ieee journal of biomedical and health … · implantable medical devices (imds) ... security of...

2168-2194 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JBHI.2017.2721545, IEEE Journal ofBiomedical and Health Informatics

IEEE JOURNAL OF BIOMEDICAL AND HEALTH INFORMATICS 1

A Novel Authentication and Key AgreementScheme for Implantable Medical Devices

DeploymentMohammad Wazid,Student Member, IEEE, Ashok Kumar Das,Member, IEEE, Neeraj Kumar,Member, IEEE,

Mauro Conti,Senior Member, IEEE, and Athanasios V. Vasilakos,Senior Member, IEEE

Abstract—Implantable medical devices(IMDs)are man-madedevices, which can be implanted in the human body to improvethe functioning of various organs. The IMDs monitor andtreat physiological condition of the human being (for example,monitoring of blood glucose level by insulin pump). The ad-vancement of information and communication technology (ICT)enhances the communication capabilities ofIMDs. In healthcareapplications, after mutual authentication, a user (for example,doctor) can access the health data from theIMDs implantedin a patient’s body. However, in this kind of communicationenvironment, there are always security and privacy issues suchas leakage of health data and malfunctioning ofIMDs by anunauthorized access.

To mitigate these issues, in this paper, we propose a new secureremote user authentication scheme forIMDs communicationenvironment to overcome security and privacy issues in existingschemes. We provide the formal security verification usingthe widely-accepted Automated Validation of Internet SecurityProtocols and Applications (AVISPA) tool. We also provide theinformal security analysis of the proposed scheme. The formalsecurity verification and informal security analysis prove thatproposed scheme is secure against known attacks. The practicaldemonstration of the proposed scheme is performed using thebroadly-accepted NS2 simulation tool. The computation andcommunication costs of the proposed scheme are also comparablewith the existing schemes. Moreover, the scheme provides addi-tional functionality features such as anonymity, untraceabilityand dynamic implantable medical device addition.

Index Terms—Implantable medical devices, user authentica-tion, key agreement, security, anonymity, AVISPA, NS2 simula-tion.

I. I NTRODUCTION

Implantable medical devices(IMDs) monitor and treatphysiological conditions within the body of a patient. Differenttypes ofIMDs such as brain neurosimulator, pacemaker, gas-tric implant and cochlear implant provide remote monitoring

M. Wazid is with the Center for Security, Theory and Algorithmic Research,International Institute of Information Technology, Hyderabad 500 032, India(e-mail: [email protected]).

A. K. Das is with the Center for Security, Theory and Algorithmic Research,International Institute of Information Technology, Hyderabad 500 032, India(e-mail: [email protected], [email protected]).(Corresponding au-thor: Ashok Kumar Das.)

N. Kumar is with the Department of Computer Science and Engineering,Thapar University, Patiala 147 004, India (e-mail: [email protected]).

M. Conti is with the Department of Mathematics, University of Padua,Padua 35122, Italy (e-mail: [email protected]).

A. V. Vasilakos is with the Department of Computer Science, Electrical andSpace Engineering, Lulea University of Technology, Lulea 971 87, Sweden(e-mail: [email protected]).

and treatment to patients with severe medical conditions. Thepervasiveness ofIMDs is growing continuously, for example,25 million US citizens reliant on them for their day to day lifecritical functions [1]. The globalIMDs market was valued at$72, 265 million in 2015, and is projected to reach$116, 300million by 2022, registering a compound annual growth rate(CAGR) of 7.1% from 2016 to 2022 [2]. Information andcommunication technology (ICT) facilitates the informationexchange ofIMDs and provides them capabilities to com-municate with each other.IMDs have the ability to sendthe collected health related data of a patient to the nearbycontroller node(CN) using the communication technologiessuch as bluetooth, zigbee and infrared transmission.CNis more powerful node as compared toIMDs as it hasmore communication range, processing power and storagecapability. CN is connected to the Internet using an accesspoint. A user (for example, a doctor) can access the dataof an IMD via CN after successful mutual authentication.However, in such kind of communication environment, thereare several security and privacy related issues such as replayattack, man-in-the middle attack, impersonation attacks andprivileged-insider attack [3], [4], [5], [6].

A. Motivation

An attacker can exploit the vulnerabilities in theIMDs,which can cause negative medical effects on the health of thepatient. Such effects are commonly known asadverse events[7]. According to the report available in [8], the vulnerabilityin an implanted insulin pump could be exploited by a hacker (aremote malicious user) which can cause an overdose of insulinto the diabetic patients. The overdose of insulin could thencause hypoglycemia (low blood sugar level) which in extremecase becomes a diabetic shock to the patient. Therefore,security ofIMDs becomes a serious concern so that an illegalparty can not attack theIMDs implanted in a patient’s body.Hence, there is a strong need to design a secure remote userauthentication scheme forIMDs by which the controller nodeof a patient’sIMDs and a user (for example, a doctor) canmutually authenticate each other. At the end, both entitiesestablish a secret session key shared between them for theirfuture secure communications. To address such an importantissue forIMDs communication environment, we propose anew secure remote user authentication and key agreementscheme.




B. Main Contributions

The contribution of this paper is manyfold:

• We propose a new lightweight three-factor remote userauthentication scheme for implantable medical devicesin which the controller node of the implantable medicaldevices of a patient and remote user can authenticate eachother.

• The security analysis shows that the proposed scheme issecure. In addition, we test the formal security verifica-tion of the proposed scheme using the widely-acceptedAVISPA tool to show the proposed scheme is also secureagainst the replay and man-in-the middle attacks.

• We provide the practical implementation of the pro-posed scheme using the widely-used NS2 simulationtool to measure the impact of the scheme on networkperformance parameters such as end-to-end delay andthroughput.

C. System Models

The following two models are considered to describe andanalyze the proposed scheme in the paper.

1) Network Model: The network model for the(IMD)scommunication environment shown in Figure1 is used in theproposed scheme. In the given model, we have different typesof IMDs, such as brain neurosimulator and gastric simulator,which are implanted in a patient’s body. There is a controllernode(CN) which collects data from allIMDs using wirelesscommunication technologies (for example, bluetooth, zigbeeand infrared transmission).CN is connected to the Internetthrough an access point. The users can accessIMDs throughCN . Suppose there is a user (for example, a doctor)Ui wantsto access the data from the controller node belonging to aset of implantable medical devices. In this scenario, we needauthentication betweenUi andCN .

Fig. 1. Network model ofIMDs communication environment

2) Threat Model:The well-known Dolev-Yao threat model(DY model) [9] is used in the proposed scheme. Under the DYmodel, the communication takes place over insecure channels.Any two communicating parties can communicate each otherusing a public channel [10], in which the end-point entities,such asIMDl, CN , andUi, are not considered as trusted. An

attackerA can then have the opportunity to eavesdrop, modifyor delete the exchanged messages during the transmission inorder to tamper the communicated data.A can also physicallycaptureCN and can extract the stored information by usingthe power analysis attacks [11], [12] as these devices are non-tamper resistant. However, allIMDs are implanted inside thebody of a patient, and hence, there is a rare possibility ofphysical capturing ofIMDs from a patient’s body. We furtherassume that the trusted authority(TA) is fully trusted partyin the network, which is responsible for pre-deployment ofIMDs and the user registration phase as described in SectionIII .

D. Structure of the Paper

The rest of the paper is organized as follows. In SectionII , we discuss the existing related authentication schemesproposed forIMDs. The various phases of the proposedscheme are discussed in SectionIII . The security analysis ofthe proposed scheme is provided in SectionIV. The formalsecurity verification of the proposed scheme using the widely-accepted AVISPA tool is given in SectionV. The performancecomparison of the related existing schemes and the proposedscheme is provided in SectionVI. The practical demonstrationof the proposed scheme using the widely-accepted NS2 sim-ulation tool is also provided in SectionVII. Finally, the paperis concluded in SectionVIII .

I I. RELATED WORK

This section provides a brief review of the existing authen-tication schemes proposed forIMD communication environ-ment.

An ultrasonic distance-bounding based scheme proposedby Rasmussenet al. [13] allows an IMD to give secureaccess to a programmer (reader) within a proximity range.The programmer has no constraint on power or computationalability. However their scheme did not provide non traceabilityproperty, session key security and also vulnerable to replayand man-in-the middle attacks. Ellouzeet al. [14] presenteda scheme to secure cardiacIMDs. A Wireless Identifica-tion and Sensing Platform (WISP) is used in their scheme.They provided a solution to conserve the battery life of theIMD by harvesting energy using radio frequency signalsfrom an UHF RFID reader to perform the key generationand authentication. Furthermore, they have also proposed anauthentication mechanism using biometric keys for regularand emergency cases which facilitates a secure communicationbetween the programmer and the WISP on theIMD. Howevertheir scheme did not provide anonymity and non traceabilityproperties and also vulnerable to replay attack.

