research article novel authentication schemes for iot based...

Research ArticleNovel Authentication Schemes for IoT Based Healthcare Systems

Jia-Li Hou and Kuo-Hui Yeh

Department of Information Management National Dong Hwa University Hualien 97401 Taiwan

Correspondence should be addressed to Kuo-Hui Yeh khyehmailndhuedutw

Received 16 June 2015 Accepted 20 August 2015

Academic Editor Sk Md Mizanur Rahman

Copyright copy 2015 J-L Hou and K-H Yeh This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

With the advancement of information communication technologies the evolution of the Internet has given rise to a ubiquitousnetwork consisting of interconnected objects (or things) called the Internet of Things (IoT) Recently the academic communityhas made great strides in researching and developing security for IoT based applications focusing in particular on healthcaresystems based on IoT networks In this paper we propose a sensor (or sensor tags) based communication architecture for futureIoT based healthcare service systems A secure single sign-on based authentication scheme and a robust coexistence proof protocolfor IoT based healthcare systems are proposed With the formal security analysis the robustness of the two proposed schemes isguaranteed under the adversary model

1 Introduction

The rapid growth of population in cities calls for adequateprovision of services and infrastructure to meet the needs ofurban inhabitants Various information and communicationstechnologies (ICTs) such as Bluetooth WiFi 3G4G andNFCRFID go a long way to achieving this objective andcreate the possibility of smart cities where human basedservices and city monitoring are more aware interactive andefficient Following this trend the comprehensive evolutionof the traditional Internet has given rise to a ubiquitous net-work consisting of interconnected objects (or things) calledthe Internet of Things (IoT) In IoT based environmentsinformation sensing and human interaction with the physicalworld are fundamental concepts for the provision of humanvalue-added services Among these services in particularIoT oriented healthcare support systems are among the mostpromising and important directions for development and aretherefore a major focus of government and industry

Cyber attackers generally exploit security vulnerabilitiesin computer hardware software and communications proto-cols to target the IoT ecosystemswithin enterprise industrialand government systems The confidentiality integrity andavailability of these systems are thus undermined and seriousattacks (eg ones resulting in financial losses property

damage etc) may be launched on IoT based environmentsIt is known that the IoT brings with it a broad array of newsecurity challenges for the research community with respectto general system security network security and applicationsecurity We present the following observations

(i) Securing IoT-networked devices requires imple-mentation of secure cryptographic primitives onthe devices However the limited computationalresources of low-power-consuming and low-cost IoTbased devices make the design of security compo-nents for such devices difficult As it stands somedevices cannot even execute the currently existingencryption schemes Hence we must reconsider theimplementation efficiency of security primitives (orcryptocomponents) on IoT-networked devices Inother words a new lightweight cryptographic tech-nique is urgently needed to meet the critical securityand performance requirements of IoT based devices

(ii) Owing to the level of mutual connectivity betweenIoT based devices every time a user turns on anIoT-networked device which is infected by mal-ware or is simply open to unauthorized third-partyexploitation the vulnerability may spread throughthe network in a short time In light of these

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2015 Article ID 183659 9 pageshttpdxdoiorg1011552015183659

2 International Journal of Distributed Sensor Networks

conditions devices cannot be seen as stand-aloneas they once were in traditional security settingsIn addition owing to its advantages in terms ofcomputation efficiency and identification accuracyBluetooth LowEnergy (ie BLE) technology has beenwidely adopted in recent years for smartphones andintelligent wearable-devices such as the Apple Watchthe Sony SmartWatch and Samsung Gear For an IoTbased application the user may be an entry pointfor triggering specific services Hence an appropriateauthentication scheme for entity verification is indis-pensable

(iii) One of the most important goals of IoT is to enrichpeoplersquos daily lives Sensor-based objects may beinvolved with several services at the same time Inthat case to guarantee both communication securityand retrieval efficiency during interactions betweensensor-based objects a secure and intelligent accesscontrol scheme is promptly required Moreover asmost IoT based technologies are still in the researchstage the development of a real and practical IoTapplication has been the focus of industry and busi-ness The feasibility and practicability of proposedIoT based applications must be evaluated via testingscenarios

(iv) In an IoT-wide universe a mechanism capable ofproving a group of tagged objects (or sensor tags)existing at the same time and the same place can bevery useful For example a consignment of medica-tion should always be accompanied by a usage leafletto comply with pharmaceutical safety regulations Ifall tablet containers and usage leaflets are labeled withRF tags a coexistence proof mechanism on RF tagscan provide the evidence that each tablet containerwas associated with an appropriate leaflet duringmedication distributionThis tag coexistence concepthas been widely applied in recent years

Based on the above analysis in this paper wewould like topresent a new IoT based secure healthcare process consistingof a refinement of the traditional authentication scheme froma performance standpointThe security components adoptedin the proposed authentication scheme have been redesignedto meet the hardware requirements of IoT based devicesThe suitability of the proposed authentication scheme asthe main protection mechanism for the entry point of anIoT based healthcare system is evaluated In addition weintroduce a coexistence scheme for proving the correctness ofthe coexisting medical items for which the ultra low-cost IoTbased sensors such as passive RF tags are utilized Medicineerror prevention and patient safety can thus be guaranteed

2 Related Work

The next generation of context-aware mobile applicationsrequire the continuous updating of relevant informationabout a userrsquos surroundings to create low latency notificationsand guarantee a high quality of experience Forsstrom et al

[1] studied the possibilities of doing so via transmission andmonitoring of contextual information from mobile devicesand found that the impact of the contextual information wasto overload IoT networks In addition the authors presentedan evaluation model to achieve dynamic control of theinformation flow without any centralized authority Recentlythe IoT based EPC (Electronic Product Code) system hasemerged as a revolutionary new technology formodern logis-tics management The IoT can achieve the properties of real-time location returning object tracking and monitoring andintelligent recognition For this type of envisioned scenarioWang [2] investigated relevant laws and technical standardswith a view to increasing government investment and settingup business models for the promotion of future IoT basedapplications On the other hand as the capability to providepersonalized healthcare is limited by the data available frompatients which is dynamic and often incomplete knowledgemining analysis and trending are increasingly importantTherefore Jara et al [3] presented a knowledge acquisitionand management platform relying on IoT based architectureThe platform focused on the management of personal andmobile health and enabled delivery of new services by virtueof its capabilities to predict health anomalies in real-timeoffer feedback to patients and support security and privacy

