Computers and Electrical Engineering 69 (2018) 534–554

Contents lists available at ScienceDirect

Computers and Electrical Engineering

journal homepage: www.elsevier.com/locate/compeleceng

An efficient ECC-based provably secure three-factor user

authentication and key agreement protocol for wireless
healthcare sensor networksR
Sravani Challa a, Ashok Kumar Das a,∗, Vanga Odelu b, Neeraj Kumar c,
Saru Kumari d, Muhammad Khurram Khan e, Athanasios V. Vasilakos f
a
Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
b
Department of Computer Science and Engineering, Indian Institute of Information Technology Chittoor, Sri City 517 588, India
c
Department of Computer Science and Engineering, Thapar University, Patiala 147 004, India
d
Department of Mathematics, Ch. Charan Singh University, Meerut 250 005, India
e
Center of Excellence in Information Assurance, King Saud University, Riyadh, Kingdom of Saudi Arabia
f
Department of Computer Science, Electrical and Space Engineering, Lulea University of Technology, Lulea 971 87, Sweden

a r t i c l e i n f o a b s t r a c t

Article history: We first show the security limitations of a recent user authentication scheme proposed for
Received 9 September 2016 wireless healthcare sensor networks. We then present a provably secure three-factor user
Revised 4 August 2017
authentication and key agreement protocol for wireless healthcare sensor networks. The
Accepted 7 August 2017
proposed scheme supports functionality features, such as dynamic sensor node addition,
Available online 18 August 2017
password as well as biometrics update, smart card revocation along with other usual fea-
Keywords: tures required for user authentication in wireless sensor networks. Our scheme is shown to
Wireless healthcare sensor networks be secure through the rigorous formal security analysis under the Real-Or-Random (ROR)
User authentication model and broadly-accepted Burrows-Abadi-Needham (BAN) logic. Furthermore, the simu-
Session key lation through the widely-known Automated Validation of Internet Security Protocols and
Elliptic curve cryptography Applications (AVISPA) tool shows that our scheme is also secure. High security, and low
AVISPA communication and computation costs make our scheme more suitable for practical appli-
BAN logic cation in healthcare applications as compared to other related existing schemes.
Formal security
© 2017 Elsevier Ltd. All rights reserved.

1. Introduction

Developments in telecommunication and information technology helped in eliminating distance barriers while providing
health care. Over the years, telemedicine using radio and telephone has been replaced with video-telephony, distributed
client/server applications and devices that support home-care. This has facilitated remote monitoring of patients and thus
has improved medical facilities in rural communities. Technology also allows doctors in multiple locations to share infor-
mation and discuss cases. Apart from decreasing the number of required outpatient visits, use of telemedicine reduces the

R
Reviews processed and recommended for publication to the editor-in-chief by area editor Dr. G. Martinez Perez.
∗
Corresponding author.
E-mail addresses: c.sravani@research.iiit.ac.in (S. Challa), iitkgp.akdas@gmail.com, ashok.das@iiit.ac.in (A.K. Das), odelu.vanga@gmail.com,
odelu.vanga@iiits.in (V. Odelu), neeraj.kumar@thapar.edu (N. Kumar), saryusiirohi@gmail.com (S. Kumari), mkhurram@ksu.edu.sa (M.K. Khan),
th.vasilakos@gmail.com (A.V. Vasilakos).

http://dx.doi.org/10.1016/j.compeleceng.2017.08.003
0045-7906/© 2017 Elsevier Ltd. All rights reserved.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 535

Fig. 1. A typical healthcare-monitoring scenario (Source: [1]).

overall cost of medical care. Telemedicine can be delivered using networks linking hospitals with community health centers
in rural areas.
Wireless Sensor Networks (WSNs) for medical applications has been garnering a lot of attention in recent years due to
advantages over wired alternatives such as enhanced mobility, reduced risk of infection, low cost etc. An emerging aspect
of the telemedicine is the Wireless Body Area Network (WBAN), where each patient belonging to the system is provided
with the body sensor nodes that collect and monitor vitals such as temperature, heart beat, blood pressure etc., irrespective
of the patient’s condition and location. The collected information is then received by a smart mobile device using any one
of bluetooth, wi-fi, etc. The smart device forwards the information to a remote health care facility over a wi-fi or 3G/4G
network. A typical healthcare-monitoring scenario is demonstrated in Fig. 1, which is adapted from the scheme [1]. Along
with providing continuous monitoring by instantly updating patient’s vitals for hospitals to store and process using wearable
sensor devices, WSNs also help to detect emergencies sooner.
Multiple technical challenges need to be faced while setting up a WSN for health care. Along with the obvious limitations
in a WSN, such as scarce energy reserves, processing and memory constraints, limited network capacity etc., any health care
network imposes a definite requirement of quality of service, system reliability and above all, privacy and security. Since
most sensor network deployment consists of stationery nodes that transmit data with focus on best effort data collection
at the base station at a relatively low rate, there is a huge gap between the design of such networks and requirements
of telemedicine. Also, as the sensor nodes are usually deployed over an unattended area, it may lead to a compromise of
patient privacy either due to eavesdropping attacks or sensor node capture physically by an adversary.

1.1. Related work

This section outlines various authentication schemes proposed to secure health care sensor networks. Over the years,
many researchers have come up with schemes to strengthen the security of wireless medical care networks. Malasri and
Wang [2] implemented a secure key exchange protocol using Elliptic Curve Cryptography (ECC) to establish a shared key
between sensor node and base station along with a two-tier architecture for user data authentication with the help of
biometrics. Hu et al. [3] proposed a real-time hardware and software based protocol for monitoring cardiac patients. Wire-
less ECG communication unit, called a mobile platform, is integrated together. Although the scheme provides privacy and
integrity, it does not include strong user authentication. Huang et al. [4] proposed a three-tiered sensor-based hierarchical
architecture for monitoring health. Wireless Sensor Motes (WSM) and Wearable Sensor Systems (WSS) were placed strate-
gically in each tier to broadcast data. Advanced Encryption Standard (AES)-based authentication and encryption is used at
the WSS, while a polynomial-based encryption is used at the WSM to establish point-to-point secure communication.
In recent years, Le et al. [5] came up with a scheme supporting access control and mutual authentication using ECC. Also,
they argue that the scheme is secure against known attacks like replay and denial-of-service attack. However, it has been
proved that this scheme is vulnerable to eavesdropping compromising patient privacy. Das [6] proposed a two-factor user
authentication protocol for WSNs claiming that the scheme is secure against known attacks like password-guessing, user
impersonation, replay, node compromise and stolen-verifier attacks. However, Khan and co-workers [7,8] showed that this
protocol is not secure against user impersonation and insider attack. Also, the scheme does not support mutual authentica-
tion and message confidentiality between the user and the sensor.
536 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

In [9], Kumar and Lee established that the schemes in [7,8] had security vulnerabilities and high computation costs
making them unsuitable for wireless health care applications. A major drawback of all the above schemes is the absence of
a strong user authentication, which is a primary concern in such networks.
Wu et al. [10] pointed out weaknesses of existing authentication schemes and then presented a three-factor remote au-
thentication scheme. Their scheme provides forward security as well as the user’s privacy. However, Xie et al. [11] showed
that Wu et al.’s scheme [10] is vulnerable to an impersonation attack as the de/encryption key of the server and the user
can be computed by an adversary. Furthermore, Arshad and Nikooghadam [12] proposed an efficient three-factor anonymous
authentication and key agreement scheme for the telecare medicine information systems.
Nam et al. [13] proposed a smart-card based provably secure authentication scheme for wireless sensor networks. Their
scheme is based on ECC and uses user password in the proposed scheme. Turkanovic et al. [14] proposed a user authentica-
tion and key agreement scheme for heterogeneous WSN (HWSN). Their scheme was adapted to the Internet of Things (IoT)
notion. Later, Farash et al. [15] showed that Turkanovic et al. [14] is suspected to some security shortcomings, such as (1) it
does not provide user traceability, (2) it does not provide sensor node anonymity, (3) it is insecure against stolen smart card
attacks, sensor node impersonation attack and man-in-the-middle attack and (4) the secret parameters and session key are
disclosed to an attacker. To overcome the security limitations of Turkanovic et al.’s scheme, they proposed improved user
authentication and key agreement scheme for HWSN.
In 2016, Liu and Chung [16] proposed a user authentication scheme using bilinear pairing and a trusted authority to au-
thenticate the user, and also to establish secure communication between a user and a sensor node. In this paper, we discuss
the security limitations in Liu–Chung’s scheme [16] and show it is vulnerable to many known attacks. To counter these limi-
tations, we present a provably secure three-factor authentication and key agreement scheme suitable for wireless healthcare
sensor networks, which is based on lightweight ECC point multiplications as compared to costly bilinear operations as in
Liu–Chung’s scheme [16].

1.2. Threat model

The Dolev–Yao threat model [17] is used, where communication between two entities is over an open (public) channel.
An adversary can then modify, delete or eavesdrop on the messages being transmitted. We further assume that an adversary
can physically capture one or more sensors equipped in a patient’s body, and can extract all the sensitive information stored
in the captured sensors using the power analysis attacks [18].

1.3. Our contributions

The contribution of this paper is manyfold:

• The scheme proposed by Liu and Chung [16] is reviewed to show that it is indeed susceptible to attacks, such as
stolen smart card, password guessing, privileged insider and user impersonation attacks. In addition, Liu–Chung’s scheme
[16] fails to provide proper mutual authentication.
• A provably secure three-factor authentication and key agreement protocol has been proposed to counter the security lim-
itations found in Liu–Chung’s scheme. The three factors used in the proposed scheme are the smart card, user password
and user biometrics. Note that biometric authentication enhances security of the system.
• The proposed scheme is proved to be secure against various known attacks using the broadly-accepted BAN logic and
formal security analysis under the standard model, and also through the rigorous informal security analysis. Note that
AVISPA tool has been used to simulate the formal verification of the security of the proposed scheme.
• Finally, it is shown that the proposed scheme ensures low computation and communication costs while proving high
security as compared to that for Liu–Chung’s scheme and other existing schemes.