Jang et al. [3] provided a hybrid security scheme thatuses two heterogeneous cryptosystems: symmetric and asym-metric. The heterogeneous cryptosystems used to facilitatethe different levels of security required by applications (forexample, medicalversusnon-medical) in the wireless bodyarea networks (WBANs). Their protocol contains two stages.In the first stage, the global authentication between bio-sensor




node (BSN) and certificate authority (CA)/data server are per-formed, whereas in the second stage, the local authenticationbetween BSN and base station (BS) is executed. Howevertheir scheme did not provide anonymity property and somefunctionality features such as dynamic controller node additionandIMD addition.

Several authentication schemes have been proposed in theliterature for the healthcare applications using radio-frequencyidentification (RFID), wireless medical sensor networks andwireless body area networks [15], [16], [17], [18], [19], [20],[21], [22], [23], [24]. He and Zeadally [4] proposed an authen-tication scheme by using the ambient intelligence, specificallyfor an Ambient Assisted Living (AAL) system that helps tomonitor health and also to provide tele-health care services.Their system used the wearable sensors in the wireless bodyarea networks (WBANs) and assistive robotics. The system hasthree levels of communications: 1) Intra-BAN: The wirelessbody sensors communicate with the WBAN controllers; 2)Inter-BAN: The WBAN controllers communicate with externaldevices (for example, home service robots) and 3) Beyond-BAN: The AAL server connects to the Internet.

Xu et al. [25] proposed a secure scheme for implantable car-diac devices, called IMDGuard. It provides two mechanismsfor IMDs protection: the first one is an electrocardiogramsensor (ECG) based key establishment without prior sharedsecrets, and other one is an access control mechanism toprotect spoofing attacks. Rushananet al. [26] provided asurvey of existing techniques, which improve security andprivacy in IMDs and health BANs. A comprehensive surveyof security and privacy issues inIMDs is also provided in[7]. Moreover, Denninget al. [27] discussed the human valuesand security issues associated with theIMDs.

III. T HE PROPOSEDSCHEME

In this section, we present a new three-factor remoteuser authentication protocol for implantable medical devicescommunication environment, which uses the elliptic curvecryptography (ECC).

The network model presented in Figure1 is followed inthe proposed scheme, in which there is a user (for example,a patient) whose body is implanted with implantable medicaldevicesIMDs, such as pacemaker and insulin pump. All theseIMDs monitor the patient’s health.IMDs have their ownfunctionalities and give services to the patient on the basis ofhis/her symptoms.IMDs also have wireless communicationfeature (for example, bluetooth technology) using which theycan send the patient’s monitored data to the nearby controllernode, sayCNj . CNj collects the sensed information securelyfrom IMDls. Suppose there is a user (for example, a doctor)Ui wants to access the real-time data from a particularCNj

for monitoring and diagnosis of the patient remotely. In thisscenario, we require authentication betweenUi andCNj . Af-ter mutual authentication betweenUi andCNj , they establisha session key for the future secure communication. After thissuccessful mutual authentication only,Ui can access the livedata from the implantedIMDls in the patient’s body with thehelp of CNj .

In this work, we use three factors: 1) mobile deviceMDi

of a userUi; 2) passwordPWi of Ui; and 3) biometricsBIOi of Ui. The proposed scheme consists of the followingseven phases: 1) pre-deployment; 2) offline user registration;3) login; 4) authentication and key agreement; 5) passwordand biometric update; 6) dynamic controller node addition;and 7) dynamicIMD addition.

TableI contains the notations which are used for describingand analyzing the proposed scheme. We have used randomnonces and current timestamps to protect against strong replayattack against an active adversary. For this purpose, we assumethat all the network entities are synchronized with their clocks.

TABLE INOTATIONS USED IN THIS PAPER

Notation DescriptionUi, MDi ith user and his/her mobile deviceCNj jth controller nodeIMDl lth implantable medical deviceTA Trusted authorityIDi, PWi, BIOi Ui’s identity, password and biometric informationIDTA, IDCNj

Identities of trusted authority and controller nodeRIDi, RIDCNj

Pseudo identities ofUi andCNj

N 1024-bit secret number ofTAri, rj 160-bit random nonces ofUi andCNj

RTSCNjRegistration timestamp ofCNj

Ti Generated current timestamp∆T Maximum transmission delay associated with a messageGen(·) Probabilistic generation procedure used in fuzzy extractorRep(·) Deterministic reproduction procedure used in fuzzy extractorσi Biometric secret key ofUi

τi Public reproduction parameter ofUi

t Error tolerance threshold used in fuzzy extractorEp(a, b) A non-singular elliptic curve:y2 = x3 + ax + b (mod p)

over a prime finite fieldZp (Galois fieldGF (p)) witha, b ∈ Z∗

p are constants with4a3 + 27b2 6= 0 (mod p)k.P Elliptic curve point multiplication;k ∈ Z∗

p & P ∈ Ep(a, b)h(·) Collision-resistant cryptographic hash function||, ⊕ Concatenation and bitwise XOR operations

In the proposed scheme, we use the elliptic curve pointmultiplication operations. For better presentation of the paper,in the following we present the basic properties of an ellipticcurve, and its two basic operations, such as point addition andpoint multiplication. A non-singular elliptic curvey2 = x3 +ax+b over a finite fieldGF (p) is denoted by the setEp(a, b)consisting of the solutions(x, y) ∈ Zp×Zp to the congruencey2 ≡ x3 +ax+b (mod p). Here,a, b ∈ Zp are constants withthe condition4a3+27b2 6= 0 (mod p), together with a specialpoint O, called the point at infinity or zero point,Zp = {0,1, . . . , p − 1} and p > 3 be a large prime.Ep(a, b) formsan abelian group (commutative group) under addition modulop operation [28] with the additive identityO and the additiveinverse−P ∈ Ep(a, b) of a point P ∈ Ep(a, b) such that ifP = (xP , yP ), we have−P = (xP ,−yP ), wherexP andyP

denote thex and y coordinates of the pointP ∈ Ep(a, b),respectively. If we considerP = (xP , yP ) andQ = (xQ, yQ)as two points on an elliptic curveEp(a, b), R = (xR, yR)= P + Q ∈ Ep(a, b) is computed as follows [28]: xR =(λ2−xP −xQ) (mod p), yR = (λ(xP −xR)−yP ) (mod p),

whereλ =

{

yQ−yP

xQ−xP(mod p), if P 6= Q

3xP2+a

2yP(mod p), if P = Q.

In elliptic curve cryptography (ECC), point multiplication




(scalar multiplication) is defined as the repeated point ad-ditions. For example, ifP ∈ Ep(a, b), 5P is computed as5P = P + P + P + P + P .

Given a scalark ∈ Zp and a pointP ∈ Ep(a, b), computingthe scalar multiplicationQ = k.P is relatively easy. However,given P andQ in Ep(a, b), it is computationally infeasible tocompute the scalark ∈ Zp, whereQ = k.P . This problem iscalled the elliptic curve discrete logarithm problem (ECDLP).

For biometric authentication, we use the fuzzy extractortechnique [29], [30]. A fuzzy extractor consists of the fol-lowing two procedures: 1) probabilistic generation functionGen(·) and 2) deterministic reproduction functionRep(·).Upon input as a user personal biometricsBIOi, Gen(·)produces output consisting of a secret biometric key of fixedlength, sayη bits, σi ∈ {0, 1}η and a public reproductionparameterτi. On the other hand,Rep(·) takes the currentbiometrics entered by the user, sayBIO′

i and also the publicreproduction parameterτi as input, provided the Hammingdistance betweenBIO′

i andBIOi is less than or equal to anerror tolerance threshold value,t. The output ofRep(·) is thenthe original biometric keyσi, that is,σi = Rep(BIO′

i, τi).

A. Pre-deployment Phase

In this phase, a trusted authority(TA) is responsible forregistering each controller nodeCNj and each implantablemedical deviceIMDl prior to their deployment in a de-ployment field (for example, a hospital) and the patient’sbody. For this purpose, theTA first selects a unique1024-bit secret numberN for eachCNj and theIMDs attachedwith CNj , and computes its pseudo identity using its ownidentity IDTA as RIDTA = h(IDTA||N). The TA thenchooses a unique identityIDCNj

for eachCNj , and calculatesits corresponding pseudo identityRIDCNj

= h(IDCNj||N)

and the temporary credential ofCNj using its registrationtimestampRTSCNj

asTCCNj= h(IDTA ||RTSCNj

||N).The TA finally stores the information{RIDCNj

, TCCNj,

RIDTA} in the memory of CNj and deploys it in thedeployment field.

For the pairwise key establishment between a deployedCNj and IMDls in a patient’s body, we use the ex-isting polynomial-based key distribution protocol proposedby Blundo et al. [31]. For eachCNj , the TA first se-lects a unique symmetric bivariate polynomialP(x, y) =∑n

i=0

∑nj=0

gi,jxiyj ∈ GF (p)[x, y] of degreen over a finite

field (Galois field)GF (p), where the co-efficientsgi,j ’s aretaken from GF (p). Note that the primep is chosen as alarge number andn is also large, which is much larger thanthe number ofIMDs deployed in a patient’s body attachedwith CNj in order to preserve unconditional security andn-collusion resistant property againstIMD capture attack by anattacker [32]. For example, if a bivariate polynomialP(x, y)= x4+ 3x3+ 2x2y2+ 3y3 + y4 over GF (5) is symmetric asP(y, x) = y4+ 3y3+ 2y2x2+ 3x3+ x4 = P(x, y).