In 2011 Zakriti and Guennoun [4] investigated an IoTbased model to support interconnectivity and interoper-ability among smart objects The proposed method solvedvarious challenges such as the integration of heterogene-ity among devices the development of diversified proto-cols the desired properties of self-manageability and self-organization and adaptive security and privacy for IoTnetworks Then Tozlu et al [5] demonstrated three types ofsensor-based application scenarios and examined the feasi-bility of low-powerWiFi technology to enable IP connectivitybetween battery-powered objects Next Jin et al [6] proposeda framework encompassing an urban information systemwith a view to furthering the realization of smart citiesthrough the concept of the IoT The introduced frameworkincludes cloud-based integration of respective systems andservices and forms a transformational part of the existingcyber systemsThis framework can be adapted to enhance thelevel of interconnectivity and interoperability of importantcity services In 2014 Stankovic [7] investigated eight keyresearch topics that is massive scaling architecture anddependencies creating knowledge and big data robustnessopenness security privacy and human-in-the-loop to lookat how the IoT could change the world and concluded thatthe futurewill see the IoT gradually becoming an increasinglysophisticated utility in terms of sensing actuation communi-cations control and creating knowledge from vast amountsof data

In 2013 Hou et al [8] designed a technique that enablessecure initialization of a group of wireless devices calledChorus to defend against attack by an adversary In orderto achieve the key authentication property the authors usedChorus to provide in-band group message authenticationand group authenticated key agreement In addition twosecure protocols are proposed to satisfy minimal hardwarerequirements and allow for minimal user effort hence the

International Journal of Distributed Sensor Networks 3

protocols are scalable to a large group of wireless devicesNext in light of the coupling between diverse IoT sensorsapplications and services Ukil et al [9] presented the specificcharacteristics visions and challenges relating to the IoTBased on the observations and conclusions the authorsdeveloped a privacy preservation framework as a part of anIoT platform including a data masking tool for both privacyand utility preservation After that since security and privacyare two of themost pressing challenges for the development ofIoT applications or architecture Alqassem [10] specified theessential privacy and security requirements for the IoT andfurther established an engineering framework as the proofof concept With the emerging technology brought aboutby the IoT the connectivity between objects such as homeappliances and consumer electronics can be successfullycreated and applied On the other hand as trillions of objectseach require their own unique identifications low-cost RFIDtechnology has begun to attract attention For this reasonAggarwal and Das [11] developed a lightweight RFID basedprotocol to enhance system security while retaining theprotocolrsquos efficiency Later Torjusen et al [12] proposed asolution to integrate run-time verification enablers in thefeedback adaptation loop of the ASSET [13] that is anadaptive security framework for the IoT in the eHealthenvironment and implemented the framework with coloredPetri Nets The run-time enablers produce machine basedformal models of a systemrsquos status and context availableat run-time Moreover the authors presented requirementsfor verification at run-time as formal specifications andintroduced dynamic context monitoring and adaptation

In recent years IoT technologies have created an environ-ment characterized by linkage between software systems andthe physical world and have catalyzed a movement towardsinvisible and natural interactions among objects Howeverproviding efficient and customized personal services requiresinformation about every distinct individual or entity andthis leads to the potential for privacy invasion Hence theinformation flow control and the design of low-cost tags (oralternatively small data size) become very important issuesFrom these observations Evans and Eyers [14] introducedcode templates for two small microcontrollers that makemeaningful tagging possible Later Skarmeta et al [15]proposed a capability-based access control mechanism that isbuilt on public key cryptographyThe essential ideas are basedon the design of a lightweight token used for accessing CoAP(Constrained Application Protocol) resources and a digitalsignature algorithm inside the smart object Being based onthese two newly proposed techniques the presented accesscontrol mechanism can provide better security and privacyfor IoT based networks

Different wireless communication technologies and net-work infrastructures are continuously being integrated suchas WSN RFID systems 3G technology WIMAX PANand so forth In order to solve related security problemsChen et al [16] proposed a security architecture for an IoTenvironment The proposed system architecture is adaptiveto the IoT environment and in addition a security ver-ification mechanism was introduced Later Berhanu et al[17] described a setup for adaptive security for IoT devices

in an eHealth environment and discussed the validationof the setup through the study of the impact of antennaorientation on energy consumptionThe authors then studiedthe feasibility of adopting lightweight security solutions aspart of the ASSET infrastructure [13] Next Ning et al[18] proposed an authentication scheme for IoT networksThe authors exploited U2loT architecture to design anaggregated-proof based hierarchical authentication schemefor layered networks In this authentication mechanismseveral concepts such as anonymous data transmissionmutual authentication and different access authorities wereincorporated to achieve hierarchical access control More-over Chen [19] proposed a possible solution based on an IBE(identity-based encryption) cryptosystem to efficiently andeffectively solve the privacy and security threats encounteredin the IoT The elliptic curve cryptosystem is applied forachieving security in the IoT and the authors establishedthat essential security problems could be solved without toomuch resource consumption After that Paar [20] developeda concept that took into account both the destructive andconstructive aspects embedded in the security of the IoTThepurpose was to examine the efficiency of tradeoffs betweenthe desired security and the lowest possible cost

Li and Xiong [21] developed a secure scheme for achiev-ing confidentiality integrity authentication and nonrepudi-ation in a logical single step The proposed method splitsthe signcryption into two phases with an online phase andan offline phase and allows a sensor node in an identity-based cryptosystem to send a message to an Internet hostHence this scheme successfully provides an efficient solutionfor integrating WSN into IoT Afterwards in [22] the authoranalyzed the security requirements in different layers of theIoT and arrived at two conclusions (a) the future securityissues related to the IoT will mainly involve an open securitysystem individual privacy protection and terminal securityfunctionality and (b) the security of the IoT must be seenfrom a perspective of integration which mandates the needfor a series of policies laws and regulations as well as aperfect security management system for mutual collocationIn 2013 Hummen et al [23] introduced an IoT orientedauthentication scheme which is based on the designs ofprevalidation session resumption and handshake delega-tion The proposed scheme can provide peer authenticationand secure data transmission In the following year Kantarciand Hussein [24] demonstrated a framework for ensuringpublic safety in a cloud-centric IoT environment wheresmartphones equipped with various types of sensors aredeployed To ensure trustworthiness in the framework theauthors proposed a reputation-based S2aaS scheme calledTrustworthy Sensing forCrowdManagement (TSCM)whichis able to collect sensing data based on a cloud model Inaddition the authors designed an auction procedure to selectmobile devices for particular sensing tasks and to determinethe appropriate payments to the users of the mobile devicesthat provide data Furthermore Tilanus et al [25] discussedthe motivations for opening up a given IoT so as to makethe ldquothingsrdquo it contains part of the global IoT The proposedmethod comprises the definition and control of access rightsto the discovery and use of virtual objects It has the potential


to play a central role in the verification of access rights tovirtual objects in the deployment of the IoT

3 The Proposed Schemes

With the advancement of IoT networks numerous networkservices and mobile devices have been deployed in pursuitof the betterment of human wellbeing In general usersmay register with the server once and maintain a set ofverified data (or parameters) as the login token for systemresource and service retrieval The concept is called thesingle sign-on (SSO) whereby legal users are allowed to usethe unitary token to access different services (or devices)Our proposed authentication scheme is based on the SSOtechnique whereby a mobile application allows a user toutilize a mobile device with a unitary token to access multipleservices The techniques of a one-way hash function andrandom nonce are adopted to simultaneously ensure systemefficiency and security robustness In addition we presenta coexistence mechanism to prove the correctness of thecoexisting medical items With a proof for a group of taggedobjects existing at the same time and the sameplacemedicineerror prevention and patient safety can further be enhanced

