentication scheme and evaluate its performance in body-worn personal devices receiving, Kalamandeen et al. [13]
Sections VI and VII, respectively. We make concluding remarks proposed an authentication method by monitoring the transmis-
in Section VIII. sions. Later, Mathur et al. [14] proposed a colocation-based
pairing scheme by exploiting environmental signals. The main
weakness of proximity-based authentication methods is that the
II. R ELATED W ORK
devices have to be within half of the wavelength distance of
The IEEE 802.15.6 standard proposed a security framework each other, which is restrictive for medical sensors deployed in
for WBANs. The standard recommends security levels. a BAN. Shi et al. [15] [16] found that an off-body attacker has
1) Level 0—Unsecured Communication: This is the low- distinct RSS variation behavior with an on-body sensor. Using
est level of security, where the data are transmitted in this fact, they proposed a channel-based and a proximity-based
plaintext form and no authentication is provided at all. authentication scheme for WBANs.
2) Level 1—Authentication but no Encryption: With this In contrast to the physiological value-based schemes [5]–[8],
level of security, the data are transmitted in plaintext the channel-based schemes [9]–[11], and the proximity-based
form. However, some measures about authentication are schemes [12]–[14], the cryptography-based schemes require
involved to validate the data. fewer restrictions (such as channel, distance, and location) from
3) Level 2—Authentication and Encryption: This is the high- the applications’ environments. Consequently, cryptography-
est level of security, where the data are transmitted in based authentication schemes have been attracting increas-
plaintext form and authentication is also provided. ing attention recently. The cryptography-based authentication
The standard also recommends four elliptic curve-based scheme could be implemented using the traditional public key
security schemes to achieve those security levels. However, cryptography (TPKC) [17], [18]. For example, Li et al. [19],
recent work shows that those four security protocols are vul- [20] proposed a key management method and used the TPKC
nerable to several attacks [3], [4]. Therefore, the standard is to implement mutual authentication. In the TPKC, the com-
not secure enough for practical applications. The AA scheme is plex modular exponentiation operation is needed. However, the
suitable for ensuring security in WBANs because it could pro- client device in WBANs has very limited computing capability
vide mutual authentication and generate session key to encrypt and battery capacity. Therefore, authentication schemes based
data. Over the last few years, many authentication schemes for on the TPKC are not suitable for WBAN applications. To avoid
WBANs have been proposed for practical applications. the modular exponentiation operation, several authentication
2592 IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017

schemes [21]–[23] based on the elliptic curve cryptography III. N ETWORK M ODEL AND S ECURITY M ODEL
(ECC) have been proposed. A. Security Requirements
The concept of the ECC was first introduced by Miller [24]
and Koblitz [25] separately. Compared to TPKC, ECC could In the WBAN environment, the client and the application
provide the same security with a much smaller key size [26]. provider communicate wirelessly. Therefore, the authentica-
Therefore, ECC is more suitable for environments with limited tion scheme for WBANs is susceptible to many attacks. To
computing capabilities and battery capacity. However, public guarantee secure communication in WBANs, the authentication
key infrastructure (PKI) is needed in the practical implemen- scheme should be able to withstand various attacks. According
tation of the ECC. With PKI, every user has a certificate, to previous works [1], [10]–[12], [17], [18], [32], the authenti-
generated by the certificate authority (CA), to bind his/her iden- cation scheme for WBANs should satisfy the following security
tity and public key. The management of certificates becomes requirements.
more tedious as the number of users grows. Therefore, authen- 1) Mutual Authentication: To ensure only authorized
tication schemes [21]–[23] based on ECC are not suitable for clients could access medical services. It is necessary that the
WBANs. authentication scheme for WBANs provides mutual authenti-
The idea of the Identity-based public key cryptography (ID- cation between the client and the application provider.
based PKC) was proposed by Shamir [27]. In the ID-based 2) Anonymity: To protect the client’s privacy, it is nec-
PKC, the key generation center (KGC) uses its secret key to cal- essary that no one including the application provider and
culate the user’s secret key according to his/her identity and the the network manager could get the client’s identity from the
identity plays the role of the public key. Therefore, the ID-based intercepted message.
PKC could address the problem of certificates management in 3) Nontraceability: Only anonymity is not enough for pro-
the TPC. Yang and Chang [28] proposed an efficient authenti- tecting the client’s privacy because location privacy is equally
cation scheme based on the ID-PKC. However, Yoon and Yoo important. Therefore, it is necessary that the authentication
[29] demonstrated that their scheme had serious security vul- scheme could provide nontraceability, i.e., no one including the
nerability by proposing an impersonation attack. Based on the application provider and the network manager should be able to
ID-PKC, He et al. [30] used ECC to design a new authenti- trace the client’s action.
cation scheme and proved their scheme was provably secure. 4) No Verification Table: The verification table has been
Unfortunately, Wang and Ma [31] found that their scheme [30] used in some previous authentication schemes including Liu
could not resist the reflection attack. They also pointed out that et al.’s schemes [32]. It brings a lot of inconvenience to system
He et al.’s scheme could not provide mutual authentication. management because the application provider has to update the
Later, Islam and Biswas [32] used ECC to construct another verification table when a new client joins the system or an old
authentication to solve security vulnerability in Yoon and Yoo’s client is removed from the system. Therefore, it is required that
scheme. Unfortunately, Truong et al. [33] pointed out that their no verification table is used by the system.
scheme could not resist the denial of service attack. Although 5) Session Key Agreement: To ensure confidentiality,
the above ID-based authentication schemes [28]–[33] have bet- integrity, and nonrepudiation of medical data transmitted in
ter performance than previous schemes, they are not suitable WBANs, it is necessary to generate a shared session key
for applications based on WBANs because they are designed between the client and the application provider.
for the client–server environment. 6) Perfect Forward Secrecy: The adversary may get the
To ensure secure communication in WBANs, Liu et al. [34] shared key between the client and the application provider in
used the bilinear pairing defined on the elliptic curve to design WBANs when the adversary gets their secret keys. In this case,
a new certificateless signature scheme. Then, they presented a access to medical data transmitted in WBANs is possible by
preliminary version authentication scheme for WBANs using decrypting the intercepted messages. To protect the client’s
their signature scheme. However, the scheme provides non- privacy, it is required that the authentication for WBANs sup-
traceability because the user’s identity is a constant value and ports perfect forward secrecy, i.e., the adversary cannot get the
the adversary could trace the client by observing the constant session key even if the secret keys of both the client and the
value. To enhance security, they also presented a security- application provider are obtained.
enhanced authentication scheme using their signature scheme 7) Attack Resistance: Due to the open environment, the
and demonstrated that it could withstand various attacks. authentication for WBANs is susceptible to various attacks
However, in most of the practical applications, there is a priv- such as the impersonation attack, the reply attack, the mod-
ileged insider of the system, who is responsible for ensuring the ification attack, the stolen verifier table attack, and the man-
device’s normal functions. This insider can access the database in-the-middle attack. To ensure security, it is required that
of the system and modify database entries when required. the authentication scheme should be able to withstand those
Besides, a powerful adversary can actually penetrate the system aforementioned attacks.
and has ability to modify the database. In other words, it is real-
istic and reasonable to assume that there is such adversary who
has ability to modify the database of the system. Based on the B. Network Model
above observation, we found that Liu et al.’s security-enhanced We consider the generalized network model shown in Fig. 2,
authentication scheme is not secure for practical applications in which three participants such as the WBAN client (C), the
by presenting an impersonation attack. The detailed attack is Network Manager (NM), and the Application Provider (AP) are
presented in Section IV. involved. In contrast to Fig. 1, Fig. 2 simplifies the complexity
HE et al.: AA FOR WBANS WITH PROVABLE SECURITY 2593

responsible for providing medical services (as shown in Fig. 1).