For each deployedIMDl, the TA generates a uniqueidentity IDIMDl

, computes the corresponding pseudo identityRIDIMDl

= h(IDIMDl||N) and the polynomial share

P(RIDIMDl, y) which is a univariate polynomial of degree

n in GF (p), and stores this polynomial share and the pseudoidentity RIDIMDl

in the memory ofIMDl. Note that tostoreP(RIDIMDl

, y), the storage space required inIMDl

is (n + 1) log2(p) bits as the coefficients are fromGF (p). Ina similar way, forCNj theTA also computes the polynomialshareP(RIDCNj

, y) which is a univariate polynomial ofdegree n in GF (p), and stores this polynomial share inthe memory ofCNj . Finally, the information{RIDCNj

,TCCNj

, RIDTA, P(RIDCNj, y)} are stored inCNj ’s mem-

ory.The motivation behind the use of the Blundoet al.’s scheme

[31] for pairwise key establishment between a deployedCNj

andIMDls in a patient’s body is as follows. If an adversaryA is able to compromise(n + 1) or more shares ofP(x, y),he/she can easily reconstruct the originalP(x, y) uniquelyusingLagrange’s interpolation[33]. Hence, the disclosure ofup to n shares does not revealP(x, y) to A, and thus, non-compromised shared keys based onP(x, y) remain completelysecure. Since the degreen of P(x, y) is much larger than thenumber ofIMDs deployed in a patient’s body attached withCNj , the proposed scheme preserves unconditional securityandn-collusion resistant property [32], [34].

B. Post-deployment Phase

Once the IMDs andCNj are deployed, the first task ofCNj and IMDs is to establish pairwise secret keys using thepre-loaded information stored in their memory during the pre-deployment phase described in SectionIII-A .

Suppose deployedIMDl and CNj want to establish apairwise secret key between them.IMDl first sends its pseudoidentity RIDIMDl

to CNj . In a similar manner,CNj alsosends its pseudo identityRIDCNj

to IMDl. After thatIMDl

computes the secret key shared withCNj using its own poly-nomial share asSKIMDl,CNj

= P(RIDIMDl, RIDCNj

). Onthe other hand,CNj also computes the same secret key sharedwith IMDl using its own polynomial share asSKCNj ,IMDl

= P(RIDCNj, RIDIMDl

) = P(RIDIMDl, RIDCNj

) (=SKIMDl,CNj

) since the polynomialP(x, y) is symmetric.Hence, bothIMDl and CNj will communicate securely inorder to bring the information sensed by theIMDl to CNj

using the established shared keySKIMDl,CNj.

C. User Registration Phase

This phase discusses the registration procedure for a user(for example, a doctor)Ui to access the information fromthe controller nodeCNj of a patient’s implantable medicaldevicesIMDs. For this purpose,Ui requires to register at theTA securely either in person or via a secure channel. Thisprocedure is performed by theTA andUi with the followingsteps:

Step REG1. Ui selects an identityIDi and sends it tothe TA securely. After receiving registration request, theTAcomputes pseudo identity ofUi as RIDi = h(IDi ||N)using its corresponding secret numberN andAi = h(RIDTA

||IDi), and sends the registration reply message〈RIDi, Ai,RIDTA〉 to Ui securely.




Step REG2. After receiving registration reply from theTA,Ui chooses a non-singular elliptic curveEp(a, b): y2 = x3 +ax+b (mod p) over a prime finite fieldZp, wherep is a largeprime anda, b ∈ Z∗

p are constants such that4a3 + 27b2 6= 0(mod p). Ui further chooses a base pointP of orderm overEp(a, b) such thatm.P = O, whereO is called the pointat infinity or zero point.Ui then selects a private keyk andcomputes the corresponding public keyQ = k.P , and makesQ as public.

Step REG3. Ui selects a passwordPWi on his/her choice,and inputs his/her biometricBIOi at the sensor of his/hermobile device, sayMDi. MDi applies the fuzzy extractorprobabilistic generation functionGen(·) to generate the secretbiometric keyσi and the corresponding public parameterτi

as Gen(BIOi) = (σi, τi) as provided in [35], [36], [30].The detailed information about the fuzzy extractor functionsGen(·) andRep(·) can be found in [30].

Step REG4. MDi calculatesRID′i = RIDi⊕ h(PWi||

σi), masked passwordRPWi = h(PWi ||k), Di = k⊕h(IDi ||PWi ||σi), RID′

TA = RIDTA ⊕h(IDi ||k ||σi)and A′

i = Ai⊕ h(k ||σi). After these computations,MDi

also computes the parametersBi = h(Ai ||RPWi) andCi = h(IDi ||RIDTA ||Bi ||σi). Finally, MDi stores theinformation{RID′

i, RID′TA, A′

i, Ci, Di, τi, Gen(·), Rep(·),h(·), t} in its memory, wheret is the error tolerance thresholdvalue used inRep(·) in order to recover the original biometrickey σi.

D. Login Phase

Ui performs the following steps to execute the login phase:Step L1. Ui inputs his/her identityIDi and passwordPWi

into the interface ofMDi, and also imprints his/her biometricsBIO′

i at the sensor ofMDi. MDi then extracts biometric keyσ′

i = Rep(BIO′i, τi) provided that the Hamming distance be-

tween the original biometricsBIOi at the time of registrationand the recent enteredBIO′

i is less than the error tolerancethreshold valuet. Then, MDi computesk′ = Di⊕ h(IDi

||PWi ||σ′i), RPW ′

i = h(PWi ||k′), A∗

i = A′i⊕h(k′ ||σ′

i), B∗i

= h(A∗i ||RPW ′

i ), RID∗TA = RID′

TA ⊕h(IDi|| k′||σ′i) and

RID∗i = RID′

i ⊕h(PWi ||σ′i) and C∗

i = h(IDi ||RID∗TA

||B∗i ||σ′

i). After computing these values,MDi checks whetherthe conditionC∗

i = Ci holds or not. If it holds,Ui passesboth password and biometric verification. Otherwise, the loginprocess is terminated immediately.

Step L2. MDi generates the current timestampT1 and160-bit random nonceri. MDi then computesai = h(ri ||T1

||RID∗i ||RPW ′

i ||σ′i), bi = h(RID∗

TA ||T1), M1 = ai.P andthe ElGamal type signatureM2 = ai+k′.bi (mod p). Finally,MDi sends the login request message〈M1, M2, T1〉 to CNj

via a public channel.

E. Authentication and Key Agreement Phase

After receiving the login request〈M1,M2, T1〉 from Ui attime T ∗

1 by CNj , the following steps are executed for mutualauthentication and key establishment betweenUi andCNj :

Step AKE1. CNj first checks the timeliness ofT1 by thecondition |T1 − T ∗

1 | < ∆T , where ∆T is the maximum

User (Ui)/Mobile device(MDi) Controller node(CNj)

Input IDi, PWi, BIO′i.

Extractσ′i = Rep(BIO′

i, τi).Computek′ = Di ⊕ h(IDi||PWi ||σ′

i),RPW ′

i = h(PWi ||k′),

A∗i = A′

i ⊕ h(k′ ||σ′i),

B∗i = h(A∗

i ||RPW ′i ), Check|T1 − T ∗

1 | < ∆T , if soRID∗

TA = RID′TA ⊕ h(IDi|| k′||σ′

i), computeb′i = h(RIDTA||T1),RID∗

i = RID′i ⊕ h(PWi ||σ′

i), Verify if M2.P = M1 + b′i.Q?C∗

i = h(IDi||RID∗TA ||B∗

i ||σ′i). If holds, chooseT2 andrj .

Check if C∗i = Ci? if so, Compute

chooseT1, ri. Compute cj = h(rj ||T2 ||RIDCNj||TCCNj

),ai = h(ri||T1||RID∗

i ||RPW ′i ||σ

′i), M4 = cj .P ,

bi = h(RID∗TA||T1), M1 = ai.P , kij = cj .M1 = (aicj).P ,

M2 = ai + k′.bi (mod p). SKij = h(kij ||RIDTA ||T1||T2),〈M1,M2, T1〉−−−−−−−−−→

M5 = h(SKij ||T2).

(via open channel) 〈M4,M5, T2〉←−−−−−−−−−(via open channel)

Check if |T2 − T ∗2 | < ∆T?