31 The Proposed Authentication Scheme In our schemethree entities that is the user 119880

119894or the authentication server

AS119895 and a trusted third-party authority TTPA exist The

server and the trusted authority TTPA do not require themaintenance of any registration table for each registeredcommunication entity First the TTPA selects two largeprimes 119901 and 119902 and computes 119873 = 119901 sdot 119902 Then the TTPAdetermines the key pair (119890 119889) such that 119890 sdot 119889 equiv 1mod120593(119873)where 120593(119873) = (119901 minus 1)(119902 minus 1) Next the TTPA chooses agenerator 119892 over the finite field119885

lowast

119899 where 119899 is a large-enough

odd prime number Finally the TTPA protects the secret 119889

and publishes (119890 119892 119899119873) Note that all the information aboutthe parameters 119901 and 119902 is erased after initialization of thesystem Now both the user and the server need to storeonly one set of public parameters that is 119890 119892 119892

119886 119899119873 ℎ(sdot)

published by the TTPA where 119886 is a secret generated by theTTPA and ℎ(sdot) is a collision-resistant one-way hash function

Registration Phase In the registration phase each user 119880119894

registers a unique and fixed bit-length identity ID119894at the

TTPA side and obtains a secret token 119878119894from the TTPA

through a secure channel The secret token 119878119894is as 119878

119894=

(ID119894 ℎ(ID

119894 119887))119889mod119873 where 119887 is also a secret generated

by the TTPA Similarly the server AS119895registers a unique

identity ID119895at the TTPA side and obtains a secret token

119878119895from the TTPA through a secure channel where 119878

119895=

(ℎ(ID119895 119887))119889mod119873 Note that ID

119895is public for each service

request

User Identification andVerification Phase (Figure 1) If the user119880119894wants to request an authentication service from AS

119895 the

user identification and verification phase is invoked

(1) 119880119894computes1198921198991 mod119873 (119892119886)1198991 mod119873 and119860 = (119878

119894

1198991) oplus ℎ(119892

1198861198991) and sends message 119898

1= ID

119895 1198921198991 119860

to AS119895 where 119899

1is a random nonce generated by 119880

119894

Upon receiving1198981 AS119895generates a random nonce 119899

2

to calculate 1198921198992 mod 119873 (119892119886)1198992 mod119873 and 119861 = (119878

119895

1198992) oplus ℎ(119892

1198861198992) and forwards 119898

2= ID

119895 1198921198991 119860 119892

1198992 119861

to the TTPA(2) After getting 119898

2 the TTPA computes (119892

1198991)119886mod119873

and (1198921198992)119886mod119873 and derived (119878

119894 1198991) and (119878

119895 1198992)

from 119860 oplus ℎ(1198921198861198991

) and 119861 oplus ℎ(1198921198861198992

) Next the TTPAverifies 119878

119894and 119878119895via the following computations

(119878119894)119890mod119873 = (ID

119894 ℎ(ID

119894 119887))119889119890mod119873

(119878119895)119890mod119873 = (ℎ(ID

119895 119887))119889119890mod119873

Compute ℎ(ID119894 119887) with retrieved value ID

119894 and com-

pare the result with retrieved value ℎ(ID119894 119887)

Compute ℎ(ID119894 119887)with received value ID

119895and retrieved

value ℎ(ID119895 119887)

If the above verification is passed the TTPA choosesa random nonce 119899

3and computes the following values

(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892

1198991)1198993

(1198921198992)1198993

1198992)

and 119863 = ℎ(ID119895

(1198921198992)1198993

1198991) Next the TTPA sends 119898

3=

11989211989911198993 119862 119892

11989921198993 119863 to AS

119895

(3) Once AS119895obtains 119898

3 AS119895computes the session key

119870119894119895

= (11989211989911198993)1198992 mod119873 and examines the validity of

value 119862 That is AS119895calculates ℎ((119892

1198991)1198993

(1198921198992)1198993

1198992) and compares it with value 119862 If these values are

not equal the protocol terminates Otherwise AS119895

calculates 119864 = ℎ(ID119895 119870119894119895) and sends 119898

4= 11989211989921198993 119863

119864 to 119880119894 After that AS

119895believes that 119880

119894is an

authorized user(4) After receiving 119898

4 119880119894derives the session key 119870

119894119895=

(11989211989921198993)1198991 mod119873 and examines the validity of values119863

and 119864 In other words 119880119894computes ℎ(ID

119895 (1198921198992)1198993

1198991) and ℎ(ID

119895 119870119894119895) and examines whether the fol-

lowing two equations hold or not

(a) Is computed ℎ(ID119895

(1198921198992)1198993

1198991) equal to

received 119863(b) Is computed ℎ(ID

119895 119870119894119895) equal to received 119864

If these two examinations hold 119880119894believes that AS

119895is an

authorized service provider with current session key 119870119894119895

32 The Proposed Coexistence Mechanism (Figure 2)Recently the concept of coexistence proof for RF tags hasbeen introduced to prove multiple tagged objects existing atthe same time in the same place Such proofs can be utilizedin the application field of inpatient safety and medicationmanagement In the proposed mechanism each RF tag 119879

119894

requires supporting lightweight operations that is a 16-bitpseudorandom number generation (PRNG) function andbitwise exclusive OR (XOR) operation and the backendcoexistence server maintains two secret keys 119883

119894and 119884

119894 an

index-pseudonym ID119878119894 and a unique identity ID

119894for each119879

119894

In addition the timestamp scheme and a random one-waypermutation function 119865 mapping within range [1 2119871] are


Ui ASj TTPA

gn1 mod N

(ga)n1 mod N

A = (Si n1) oplus h(gan1 )

m1 = IDj gn1 A

gn2 mod N

(ga)n2 mod N

B = (Sj n2) oplus h(gan2 )

m2 = IDj gn1 A gn2 B

(gn1 )a mod N

(gn2 )a mod N

(Si n1) = A oplus h(gn1a)

(Sj n2) = B oplus h(gn2a)

(Si)e mod N = (IDi h(IDi b))

de mod N

(Sj)e mod N = (h(IDj b))

de mod N

Verify h(IDi b) and h(IDj b)(gn1 )

n3 mod N

(gn2 )n3 mod N

C = h((gn1 )n3 (gn2 )

n3 n2)

D = h(IDj (gn2 )

n3 n1)m3 = gn1n3 C gn2n3 D

Kij = (gn2n3 )n2 mod N

Verify CE = h(IDj Kij)

m4 = gn2n3 D E


Verify D and E

Figure 1 The proposed authentication scheme

Tag Ta(IDSa IDaXa Ya)

Hello F(ts oplus Ks) Hello F(ts oplus Ks)

IDSa ra a

120572a F(F(ts oplus Ks) oplus IDSb)