1.4. Organization of the paper

The paper is organized as follows. Section 2 explains the required mathematical preliminaries and definitions. In Section 3,
the scheme proposed by Liu–Chung [16] is reviewed, and its cryptanalysis is also done. The proposed authentication scheme
and its security analysis are detailed in Sections 4 and 5, respectively. AVISPA simulation is shown in Section 6 for the pro-
posed scheme. A comparative analysis of communication and computation costs has been done in Section 7. The paper is
finally concluded in Section 8.

2. Mathematical background

This section discusses the useful cryptographic primitives needed to describe and analyze both Liu–Chung’s scheme and
the proposed scheme.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 537

2.1. Elliptic curve cryptography

Let p > 3 be a prime. The elliptic curve y2 = x3 + ax + b over the finite field Z p = {0, 1, . . . , p − 1} is the set Ep (a, b) of
solutions (x, y) ∈ Zp × Zp to the congruence y2 = x3 + ax + b (mod p), where a, b ∈ Zp are constants with the non-singularity
of the elliptic curve property 4a3 + 27b2 = 0 (mod p), together with a special point O, called the point at infinity (or zero
point). Note that Ep (a, b) constitutes an abelian or commutative group under addition modulo p operation.
Let G be the base point on Ep (a, b) whose order be n, that is, nG = G + G + . . . + G(n times ) = O. If P = (xP , yP ) and Q =
(xQ , yQ ) be two points on elliptic curve y2 = x3 + ax + b ( mod p), R = (xR , yR ) = P + Q is computed as follows [19]: xR =
yQ −yP 3xP 2 +a
(λ2 − xP − xQ ) (mod p) and yR = (λ(xP − xR ) − yP ) (mod p), where λ = xQ −xP (mod p) if P = −Q and λ = 2yP (mod p)
if P = Q.
In elliptic curve cryptography, multiplication is defined as repeated additions. For example, if P ∈ Ep (a, b), then 5P is
computed as 5P = P + P + P + P + P (mod p) is known as ECC point or scalar multiplication.

Definition 1 (Elliptic Curve Discrete Logarithm Problem (ECDLP)). Suppose k is a positive integer and P, Q ∈ Ep (a, b) be two
points on the elliptic curve such that Q = k.P . Then, the Elliptic Curve Discrete Logarithm Problem (ECDLP) is to determine
k given P and Q. It is computationally easy to calculate Q given k and P, but it is computationally infeasible to determine
k given Q and P, when the prime p is large. In other words, ECDLP can be also formally defined as follows. For any Proba-
bilistic Polynomial Time (PPT) algorithm, say A (in the security parameter l), P r[A(P, Q ) = k] <  (l ), where  (l) is a negligible
function depending on l and Pr[B] is the probability of a random event B.

2.2. Collision resistant one-way hash function

A one-way hash function h: {0, 1}∗ → {0, 1}n that takes an arbitrary length binary string x ∈ {0, 1}∗ as input, and then
outputs a binary string of fixed length n, say y ∈ {0, 1}n such that y = h(x ). Here, y is known as the hash digest of input x.

Definition 2 (Collision resistant one-way hash function). Let AdvHASH (A ) (t ) denote the advantage that an adversary A can find
a collision in hash digest. Then, AdvHASH (t ) = P r[ ( x, x  ) ∈ A : x = x , h (x ) = h (x )], where the pair (x, x ) ∈ A is selected
(A ) R R
randomly by A. By an (ψ , t)-adversary A attacking the collision resistance of h( · ), it means that the runtime of A is at
(A ) (t ) ≤ ψ .
most t and that AdvHASH

2.3. Bilinear pairing

Let q be a large prime and p be a prime such that q | p − 1. Let G1 and G2 be two cyclic groups of prime order q, where
G1 be an additive cyclic group over an elliptic curve Ep (a, b) and G2 a multiplicative cyclic group over a finite field Zp .

Definition 3 (Bilinear map). A bilinear map eˆ : G1 × G1 → G2 is a function with the following desirable properties:
Bilinearity: Let P, Q, R ∈ G1 and a, b ∈ Z ∗p . Then, eˆ(P + Q, R ) = eˆ(P, R ).eˆ(Q, R ), eˆ(P, Q + R ) = eˆ(P, Q ).eˆ(P, R ), eˆ(aP, bQ ) =
eˆ(bP, aQ ) = eˆ(P, Q )ab .
Non-degeneracy: Let P be a generator in the group G1 . Then, eˆ(P, P ) becomes a generator in the group G2 such that
eˆ(P, P ) = 1.
Computability: There exists an efficient algorithm to compute eˆ(P, Q ) ∈ G2 in polynomial time for all P, Q ∈ G1 .

3. Review and cryptanalysis of Liu–Chung’s scheme

In this section, we review the recent scheme proposed by Liu and Chung [16] along with a brief cryptanalysis of it to
prove that it is vulnerable to several known attacks. The notations used in this paper are listed in Table 1.

3.1. Overview of Liu-Chung’s scheme

There are three main participants in this scheme - the trusted authority (TA), sensor nodes and the patients. The system
architecture considered here has been illustrated in Fig. 2 . In this scenario, the patients in hospitals or health-care institu-
tions are fitted with wireless monitoring devices that record their vitals continuously. The base station requests the sensors
on patients for periodic updates of physiological data. This data is then uploaded to the care center servers to be analyzed
by medical professionals. To ensure authorized access to data, each user (medical personnel) must register with the TA and
procure valid credentials. To ensure secure communication, this scheme comprises of four phases, each of which is described
briefly in the following subsections.

3.1.1. Setup phase

The steps involved in this phase are as follows:
538 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

Table 1
Notations used in this paper.

Symbol Description

Ui , SNj , TA ith user, jth sensor node & trusted authority, respectively
SCi Ui ’s smart card
IDi , PWi , BIOi Ui ’s identity, password & personal biometrics template, respectively
Gen( · ), Rep( · ) Probabilistic generation & deterministic reproduction procedures in fuzzy extractor, respectively
t Error tolerance threshold used by fuzzy extractor
σ i, τ i Biometric secret key & public reproduction parameter, respectively
h( · ) Collision-resistant one-way cryptographic hash function
So 1024-bit master secret key only known to the TA
Po Large prime number
P = (xP , yP ), k.P An elliptic curve (ECC) point in elliptic curve Ep (a, b) and ECC point multiplication, respectively
Ti , Ts Current system timestamps
T Maximum transmission delay
SK Session key between Ui and S
, || Bitwise XOR and concatenation operations, respectively

Fig. 2. System architecture used in Liu–Chung’s scheme [16].

Step S1. Let q be a large prime and p be a prime such that q | p − 1. Let G1 and G2 be two cyclic groups of prime order q,
where G1 be an additive cyclic group over an elliptic curve Ep (a, b) and G2 a multiplicative cyclic group over a finite
field Zp . A bilinear map eˆ : G1 × G1 → G2 and Po ∈ G1 are selected by the TA.
Step S2. One-way hash functions H1 , H2 are also selected by the TA, where H1 : {0, 1}∗ → G2 and H2 : G2 → {0, 1}∗ .
Step S3. The TA then chooses a random number So ∈ Zq∗ to calculate the public parameter Ppub = So .Po , which is an elliptic
curve point in Ep (a, b).

3.1.2. Registration phase

Since the purpose of this scheme is to use the healthcare facilities with wireless sensor networks, it requires the user to
place a request for registration at the institution with proper identification. After identity verification, the system manager
permits the user to execute this phase with the following steps:

Step R1. Ui chooses IDi and PWi , and sends these to TA securely.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 539

Step R2. TA computes Upriv = So.U pub .

Step R3. TA selects a private parameter a. It then stores {h( · ), Upriv , IDi , PWi , a} on the smart card SCi and sends it to Ui
over a secure channel.

3.1.3. Login phase

SCi executes the following steps after Ui inserts it and enters the credentials, such as the identity IDi and password PWi :

Step L1. SCi checks if IDi and PWi entered by Ui match with those already stored in it, and proceeds if the verification
holds.
Step L2. SCi computes Sig = r.Upriv , where r = h(IDPWa).
Step L3. SCi then sends the message Sig, IDi , r, TL to TA over a public channel, where TL is the time during the login.

3.1.4. Verification phase

After receiving the login request Sig, IDi , r, TL from Ui , TA executes the following authentication steps:

Step V1. TA permits Ui ’s request, if the IDi in the login request message matches that stored at TA and eˆ(Po, Sig) = eˆ(Ppub ,
r.Upub ).
Step V2. TA proceeds to Step V3 if the condition Tnow − TL < T holds, where Tnow is the current time at TA.
Step V3. TA chooses a random number b, and computes E = h(b Upub ) which is sent to Ui .
Step V4. TA also sends the message Tu , b, IDi to all sensor nodes and confirms that Ui is legal. Here, Tu is the time limit
within which Ui can legally access data from a sensor node.

3.1.5. Access control and encryption

A legal user Ui is permitted to access sensor node data within a set time limit after being authenticated. The following
steps are executed for secure transmission of data:

Step AE1. Ui inserts SCi , and enters IDi and PWi . SCi compares them to the stored values to authenticate Ui and then
proceeds.
Step AE2. SCi computes C = h(a  IDi ) E and sends the message C, IDi , T to an accessed sensor node SN, where T is
the current time stamp.
Step AE3. After receiving the message C, IDi , T , SN verifies if Tnow − T  < T and Tnow = Tu .
Step AE4. SN uses b received from TA and Upub of Ui to compute C = h(a  IDi ) h(bUpub ) and verifies if C = C. It then
proceeds if the check holds.
Step AE5. The data M requested by Ui is sent by SN using the computation M = m H2 (eˆ(U pub , Ppub )).
Step AE6. Ui retrieves M by computing M = m H2 (eˆ(U priv , W)), where W is a public parameter.

3.2. Cryptanalysis of Liu–Chung’s scheme

In the following subsections, we discuss several security limitations of the recently proposed Liu–Chung’s scheme for
wireless healthcare sensor networks.