Computek∗ij = ai.M4 = (aicj).P ,

SK∗ij = h(k∗

ij ||RID∗TA ||T1||T2),

M6 = h(SK∗ij ||T2). Check if |T3 − T ∗

3 | < ∆T?Check if M6 = M5? If so, chooseT3. ComputeM8 = h(SKij ||T3).ComputeM7 = h(SK∗

ij ||T3). Check if M8 = M7?〈M7, T3〉−−−−−−→(via open channel)

Both Ui and CNj store session keySKij (= SK∗ij).

Fig. 2. Summary of login, and authentication and key agreement phases

transmission delay. If timeliness matches,CNj computesb′i =h(RIDTA ||T1) and verifies the signature by the conditionM2.P = M1+ b′i.Q. Note that M2.P = (ai + k.bi).P= ai.P + k.bi.P = M1 + bi.Q = M1 + b′i.Q. If verificationmatches,CNj chooses current timestampT2 and 160-bitrandom noncerj , and computescj = h(rj ||T2 ||RIDCNj

||TCCNj), M4 = cj .P , kij = cj .M1 = (aicj).P . After these

computations,CNj computes the session keySKij = h(kij

||RIDTA ||T1||T2) shared withUi andM5 = h(SKij ||T2).Then,CNj sends the authentication reply〈M4,M5, T2〉 to Ui

via a public channel.

Step AKE2. After receiving the authentication reply〈M4,M5, T2〉 from CNj at timeT ∗

2 , Ui checks the timelinessof T2 by the verification condition|T2 − T ∗

2 | < ∆T . Ifit does not hold,Ui immediately terminates the connection.Otherwise,Ui computesk∗

ij = ai.M4 = (aicj).P and sessionkey SK∗

ij = h(k∗ij ||RID∗

TA ||T1||T2) shared withUi, andM6 = h(SK∗

ij ||T2). Ui then checks whether the conditionM6 = M5 holds. If it is so, CNj is authenticated byUi. Furthermore,Ui generates the current timestampT3 andcomputesM7 = h(SK∗

ij ||T3) and sends acknowledgmentmessage〈M7, T3〉 to CNj via an open channel.

Step AKE3. After receiving the message〈M7, T3〉 from Ui

at timeT ∗3 , CNj checks the timeliness ofT3 by the condition

|T3 − T ∗3 | < ∆T . If this condition holds,CNj calculatesM8

= h(SKij ||T3) and checks ifM8 = M7 holds. If it does notmatch, it immediately terminates the connection. Otherwise,it is considered that the calculated session keySK∗

ij by Ui

is correct, and bothUi andCNj stores the same session keySKij = (SK∗

ij) for future secure communication.

The login, and authentication and key agreement phases ofthe proposed scheme are summarized in Figure2.




F. Password and Biometric Update Phase

In this phase, we provide the password & biometric updatefacility in which a legitimate userUi can change his/herpassword as well as biometrics at any time without involvingthe TA for security reasons. The following steps are requiredfor this phase:

Step PB1. Ui inputs his/her identityIDi, old passwordPW old

i to the interface ofMDi, and also imprints his/herold biometricsBIOold

i to the sensor ofMDi. MDi thenextracts biometric keyσold

i = Rep(BIOoldi , τi) provided

that the Hamming distance between the original biometricsBIOi at the time of registration and the enteredBIOold

i isless than the error tolerance threshold valuet. In addition,MDi calculatesk = Di⊕ h(IDi ||PW old

i ||σoldi ), RPW old

i

= h(PW oldi ||k), Aold

i = A′i⊕ h(k ||σold

i ), Boldi = h(Aold

i

||RPW oldi ), RIDTA = RID′

TA ⊕ h(IDi|| k||σoldi ), RIDi

= RID′i ⊕h(PW old

i ||σoldi ) and Cold

i = h(IDi ||RIDTA

||Boldi ||σold

i ). After computing these values,MDi checks thecondition Cold

i = Ci. If it holds, Ui is treated as an actualuser who passes both password and biometric verification, andhe/she can proceed for the password and biometric updateprocedure. Otherwise, the password and biometric updateprocess is terminated immediately.

Step PB2. Ui provides a new passwordPWnewi , and

also imprints new biometricsBIOnewi , if Ui is desired to

changeBIOoldi . It is also noted that ifUi does not want

to change his/her biometrics, he/she still can keep the sameold biometrics BIOold

i , and in this situation,BIOnewi is

considered asBIOoldi . After these inputs,MDi computes

σnewi = Rep(BIOnew

i , τnewi ), RPWnew

i = h(PWnewi ||k),

Anewi = Aold

i ⊕h(k ||σnewi ), Bnew

i = h(Anewi ||RPWnew

i ),RID′′

TA = RIDTA ⊕h(IDi|| k|| σnewi ), RID′′

i = RIDi⊕h(PWnew

i ||σnewi ), Cnew

i = h(IDi ||RID′′TA ||Bnew

i ||σnewi )

andD′′i = k⊕ h(IDi ||PWnew

i ||σnewi ).

Step PB3. Finally, MDi replacesRID′i, RID′

TA, A′i, Ci,

Di andτi with RID′′i , RID′′

TA, Anewi , Cnew

i , D′′i andτnew

i ,respectively.

We summarize the password and biometric update phaserelated to the proposed scheme in Figure3.

G. Dynamic Controller Node Addition Phase

This phase is required to deploy a new controller scheme,say CNnew

j in the existing network. TheTA performs thefollowing steps for the dynamic controller node addition:

Step 1. TheTA first assigns a new unique identityIDnewCNj

,which is different from the identities of the already deployedcontroller nodes. TheTA then computes the pseudo identityfor CNnew

j as RIDnewCNj

= h(IDnewCNj

||N) and TCnewCNj

=h(IDTA|| RTSnew

CNj||N), whereRTSnew

CNjis newly generated

registration timestamp forCNnewj . TA also computes polyno-

mial shareP(RIDnewCNj

, y), which is a univariate polynomialin GF (p).

Step 2. Finally, the TA stores the credentials{RIDnewCNj

,TCnew

CNj, RIDTA, P(RIDnew

CNj, y)} into the memory of

CNnewj prior to its deployment.

User (Ui) Mobile device(MDi)

Input identityIDi,old passwordPW old

i , andimprint biometricsBIOold

i . Extractσoldi = Rep(BIOold

i , τi).Calculatek = Di⊕ h(IDi ||PW old

i ||σoldi ),

RPW oldi = h(PW old

i ||k),Aold

i = A′i⊕ h(k ||σold

i ),Bold

i = h(Aoldi ||RPW old

i ),RIDTA = RID′

TA ⊕ h(IDi|| k||σoldi ),

RIDi = RID′i ⊕h(PW old

i ||σoldi )

Coldi = h(IDi ||RIDTA ||Bold

i ||σoldi ).

Check if Coldi = Ci?

If so, askUi to enter new passwordand imprint new biometrics.

Input new passwordPWnewi .

Imprint newBIOnewi . Calculateσnew

i = Rep(BIOnewi , τnew

i ),RPWnew

i = h(PWnewi ||k),

Anewi = Aold

i ⊕h(k ||σnewi ),

Bnewi = h(Anew

i ||RPWnewi ),

RID′′TA = RIDTA ⊕h(IDi|| k|| σnew

i ),RID′′

i = RIDi⊕ h(PWnewi ||σnew

i ),Cnew

i = h(IDi ||RID′′TA ||Bnew

i ||σnewi ),

D′′i = k⊕ h(IDi ||PWnew

i ||σnewi ).

ReplaceRID′i, RID′

TA, A′i, Ci, Di

andτi with RID′′i , RID′′

TA, Anewi ,

Cnewi , D′′

i andτnewi , respectively.

Fig. 3. Summary of password and biometric update phase

H. Dynamic IMD Addition Phase

To deploy a newIMD or to replace an existingIMD byanother newIMD, sayIMD′

l, theTA executes the followingsteps:

Step 1. The TA generates a unique identityID′IMDl

, andcomputes the corresponding pseudo identityRID′

IMDl=

h(ID′IMDl

||N) and the polynomial shareP(RID′IMDl

, y).Step 2. TheTA then storesP(RID′

IMDl, y) andRID′

IMDl

in the memory ofIMD′l.

Note that there is no need to update any polynomial sharein CNj . TheTA only needs to informCNj about the deploy-ment of IMD′

l. After deployment ofIMD′l, it can establish

pairwise key withCNj as SKIMD′

l,CNj

= P(RIDIMD′

l,

RIDCNj) = P(RIDCNj

, RIDIMD′

l) and start secure com-

munication using the established keySKIMD′

l,CNj

with thehelp of the post-deployment phase given in SectionIII-B .

IV. SECURITY ANALYSIS

In this section, we show that the proposed scheme is secureagainst the following possible known attacks:

Replay attack:In the proposed scheme, during the login,and authentication and key agreement phases, the messagesMsg1 = 〈M1,M2, T1〉, Msg2 = 〈M4, M5, T2〉 andMsg3 =〈M7, T3〉 are exchanged between a userUi and a controllernode CNj . These messages involve different current times-tamps T1, T2 and T3. If an adversaryA intercepts thesemessages and tries to replay these messages later, the validityof timestamps in these messages will fail, and as a result,the messages will be treated as the old messages. Hence, ourscheme provides protection against replay attack.