120573a ma

Reader

IDSb rb b

120572b F(ma oplus IDSa)

120573b mb

Tag Tb

(IDSb IDb

Xb Yb)

Pab = (IDSa IDSb t ma mb)

Figure 2 The proposed coexistence mechanism

adopted in the proposed mechanism where 119871 is the securityparameter The implementation of 119865 is based on PRNG andXOR to obtain operational efficiency for low-cost RF tags[26]

Step 1 First the RF reader requests a well-protected times-tamp 119865(119905

119904oplus 119870119904) from the backend server where 119870

119904is the

serverrsquos secret key Note that a corresponding log is createdAn initial message Hello 119865(119905

119904oplus 119870119904) is then issued to 119879

119886

and 119879119887 After 119879

119886and 119879

119887get the incoming message they

both send ID119878119886 119903119886 V119886

= 119865(119865(119884119886) oplus 119865(119905

119904oplus 119870119904) oplus 119903119886) and

ID119878119887 119903119887 V119887

= 119865(119865(119884119887) oplus 119865(119905

119904oplus 119870119904) oplus 119903119887) to the reader

respectively And the reader immediately forwards these tworesponses with 119865(119905

119904oplus119870119904) to the backend server At the server

side if the verification of 119865(119905119904oplus 119870119904) holds (ie the validity

of the current process time-period is verified) the serverwill then verify V

119886and V119887 Once the examinations of V

119886and

V119887hold the server sends two derived key values that is

119870119886

= 119865(119865(119865(119884119886)) oplus 119903

119886) and 119870

119887= 119865(119865(119865(119884

119887)) oplus 119903

119887) to the

reader and updates 119884119886 ID119878119886 119884119887 ID119878119887 with 119884

1015840

119886= 119865(119884

119886oplus

119903119886) ID119878

1015840

119886= 119865(119884

1015840

119886oplus ID119878

119886) 1198841015840

119887= 119865(119884

119887oplus 119903119887) ID119878

1015840

119887= 119865(119884

1015840

119887

oplusID119878119887)


Step 2 Upon obtaining119870119886and119870

119887 the reader computes 120572

119886=

119865(119870119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887)) and sends 120572

119886 119865(119865(119905

119904oplus 119870119904) oplus

ID119878119887) to 119879

119886

Step 3 After 119879119886receives 120572

119886 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) 119879119886

computes 119870119886

= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884

119886

and examines 120572119886

= 119865(119870119886oplus119865(119865(119905

119904oplus119870119904)oplusID119878

119887)) If it holds119879

119886

will then calculate119898119886

= 119865(ID119878119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) oplus 119883119886)

and 120573119886

= 119865(119865(119870119886) oplus 119898

119886) and send 119898

119886 120573119886 to the reader

Then 119879119886updates 119884

119886 ID119878119886 to 119884

1015840

119886= 119865(119884

119886oplus 119903119886) ID119878

1015840

119886=

119865(1198841015840

119886oplus ID119878

119886)

Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573

119886=

119865(119865(119870119886) oplus 119898

119886) If the examination passes the reader sends

120572119887 119865(119898119886oplus ID119878

119886) to 119879

119887 where 120572

119887= 119865(119870

119887oplus 119865(119898

119886oplus ID119878

119886))

Step 5 After receiving 120572119887 119865(119898119886

oplus ID119878119886) 119879119887uses its key 119884

119887

to compute 119870119887

= 119865(119865(119865(119884119887)) oplus 119903

119887) and verify 120572

119887= 119865(119870

119887oplus

119865(119898119886oplusID119878119886)) If it holds119879

119887will send 120573

119887 119898119887 to the reader in

which119898119887= 119865(ID119878

119887oplus119865(119898

119886oplusID119878119886)oplus119883119887) and 120573

119887= 119865(119865(119870

119887)oplus

119898119887) Next119879

119887updates 119884

119887 ID119878119887with 119884

1015840

119887= 119865(119884

119887oplus119903119887) ID119878

1015840

119887=

119865(1198841015840

119887oplus ID119878

119887)

Step 6 Upon receiving 120573119887 119898119887 the reader performs the

verification of 120573119887

= 119865(119865(119870119887) oplus 119898

119887) If it holds the reader

confirms the coexistence of 119879119886and 119879

119887with a valid proof

119875119886119887

= (ID119878119886 ID119878119887 119905 119898119886 119898119887)

4 Security Analyses

In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism

41 Adversary Model In the communication model weassume that a user 119880

119894intends to establish a session key

119878Key(119894119895)

with an authentication server 119878119895via the help of

the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π

119894

119880is denoted as the instance 119894 of a

participant 119880

(i) Send(Π119894119880 119898) this query sends a message 119898 to an

oracle Π119894

119880and gets the corresponding result

(ii) Reveal(Π119894119880) this query returns the session key of the

oracle Π119894

119880

(iii) Corrupt(119880) this query returns the long-term secretkey of 119880

(iv) Execute(Π119894119880119860

Π119894

119880119861

) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π

119894

119880119860

and Π119894

119880119861

(v) Hash(119898) the one-way hash function can be viewed

as random functions within the appropriate range in

the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903

to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary

(vi) Test(Π119894119880) this querymodels the security of the session

key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π

119894

119880 When the adversary issues a single

Test query toΠ119894

119880 the adversary obtains either the real

session key 119878Key(119894119895)

if 119887 = 1 or a random string if119887 = 0

42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]

(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887

1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894

119880and guesses the hidden bit 119887 successfully The

probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE

119875(Eve) =

|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875

(Eve) is negligible

In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902

119904 119902119903 119902119888 119902119890 and 119902

ℎare the

number of Send Reveal Corrupt Execute andHash queriesrespectively

(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885

lowast

119873

Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible

success probability SuccCDH119866

(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892

119905119896 within polynomialtime

Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879

119864V119890 with less than 119902119904Send queries with the

communication entities and 119902ℎtimes Hash queries Then

119860119889V119860119870119864119875

(119864V119890 119902119904 119902ℎ) le 119902

ℎ119902119904

times 119878119906119888119888119862119863119867

119866(1198791015840

119864V119890) where 1198791015840

119864V119890denotes the computational time for 119878119906119888119888

119862119863119867

119866and 119902119904= sum5

119894=1119902119904 119894

is the sum of the number of 1198781198901198991198891 119878119890119899119889

2 119878119890119899119889

3 119878119890119899119889

4 and

1198781198901198991198895

Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can


construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892

119905 119892119896) and outputs an element 119911 such

that 119911 = 119892119905119896

First when Eve issues a Send1query as a start command

ATT responds with 1198981

= ID119895 1198921198991 119860 to Eve Second

when Eve issues a Send2query ATT randomly chooses two

integers 1198881and 1198882from [1 119902

119904 2] If 119888

1= 1198882 ATT responds

with ID119895 1198921198991 119860 119892

1198992 119861 to Eve Otherwise ATT replaces the

corresponding parameters of 1198982

= ID119895 1198921198991 119860 119892

1198992 119861 with

the element119892119896 fromΩ to generate a new and randommessage1198981015840

2and then respondswith themessage119898

1015840

2to EveThird once

ATT receives the Send3query from Eve ATT answers with

the message 1198983

= 11989211989911198993 119862 119892

11989921198993 119863 as the protocol If the

input of the query is from Ω ATT generates a new message1198981015840

3and then responds with 119898

1015840

3to Eve Fourth when Eve

issues the Send4query ATT answers with 119898

4= 11989211989921198993 119863 119864

to Eve Otherwise a random string 1198981015840

4will be generated and

sent to Eve Finally ATT answers a null string via a Send5

query and then sets the protocol as being successful (or setsall conditions to true)