3.2.1. Stolen smart card attack

Liu-Chung’s scheme involves the storing of privileged information on the smart card SCi of a user Ui . The TA personalizes
SCi for every Ui by including Upriv , IDi , PWi and the TA’s private parameter a, which are stored in the smart card SCi . Any
adversary A who steals the smart card can get all the privileged information from it including the user password PWi using
the power analysis attacks [18] as described in the threat model given in Section 1.2. Ui could be using the same password
to login to other applications which is a breach of security.

3.2.2. Offline password guessing attack

Suppose an adversary A physically captures a sensor node SN as described in the threat model given in Section 1.2. Thus,
A gets access to the private parameter a of TA, which is stored in SN. Assume that A also intercepts Ui ’s login request
message Sig, r, TL , IDi , where r = h(IDi  PWi  a). A can guess the password using the values r and IDi from the login
request message and a obtained from SN using the following steps:

• Step 1. Guess a password PWi∗ .

• Step 2. Compute r∗ = h(IDi  PWi∗  a).
• Step 3. Verify the condition r ∗ = r. It it holds, the guessed password PWi∗ is correct, that is, PWi∗ = PWi . Otherwise, repeat
from Step 1 by guessing another new password until A is successful.

It is then clear that A can successfully guess a user’s low-entropy password. Note that Ui can sometimes use the same
password to login to other applications. Hence, A will be able to access those applications which use the same password
PWi . As a result, Liu-Chung’s scheme is insecure against offline password guessing attack.
540 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

3.2.3. Privileged-insider attack

During the registration phase, Ui sends both IDi and PWi to the TA for personalizing the smart card SCi via secure channel.
A privileged user at the TA, being an insider attacker, has thus access to these secret credentials of Ui . Hence, the password
PWi is revealed to the insider attacker. This shows that Liu–Chung’s scheme fails to protect against the privileged-insider
attack.

3.2.4. User impersonation attack

The login message from Ui to TA has the information {Sig, r, IDi , TL }, where r = h(IDi  PWi a) and Sig = r.U priv are fixed
parameters. Any adversary A can obtain this message by eavesdropping, and put its own current time stamp Ta instead of TL
and then send a new valid login message {Sig, r, IDi , Ta } to the TA impersonating Ui . Note that this message will be treated
as valid one as the time stamp validation of Ta also passes. Thus, Liu-Chung’s scheme fails to protect the user impersonation
attack. In other words, Liu-Chung’s scheme also fails to protect the man-in-the-middle attack.

3.2.5. No mutual authentication

Liu–Chung’s scheme does not involve Ui for verifying the authenticity of the TA or the sensor node SN. There is no way
to find out if a sensor node SN is compromised by an attacker A. The TA can simply forward Ui ’s request for information to
the node SN without verifying the node’s integrity. The requested message is encrypted using the Upub and Ppub by the SN.
A at a compromised node SN can craft its own message as M = m  H2 (eˆ(U pub , Ppub )), where m is a fake message being
sent by A with malicious intent compromising Ui ’s system.

3.2.6. Lack of user anonymity

In Liu-Chung’s scheme, the messages Sig, IDi , r, TL , Tu , b, IDi and C, IDi , T directly involve the identity IDi of a legal
user Ui in plaintext. By eavesdropping these messages, an adversary knows IDi . As a result, Liu-Chung’s scheme does not
preserve the user anonymity property.

4. The proposed scheme

This section puts forward a provably secure ECC-based user authentication scheme for wireless healthcare sensor net-
works. The proposed scheme withstands the security limitations of Liu–Chung’s scheme listed in Section 3.2. Various phases
related to our scheme are given in detail in the following subsections.

4.1. System setup phase

The trusted authority TA sets up the system by executing the following steps:

Step S1. TA selects an elliptic curve Ep (a, b) over a finite field Zp , p being a large prime, a base point P of order n over
Ep (a, b), where 4a3 + 27b2 = 0 (mod p) and n.P = O, and a secret master key So ∈ Z ∗p .
Step S2. After that the public key Ppub = So .P is computed by TA, and a one-way cryptographic hash function h( · ) is also
chosen by TA.
Step S3. For biometric authentication, we apply the fuzzy extractor, where the probabilistic (randomized) generation
function Gen( · ) takes the user personal biometrics Bioi as input, and then returns a biometric key of length l bits, say
σ i ∈ {0, 1}l and a public reproduction parameter τ i . Another fuzzy extractor deterministic reproduction function Rep( · )
is used in the authentication phase. It takes the biometrics entered by the user, say Bio and τ i as input, provided the
hamming distance d (Bioi , Bioi ) ≤ t, where t is the error tolerance threshold value. The output of Rep( · ) is the original
biometric key σ i , that is, σi = Rep(Bioi , τi ).
Step S4. Finally, the system parameters {Ep (a, b), p, P, h( · ), Ppub , Gen( · ), Rep( · ), t} are made public, whereas So is kept
secret by the TA.

4.2. Sensor node pre-deployment phase

Along with the aforementioned system setup, all the required sensor nodes are also registered with the TA in offline as
follows:

Step PD1. For each sensor node SNj , the TA chooses a unique identity IDj and a unique master secret key mk j ∈ Z ∗p . The
TA then computes a secret value S j = h(IDj mkj ).
Step PD2. After that IDj and Sj are stored in SNj ’s memory prior to its deployment in the target field. The TA also stores
{IDj , Sj } in its database corresponding to the deployed sensor node SNj .
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 541

User (Ui ) Trusted Authority (T A)

Select IDi , K.
Compute RIDi = h(K||IDi ).
RIDi 
−−−−−→
(via secure channel) Compute Ri = h(RIDi  So ).
Smart Card{Ri }
←−−−−−−−−−−−−
Select P Wi . Imprint Bioi . (via secure channel)
Compute RP Wi = h(P Wi  K),
Gen(Bioi ) = (σi , τi ), Xi = h(RP Wi  σi ),
Yi = K ⊕ h(IDi  P Wi  σi ), Ri = Ri ⊕ h(IDi  σi )
Replace Ri with Ri in SCi .
Store {Ri , Xi , Yi , Gen(·), Rep(·), τi , h(·), t} into the smart card.

Fig. 3. Registration phase.

4.3. User registration phase

A user Ui (for example, in our case a patient) registers with the TA after physically presenting his/her identification at the
respective institute and obtaining permission from system manager after verification. At the end of this phase, Ui is supplied
with a smart card SCi securely. The steps involved in this phase are as follows:

Step R1. Ui chooses an identity IDi and a random number K ∈ Z ∗p . Ui then computes RIDi = h(K  IDi ) and sends the
registration request RIDi to the TA via a secure channel.
Step R2. Upon reception of the registration request, the TA computes Ri = h(RIDi So ) and stores it on a smart card SCi ,
and then sends SCi to Ui via a secure channel.
Step R3. After receiving the smart card SCi , Ui chooses a password PWi and imprints biometrics Bioi at the sensor of a
specific terminal. Ui then computes Gen(Bioi ) = (σ i , τ i ), RPWi = h(PWi K), Xi = h(RPWi σ i ), Yi = K h(IDi PWi σ i ),
Ri = Ri  h(IDi σ i ).
Step R4. Ui stores the information {Xi , Yi , Gen( · ), Rep( · ), τ i , h( · ), t} in SCi and also replaces Ri with Ri in it. Hence, SCi
finally contains {Ri , Xi , Yi , Gen( · ), Rep( · ), τ i , h( · ), t}.

This phase is summarized in Fig. 3.

4.4. Login phase

To login to the TA, Ui executes the following steps:

Step L1. Ui inserts SCi , enters his/her identity IDi , password PWi and imprints personal biometrics Bioi at the sensor of a
specific terminal.
Step L2. SCi computes σi = Rep(Bioi , τi ), K  = Yi  h(IDi  PWi  σi ), RPWi = h(PWi  K  ) and Xi = h(RPWi  σi ), and
checks if Xi = Xi holds.
Step L3. If the verification succeeds, Ui chooses a random number m ∈ Z ∗p , generates the current time stamp Ti and
forms a login message {DIDi , DIDj , Mi , Ti , Vi } after computing Mi = m.P = (Mix , Mi ), Ni = m.Ppub = (Nix , Ni ), RIDi =
y y

   y ∗   
h(K  IDi ), DIDi = RIDi  Ni , DID j = ID j  Ni , Ri = Ri  h(IDi  σi ), and Vi = h(DIDi DIDj Ti Mi  Ri ), where IDj is
y ∗
y
the identity of the sensor node SNj that Ui wants to access it and (Mix , Mi ) denotes the x-coordinate and y-coordinate
of an ECC point Mi = m.P, respectively. Finally, Ui sends the login request message DIDi , DIDj , Mi , Ti , Vi to the TA via
open channel.

4.5. Authentication and key agreement phase

In this phase, the TA authenticates a legal user Ui and helps to establish a session key between an accessed sensor node
SNj and Ui using the following steps:

Step A1. After receiving the login message DIDi , DIDj , Mi , Ti , Vi from Ui at time Ti , the TA first checks the validity of the
received timestamp Ti in the message by the condition Ti −Ti ≤ T. If it holds, the TA then calculates NTA = So.Mi =
542 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

User (Ui ) Trusted Authority (T A) Sensor Node (SNj )

Enter IDi ,P Wi .
Imprint Bioi .
Compute Rep(Bioi , τi ) = σi ,
K  = Yi ⊕ h(IDi  P Wi  σi ),
RP Wi = h(P Wi  K  ),
Xi = h(RP Wi  σi ).
Check if Xi = Xi ?
Choose m ∈ Zp∗ .
Compute Mi = m.P , Check if Ti - Ti ≤ ΔT ?
Ni = m.Ppub = (Nix , Niy ), Compute NT A = So .Mi
Ri∗ = Ri ⊕ h(IDi  σi ), = (NTxA , NTy A ),
DIDi = RIDi ⊕ Niy , RIDi = DIDi ⊕ NTy A ,
DIDj = IDj ⊕ Niy , IDj = DIDj ⊕ NTy A ,
Vi = h(DIDi  DIDj  Ri = h(RIDi  So ),
Ti  Mi  Ri∗ ). Vi∗ = h(DIDi  DIDj  Ti
DIDi , DIDj , Mi , Vi , Ti   Mi  Ri ).
−−−−−−−−−−−−−−−−−−→
(via open channel) Check if Vi∗ = Vi ?
Compute WT A = h(Ri )⊕ Check if TT A -TT A ≤ ΔT ?
h(Sj ||TT A ||Ti ). Compute h(Ri ) = WT A ⊕ h(Sj ||TT A ||Ti ),
WT A , TT A , Ti  skij = h(IDj  h(Ri )  h(Sj )  Ti  Tj ),
−−−−−−−−−−−→
Check if Tj -Tj ≤ ΔT ? (via open channel) VSNj = h(skij  IDj  Tj ),
Compute h(Sj ) = Wj ⊕ h(IDj  h(Ri∗ )), Wj = h(IDj  h(Ri )) ⊕ h(Sj ).

skij = h(IDj  h(Ri∗ )  h(Sj )  Ti  Tj ), Wj , VSNj , Tj 
←−−−−−−−−−−
∗ 
VSNj
= h(skij  IDj  Tj ). (directly to Ui only, via open channel)
∗
Check if VSNj = VSNj ?