First, NM generates the systems parameters and the AP’s pub-
lic/secret keys. Second, C gets his private by registering with
NM. Finally, C and AP could authenticate each other.

C. Security Model
Based on a well-known security model for key exchange
schemes [35], we define the security model for our proposed
Fig. 2. Generalized network model for WBANs. AA scheme as follows.
In the authentication phase of the proposed scheme for
WBANs, every participant is either a client C ∈ Client or an
application provider AP ∈ ApplicationProvider and C gets a
secret key from NM. Let A and Γi denote a probabilistic
polynomial-time adversary and the ith instance of a partic-
ipant Γ, respectively, where Γ is a client or an application
provider. The security of the authentication scheme for WBANs
is defined according to a game between a challenger A and a
simulator S. A could make the following queries.
1) h(m): Upon receiving a query, S first checks whether a
tuple (m, r) is in Lh . If so, S returns r to A; otherwise,
S generates a number r ∈ Zq∗ randomly, inserts the tuple
(m, r) into Lh and returns r to A.
2) H(m): Upon receiving the query, S first checks whether
a tuple (m, R)in LH . If so, S returns R to A; otherwise,
S generates an element R ∈ G1 randomly, inserts (m, R)
into LH and returns R to A.
Fig. 3. Liu et al.’s AA scheme.
3) SymEnc([e, d], k, [m, c]): Upon receiving an encryption
query SymEnc(e, k, m), S first checks if there is a tuple
(k, m, c) in the list Lsym ; If so, S returns c to A; other-
wise, S generates a random number c, records (k, m, c)
into Lsym , and returns c to A. Similarly, upon receiving a
decryption query SymEnc(d, k, c), S first checks if there
is a tuple (k, m, c) in the list Lsym ; If so, S returns m to
A; otherwise, S generates a random number m, records
(k, m, c) into Lsym , and returns m to A.
4) Create(C, right): Upon receiving the query, S generates
the secret key of C with the right parameter.
5) Create(AP): Upon receiving the query, S generates the
private/public key pair of AP and returns the generated
public key to A.
6) Send(Γi , m): Upon receiving the query, S executes steps
in AA scheme for WBANs and outputs corresponding
message.
7) Reveal(Γi ): Upon receiving the query, S returns the
session key of the participant instance Γi to A.
8) Corrupt(Γ): Upon receiving the query, S outputs the
Fig. 4. Proposed AA scheme for WBANs. secret key of Γ to A.
9) Test(Γi ): Upon receiving the query, S chooses a random
bit b ∈ {0, 1}. If b = 1, S returns the session key of Γi to
of a WBAN but still captures the principal entities needed to A; otherwise (b = 0), S generates a random number and
apply a security model that is required to analyze AA schemes. returns it to A.
The WBAN client C denotes a user who could access the An instance Γi is accepted when it receives the final message
WBAN through a smart phone as shown in Fig. 1. The network and turns into some intended mode. The session identification
manager NM denotes a trusted third party, which generates (sid) of the instance Γi is defined as the concatenation of all
system parameters and users’ secret keys. The application messages sent and received by Γi .
provider AP denotes a remote system such as servers and med- Two instances C i and APj are partnered if none of the fol-
ical systems at a hospital, clinic, or physician’s medical office lowing conditions does not hold: 1) both of C i and APj are
2594 IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017

accepted; 2) both C i and APj have the same sid; and 3) C i and TABLE I
N OTATIONS
APj are partner of APj and C i separately.
An instance Γi is fresh if none of the following conditions
does not hold: 1) Γi is accepted; 2) there is no Reveal that has
been made to Γi or its partner; and 3) there is no Corrupt that
has been made to Γi or its partner.
Let Succ(A) denote the event that A could guess the correct
bit b ∈ {0, 1} involved in Test query. The advantage of A vio-
lates the indistinguishability of the scheme Ψ which is defined
Ψ (A) = |2 Pr[Succ(A)] − 1|.
as AdvAKE
Definition 1: We say that an authentication scheme Ψ
for WBANs is authenticated key agreement (AKA)-secure if
Ψ (A) is negligible.
AdvAKE
We say that A could violate C − to − AP authentication
of an authentication scheme Ψ if A could generate a login
message. We say that A could violate the AP − to − C authen-
tication of an authentication scheme Ψ if A could generate a
response message. Let AdvMA Ψ (A) denote the probability that
A could violate C − to − AP authentication and AP − to − C
order. Suppose P and e : G1 × G1 → G2 are a generator of
authentication of an authentication scheme Ψ.
G1 and a bilinear pairings separately. Let H and h be two
Definition 2: We say that an authentication scheme Ψ for
secure hash functions, where H : {0, 1}∗ × G1 → G1 and h :
WBANs is mutual authentication (MA)-secure if the probabil-
{0, 1}∗ × G2 → Zq∗ . The following steps will be executed to
Ψ (A) is negligible.
ity AdvMA
set up system.
a) Give the security parameter l, NM generates
IV. R EVIEW AND A NALYSIS OF L IU ET AL.’ S AA S CHEME its public/secret key (QNM , sNM ) and publishes
{l, G1 , G2 , q, P, e, H, h, QNM }, where QNM = sNM · P .
A. Mathematical Background b) AP generates its public/secret key (QAP , sAP ), where
Let G1 be an addition group with the prime order q. Let G2 QAP = sAP · P .
be a multiplicative group with the same order. We say a map e : 2) Registration: In this algorithm, the following steps will
G1 × G1 → G2 is a bilinear pairing if it satisfies the following be executed by the client and NM when C wants to access
three conditions. services from AP.
1) Bilinear: For two random points Q, R ∈ G1 and two 1) C chooses an integer s1 ∈ Zq∗ randomly, calculates Q1 =
random elements a, b ∈ Zq , we have e(aQ, bR) = s1 · P , and sends {id, Q1 } to NM.
e(Q, R)ab . 2) NM calculates Q2 = H(idQ1 ), S2 = sNM · Q2 ,
2) Nondegeneracy: There is a point Q ∈ G1 such that indCv = e(Q2 , Q1 ), indCs = e(Q2 , QNM ), and
e(Q, Q) = 1. I = indCv · P and creates an account in the form
3) Computability: Any two random points Q, R ∈ G1 , {C, indCv , indCs , right}. NM issues {I, indCs , right} and
e(Q, R) could be calculated efficiently in polynomial {I, indCv , right} to C and AP, respectively.
time. 3) Authentication: In this algorithm, as shown in Fig. 3,
It is well known that there is no algorithm that could solve C and AP could authenticate each other by executing the
the following two problems in polynomial time. following steps.
Discrete logarithm (DL) problem: For two random points a) C generates two numbers k, t ∈ Zq∗ randomly and cal-
P, Q ∈ G1 , it is difficult to find the integer x ∈ Zq such that culates T = t · P , T  = t · QAP , I  = I + T , r = indkCs ,
Q = xP . v = h(tc , r, T ), U = k · S2 + vs1 · Q2 , where tc denotes
Computational Diffie–Hellman (CDH) problem: For two ran- the current timestamp. At last, C sends the message
dom points Q, R ∈ G1 , anyone cannot calculate the point xyP {v, U, tc , T  , I  }.
in polynomial time, where Q = xP , R = yP and x, y are two b) Upon receiving {v, U, tc , T  , I  }, AP checks the validity
unknown elements in Zq . of tc . AP rejects the request if it is not valid; other-
wise, AP calculates T = s−1  
AP · T and I = I − T . AP
finds the tuple {I, indCv , right} corresponding to I, cal-
B. Review of Liu et al.’s AA Scheme culates r = e(U, P ) · indvCv and checks if the equation
There are three algorithms in Liu et al.’s security-enhanced v = h(tc , r, t) holds. AP rejects the request if it does not
authentication scheme: initialization, registration and authenti- hold; otherwise, AP calculates key = h(v, T ) and Auth =
cation. The details are described as follows. Table I describes MACkey (v). Then, AP sends the message {Auth} to C.
the notations used in this work. c) Upon receiving {Auth}, C calculates key = h(v, T ) and
1) Initialization: Let G1 be an addition group with the verifies the validity of MACkey (v). If not, C terminates
prime order q. Let G2 be a multiplicative group with the same the session; otherwise, AP is authenticated.
HE et al.: AA FOR WBANS WITH PROVABLE SECURITY 2595