In the alternative when Eve issues a Reveal(Π119894119880119894

) or aReveal(Π119895

119878119895

) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key

(119894119895)to Eve Otherwise if

the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880

119894) Corrupt(119878

119895)

Execute(Π119894119880119894

Π119895

119878119895

) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key

(119894119895)

The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888

1= 1198882 Hence we have

120574 = 1119902119904 2

ge 1119902119904

Assume that Eve issues a Test query to output 1198871015840 where

1198871015840

= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902

ℎ The successful probability

SuccCDH119866

(ATT) that ATT will expose 119892119896119905 from the challenge

Ω is thus SuccCDH119866

(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902

ℎ)

Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows

120576 = AdvAKE119875

(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH

119866(1198791015840

Eve) (1)

43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our

proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack

Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack

In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865

Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack

We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879

119886 119879119887 and the

reader Because the adversary Eve cannot derive the privatekeys that is 119883

119894or 119884119894for the target tag 119879

119894 from messages

transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903

119886

and 119903119887 in randomizing transmitted messages In addition

the timestamp 119905119904is involved with the construction of the

verification message 119875119886119887 These random numbers and the

timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack

5 Conclusion

In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication


management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2

References

[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012

[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011

[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012

[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011

[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012

[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014

[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014

[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013

[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012

[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014

[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012

[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014

[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing

privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012

[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014

[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011

[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013

[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015

[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012

[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013

[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013

[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012

[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013

[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014


[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013

[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015

[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000

[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993

[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



conditions devices cannot be seen as stand-aloneas they once were in traditional security settingsIn addition owing to its advantages in terms ofcomputation efficiency and identification accuracyBluetooth LowEnergy (ie BLE) technology has beenwidely adopted in recent years for smartphones andintelligent wearable-devices such as the Apple Watchthe Sony SmartWatch and Samsung Gear For an IoTbased application the user may be an entry pointfor triggering specific services Hence an appropriateauthentication scheme for entity verification is indis-pensable

(iii) One of the most important goals of IoT is to enrichpeoplersquos daily lives Sensor-based objects may beinvolved with several services at the same time Inthat case to guarantee both communication securityand retrieval efficiency during interactions betweensensor-based objects a secure and intelligent accesscontrol scheme is promptly required Moreover asmost IoT based technologies are still in the researchstage the development of a real and practical IoTapplication has been the focus of industry and busi-ness The feasibility and practicability of proposedIoT based applications must be evaluated via testingscenarios

(iv) In an IoT-wide universe a mechanism capable ofproving a group of tagged objects (or sensor tags)existing at the same time and the same place can bevery useful For example a consignment of medica-tion should always be accompanied by a usage leafletto comply with pharmaceutical safety regulations Ifall tablet containers and usage leaflets are labeled withRF tags a coexistence proof mechanism on RF tagscan provide the evidence that each tablet containerwas associated with an appropriate leaflet duringmedication distributionThis tag coexistence concepthas been widely applied in recent years

Based on the above analysis in this paper wewould like topresent a new IoT based secure healthcare process consistingof a refinement of the traditional authentication scheme froma performance standpointThe security components adoptedin the proposed authentication scheme have been redesignedto meet the hardware requirements of IoT based devicesThe suitability of the proposed authentication scheme asthe main protection mechanism for the entry point of anIoT based healthcare system is evaluated In addition weintroduce a coexistence scheme for proving the correctness ofthe coexisting medical items for which the ultra low-cost IoTbased sensors such as passive RF tags are utilized Medicineerror prevention and patient safety can thus be guaranteed

2 Related Work

The next generation of context-aware mobile applicationsrequire the continuous updating of relevant informationabout a userrsquos surroundings to create low latency notificationsand guarantee a high quality of experience Forsstrom et al

[1] studied the possibilities of doing so via transmission andmonitoring of contextual information from mobile devicesand found that the impact of the contextual information wasto overload IoT networks In addition the authors presentedan evaluation model to achieve dynamic control of theinformation flow without any centralized authority Recentlythe IoT based EPC (Electronic Product Code) system hasemerged as a revolutionary new technology formodern logis-tics management The IoT can achieve the properties of real-time location returning object tracking and monitoring andintelligent recognition For this type of envisioned scenarioWang [2] investigated relevant laws and technical standardswith a view to increasing government investment and settingup business models for the promotion of future IoT basedapplications On the other hand as the capability to providepersonalized healthcare is limited by the data available frompatients which is dynamic and often incomplete knowledgemining analysis and trending are increasingly importantTherefore Jara et al [3] presented a knowledge acquisitionand management platform relying on IoT based architectureThe platform focused on the management of personal andmobile health and enabled delivery of new services by virtueof its capabilities to predict health anomalies in real-timeoffer feedback to patients and support security and privacy

In 2011 Zakriti and Guennoun [4] investigated an IoTbased model to support interconnectivity and interoper-ability among smart objects The proposed method solvedvarious challenges such as the integration of heterogene-ity among devices the development of diversified proto-cols the desired properties of self-manageability and self-organization and adaptive security and privacy for IoTnetworks Then Tozlu et al [5] demonstrated three types ofsensor-based application scenarios and examined the feasi-bility of low-powerWiFi technology to enable IP connectivitybetween battery-powered objects Next Jin et al [6] proposeda framework encompassing an urban information systemwith a view to furthering the realization of smart citiesthrough the concept of the IoT The introduced frameworkincludes cloud-based integration of respective systems andservices and forms a transformational part of the existingcyber systemsThis framework can be adapted to enhance thelevel of interconnectivity and interoperability of importantcity services In 2014 Stankovic [7] investigated eight keyresearch topics that is massive scaling architecture anddependencies creating knowledge and big data robustnessopenness security privacy and human-in-the-loop to lookat how the IoT could change the world and concluded thatthe futurewill see the IoT gradually becoming an increasinglysophisticated utility in terms of sensing actuation communi-cations control and creating knowledge from vast amountsof data

In 2013 Hou et al [8] designed a technique that enablessecure initialization of a group of wireless devices calledChorus to defend against attack by an adversary In orderto achieve the key authentication property the authors usedChorus to provide in-band group message authenticationand group authenticated key agreement In addition twosecure protocols are proposed to satisfy minimal hardwarerequirements and allow for minimal user effort hence the















lowast




119886 119899119873 ℎ(sdot)