Store session key skij (= skij ) shared with SNj . Store same session key skij shared with Ui .

Fig. 4. Login and authentication phases.

x , N y ), RID = DID  N y , ID∗ = DID  N y , R = h(RID S ) and V ∗ = h(DID DID T M R ). The TA proceeds
(NTA TA i i TA j j TA i i o i i j i i i
to check if Vi∗ = Vi and ID∗j is registered with its database. If any one of these checks fails, the session is immediately
terminated.
Step A2. The TA generates the current time stamp TTA , computes WTA = h(Ri ) h(Sj || TTA ||Ti ), and sends the message
WTA , TTA , Ti to SNj via open channel.
 . SN verifies the condition T  −T
Step A3. Let the message WTA , TTA , Ti be received by SNj at time TTA j TA TA ≤ T for the
purpose of validating the received timestamp TTA . It it is valid, SNj generates the current time stamp Tj and computes
h(Ri ) = WTA  h(Sj || TTA || Ti ), ski j = h(IDj h(Ri ) h(Sj ) Ti Tj ), VSN j = h(skij IDj Tj ) and W j = h(IDj h(Ri )) h(Sj ). SNj
then sends the authentication response message Wj , VSN j , Tj to Ui directly via open channel.
Step A4. On receiving the authentication response message Wj , VSN j , Tj at time T j , Ui verifies T j − Tj ≤ T for validating
the received time stamp Tj in the message, and then computes h(S j ) = Wj  h(IDj  h(R∗i )), ski j = h(IDj  h(R∗i ) h(Sj )
∗ = h (sk ID T ). U verifies if V ∗
Ti Tj ) and VSN = VSN j . If it is valid, Ui then starts secure communication with
j ij j j i SN j
SNj with the session key ski j (= ski j ).

The login and authentication phases are finally summarized in Fig. 4.

4.6. Password and biometric update phase

This phase is executed internally by Ui by avoiding communication with the TA to reduce the communication and com-
putation overheads. The steps involved are as follows:
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 543

Step PB1. After Ui enters the identity IDi , present password PWiold and imprints present biometrics Bioold i
at the sensor
of a specific terminal, SCi computes σiold = Rep(Bioold , τ ) ; K  = Y  h (ID  PW old  σ old ); RPW old = h (PW old  K  );
i i i i i i i i
Xiold = h(RPWiold  σiold ). SCi then verifies if Xiold = Xi and terminates the request if they do not match. Otherwise, the
credentials entered by Ui are authentic.
Step PB2. SCi permits Ui to enter new password PWinew and imprint new biometrics Bionew i
at the sensor of a specific
terminal. SCi then computes Gen(Bionew ) = ( σ new , τ new ); RPW new = h (PW new  K  ); X new = h (RPW new  σ new ); Y new =
i i i i i i i i i
K   h(IDi  PWinew  σinew ), Rnew
i
= (Ri  h(IDi  σiold ))  h(IDi  σinew ) = Ri  h(IDi  σinew ).
Step PB3. The values of Ri , Xi , Yi and τ i on SCi are replaced with Rnew i
, Xinew , Yinew and τinew , respectively. Hence, the
smart card SCi contains the information {Rnew i
, Xi
new , Y new , Gen( · ), Rep( · ), τ new , h( · ), t}.
i i

4.7. User revocation and re-registration phase

If a legitimate user Ui has lost his/her smart card SCi or his/her smart card SCi is stolen by an adversary, he/she can
request to the TA for re-registration through the following steps:
Step RV1. Using the same identity IDi , Ui sends a registration request containing RIDnew i
= h(Knew  IDi ) to the TA via
secure channel, where K new ∈ Z ∗p is a new random number chosen by Ui .
Step RV2. Upon getting the registration request from Ui , the TA computes Rnew i
= h(RIDnewi
So ) and sends a new smart
card SCinew to Ui with Rnew
i
stored in it via secure channel.
Step RV3. Ui chooses a new password PWinew and imprint new biometrics Bionew i
at the sensor of a specific terminal.
Ui then computes RPWinew = h(Knew  PWinew ), Gen(Bionew i
) = (σinew , τinew ), Xinew = h(RPWinew  σinew ), Yinew = Knew 
h(IDi  PWinew  σinew ), Ri = Rnew
i
 h(IDi  σinew ).

Step RV4. Finally, the values {Ri , Xi , Yinew , τ i , t, h( · ), Gen( · ) and Rep( · )} are stored in Ui ’s new smart card SCinew and
new

the TA delivers SCinew to Ui via secure channel.

4.8. Dynamic sensor node addition phase

It is required sometimes to add dynamically some sensor nodes in the existing network because they may be exhausted
due to battery power or may be physically captured by an adversary. Suppose a new sensor node SN new
j
needs to be deployed
in the sensor network. For this purpose, the TA executes the following steps:
Step DA1. For SN new
j
, the TA chooses a unique identity IDnewj
and a master secret key mknew j
∈ Z ∗p . It then computes a
secret value S j = h(ID j  mk j ).
new new new

Step DA2. IDnewj

and Snew
j
are then stored in SN new
j
’s memory prior to its deployment in the sensor network. The TA also
new
stores ID j new
and S j in its database corresponding to newly deployed node SN new .
j
Step DA3. The TA also broadcasts the new sensor node SN new j
’s identity ID new to all the users so that they can access the
j
newly deployed sensor node SN new j
.

4.9. New user addition phase

For wireless healthcare sensor networks, a registered user may not be working with the system after some period, and
a new user, say Uinew may also join in the network. The steps involved in this phase are as discussed below:
Step UA1. Uinew selects a unique new identity IDnew i
and a random number K new ∈ Z ∗p . Uinew then computes RIDnew i
=
h(K new  IDnew
i
) and sends the registration request RID new to the TA via a secure channel.
i
Step UA2. Upon reception of the registration request, the TA computes Rnew i
= h(RIDnew
i
So ) and stores it on a smart card
new
SCi , and then sends SCi new to Uinew via a secure channel.
Step UA3. After receiving the smart card SCinew , Uinew chooses a password PWinew and imprints biometrics Bioi at the
sensor of a specific terminal. Uinew then computes Gen(Bioi ) = (σi , τi ), RPWinew = h(PWinew  K new ), Xinew = h(RPWinew
 σi ), Yinew = Knew  h(IDnew
i
 PWinew  σi ) and Ri = Rnew i
 h(IDnewi
 σi ).
Step UA4. Ui new new new 
stores the information {Xi , Yi , Gen( · ), Rep( · ), τi , h( · ), t} in SCinew and also replaces Rnew with Ri in
i
it. Hence, SCinew finally contains {Ri , Xinew , Yinew , Gen( · ), Rep( · ), τi , h( · ), t}.
Remark 1. In the proposed scheme, during the login and authentication phases, a resource constrained sensor node SNj
requires only five hash functions computation to verify the authentication request message WTA , TTA , Ti and send the
authentication reply message Wj , VSN j , Tj to the user Ui . Due to efficient hash computation, the proposed scheme supports
a large-scale sensor network and it is also flexible against substantial increase in the size of the network even after initial
deployment of the sensor nodes. As a result, the proposed scheme is highly scalable.

5. Security analysis of the proposed scheme

This section discusses the rigorous security analysis of the proposed scheme using both the formal and informal security
analysis.
544 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

5.1. Formal security analysis using random oracle model

The security of the proposed scheme is formally analyzed in the standard model using the widely-accepted Real-Or-
Random (ROR) model by Abdalla et al. [20].

5.1.1. Real-Or-Random (ROR) model

There are three participants in the network: the TA, user Ui and sensor node SNj . The following are the terms used in
this model:
Participants. tSN , Uu and vTA are the tth , uth and vth instances of SNj , Ui and TA, respectively, which are also referred
j i
to as oracles.
Accepted state. An instance t is in the accepted state, if upon receiving the last expected protocol message, it goes
into an accept state. The ordered concatenation of all communicated sent and received messages by t forms the session
identification (sid) of t for the current session.
Partnering. Two instances t1 and t2 are called partnered if the following three conditions are fulfilled simultaneously:
1) both t1 and t2 are in accept state; 2) both t1 and t2 mutually authenticate each other and share identical session
identification (sid); and 3) t1 and t2 are mutual partners of each other.
Freshness. Uu or tSN is fresh, if the session key SK between SNj and Ui is not revealed to A using the RL(t ) query
i j
given below.
Adversary. An adversary A, in the ROR model, is given complete access to all communication. The following queries can
be accessed by A:
• ET(t , u ): The messages exchanged between two legitimate participants are obtained by A using this execute query,
which is modeled as an eavesdropping attack.
• RL(t ): This query reveals the current session key SK generated by t (and its partner) to an adversary A.
• SD(t , m): A launches an active attack on a participating instance, say t , using this send query by sending a message
m to receive a reply.
• Cor r uptMD(Ut ) : This is modeled after the stolen smart card attack, where the information stored in the card SCi are
i
available to A.
• TS(t ): Taking indistinguishability in the ROR model [20] into consideration, the semantic security of the session key
is modeled in this test query. The query begins with the tossing of an unbiased coin c, and the outcome of which is
kept secret. A begins the game by executing the test query TS(t ), and a new session key is established. t returns the
session key if c = 1 or a random number in the same domain if c = 0; otherwise, a null result (⊥) is returned.
Semantic security of session key. A needs to differentiate between an instance’s original session key SK and a random
key as part of the experiment. A can execute many TS queries to either tSN or Uu . The result of TS query must be
j i
consistent with respect to c. A bit c is returned at the end of the experiment. A can win the game if c = c. If W denotes
an event wherein A wins the game, A’s advantage in breaking the semantic security of the proposed authenticated key
agreement (AKE) protocol, say P becomes AdvAKE P = |2.P r[W ] − 1|. Therefore, P is secure in the ROR sense if AdvAKE
P ≤ η, for
any sufficiently small η > 0.
Random oracle. All the participants and A will have access to a one-way hash function h( · ), which is further modeled
as the Hash oracle.