C. Security Analysis of Liu et al.’s AA Scheme V. O UR P ROPOSED AA S CHEME

Suppose the adversary is a privileged insider of AP or a Based on the above analysis, we could get that the proposed
powerful hacker. The adversary could impersonate C to AP by attack is not possible if no data are stored in AP’s database
executing the following process. for verification purposes. To achieve this goal, we store those
1) The adversary chooses a number ω ∈ Zq∗ randomly and data for verification purposes in NM’s database. The locations
calculates indCv = e(P, P )ω , I = indCv · P . The adver- of NM and AP must be considered in practice. NM is located
sary stores the tuple {I, indCv , right} in AP’s database or in a safe and secure place; it is assumed to be a server being
uses it to replace some such a tuple in AP’s database. operated by a trusted third party. However, AP is typically
2) The adversary generates three random numbers k, t, ξ ∈ located in a hospital location. In other words, AP can be phys-
Zq∗ and calculates T = t · P , T  = t · QAP , I  = I + ically accessed by attackers, who can extract data by physical
T , r = e(P, P )ξ , v = h(tc , r, T ), U = ξ · P − ω · v · P , engineering attacks such as firmware modification, parameter
where tc denotes the current timestamp. Finally, the tampering in memory, and so on. We argue that generated secu-
adversary sends the message {v, U, tc , T  , I  }. rity credentials and storing them in NM is the right approach
Next, we demonstrate that the message {v, U, tc , T  , I  } and is more secure than relying on storing them in AP.
could pass AP’s verification. Since indCv = e(P, P )ω , I = As we mentioned previously, our AA scheme consists of
indCv · P , r = e(P, P )ξ , v = h(tc , r, T ) and U = ξ · P − ω · three algorithms: initialization, registration and authentication.
v · P , we could get The details of these algorithms are described as follows.

e(U, P ) · indvCv A. Initialization

= e(ξ · P − ω · v · P, P )(e(P, P )ω )v Let G1 be an addition group with the prime order q. Let
= e((ξ − ω · v) · P, P )e(P, P )ω·v G2 be a multiplicative group with the same order. Suppose P
= e(P, P )ξ−ω·v e(P, P )ω·v and e : G1 × G1 → G2 are a generator of G1 and a bilinear
pairings separately. Let H and h be two secure hash func-
= e(P, P )ξ−ω·v+ω·v = e(P, P )ξ = r. (1) tions, where H : {0, 1}∗ × G1 → G1 and h : {0, 1}∗ × G2 →
Zq∗ . The following steps will be executed to set up the system.
Then, AP will get the equation v = h(tc , r, T ) holds. 1) Given a security parameter l, NM generates its pub-
Therefore, the message {v, U, tc , T  , I  } could pass AP’s ver- lic/secret key (QNM , sNM ) and publishes system param-
ification and the adversary could successfully impersonate the eters {l, G1 , G2 , q, P, e, H, h, QNM }, where QNM =
client to access services provided by AP. sNM · P .
Liu et al.’s claimed that their security-enhanced authenti- 2) AP generates its public/secret key (QAP , sAP ), where
cation scheme is provably secure. However, we reviewed Liu QAP = sAP · P .
et al.’s proof and we discovered a flaw in their proof. According
to the description of their security-enhanced authentication
scheme, the tuple {I, indCv , right} plays the role of a public B. Registration
key for the client. This requires that the tuple be legal and be In this algorithm, the following steps will be executed by the
bound to the client’s identity. However, the AP in their scheme client and NM when C wants to access services from AP.
cannot verify if the tuple is legal. In this case, the adversary 1) C generates his identity id randomly and sends to NM.
could forge such a tuple at his/her will and generate a valid login 2) NM checks the validity of the client and defines his right.
request message according to such a tuple. Liu et al.’s proof NM calculates Qid = H(idright) and Sid = sNM · Qid
assumes that all tuples {I, indCv , right} stored in AP’s database and issues {Sid , right} to C.
are legal, i.e., they are generated by NM. Subsequently, their 3) Upon receiving {Sid , right}, C stores it secretly.
security-enhanced authentication scheme cannot withstand our
proposed attack.
C. Authentication
According to our analysis above, a straightforward fix
may be to ensure that all tuples {I, indCv , right} stored in In this phase, as shown in Fig. 4, C and AP could authenticate
AP’s database are legal, i.e., they are generated by NM. each other by running the below process.
To achieve this goal, we only need to require NM to issue 1) C chooses a number x ∈ Zq∗ randomly and calcu-
{I, indCv , right, σv } instead of {I, indCv , right} to AP in the lates X = x · P , X  = x · QAP , Qid = H(idright), v =
registration algorithm, where σv is a digital signature on the H(id, right, Qid , QNM , X, X  , tc ), k = h(X, X  , tc ), U =
message {I, indCv , right} and σv is generated by NM using Sid + x · v · Qid , W = Ek (id, right, U ), where tc denotes
its secret key sNM and a secure signature scheme. Besides, we the current timestamp. C sends the message {W, X, tc }
require that AP verifies the validity of {I, indCv , right} before to AP.
using it in the authentication algorithm, where AP uses NM’s 2) Upon receiving {W, X, tc }, AP checks the validity of
public key QNM and the signature scheme to verify the legit- tc . AP rejects the request if it is not valid; otherwise,
imacy of {I, indCv , right}. With this simple modification, the AP calculates X  = sAP · X, k = h(X, X  , tc ) and
adversary cannot generate a valid tuple {I, indCv , right, σv }. As gets (id, right, U ) by using k to decrypt W . AP cal-
a result, the adversary cannot impersonate C to AP. culates Qid = H(idright), v = H(id, right, Qid , QNM ,
2596 IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017