119894=

(ID119894 ℎ(ID





119895=



request


119895 the



119894

1198991) oplus ℎ(119892


1= ID

119895 1198921198991 119860

to AS119895 where 119899


119894


2


119895

1198992) oplus ℎ(119892

1198861198992) and forwards 119898

2= ID

119895 1198921198991 119860 119892

1198992 119861



1198991)119886mod119873


119894 1198991) and (119878

119895 1198992)

from 119860 oplus ℎ(1198921198861198991

) and 119861 oplus ℎ(1198921198861198992



(119878119894)119890mod119873 = (ID

119894 ℎ(ID

119894 119887))119889119890mod119873

(119878119895)119890mod119873 = (ℎ(ID

119895 119887))119889119890mod119873


119894 and com-



119895and retrieved

value ℎ(ID119895 119887)



(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892

1198991)1198993

(1198921198992)1198993

1198992)

and 119863 = ℎ(ID119895

(1198921198992)1198993


3=

11989211989911198993 119862 119892

11989921198993 119863 to AS

119895



119870119894119895



1198991)1198993

(1198921198992)1198993




4= 11989211989921198993 119863

119864 to 119880119894 After that AS


119894is an



119894119895=



119895 (1198921198992)1198993

1198991) and ℎ(ID




(1198921198992)1198993

1198991) equal to




119895is an



119894


119894and 119884

119894 an


119894for each119879

119894



Ui ASj TTPA

gn1 mod N

(ga)n1 mod N


m1 = IDj gn1 A

gn2 mod N

(ga)n2 mod N



(gn1 )a mod N

(gn2 )a mod N




de mod N


de mod N


n3 mod N

(gn2 )n3 mod N

C = h((gn1 )n3 (gn2 )

n3 n2)

D = h(IDj (gn2 )




m4 = gn2n3 D E


Verify D and E




IDSa ra a


120573a ma

Reader

IDSb rb b


120573b mb

Tag Tb

(IDSb IDb

Xb Yb)






119904is the



119886

and 119879119887 After 119879

119886and 119879


both send ID119878119886 119903119886 V119886

= 119865(119865(119884119886) oplus 119865(119905

119904oplus 119870119904) oplus 119903119886) and

ID119878119887 119903119887 V119887

= 119865(119865(119884119887) oplus 119865(119905







119886and


119870119886

= 119865(119865(119865(119884119886)) oplus 119903

119886) and 119870

119887= 119865(119865(119865(119884

119887)) oplus 119903

119887) to the


1015840

119886= 119865(119884

119886oplus

119903119886) ID119878

1015840

119886= 119865(119884

1015840

119886oplus ID119878

119886) 1198841015840

119887= 119865(119884

119887oplus 119903119887) ID119878

1015840

119887= 119865(119884

1015840

119887

oplusID119878119887)




119886=

119865(119870119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887)) and sends 120572

119886 119865(119865(119905

119904oplus 119870119904) oplus

ID119878119887) to 119879

119886


119886 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) 119879119886

computes 119870119886


119886


= 119865(119870119886oplus119865(119865(119905

119904oplus119870119904)oplusID119878

119887)) If it holds119879

119886


= 119865(ID119878119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) oplus 119883119886)

and 120573119886

= 119865(119865(119870119886) oplus 119898

119886) and send 119898

119886 120573119886 to the reader

Then 119879119886updates 119884

119886 ID119878119886 to 119884

1015840

119886= 119865(119884

119886oplus 119903119886) ID119878

1015840

119886=

119865(1198841015840

119886oplus ID119878

119886)


119886=

119865(119865(119870119886) oplus 119898


120572119887 119865(119898119886oplus ID119878

119886) to 119879

119887 where 120572

119887= 119865(119870

119887oplus 119865(119898

119886oplus ID119878

119886))



119887

to compute 119870119887

= 119865(119865(119865(119884119887)) oplus 119903

119887) and verify 120572

119887= 119865(119870

119887oplus


119887will send 120573

119887 119898119887 to the reader in

which119898119887= 119865(ID119878

119887oplus119865(119898


119887= 119865(119865(119870

119887)oplus

119898119887) Next119879

119887updates 119884

119887 ID119878119887with 119884

1015840

119887= 119865(119884

119887oplus119903119887) ID119878

1015840

119887=

119865(1198841015840

119887oplus ID119878

119887)



= 119865(119865(119870119887) oplus 119898




119875119886119887

= (ID119878119886 ID119878119887 119905 119898119886 119898119887)

4 Security Analyses




119878Key(119894119895)



119894


participant 119880


oracle Π119894



oracle Π119894

119880


(iv) Execute(Π119894119880119860

Π119894

119880119861


119894

119880119860

and Π119894

119880119861







119894




session key 119878Key(119894119895)







119875(Eve) =


(Eve) is negligible


119904 119902119903 119902119888 119902119890 and 119902

ℎare the



lowast

119873








119860119889V119860119870119864119875

(119864V119890 119902119904 119902ℎ) le 119902

ℎ119902119904

times 119878119906119888119888119862119863119867

119866(1198791015840

119864V119890) where 1198791015840


119862119863119867

119866and 119902119904= sum5

119894=1119902119904 119894


2 119878119890119899119889

3 119878119890119899119889

4 and

1198781198901198991198895





that 119911 = 119892119905119896



= ID119895 1198921198991 119860 to Eve Second



119904 2] If 119888


with ID119895 1198921198991 119860 119892



= ID119895 1198921198991 119860 119892

1198992 119861 with



1015840

2to EveThird once


the message 1198983

= 11989211989911198993 119862 119892




1015840



4= 11989211989921198993 119863 119864







119878119895




119894) Corrupt(119878

119895)

Execute(Π119894119880119894

Π119895

119878119895


(119894119895)



120574 = 1119902119904 2

ge 1119902119904


1198871015840



SuccCDH119866




ℎ)


120576 = AdvAKE119875


119866(1198791015840

Eve) (1)







119886 119879119887 and the





119886





5 Conclusion






Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation























lowast




119886 119899119873 ℎ(sdot)






119894=

(ID119894 ℎ(ID





119895=



request


119895 the



119894

1198991) oplus ℎ(119892


1= ID

119895 1198921198991 119860

to AS119895 where 119899


119894


2


119895

1198992) oplus ℎ(119892

1198861198992) and forwards 119898

2= ID

119895 1198921198991 119860 119892

1198992 119861



1198991)119886mod119873


119894 1198991) and (119878

119895 1198992)

from 119860 oplus ℎ(1198921198861198991

) and 119861 oplus ℎ(1198921198861198992



(119878119894)119890mod119873 = (ID

119894 ℎ(ID

119894 119887))119889119890mod119873

(119878119895)119890mod119873 = (ℎ(ID

119895 119887))119889119890mod119873


119894 and com-



119895and retrieved

value ℎ(ID119895 119887)