Man-in-the-middle attack:SupposeA intercepts the mes-sageMsg1 and attempts to modify this message to create avalid login message. For creating the valid login message,A




can generate a random nonceria and current timestampT1a.Then,A is not able to computeM ′

1 = aia.P , aia = h(rai ||T1a

||RID∗i ||RPW ′

i ||σi) becauseA does not know the values ofRID∗

i , RPW ′i and the biometric secret keyσi of the userUi.

Similarly, if A tries to compute the signatureM ′2 = aia +k.b′i

(mod p), he/she needsaia andb′i = h(RID′TA ||T1a). A can

not also computeM ′2 because he/she does not knowRID′

TA

andk, which is the secret key ofUi. Therefore,A is not ableto modify Msg1. In a similar way,A can not modify othermessagesMsg2 and Msg3. Therefore, our scheme providesprotection against man-in-the-middle attack.

Privileged-insider and offline password guessing attacks:Aprivileged user of theTA, who may be an internal adversaryA, can obtainRIDi during the userUi’s registration phase.In addition, suppose the mobile deviceMDi of Ui is lostor stolen byA after the registration process is finished.MDi

contains information{RID′i, RID′

TA, A′i, Ci, Di, τi, Gen(·),

Rep(·), h(·), t}. Even by retrieving all stored information fromMDi using the power analysis attacks [11], [12], A can notguess the correct passwordPWi because he/she does not knowthe private keyk of Ui and his/her secret biometric keyσi fromCi and Di. Therefore, the correct guess ofPWi will not besuccessful byA. Hence, the proposed scheme is secure againstboth privileged-insider and offline password guessing attacks.

User impersonation attack:SupposeA intercepts the mes-sageMsg1 = 〈M1, M2, T1〉 during the login phase, and triesto impersonate as a legal userUi by sending a valid loginrequest message toCNj . A can not compute the secretai fromM1 = ai.P due to hardness of the ECDLP problem (discussedin SectionIII ). In order to perform user impersonation attack,A can generate the current timestampT ′

1 and a random nonceria. To generate valid login request message, sayMsg′1 =〈M ′

1,M′2, T ′

1〉, A requires to computeM ′1 = aia.P andM ′

2 =aia+ k.bia (mod p), whereaia = h(ria ||T ′

1 ||RID∗i ||RPW ′

i

||σi) and bia = h(RID∗TA ||T ′

1). A can not computeMsg′1as he/she does not knowRID∗

i , RID∗TA, RPW ′

i , σi and thesecret keyk of Ui. Therefore, the user impersonation attackis protected in our scheme.

Controller node impersonation attack:SupposeA interceptsthe messageMsg2 = 〈M4, M5, T2〉 during the authenticationand key establishment phase, and tries to impersonate as acontroller nodeCNj by sending a valid authentication replymessage toUi. A can not compute the secretcj from M4 =cj .P due to hardness of the ECDLP problem.A can generatethe current timestampT ′

2, and random noncesria andrja. Togenerate a valid message, sayMsg′2 = 〈M ′

4,M′5, T ′

2〉, A needsto computeM ′

4 = cja.P , M ′5 = h(SK ′

ij ||T ′2), wherecja =

h(rja ||T ′2 ||RIDCNj

||TCCNj), k′

ij = cja.M ′1 = (aiacja).P ,

aia = h(ria ||T1|| RID∗i ||RPW ′

i ||σi), andSK ′ij = h(k′

ij

||RIDTA ||T1 ||T ′2). A can not computeMsg′2 as he/she does

not knowRIDCNj, TCCNj

, RID∗i , RID∗

TA, RPW ′i andσi.

Thus, our scheme is secure against such an attack.Session key security:During the login and authentication &

session key agreement phases,Ui sends the messageMsg1

= 〈M1,M2, T1〉 to CNj . Then CNj replies to Ui withthe messageMsg2 = 〈M4,M5, T2〉. Further,Ui sends theacknowledgment messageMsg3 = 〈M7, T3〉 to CNj . In allthese messages session keySKij (= SK∗

ij) is protected by the

one-way hash functionh(·). Moreover, without the knowledgeof short term secrets such as random noncesri and rj , andlong term secrets, such as identitiesRIDTA, RIDi, RIDCNj

andTCCNj, A can not compute session keySKij . Therefore,

due to the use of these short term and long term secrets, andalso the collision resistance property ofh(·), the computationof SKij is computationally infeasible forA. As a result, theproposed scheme provides session key security.

Anonymity and untraceability:Suppose an adversaryAintercepts the messagesMsg1 = 〈M1,M2, T1〉, Msg2 =〈M4,M5, T2〉 andMsg3 = 〈M7, T3〉 during the login and au-thentication & key agreement phases. Due to usage of randomnoncesri, rj and current timestamps, each ofai, bi, cj andkij becomes dynamic and “unique” in all messages for eachsession. Moreover, none of these messages directly includesIDi andIDCNj

. Hence, the proposed scheme preserves bothanonymity and untraceability properties.

Resilience against controller node physical capture attack:As in [37], [38], the resilience against controller node physicalcapture attack of the proposed scheme in the IMD communi-cation environment is as follows. Assume thatc controllernodes are physically captured by an adversaryA. It is thenmeasured as the total secure communications compromisedby a capture ofc controller nodesnot including the com-munication in which the compromised controller nodes aredirectly involved. Let Pe(c) denote the probability thatAcan decrypt the secure communication between a userUi anda non-compromised controller nodeCNj when c controllernodes are already compromised. IfPe(c) = 0, a user authen-tication scheme is known as unconditionally secure againstcontroller node capture attack. By physically capturing a con-troller nodeCN ′

j , A can extract the information{RIDCNj,

TCCNj, RIDTA, P(RIDCNj

, y)} from its memory usingpower analysis attacks [11], [12]. Note that allRIDCNj

,TCCNj

andP(RIDCNj, y) are distinct for all the controller

nodes, and these are generated by theTA. Therefore, bycapturing CN ′

j , A can only compromise the session keybetween that the userUi andCN ′

j . However, the session keysbetween that userUi and other non-compromised controllernodesCNjs can not be compromised byA. Then, compromiseof a controller node does not lead to compromise securecommunications among the user and other non-compromisedcontroller nodes. Hence, our scheme is unconditionally secureagainst controller node physical capture attack.

Denial-of-service attack (DoS):Even if a legal userUi

enters incorrectIDi and/or PWi during login phase, it islocally checked through the verificationC∗

i = Ci (Step L1in Section III-D ). The login request of the userUi is sentto the controller node only after successful verification. As aresult, the proposed scheme is secure against such DoS attack.

Stolen mobile device attack:Suppose the mobile deviceMDi of a legal userUi is lost or stolen by an attackerA.A can then extract all information{RID′

i, RID′TA, A′

i, Ci,Di, τi, Gen(·), Rep(·), h(·), t} stored in MDi using thepower analysis attacks. To correctly guessIDi andPWi fromthe extracted informationCi and Di, A needs to know boththe secretsk and σi. Thus, it is computationally infeasiblefor A to correctly guess bothIDi and PWi. Therefore, the




proposed scheme is secure against stolen mobile device attack.

V. FORMAL SECURITY VERIFICATION USING AVISPA

In this section, we provide the formal security verificationof the proposed scheme using the widely-accepted AVISPAtool [39], [40].

In AVISPA, we first implement the security protocol inthe role-based expressive formal language, called the HighLevel Protocol Specification Language (HLPSL). HLPSL istranslated into the intermediate format (IF) using the translator,called HLPSL2IF. IF is a lower-level language than HLPSLand is read directly by the back-ends to the AVISPA tool.There are four backends in AVISPA tool: 1) On-the-fly Model-Checker (OFMC); 2) Constraint-Logic-based Attack Searcher(CL-AtSe); 3) SAT-based Model-Checker (SATMC) and 4)Tree Automata based on Automatic Approximations for theAnalysis of Security Protocols (TA4SP). Finally, the backendsproduce the output format (OF), which precisely tells whetherthe protocol is safe or unsafe. If it is unsafe, the OF also liststhe attack trace. In AVISPA, the communication channel ispublic and it is modeled using the Dolev-Yao threat model [9].Thus, the intruder (which is always denoted byi in HLPSL)can also take a legitimate role in the protocol run. The detaileddescription of the AVISPA tool and the HLPSL is available in[39], [40].