5.1.2. Formal security proof

We apply the difference lemma [21] for our formal security proof.

Lemma 1 (Difference Lemma). Let B1 , B2 and B3 be the events defined in some probability distribution. Assume B1 ∧¬B3
⇔B2 ∧¬B3 . Then, we have,
|Pr[B1 ] − Pr[B2 ]| ≤ Pr[B3 ].
Theorem 1. Assume an adversary A runs against our proposed scheme P in polynomial time t in the random oracle. Let the
biometrics key σ i be of l bits and D be a uniformly distributed password dictionary. The following gives the advantage of A in
breaking P’s session key security (SK-security):
q2h qsend
AdvAKE ≤ + + 2AdvECDLP (t ),
P
|Hash| 2l−1 .|D|
where |D|, |Hash|, AdvECDLP (t), qh and qsend represent, respectively the size of D, the range space of the one-way cryptographic
hash function h( · ), the advantage of A in breaking the ECDLP, the number of Hash queries made, and the number of SD queries
made.

Proof. There are five different games in the formal proof, say Gai (i = 0, 1, 2, 3, 4 ). Let Wi denote an event where A guesses
the bit c in the game Gai and then wins that game. A real attack on P is denoted by Ga0 and the game ends with Ga4
proving that A has negligible advantage of breaking the SK-security in our scheme.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 545

• Ga0 : A begins with this game by launching a real attack on P. Prior to this, the bit c is selected. Hence,

AdvAKE
P = |2.P r[W0 ] − 1|. (1)

• Ga1 : Modifying Ga0 to simulate an eavesdropping attack, this game begins with querying the ET(t , u ) oracle by A.
Subsequently, A sends a query to the TS oracle to determine if the actual session key SK is the outcome or if it is a
random value. The session key is calculated by SNj as skij = h(ID j h(Ri ) h(Sj ) Ti Tj ). Also, Ui calculates the same
session key as ski j = h(IDj  h(R∗i ) h(Sj ) Ti Tj ). To compute RIDi = h(K IDi ) and thus, Ri = h(RIDi So ), A needs to
know K, the random number at Ui and So , the master secret key of the TA. Therefore, A’s chances at winning this game
through eavesdropping are not increased. This shows that Ga0 and Ga1 are equivalent. Hence, we have,

P r[W0 ] = P r[W1 ]. (2)

• Ga2 : Extending Ga1 , the SD and the Hash oracles are queried in this game. Here, A actively attacks a participant by send-
ing a fabricated message. For A to be able to generate an authentic message either DIDi , DIDj , Mi , Vi , Ti or W j , VSN j , T j ,
access to all secret keys and random numbers is needed which cannot be obtained through the queries as the random-
ness in the messages ensures no collision in hash digests. Using the results from the birthday paradox, we get

q2h
|Pr[W1 ] − Pr[W2 ]| ≤ . (3)
2.|Hash|
• Ga3 : Modeling after the stolen smart card attack, this game starts with the CorruptMD oracle being queried. Using the
dictionary attack, A can guess password PWi of Ui from the extracted information in the smart card SCi . Since a strong
fuzzy extractor is used in P, it allows for the retrieval of at most l nearly random bits. The probability of A guessing the
biometric key σ i ∈ {0, 1}l is 1l approximately [22]. As the number of wrong password entries permitted is limited, we
2
get
qsend
|Pr[W2 ] − Pr[W3 ]| ≤ . (4)
2 l .|D|

• Ga4 : A modification of Ga3 , in this game, A attempts to obtain the actual session key skij (= ski j ) by getting information
through eavesdropping. As already mentioned in Ga1 , A has no knowledge of the secret keys for computing RIDi =
h(KIDi ) and thus, for computing Ri = h(RIDi So ) is not feasible. Also, considering computational hardness of ECDLP,
retrieving random number m from Mi in the message DIDi , DIDj , Mi , Vi , Ti is impossible. Hence, we get

|Pr[W3 ] − Pr[W4 ]| ≤ AdvECDLP (t ). (5)

Note that A has no knowledge of the bit c as the session keys are generated independently and randomly by both SNj
and Ui . This leads to the following:

1
P r[W4 ] = . (6)
2
From Eqs. (1), (2) and (6), we obtain

1 1 1
.AdvAKE
P = |P r[W0 ] − | = |P r[W1 ] − |. (7)
2 2 2
Solving Eqs. (3)–(7), applying Lemma 1 and triangular inequality, we have,

|Pr[W1 ] − Pr[W4 ]| ≤ |Pr[W1 ] − Pr[W2 ]| + |Pr[W2 ] − Pr[W4 ]|

≤ |P r[W1 ] − P r[W2 ]| + |P r[W2 ] − P r[W3 ]| + |P r[W3 ] − P r[W4 ]|
q2h qsend
≤ + + AdvECDLP (t ). (8)
2.|Hash| 2 l .|D|
Thus, from Eqs. (6)–(8),

1 q2h qsend
|Pr[W1 ] − | ≤ + + AdvECDLP (t ).
2 2.|Hash| 2 l .|D|
Hence, we have the required result:

q2h qsend
AdvAKE ≤ + + 2AdvECDLP (t ).
P
|Hash| 2l−1 .|D|

546 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

5.2. Mutual authentication proof using BAN logic

The broadly-accepted BAN logic [23] is used in our scheme to prove that a user Ui and a sensor node SNj mutually
authenticate each other correctly using trustworthy and fresh information. To achieve this, the BAN logic verifies the origin
of the message, the origin’s trustworthiness and its freshness. The notations used in BAN logic are given below.

• A| ≡ X: A believes the statement X.

• AX: A sees X, i.e. A has received a message containing X.
• A| ∼ X: A once said X i.e A| ≡ X when A sent it.
• A|⇒X: A has authority or jurisdiction over X.
• #(X ): X is a fresh message.
K
• A ←→ B: K is shared secret key between A and B.
• XK : X is encrypted with key K.
• X Y : formula X is combined with formula Y.
• (X)K : X is hashed with key K.
• (X, Y) : X or Y is one part of formula (X, Y).

The logical postulates in the BAN logic are described using the below mentioned rules.

Rule (1). Message meaning rule (MMR): If P believes K to be a shared secret between P and Q, and also P sees a message
X is encrypted with K, P believes Q once said X.
K Y
P |≡P ←→Q,P {X }K P |≡P ←→Q,P  X Y
P |≡Q |∼X
; P |≡Q |∼X
.
Rule (2). Nonce verification rule (NVR): If P believes X is fresh, and P believes Q once said X, P believes Q believes X.
P |≡#{X }P |≡Q |∼X
P |≡Q |≡X
.
Rule (3). Jurisdiction rule (JR): If P believes Q has jurisdiction over X and P believes that Q believes X, P believes X.
P |≡Q |≡X,P |≡Q |⇒X
P |≡X
.
Rule (4). Freshness rule (FR): If a part of the formula is believed to be fresh, the entire formula is also believed to be
|≡#{X }
fresh. PP|≡# {X,Y } .
Rule (5). Belief rule (BR): If P believes Q believes a formula, P believes Q believes part of the formula.
P |≡Q |≡(X,Y )
P |≡Q |≡X
.
If P believes X and P also believes Y, P then believes the combined formula (X, Y). PP|≡X,P |≡Y
|≡(X,Y ) .

Generic form of messages: The messages exchanged during the login and authentication phases in our scheme can be
expressed in a generic form as follows:

Message 1. TA → SNj : (h(Ri ) h(Sj TTA Ti ), TTA , Ti ).

Message 2. SNj → Ui : (h(IDj h(Ri )) h(Sj ), h(skij IDj Tj ), Tj ).

Idealized form: The above messages when expressed in their ideal forms give the following:

Message 1. TA → SNj : ( Ri Sj , TTA , Ti ).

TA←→SN j
ski j
Message 2. SNj → Ui : ( ID j , Ri Sj , Ui ←→ SN j , Tj ID j , Tj ).
Ui ←→SN j

Goal: The following two goals need to be proved:

ski j ski j
G1: Ui |≡ Ui ←→ SN j ; G2: SN j |≡ Ui ←→ SN j .
We consider the following assumptions in the proof:
A1. Ui |≡ #(Ti ), Ui |≡ #(T j ); A2. T A |≡ #(Ti ), Ui |≡ #(TTA ); A3. SN j |≡ #(Ti ), SN j |≡ #(TTA ), SN j |≡ #(T j )
Sj Sj
A4. T A |≡ (T A ←→ SN j ); A5. SN j |≡ (T A ←→ SN j ); A6. SNj | ≡ TA|⇒TA| ∼ X
ID j ID j ski j
A7. Ui |≡ (Ui ←→ SN j ); A8. SN j |≡ (Ui ←→ SN j ); A9. Ui |≡ SN j | ⇒ (Ui ←→ SN j ).
The mutual authentication between Ui and SNj is proved using the following steps:

S1. From message 1, we get,

SN j  < (Ri ), (TTA , Ti ) > S j .
TA←→SN j
S2. Using S1, A5 and MMR, we get,
SNj | ≡ TA| ∼ < (Ri ), (TTA , Ti ) > .
S3. Using S2, A3, FR and NVR, we get,
SNj | ≡ TA| ≡ (Ri ).
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 547

S4. Using A6, S3 and JR, we get,

SNj | ≡ (Ri ).
S5. Using S4 and BR, we get,
ski j
SN j |≡ Ui ←→ SN j . (Goal G2)
S6. From message 2, we get,
ski j
Ui  Ui ←→ SN j , T j ID j .
Ui ←→SN j
S7. Using S6, A7 and MMR, we get,
ski j
Ui |≡ SN j |∼ Ui ←→ SN j , T j .
S8. Using S7, A1, FR and NVR, we get,
ski j
Ui |≡ SN j |≡ Ui ←→ SN j .
S9. Using S8, A9 and JR, we get,
ski j
Ui |≡ Ui ←→ SN j . (Goal G1)

Thus, the goals G1 and G2 clearly show that Ui and SNj mutually authenticate each other with the help of the TA.