X, X  , tc ), and checks whether the equation e(U, P ) = e(Qid , v  · QNM ) e(a · P, v  · b · P )

= =
e(Qid , QNM + v · X) holds. If it does not hold, it rejects e(Qid , v · QNM ) e(a · P, v · b · P )
the request; otherwise, AP chooses a number y ∈ Zq∗
randomly, calculates Y = y · P , K = y · X = xy · P , e(v  · a · b · P, P )
= = e((v  − v) · a · b · P, P ) (4)
the session key key = h(X, X  , Y, K), and Auth = e(v · a · b · P, P )
h(W, tc , X, X  , Y, K). AP sends {Y, Auth} to C.
3) Upon receiving {Y, Auth}, C calculates K = x · Y = and
xy · P and the session key key = h(X, X  , Y, K). It then
a · b · P = (v  − v)−1 (v  · U − v · U  ). (5)
checks the validity of Auth by checking whether the equa-
tion Auth = h(W, tc , X, X  , Y, K) holds. If it is not valid,
Therefore, for a given instance (P, Qid , QNM ) = (P, a · P, b ·
C rejects the session; otherwise, AP is authenticated.
P ) of the CDH problem, S could use A to solve the problem
with a non-negligible advantage ε0 ≥ ε(1 − 1/q)/qH1 . This
contradicts with the hardness of the CDH problem. Thus, there
VI. S ECURITY A NALYSIS is no adversary that could violate C − to − AP authentication
We prove that the proposed AA scheme is provably secure of our AA scheme for WBANs.
and satisfies the security requirements described in Section II. Lemma 2: Suppose an adversary A could violate the
AP − to − C authentication of our AA scheme with a non-
negligible advantage ε. We could construct a challenger C,
A. Security Theorems which could solve the CDH problem with a non-negligible
advantage.
Lemma 1: Suppose an adversary A could violate the
Proof: Let E C2AP and E AP2C denote events that the
C − to − AP authentication of our AA scheme with a non-
adversary violates the C − to − AP authentication and the
negligible advantage ε. We could construct a challenger C,
AP − to − C authentication of our AA scheme, respectively.
which could solve the CDH problem with a non-negligible
According to the result in the above lemma, we could assume
advantage.
that the event E C2AP does not occur. The event E AP2C means
Proof: Assume that an adversary A could generate that the adversary could forge a response message {Y, Auth}
a legal login request message {W, X, tc } that could be after intercepting the message {W, X, tc }. Then, one of the
accepted by AP with a non-negligible advantage ε, where X = following three events may occur.
x · P , X  = x · QAP , Qid = H(idright), k = h(X, X  , tc ), 1) A could guess the value Auth correctly. Then, the proba-
v = H(id, right, Qid , QNM , X, X  , tc ), U = Sid + x · v · Qid , bility that the event occurs is 1/2k , where k denotes the
and W = Ek (id, right, U ), where tc is the current times- output’s length of the hash function h.
tamp. Through the forking lemma [36], A will output 2) The points X and U have been generated in another ses-
another message {W  , X, tc } if we choose a different choice sion. Let qC denote the number of queries made by A to
of h in the simulation, where X = x · P , X  = x · QAP , the oracle of the client C. Then, the probability that this
v  = h (id, right, Qid , QNM , X, X  , tc ), Qid = H(idright), event occurs is (qC /q) × (qC /q) × (qC − 2) ≤ qC 3
/q 2 .
k = h(X, X  , tc ), U  = Sid + x · v  · Qid , and W = 3) A has made the query to the oracle h(·) with the message

Ek (id, right, U ).  (key, W, X, tc , Y ). Then, we have
Since {W, X, tc } and {W  , X, tc } could pass AP’s verifica-
 
tion, we have the following two equations: Pr E AP2C |E C2AP
≤ Pr[Auth = h(W, tc , X, X  , Y, K)|X, Y ← G1 ]
e(U, P ) = e(Qid , QNM + v · X) (2)
+ 1/2k + qC
3
/q 2 . (6)
and

Let X = a · P and QAP = b · P for some a, b ∈ Zq∗ . For a
e(U  , P ) = e(Qid , QNM + v  · X). (3)
given instance (X, QAP ) = (a · P, b · P ) of the CDH problem,
A could calculate X  = a · QAP = a · b · P . Then, C could use
Let Qid = a · P and QNM = b · P . Then, we have
A to solve the CDH problem. In this case, C could solve
e(v  · U, P ) the CDH problem with a non-negligible advantage ε ≥ ε −
e(v  · U − v · U  , P ) = 1/2k − qC3
/q 2 . This contradicts with the hardness of the CDH
e(v · U  , P )
v v
problem. Thus, there is no adversary that could violate the
e(U, P ) e(Qid , QNM + v · X) AP − to − C authentication of our AA scheme.
=  v = v
e(U , P ) e(Qid , QNM + v  · X) Theorem 1: Our AA scheme for WBANs is MA-secure if
the CDH problem is intractable.
e(Qid , v  · (QNM + v · X))
= Proof: It is well known that there is no polynomial-time
e(Qid , v · (QNM + v  · X))
algorithm that could solve the CDH problem. From Lemmas 1
e(Qid , v  · QNM + v  · v · X) and 2, we could infer that there is noadversary that could violate
=
e(Qid , v · QNM + v  · v · X) the C – to – AP authentication or AP − to − C authentication
HE et al.: AA FOR WBANS WITH PROVABLE SECURITY 2597

