JAIHC HealthcareMonitoring


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/327657438

An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring

Article  in  Journal of Ambient Intelligence and Humanized Computing · September 2018


DOI: 10.1007/s12652-018-1015-9


All content following this page was uploaded by Rifaqat Ali on 12 December 2018.



Journal of Ambient Intelligence and Humanized Computing
https://doi.org/10.1007/s12652-018-1015-9

ORIGINAL RESEARCH

An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring
Rifaqat Ali1 · Arup Kumar Pal1 · Saru Kumari2 · Arun Kumar Sangaiah3 · Xiong Li4 · Fan Wu5

Received: 19 January 2018 / Accepted: 27 August 2018


© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Abstract
With the rapid growth of healthcare applications based on wireless medical sensor networks (WMSNs), protecting both privacy and security from illegitimate users is a major concern, since a patient's precise information is vital for the proper diagnosis procedure. An authentication protocol is one of the efficient mechanisms for dealing only with trustworthy and authentic users. Several authentication protocols have been proposed for the WMSN environment. However, most of these protocols are susceptible to security threats and not suitable for practical use. In this article, the recently proposed authentication scheme of Amin et al. is reviewed and some vulnerabilities are pointed out: off-line password guessing attack, user impersonation attack, known session-key temporary information attack, the revelation of secret parameters, and identity guessing attack. To overcome all of the above-mentioned vulnerabilities, we propose an enhanced three-factor based remote user authentication protocol for the WMSN environment. Further, the proposed protocol is validated using Burrows–Abadi–Needham logic and then simulated using the Automated Validation of Internet Security Protocols and Applications tool. Moreover, the security analysis ensures that the proposed protocol is well protected from various types of malicious attacks. In addition, the performance evaluation shows better efficiency and suitability of our protocol over other related protocols.

Keywords  Authentication · Cryptanalysis · Security attacks · Wireless medical sensor networks

* Saru Kumari
saryusiirohi@gmail.com

Rifaqat Ali
rifaqatali27@gmail.com

Arup Kumar Pal
arupkrpal@gmail.com

Arun Kumar Sangaiah
sarunkumar@vit.ac.in; arunkumarsangaiah@gmail.com

Xiong Li
lixiongzhq@163.com

Fan Wu
conjurer1981@gmail.com

1 Department of Computer Science and Engineering, Indian Institute of Technology (ISM), Dhanbad 826004, India
2 Department of Mathematics, Ch. Charan Singh University, Meerut 250004, Uttar Pradesh, India
3 School of Computing Science and Engineering, VIT University, Vellore, Tamil Nadu 632014, India
4 School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China
5 Department of Computer Science and Engineering, Xiamen Institute of Technology, Xiamen 361021, China

1 Introduction

In the present world, high-quality health care facilities are not available to residents in rural and remote areas due to the scarcity of skilled health care professionals. This issue was highlighted by the World Health Organization's report, where healthcare services are essential for every human being (World Health Organization 2010). Recently, patient monitoring applications based on wireless medical sensor networks (WMSNs) have become one of the appropriate solutions for residents in remote areas: the patient's data can be collected even by semi-skilled health care professionals and made available to skilled health care professionals, who can prescribe to the patient from anywhere and at any time. The semi-skilled healthcare professionals collect various items of a patient's health related information, like blood pressure, ECG and heartbeat rates, using sensor devices and send it to the skilled health care professionals through a gateway node of the WMSNs. In this mechanism, the patient information is shared through public channels. As a consequence, the deployment of a proper security model is essential between the sender and receiver
side to make the communication secure. The architecture of WMSNs is described in Fig. 1. The main advantages of remote patient monitoring using WMSNs are as follows:

• Improved health outcomes and quality of life.
• Ability to continue monitoring patient health, regardless of the patient's location.
• Saving human labor, time, and money.
• Reduced liability due to remote care, monitoring and compliance audit trail.
• Real-time support and interventions.
• Increase the trust level and reliance that physicians place in data.

Fig. 1  The architecture of WMSNs

1.1 Related work

The involvement of WMSNs in healthcare applications requires managing many crucial tasks simultaneously. In WMSNs, the sensors gather the data of patients, which is very important and sensitive. If data are obtained illegally by somebody, then it may cause serious issues for the patient's life, and confidentiality is lost. If the patient's data are modified, the health professionals will make wrong diagnoses and fateful results may occur. Thus, providing a secure communication platform is necessary. Remote user authentication is one of the fundamental security steps which provides secure communication between two (or multiple) parties (Wang et al. 2015b; Wu and Lin 2014; Lee 2015; Ni et al. 2016; Zhang 2015; Zhang et al. 2015; Rahman et al. 2017; He et al. 2015b; Wu et al. 2017a). In the last decades, the three-factor security mechanism (password, biometric and smart card) has been widely used for achieving reliable security in the authentication process. Li and Hwang (2010) proposed a biometric-based remote user authentication scheme using smart cards and claimed that their scheme is very efficient and secure against various security attacks. Unfortunately, Li et al. (2011) and Das (2011) found security and design flaws in Li and Hwang's scheme. Das (2011) described the security weaknesses in Li and Hwang's scheme, such as an incorrect password change phase, incorrect login and authentication phases and incorrect biometric verification. To overcome these security weaknesses, he proposed an improved biometric based remote user authentication scheme. Moreover, Li et al. (2011) also discussed two security weaknesses in Li and Hwang's scheme as follows: (1) it does not provide correct authentication, (2) it is not secure against man-in-the-middle attack. To remove these security attacks, they proposed an improved
three-factor based authentication scheme. Later on, both Li et al. (2014b) and An (2012) also cryptanalysed the scheme of Das (2011) and identified some serious issues. Each of them then developed a three-factor based mutual authentication scheme separately. Li et al. (2014a) scrutinized An's scheme and pointed out that his scheme suffers from forgery attack, denial of service attack, an inefficient login phase and does not provide session key agreement. To obviate these security flaws, they proposed an improved authentication scheme using biometric.

In recent times, various three-factor based authentication schemes have been developed in the literature, but very few of them have been devised for patient monitoring using wireless sensor networks (Kumar et al. 2012; Khan and Kumari 2014; He et al. 2015a; Shin et al. 2016; Li et al. 2015, 2018; Wu et al. 2015, 2017b; Liu and Chung 2017; Amin et al. 2018; Wang et al. 2015a). Kumar et al. (2012) proposed a remote user authentication scheme in the WMSN environment for monitoring the patient's health condition and asserted that their scheme is secure against various security attacks. But both Khan and Kumari (2014) and He et al. (2015a) cryptanalysed Kumar et al.'s scheme and specified some security weaknesses in it. Khan and Kumari (2014) recognized the user impersonation attack, lack of user anonymity, the password guessing attack, insecure session key, the sensor node impersonation attack, lack of mutual authentication and insider attack in Kumar et al. (2012) and then developed an improved scheme to resolve the aforementioned problems. However, He et al. (2015a) found the password guessing attack, the insider attack and lack of user anonymity problems and then introduced an extended remote user authentication scheme for patient monitoring using wireless sensor networks.

In 2015, both Li et al. (2015) and Wu et al. (2015) pointed out the security threats in the scheme of He et al. (2015a). Li et al. (2015) recognized the denial of service attack, inefficient password change phase, efficient authentication phase and wrong session key establishment problem in He et al. (2015a) and then devised an improved authentication scheme to solve these problems. However, Wu et al. (2015) also pointed out that the scheme of He et al. (2015a) is vulnerable to off-line guessing attack, the user impersonation attack, and the sensor node capture attack. To remedy these security pitfalls, they introduced an extended remote user authentication scheme and declared that their scheme is more secure and practically applicable.

Liu and Chung (2017) developed a remote user authentication scheme for healthcare monitoring with the help of a wireless sensor network and declared that their scheme is provably secure against various security attacks. In the same year, Amin et al. (2018) also devised a remote user authentication scheme for remote patient monitoring using WMSNs. They affirmed that their scheme is secure against the known security threats and more robust than existing relevant schemes. However, we have reviewed Amin et al.'s scheme carefully and identified that their scheme is vulnerable to off-line password guessing attack, user impersonation attack, known session-key temporary information attack and identity guessing attack. To obviate these security weaknesses, we develop an enhanced three-factor based authentication protocol for healthcare applications using wireless medical sensor networks. We have validated our protocol using BAN logic and then simulated it using the AVISPA tool. Moreover, the security analysis is discussed, which ensures that the protocol is well protected from several malicious attacks.

1.2 Threat model

In this paper, we describe the threat model through the following points.

• An attacker extracts the values stored in the smartcard using side channel attack (Kocher et al. 1999; Messerges et al. 2002).
• A privileged insider at the gateway node $GW$ has knowledge of the parameters submitted by the user during the registration phase. In addition, he also knows the parameters provided by the $GW$ to the user during the registration phase if $GW$ does not store the parameters in any storage device (like a smartcard or mobile device) and provides these directly to the user (Chen et al. 2011; Wei et al. 2014).
• The attacker obstructs all login messages which are transferred between the user and server via public channel.
• The attacker can add or subtract something from, delete and reroute stolen login messages.
• The attacker may be a legal user or an outsider of any system or organization.
• The attacker can guess a low entropy password and identity easily, but it is not computationally feasible to guess two hidden parameters (e.g. password, identity) at one time because of the rule of polynomial equations.

1.3 Security requirements for WMSNs environment

Security requirements for WMSNs are summarized in the following way:

1.3.1 Strong user authentication

The major issue in wireless healthcare environments is to protect wireless messages from unauthorized users, so it is worth noting that strong user authentication should be considered, where each user (patient) must prove their authenticity before getting the patient's physiological information. Besides, strong user authentication is also called
three factor authentication, which provides a high level of security for healthcare applications using WMSNs.

1.3.2 Mutual authentication

In real-time healthcare applications, the user (patient), gateway node and sensor node must authenticate each other and then establish a secure communication connection for exchanging the information.

1.3.3 Confidentiality

The data of patients are highly sensitive and important. Therefore, patient physiological data should remain confidential from an attacker and only be obtained or used by authorized professionals.

1.3.4 Session key establishment

A session key should be established among a user (patient), gateway node and sensor node, so that subsequent communication is carried out securely.

1.3.5 Low communication and computation cost

Since medical sensor nodes are limited resource devices, and the functions of the healthcare application also require a place for executing their tasks, the protocol must be efficient in the context of communication and computation cost.

1.3.6 Data freshness

Generally, the patient's health related data should be provided to professionals at regular intervals. So, it should be guaranteed that the patient's health data is fresh and that an attacker cannot replay old messages.

1.3.7 Secure against popular attacks

In real-time healthcare applications, the proposed protocol should resist different kinds of popular attacks, such as replay attack, impersonation attack, stolen-verifier attack, password guessing attack, and sensor node capture attack. As a result, the protocol is easily applicable to real-time healthcare applications.

1.3.8 User friendliness

The architecture of the healthcare application should be simple and user-friendly, such that the patient can update his/her password securely whenever he/she requires.

1.4 The layout of this paper

The rest of the article is arranged as follows. In Sects. 2 and 3, a brief review and the security drawbacks of Amin et al.'s scheme are presented. The proposed protocol is introduced in Sect. 4. In Sects. 5 and 6, authentication proof using BAN logic and simulation using AVISPA are done. The security analysis and performance evaluation are demonstrated in Sects. 7 and 8. Finally, the conclusion is drawn in Sect. 9.

2 Brief review of Amin et al.'s scheme

In this section, Amin et al.'s scheme (2018) is briefly reviewed. The meanings of all symbols are given in Table 1.

Table 1  Meaning of notations

| Notation | Description |
|---|---|
| $U_i$ | User/the medical professional |
| $GW$ | Gateway node |
| $SN_j$ | Sensor node |
| | An attacker |
| $ID_i$ | Identity of user |
| $PW_i$ | Password of user |
| $B_i$ | Biometric |
| $SID_j$ | Identity of sensor node |
| $ID_g$ | Identity of gateway node |
| $h(\cdot)$ | Hash function |
| $H(\cdot)$ | Bio-hash function |
| $\oplus$ | XOR operation |
| $\parallel$ | Concatenation |

2.1 Setup phase

In this phase, the registration center selects a long-term secret key $K$ for the gateway node $GW$ and then calculates a secret key $SK_{GW-SN_j} = h(ID_{SN_j} \parallel K)$ for $SN_j$, where $1 \le j \le n$ and $n$ represents the number of sensor nodes.

2.2 Medical professional registration phase

The health-care services are provided with the help of this phase. The medical professional $U_i$ and gateway node $GW$ perform the following steps.

Step 1: $U_i$ selects own $ID_i$, $PW_i$ and computes $HPW_i = h(ID_i \oplus PW_i)$ and then sends $\{ID_i, HPW_i\}$ to $GW$ using TLS protocol or by off-line mode (Li et al. 2015).

Step 2: After getting $\{ID_i, HPW_i\}$, $GW$ evaluates $Reg_i = h(ID_i \parallel R_i \parallel HPW_i)$, $A_i = R_i \oplus HPW_i$, $B_i = h(ID_i \parallel R_i \parallel K)$, $C_i = B_i \oplus h(ID_i \oplus R_i \oplus HPW_i)$,
and $D_i = R_i \oplus h(TID_i \parallel K)$, where $TID_i$ and $R_i$ are the temporary identity and random number of $U_i$.

Step 3: $GW$ saves $\{TID_i, D_i\}$ in the table for later use and then transmits $\{TID_i, Reg_i, A_i, C_i, h(\cdot)\}$ to $U_i$ via a trustworthy channel. After obtaining $\{TID_i, Reg_i, A_i, C_i, h(\cdot)\}$, $U_i$ embeds all these parameters into own mobile device.

2.3 Login and authentication phase

This phase is executed to achieve mutual authentication and session key negotiation between the participants involved in this scheme. The phase is summarized below.

Step 1: $U_i$ keys $ID_i$ and $PW_i$ into own mobile device and then computes $HPW_i^* = h(ID_i \oplus PW_i)$, $R_i^* = A_i \oplus HPW_i$, $Reg_i^* = h(ID_i \parallel R_i^* \parallel HPW_i^*)$, and checks whether $Reg_i^* \overset{?}{=} Reg_i$ holds or not. If it does not hold, the device quits the login request. Otherwise, it proceeds to the next operations.

Step 2: The mobile device generates a random nonce $R_1$ and evaluates $B_i^* = C_i \oplus h(ID_i \oplus R_i^* \oplus HPW_i^*)$, $CID_i = ID_i \oplus h(TID_i \parallel R_i^* \parallel T_1)$, $M_1 = h(ID_i \parallel B_i^* \parallel R_1 \parallel T_1)$, $M_2 = h(R_i \parallel T_1) \oplus R_1$ and then forwards $\{TID_i, ID_{SN_j}, CID_i, M_1, M_2, T_1\}$ to $GW$ via public channel.

Step 3: After getting the message from $U_i$, $GW$ retrieves $D_i$ with the help of $TID_i$ from the table and computes $R_i^* = D_i \oplus h(TID_i \parallel K)$, $ID_i^* = CID_i \oplus h(TID_i \parallel R_i^* \parallel T_1)$, $B_i^* = h(ID_i^* \parallel R_i^* \parallel K)$, $R_1^* = h(R_i^* \parallel T_1) \oplus M_2$, and $M_1^* = h(ID_i^* \parallel B_i^* \parallel R_1^* \parallel T_1)$. Now, $GW$ checks $M_1^* \overset{?}{=} M_1$. If this condition is not true then $GW$ expires the session. Otherwise, it performs the next steps.

Step 4: After checking the legality of $U_i$, $GW$ generates a random number $R_2$ and computes $SK_{GW-SN_j} = h(ID_{SN_j} \parallel K)$, $M_3 = h(h(h(ID_i \parallel R_1^* \parallel R_2) \parallel \text{``1''}) \parallel SK_{GW-SN_j} \parallel R_2)$, $M_4 = h(ID_i \parallel R_1 \parallel R_2) \oplus SK_{GW-SN_j}$, $M_5 = R_2 \oplus h(SK_{GW-SN_j})$ and then sends $\{M_3, M_4, M_5\}$ to $SN_j$ via public channel.

Step 5: $SN_j$ computes $R_2' = M_5 \oplus h(SK_{GW-SN_j})$, $M_6' = M_4 \oplus SK_{GW-SN_j}$, $M_3' = h(h(M_6' \parallel \text{``1''}) \parallel SK_{GW-SN_j} \parallel R_2')$ and verifies $M_3' \overset{?}{=} M_3$. If this is true then it creates a random number $R_3$ and calculates $SK = h(M_6' \parallel R_2 \parallel R_3)$, $M_7 = h(SK \parallel R_3 \parallel SK_{GW-SN_j})$, and $M_8 = R_3 \oplus h(R_2)$. At last, $SN_j$ forwards $\{M_7, M_8\}$ to $GW$ via public channel.

Step 6: After getting $\{M_7, M_8\}$, $GW$ calculates $R_3' = M_8 \oplus h(R_2)$, $SK' = h(h(ID_i \parallel R_1 \parallel R_2) \parallel R_2 \parallel R_3')$, $M_7' = h(SK' \parallel R_3' \parallel SK_{GW-SN_j})$ and verifies whether $M_7' \overset{?}{=} M_7$ is correct or not. If this is not correct, $GW$ quits the connection. Otherwise, it produces a new temporary identity $TID_i'$ ($\ne TID_i$) and evaluates $M_9 = R_2 \oplus h(ID_i \parallel R_1)$, $M_{10} = h(ID_i \parallel SK' \parallel R_3')$, $M_{11} = TID_i' \oplus h(R_2 \oplus R_3)$. At the end, $GW$ forwards $\{M_8, M_9, M_{10}, M_{11}\}$ to $U_i$ via public channel.

Step 7: After obtaining $\{M_8, M_9, M_{10}, M_{11}\}$, $U_i$ evaluates $R_2^* = M_9 \oplus h(ID_i \parallel R_1)$, $R_3^* = M_8 \oplus h(R_2^*)$, $SK^* = h(h(ID_i \parallel R_1 \parallel R_2^*) \parallel R_2^* \parallel R_3^*)$, and $M_{10}^* = h(ID_i \parallel SK^* \parallel R_3^*)$. Now, $U_i$ verifies whether $M_{10}^* \overset{?}{=} M_{10}$ is correct or not. If this is correct then $U_i$ believes that $\{M_8, M_9, M_{10}, M_{11}\}$ is legitimate and then forwards an acknowledgment to $GW$. The mobile device replaces old $TID_i$ with new $TID_i'$, and $GW$ calculates $D_i' = R_i \oplus h(TID_i' \parallel K)$ and replaces $\{TID_i, D_i\}$ with $\{TID_i', D_i'\}$.

3 Security drawbacks in Amin et al.'s scheme

In this section, we identify security drawbacks in Amin et al.'s scheme (2018), which are explained as follows:

3.1 Off-line password guessing attack

As explained in the threat model in Sect. 1.2, there are many schemes in the literature which demonstrate that the privileged insider attack is possible (Sutrala et al. 2016; Chen et al. 2011; Wei et al. 2014). Therefore, insider attack is practically valid and possible in Amin et al.'s scheme because, in the medical professional registration phase, $U_i$ forwards the registration request $\{ID_i, HPW_i\}$ to $GW$ securely. Then, a privileged insider or an attacker at $GW$ obtains this information, i.e., $\{ID_i, HPW_i\}$, and also obtains the parameters $\{TID_i, Reg_i, A_i, C_i, h(\cdot)\}$ from the side of the gateway node.

Algorithm 1 discusses how a privileged insider can guess the correct password $PW_i$ of $U_i$.

3.2 User impersonation attack

In this attack, the attacker can create a new forged login message and then send it to $GW$. If $GW$ accepts this message, then he/she succeeds in launching a user impersonation attack. This attack is possible in Amin et al.'s protocol, as described below:

Step 1: Firstly, the attacker knows the information $\{TID_i, Reg_i, A_i, C_i, h(\cdot)\}$ from the side of the gateway node and also knows $\{ID_i, HPW_i\}$. Then he/she computes $R_i^* = A_i \oplus HPW_i$. Now, the attacker generates a random nonce $R_1$ and calculates $B_i^* = C_i \oplus h(ID_i \oplus R_i^* \oplus HPW_i)$, $CID_i^* = ID_i \oplus h(TID_i \parallel R_i^* \parallel T_1)$, $M_1^* = h(ID_i \parallel B_i^* \parallel R_1 \parallel T_1)$ and $M_2^* = h(R_i^* \parallel T_1) \oplus R_1$, where $T_1$ is the current time stamp. Finally, the attacker sends $\{TID_i, ID_{SN_j}, CID_i^*, M_1^*, M_2^*, T_1\}$ to the $GW$ via public channel.

Step 2: After obtaining this message, the $GW$ first retrieves $D_i$ with the help of $TID_i$ from the table and computes $R_i^* = D_i \oplus h(TID_i \parallel K)$, $ID_i^* = CID_i^* \oplus h(TID_i \parallel R_i^* \parallel T_1)$, $B_i^* = h(ID_i^* \parallel R_i^* \parallel K)$, $R_1^* = h(R_i^* \parallel T_1) \oplus M_2^*$, and $M_1^* = h(ID_i^* \parallel B_i^* \parallel R_1^* \parallel T_1)$. Now, $GW$ checks the equivalence $M_1^* \overset{?}{=} M_1$, and this equivalence clearly holds because the values are exactly the same. Thus, the attacker succeeds in launching the user impersonation attack.

3.3 Known session-key temporary information attack

If the compromise of session secret values (short-term secret information) does not allow the generated session-key to be computed, then a scheme avoids this attack. However, in Amin et al.'s scheme, if the temporary values like $R_i$, $R_1$, and $R_2$ are compromised then the attacker can evaluate the session key $SK$ as follows: first of all, the attacker can eavesdrop the public message, i.e., $\{TID_i, ID_{SN_j}, CID_i, M_1, M_2, T_1\}$, and calculates $ID_i = CID_i \oplus h(TID_i \parallel R_i \parallel T_1)$ and then computes the session-key $SK = h(h(ID_i \parallel R_1 \parallel R_2) \parallel R_2 \parallel R_3)$.

3.4 Revelation of secret parameter

Suppose that the attacker is a legal but malicious user who intercepts all the publicly transmitted messages such as $\{TID_i, ID_{SN_j}, CID_i, M_1, M_2, T_1\}$, $\{M_3, M_4, M_5\}$, $\{M_7, M_8\}$ and $\{M_8, M_9, M_{10}, M_{11}\}$ between $GW$ and $SN_j$ via unreliable channel. Additionally, a legal user knows the information $\{TID_i, Reg_i, A_i, C_i, h(\cdot)\}$ which is stored in his mobile device. Now, we have to prove that the attacker can obtain the secret parameter $SK_{GW-SN_j}$ of $GW$ and $SN_j$ as follows.

Step 1: Firstly, the attacker executes the session as the legal user between $GW$ and $SN_j$ and then generates a login message $\{TID_i, ID_{SN_j}, CID_i, M_1, M_2, T_1\}$, where $CID_i = ID_i \oplus h(TID_i \parallel R_i \parallel T_1)$, $R_i = A_i \oplus HPW_i$, $HPW_i = h(ID_i \oplus PW_i)$, $M_1 = h(ID_i \parallel B_i \parallel R_1 \parallel T_1)$, $B_i = C_i \oplus h(ID_i \oplus R_i \oplus HPW_i)$ and $M_2 = h(R_i \parallel T_1) \oplus R_1$. Note that $R_1$ is a generated random number and $T_1$ is the current time stamp. Now, the attacker sends this login message to $GW$.

Step 2: After that, the attacker monitors the session between $GW$ and $SN_j$ and eavesdrops the public messages $\{M_3, M_4, M_5\}$, $\{M_7, M_8\}$ and $\{M_8, M_9, M_{10}, M_{11}\}$, where $M_3 = h(h(h(ID_i \parallel R_1^* \parallel R_2) \parallel \text{``1''}) \parallel SK_{GW-SN_j} \parallel R_2)$, $M_4 = h(ID_i \parallel R_1 \parallel R_2) \oplus SK_{GW-SN_j}$, $M_5 = R_2 \oplus h(SK_{GW-SN_j})$, $M_7 = h(SK \parallel R_3 \parallel SK_{GW-SN_j})$, $M_8 = R_3 \oplus h(R_2)$, $M_9 = R_2 \oplus h(ID_i \parallel R_1)$, $M_{10} = h(ID_i \parallel SK' \parallel R_3')$, and $M_{11} = TID_i' \oplus h(R_2 \oplus R_3)$. After that, the attacker computes $R_2 = M_9 \oplus h(ID_i \parallel R_1)$ and then $SK_{GW-SN_j} = h(ID_i \parallel R_1 \parallel R_2) \oplus M_4$, where $M_4$ is intercepted from a public channel. Therefore, the attacker succeeds in evaluating the secret parameter $SK_{GW-SN_j}$.

Step 3: Afterwards, the attacker is able to launch identity and password guessing attacks with the help of the secret parameter $SK_{GW-SN_j}$ in Amin et al.'s scheme. The detailed descriptions of these two attacks are presented in Algorithms 2 and 3 respectively as follows:
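The algebra of Step 2 in Sect. 3.4 can be checked end to end with a small model of the reviewed scheme. The following Python code is an added example, not code from the paper or from Amin et al.; it assumes SHA-256 for $h(\cdot)$, 32-byte encodings for identities and passwords, constructed sample values, and hypothetical names (`Gateway`, `user_login`, `recover_sensor_key`), and it omits the sensor's Step 5 because $M_4$ and $M_9$ do not depend on it.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """h(a || b || ...) modelled as SHA-256 over the concatenation (assumed hash)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    """XOR of 32-byte values."""
    out = bytes(32)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def enc(text: str) -> bytes:
    """Fixed-width encoding so identities and passwords can be XORed (assumption)."""
    return text.encode().ljust(32, b"\0")

class Gateway:
    """Gateway side of the reviewed scheme (Sects. 2.1 to 2.3)."""
    def __init__(self):
        self.K = secrets.token_bytes(32)       # long-term secret K
        self.table = {}                        # TID_i -> D_i

    def sensor_key(self, id_sn: bytes) -> bytes:
        return h(id_sn, self.K)                # SK_GW-SNj = h(ID_SNj || K)

    def register(self, id_i: bytes, hpw_i: bytes) -> dict:
        r_i, tid_i = secrets.token_bytes(32), secrets.token_bytes(32)
        b_i = h(id_i, r_i, self.K)
        self.table[tid_i] = xor(r_i, h(tid_i, self.K))            # D_i
        return {"TID": tid_i,
                "Reg": h(id_i, r_i, hpw_i),
                "A": xor(r_i, hpw_i),
                "C": xor(b_i, h(xor(id_i, r_i, hpw_i)))}

    def handle_login(self, msg):
        """Steps 3, 4 and the M9 part of Step 6; returns what travels in public."""
        tid, id_sn, cid, m1, m2, t1 = msg
        r_i = xor(self.table[tid], h(tid, self.K))
        id_i = xor(cid, h(tid, r_i, t1))
        b_i = h(id_i, r_i, self.K)
        r1 = xor(h(r_i, t1), m2)
        if h(id_i, b_i, r1, t1) != m1:
            raise ValueError("M1 check failed")
        r2 = secrets.token_bytes(32)
        sk_sn = self.sensor_key(id_sn)
        inner = h(id_i, r1, r2)
        m3 = h(h(inner, b"1"), sk_sn, r2)
        m4 = xor(inner, sk_sn)        # long-term key masked only by h(ID_i||R_1||R_2)
        m5 = xor(r2, h(sk_sn))
        m9 = xor(r2, h(id_i, r1))     # sent to U_i; reveals R_2 to that user
        return (m3, m4, m5), m9

def user_login(device: dict, id_i: bytes, pw_i: bytes, id_sn: bytes, t1: bytes):
    """Steps 1 and 2 of the login phase on the user's mobile device."""
    hpw = h(xor(id_i, pw_i))
    r_i = xor(device["A"], hpw)
    if h(id_i, r_i, hpw) != device["Reg"]:
        raise ValueError("local Reg_i check failed")
    r1 = secrets.token_bytes(32)
    b_i = xor(device["C"], h(xor(id_i, r_i, hpw)))
    cid = xor(id_i, h(device["TID"], r_i, t1))
    msg = (device["TID"], id_sn, cid, h(id_i, b_i, r1, t1), xor(h(r_i, t1), r1), t1)
    return msg, r1

def recover_sensor_key(id_i: bytes, r1: bytes, m4: bytes, m9: bytes) -> bytes:
    """Sect. 3.4, Step 2: R_2 = M9 xor h(ID_i||R_1); SK = h(ID_i||R_1||R_2) xor M4."""
    r2 = xor(m9, h(id_i, r1))
    return xor(h(id_i, r1, r2), m4)

def run_session():
    """One registered user, one session; returns (recovered key, gateway's real key)."""
    gw = Gateway()
    id_i, pw_i = enc("dr.alice"), enc("constructed-password")   # constructed values
    id_sn, t1 = enc("SN-07"), enc("T1-constructed")
    device = gw.register(id_i, h(xor(id_i, pw_i)))
    msg, r1 = user_login(device, id_i, pw_i, id_sn, t1)
    (_m3, m4, _m5), m9 = gw.handle_login(msg)
    return recover_sensor_key(id_i, r1, m4, m9), gw.sensor_key(id_sn)

if __name__ == "__main__":
    recovered, actual = run_session()
    print("user-side value equals SK_GW-SNj:", recovered == actual)
```

The mask on $M_4$ is built only from $ID_i$, $R_1$ and $R_2$, all of which the logged-in user holds or can derive from $M_9$, so the long-term gateway-sensor key is not protected from registered users.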

13
An enhanced three factor based authentication protocol using wireless medical sensor networks…

4.2 User registration phase

Firstly, we explained the summary of this phase in Table 2.

Step 1: The Ui picks own IDi , PWi and random num-


ber ri and also imprints own biometric Bi at the sensor
device. Then, Ui computes RPWi = h(IDi ∥ PWi ∥ ri ) ,
Fi = H(Bi ∥ ri ) and sends { IDi , RPWi , Fi } to gateway
node GW via trustworthy channel.
Step 2: Upon obtaining a message from Ui , GW produces
a dynamic identity DIDi and random number Rg and then
calculates Ai = h(DIDi ∥ XG ∥ IDg ) ⊕ h(RPWi ∥ Fi )  ,
Ci = Rg ⊕ h(DIDi ∥ XG ∥ IDg )  , and Di = h(RPWi ∥ Rg
∥ Fi ) . Then, GW issues a smartcard which contains the
information { Ai , Ci , Di , DIDi , H(⋅) , h(⋅) } and forwards it
to Ui via trustworthy channel. Note that: Here, GW main-
tains a database which stores { DIDi , Ci}.
Step 3: After obtaining a smartcard from GW, the Ui cal-
culates Rn = ri ⊕ h(IDi ∥ PWi ∥ H(Bi )) and then stores it
in the smartcard.

4.3 Login phase

First of all, we elaborate the summarization of this phase


in Table 3.

Step 1: The Ui inserts own smartcard into smart-


card reader and keys IDi and PWi and then
imprints Bi at the sensor device. Now, smartcard
r e a d e r c o m p u t e s ri = Rn ⊕ h(IDi ∥ PWi ∥ H(Bi ))  ,
RPWi = h(IDi ∥ PWi ∥ ri ) , Fi = H(Bi ∥ ri ) , h(DIDi ∥ XG
∥ IDg ) = Ai ⊕ h(RPWi ∥ Fi )  , Rg = Ci ⊕ h(DIDi ∥ XG ∥
IDg ) , and D�i = h(RPWi ∥ Rg ∥ Fi ) and then compares
?
D�i =Di . If it does not hold then quits the login request.
Otherwise, proceeds for further operations.
Step 2: The smartcard creates a random nonce Mi and
evaluates M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg ) , M2 = Eh(Mi ∥Rg )
4 Proposed protocol (IDi ∥ SIDj ∥ T1 ∥ Ai ) , M3 = h(IDi ∥ SIDj ∥ h(RPWi∥ Fi ))
and then forwards { DIDi , M1 , M2 , M3 } to GW via public
This section presents the proposed protocol which con- channel.
sists of five phases, i.e., system setup, user registration,
login, authentication, and password change. All phases are 4.4 Authentication phase
described serially with complete information in the below
coming subsections. Initially, we have elaborated the summarization of this phase
in Table 4.
4.1 System setup phase
Step 1: After receiving the message from Ui  , GW
First of all, the system administrator SA selects identity SIDj first retrieves Ci with the help of DIDi from the database
for each sensor node and calculates XGS = h(SIDj ∥ XG ) , and then computes Mi = M1 ⊕ h(DIDi ∥ XG ∥ IDg ) ,
Kj = h(XGS ∥ YG ∥ XG ) , where XG and YG are secret keys of Rg = Ci ⊕ h(DIDi ∥ XG ∥ IDg ) . Thereafter, GW decrypts
gateway node GW. After that, SA stores { XGS , Kj } in the M2 and retrieves (IDi ∥ SIDj ∥ T1 ∥ Ai ) = Dh(Mi ∥Rg ) (M2 )
sensor node’s memory.

13
R. Ali et al.

Table 2  Summary of user User Ui Gateway node GW


registration phase of our
proposed protocol Chooses IDi , PWi and random number ri
Also imprints Bi at the sensor device
Computes RPWi = h(IDi ∥ PWi ∥ ri ),
Fi = H(Bi ∥ ri )
{IDi ,RPWi ,Fi }
�����������������������→

Produces a dynamic identity DIDi and Rg
Calculates Ai = h(DIDi ∥ XG ∥ IDg ) ⊕ h(RPWi ∥ Fi ),
Ci = Rg ⊕ h(DIDi ∥ XG ∥ IDg ),
Di = h(RPWi ∥ Rg ∥ Fi )
Issue smartcard { Ai , Ci , Di , DIDi , H(⋅) , h(⋅)}
Smartcard
←�����������������
Compute Rn = ri ⊕ h(IDi ∥ PWi ∥ H(Bi )) and
stores it into smartcard

Table 3  Summary of login phase of our proposed protocol Step 5: Now, SNj computes h(RPWi ∥ Fi ) = M1 ⊕ Mi ⊕ Ai ,
Ni = h(T3 ∥ h(RPWi ∥ Fi )) ⊕ M5  , M6� = h(IDi ∥ Ni ∥ T3
Ui GW ?
∥ IDg ) and compares M6� =M6 . If this comparison holds
Enters IDi , PWi and also imprints Bi, then the SNj generates a random nonce Vi and calculates
Computes ri = Rn ⊕ h(IDi ∥ PWi ∥ H(Bi )), M7 = Vi ⊕ h(Mi ∥ Ni ) , SK = h(h(RPWi ∥ Fi ) ∥ Mi ∥ Ni
RPWi = h(IDi ∥ PWi ∥ ri ), ∥ Vi ))  , M8 = h(SK ∥ IDi ∥ IDg ∥ T5 )  . Finally, SNj for-
Fi = H(Bi ∥ ri ),
h(DIDi ∥ XG ∥ IDg ) = Ai ⊕ h(RPWi ∥ Fi ), wards { M7 , M8 , T5 } to GW via public channel.
Rg = Ci ⊕ h(DIDi ∥ XG ∥ IDg ), Step 6: After receiving the message from SNj , GW first
D′i = h(RPWi ∥ Rg ∥ Fi ) of all checks T6 − T5 ≤ △T  , if this holds then com-
?
If D�i =Di holds, Ok; Else quits putesTi = M7 ⊕ h(Mi ∥ Ni ) , SK � = h(h(RPWi ∥ Fi ) ∥ Mi
Generates a random nonce Mi, ∥ Ni ∥ Vi )) , and M8� = h(SK � ∥ IDi ∥ IDg ∥ T5 ) . Thereaf-
?
Computes M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg ), ter, the GW compares M8� =M8 , if this comparison holds
M2 = Eh(Mi ∥Rg ) (IDi ∥ SIDj ∥ T1 ∥ Ai ), then continues. Otherwise; aborts the session.
M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi )), Step 7: The GW produces another dynamic identity
{DIDi ,M1 ,M2 ,M3 } DIDni   , computes Cin = Rg ⊕ h(DIDni ∥ XG ∥ IDg ) and
updates { DIDni  , Cin } in the database. After that, the
�����������������������������→

GW evaluates M9 = Eh(RPWi ∥Fi ) (Cin ∥ Ni ∥ Vi ∥ DIDni ) ,


M10 = h(SK ∥ Cin ∥ DIDni ) and sends { M9 , M10 } to Ui via
and then checks T2 − T1 ≤ △T  . If this holds, then per- public channel.
forms further steps. Otherwise, terminates the session. Step 8: Ui decrypts the message (Cin ∥ Ni ∥ Vi ∥ DIDni )
Step 2: The GW computes h(RPWi ∥ Fi ) = Ai = Dh(RPWi ∥Fi ) (M9 ) , and computes SK � = h(h(RPWi ∥ Fi )
⊕h(DIDi ∥ XG ∥ IDg )   , M3� = h(IDi ∥ SIDj ∥ h(RPWi ∥ Mi ∥ Ni ∥ Vi ))  , M10 �
= h(SK � ∥ Cin ∥ DIDni ) and then
� ?
∥ Fi )) and compares M3 =M3 . If this is true then Ui is � ?
compares M10 =M10 . If this comparison holds, then it

authenticated by the GW. Otherwise, terminated the ses- replaces DIDi with DIDni and Ci with Cin.
sion.
Step 3: The GW produces a random nonce Ni and evalu- 4.5 Password change phase
ates XGS = h(SIDi ∥ XG ) , Kj = h(XGS ∥ YG ∥ XG ) , M4 =
Eh(XGS ∥Kj ) (IDg ∥ IDi ∥ Mi ∥ Ai ∥ T3 )  , M5 = Ni ⊕ h(T3 ∥ In this phase, the Ui can alter own password without contact-
h(RPWi ∥ Fi )) , M6 = h(IDi ∥ Ni ∥ T3 ∥ IDg ) and then for- ing the GW whenever he/she wants.
wards { M1 , M4 , M5 , M6 } to SNj via public channel.
Step 4: After getting the message from GW, the SNj Step 1: The Ui inserts smartcard into terminal and keys IDi
decrypts M4 using own key XGS   , Kj and retrieves and PWi and then imprints Bi at the sensor device. Then,
(IDg ∥ IDi ∥ Mi ∥ Ai ∥ T3 ) = Dh(XGS ∥Kj ) (M4 ) and then the smartcard computes ri = Rn ⊕ h(IDi ∥ PWi ∥ H(Bi )) ,
RPWi = h(IDi ∥ PWi ∥ ri )  , Fi = H(Bi ∥ ri )  , h(DIDi ∥
checks T4 − T3 ≤ △T  . If this is true then continued, oth- XG ∥ IDg ) = Ai ⊕ h(RPWi ∥ Fi ) , Rg = Ci ⊕ h(DIDi ∥ XG
erwise; terminated the session. ∥ IDg )  , and D�i = h(RPWi ∥ Rg ∥ Fi ) . Now, smartcard

13
Table 4  Summary of authentication phase of our proposed protocol

Parties: User Ui, Gateway node GW, Sensor node SNj (steps listed in order)

Gateway node GW:
  Computes Mi = M1 ⊕ h(DIDi ∥ XG ∥ IDg), Rg = Ci ⊕ h(DIDi ∥ XG ∥ IDg)
  Decrypts M2 as (IDi ∥ SIDj ∥ T1 ∥ Ai) = D_{h(Mi ∥ Rg)}(M2)
  If T2 − T1 ≤ ΔT holds, Ok; Else quits.
  Computes h(RPWi ∥ Fi) = Ai ⊕ h(DIDi ∥ XG ∥ IDg),
    M3′ = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi))
  If M3′ =? M3 holds, Ok; Else quits.
  Computes XGS = h(SIDi ∥ XG),
    Kj = h(XGS ∥ YG ∥ XG),
    M4 = E_{h(XGS ∥ Kj)}(IDg ∥ IDi ∥ Mi ∥ Ai ∥ T3),
    M5 = Ni ⊕ h(T3 ∥ h(RPWi ∥ Fi)),
    M6 = h(IDi ∥ Ni ∥ T3 ∥ IDg)

GW → SNj: {M1, M4, M5, M6}

Sensor node SNj:
  Decrypts M4 using XGS and Kj
    as (IDg ∥ IDi ∥ Mi ∥ Ai ∥ T3) = D_{h(XGS ∥ Kj)}(M4)
  If T4 − T3 ≤ ΔT holds, Ok; Else quits.
  h(RPWi ∥ Fi) = M1 ⊕ Mi ⊕ Ai,
  Ni = h(T3 ∥ h(RPWi ∥ Fi)) ⊕ M5,
  M6′ = h(IDi ∥ Ni ∥ T3 ∥ IDg)
  If M6′ =? M6 holds, Ok; Else quits.
  Calculates M7 = Vi ⊕ h(Mi ∥ Ni),
    SK = h(h(RPWi ∥ Fi) ∥ Mi ∥ Ni ∥ Vi),
    M8 = h(SK ∥ IDi ∥ IDg ∥ T5).

SNj → GW: {M7, M8, T5}

Gateway node GW:
  Checks T6 − T5 ≤ ΔT,
  Computes Ti = M7 ⊕ h(Mi ∥ Ni), SK′ = h(h(RPWi ∥ Fi) ∥ Mi ∥ Ni ∥ Vi),
    M8′ = h(SK′ ∥ IDi ∥ IDg ∥ T5).
  If M8′ =? M8 holds, Ok; Else quits.
  Computes Ci^n = Rg ⊕ h(DIDi^n ∥ XG ∥ IDg) and updates the database {DIDi^n, Ci^n}
  Computes M9 = E_{h(RPWi ∥ Fi)}(Ci^n ∥ Ni ∥ Vi ∥ DIDi^n) and M10 = h(SK ∥ Ci^n ∥ DIDi^n).

GW → Ui: {M9, M10}

User Ui:
  Decrypts (Ci^n ∥ Ni ∥ Vi ∥ DIDi^n) = D_{h(RPWi ∥ Fi)}(M9), and
  computes SK′ = h(h(RPWi ∥ Fi) ∥ Mi ∥ Ni ∥ Vi),
    M10′ = h(SK′ ∥ Ci^n ∥ DIDi^n)
  If M10′ =? M10 holds, replaces DIDi with DIDi^n and Ci with Ci^n.
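
The exchange summarised in Table 4, run end to end among Ui, GW and SNj, as an added example that is not code from the paper. It shows all three parties deriving the same SK and the ΔT check rejecting a replayed login message. Assumptions: SHA-256 stands in for h(·), a hash-keystream XOR stands in for the unspecified cipher E/D, every field is a 32-byte block, XGS uses SIDj, the value the table calls Ti is used as Vi, and all function names, identities, secrets and ΔT = 5 s are constructed for illustration.

```python
import hashlib
import os

DELTA_T = 5  # assumed freshness window (the paper's ΔT), in seconds

def h(*parts):  # SHA-256 stand-in for h(.); all fields are 32-byte blocks
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stream(key, n):
    return b"".join(h(key, bytes([i])) for i in range(n // 32 + 1))

def E(key, *fields):  # stand-in for E_k(.): hash keystream, no integrity
    return xor(b"".join(fields), stream(key, 32 * len(fields)))

def D(key, ct):
    pt = xor(ct, stream(key, len(ct)))
    return [pt[i:i + 32] for i in range(0, len(pt), 32)]

def check_fresh(T, now):  # the "T_later - T_earlier <= ΔT" test
    if now - int.from_bytes(T, "big") > DELTA_T:
        raise ValueError("stale timestamp")

class Gateway:
    def __init__(self):
        self.XG, self.YG, self.IDg = (os.urandom(32) for _ in range(3))
        self.db = {}  # DIDi -> Ci

    def register(self, RPWi, Fi):
        DIDi, Rg = os.urandom(32), os.urandom(32)
        K = h(DIDi, self.XG, self.IDg)
        self.db[DIDi] = xor(Rg, K)
        return {"A": xor(K, h(RPWi, Fi)), "C": xor(Rg, K), "DID": DIDi}

    def sensor_key(self, SIDj):  # h(XGS ∥ Kj), held by both GW and SNj
        XGS = h(SIDj, self.XG)
        return h(XGS, h(XGS, self.YG, self.XG))

    def on_login(self, DIDi, M1, M2, M3, now):
        K = h(DIDi, self.XG, self.IDg)
        Mi, Rg = xor(M1, K), xor(self.db[DIDi], K)
        IDi, SIDj, T1, Ai = D(h(Mi, Rg), M2)
        check_fresh(T1, now)
        hw = xor(Ai, K)  # h(RPWi ∥ Fi)
        if h(IDi, SIDj, hw) != M3:
            raise ValueError("M3 mismatch")
        Ni, T3 = os.urandom(32), now.to_bytes(32, "big")
        self.s = (IDi, Mi, Ni, Rg, hw)
        M4 = E(self.sensor_key(SIDj), self.IDg, IDi, Mi, Ai, T3)
        return M1, M4, xor(Ni, h(T3, hw)), h(IDi, Ni, T3, self.IDg)

    def on_sensor_reply(self, M7, M8, T5, now):
        IDi, Mi, Ni, Rg, hw = self.s
        check_fresh(T5, now)
        Vi = xor(M7, h(Mi, Ni))
        SK = h(hw, Mi, Ni, Vi)
        if h(SK, IDi, self.IDg, T5) != M8:
            raise ValueError("M8 mismatch")
        DIDn = os.urandom(32)
        # store the new pair {DIDi^n, Ci^n}
        self.db[DIDn] = Cn = xor(Rg, h(DIDn, self.XG, self.IDg))
        return SK, E(hw, Cn, Ni, Vi, DIDn), h(SK, Cn, DIDn)

def sensor_step(key, M1, M4, M5, M6, now):
    IDg, IDi, Mi, Ai, T3 = D(key, M4)
    check_fresh(T3, now)
    hw = xor(xor(M1, Mi), Ai)  # h(RPWi ∥ Fi) = M1 ⊕ Mi ⊕ Ai
    Ni = xor(h(T3, hw), M5)
    if h(IDi, Ni, T3, IDg) != M6:
        raise ValueError("M6 mismatch")
    Vi, T5 = os.urandom(32), now.to_bytes(32, "big")
    SK = h(hw, Mi, Ni, Vi)
    return SK, (xor(Vi, h(Mi, Ni)), h(SK, IDi, IDg, T5), T5)

def user_login(card, IDi, SIDj, hw, now):
    K = xor(card["A"], hw)  # h(DIDi ∥ XG ∥ IDg), recovered without knowing XG
    Mi, Rg = os.urandom(32), xor(card["C"], K)
    M2 = E(h(Mi, Rg), IDi, SIDj, now.to_bytes(32, "big"), card["A"])
    return Mi, (card["DID"], xor(Mi, K), M2, h(IDi, SIDj, hw))

def user_finish(card, hw, Mi, M9, M10):
    Cn, Ni, Vi, DIDn = D(hw, M9)
    SK = h(hw, Mi, Ni, Vi)
    if h(SK, Cn, DIDn) != M10:
        raise ValueError("M10 mismatch")
    card["C"], card["DID"] = Cn, DIDn
    return SK

def run_session(t0=1000):
    gw = Gateway()
    IDi, SIDj = b"user-i".ljust(32, b"\0"), b"sensor-j".ljust(32, b"\0")
    RPWi, Fi = h(b"constructed RPWi"), h(b"constructed Fi")
    card, hw = gw.register(RPWi, Fi), h(RPWi, Fi)
    Mi, login = user_login(card, IDi, SIDj, hw, t0)
    to_sn = gw.on_login(*login, t0 + 1)
    sk_sn, reply = sensor_step(gw.sensor_key(SIDj), *to_sn, t0 + 2)
    sk_gw, M9, M10 = gw.on_sensor_reply(*reply, t0 + 3)
    return gw, card, login, (user_finish(card, hw, Mi, M9, M10), sk_gw, sk_sn)
```

Calling `gw.on_login(*login, t0 + DELTA_T + 1)` with the captured login tuple raises `ValueError("stale timestamp")`; the toy cipher gives no integrity, so a real deployment would need an authenticated cipher in its place.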

compares D′i =? Di; if this is true, the procedure continues; otherwise, the session is terminated.

Step 2: The Ui enters the new password PWi^new and then the smartcard computes RPWi^new = h(IDi ∥ PWi^new ∥ ri), Ai^new = Ai ⊕ h(DIDi ∥ XG ∥ IDg) ⊕ h(RPWi^new ∥ Fi), and Di^new = h(RPWi^new ∥ Ci ⊕ h(DIDi ∥ XG ∥ IDg) ∥ Fi). Finally, the smartcard replaces {Ai, Di} with {Ai^new, Di^new}, respectively.

5 Authentication proof using BAN logic

In this section, the security of our protocol is confirmed with the help of Burrows–Abadi–Needham (BAN) logic (Burrows et al. 1989; Ali et al. 2017; Ali and Pal 2017, 2018b, c; Chandrakar and Om 2017c, d). The BAN logic is a model which is used for generating the mutual authentication and session-key agreement securely. There are some predefined notations and basic rules of BAN logic, which are summarized as follows.

• P |≡ X: It means that the entity P believes the message X.
• P ⇒ X: It means that P has jurisdiction over the statement X.
• P |∼ X: It means that P once said the message X.
• P ⊲ X: It means that P sees the message X.
• {X}k: It means that X is encrypted by the key K.
• : It means that the key K is shared between both entities A and B.
• #X: The message X is freshly generated.

• Message meaning rule:
• Freshness conjuncatenation rule: (P |≡ #(X)) / (P |≡ #(X, Y))
• Nonce verification rule: (P |≡ #(X), P |≡ Q |∼ X) / (P |≡ Q |≡ X)
• Jurisdiction rule: (P |≡ Q ⇒ X, P |≡ Q |≡ X) / (P |≡ X)
• Session key rule:

Step 1: First of all, we consider the authentication goals and then prove them to confirm the security.

Goal 1:
Goal 2:
Goal 3:
Goal 4:
Goal 5:
Goal 6:
Goal 7:
Goal 8:

Step 2: Now, the idealized form of the proposed protocol is as follows.

Message 1: {DIDi, M2, M3, M1 : <Mi>_{h(DIDi ∥ XG ∥ IDg)}}
Message 2: {M1, M4, M6, M5 : <Ni>_{h(RPWi ∥ Fi)}}
Message 3: {M7, T5, M8 : <Vi>_{h(RPWi ∥ Fi)}}
Message 4: {M10, M9 : <Ni, Vi>_{h(RPWi ∥ Fi)}}

Step 3: Some initial suppositions of the proposed protocol are as follows.

A1: Ui |≡ #{Mi, Ni, Vi}
A2: GW |≡ #{Mi, Ni, Vi}
A3: SNj |≡ #{Mi, Ni, Vi}
B1: GW |≡ Ui ⇒ Mi
B2: SNj |≡ GW ⇒ Ni
B3: GW |≡ SNj ⇒ Vi
B4: Ui |≡ GW ⇒ (Ni, Vi)
C1:
C2:

Step 4: Now, we will prove the mentioned goals with the help of the idealized form, the predefined BAN logic rules and some suppositions. From Message 1, we write
S1: GW ⊲ {DIDi, M2, M3, M1 : <Mi>_{h(DIDi ∥ XG ∥ IDg)}}
From S1, C1 and message meaning rule,
S2: GW |≡ Ui |∼ Mi
According to S2, A2, freshness conjuncatenation rule and nonce verification rule,
S3: GW |≡ Ui |≡ Mi
We can see from S3, B1 and jurisdiction rule,
S4: GW |≡ Mi
Using S3, A2 and session key rule,
S5: (Goal 1)
From S5, A2 and nonce verification rule,
S6: (Goal 2)
According to Message 2, we write
S7: SNj ⊲ {M1, M4, M6, M5 : <Ni>_{h(RPWi ∥ Fi)}}
By the help of S7, C2 and message meaning rule,
S8: SNj |≡ GW |∼ Ni
From S8, A3, freshness conjuncatenation rule and nonce verification rule,
S9: SNj |≡ GW |≡ Ni
We can see from S9, B2 and jurisdiction rule,
S10: SNj |≡ Ni
By using S9, A3 and session key rule,
S11: (Goal 3)
From S11, A3 and nonce verification rule,
S12: (Goal 4)
By using Message 3, we get
S13: GW ⊲ {M7, T5, M8 : <Vi>_{h(RPWi ∥ Fi)}}
By the help of S13, C2 and message meaning rule,
S14: GW |≡ SNj |∼ Vi
From S14, A2, freshness conjuncatenation rule and nonce verification rule,
S15: GW |≡ SNj |≡ Vi
We can see from S15, B3 and jurisdiction rule,
S16: GW |≡ Vi
By using S15, A2 and session key rule,
S17: (Goal 5)
From S17, A2 and nonce verification rule,
S18: (Goal 6)
By using Message 4, we get
S19: Ui ⊲ {M10, M9 : <Ni, Vi>_{h(RPWi ∥ Fi)}}
By the help of S19, C2 and message meaning rule,
S20: Ui |≡ GW |∼ (Ni, Vi)
From S20, A1, freshness conjuncatenation rule and nonce verification rule,
S21: Ui |≡ GW |≡ (Ni, Vi)
We can see from S20, B4 and jurisdiction rule,
S22: Ui |≡ (Ni, Vi)
By using S21, A1 and session key rule,
S23: (Goal 7)
From S23, A1 and nonce verification rule,
S24: (Goal 8)

6 The simulation of our protocol using AVISPA

In this section, the simulation of the proposed protocol is done using the Automated Validation Information Security Protocols and Applications tool (Chandrakar and Om 2016, 2017a, b, c, 2018a, b; Ali and Pal 2018a). The AVISPA is a push-button tool and provides an expressive and modular formal language for identifying protocols and their security properties. It integrates different back-ends that implement several modern techniques. Experimental results on a large library of Internet security protocols indicate that AVISPA is a modern tool for automatic security protocols. No other tool has the same scope and robustness with such performance and scalability. The AVISPA tool has four back-ends, namely On-the-Fly Model-Checker (OFMC), Constraint-Logic-based Attack Searcher (CL-AtSe), SAT based Model Checker and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). The simulation results confirm that the protocol is securely protected from active and passive attacks, including replay as well as man-in-the-middle attacks.

6.1 Brief summary of our protocol in (HLPSL)

The Ui's role is implemented in the HLPSL specification which is depicted in Fig. 2. Initially, Ui forwards the registration request {IDi, RPWi, Fi} to the GW by using the Snd() operation and the symmetric key SK1. The declaration secret({Bi, PWi}, subs1, Ui) expresses that the biometric Bi and the password PWi are only known to Ui. The declaration secret({RPWi, Fi}, subs2, {Ui, GW}) also expresses that both Ui and GW know the values of RPWi and Fi. Eventually, Ui receives a smartcard which contains the parameters {Ai, Ci, Di, DIDi} using the Rcv() operation and SK1. In the login phase, the Ui sends the message {DIDi, M1, M2, M3} to the GW via the public channel. The declaration secret({Mi, IDi}, subs3, {Ui, GW, SNj}) expresses that the values {Mi, IDi} are known by Ui, GW and SNj. The declaration witness({Ui, GW}, user_gateway_mi, Mi) specifies that Ui produces a random number Mi for the GW. In the authentication phase, the Ui receives {M9, M10} from the GW via the same channel. The declaration request({GW, SNj}, gateway_sensor_ni, Ni) indicates that the GW requests the SNj to check the value of Ni. The declaration request(SNj, Ui, sensor_gateway_vi, Vi) means that the SNj requests the Ui to verify the value of Vi.

In Fig. 3, the role of the GW in the HLPSL specification is implemented. In the registration phase, the GW obtains {IDi, RPWi, Fi} with the help of the Rcv() operation and SK1 via the secure channel. After that, the GW performs some operations, then issues the smartcard and sends it to the Ui. The declaration secret(XG, subs4, GW) states that only the GW knows the secret key XG. During the authentication phase, the GW receives {DIDi, M1, M2, M3} from the Ui via the public channel. Afterwards, the GW performs some operations and then sends {M1, M4, M5, M6} to the SNj via the same channel. The declarations secret(Ni, subs5, {Ui, GW, SNj}) and secret({XGS′, Kj′}, subs6, {GW, SNj}) describe that the random nonce Ni is known to {Ui, GW, SNj} and that {XGS′, Kj′} is known to {GW, SNj}. The declaration request(Ui, GW, user_gateway_mi, Mi) expresses that the GW accepts Mi, which is generated by the Ui. After that, the GW receives {M7, M8, T5} from the SNj and then verifies the legitimacy of the SNj. Subsequently, the GW creates a message {M9, M10} and sends it to the Ui.

The HLPSL code for the SNj is depicted in Fig. 4. In the authentication phase, the SNj receives a message {M1, M4, M5, M6} from the GW using the Rcv() operation via the public channel. Upon receiving the message from the GW, the SNj checks the validity of the GW and then forwards the message
{M7, M8, T5} to the GW with the help of the Snd() operation via the same channel.

role user(Ui,GW,SNj: agent,
  SK1: symmetric_key,
  H: hash_func,
  Snd,Rcv:channel(dy))
played_by Ui
def=
local State:nat,
  RPWi,PWi,IDi,Ri,Bi,Fi,Ai,Ci,Di,Rn,K,Rg,XG,IDg,Mi,Z,Ni,
  Vi,SK,Cin,DIDin,ZZ,ZZZ,XGS,SIDj,Kj,YG,T1,T3,FF,Ti:text,
  DIDi,M1,M2,M3,M4,M5,M6,M7,M8,T5,M9,M10:message,
  Inc:hash_func
const user_gateway_mi,gateway_sensor_ni,sensor_gateway_vi,
  subs1,subs2,subs3,subs4,subs5,subs6:protocol_id
init State:=0
transition
% Registration phase
1.State=0/\Rcv(start)=|>
  State':=1/\RPWi':=H(IDi.PWi.Ri)
  /\Fi':=H(Bi.Ri)
  %Send registration request message
  /\Snd({IDi.RPWi'.Fi}_SK1)
  /\secret({Bi,PWi},subs1,Ui)
  /\secret({RPWi',Fi},subs2,{Ui,GW})
% Smartcard received, login message sent
2.State=1/\Rcv({Ai.Ci.Di.DIDi}_SK1)=|>
  State':=2/\Rn':=xor(Ri,H(IDi.PWi.H(Bi)))
  /\Ri':=xor(Rn',H(IDi.PWi.H(Bi)))
  /\RPWi':=H(IDi.PWi.Ri')
  /\Fi':=H(Bi.Ri)
  /\K':=xor(Ai,H(RPWi'.Fi'))
  /\Rg':=xor(Ci,H(DIDi.XG.IDg))
  /\Di':=H(RPWi'.Rg'.Fi')
  /\Mi':=new()
  /\M1':=xor(Mi',H(DIDi.XG.IDg))
  /\M2':={IDi.SIDj.T1.Ai}_H(Mi'.Rg')
  /\M3':=H(IDi.SIDj.H(RPWi'.Fi'))
  /\Snd(DIDi.M1'.M2'.M3')
  /\secret({Mi',IDi},subs3,{Ui,GW,SNj})
  /\witness(Ui,GW,user_gateway_mi,Mi)
% Authentication phase: reply from the GW
3.State=2/\Rcv(M9.M10)=|>
  State':=3/\Z':={M9}_H(RPWi.Fi)
  /\SK':=H(H(RPWi.Fi).Ni.Mi.Vi)
  /\M10':=H(SK'.Cin.DIDin)
  /\request(GW,SNj,gateway_sensor_ni,Ni)
  /\request(SNj,Ui,sensor_gateway_vi,Vi)
end role

Fig. 2  The key role of user Ui in HLPSL

6.2 Secrecy goals and authentication properties

In Fig. 5, the key role of session, goal and environment in HLPSL is depicted. There are six secrecy goals and three authentication properties presented in this figure.

Goals

• secrecy_of subs1 represents that Bi and PWi are only known by Ui.
• secrecy_of subs2 states that the values of RPWi and Fi are known to both Ui and GW.
• secrecy_of subs3 tells that the parameters {Mi, IDi} are shared among Ui, GW and SNj.
• secrecy_of subs4 expresses that the secret key XG is only known to GW.
• secrecy_of subs5 states that the random nonce Ni is shared among Ui, GW and SNj only.
• secrecy_of subs6 describes that the values of {XGS, Kj} are shared between GW and SNj.

Authentications

• authentication_on user_gateway_mi expresses that GW acquires mi from Ui and then GW authenticates Ui with the help of mi.
• authentication_on gateway_sensor_ni states that SNj obtains ni from GW and then SNj authenticates GW by using ni.
• authentication_on sensor_gateway_vi expresses that GW receives vi from SNj and then GW verifies the authenticity of SNj with the help of vi.

6.3 Simulation results

In this part, we present the simulation results of the HLPSL code using AVISPA. Figures 6 and 7 illustrate the results in terms of OFMC and CL-AtSe respectively. The simulation results confirm that the proposed protocol is secure against passive and active attacks, including replay as well as man-in-the-middle attacks. The verifications of our scheme are summarized in the following way:

• Executability check on non-trivial HLPSL specifications: It is possible that the scheme model cannot execute up to completion due to some modeling mistakes. As a result, if the protocol model cannot arrive at a state where an attack can happen, the AVISPA back-ends are not able to find an attack. Therefore, an executability test is essential (von Oheimb 2005). But, our implementation demonstrates that the protocol description is well matched with the considered goals as shown in Figs. 2, 3, 4, and 5 for the executability test.
• Replay attack check: In this replay attack checking, the AVISPA back-ends (such as OFMC and CL-AtSe) firstly check that the legitimate agents can execute the particular protocol. Then, they provide the intruder with knowledge of some normal sessions among the legitimate agents. The test results are shown in Figs. 6 and 7 and indicate that our protocol is secure against the replay attack.
• Dolev–Yao model check: For the Dolev–Yao model checker, the OFMC and CL-AtSe back-ends check whether the man-in-the-middle attack is possible by an intruder
(i). Under OFMC, visited nodes are 256, the depth is 8 plies and the search time is 1.15 s. Under CL-AtSe, the translation and computation times are 0.18 s and 0.00 s, respectively. The results depicted in Figs. 6 and 7 demonstrate that our proposed scheme accomplishes the design properties and is safe under these back-ends.

role gateway(Ui,GW,SNj: agent,
  SK1: symmetric_key,
  H: hash_func,
  Snd,Rcv:channel(dy))
played_by GW
def=
local State:nat,
  RPWi,PWi,IDi,Ri,Bi,Fi,Ai,Ci,Di,Rn,K,Rg,XG,
  IDg,Mi,Z,Ni,Vi,SK,Cin,DIDin,ZZ,ZZZ,XGS,
  SIDj,Kj,YG,T1,T3,FF,Ti:text,
  DIDi,M1,M2,M3,M4,M5,M6,M7,M8,T5,M9,
  M10:message,
  Inc:hash_func
const user_gateway_mi,gateway_sensor_ni,
  sensor_gateway_vi,subs1,subs2,subs3,subs4,subs5,
  subs6:protocol_id
init State:=0
transition
% Registration phase
1.State=0/\Rcv({IDi.RPWi.Fi}_SK1)=|>
  State':=1/\DIDi':=new()
  /\Rg':=new()
  /\K':=H(DIDi.XG.IDg)
  /\Ai':=xor(K',H(RPWi.Fi))
  /\Ci':=xor(Rg',K')
  /\Di':=H(RPWi.Rg.Fi)
  /\Snd({Ai.Ci.Di.DIDi}_SK1)
  /\secret({XG},subs4,GW)
% Login message received, message sent to the sensor node
2.State=1/\Rcv(DIDi.M1.M2.M3)=|>
  State':=2/\Mi':=xor(M1,K)
  /\Rg':=xor(Ci,K)
  /\ZZ':={M2}_H(Mi'.Rg')
  /\ZZZ':=xor(Ai,K)
  /\M3':=H(IDi.SIDj.ZZZ')
  /\Ni':=new()
  /\XGS':=H(SIDj.XG)
  /\Kj':=H(XGS'.YG.XG)
  /\M4':={IDg.IDi.Mi.T3}
  /\M5':=xor(Ni',H(T3.ZZZ'))
  /\M6':=H(IDi.Ni'.T3.IDg)
  /\Snd(M1.M4.M5.M6)
  /\secret({Ni'},subs5,{Ui,GW,SNj})
  /\secret({XGS',Kj'},subs6,{GW,SNj})
  /\request(Ui,GW,user_gateway_mi,Mi)
% Sensor reply received, final message sent to the user
3.State=2/\Rcv(M7.M8.T5)=|>
  State':=3/\Ti':=xor(M7,H(Mi,Ni))
  /\SK':=H(ZZZ.Mi.Ni.Ti')
  /\M8':=h(SK'.IDi.IDg.T5)
  /\DIDin':=new()
  /\Cin':=xor(Rg,H(DIDin',XG,IDg))
  /\M9':={Cin'.Ni.Ti.DIDin'}_H(ZZZ)
  /\M10':=H(SK'.Cin'.DIDin')
  /\Snd(M9.M10)
end role

Fig. 3  The key role of gateway node GW in HLPSL

role sensor(Ui,GW,SNj: agent,
  SK1: symmetric_key,
  H: hash_func,
  Snd,Rcv:channel(dy))
played_by SNj
def=
local State:nat,
  RPWi,PWi,IDi,Ri,Bi,Fi,Ai,Ci,Di,Rn,K,Rg,
  XG,IDg,Mi,Z,Ni,Vi,SK,Cin,DIDin,ZZ,ZZZ,
  XGS,SIDj,Kj,YG,T1,T3,FF,Ti:text,
  DIDi,M1,M2,M3,M4,M5,M6,M7,M8,T5,
  M9,M10:message,
  Inc:hash_func
const user_gateway_mi,gateway_sensor_ni,
  sensor_gateway_vi,subs1,subs2,subs3,subs4,
  subs5,subs6:protocol_id
init State:=0
transition
% Authentication phase: message from the GW, reply {M7, M8, T5}
1.State=0/\Rcv(M1.M4.M5.M6)=|>
  State':=1/\FF':=(IDg.IDi.Mi.T3)
  /\FF':={M4}_H(XG.Kj)
  /\ZZZ':=xor(M1,Mi)
  /\Ni':=xor(M5,H(T3.H(ZZZ')))
  /\M6':=H(IDi.IDg.T3.Ni')
  /\Vi':=new()
  /\M7':=xor(Vi',H(Mi.Ni))
  /\SK':=H(H(ZZZ').Mi.Ni'.Vi')
  /\M8':=H(SK'.IDi.IDg.T5)
  /\Snd(M7.M8.T5)
end role

Fig. 4  The key role of sensor node SNj in HLPSL

7 Security analysis

This section presents the security analysis of our scheme, which shows that the proposed scheme withstands several kinds of wicked attacks.

Theorem 1  The proposed protocol withstands the password guessing attack.
Proof  Assume that an attacker has compromised a smartcard and the biometric Bi; then she/he can extract all of the smartcard's parameters {Ai, Ci, Di, DIDi, Rn, H(⋅), h(⋅)} by using power analysis (Kocher et al. 1999; Messerges et al. 2002) and can also eavesdrop on all publicly communicated messages {DIDi, M1, M2, M3, M4, M5, M6, M7, M8, T5, M9, M10} from the public channel. However, in our protocol, the attacker cannot break or guess PWi of the Ui for the following reasons.

• From the value Ai = h(DIDi ∥ XG ∥ IDg) ⊕ h(RPWi ∥ Fi), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). Here, for guessing PWi, the attacker has to know these unknown parameters, i.e., DIDi, XG, IDg, and ri at one time even if he/she has compromised the user's biometric and smartcard.
• From the parameter Di = h(RPWi ∥ Rg ∥ Fi), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). Here, Di depends on IDi, PWi, Bi, Rg, and ri. As we know, the attacker has compromised the biometric and smartcard while four values, i.e., IDi, PWi, Rg, and ri are still unknown to him/her.
• From M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)) = h(IDi ∥ SIDj ∥ h(h(IDi ∥ PWi ∥ ri) ∥ H(Bi ∥ ri))), for guessing PWi, the attacker has to know three unknown parameters such as SIDj, IDi, and ri at one time, which is not feasible in polynomial time.
• Similarly, the attacker cannot break or guess PWi from M5, M8, and M10 for the same reason mentioned above.

Therefore, we can say that our protocol withstands the password guessing attack even if the attacker has compromised the biometric and smartcard.

role session(Ui,GW,SNj: agent,
  SK1: symmetric_key,
  H: hash_func)
def=
local SI,SJ,RI,RJ,PI,PJ:channel(dy)
composition
  user(Ui,GW,SNj,SK1,H,SI,SJ)
  /\gateway(Ui,GW,SNj,SK1,H,RI,RJ)
  /\sensor(Ui,GW,SNj,SK1,H,PI,PJ)
end role
role environment()
def=
const ui,gw,snj:agent,
  sk1:symmetric_key,
  h:hash_func,
  rpwi,pwi,idi,ri,bi,fi,ai,ci,di,rn,k,rg,xg,idg,mi,z,ni,vi,sk,cin,
  didin,zz,zzz,xgs,sidj,kj,yg,t1,t3,t5,ff,ti,didi:text,
  user_gateway_mi,gateway_sensor_ni,sensor_gateway_vi,
  subs1,subs2,subs3,subs4,subs5,subs6:protocol_id
intruder_knowledge={ui,snj,gw,ai,ci,di,didi,rn}
composition
  session(ui,snj,gw,sk1,h)
  /\session(ui,snj,gw,sk1,h)
  /\session(ui,snj,gw,sk1,h)
end role
goal
  secrecy_of subs1
  secrecy_of subs2
  secrecy_of subs3
  secrecy_of subs4
  secrecy_of subs5
  secrecy_of subs6
  authentication_on user_gateway_mi
  authentication_on gateway_sensor_ni
  authentication_on sensor_gateway_vi
end goal
environment()

Fig. 5  The key role of session, goal and environment in HLPSL

SUMMARY
SAFE
DETAILS
BOUNDED_NUMBER_OF_SESSIONS
PROTOCOL
/home/rifaqat/documents/span/testsuite/results/WMSN.if
GOAL
as_specified
BACKEND
OFMC
COMMENTS
STATISTICS
parseTime: 0.00s
searchTime: 1.15s
visitedNodes: 256 nodes
depth: 8 plies

Fig. 6  Simulation result of OFMC back-end

SAFE
DETAILS
BOUNDED_NUMBER_OF_SESSIONS
TYPED_MODEL
PROTOCOL
/home/rifaqat/documents/span/testsuite/results/WMSN.if
GOAL
As Specified
BACKEND
CL-AtSe
STATISTICS
Analysed : 0 states
Reachable : 0 states
Translation: 0.18 seconds
Computation: 0.00 seconds

Fig. 7  Simulation result of CL-AtSe back-end

Theorem 2  The proposed protocol withstands the identity guessing attack.

Proof  Assume that the Ui uses a low entropy identity IDi which is easily breakable or guessable with the help of the smartcard's parameters {Ai, Ci, Di, DIDi, Rn, H(⋅), h(⋅)} and all publicly communicated messages {DIDi, M1, M2, M3, M4, M5, M6, M7, M8, T5, M9, M10} among Ui, GW and SNj. However, in our protocol, the attacker cannot guess IDi of Ui in three different cases as follows:

Case 1: An attacker has user's password and biometric.
• The value of Ai is written as Ai = h(DIDi ∥ XG ∥ IDg) ⊕ h(RPWi ∥ Fi), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). Here, for guessing IDi, the attacker has to know DIDi, XG, IDg, and ri at one time, which is against the polynomial rule.
• The value Di is computed as Di = h(RPWi ∥ Rg ∥ Fi), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). To guess IDi, the attacker has to know Rg and ri at one time, which is against the polynomial rule.
• The attacker cannot compute IDi from M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai) because he/she has to know four unknown parameters Mi, Rg, SIDj, and T1 at the same time, which violates the rule of polynomial equation.
• From M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). For guessing IDi, the attacker has to know SIDj and ri at one time, which is not feasible in polynomial time.
• Similarly, the attacker cannot guess IDi from the remaining parameters like M4, M5, M6, M8, and M10 for the same reason as above.

Case 2: An attacker has user's smartcard and biometric.

• From Ai = h(DIDi ∥ XG ∥ IDg) ⊕ h(RPWi ∥ Fi), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). Here, to calculate IDi, the attacker has to know DIDi, XG, IDg, PWi and ri at one time, which is against the polynomial rule.
• The value Di is computed as Di = h(RPWi ∥ Rg ∥ Fi), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). To guess IDi, the attacker has to know the values of Rg, PWi and ri at one time, which violates the polynomial rule.
• The attacker cannot compute IDi from M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai) because he/she has to know four unknown parameters, i.e., Mi, Rg, SIDj, and T1 at the same time, which violates the rule of polynomial equation.
• From M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)), where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). For guessing IDi, the attacker has to know three unknown parameters such as SIDj, PWi, and ri at one time, which is not feasible in polynomial equation rule.
• Similarly, the attacker cannot guess IDi from M4, M5, M6, M8, and M10 for the same reason as above.

Case 3: An attacker has user's password and smartcard.

• From Ai = h(DIDi ∥ XG ∥ IDg) ⊕ h(RPWi ∥ Fi) = h(DIDi ∥ XG ∥ IDg) ⊕ h(h(IDi ∥ PWi ∥ ri) ∥ H(Bi ∥ ri)). Here, for guessing IDi, the attacker has to know DIDi, XG, IDg, Bi and ri at one time, which is against the polynomial rule.
• The value Di is written as Di = h(RPWi ∥ Rg ∥ Fi) = h(h(IDi ∥ PWi ∥ ri) ∥ Rg ∥ H(Bi ∥ ri)). To guess IDi, the attacker has to know the parameters like Rg, Bi and ri at one time.
• The attacker cannot compute IDi from M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai) because he/she has to know four unknown parameters Mi, Rg, SIDj, and T1, which violates the rule of polynomial equation.
• From the value M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)) = h(IDi ∥ SIDj ∥ h(h(IDi ∥ PWi ∥ ri) ∥ H(Bi ∥ ri))). For guessing IDi, the attacker has to know three unknown parameters such as SIDj, Bi, and ri at one time, which is not feasible in polynomial equation rule.
• Similarly, from the parameters M4, M5, M6, M8, and M10, the attacker cannot break or guess IDi for the same reason mentioned above.

On the basis of the three cases, we can conclude that our protocol withstands the identity guessing attack.

Theorem 3  The proposed protocol withstands the user impersonation attack.

Proof  Suppose that an attacker obstructs a login message {DIDi, M1, M2, M3}, modifies it and then tries to impersonate a legitimate Ui. However, in our scheme, the attacker cannot impersonate an authorized user in three different cases as follows.

Case 1: An attacker has user's password and biometric.

• The attacker cannot calculate M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg) because M1 depends on the gateway's secret key XG and a random nonce Mi.
• For M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai), the attacker has to know IDi, which was already proved in Theorem 2. Besides, s/he must know these parameters Mi, Rg, SIDj, T1, and Ai for evaluating M2.
• To compute M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)) = h(IDi ∥ SIDj ∥ h(h(IDi ∥ PWi ∥ ri) ∥ H(Bi ∥ ri))), the attacker has to know IDi and ri at one time.

Case 2: An attacker has user's smartcard and biometric.

• The attacker tries to calculate M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg), but M1 relies on the gateway's secret key XG and a random nonce Mi.
• For computing M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai), the attacker has to know IDi, which violates Theorem 2. In addition, s/he also has to know these parameters Mi, Rg, SIDj, and T1 for calculating M2.
• To calculate M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)) = h(IDi ∥ SIDj ∥ h(h(IDi ∥ PWi ∥ ri) ∥ H(Bi ∥ ri))), the attacker has to know IDi, ri and PWi at one time.

Case 3: An attacker has user's password and smartcard.

• The attacker attempts to calculate M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg), but M1 depends on the gateway's secret key XG and a random nonce Mi. So, he/she cannot calculate the value of M1 without knowing these unknown parameters even if he/she has the user's smartcard and password.
• For computing M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai), the attacker has to know IDi, which is against Theorem 2. In addition, the attacker also has to know these parameters Mi, Rg, and SIDj for calculating M2.
• To evaluate M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)) = h(IDi ∥ SIDj ∥ h(h(IDi ∥ PWi ∥ ri) ∥ H(Bi ∥ ri))), the attacker has to know IDi, ri and SIDj at one time, which violates the polynomial rule.

Therefore, on the basis of the above explanation of the three cases, our scheme withstands the user impersonation attack.

Theorem 4  The proposed protocol withstands the gateway node impersonation attack.

Proof  In this attack, the attacker obstructs communicated messages from the public channel and tries to impersonate the gateway node GW. But, in our scheme, the attacker is unable to execute this attack because if the attacker intercepts the messages {M1, M4, M5, M6} and {M9, M10}, where M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg), M4 = E_{h(XGS ∥ Kj)}(IDg ∥ IDi ∥ Mi ∥ Ai ∥ T3), M5 = Ni ⊕ h(T3 ∥ h(RPWi ∥ Fi)), M6 = h(IDi ∥ Ni ∥ T3 ∥ IDg), M9 = E_{h(RPWi ∥ Fi)}(Ci^n ∥ Ni ∥ Vi ∥ DIDi^n), M10 = h(SK ∥ Ci^n ∥ DIDi^n). Now, for evaluating these above messages, the attacker has to know IDi, XGS, XG and RPWi, which are very difficult to guess at one time. Therefore, our protocol resists the gateway node impersonation attack.

Theorem 5  The proposed protocol withstands the sensor node impersonation attack.

Proof  As in the gateway impersonation attack, the attacker steals the public messages and then tries to impersonate a sensor node SNj. But in our scheme, the attacker is not able to execute this attack because if the attacker intercepts the message {M7, M8, T5}, where M7 = Vi ⊕ h(Mi ∥ Ni), M8 = h(SK ∥ IDi ∥ IDg ∥ T5), and SK = h(h(RPWi ∥ Fi) ∥ Mi ∥ Ni ∥ Vi). To compute these values, the attacker has to know IDi and SK at the same time, which is not feasible in polynomial time. Therefore, our protocol resists the sensor node impersonation attack.

Theorem 6  The proposed protocol withstands the smartcard stolen attack.

Proof  Suppose the attacker steals the user's smartcard and extracts all parameters {Ai, Ci, DIDi, Di, Rn, H(⋅), h(⋅)} from it by using a side channel attack (Kocher et al. 1999; Messerges et al. 2002). Then, the attacker tries to guess PWi of Ui, but we have already proved in Theorem 1 that our scheme is fully protected from the password guessing attack. In addition, the attacker tries to compute a valid login message for impersonating a genuine user, but he/she cannot impersonate, as already proved in Theorem 3. Thus, by this summarization, our protocol is secure from the smartcard stolen attack.

Theorem 7  The proposed protocol withstands the replay attack.

Proof  Suppose the attacker eavesdropped a login message {DIDi, M1, M2, M3} and all other publicly communicated messages {M1, M4, M5, M6}, {M7, M8}, and {T5, M9, M10} and then replays a public message after some time. But, our scheme is able to defend against a replay attack for the following reasons.

• In our protocol's login message, i.e., {DIDi, M1, M2, M3}, where M1 = Mi ⊕ h(DIDi ∥ XG ∥ IDg), M2 = E_{h(Mi ∥ Rg)}(IDi ∥ SIDj ∥ T1 ∥ Ai), and M3 = h(IDi ∥ SIDj ∥ h(RPWi ∥ Fi)). The login message consists of the random nonce Mi and the timestamp T1, which follow the rule of uniqueness property. So, this message is peculiar and valid for one session only. Besides, the login message is also made with IDi, which cannot be guessed or broken, as already demonstrated in Theorem 2.
• The communicating messages, i.e., {M4, M5, M6}, where M4 = E_{h(XGS ∥ Kj)}(IDg ∥ IDi ∥ Mi ∥ Ai ∥ T3), M5 = Ni ⊕ h(T3 ∥ h(RPWi ∥ Fi)), M6 = h(IDi ∥ Ni ∥ T3 ∥ IDg). This message also includes timestamps and the identity IDi.
• Similarly, all other communicated messages such as {M7, M8}, and {T5, M9, M10} also have random nonces and timestamps, which will not be repeated and are unique for one session only.

Theorem 8  The proposed protocol withstands the insider attack.

Proof  Several schemes are broken by this attack because if the user uses the same password to access various applications for his/her convenience, then a wicked administrator knows the password of the user and hacks another account of the same user. But, in our scheme, the Ui sends {IDi, RPWi, Fi} to the GW, where RPWi = h(IDi ∥ PWi ∥ ri) and Fi = H(Bi ∥ ri). Here, the Ui sends RPWi along with
An enhanced three factor based authentication protocol using wireless medical sensor networks…

a random number ri and IDi using hash function which is with real-time data to their corresponding legal users.
secure and resists to insider attack. Besides, the GW has no Hence, compromised sensor node is unable to reveal any
knowledge of the password of the user directly. Thus, our other information about other sensor nodes. In this way,
scheme withstands to insider attack. our scheme is unconditionally withstands to sensor node
capture attack.
Theorem 9  The proposed protocol withstands to user un-
traceability attack. Theorem 11  The proposed protocol achieves mutual authen-
tication property.
Proof  Consider that  obstructs two login messages { DIDi ,
M1 , M2 , M3 } and { DID′i , M1′ , M2′  , M3′  } and tries to find out Proof  The proposed protocol provides proper mutual
the similarity on the basis of any parameters of both login authentication property because the Ui sends a login mes-
messages respectively. However, in our protocol, this type sage, i.e., { DIDi , M1 , M2 , M3 } to the GW via public channel.
of situation will never happen because of some reasons as After receiving the message from the Ui , the GW computes
follows. Mi = M1 ⊕ h(DIDi ∥ XG ∥ IDg ) and retrieves Ci from the
database corresponding DIDi and then computes
• DIDi and DID′i are a dynamic identities, generated by the Rg = Ci ⊕ h(DIDi ∥ XG ∥ IDg ) . Next, the GW decrypts the
GW in different sessions and store by the Ui at end of each message M2 and retrieves (IDi ∥ SIDj ∥ T1 ∥ Ai ) = Dh(Mi ∥Rg )
session of authentication phase.
• Both $M_1 = M_i \oplus h(DID_i \| X_G \| ID_g)$ and $M_1' = M_i' \oplus h(DID_i' \| X_G \| ID_g)$ consist of dynamic identities which are different in each session and also valid for one session.
• Similarly, the messages $\{M_2, M_3\}$ and $\{M_2', M_3'\}$ are also different correspondingly because of using random nonces and random numbers.

Therefore, for the above reasons, our protocol withstands user un-traceability attack.

Theorem 10  The proposed protocol withstands sensor node capture attack.

Proof  Suppose the attacker captures a sensor node $SN_j$ from the network where $U_i$ accesses the real-time data from $SN_j$. Since sensor nodes are not made of tamper-resistant hardware, the attacker can easily compromise all the confidential information, including the captured sensor node's master secret key and shared session key among participant entities. But in our scheme, the secret session key among the $U_i$, the GW and the $SN_j$ is $SK = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$, where $RPW_i = h(ID_i \| PW_i \| r_i)$, $F_i = h(B_i \| r_i)$ and $M_i$, $N_i$, $V_i$ are random nonces generated by the $U_i$, the GW and the $SN_j$ respectively. Since all the parameters of the session key are protected by the hash function, each established session key between $U_i$, GW and $SN_j$ is distinct over the network. Note that each node is installed in the target field with a unique randomly generated master key. Thus, the attacker is able to compromise the master key of that captured node only. Using this compromised master key, the attacker cannot compute the secret information of $SK$ like $ID_i$, $PW_i$, $r_i$ and $B_i$, which are only known to $U_i$. As a result, the attacker can only communicate with false data to the legitimate $U_i$ only. Other non capture sensor nodes can still respond securely

($M_2$) and then checks $T_2 - T_1 \le \Delta T$. If this is true then it performs further steps; otherwise, the session is terminated. Further, GW computes $h(RPW_i \| F_i) = A_i \oplus h(DID_i \| X_G \| ID_g)$, $M_3' = h(ID_i \| SID_j \| h(RPW_i \| F_i))$ and compares $M_3' \stackrel{?}{=} M_3$. If this is true then the $U_i$ is authenticated by the GW, which accepts the login message; otherwise, it terminates the session. Here, any fabricated login message, i.e., $\{DID_i, M_1', M_2', M_3'\}$, cannot pass authentication because the verification equation depends on the one-way hash function.

After that, the GW performs some calculations, computes some parameters and then forwards $\{M_1, M_4, M_5, M_6\}$ to the $SN_j$ via public channel. After getting the message from GW, the $SN_j$ decrypts $M_4$ using own key $X_{GS}$, $K_j$ and retrieves $(ID_g \| ID_i \| M_i \| A_i \| T_3) = D_{h(X_{GS} \| K_j)}(M_4)$ and then checks $T_4 - T_3 \le \Delta T$. If this is true then it continues; otherwise, it terminates the session. Further, the $SN_j$ computes $h(RPW_i \| F_i) = M_1 \oplus M_i \oplus A_i$, $h(T_3 \| h(RPW_i \| F_i)) = N_i \oplus M_5$, $M_6' = h(ID_i \| N_i \| T_3 \| ID_g)$ and compares $M_6' \stackrel{?}{=} M_6$. If this comparison holds then $SN_j$ computes some parameters and forwards $\{M_7, M_8, T_5\}$ to the GW via the same channel; otherwise, it terminates the session. Here also, any modified message $\{M_1', M_4', M_5', M_6'\}$ cannot pass authentication because the verification depends on the hash function.

After receiving the message from the $SN_j$, the GW first of all checks $T_6 - T_5 \le \Delta T$; if this holds then it computes $T_i = M_7 \oplus h(M_i \| N_i)$, $SK' = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$, and $M_8' = h(SK' \| ID_i \| ID_g \| T_5)$. The $SN_j$ now compares $M_8' \stackrel{?}{=} M_8$; if this comparison holds then it continues. Otherwise, it aborts the session. Further, the GW produces another dynamic identity $DID_i^n$, computes $C_i^n = R_g \oplus h(DID_i^n \| X_G \| ID_g)$, updates the database $\{DID_i^n, C_i^n\}$ and then evaluates $M_9 = E_{h(RPW_i \| F_i)}(C_i^n \| N_i \| V_i \| DID_i^n)$, $M_{10} = h(SK \| C_i^n \| DID_i^n)$ and finally sends $\{M_9, M_{10}\}$ to $U_i$ via public channel.
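The hash-and-XOR checks described above (the GW's $M_3$ check, the $SN_j$'s $M_6$ check and the $M_8$ check on the session key), as an added Python example that is not the authors' code. Assumptions: SHA-256 over length-prefixed fields stands in for $h$; the symmetric encryption of $M_2$ and $M_4$ and the transport of $V_i$ are omitted, so their contents are passed as plain arguments; $\Delta T$ is set to 5 s; all identities and secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed freshness window in seconds; the page only names it ΔT

def h(*parts):
    """h(a || b || ...): SHA-256 over length-prefixed fields (encoding is an assumption)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):
    return t.to_bytes(8, "big")

def fresh(t_sent, t_recv):
    """T_recv - T_sent <= ΔT. Rejecting future timestamps is an added check."""
    return 0 <= t_recv - t_sent <= DELTA_T

def gw_verify_login(x_g, id_g, did_i, a_i, id_i, sid_j, m1, m3, t1, t2):
    """GW: check freshness, unmask h(RPW_i || F_i) and M_i, recompute M3'."""
    if not fresh(t1, t2):
        return None
    mask = h(did_i, x_g, id_g)
    h_rf = xor(a_i, mask)                      # A_i xor h(DID_i || X_G || ID_g)
    if not hmac.compare_digest(h(id_i, sid_j, h_rf), m3):
        return None
    return h_rf, xor(m1, mask)                 # (h(RPW_i || F_i), M_i)

def sn_verify(m1, m_i, a_i, m5, m6, id_i, id_g, t3, t4):
    """SN_j: check freshness, recover h(RPW_i || F_i) and N_i, recompute M6'."""
    if not fresh(t3, t4):
        return None
    h_rf = xor(xor(m1, m_i), a_i)              # M1 xor M_i xor A_i
    n_i = xor(m5, h(ts(t3), h_rf))             # N_i = M5 xor h(T3 || h(RPW_i || F_i))
    if not hmac.compare_digest(h(id_i, n_i, ts(t3), id_g), m6):
        return None
    return h_rf, n_i

def session_key(h_rf, m_i, n_i, v_i):
    return h(h_rf, m_i, n_i, v_i)              # SK = h(h(RPW_i || F_i) || M_i || N_i || V_i)

def run_session(t1=1000, gw_delay=1, tamper_m3=False):
    """One run over constructed values; returns (SK_user, SK_gw, SK_sn) or None."""
    x_g, id_g, sid_j = secrets.token_bytes(32), b"GW-1", b"SN-7"
    id_i, did_i, r_i = b"user-42", secrets.token_bytes(16), secrets.token_bytes(16)
    rpw_i = h(id_i, b"constructed-password", r_i)   # RPW_i = h(ID_i || PW_i || r_i)
    f_i = h(b"constructed-biometric", r_i)          # F_i = h(B_i || r_i)
    h_rf = h(rpw_i, f_i)
    mask = h(did_i, x_g, id_g)
    a_i = xor(h_rf, mask)
    m_i, n_i, v_i = (secrets.token_bytes(32) for _ in range(3))
    m1, m3 = xor(m_i, mask), h(id_i, sid_j, h_rf)
    if tamper_m3:                                   # fabricated login message
        m3 = xor(m3, b"\x01" + bytes(31))
    gw = gw_verify_login(x_g, id_g, did_i, a_i, id_i, sid_j, m1, m3, t1, t1 + gw_delay)
    if gw is None:
        return None
    gw_h_rf, gw_m_i = gw
    t3 = t1 + gw_delay
    m5 = xor(n_i, h(ts(t3), gw_h_rf))
    m6 = h(id_i, n_i, ts(t3), id_g)
    sn = sn_verify(m1, gw_m_i, a_i, m5, m6, id_i, id_g, t3, t3 + 1)
    if sn is None:
        return None
    sk_sn = session_key(sn[0], gw_m_i, sn[1], v_i)
    t5 = t3 + 2
    m8 = h(sk_sn, id_i, id_g, ts(t5))               # SN_j -> GW
    sk_gw = session_key(gw_h_rf, gw_m_i, n_i, v_i)  # GW recomputes SK' and M8'
    if not hmac.compare_digest(h(sk_gw, id_i, id_g, ts(t5)), m8):
        return None
    return session_key(h_rf, m_i, n_i, v_i), sk_gw, sk_sn

if __name__ == "__main__":
    print(run_session() is not None, run_session(tamper_m3=True), run_session(gw_delay=DELTA_T + 1))
```

A run with a one-bit change in $M_3$ or a delay beyond $\Delta T$ returns `None`, and two honest runs yield different session keys because the nonces differ.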


After receiving the message from the GW, the $U_i$ decrypts the message $(C_i^n \| N_i \| V_i \| DID_i^n) = D_{h(RPW_i \| F_i)}(M_9)$, computes $SK' = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$, $M_{10}' = h(SK' \| C_i^n \| DID_i^n)$ and compares $M_{10}' \stackrel{?}{=} M_{10}$. If this comparison holds then the $U_i$ replaces $DID_i$ with $DID_i^n$ and $C_i$ with $C_i^n$ and then mutual authentication holds.

Theorem 12  The proposed protocol provides correct session key establishment.

Proof  The proposed protocol facilitates session key agreement when the $U_i$, GW and $SN_j$ achieve mutual authentication. After the mutual authentication process, the $U_i$, GW and $SN_j$ compute session key $SK = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$. The security of the $SK$ is analyzed as follows:

• Known-key secrecy: The known-key secrecy means that compromise of one session key should not compromise other session keys. In our scheme, the session key $SK = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$ is related to $RPW_i = h(ID_i \| PW_i \| r_i)$, $F_i = h(B_i \| r_i)$, $M_i$, $N_i$ and $V_i$. Here all the parameters of the session key are protected by the one-way hash function. In addition, the $SK$ will be different for each login session due to different random nonces $M_i$, $N_i$ and $V_i$ for each session. So, if the attacker obtains a previous $SK$ then he/she cannot obtain the other $SK$ because of random nonces. So, the proposed scheme ensures the known-key secrecy.
• Forward secrecy: The forward secrecy means if the master or private key of the system is breached then the previously established session keys should not be affected. In our scheme, suppose the master secret keys $X_G$ and $Y_G$ are compromised by some means. Besides, the attacker may somehow get the random nonces $M_i$, $N_i$ and $V_i$, but she/he cannot evaluate any previous $SK = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$ without knowing $RPW_i$ and $F_i$. So, our scheme provides forward secrecy.

Theorem 13  The proposed protocol provides accurate password change phase.

Proof  Our scheme provides accurate password change phase because some confidential parameters such as $ID_i$, $PW_i$ and $B_i$ are checked by the smartcard properly. The procedure is explained as follows: the $U_i$ firstly enters $ID_i$, $PW_i$ into the smartcard reader and also imprints $B_i$ at the sensor device. Then, the smartcard computes $r_i = R_n \oplus h(ID_i \| PW_i \| H(B_i))$, $RPW_i = h(ID_i \| PW_i \| r_i)$, $F_i = H(B_i \| r_i)$, $h(DID_i \| X_G \| ID_g) = A_i \oplus h(RPW_i \| F_i)$, $R_g = C_i \oplus h(DID_i \| X_G \| ID_g)$, and $D_i' = h(RPW_i \| R_g \| F_i)$. Now, the smartcard compares $D_i' \stackrel{?}{=} D_i$; if this is true, then it continues the procedure for changing the password; otherwise it terminates the session.

Theorem 14  The proposed protocol withstands session key temporary information attack.

Proof  Suppose the temporary secrets $M_i$, $N_i$ and $V_i$ are compromised; then the attacker cannot compute the session key $SK = h(h(RPW_i \| F_i) \| M_i \| N_i \| V_i)$ because he/she has to know $RPW_i = h(ID_i \| PW_i \| r_i)$ and $F_i = h(B_i \| r_i)$ at one time, which is against the rule of polynomial time.

8 Performance evaluation

In this section, we compare the performance of the proposed scheme with the other surviving relevant schemes (Amin et al. 2016, 2018; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014) in the context of various security aspects, smart card storage overhead, communication overhead, computation overhead and execution time. Besides, we compute the percentage of the sensor node's communication cost over total communication costs.

8.1 Communication and smartcard storage costs

In Table 5, we have provided the communication cost of the proposed scheme and other relevant schemes (Amin et al. 2016, 2018; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014). For computing the communication cost, we assume that the lengths of identity, password, random number and timestamp are 64 bits each. The length of hash function (SHA-1) takes 160 bits and symmetric encryption or decryption (AES) takes 512 bits. Therefore, Table 5 presents the communication cost for the user $U_i$, gateway node GW and sensor node $SN_j$, which depends on the length of received and transmitted messages. In the proposed scheme, $U_i$ transmits 640 bits and receives 320 bits; GW transmits 960 bits and receives 992 bits; and $SN_j$ transmits 352 bits and receives 640 bits. Thus, the total transmitted and received communication costs of $U_i$, GW and $SN_j$ are 960 bits, 1952 bits and 992 bits respectively. Besides that, the smartcard storage cost of our scheme is less than that of the schemes (Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014) but slightly higher than that of the schemes (Amin et al. 2016; Wu et al. 2015). As a result, the smartcard storage costs of our proposed scheme and the other related schemes (Amin et al. 2016; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014) are 1120 bits, 960 bits, 992 bits, 1152 bits, 1216 bits, 1856 bits, 1152 bits and 1568 bits.


Table 5  Communication cost (in bits) comparison

| Schemes | $U_i$ T | $U_i$ R | GW T | GW R | $SN_j$ T | $SN_j$ R | TCC | SCSC |
|---|---|---|---|---|---|---|---|---|
| Amin et al. (2016) | 1024 | 480 | 1088 | 1408 | 384 | 608 | 4992 | 960 |
| Wu et al. (2015) | 1184 | 800 | 832 | 1184 | 800 | 832 | 5632 | 992 |
| Shin et al. (2016) | 672 | 2368 | 2368 | 992 | 1504 | 1184 | 9088 | 1152 |
| Li et al. (2015) | 1088 | 576 | 1152 | 1664 | 576 | 576 | 5632 | 1216 |
| Kumar et al. (2012) | 576 | 576 | 576 | 576 | 576 | 576 | 3456 | 1856 |
| Khan and Kumari (2014) | 1088 | 480 | 2272 | 224 | 448 | 928 | 5440 | 1152 |
| Turkanović et al. (2014) | 704 | 576 | 672 | 992 | 1568 | 1376 | 5888 | 1568 |
| Amin et al. (2018) | 672 | 640 | 1120 | 992 | 320 | 480 | 4224 | – |
| Proposed | 640 | 320 | 960 | 992 | 352 | 640 | 3904 | 1120 |

T, transmit; R, receive; TCC, total communication cost; SCSC, smartcard storage cost

8.2 Computation cost and execution time

In Table 6, we have delineated the computation cost and execution time comparison of the proposed scheme with other relevant schemes (Amin et al. 2016, 2018; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014). The computation costs of the proposed protocol and other schemes (Amin et al. 2016, 2018; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014) are $33T_H + 6T_S$, $33T_H$, $20T_H + 8T_S$, $15T_H + 8T_E + 3T_S$, $18T_H + 10T_S$, $6T_H + 7T_S$, $21T_H + 3T_S$, $19T_H$ and $36T_H$ respectively, where $T_H$ represents the hash function, $T_S$ denotes the symmetric key encryption or decryption operation and $T_E$ denotes the modular exponentiation operation. As suggested in Jiang et al. (2014), we have presumed that the execution times for hash function, symmetric-key encryption or decryption and modular exponentiation operation are 0.0005, 0.0087 and 0.522 s respectively. The proposed scheme takes $33T_H + 6T_S = 33 \times 0.0005 + 6 \times 0.0087 = 0.0687$ s, whereas other relevant schemes (Amin et al. 2016, 2018; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014) take 0.0165, 0.0796, 4.2096, 0.096, 0.0639, 0.0366, 0.0095, and 0.018 s respectively. It has been noticed that the computation cost and execution time of our scheme are less compared to other schemes (Wu et al. 2015; Li et al. 2015; Shin et al. 2016). However, the schemes (Amin et al. 2016, 2018; Turkanović et al. 2014) take less computation cost and execution time compared to the proposed scheme. But in the security features subsection, we have found that the scheme of Amin et al. (2016) suffers from identity guessing attack and also does not provide a correct authentication phase. Moreover, the scheme of Turkanović et al. (2014) is vulnerable to password guessing attack, identity guessing attack, impersonation attack and smart card stolen attack, and also does not provide an efficient authentication phase. In addition, the scheme of Amin et al. (2018) is not secure against insider attack. Therefore, our proposed scheme provides comparatively good performance in the context of computation cost and execution time.

Table 6  Computation cost and execution time (in s)

| Schemes | $U_i$ | GW | $SN_j$ | TCC* | ET |
|---|---|---|---|---|---|
| Amin et al. (2016) | $12T_H$ | $16T_H$ | $5T_H$ | $33T_H$ | 0.0165 |
| Wu et al. (2015) | $10T_H + 2T_S$ | $6T_H + 5T_S$ | $4T_H + 1T_S$ | $20T_H + 8T_S$ | 0.0796 |
| Shin et al. (2016) | $3T_H + 2T_E + 1T_S$ | $7T_H + 3T_E + 2T_S$ | $5T_H + 3T_E$ | $15T_H + 8T_E + 3T_S$ | 4.2096 |
| Li et al. (2015) | $6T_H + 2T_S$ | $7T_H + 6T_S$ | $5T_H + 2T_S$ | $18T_H + 10T_S$ | 0.096 |
| Kumar et al. (2012) | $4T_H + 2T_S$ | $1T_H + 3T_S$ | $1T_H + 2T_S$ | $6T_H + 7T_S$ | 0.0639 |
| Khan and Kumari (2014) | $6T_H + 1T_S$ | $8T_H + 2T_S$ | $7T_H$ | $21T_H + 3T_S$ | 0.0366 |
| Turkanović et al. (2014) | $7T_H$ | $5T_H$ | $7T_H$ | $19T_H$ | 0.0095 |
| Amin et al. (2018) | $12T_H$ | $18T_H$ | $6T_H$ | $36T_H$ | 0.018 |
| Proposed | $11T_H + 2T_S$ | $16T_H + 3T_S$ | $6T_H + 1T_S$ | $33T_H + 6T_S$ | 0.0687 |

TCC*, total computation cost; ET, execution time

8.3 Sensor node's performance comparison

In Table 7, we provide the sensor node's performance comparison of our scheme along with other relevant schemes (Amin et al. 2016; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014; Amin et al. 2018) in terms of computation cost and execution time. In a wireless sensor network, the main issue is to minimize the energy consumption of the sensor node. Basically, the sensor nodes have limited computing resources, energy and transmission capacity, and the lifetime of the sensor nodes relies on (1) cryptographic operation computation, (2) length of transmitting information (in bits) and (3) length of obtaining information (in bits). From Table 7, we can observe that our protocol's sensor node consumes less energy (computation cost and execution time) compared to the schemes in (Amin et al. 2016; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012). Therefore, the proposed protocol achieves better performance in terms of energy consumption of the sensor node. In Table 8, we present the sensor node's communication cost and its percentages. As a result, the percentage of communication cost of the sensor node with respect to total communication cost is less for our protocol, which is very important to save the capacity (battery life) of the sensor node and for use in real-time applications.

8.4 Security features

In Table 9, we present the security features comparison of the proposed scheme with other surviving relevant schemes (Amin et al. 2016, 2018; Wu et al. 2015; Shin et al. 2016; Li et al. 2015; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014). We observe some important points from Table 9 as follows:

• The protocols (Shin et al. 2016; Kumar et al. 2012; Khan and Kumari 2014; Turkanović et al. 2014) are vulnerable to password guessing attack and impersonation attack, and have no user anonymity property. Next, the protocols (Kumar et al. 2012; Turkanović et al. 2014) suffer from identity guessing attack and smart card stolen attack, whereas the protocols (Amin et al. 2016; Kumar et al. 2012; Wu et al. 2015; Li et al. 2015; Khan and Kumari 2014; Turkanović et al. 2014; Shin et al. 2016) do not defend against the impersonation attack.
• The protocols (Amin et al. 2018; Kumar et al. 2012) are not secure from insider attack.
• The schemes (Amin et al. 2016; Shin et al. 2016; Turkanović et al. 2014) and the scheme of Shin et al. (2016) do not provide accurate authentication and password change phase respectively.
• The protocols (Wu et al. 2015; Shin et al. 2016; Khan and Kumari 2014) are vulnerable to sensor node capture attack. Moreover, the protocol of Kumar et al. (2012) does not provide accurate session key establishment and mutual authentication property.

As a result, we can observe from Table 9 that most of the protocols are not completely secure against various security threats and also do not facilitate all the security features. However, our protocol is secure against these various security threats and also provides more security features compared to other schemes.

Table 7  Computation cost and execution time (in s) comparison of sensor nodes

| Schemes | CC* | ET |
|---|---|---|
| Amin et al. (2016) | $5T_H$ | 0.0025 |
| Wu et al. (2015) | $4T_H + 1T_S$ | 0.0107 |
| Shin et al. (2016) | $5T_H + 3T_E$ | 1.568 |
| Li et al. (2015) | $5T_H + 2T_S$ | 0.0199 |
| Kumar et al. (2012) | $1T_H + 2T_S$ | 0.0179 |
| Khan and Kumari (2014) | $7T_H$ | 0.0035 |
| Turkanović et al. (2014) | $7T_H$ | 0.0035 |
| Amin et al. (2018) | $6T_H$ | 0.003 |
| Proposed | $6T_H + 1T_S$ | 0.0117 |

CC*, computation cost; ET, execution time

Table 8  Communication cost (in bits) of sensor node

| Schemes | CC of $SN_j$ | TCC | Percentage |
|---|---|---|---|
| Amin et al. (2016) | 992 | 4992 | 19.87 |
| Wu et al. (2015) | 1632 | 5632 | 28.97 |
| Shin et al. (2016) | 2688 | 9088 | 29.57 |
| Li et al. (2015) | 1152 | 5632 | 20.45 |
| Kumar et al. (2012) | 1152 | 3456 | 33.33 |
| Khan and Kumari (2014) | 1376 | 5440 | 25.29 |
| Turkanović et al. (2014) | 2944 | 5888 | 50 |
| Amin et al. (2018) | 800 | 4224 | 18.93 |
| Proposed | 992 | 3904 | 25.40 |

CC of $SN_j$, communication cost of sensor node; TCC, total communication cost

Table 9  Security features comparison

| Schemes | A1 | A2 | A3 | A4 | A5 | A6 | A7 | A8 | A9 | A10 | A11 | A12 | A13 | A14 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Amin et al. (2016) | Y | Y | N | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y |
| Wu et al. (2015) | Y | Y | N | Y | Y | Y | N | Y | Y | N | Y | Y | Y | Y |
| Shin et al. (2016) | N | Y | N | Y | Y | Y | Y | Y | N | N | Y | Y | N | N |
| Li et al. (2015) | Y | Y | N | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
| Kumar et al. (2012) | N | N | N | Y | N | Y | Y | N | N | N | Y | N | Y | Y |
| Khan and Kumari (2014) | N | Y | N | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y |
| Turkanović et al. (2014) | N | N | N | Y | N | Y | Y | Y | N | N | Y | Y | Y | N |
| Amin et al. (2018) | N | N | N | Y | Y | Y | Y | N | Y | Y | Y | Y | Y | N |
| Proposed | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |

Y, Yes; N, No; A1, Resist password guessing attack; A2, Resist identity guessing attack; A3, Resist user impersonation attack; A4, Resist gateway node impersonation attack; A5, Resist sensor node impersonation attack; A6, Resist smart card stolen attack; A7, Resist replay attack; A8, Resist insider attack; A9, Accurate authentication phase; A10, Resist sensor node capture attack; A11, Correct session key establishment; A12, Achieve mutual authentication property; A13, Accurate password change phase; A14, Resist session-key temporary information attack

9 Conclusion

In this paper, firstly we have briefly investigated Amin et al.'s scheme and then observed some security weaknesses such as off-line password guessing attack, user impersonation attack, known session key temporary information attack, and identity guessing attack. To remedy these above-mentioned security attacks, the authors propose an enhanced three-factor based authentication scheme in the WMSNs environment. The formal security analysis is done using BAN logic and the AVISPA tool. The informal security analysis ensures that our protocol is able to protect against various kinds of wicked attacks. Moreover, performance evaluation of our scheme along with other related existing schemes provides better complexities in the context of communication and computation costs. In the future, we aim to reduce the complexities of the proposed protocol without compromising security attributes. In addition, we would also extend this work for cloud environments.

References

Ali R, Pal AK (2017) A secure and robust three-factor based authentication scheme using RSA cryptosystem. Int J Bus Data Commun Netw 13(1):74–84
Ali R, Pal AK (2018a) Cryptanalysis and biometric-based enhancement of a remote user authentication scheme for e-healthcare system. Arab J Sci Eng. https://doi.org/10.1007/s13369-018-3220-4
Ali R, Pal AK (2018b) An efficient three factor-based authentication scheme in multiserver environment using ECC. Int J Commun Syst 31:4
Ali R, Pal AK (2018c) A secure three-factor remote user authentication scheme using elliptic curve cryptosystem. In: Proceedings of the international conference on microelectronics, computing and communication systems. Springer, pp 9–24
Ali R, Pal AK, Kumari S, Karuppiah M, Conti M (2017) A secure user authentication and key-agreement scheme using wireless sensor networks for agriculture monitoring. Futur Gener Comput Syst. https://doi.org/10.1016/j.future.2017.06.018
Amin R, Islam SH, Biswas G, Khan MK, Kumar N (2018) A robust and anonymous patient monitoring system using wireless medical sensor networks. Futur Gener Comput Syst 80:483–495
Amin R, Islam SH, Biswas G, Khan MK, Leng L, Kumar N (2016) Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Comput Netw 101:42–62
An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. BioMed Res Int
Burrows M, Abadi M, Needham RM (1989) A logic of authentication. Proc R Soc Lond A Math Phys Eng Sci 426:233–271
Chandrakar P, Om H (2016) A secure two-factor remote user authentication and session key agreement scheme. Int J Bus Data Commun Netw 12(2):62–79
Chandrakar P, Om H (2017a) Cryptanalysis and extended three-factor remote user authentication scheme in multi-server environment. Arab J Sci Eng 42(2):765–786
Chandrakar P, Om H (2017b) Cryptanalysis and improvement of a biometric-based remote user authentication protocol usable in a multiserver environment. Trans Emerg Telecommun Technol 28:12
Chandrakar P, Om H (2017c) Cryptanalysis and security enhancement of three-factor remote user authentication scheme for multi-server environment. Int J Bus Data Commun Netw 13(1):85–101
Chandrakar P, Om H (2017d) A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC. Comput Commun 110:26–34
Chandrakar P, Om H (2018a) An efficient two-factor remote user authentication and session key agreement scheme using Rabin cryptosystem. Arab J Sci Eng 43(2):661–673
Chandrakar P, Om H (2018b) An extended ecc-based anonymity-preserving 3-factor remote authentication scheme usable in TMIS. Int J Commun Syst. https://doi.org/10.1002/dac.3540
Chen T-H, Chen Y-C, Shih W-K, Wei H-W (2011) An efficient anonymous authentication protocol for mobile pay-tv. J Netw Comput Appl 34(4):1131–1137
Das AK (2011) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151
He D, Kumar N, Chen J, Lee C-C, Chilamkurti N, Yeo S-S (2015a) Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed Syst 21(1):49–60
He D, Kumar N, Chilamkurti N (2015b) A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf Sci 321:263–277
Jiang Q, Ma J, Li G, Yang L (2014) An efficient ticket based authentication protocol with unlinkability for wireless access networks. Wirel Person Commun 77(2):1489–1506
Khan MK, Kumari S (2014) An improved user authentication protocol for healthcare services via wireless medical sensor networks. Int J Distrib Sens Netw 10(4):347169
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Annual international cryptology conference. Springer, pp 388–397
Kumar P, Lee S-G, Lee H-J (2012) E-sap: efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks. Sensors 12(2):1625–1647
Lee T-F (2015) Enhancing the security of password authenticated key agreement protocols based on chaotic maps. Inf Sci 290:63–71

Li C-T, Hwang M-S (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5
Li X, Niu J, Khan MK, Liao J, Zhao X (2014a) Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Commun Netw 9(13):1916–1927
Li X, Niu J, Kumari S, Liao J, Liang W, Khan MK (2015) A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity. Secur Commun Netw 9(15):2643–2655
Li X, Niu J, Kumari S, Wu F, Sangaiah AK, Choo K-KR (2018) A three-factor anonymous authentication scheme for wireless sensor networks in internet of things environments. J Netw Comput Appl 103:194–204
Li X, Niu J, Wang Z, Chen C (2014b) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497
Li X, Niu J-W, Ma J, Wang W-D, Liu C-L (2011) Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79
Liu C-H, Chung Y-F (2017) Secure user authentication scheme for wireless healthcare sensor networks. Comput Electr Eng 59:250–261
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Ni L, Chen G, Li J, Hao Y (2016) Strongly secure identity-based authenticated key agreement protocols without bilinear pairings. Inf Sci 367:176–193
von Oheimb D (2005) The high-level protocol specification language HLPSL developed in the EU project AVISPA. In: Proceedings of APPSEM workshop, pp 1–17
Rahman F, Hoque ME, Ahamed SI (2017) Anonpri: a secure anonymous private authentication protocol for RFID systems. Inf Sci 379:195–210
Shin S, Lee SW, Kim H (2016) Authentication protocol for healthcare services over wireless body area networks. Int J Comput Commun Eng 5(1):50
Sutrala AK, Das AK, Odelu V, Wazid M, Kumari S (2016) Secure anonymity-preserving password-based user authentication and session key agreement scheme for telecare medicine information systems. Comput Methods Programs Biomed 135:167–185
Turkanović M, Brumen B, Hölbl M (2014) A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion. Ad Hoc Netw 20:96–112
Wang D, He D, Wang P, Chu C-H (2015a) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Depend Secur Comput 12(4):428–442
Wang D, Wang N, Wang P, Qing S (2015b) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci 321:162–178
Wei J, Liu W, Hu X (2014) Cryptanalysis and improvement of a robust smart card authentication scheme for multi-server architecture. Wirel Person Commun 77(3):2255–2269
World Health Organization (2010) Increasing access to health workers in remote and rural areas through improved retention: global policy recommendations. World Health Organization, Geneva
Wu T-S, Lin H-Y (2014) Provably secure proxy convertible authenticated encryption scheme based on RSA. Inf Sci 278:577–587
Wu F, Li X, Xu L, Kumari S, Karuppiah M, Shen J (2017a) A lightweight and privacy-preserving mutual authentication scheme for wearable devices assisted by cloud server. Comput Electr Eng 63:168–181
Wu F, Xu L, Kumari S, Li X (2015) An improved and anonymous two-factor authentication protocol for health-care applications with wireless medical sensor networks. Multimed Syst 23(2):195–205
Wu F, Xu L, Kumari S, Li X, Shen J, Choo K-KR, Wazid M, Das AK (2017b) An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IOT deployment. J Netw Comput Appl 89:72–85
Zhang L (2015) Certificateless one-pass and two-party authenticated key agreement protocol and its extensions. Inf Sci 293:182–195
Zhang J, Zhao X, Ji C (2015) A novel authenticated encryption scheme and its extension. Inf Sci 317:196–201

Publisher's Note  Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