(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892

1198991)1198993

(1198921198992)1198993

1198992)

and 119863 = ℎ(ID119895

(1198921198992)1198993


3=

11989211989911198993 119862 119892

11989921198993 119863 to AS

119895



119870119894119895



1198991)1198993

(1198921198992)1198993




4= 11989211989921198993 119863

119864 to 119880119894 After that AS


119894is an



119894119895=



119895 (1198921198992)1198993

1198991) and ℎ(ID




(1198921198992)1198993

1198991) equal to




119895is an



119894


119894and 119884

119894 an


119894for each119879

119894



Ui ASj TTPA

gn1 mod N

(ga)n1 mod N


m1 = IDj gn1 A

gn2 mod N

(ga)n2 mod N



(gn1 )a mod N

(gn2 )a mod N




de mod N


de mod N


n3 mod N

(gn2 )n3 mod N

C = h((gn1 )n3 (gn2 )

n3 n2)

D = h(IDj (gn2 )




m4 = gn2n3 D E


Verify D and E




IDSa ra a


120573a ma

Reader

IDSb rb b


120573b mb

Tag Tb

(IDSb IDb

Xb Yb)






119904is the



119886

and 119879119887 After 119879

119886and 119879


both send ID119878119886 119903119886 V119886

= 119865(119865(119884119886) oplus 119865(119905

119904oplus 119870119904) oplus 119903119886) and

ID119878119887 119903119887 V119887

= 119865(119865(119884119887) oplus 119865(119905







119886and


119870119886

= 119865(119865(119865(119884119886)) oplus 119903

119886) and 119870

119887= 119865(119865(119865(119884

119887)) oplus 119903

119887) to the


1015840

119886= 119865(119884

119886oplus

119903119886) ID119878

1015840

119886= 119865(119884

1015840

119886oplus ID119878

119886) 1198841015840

119887= 119865(119884

119887oplus 119903119887) ID119878

1015840

119887= 119865(119884

1015840

119887

oplusID119878119887)




119886=

119865(119870119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887)) and sends 120572

119886 119865(119865(119905

119904oplus 119870119904) oplus

ID119878119887) to 119879

119886


119886 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) 119879119886

computes 119870119886


119886


= 119865(119870119886oplus119865(119865(119905

119904oplus119870119904)oplusID119878

119887)) If it holds119879

119886


= 119865(ID119878119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) oplus 119883119886)

and 120573119886

= 119865(119865(119870119886) oplus 119898

119886) and send 119898

119886 120573119886 to the reader

Then 119879119886updates 119884

119886 ID119878119886 to 119884

1015840

119886= 119865(119884

119886oplus 119903119886) ID119878

1015840

119886=

119865(1198841015840

119886oplus ID119878

119886)


119886=

119865(119865(119870119886) oplus 119898


120572119887 119865(119898119886oplus ID119878

119886) to 119879

119887 where 120572

119887= 119865(119870

119887oplus 119865(119898

119886oplus ID119878

119886))



119887

to compute 119870119887

= 119865(119865(119865(119884119887)) oplus 119903

119887) and verify 120572

119887= 119865(119870

119887oplus


119887will send 120573

119887 119898119887 to the reader in

which119898119887= 119865(ID119878

119887oplus119865(119898


119887= 119865(119865(119870

119887)oplus

119898119887) Next119879

119887updates 119884

119887 ID119878119887with 119884

1015840

119887= 119865(119884

119887oplus119903119887) ID119878

1015840

119887=

119865(1198841015840

119887oplus ID119878

119887)



= 119865(119865(119870119887) oplus 119898




119875119886119887

= (ID119878119886 ID119878119887 119905 119898119886 119898119887)

4 Security Analyses




119878Key(119894119895)



119894


participant 119880


oracle Π119894



oracle Π119894

119880


(iv) Execute(Π119894119880119860

Π119894

119880119861


119894

119880119860

and Π119894

119880119861







119894




session key 119878Key(119894119895)







119875(Eve) =


(Eve) is negligible


119904 119902119903 119902119888 119902119890 and 119902

ℎare the



lowast

119873








119860119889V119860119870119864119875

(119864V119890 119902119904 119902ℎ) le 119902

ℎ119902119904

times 119878119906119888119888119862119863119867

119866(1198791015840

119864V119890) where 1198791015840


119862119863119867

119866and 119902119904= sum5

119894=1119902119904 119894


2 119878119890119899119889

3 119878119890119899119889

4 and

1198781198901198991198895





that 119911 = 119892119905119896



= ID119895 1198921198991 119860 to Eve Second



119904 2] If 119888


with ID119895 1198921198991 119860 119892



= ID119895 1198921198991 119860 119892

1198992 119861 with



1015840

2to EveThird once


the message 1198983

= 11989211989911198993 119862 119892




1015840



4= 11989211989921198993 119863 119864







119878119895




119894) Corrupt(119878

119895)

Execute(Π119894119880119894

Π119895

119878119895


(119894119895)



120574 = 1119902119904 2

ge 1119902119904


1198871015840



SuccCDH119866




ℎ)


120576 = AdvAKE119875


119866(1198791015840

Eve) (1)







119886 119879119887 and the





119886





5 Conclusion






Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










Ui ASj TTPA

gn1 mod N

(ga)n1 mod N


m1 = IDj gn1 A

gn2 mod N

(ga)n2 mod N



(gn1 )a mod N

(gn2 )a mod N




de mod N


de mod N


n3 mod N

(gn2 )n3 mod N

C = h((gn1 )n3 (gn2 )

n3 n2)

D = h(IDj (gn2 )




m4 = gn2n3 D E


Verify D and E




IDSa ra a


120573a ma

Reader

IDSb rb b


120573b mb

Tag Tb

(IDSb IDb

Xb Yb)






119904is the



119886

and 119879119887 After 119879

119886and 119879


both send ID119878119886 119903119886 V119886

= 119865(119865(119884119886) oplus 119865(119905

119904oplus 119870119904) oplus 119903119886) and

ID119878119887 119903119887 V119887

= 119865(119865(119884119887) oplus 119865(119905







119886and


119870119886

= 119865(119865(119865(119884119886)) oplus 119903

119886) and 119870

119887= 119865(119865(119865(119884

119887)) oplus 119903

119887) to the


1015840

119886= 119865(119884

119886oplus

119903119886) ID119878

1015840

119886= 119865(119884

1015840

119886oplus ID119878

119886) 1198841015840

119887= 119865(119884

119887oplus 119903119887) ID119878

1015840

119887= 119865(119884

1015840

119887

oplusID119878119887)




119886=

119865(119870119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887)) and sends 120572