of our AA scheme. Therefore, we could conclude that our AA x · v · Qid , and W = Ek (id, right, U ). To get the client’s iden-
scheme for WBANs is MA-secure.  tity, the adversary has to calculate k = h(X, X  , tc ) and
Theorem 2: Our AA scheme for WBANs is AKA-secure in decrypt W = Ek (id, right, U ). Then, the adversary will need
the random oracle if the computation Diffie–Hellman problem to solve the CDH problem because he has to calculate X  =
is intractable. x · QAP from X = x · P and QAP = sAP · P . Therefore, our
Proof: Support that there is an adversary A that could cor- AA scheme for WBANs could provide client anonymity.
rectly guess the value of the random bit b correctly involved in 3) Nontraceability: Suppose the adversary could store
the Test query with the advantage ε, which is non-negligible the login message {W, X, tc } and the response message
advantage. Let E Osk denote the event that the adversary could {Y, Auth} sent between the client and the application provider,
guess the session key correctly. According to the definition of where X = x · P , X  = x · QAP , Qid = H(idright), v =
A’s advantage, we could get Pr[E Osk ] ≥ ε/2.  h(id, right, Qid , QNM , X, X  , tc ), k = h(X, X  , tc ), U = Sid +
Let E Test(C) and E Test(AP) denote events the Test query is x · v · Qid , W = Ek (id, right, U ), Y = y · P , K = y · X =
made by the adversary to the oracle C i and APj , respec- xy · P , key = h(T, T  , K), and Auth = MACkey (W, T, tc , Y ).
tively. Let E C2AP be the event that A violates the C − to − AP The client and the application provider generate new random
authentication of our AA scheme for WBANs. Then, we have numbers x and y separately in each execution of our AA
scheme. Then, there is no constant value in those messages and
Pr[E Osk ] = Pr[E Osk ∧ E Test(C) ] the adversary cannot trace the client’s action by observing some
constant value. Therefore, our AA scheme for WBANs could
+ Pr[E Osk ∧ E Test(AP) ∧ E C2AP ]
provide nontraceability.
+ Pr[E Osk ∧ E Test(AP) ∧ ¬E C2AP ] ≥ ε/2 (7) 4) No Verification Table: In our AA scheme, the appli-
cation provider does not maintain any verification table for
and
achieving mutual authentication between the client and the
Pr[E Osk ∧ E Test(C) ] + Pr[E Osk ∧ E T est(AP) ∧ ¬E C2AP ] application provider.
5) Session Key Agreement: In the execution of our AA
≥ ε/2 − Pr[E Osk ∧ E Test(AP) ∧ E C2AP ] scheme for WBANs, both the client and the application
≥ ε/2 − Pr[E C2AP ]. (8) provider generate the session key key = h(X, X  , Y, K),
where X = x · P , X  = x · QAP , Y = y · P , and K = xy · P .
Since the event E Test(AP) ∧ ¬E C2AP and the event Therefore, our AA scheme for WBANs could provide session
E Test(C)
are equal, then we could get Pr[E Osk ∧ E Test(C) ] ≥ key agreement.
ε/4 − Pr[E C2AP ]/2. Therefore, we deduce Pr[key = h(X, 6) Perfect Forward Secrecy: During the execution of our
X  , Y, K)|X, Y, K ← G1 ] ≥ ε/4 − Pr[E C2AP ]/2. According AA scheme for WBANs, both the client and the application
to Lemma 1, we know that Pr[E C2AP ] is negligible. Then, provider generate the session key key = h(X, X  , Y, K), where
we get Pr[key = h(X, X  , Y, K)|X, Y, K ← G1 ] which is X = x · P , X  = x · QAP , Y = y · P , and K = xy · P . We
non-negligible because ε is non-negligible. assume that if the adversary could get the secret keys of the
Let X = x · P and Y = y · P for two unknown values a, b ∈ client and the application provider, then the adversary could cal-
Zq∗ . For a given CDH problem instance (X, Y ) = (x · P, y · P ), culate X  = sAP · X. However, the adversary cannot get K =
A could be K = x · Y = y · X = x · y · P . Then, C could xy · P from X = x · P and Y = y · P because he has to solve
use A to solve the CDH problem. In this case, C could the CDH problem. Therefore, our AA scheme for WBANs
solve the CDH with a non-negligible advantage ε ≥ ε/4 − could provide perfect forward secrecy.
Pr[E C2AP ]/2. This contradicts with the hardness of the CDH 7) Attack Resistance: We demonstrate that our AA scheme
problem. Thus, we could conclude that our AA scheme is for WBANs could withstand the impersonation attack, the reply
AKA-secure. attack, the modification attack, the stolen verifier table attack,
and the man-in-the-middle attack.
a) Impersonation attack: According to Lemmas 1 and 2
B. Other Discussion
proposed in Section VI-B7, we could infer that any adversary
In this section, we show that our AA scheme for WBANs without the client’s (application provider’s) private cannot gen-
could meet security requirements introduced in Section II. erate a valid login (response) message {W, X, tc } ({Y, Auth}).
1) Mutual Authentication: According to Theorems 1 and 2 Then, the client and the application provider could discover the
given earlier, we know that only the valid client and the valid impersonation attack by checking the validity of {W, X, tc } and
application provider could generate the legal login message {Y, Auth}, respectively. Therefore, our AA scheme for WBANs
{W, X, tc } and response message {Y, Auth}. Then, the client could withstand the impersonation attack.
and the application provider could confirm the validity of the b) Replay attack: If the adversary intercepts the login
other party by checking the validity of the received message. message {W, X, tc } and replays it to the application provider.
Therefore, our AA scheme for WBANs could provide mutual The application provider will check the freshness of tc before
authentication. executing other steps. In this case, the application provider
2) Anonymity: In the execution of our AA scheme, the could find about the replay attack easily. Besides, the client
client’s identity is included in the message {W, X, tc }, generates a new number x ∈ Zq∗ randomly and calculates
where X = x · P , X  = x · QAP , Qid = H(idright), v = X = x · P in each session. Then, the client could find the
h(id, right, Qid , QNM , X, X  , tc ), k = h(X, X  , tc ), U = Sid + reply of response message by checking the correctness of Auth.
2598 IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017