5.3. Discussion on other attacks

In the following subsections, we show that the proposed scheme is secure against various other known attacks through
an informal security analysis.

5.3.1. Privileged-insider attack

An adversary A, a privileged user at the TA, has access to the registration information of Ui , that is, RIDi . Assume, after
registration, the smart card SCi of Ui is stolen by A. Even with access to all the details stored in SCi like {Xi , Yi , τ i , Ri },
A cannot guess either IDi or PWi . This is because to guess IDi requires the knowledge of Ui ’s secret K, which cannot be
calculated from the available information and it is not stored directly in SCi . Furthermore, to guess PWi correctly, the values
IDi , K and σ i are needed. The one-way property of the hash function h( · ) protects these, and hence, the proposed scheme
is secure against this attack.

5.3.2. Impersonation attacks

Suppose an intruder I gets access to Ui ’s login request message DIDi , DIDj , Mi , Ti , Vi and tries to create its own login
message on behalf of Ui . To do so, I can choose a random number m ∈ Z ∗p and he/she needs to calculate Mi = m .P, Ni =
y y y
m .Ppub = (Nix , Ni ), DIDi = RIDi Ni , DIDj = IDj Ni and Vi = h(DIDi  DIDj  Ti  Mi  R∗i ). Here, I requires knowledge
of IDj of the sensor node SNj that Ui wants to communicate with, Ui ’s own RIDi and finally, the secret key So of the TA
for computing R∗i = h(RIDi  So ), all of which are needed for computing Vi . Thus, it is computationally infeasible for I to
recreate a valid login message by eavesdropping, and hence, our scheme is secure against user impersonation attack. In a
similar way, the proposed scheme is also protected against sensor node and the TA impersonation attacks.

5.3.3. Offline password guessing attack

Assume that an adversary A has knowledge of all the sensitive information in Ui ’s smart card SCi , that is, {Xi , Yi , τ i , Ri ,
h( · )}. It is computationally infeasible for A to derive password PWi of Ui due to the one-way property of the hash function
h( · ), which hides the values IDi , K and σ i from A. Hence, the proposed scheme is safe from this attack.

5.3.4. Stolen smart card attack

Assume a user Ui has lost his/her smart card SCi , and thus, an adversary A has all the sensitive information {Xi , Yi , τ i ,
Ri , h( · )}. However, this does not reveal any secret credentials of Ui as the values IDi , PWi and σ i are protected by h( · ), and
also it does not reveal Ui ’s secret value K. Hence, the proposed scheme is secure from this attack.

5.3.5. Denial-of-service attack

An incorrect entry of IDi or PWi or Bioi by a legal user Ui during the login phase is detected locally using the verification
condition Xi = Xi (Step L2 in Section 4.4). Ui sends a login request only after correct entries of both IDi and PWi . Hence,
denial of service is not possible in the presented scheme.

5.3.6. Replay attack

Any adversary A eavesdropping over the channels cannot replay the previous login or authentication messages because
the current time stamps of Ui , TA and SNj are used in constructing the messages, and the acceptable delay interval T is
sufficiently small to ensure no replay. As a result, the proposed scheme is also secure against replay attack.
548 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

5.3.7. Mutual authentication

User Ui and sensor node SNj authenticate each other with help of the TA using Vi = h(DIDi  DIDj Ti Mi Ri ) and VSN j =
h(skij IDj Tj ). These cannot be constructed by an adversary A because these require knowledge of Ui ’s Ri and SNj ’s IDj along
with calculation of the session key skij . This shows that the mutual authentication between Ui and SNj is also achieved in
our scheme.

5.3.8. User anonymity

The user identity IDi is masked in various ways in each phase. No login request or authentication message directly
y y
includes IDi . Also, DIDi = RIDi Ni is unique in every session as a random number m ∈ Z ∗p is chosen by Ui to compute Ni ,
which further makes it difficult for an adversary to distinguish the user in various sessions. Hence, anonymity of the user is
guaranteed in the proposed scheme.

5.3.9. TA independent password and biometric update phase

Any change in the password or biometrics for a user Ui can be done locally on the smart card SCi without any contact
with the TA or any sensor node. This reduces communication and computation overheads in the proposed scheme.

6. Simulation for formal security verification using AVISPA tool

This section is aimed at proving that the proposed scheme is secure against man-in-the-middle and replay attacks with
the help of the widely-used AVISPA tool [24]. AVISPA is a popularly used tool to determine if an authentication scheme is
safe or unsafe [22,25–28].
AVISPA consists of four backends: On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe),
SAT-based Model-Checker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security
Protocols (TA4SP). The steps involved in the simulation using AVISPA tool are the following:

Step 1. Implementing the protocol in the role-oriented HLPSL (High Level Protocols Specification Language) [24], which
is then translated by the HLPSL2IF translator to the intermediate format (IF).
Step 2. Provide IF to any one of the four backends, which produces the output format (OF) to determine if the protocol
is safe.

Detailed information regarding the AVISPA tool, and its aspects of implementation and various variables used in HLPSL
are described in [24].

6.1. Implementation details in HLPSL

There are three participants, such as the TA, a user Ui and a sensor node SNj in the HLPSL implementation of the reg-
istration, login, and authentication and key agreement phases along with the mandatory roles for the session and goal-
environment (shown in Fig. 6b). The roles of user (shown in Fig. 5a), trusted authority (shown in Fig. 5b) and sensor node
(shown in Fig. 6a) represent Ui , TA and SNj , respectively.
Ui first changes its state maintained by the variable State from 0 to 1 after receiving the begin signal to initiate the
communication. The registration request message RIDi is sent from Ui to TA over a secure channel in the registration phase
with the help of TX( ) operation. The TA responds by sending a smart card with {Ri } securely to Ui , which then changes the
state from 1 to 2. Ui initiates login phase by sending a login message DIDi , DIDj , Mi , Vi , Ti to TA over a public channel. The
TA changes state from 2 to 3 and forwards message with WTA , TTA , Ti to SNj via an open channel to start the authentication
and session key establishment phase. After changing the state from 0 to 3, SNj also sends authentication reply message with
Wj , VSN j , Tj to Ui via open channel.
The declaration for witness(Ui, T A, ui_ta_m, M ) in the user role indicates that Ui has chosen m ∈ Z ∗p freshly for the TA. Ui ’s
acceptance of the value Tj generated for Ui by SNj is indicated by the declaration request (SN j, Ui, sn j_ui_t j, T j ). To indicate
that the value So is being kept secret by the TA, the declaration secret({S0}, sk1, {TA}) is used, where sk1 is the protocol
id that characterizes it. All required secret, request and witness declarations in the three roles have similar formats. Our
implementation requires four secrecy goals and also four authentication goals.
Finally, the environment, goal and session roles of the proposed scheme are summarized in Fig. 6b. The HLPSL specifica-
tion always has the top-level role (environment). The protocol execution also shows the intruder (i) can take a legitimate
role in the protocol execution as a concrete session.

6.2. Simulation result analysis

The simulation results from the widely-used OFMC and CL-AtSe backends are shown in Fig. 7. The sections in the output
format (OF) are as follows:

• SUMMARY: This section indicates if the scheme is secure (safe or unsafe) or if the analysis was inconclusive.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 549

role user (Ui, TA, SNj: agent, role ta (Ui, TA, SNj: agent,
SKuita: symmetric_key, SKuita: symmetric_key,
H : hash_func, H : hash_func,
TX, RX: channel(dy)) TX, RX: channel(dy))
played_by Ui played_by TA
def= def=
local State: nat, local State: nat,
PWi, Bioi, IDi, K, RIDi, M, Mi, K, IDi, S0, PWi, Bioi, M, P, IDj: text,
Ni, DIDi, DIDj: text, Ti, Tta, Wta, Sj, MKj : text,
Vi, Ti, P, IDj, Tj, MKj, S0 : text, F: hash_func
F : hash_func const sk1, sk2, sk3, sk4, ta_snj_tta,
const sk1, sk2, sk3, sk4, ui_ta_m, ui_ta_m, ui_ta_ti: protocol_id
ui_ta_ti, snj_ui_tj: protocol_id % Initialize state State to 0
% Initialize state State to 0 init State := 0
init State := 0 transition
transition % User registration phase
% User registration phase % Receive registration request from user Ui securely
1. State = 0 /\ RX(start) =|> 1. State = 0 /\ RX({H(K’.IDi)}_SKuita) =|>
% Send registration request to TA securely State’ := 2 /\ secret({S0}, sk1, {TA})
State’ := 1 /\ secret({S0}, sk1, {TA}) /\ secret({PWi,Bioi}, sk2, {Ui})
/\ secret({PWi,Bioi}, sk2, {Ui}) /\ secret({IDi}, sk3, {Ui})
/\ secret({IDi}, sk3, {Ui}) /\ secret({MKj}, sk4, {SNj})
/\ secret({MKj}, sk4, {SNj}) % Send smart card to Ui securely
/\ K’ := new() /\ TX({H(H(K’.IDi).S0)}_SKuita)
/\ RIDi’ := H(K’.IDi) % Login and authentication phase
/\ TX({RIDi}_SKuita) % Receive login message from Ui via open channel
% Receive smart card from TA securely 2. State = 2 /\ RX(xor(H(K’.IDi),F(M’.F(S0.P))).
2. State = 1 /\ RX({H(H(K’.IDi).S0)}_SKuita) =|> xor(IDj, F(M’.F(S0.P))).F(M’.P).
% Login and authentication phase H(xor(H(K’.IDi),F(M’.F(S0.P))).
State’ := 2 /\ M’ := new() /\ Ti’ := new() xor(IDj, F(M’.F(S0.P))).Ti’.F(M’.P).
/\ Mi’ := F(M’.P) H(H(K’.IDi).S0)).Ti’) =|>
/\ Ni’ := F(M’.F(S0.P)) State’ := 4 /\ Tta’ := new()
/\ DIDi’ := xor(H(K’.IDi),Ni’) /\ Sj’ := H(IDj.MKj)
/\ DIDj’ := xor(IDj, Ni’) /\ Wta’ := xor(H(H(H(K’.IDi).S0)),
/\ Vi’ := H(DIDi’. DIDj’.Ti’.Mi’.H(H(K’.IDi).S0)) H(Sj’.Tta’.Ti’))
% Send the login message to the TA via open channel % Send the authentication message to SNj via open channel
/\ TX(DIDi’.DIDj’.Mi’.Vi’.Ti’) /\ TX(Wta’.Tta’.Ti’)
% Ui has freshly generated the values m and Ti for TA % TA has freshly generated the value Tta for SNj
/\ witness (Ui, TA, ui_ta_m, M’) /\ witness (TA, SNj, ta_snj_tta, Tta’)
/\ witness (Ui, TA, ui_ta_ti, Ti’) % TA’s acceptance of the values m and Ti generated for TA by Ui
% Ui’s acceptance of the value Tj generated for Ui by SNj /\ request(Ui, TA, ui_ta_m, M’)
/\ request(SNj, Ui, snj_ui_tj, Tj’) /\ request(Ui, TA, ui_ta_ti, Ti’)
end role end role