% OFMC% Version of 2006/02/13SUMMARY SAFEDETAILS BOUNDED_NUMBER_OF_SESSIONSPROTOCOL C:\progra~1\SPAN\testsuite \results\auth_imd.ifGOAL as_specifiedBACKEND OFMCCOMMENTSSTATISTICS parseTime: 0.00s searchTime: 21.09s visitedNodes: 315 nodes depth: 12 plies

SUMMARY SAFEDETAILS BOUNDED_NUMBER_OF_SESSIONS TYPED_MODELPROTOCOL C:\progra~1\SPAN\testsuite \results\auth_imd.ifGOAL As SpecifiedBACKEND CL−AtSe

STATISTICS

Analysed : 1111 states Reachable : 1108 states Translation: 0.13 seconds Computation: 8.69 seconds

Fig. 4. The result of the analysis using OFMC and CL-AtSe backends

In HLPSL, each entity in the network (userUi, theTA andcontroller nodeCNj) is implemented in a role. Apart fromthese basic roles, we have other two mandatory roles, calledsession, and goal and environment. Each role contains globalconstants and a composition of one or more sessions, wherethe intruder may play some roles as legitimate user. For thereplay attack checking, OFMC checks whether the legitimateagents can execute the specified protocol by performing asearch of a passive intruder. For the Dolev-Yao model check,this back-end also checks whether there is any man-in-the-middle attack possible by the intruder. We have simulated theproposed scheme using the Security Protocol ANimator forAVISPA (SPAN) [41] for the OFMC and CL-AtSe back-endssince these backends supports bitwise XOR operation. Thesimulation results of the analysis provided in Figure4 showthat the proposed scheme is secure against replay and man-in-the-middle attacks.

VI. COMPARATIVE STUDY

In this section, we compare the computation and communi-cation costs, and functionality features of the proposed schemewith other related existing schemes, such as the schemes ofRasmussenet al. [13], Ellouzeet al. [14], Janget al. [3] andHe-Zeadally [4].

The comparison of functionality features of the existingschemes and our scheme is given in TableII. It is evidentfrom the table that Rasmussenet al.’s scheme does not provideFNF3, FNF5, FNF8, FNF9, FNF14 andFNF17; Jangetal.’s scheme does not provide the featuresFNF2, FNF13,FNF14 andFNF17; Ellouzeet al.’s scheme does not provideFNF2, FNF3, FNF8, FNF14, FNF15 and FNF17; andHe-Zeadally’s scheme does not also provideFNF13, FNF14

andFNF17. On the other hand, the proposed scheme providesall the functionality features listed in the table.

TABLE IICOMPARISON OF FUNCTIONALITY FEATURES

Feature Rasmussen Jang Ellouze He- Ouret al. et al. et al. Zeadally

FNF1 X X X X X

FNF2 X × × X X

FNF3 × X × X X

FNF4 X X X X X

FNF5 × X X X X

FNF6 X X X X X

FNF7 X X X X X

FNF8 × X × X X

FNF9 × X X X X

FNF10 N/A N/A N/A X X

FNF11 N/A N/A N/A N/A X

FNF12 N/A N/A N/A N/A X

FNF13 N/A × N/A × X

FNF14 × × × × X

FNF15 X N/A × X X

FNF16 X X X X X

FNF17 × × × × X

Note: FNF1: mutual authentication;FNF2: anonymity; FNF3: non-traceability; FNF4: session-key agreement;FNF5: session key security;FNF6: confidentiality; FNF7: integrity; FNF8: strong replay attack;FNF9: man-in-the-middle attack;FNF10: efficient login phase;FNF11:password update phase;FNF12: biometric update phase;FNF13: dynamiccontroller node addition;FNF14: dynamic IMD addition; FNF15: pro-tection against stolen mobile device/programmer attack;FNF16: protectionagainst impersonation attack;FNF17: formal security verification usingAVISPA tool.×: a scheme is insecure against a particular attack or does not support aparticular feature;X: a scheme is secure against a particular attack or supportsa particular feature; N/A: not applicable in a scheme.

For computation costs comparison, we have listed the ap-proximate time needed for various cryptographic operationsin Table III . We use the existing experimental results forthese operations [42]. The comparison of computation costs ofexisting related schemes [13], [14] (for regular mode), [3] (forglobal authentication), [4] and the proposed scheme is given inTableIV. Though the computation cost of our scheme is morethan that for the schemes of Rasmussenet al. and Ellouzeetal., it can be considered as our scheme provides more securityand functionality features as compared to those schemes.

For communication costs comparison, we have taken thetimestamp, sequence number or random nonce is of32 bitseach. If the SHA-1 [43] hash function is used, the size of




TABLE IIIAPPROXIMATE TIME REQUIRED FOR VARIOUS OPERATIONS[42]

Notation Description Approx. computation(time to compute) time (seconds)

Th One-way hash function 0.00032Tecm ECC point multiplication 0.0171Teca ECC point addition 0.0044Tsenc Symmetric encryption 0.0056Tsdec Symmetric decryption 0.0056Tme Modular exponentiation 0.0192Tfe ≈ Tecm [42] Fuzzy extractor function 0.0171

TABLE IVCOMPUTATION COSTS COMPARISON

Scheme Computation costRasmussenet al. 2Tme + 1Th ≈ 0.03872sJanget al. 25Tecm + 15Teca + 5Th ≈ 0.4951sEllouzeet al. 6Th + 2Tsenc/Tsdec ≈ 0.01312sHe-Zeadally 6Tecm + 8Tsenc/Tsdec+ 4Th ≈ 0.1487sProposed scheme Tfe + 6Tecm + 17Th ≈ 0.12514s

hash digest is160 bits. All identities are assumed to be160bits each. We further assume that the1024-bit Diffie-Hellmankey is used in Rasmussenet al.’s protocol, since an160-bitECC cryptosystem provides the same security as1024-bit RSAcryptosystem [44]. Thus, each elliptic curve point of the formP = (xP , yP ) requires(160 + 160) = 320 bits. The publickey cryptosystem used in Janget al.’s [3] hybrid protocol isconsidered as ECC. Therefore, in that case ECC encryptionof a plaintext, which is an ECC pointPm, using the publickey produces the ciphertext(C1, C2), where bothC1 andC2

are ECC points and the ciphertext requires(320+320) = 640bits. Additionally, symmetric encryption/decryption is of128bits (if we apply the Advanced Encryption Standard (AES)[45]). TableV shows the comparison of communication costsof the related existing schemes [13], [14] (for regular mode),[3] (for global authentication), [4] and our scheme in termsof the number of messages and number of bits. The results inthis table show that though the communication cost of Ellouzeet al.’s scheme is less than our scheme, but it can be acceptedas our scheme provides more security and more functionalityfeatures as compared to other schemes.

TABLE VCOMMUNICATION OVERHEADS COMPARISON

Scheme No. of messages No. of bitsRasmussenet al. 6 2210Janget al. 8 5920Ellouzeet al. 3 961He-Zeadally 4 3232Proposed scheme 3 1216

VII. PRACTICAL PERSPECTIVE: NS2 SIMULATION STUDY

In this section, to measure the impact of the proposedscheme on the network performance parameters, such as end-to-end delay (in seconds) and throughput (in bits per second),

we have used widely accepted NS2 2.35 simulator [46], [47]on Ubuntu 14.04 LTS platform.

A. Simulation Parameters

The parameters used in the NS2 simulation are given inTableVI . The network coverage area is taken as80× 80 m2.The communication ranges of implantable medical devicesand controller nodes are taken as25 meters and50 meters,respectively. The medium access control type is the standardIEEE 802.15.4 and the network was simulated for the durationof 1800 seconds (30minutes). Apart from these, all otherstandard parameters are considered for the simulation.

B. Simulation Environment

We have considered the following three network scenarios,in which there are three controller nodesCNjs and threepatients implanted with fiveIMDjs each. Hence, there area total of15 IMDjs are deployed in the simulation.

• Scenario 1.In this scenario, there are three users(Uis),three controller nodes(CNjs) and15 IMDjs.

• Scenario 2.Under this scenario, we have taken five users(Uis), three controller nodes(CNjs) and15 IMDjs.

• Scenario 3.Here, there are nine users(Uis), three con-troller nodes(CNjs) and15 IMDjs.

In each scenario, we have considered the three messages:{M1,M2, T1} from Ui to CNj , {M4,M5, T2} from CNj toUi, and {M7, T3} from Ui to CNj , which are of sizes512bits, 512 bits, 192 bits, respectively.

TABLE VIVARIOUS SIMULATION PARAMETERS

Parameter DescriptionPlatform Ubuntu 14.04 LTSNetwork scenarios 1, 2 and3Number of users 3, 5, 9 for scenarios1, 2, 3Number of controller nodes 3 for all scenariosNumber of implantable medical devices15 for all scenariosSimulation time 1800 seconds

C. Simulation Results and Discussions

In order to measure the impact of the proposed scheme, wehave calculated the network performance parameters, such asend-to-end delay and throughput.

1) Impact on End-to-end Delay:The end-to-end delay(EED) is formulated as the average time taken by the datapackets (messages) to arrive at the destination from the source.The EED is then calculated as

∑npkt

i=1(Treci

− Tsendi)/npkt,

whereTreciandTsendi

are the receiving and sending time of apacketi, respectively, andnpkt is the total number of packets.The EEDs of the proposed scheme for different scenariosare provided in Fig.5(a). The values ofEEDs are0.02719,0.03188 and 0.06765 seconds for the scenarios1, 2 and 3,respectively. Note that the value ofEED increases with theincreasing number of users. The increment in number of usersresults more number of exchanged messages, which furtherincurs congestion, and therefore,EED increases in scenarios2 and3.