TABLE II TABLE III

S ECURITY C OMPARISON OF O UR AA S CHEME AND L IU et al.’ S S CHEME S TORAGE OVERHEAD C OMPARISON

singular curve E(Fp ) with order q over the finite field Fp , where
p and q two large prime numbers with 512 and 160 bits, respec-
tively. The lengths of elements in G1 and G2 are 1024 and
Therefore, our AA scheme for WBANs could withstand the 512 bits separately. We assume that the lengths of the client’s
replay attack. identity, the right and the timestamp are 32, 64, and 32 bits,
c) Modification attack: The login message respectively.
{W, X, tc }, (X, U ) contains the signature of the message
(id, right, Qid , QNM , X, X  , tc ), where X = x · P , X  = x · A. Storage Overhead
QAP , Qid = H(idright), v = h(id, right, Qid , QNM , X, X  , tc ),
The storage overhead is an important fact of any authen-
k = h(X, X  , tc ), U = Sid + x · v · Qid , and W =
tication scheme for WBANs because both the client and the
Ek (id, right, U ). The application provider could detect
application provider must store secret keys or verification tables
any modification of the message {W, X, tc } by checking the
to achieve mutual authentication.
validity of the signature. Besides, Auth in the response message
The client in Liu et al.’s preliminary version scheme stores
{Y, Auth} is the message authentication code of the message
(m, σ) in his mobile device, where σ and indCs are the corre-
(W, X, tc , Y ). The client could detect any modification of the
sponding signature of the message m and an element of G1 ,
message {Y, Auth} by checking the validity of the message
respectively, and m = rightindCs . Then, the client’s storage
authentication code. Therefore, our AA scheme for WBANs
overhead is 64 + 1024 + 1024 = 2112 bits. The application
could withstand the modification attack.
provider in Liu et al.’s preliminary version scheme stores his
d) Stolen verifier table attack: In our AA scheme, none
secret key sAP ∈ Zq∗ and the verification information indCv ∈
of the network manager, the application provider, and the
G2 for every client. The application provider’s storage over-
client maintains a table for achieving mutual authentication.
head is (160 + 512n) bits, where n denotes the client’s number
Therefore, our AA scheme for WBANs could withstand the
in the WBAN.
stolen verifier table attack.
The client in Liu et al.’s security-enhanced scheme stores
e) Man-in-the-middle attack: According to the above
(I, indCs , right) in his mobile device, where I and indCs is an
analysis, we know that our AA scheme could provide mutual
element of G1 . Then the client’s storage overhead is 1024 +
authentication between two participants. Therefore, our AA
64 + 1024 = 2112 bits. The application provider in Liu et al.’s
scheme for WBANs could resist the man-in-the-middle attack.
preliminary version scheme needs to store his secret key sAP ∈
Zq∗ and the verification information (I, indCv ) for every client,
C. Security Comparisons where I and indCv are elements of G1 and G2 separately.
The application provider’s storage overhead is 160 + (1024 +
We compare the security of our AA scheme for WBANs with 512) × n = (160 + 1536n) bits, where n denotes the client’s
that of Liu et al.’s preliminary and enhanced schemes in this number in the WBAN.
section. Let SR1, SR2, SR3, SR4, SR5, SR6, and SR7 denote The client in our AA scheme needs to store {Sid , right},
mutual authentication, anonymity, nontraceability, no verifica- where Sid is an element of G1 . The client’s storage overhead
tion table, session key agreement, perfect forward secrecy, and is 1024 + 64 = 1088 bits. The application provider in our AA
attack resistance, respectively. scheme just needs to store his secret key sAP ∈ Zq∗ . Then the
The comparisons among those schemes are listed in Table II. application provider’s storage overhead is 160 bits.
According to Table I, Liu et al.’s preliminary version scheme The storage overhead comparisons among related schemes
cannot meet SR3, SR4, SR6, and SR7. Liu et al.’s security are listed in Table III. According to Table III, we know that
enhanced scheme cannot meet SR1, SR4, SR6, and SR7. both the client and the application provider in our scheme
Our AA scheme could meet all seven security requirements need less storage overhead than that in both of two schemes of
introduced in Section II. Liu et al.

VII. P ERFORMANCE A NALYSIS B. Communication Cost

We give a detailed analysis of our AA scheme’s performance The client in Liu et al.’s preliminary version scheme sends
in this section. We also compare the performance of our AA the message (v, U, m, σ, tC , T  ) to the application provider,
scheme with Liu et al.’s schemes’ performance. where v, U , σ, tC , T  , and indCs are a digest generated by the
The Ate pairing has been widely used in modern public key hash function, an element of G1 , a signature on m, the times-
cryptography. To achieve a trusted security level, we use a super tamp, and an element of G2 , respectively, and m = rightindCs .
HE et al.: AA FOR WBANS WITH PROVABLE SECURITY 2599

TABLE IV TABLE V
C OMMUNICATION C OST C OMPARISON RUNNING T IME OF PAIRING -BASED O PERATIONS

TABLE VI
C OMPUTATION C OST C OMPARISONS
The application provider in Liu et al.’s preliminary version
scheme sends the response message {Auth} to the client,
where Auth = MACkey (v). Then, the communication cost of
Liu et al.’s preliminary version scheme is 160 + 1024 + 64 +
512 + 1024 + 32 + 1024 = 3840 bits.
The client in Liu et al.’s security-enhanced scheme sends the
message (v, U, tC , T  , I  ) to the application provider, where U ,
T  , and I  are three elements of G1 ; v and tC are a digest gener-
ated by the hash function and the timestamp, respectively. The Many implementations making use of pairing-based oper-
application provider in Liu et al.’s preliminary version scheme ations have been reported in last decade [37]–[39]. Recently,
sends the response message {Auth} to the client, where Auth = Xiong et al. [40] implemented bilinear pairing on the MICAz,
MACkey (v). Then, the communication cost of Liu et al.’s pre- which has been used extensively in wireless sensor networking
liminary version scheme is 160 + 1024 + 32 + 1024 + 1024 = research and has only 4 KB RAM,128 KB ROM, and a
3264 bits. 7.3828-MHz ATmega128L microcontroller. In Xiong et al.’s
The client in our AA scheme sends the login message implementation, the RAM and ROM usage by each operation
{W, X, tc } to the application provider, where U , tc , and X was obtained using the TinyOS toolchain. We use their imple-
are an element of G1 , the current timestamp and an element mentation to evaluate the computation cost of the client and
of G1 separately and W = Ek (id, right, U ). The application the application provider separately. According to Xiong et al.’s
provider sends the response message {Y, Auth} to the client, experiment and the relationship among different operations,
where Y = y · P and Auth = MACkey (W, X, tc , Y ). Then, the the running time of different pairing-based operations is listed
communication cost of Liu et al.’s preliminary version scheme in Table V [40]. Besides, the running time of a symmetric
is 32 + 64 + 1024 + 1024 + 32 + 1024 + 160 = 3360 bits. encryption/decryption operation and a message authentication
The communication cost comparisons among related code operation is the same with that of a hash function
schemes are listed in Table IV. According to Table IV, we know operation [41].
Liu et al.’s security-enhanced scheme and our AA scheme The client in Liu et al.’s preliminary version scheme cal-
has lighter communication cost. Besides, our AA scheme has culates four scalar multiplication operations, one map-to-point
slightly heavier communication cost than Liu et al.’s security- hash function operation, one-point addition operation, one
enhanced scheme. modular exponentiation operation, and one general hash func-
tion operation. The computation cost at the client side is
4 TGmul + 1 TGH + 1 Texp + 1 TGadd + 3 Th ≈ 11.95 s.
C. Computation Cost The client in Liu et al.’s preliminary version scheme cal-
In this section, we analyze the computation cost of our culates four scalar multiplication operations, one map-to-point
AA scheme. We also compare the computation cost of our hash function operation, two-point addition operations, one
AA scheme with that of Liu et al.’s schemes. The computing modular exponentiation operation, and three general hash func-
capability and memory of the client’s mobile device are very tion operations. The computation cost at the client side is
limited. However, the application provider has enough capa- 4 TGmul + 1 TGH + 2 TGadd + 1 Texp + 3 Th ≈ 11.95 s.
bility to execute all related operations because it is equipped The client in our AA scheme calculates four scalar multi-
with very powerful coprocessor. Therefore, we just need to con- plication operations, one map-to-point hash function operation,
sider the computation cost of the client. For convenience, some one-point addition operations, and four general hash function
notations used in this section are defined as follows. operations. Then, the computation cost at the client side is
1) TGe : The execution time of executing a bilinear map 4 TGmul + 1 TGH + 1 TGadd + 4 Th ≈ 10.69 s.
operation. The computation cost comparisons among related schemes
2) TGmul : The execution time of a scalar multiplication are listed in Table VI. According to Table VI, our AA scheme
operation. has lower computation cost than both Liu et al.’s scheme.
3) TGH : The execution time of a map-to-point hash function
operation.
4) TGadd : The execution time of a point addition operation. VIII. C ONCLUSION
5) Texp : The execution time of a modular exponentiation Recently, Liu et al. [34] presented a new certificateless sig-
operation. nature scheme to construct two efficient remote AA schemes
6) Th : The execution time of a general hash function for WBANs. They demonstrated that their AA schemes were
operation. secure against various attacks. After a careful review on their
2600 IEEE SYSTEMS JOURNAL, VOL. 11, NO. 4, DECEMBER 2017