119886 119865(119865(119905

119904oplus 119870119904) oplus

ID119878119887) to 119879

119886


119886 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) 119879119886

computes 119870119886


119886


= 119865(119870119886oplus119865(119865(119905

119904oplus119870119904)oplusID119878

119887)) If it holds119879

119886


= 119865(ID119878119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) oplus 119883119886)

and 120573119886

= 119865(119865(119870119886) oplus 119898

119886) and send 119898

119886 120573119886 to the reader

Then 119879119886updates 119884

119886 ID119878119886 to 119884

1015840

119886= 119865(119884

119886oplus 119903119886) ID119878

1015840

119886=

119865(1198841015840

119886oplus ID119878

119886)


119886=

119865(119865(119870119886) oplus 119898


120572119887 119865(119898119886oplus ID119878

119886) to 119879

119887 where 120572

119887= 119865(119870

119887oplus 119865(119898

119886oplus ID119878

119886))



119887

to compute 119870119887

= 119865(119865(119865(119884119887)) oplus 119903

119887) and verify 120572

119887= 119865(119870

119887oplus


119887will send 120573

119887 119898119887 to the reader in

which119898119887= 119865(ID119878

119887oplus119865(119898


119887= 119865(119865(119870

119887)oplus

119898119887) Next119879

119887updates 119884

119887 ID119878119887with 119884

1015840

119887= 119865(119884

119887oplus119903119887) ID119878

1015840

119887=

119865(1198841015840

119887oplus ID119878

119887)



= 119865(119865(119870119887) oplus 119898




119875119886119887

= (ID119878119886 ID119878119887 119905 119898119886 119898119887)

4 Security Analyses




119878Key(119894119895)



119894


participant 119880


oracle Π119894



oracle Π119894

119880


(iv) Execute(Π119894119880119860

Π119894

119880119861


119894

119880119860

and Π119894

119880119861







119894




session key 119878Key(119894119895)







119875(Eve) =


(Eve) is negligible


119904 119902119903 119902119888 119902119890 and 119902

ℎare the



lowast

119873








119860119889V119860119870119864119875

(119864V119890 119902119904 119902ℎ) le 119902

ℎ119902119904

times 119878119906119888119888119862119863119867

119866(1198791015840

119864V119890) where 1198791015840


119862119863119867

119866and 119902119904= sum5

119894=1119902119904 119894


2 119878119890119899119889

3 119878119890119899119889

4 and

1198781198901198991198895





that 119911 = 119892119905119896



= ID119895 1198921198991 119860 to Eve Second



119904 2] If 119888


with ID119895 1198921198991 119860 119892



= ID119895 1198921198991 119860 119892

1198992 119861 with



1015840

2to EveThird once


the message 1198983

= 11989211989911198993 119862 119892




1015840



4= 11989211989921198993 119863 119864







119878119895




119894) Corrupt(119878

119895)

Execute(Π119894119880119894

Π119895

119878119895


(119894119895)



120574 = 1119902119904 2

ge 1119902119904


1198871015840



SuccCDH119866




ℎ)


120576 = AdvAKE119875


119866(1198791015840

Eve) (1)







119886 119879119887 and the





119886





5 Conclusion






Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












119886=

119865(119870119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887)) and sends 120572

119886 119865(119865(119905

119904oplus 119870119904) oplus

ID119878119887) to 119879

119886


119886 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) 119879119886

computes 119870119886


119886


= 119865(119870119886oplus119865(119865(119905

119904oplus119870119904)oplusID119878

119887)) If it holds119879

119886


= 119865(ID119878119886oplus 119865(119865(119905

119904oplus 119870119904) oplus ID119878

119887) oplus 119883119886)

and 120573119886

= 119865(119865(119870119886) oplus 119898

119886) and send 119898

119886 120573119886 to the reader

Then 119879119886updates 119884

119886 ID119878119886 to 119884

1015840

119886= 119865(119884

119886oplus 119903119886) ID119878

1015840

119886=

119865(1198841015840

119886oplus ID119878

119886)


119886=

119865(119865(119870119886) oplus 119898


120572119887 119865(119898119886oplus ID119878

119886) to 119879

119887 where 120572

119887= 119865(119870

119887oplus 119865(119898

119886oplus ID119878

119886))



119887

to compute 119870119887

= 119865(119865(119865(119884119887)) oplus 119903

119887) and verify 120572

119887= 119865(119870

119887oplus


119887will send 120573

119887 119898119887 to the reader in

which119898119887= 119865(ID119878

119887oplus119865(119898


119887= 119865(119865(119870

119887)oplus

119898119887) Next119879

119887updates 119884

119887 ID119878119887with 119884

1015840

119887= 119865(119884

119887oplus119903119887) ID119878

1015840

119887=

119865(1198841015840

119887oplus ID119878

119887)



= 119865(119865(119870119887) oplus 119898




119875119886119887

= (ID119878119886 ID119878119887 119905 119898119886 119898119887)

4 Security Analyses




119878Key(119894119895)



119894


participant 119880


oracle Π119894



oracle Π119894

119880


(iv) Execute(Π119894119880119860

Π119894

119880119861


119894

119880119860

and Π119894

119880119861







119894




session key 119878Key(119894119895)







119875(Eve) =


(Eve) is negligible


119904 119902119903 119902119888 119902119890 and 119902

ℎare the



lowast

119873








119860119889V119860119870119864119875

(119864V119890 119902119904 119902ℎ) le 119902

ℎ119902119904

times 119878119906119888119888119862119863119867

119866(1198791015840

119864V119890) where 1198791015840


119862119863119867

119866and 119902119904= sum5

119894=1119902119904 119894


2 119878119890119899119889

3 119878119890119899119889

4 and

1198781198901198991198895





that 119911 = 119892119905119896



= ID119895 1198921198991 119860 to Eve Second



119904 2] If 119888


with ID119895 1198921198991 119860 119892



= ID119895 1198921198991 119860 119892

1198992 119861 with



1015840

2to EveThird once


the message 1198983

= 11989211989911198993 119862 119892




1015840



4= 11989211989921198993 119863 119864







119878119895




119894) Corrupt(119878

119895)

Execute(Π119894119880119894

Π119895

119878119895


(119894119895)



120574 = 1119902119904 2

ge 1119902119904


1198871015840



SuccCDH119866




ℎ)


120576 = AdvAKE119875


119866(1198791015840

Eve) (1)







119886 119879119887 and the





119886





5 Conclusion






Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












that 119911 = 119892119905119896



= ID119895 1198921198991 119860 to Eve Second



119904 2] If 119888


with ID119895 1198921198991 119860 119892



= ID119895 1198921198991 119860 119892

1198992 119861 with



1015840

2to EveThird once


the message 1198983

= 11989211989911198993 119862 119892




1015840



4= 11989211989921198993 119863 119864







119878119895




119894) Corrupt(119878

119895)

Execute(Π119894119880119894

Π119895

119878119895


(119894119895)



120574 = 1119902119904 2

ge 1119902119904


1198871015840



SuccCDH119866




ℎ)


120576 = AdvAKE119875


119866(1198791015840

Eve) (1)







119886 119879119887 and the





119886





5 Conclusion






Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

















RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









research article novel authentication schemes for iot based...

Documents