2) Impact on Throughput:The throughput is measured asthe number of bits transmitted per unit time. The networkthroughput (in bps) of the proposed scheme under differentnetwork scenarios is provided in Fig.5(b). The throughput isformulated asnr×|pkt|

Td, whereTd is the total time (in seconds),

|pkt| the size of a packet andnr the total number of receivedpackets. Note that the simulation time as1800s, which isconsidered as the total time. The throughput values are4.98,9.10 and 10.99 bps for the scenarios1, 2 and 3, receptively.The throughput also increases in scenarios2 and3.

0

2

4

6

8

10

12

14

16

1 2 3

thro

ug

hp

ut (b

ps)

scenarios

0

0.02

0.04

0.06

0.08

0.1

1 2 3

en

d-t

o-e

nd

de

lay

(se

c)

scenarios

Fig. 5. Network performance: (a) throughput and (b) end-to-end delay

VIII. C ONCLUSION

The use ofIMDs facilitates the remote monitoring of thehealth of a patient. TheIMDs specially improve the quality oflife of elderly people, who other has problem to move easily.A doctor can provide them remote consultation on the basisof their health data, which is collected by the help ofIMDs.However, wireless communication raises serious threats in theIMD deployment. In this paper, we proposed a remote userauthentication scheme through which a user (a doctor) anda controller node can mutually authenticate each other andestablish a session key for their future secure communication.Apart from that the pairwise key establishment between acontroller node and itsIMDs is also provided in the proposedscheme for the secure communication between them. Thecomputation and communication costs of the proposed schemeare comparable with the existing related schemes. In addition,the proposed scheme also provides better security and morefunctionality features, such as password and biometric updatephase, dynamic controller node andIMD addition phases, ascompared to other existing related schemes.

ACKNOWLEDGMENTS

We thank the anonymous reviewers and the Associate Editorfor their valuable feedback on the paper which helped us toimprove its quality and presentation.

REFERENCES

[1] D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel,“Security and Privacy for Implantable Medical Devices,”IEEE PervasiveComputing, vol. 7, no. 1, pp. 30–39, 2008.

[2] R. Thakur, “Implantable Medical Devices Market is Expectedto Reach $116, 300 Million by 2022, Globally - Allied MarketResearch,” http://www.prnewswire.com/news-releases/implantable-medical-devices-market-is-expected-to-reach-116300-million-by-2022-globally—allied-market-research-613835833.html.

[3] C. S. Jang, D. G. Lee, J.-w. Han, and J. H. Park, “Hybrid SecurityProtocol for Wireless Body Area Networks,”Wireless Communicationsand Mobile Computing, vol. 11, no. 2, pp. 277–288, 2011.

[4] D. He and S. Zeadally, “Authentication protocol for an ambient assistedliving system,” IEEE Communications Magazine, vol. 53, no. 1, pp.71–77, 2015.

[5] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun,“Proximity-based Access Control for Implantable Medical Devices,” inProceedings of the 16th ACM Conference on Computer and Communi-cations Security (CCS 2009), Chicago, USA, 2009, pp. 410–419.

[6] N. Ellouze, M. Allouche, H. Ben Ahmed, S. Rekhis, and N. Boudriga,“Securing Implantable Cardiac Medical Devices: Use of Radio Fre-quency Energy Harvesting,” in3rd International Workshop on Trust-worthy Embedded Devices, Berlin, Germany, 2013, pp. 35–42.

[7] C. Camara, P. P. Lopez, and J. E. Tapiador, “Security and privacy issuesin implantable medical devices: A comprehensive survey,”Journal ofBiomedical Informatics, vol. 55, pp. 272 – 289, 2015.

[8] J. Finkle, “J & J warns diabetic patients: Insulin pump vulnerableto hacking,” http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L. Accessed on February 2017.

[9] D. Dolev and A. C. Yao, “On the security of public key protocols,”IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208,1983.

[10] M. L. Das, “Two-factor user authentication in wireless sensor networks,”IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090, 2009.

[11] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-cardsecurity under the threat of power analysis attacks,”IEEE Transactionson Computers, vol. 51, no. 5, pp. 541–552, 2002.

[12] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” inPro-ceedings of 19th Annual International Cryptology Conference (CRYPTO1999), LNCS, vol. 1666, Santa Barbara, California, USA, 1999, pp. 388–397.

[13] K. B. Rasmussen, C. Castelluccia, T. S. Heydt-Benjamin, and S. Capkun,“Proximity-based Access Control for Implantable Medical Devices,” inProceedings of the 16th ACM Conference on Computer and Communi-cations Security (CCS 2009), Chicago, USA, 2009, pp. 410–419.

[14] N. Ellouze, M. Allouche, H. Ben Ahmed, S. Rekhis, and N. Boudriga,“Securing Implantable Cardiac Medical Devices: Use of Radio Fre-quency Energy Harvesting,” inProceedings of the 3rd InternationalWorkshop on Trustworthy Embedded Devices, Berlin, Germany, 2013,pp. 35–42.

[15] D. He and S. Zeadally, “An Analysis of RFID Authentication Schemesfor Internet of Things in Healthcare Environment Using Elliptic CurveCryptography,”IEEE Internet of Things Journal, vol. 2, no. 1, pp. 72–83, 2015.

[16] D. He, N. Kumar, J. Chen, C. C. Lee, N. Chilamkurti, and S. S. Yeo,“Robust anonymous authentication protocol for health-care applicationsusing wireless medical sensor networks,”Multimedia Systems, vol. 21,no. 1, pp. 49–60, 2015.

[17] D. He, S. Zeadally, N. Kumar, and J. H. Lee, “Anonymous Authentica-tion for Wireless Body Area Networks With Provable Security,”IEEESystems Journal, pp. 1–12, 2016, DOI: 10.1109/JSYST.2016.2544805.

[18] X. Li, J. Niu, S. Kumari, F. Wu, and K. K. R. Choo, “A robustbiometrics based three-factor authentication scheme for Global MobilityNetworks in smart city,”Future Generation Computer Systems, 2017,DOI: 10.1016/j.future.2017.04.012.

[19] X. Li, M. H. Ibrahim, S. Kumari, A. K. Sangaiah, V. Gupta, and K. K. R.Choo, “Anonymous mutual authentication and key agreement scheme forwearable sensors in wireless body area networks,”Computer Networks,2017, DOI: 10.1016/j.comnet.2017.03.013.

[20] X. Li, J. Peng, S. Kumari, F. Wu, M. Karuppiah, and K. K. R. Choo,“An enhanced 1-round authentication protocol for wireless body areanetworks with user anonymity,”Computers & Electrical Engineering,2017, DOI: 10.1016/j.compeleceng.2017.02.011.

[21] X. Li, J. Niu, M. K. Khan, J. Liao, and X. Zhao, “Robust three-factorremote user authentication scheme with key agreement for multimediasystems,”Security and Communication Networks, vol. 9, no. 13, pp.1916–1927, 2016.

[22] D. He, C. Chen, S. Chan, J. Bu, and A. V. Vasilakos, “ReTrust: Attack-Resistant and Lightweight Trust Management for Medical Sensor Net-works,” IEEE Transactions on Information Technology in Biomedicine,vol. 16, no. 4, pp. 623–632, 2012.

[23] Z. Zhang, H. Wang, A. V. Vasilakos, and H. Fang, “ECG-Cryptographyand Authentication in Body Area Networks,”IEEE Transactions onInformation Technology in Biomedicine, vol. 16, no. 6, pp. 1070–1078,2012.

[24] J. Zhou, Z. Cao, X. Dong, N. Xiong, and A. V. Vasilakos, “4S:A secure and privacy-preserving key management scheme for cloud-




assisted wireless body area network in m-healthcare social networks,”Information Sciences, vol. 314, pp. 255–276, 2015.

[25] F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li, “IMDGuard: Securingimplantable medical devices with the external wearable guardian,” inIEEE INFOCOM, Shanghai, China, 2011, pp. 1862–1870.

[26] M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, “SoK:Security and Privacy in Implantable Medical Devices and Body AreaNetworks,” inIEEE Symposium on Security and Privacy, San Jose, USA,2014, pp. 524–539.

[27] T. Denning, A. Borning, B. Friedman, B. T. Gill, T. Kohno, and W. H.Maisel, “Patients, Pacemakers, and Implantable Defibrillators: HumanValues and Security for Wireless Implantable Medical Devices,” inSIGCHI Conference on Human Factors in Computing Systems, ser. CHI’10. Atlanta, Georgia, USA: ACM, 2010, pp. 917–926.

[28] N. Koblitz, A. Menezes, and S. A. Vanstone, “The state of elliptic curvecryptography,”Designs, Codes and Cryptography, vol. 19, no. 2-3, pp.173–193, 2000.