schemes, we demonstrated that the schemes cannot withstand [20] M. Li, S. Yu, J. Guttman, W. Lou, and K. Ren, “Secure ad hoc trust ini-
the impersonation attack. To enhance security, we presented an tialization and key management in wireless body area networks,” ACM
Trans. Sensor Netw., vol. 9, no. 2, pp. 1–35, Article ID: 18, 2013.
AA scheme for WBANs. A security analysis shows that our [21] C. Jiang, B. Li, and H. Xu, “An efficient scheme for user authentication
AA scheme is provably secure while satisfying security require- inwireless sensor networks,” in Proc. 21st Int. Conf. Adv. Inf. Netw. Appl.
ments in WBANs. A performance analysis shows that our AA Workshops, pp. 438–442, 2007.
[22] P. Guo, J. Wang, B. Li, and S. Lee, “A variable threshold-value authen-
scheme has the same computation cost at the client side with tication architecture for wireless mesh networks,” J. Internet Technol.,
Liu et al.’s schemes. Due to overcoming security vulnerability vol. 15, no. 6, pp. 929–936, 2014.
in previous schemes and meeting seven security requirements in [23] J. Shen, H. Tan, J. Wang, J. Wang, and S. Lee, “A novel routing protocol
providing good transmission reliability in underwater sensor networks,”
WBANs, our AA scheme is more suitable for practical WBAN J. Internet Technol., vol. 16, no. 1, pp. 171–178, 2015.
application scenarios. [24] V. Miller, “Use of elliptic curves in cryptography,” in Proc. Adv. Cryptol.
(CRYPTO’85), 1985, pp. 417–426.
[25] N. Koblitz, “Elliptic curve cryptosystem,” Math. Comput., vol. 48,
pp. 203–209, 1987.
R EFERENCES [26] D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic
Curvecryptography. Berlin, Germany: Springer-Verlag, 2004.
[1] M. Samaneh, A. Mehran, L. Justin, S. David, and J. Abbas, “Wireless [27] A. Shamir, “Identity based cryptosystems and signature schemes,” in
body area networks: A survey,” IEEE Commun. Surv. Tuts., vol. 16, no. 3, Proc. Adv. Cryptology (CRYPTO’84), Berlin, Germany: Springer-Verlag,
pp. 1658–1686, Aug. 19, 2014. 1984, p. 47–53.
[2] T. G. Zimmerman, “Personal area networks: Near-field intra body com- [28] J. Yang and C. Chang, “An ID-based remote mutual authentication with
munication,” IBM Syst. J., vol. 35, no. 3/4, pp. 609–617, 1996. keyagreement scheme for mobile devices on elliptic curve cryptosystem,”
[3] M. Toorani, “On vulnerabilities of the security association in the IEEE Comput. Secur., vol. 28, no. 3–4, pp. 138–143, 2009.
802.15. 6 Standard,” arXiv preprint arXiv:1501.02601, 2015. [29] E. Yoon and K. Yoo, “Robust ID-based remote mutual authentication with
[4] M. Toorani, “Cryptanalysis of two PAKE protocols for body area net- key agreement protocol for mobile devices on ECC,” in Proc. Int. Conf.
works and smart environments, Int. J. Netw. Secur., vol. 17, no. 5, Comput. Sci. Eng., Vancouver, Canada, 2009, pp. 633–640.
pp. 629–636, 2015. [30] D. He, J. Chen, and J. Hu, “An ID-based client authentication with key
[5] C. Poon, Y. Zhang, and S. Bao, “A novel biometrics method to secure agreement protocol for mobile client-server environment on ECC with
wireless body area sensor networks for telemedicine and mhealth,” IEEE provable security,” Inf. Fusion, vol. 13, no. 3, pp. 223–230, 2012.
Commun. Mag., vol. 44, no. 4, pp. 73–81, Apr. 2006. [31] D. Wang and C. Ma, “Cryptanalysis of a remote user authentication
[6] K. Singh and V. Muthukkumarasamy, “Authenticated key establishment scheme for mobile client-server environment with provable security based
protocols for a home health care system,” in Proc. 3rd Int. Conf. Intell. on ECC,” Inf. Fusion, vol. 41, no. 4, pp. 498–503, 2013.
Sensor, Sensor Netw. Inf. (ISSNIP’07), Dec. 2007, pp. 353–358. [32] S. Islam and G. Biswas, “A more efficient and secure ID-based remote
[7] K. Venkatasubramanian and S. Gupta, “Physiological valuebasedefficient mutual authentication with key agreement scheme for mobile devices on
usable security solutions for body sensor networks,” ACM Trans. Sensor elliptic curve cryptosystem,” J. Syst. Softw., vol. 84, no. 11, pp. 1892–
Netw., vol. 6, pp. 31:1–31:36, Jul. 2010. 1898, 2011.
[8] K. Venkatasubramanian, A. Banerjee, and S. Gupta, “Pska: Usable and [33] T. Truong, M. Tran, and A. Duong, “Improvement of the more efficient
secure key agreement scheme for body area networks,” IEEE Trans. Inf. and secure ID-based remote mutual authentication with key agreement
Technol. Biomed., vol. 14, no. 1, pp. 60–68, Jan. 2010. scheme for mobile devices on ECC,” in Proc. 26th Int. Conf. Adv. Inf.
[9] K. Zeng, K. Govindan, and P. Mohapatra, “Non-cryptographic authen- Netw. Appl. Workshops, 2012, pp. 698–703.
tication and identification in wireless networks [security and privacy in [34] J. Liu, Z. Zhang, X. Chen, and K. Kwak, “Certificateless remote anony-
emerging wireless networks],” IEEE Wireless Commun., vol. 17, no. 5, mous authentication schemes for wireless body area networks,” IEEE
pp. 56–62, Oct. 2010. Trans. Parallel Distrib. Syst., vol. 25, no. 2, pp. 332–342, Feb. 2014.
[10] L. Cai, K. Zeng, H. Chen, and P. Mohapatra, “Good neighbor: Ad hoc [35] M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key
pairing of nearby wireless devices by multiple antennas,” in Proc. Netw. exchange secure against dictionary attacks,” in Proc. Adv. Cryptology
Distrib. Syst. Secur. Symp., 2011, pp. 1–15. (EUROCRYPT’00), 2000, pp. 139–155.
[11] L. Shi, J. Yuan, S. Yu, and M. Li, “ASK-BAN: Authenticated secret [36] D. Pointcheval and J. Stern, “Security arguments for digitalsignatures and
key extraction utilizing channel characteristics for body area networks,” blind signatures,” J. Cryptogr., vol. 13, no. 3, pp. 361–396, 2000.
in Proc. 6th ACM Conf. Secur. Privacy Wireless Mobile Netw., 2013, [37] M. Scott, N. Costigan, and W. Abdulwahab, “Implementing cryptograph-
pp. 155–166. icpairings on smartcards,” Cryptogr. Hardware Embedded Syst. (CHES),
[12] A. Varshavsky, A. Scannell, A. LaMarca, and E. DeLara, “Amigo: pp. 134–147, 2006.
Proximity-based authentication of mobile devices,” in Proc. 9th Int. Conf. [38] T. Wu and Y. Tseng, “An efficient user authentication and key exchange
Ubiq. Comput., Berlin, Germany: Springer-Verlag, 2007, pp. 253–270. protocol for mobile client–server environment,” Comput. Netw., vol. 54,
[13] A. Kalamandeen, A. Scannell, E. DeLara, A. Sheth, and A. LaMarca, no. 9, pp. 1520–1530, 2010.
“Ensemble: Cooperative proximity-based authentication,” in Proc. 8th [39] D. He, S. Zeadally, B. Xu, and X. Huang, “An efficient identity-based
Int. Conf. Mobile Syst., Appl., Serv. New York, NY, USA: ACM, 2010, conditional privacy-preserving authentication scheme for vehicular ad-
pp. 331–344. hoc networks,” IEEE Trans. Inf. Forensics Secur., vol. 10, no. 12,
[14] S. Mathur, R. Miller, A. Varshavsky, W. Trappe, and N. Mandayam, pp. 1681–2691, 2015.
“Proximate: Proximity-based secure pairing using ambient wireless sig- [40] X. Xiong, D. Wong, and T. Deng, “TinyPairing: A fast and lightweight
nals,” in Proc. 9th Int. Conf. Mobile Syst., Appl., Serv., 2011, pp. 211– pairing-based cryptographic library for wireless sensor networks,” in
224. Proc. Wireless Commun. Netw. Conf. (WCNC’10), 2010, pp. 1–6.
[15] L. Shi, M. Li, S. Yu, and J. Yuan, “BANA: Body area network authenti- [41] S. Chatterjee, A. Das, and J. Sing, “An enhanced access control scheme
cation exploiting channel characteristics,” in Proc. 5th ACM Conf. Secur. in wireless sensor networks,” Ad-Hoc Sensor Wireless Netw., vol. 21, nos.
Privacy Wireless Mobile Netw., Tucson, AZ, USA: ACM, 2012, pp. 1–12. 1–2, pp. 121–149, 2014.
[16] L. Shi, M. Li, S. Yu, and J. Yuan, “BANA: Body area network authentica-
tion exploiting channel characteristics,” IEEE J. Select. Areas Commun.,
vol. 31, no. 9, pp. 1803–1816, Sep. 2013. Debiao He received the Ph.D. degree in applied
[17] T. ElGamal, “A public key cryptosystem and a signature protocol based mathematics from the School of Mathematics and
on discrete logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469– Statistics, Wuhan University, Wuhan, China, in 2009.
472, Jul. 1985. Currently, he is an Associate Professor with
[18] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital the State Key Laboratory of Software Engineering,
signatures and public key cryptosystems,” Commun. ACM, vol. 21, no. 2, Computer School, Wuhan University. His research
pp. 120–126, 1978. interests include cryptography and information secu-
[19] M. Li, S. Yu, W. Lou, and K. Ren, “Group device pairing based secure rity, in particular, cryptographic protocols.
sensor association and key management for body area networks,” in Proc.
IEEE. INFOCOM, 2010, 1–9.
HE et al.: AA FOR WBANS WITH PROVABLE SECURITY 2601