(a) Role specification for a user Ui (b) Role specification for the T A
Fig. 5. Role specification for Ui and the TA.

• DETAILS: This section provides information on the conditions in which the scheme is safe or the attack determining
conditions or finally, why the analysis was inconclusive.
• GOAL, PROTOCOL and BACK-END are the names of the analysis’s goal, the protocol’s name and the back-end being used
for analysis, respectively.
• The standard Alice-bob format prints the trace of an attack (if found) along with few comments and statistics.

The proposed is simulated for formal security verification using the OFMC and CL-AtSe backends under the SPAN, the
Security Protocol ANimator for AVISPA [24]. From Fig. 7, it is clear that our scheme is secure against replay and man-in-the-
middle attacks, which are proved using three verifications, such as replay attack checking, Dolev-Yao model checking and
executability checking on non-trivial HLPSL specifications as specified in [22].

7. Performance comparison

In this section, we have done a comparison of our scheme with some recently proposed schemes, such as Liu-Chung’s
scheme [16], Wu et al.’s scheme [10] and Arshad-Nikooghadam’s scheme [12], using the communication and computation
overheads, and functionality features as parameters to show that our scheme is significantly better.
550 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

role sensor (Ui, TA, SNj: agent, role session (Ui, TA, SNj: agent,
H : hash_func, SKuita: symmetric_key,
TX, RX: channel(dy)) H : hash_func)
played_by SNj def=
def= local T1, R1, T2, R2, T3, R3: channel (dy)
local State: nat, composition
K, IDi, S0, PWi, Bioi, M, P, IDj: text, user(Ui, TA, SNj, SKuita, H, T1, R1)
Ti, Tta, Wta, Sj, MKj, Tj, SKij, Vsnj, Wj : text, /\ ta (Ui, TA, SNj, SKuita, H, T2, R2)
F: hash_func /\ sensor (Ui, TA, SNj, H, T3, R3)
const sk1, sk2, sk3, sk4, ta_snj_tta, snj_ui_tj: protocol_id end role
% Initialize state State to 0
init State := 0 role environment()
transition def=
% Login and authentication phase const ui, ta, snj : agent,
% Receive authentication request from TA via open channel skuita: symmetric_key,
1. State = 0 /\ RX(xor(H(H(H(K’.IDi).S0)),H(H(IDj.MKj).
h, f : hash_func, ti, tj, tta, p : text,
Tta’.Ti’)).Tta’.Ti’) =|>
sk1, sk2, sk3, sk4, ui_ta_m,
State’ := 3 /\ secret({S0}, sk1, {TA})
ui_ta_ti, snj_ui_tj, ta_snj_tta: protocol_id
/\ secret({PWi,Bioi}, sk2, {Ui})
intruder_knowledge = {h, f, p, ti, tta, tj}
/\ secret({IDi}, sk3, {Ui})
composition
/\ secret({MKj}, sk4, {SNj})
% Send authentication reply to Ui via open channel session(ui, ta, snj, skuita, h)
/\ Tj’ := new() /\ session(i, ta, snj, skuita, h)
/\ SKij’ := H(IDj.H(H(H(K’.IDi).S0)). /\ session(ui, i, snj, skuita, h)
H(H(IDj.MKj)).Ti’.Tj’) /\ session(ui, ta, i, skuita, h)
/\ Vsnj’ := H(SKij’.IDj.Tj’) end role
/\ Wj’ := xor(H(IDj.H(H(H(K’.IDi).S0))),H(H(IDj.MKj)))
/\ TX(Wj’.Vsnj’.Tj’) goal
% SNj has freshly generated the value Tj for Ui secrecy_of sk1, sk2, sk3, sk4
/\ witness (SNj, Ui, snj_ui_tj, Tj’) authentication_on ui_ta_m, ui_ta_ti
% SNj’s acceptance of the value Tta generated for SNj by TA authentication_on ta_snj_tta, snj_ui_tj
/\ request(TA, SNj, ta_snj_tta, Tta’) end goal
end role environment()

(a) Role specification for a sensor node SNj (b) Role specification of session, goal and
environment
Fig. 6. Role specification for SNj , and session, goal and environment.

% OFMC SUMMARY
% Version of 2006/02/13 SAFE
SUMMARY DETAILS
SAFE BOUNDED_NUMBER_OF_SESSIONS
DETAILS TYPED_MODEL
BOUNDED_NUMBER_OF_SESSIONS PROTOCOL
PROTOCOL C:\progra~1\SPAN\testsuite
C:\progra~1\SPAN\testsuite \results\auth.if
\results\auth.if GOAL
GOAL As Specified
as_specified BACKEND
BACKEND CL−AtSe
OFMC
COMMENTS STATISTICS
STATISTICS
parseTime: 0.00s Analysed : 3 states
searchTime: 0.04s Reachable : 0 states
visitedNodes: 8 nodes Translation: 0.09 seconds
depth: 3 plies Computation: 0.00 seconds

Fig. 7. Simulation results using OFMC and CL-AtSe backends of our scheme.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 551

Table 2
Approximate time required for various operations [29].

Notation Description (time to compute) Approximate computation time (in seconds)

Th Hash function 0.0 0 032

Tecm ECC point multiplication 0.0171
Tsym Symmetric encryption/decryption 0.0056
Tinv Modular inverse 0.0 0 0 04275
Tm Modular multiplication 0.0 0 0 01425
Tbp Bilinear pairing 0.0045
Tfe Fuzzy extractor function 0.0171

Table 3
Comparison of computation overhead during the login and authentication phases.

Protocol User side TA/Server side Sensor node side Total overhead

Liu–Chung [16] 3Th + 1Tbp +2Tecm 1Th + 2Tbp 3Th + 1Tbp 2Tecm + 7Th + 4Tbp
≈ 0.00546 s ≈ 0.5444 s
Wu et al. [10] 2Tecm + 2Tsym 2Tecm + 2Tsym – 4Tecm + 4Tsym +11Th
+5Th + 1T f e +6Th +1T f e ≈ 0.11142 s
Arshad–Nikooghadam [12] 2Tecm + 1Tm 2Tecm + 1Tm + – 4Tecm + 2Tm +
+8Th 1Tinv + 7Th 1Tinv + 15Th
≈ 0.07327 s
Our 2Tecm + 10Th + 1T f e 1Tecm +4Th 5Th 3Tecm + 19Th + 1T f e
≈ 0.0016 s ≈ 0.07448 s

Table 4
Comparison of communication overhead during the login and authentica-
tion phases.

Scheme Number of messages Number of bits

Liu–Chung [16] 4 1408

Wu et al. [10] 2 1712
Arshad–Nikooghadam [12] 3 1792
Our 3 1428

7.1. Computation overhead comparison

The approximate time needed for each cryptographic operation and it’s notation are mentioned in Table 2. As discussed
in [19], computation time required for one ECC point multiplication operation is equal to that required for 1200 modular
multiplication operations or for 400 modular inverse operations. Therefore, Tm ≈ Tecm /1200 and Tinv ≈ Tecm /400. In addition,
we assume that the time taken for the fuzzy extractor Gen( · ) or Rep( · ) function is same as that for Tecm , that is, Tfe ≈ Tecm =
0.0171s [29]. In Table 3, we have compared the proposed scheme with some related schemes during login and authentication
phase. As can be observed, the computation time required by our scheme is less among all existing schemes except Arshad-
Nikooghadam’s scheme [12], which has almost same cost as our scheme. In addition, our scheme needs the computation
cost for a sensor node of 5Th ≈ 0.0016 s, whereas Liu-Chung’s scheme requires the cost for a sensor node of 3Th + 1Tbp
≈ 0.00546 s. Table 3 clearly shows that our scheme provides a significant improvement over other schemes, especially in the
computation overhead at the resource-constrained sensor nodes.

7.2. Communication overhead comparison

Table 4 shows the communication overhead comparison of our scheme with some related schemes. For communication
cost comparison, we assume that the user identity, sensor node identity, random number, timestamp, hash digest (if we
apply the Secure Hash Standard (SHA-1) hash algorithm) and ECC point P = (Px , Py ) are 128 bits, 16 bits, 128 bits, 32 bits, 160
bits and (160 + 160 ) = 320 bits, respectively. We have considered the security level of 1024-bit RSA public key cryptosystem
is equivalent to that for 160-bit ECC. Under these considerations, the messages DIDi , DIDj , Mi , Ti , Vi , WTA , TTA , Ti and
Wj , VSN j , Tj need 832 bits, 244 bits and 352 bits, respectively. Summing all these costs, the total communication cost in
our scheme during the login and authentication phases becomes 1428 bits which is better than all schemes except Liu–
Chung’s where the cost is 1408 bits. Though our scheme requires little more communication cost as compared to Liu–
Chung’s scheme, it is justified as our scheme is computationally efficient and it provides better security and functionality
features as compared to other schemes as listed in Table 5.
552 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

Table 5
Comparison of functionality features.