[29] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generatestrong keys from biometrics and other noisy data,” inAdvances incryptology-Eurocrypt 2004. Interlaken, Switzerland: Springer, 2004,pp. 523–540.

[30] V. Odelu, A. K. Das, and A. Goswami, “A secure biometrics-basedmulti-server authentication protocol using smart cards,”IEEE Transac-tions on Information Forensics and Security, vol. 10, no. 9, pp. 1953–1966, 2015.

[31] C. Blundo, A. D. Santis, A. Herzberg, S. Kutten, U. Vaccaro, andM. Yung, “Perfectly-Secure Key Distribution for Dynamic Conferences,”in Proceedings of 12th Annual International Cryptology Conference(CRYPTO’92), Lecture Notes in Computer Science, vol. 740, SantaBarbara, California, USA, 1993, pp. 471–486.

[32] A. K. Das and I. Sengupta, “An effective group-based key establish-ment scheme for large-scale wireless sensor networks using bivariatepolynomials,” in3rd IEEE International Conference on CommunicationSystems Software and Middleware (COMSWARE 2008), Bangalore,India, 2008, pp. 9–16.

[33] H. Wang and Y. Zhang, “Cryptanalysis of an Efficient Threshold Self-Healing Key Distribution Scheme,”IEEE Transactions on WirelessCommunications, vol. 10, no. 1, pp. 1–4, 2011.

[34] D. Liu, P. Ning, and R. Li, “Establishing Pairwise Keys in DistributedSensor Networks,”ACM Transactions on Information and System Secu-rity, vol. 8, no. 1, pp. 41–77, 2005.

[35] A. K. Das, “A secure and robust temporal credential-based three-factoruser authentication scheme for wireless sensor networks,”Peer-to-PeerNetworking and Applications, vol. 9, no. 1, pp. 223–244, 2016.

[36] V. Odelu, A. K. Das, and A. Goswami, “SEAP: Secure and efficientauthentication protocol for NFC applications using pseudonyms,”IEEETransactions on Consumer Electronics, vol. 62, no. 1, pp. 30–38, 2016.

[37] A. K. Das, P. Sharma, S. Chatterjee, and J. K. Sing, “A dynamicpassword-based user authentication scheme for hierarchical wirelesssensor networks,”Journal of Network and Computer Applications,vol. 35, no. 5, pp. 1646 – 1656, 2012.

[38] S. Kumari, A. K. Das, M. Wazid, X. Li, F. Wu, K.-K. R. Choo, and M. K.Khan, “On the design of a secure user authentication and key agreementscheme for wireless sensor networks,”Concurrency and Computation:Practice and Experience, 2016, DOI: 10.1002/cpe.3930.

[39] AVISPA, “Automated Validation of Internet Security Protocols andApplications,” http://www.avispa-project.org/. Accessed on April 2016.

[40] A. Armando et al., “The AVISPA Tool for the Automated Validationof Internet Security Protocols and Applications,” in17th InternationalConference on Computer Aided Verification (CAV’05), Lecture Notesin Computer Science (LNCS), Springer-Verlag, vol. 3576, Edinburgh,Scotland, UK, 2005, pp. 281–285.

[41] AVISPA, “SPAN, the Security Protocol ANimator for AVISPA,”http://www.avispa-project.org. Accessed on April 2017.

[42] D. He, N. Kumar, J. H. Lee, and R. S. Sherratt, “Enhanced three-factor security protocol for consumer USB mass storage devices,”IEEETransactions on Consumer Electronics, vol. 60, no. 1, pp. 30–37, 2014.

[43] “Secure Hash Standard,” FIPS PUB 180-1, National Institute of Stan-dards and Technology (NIST), U.S. Department of Commerce, April1995. Available at http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf. Accessed on September 2015.

[44] S. Vanstone, “Responses to NIST’s proposal,”Communications of theACM, vol. 35, no. 7, pp. 50–52, 1992.

[45] “Advanced Encryption Standard (AES),” FIPS PUB197, National Institute of Standards and Technology(NIST), U.S. Department of Commerce, November 2001.

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf. Accessedon April 2016.

[46] “The Network Simulator-ns-2,” http://www.isi.edu/nsnam/ns/. Accessedon January 2017.

[47] J. Wang, “NS-2 Tutorial,” http://www.cs.virginia.edu/c̃s757/slidespdf/cs757-ns2-tutorial1.pdf. Accessed on April 2016.

Mohammad Wazid (S’17)received the M.Tech. de-gree in computer network engineering from GraphicEra University, Dehradun, India. He also receivedhis Ph.D. degree in Computer Science and Engineer-ing from the International Institute of InformationTechnology, Hyderabad, India, in 2017. His cur-rent research interests include security, remote userauthentication, Internet of things (IoT) and cloudcomputing. He has published more than 40 papers ininternational journals and conferences in the aboveareas. He was a recipient of the University Gold

Medal and the Young Scientist Award by UCOST, Department of Science andTechnology, Government of Uttarakhand, India. He is the member of IEEEEngineering in Medicine and Biology Society (EMBS), IEEE CybersecurityCommunity, IEEE Cloud Computing Community and European Alliance forInnovation (EAI).

Ashok Kumar Das (M’17) received the Ph.D.degree in computer science and engineering, theM.Tech. degree in computer science and data pro-cessing, and the M.Sc. degree in mathematics fromIIT Kharagpur, India. He is currently an AssistantProfessor with the Center for Security, Theory andAlgorithmic Research, International Institute of In-formation Technology, Hyderabad, India. His cur-rent research interests include cryptography, wirelesssensor network security, hierarchical access control,data mining, security in vehicular ad hoc networks,

smart grid and cloud computing, and remote user authentication. He hasauthored over 135 papers in international journals and conferences in theabove areas. He was a recipient of the Institute Silver Medal from IITKharagpur. He is in the editorial board of KSII Transactions on Internet andInformation Systems, and the International Journal of Internet Technology andSecured Transactions (Inderscience), and a Guest Editor for the Computers& Electrical Engineering (Elsevier) for the special issue on Big data and IoTin e-healthcare, and has served as a Program Committee Member in manyinternational conferences.

Neeraj Kumar (M’16) received the Ph.D. degree incomputer science and engineering from Shri MataVaishno Devi University, Katra (J&K), India, in2009. He was a Post-Doctoral Research Fellow atCoventry University, Coventry, U.K. He is currentlyan Associate Professor with the Department of Com-puter Science and Engineering, Thapar University,Patiala, India. He has authored more than 160 tech-nical research papers published in leading journalsand conferences from the IEEE, Elsevier, Springer,John Wiley, etc. Some of his research findings are

published in top cited journals such as the IEEE Transactions on IndustrialElectronics, IEEE Transactions on Dependable and Secure Computing, IEEETransactions on Intelligent Transportation Systems, IEEE Transactions onConsumer Electronics, IEEE Network, IEEE Communications, IEEE WirelessCommunications, IEEE Internet of Things Journal and IEEE Systems Journal.He has guided many research scholars leading to Ph.D. and M.E./M.Tech.




Mauro Conti (SM’14) is an Associate Professor atthe University of Padua, Italy. He obtained his Ph.D.from Sapienza University of Rome, Italy, in 2009.After his Ph.D., he was a Post-Doc Researcher atVrije Universiteit Amsterdam, The Netherlands. In2011 he joined as Assistant Professor the Universityof Padua, where he became Associate Professor in2015. He has been Visiting Researcher at GMU(2008), UCLA (2010), UCI (2012, 2013, and 2014),and TU Darmstadt (2013). He has been awardedwith a Marie Curie Fellowship (2012) by the Eu-

ropean Commission, and with a Fellowship by the German DAAD (2013).His main research interest is in the area of security and privacy. In thisarea, he published more than 170 papers in topmost international peer-reviewed journals and conferences. He is Associate Editor for several journals,including IEEE Communications Surveys & Tutorials and IEEE Transactionson Information Forensics and Security. He was Program Chair for TRUST2015 and ICISS 2016, and General Chair for SecureComm 2012 and ACMSACMAT 2013. He is Senior Member of the IEEE.

Athanasios V. Vasilakosis recently Professor withthe Lulea University of Technology, Sweden. Heserved or is serving as an Editor for many technicaljournals, such as the IEEE Transactions on Networkand Service management, IEEE Transactions onCloud Computing, IEEE Transactions on Informa-tion Forensics and Security, IEEE Transactions onCybernetics, IEEE Transactions on Nanobioscience,IEEE Transactions on Information Technology inBiomedicine, IEEE Transactions on Cloud Comput-ing, IEEE Communication Magazine, ACM Trans-

actions on Autonomous and Adaptive Systems, IEEE Journal on SelectedAreas in Communications, ACM Transactions on Autonomous and AdaptiveSystems, etc. He has published over 500 technical research papers in leadingjournals and conferences in his areas of research. He is also General Chairof the European Alliances for Innovation (http://www.eai.eu).

ieee journal of biomedical and health … · implantable medical devices (imds) ... security of...

Documents