Sherali Zeadally received the Bachelor’s degree Jong-Hyouk Lee (M’07–SM’12) received the M.S.
from the University of Cambridge, Cambridge, U.K., and Ph.D. degrees in computer engineering from
in 1991 and the Doctorate degree from the University Sungkyunkwan University, Suwon, South Korea in
of Buckingham, Buckingham, U.K., in 1996, both in 2007 and 2010, respectively.
computer science. He was a Researcher at Institut National de
He is an Associate Professor with the College Recherche en Informatique et en Automatique
of Communication and Information, University of (INRIA), Rocquencourt, France, and was an
Kentucky, Lexington, KY, USA. Assistant Professor with TELECOM Bretagne,
Dr. Zeadally is a Fellow of the British Computer Brest, France. Since September 2013, he has been
Society and the Institution of Engineering with the Sangmyung University, Cheonan, South
Technology, U.K. Korea. His research interests include authentication,
privacy, and Internet mobility management.
Dr. Lee was a Tutorial Speaker at the IEEE WCNC 2013 and IEEE VTC
Neeraj Kumar (M’16) received the Ph.D. degree in 2014 Spring. He is an Associate Editor of Wiley Security and Communication
computer science and engineering from Shri Mata Networks and the IEEE T RANSACTIONS ON C ONSUMER E LECTRONICS. He
Vaishno Devi University, Katra, India in 2009. was the recipient of the Best Paper Award at the IEEE WiMob 2012 and the
He is a Post-Doctoral Fellow from the Coventry IEEE VTS 2015 Best Land Transportation Paper Award.
University, Coventry, U.K. He is working as
an Associate Professor with the Department
of Computer Science and Engineering, Thapar
University, Patiala, India. He has authored more than
100 scholarly research publications in top journals
and conferences. His research interests include
vehicular cyber-physical systems, mobile cloud
computing, smart grid, IoT, service oriented computing, security issues in
wired/wireless networks. He has guided many research scholars for Ph.D. and
M.E./M.Tech. His research is supported from University Grant Commission,
Department of Science and Technology, New Delhi, and Tata Consultancy
Services.
Dr. Kumar is an Associate Editor of the International Journal of 1086
Communication Systems.