Scheme/Feature I1 I2 I3 I4 I5 I6 I7 I8 I9 I10 I11 I12 I13 I14 I15 I16 I17

Liu–Chung [16] × × × ×  × × ×  × × ×  × × × ×
Wu et al. [10]     ×  ×   ×  × × × ×  ×
Arshad–Nikooghadam [12]            ×   × × ×
Our                 

Note: I1 : user anonymity property; I2 : privileged-insider attack; I3 : off-line password guessing attack; I4 : stolen smart card attack; I5 :
denial-of-service attack; I6 : known session key attack; I7 : impersonation attacks; I8 : man-in-the middle attack; I9 : replay attack; I10 :
mutual authentication; I11 : session key agreement; I12 : stolen/lost smart card revocation; I13 : TA independent password update phase; I14 :
support biometric update phase; I15 : support dynamic sensor node addition phase; I16 : provide formal security analysis under standard
model and BAN logic; I17 : provide formal security verification using AVISPA tool. × : insecure against a particular attack or does not
support a particular feature; : secure against a particular attack or supports a particular feature.

7.3. Functionality features comparison

Finally, we have shown the functionality features comparison of our scheme with some related schemes in Table 5. It is
clear from this table that our scheme provides better security and extra functionality features, such as stolen/lost smart card
revocation, efficient password and biometrics update phase and dynamic sensor node addition phase.

8. Conclusion

In this paper, a new secure authentication scheme for wireless healthcare sensor networks has been designed. By point-
ing out the pitfalls in the existing Liu–Chung’s scheme, a three factor authentication scheme using ECC is designed having
low communication and computation costs. The proposed scheme allows a legal user to modify/update password and bio-
metrics without contacting the trusted authority. In addition, it also allows a revocation mechanism for misbehaving nodes
in the network. A formal security analysis of the proposed scheme is done using BAN logic as well as random oracle model
under the widely-accepted Real-Or-Random model. Moreover, the proposed scheme is secure against man-in-the-middle
and replay attacks with the help of the widely-used AVISPA tool. The low computation and communication costs along with
high security make the proposed scheme suitable for a wide range of healthcare applications.

Acknowledgments

We thank the anonymous reviewers for their valuable feedback on the paper which helped us to improve its quality and
presentation. The authors extend their appreciation to the Deanship of Scientific Research at King Saud University for fund-
ing this work through Research Group Number (RG-288). This work was also supported by the Information Security Educa-
tion & Awareness (ISEA) Phase II Project, Department of Electronics and Information Technology (DeitY), India. Saru Kumari
is sponsored by the University Grants Commission, India through UGC-BSR Start-up grant under Grant no. 3(A)(60)31.

References

[1] He D, Kumar N, Wang H, Wang L, Choo KKR, Vinel A. A provably-secure cross-domain handshake scheme with symptoms-matching for mobile health-
care social network. IEEE Trans Dependable Secure Comput 2016. doi:10.1109/TDSC.2016.2596286.
[2] Malasri K, Wang L. Design and implementation of a secure wireless mote-based medical sensor network. In: Proceedings of the 10th international
conference on ubiquitous computing (UbiComp ’08); 2008. p. 172–81. Seoul, South Korea.
[3] Hu F, Jiang M, Wagner M, Dong DC. Privacy-preserving telecardiology sensor networks: toward a low-cost portable wireless hardware/software code-
sign. IEEE Trans Inf Technol Biomed 2007;11(6):619–27.
[4] Huang YM, Hsieh MY, Chao HC, Hung SH, Park JH. Pervasive, secure access to a hierarchical sensor-based healthcare monitoring architecture in wireless
heterogeneous networks. IEEE J Sel Areas Commun 20 09;27(4):40 0–11.
[5] Le XH, Khalid M, Sankar R. An efficient mutual authentication and access control scheme for wireless sensor networks in healthcare. J Netw
2011;6(3):355–64.
[6] Das ML. Two-factor user authentication in wireless sensor networks. IEEE Trans Wireless Commun 2009;8(3):1086–90.
[7] Khan MK, Alghathbar K. Cryptanalysis and security improvement of two-factor user authentication in wireless sensor networks. Sensors
2010;10(3):2450–9.
[8] He D, Gao Y, Chan S, Chen C, Bu J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sensor Wireless Netw
2010;10(4):361–71.
[9] Kumar P, Lee HJ. Cryptanalysis on two user authentication protocols using smart card for wireless sensor networks. In: Wireless advanced (WiAd),
2011; 2011. p. 241–5. London, United Kingdom.
[10] Wu F, Xu L, Kumari S, Li X. A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks.
Comput Electr Eng 2015;45:274–85.
[11] Xie Q, Tang Z, Chen K. Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks. Comput Electr Eng
2017;59:218–30.
[12] Arshad H, Nikooghadam M. Three-factor anonymous authentication and key agreement scheme for telecare medicine information systems. J Med Syst
2014;38(12):136.
[13] Nam J, Kim M, Paik J, Lee Y, Won D. A provably-secure ECC-based authentication scheme for wireless sensor networks. Sensors 2014;14(11):21023–44.
[14] Turkanovic M, Brumen B, Holbl M. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based
on the internet of things notion. Ad Hoc Netw 2014;20:96–112.
 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554 553

[15] Farash MS, Turkanovic M, Kumari S, Holbl M. An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network
tailored for the internet of things environment. Ad Hoc Netw 2016;36:152–76.
[16] Liu CH, Chung YF. Secure user authentication scheme for wireless healthcare sensor networks. Comput Electr Eng 2017;59:250–61.
[17] Dolev D, Yao A. On the security of public key protocols. IEEE Trans Inf Theory 1983;29(2):198–208.
[18] Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 2002;51(5):541–52.
[19] Koblitz N, Menezes A, Vanstone S. The state of elliptic curve cryptography. Des Codes Cryptogr 20 0 0;19(2):173–93.
[20] Abdalla M, Fouque PA, Pointcheval D. Password-based authenticated key exchange in the three-party setting. In: 8th International workshop on theory
and practice in public key cryptography (PKC’05). Switzerland: Les Diablerets; 2005. p. 65–84.
[21] Lee TF. Provably secure anonymous single-sign-on authentication mechanisms using extended Chebyshev chaotic maps for distributed computer net-
works. IEEE Syst J 2015. doi:10.1109/JSYST.2015.2471095.
[22] Odelu V, Das AK, Goswami A. A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensic Secur
2015;10(9):1953–66.
[23] Burrows M, Abadi M, Needham R. A logic of authentication. ACM Trans Comput Syst 1990;8(1):18–36.
[24] AVISPA. Automated validation of internet security protocols and applications; 2016. http://www.avispa-project.org/. Accessed on April.
[25] Das AK. A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw Appl
2016;9(1):223–44.
[26] Odelu V, Das AK, Goswami A. SEAP: Secure and efficient authentication protocol for NFC applications using pseudonyms. IEEE Trans Consum Electron
2016;62(1):30–8.
[27] Chatterjee S, Roy S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV. Secure biometric-based authentication scheme using chebyshev chaotic map for
multi-server environment. IEEE Trans Dependable Secure Comput 2016. doi:10.1109/TDSC.2016.2616876.
[28] Challa S, Wazid M, Das AK, Kumar N, Reddy AG, Yoon EJ, et al. Secure signature-based authenticated key establishment scheme for future iot applica-
tions. IEEE Access 2017;5:3028–43.
[29] He D, Kumar N, Lee JH, Sherratt RS. Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans Consum Electron
2014;60(1):30–7.
554 S. Challa et al. / Computers and Electrical Engineering 69 (2018) 534–554

Sravani Challa received the M.Sc. (Tech) degree in information systems from the Birla Institute of Technology & Science (BITS), Pilani, India. She is currently
pursuing the M.S. degree in computer science and engineering with IIIT, Hyderabad, India. Her research interests include cryptography and network security.
She has published three journal papers in the above areas.

Ashok Kumar Das received Ph.D. degree in computer science and engineering, M.Tech. degree in computer science, and M.Sc. degree in mathematics from
IIT Kharagpur, India. He is currently an Assistant Professor with IIIT Hyderabad, India. He has published more than 140 papers in interenational journals
and conferences in the field of cryptography and network security.

Vanga Odelu received his Ph.D. degree and M.Tech. degree in computer science and data processing from IIT Kharagpur, India. He is currently an assistant
professor with the Department of Computer Science and Engineering, IIIT, Sri City, India. His research interests include cryptography and network security.
He has authored over 40 papers in international journals and conferences.

Neeraj Kumar received the Ph.D. degree in computer science and engineering from Shri Mata Vaishno Devi University, Katra (J&K), India, in 2009. He was
a Post-Doctoral Research Fellow at Coventry University, Coventry, U.K. He is currently an Associate Professor with the Thapar University, Patiala, India. He
has authored more than 160 research papers.

Saru Kumari is currently an assistant professor with the Department of Mathematics, C.C.S. University, Meerut, U.P, India. She received Ph.D. degree in
Mathematics in 2012 from C.C.S. University, Meerut, Uttar Pradesh, India. She has published more than 45 papers in international journals and conferences.

Muhammad Khurram Khan is currently working as a full professor at the Center of Excellence in Information Assurance, King Saud University, Saudi
Arabia. His current research interests include Cybersecurity, biometrics, multimedia security, and digital authentication. He has published about 300 papers
in international journals and conferences and he is an inventor of several U.S./PCT patents.

Athanasios V. Vasilakos is currently professor with the Lulea University of Technology, Sweden. He has served or is serving as an Editor for many technical
journals, such as IEEE Transactions on Cloud Computing, IEEE Transactions on Information Forensics and Security, IEEE Transactions on Cybernetics, IEEE
Transactions on NanoBioscience, and IEEE Journal on Selected Areas in Communications.