research article novel authentication schemes for iot based...
TRANSCRIPT
Research ArticleNovel Authentication Schemes for IoT Based Healthcare Systems
Jia-Li Hou and Kuo-Hui Yeh
Department of Information Management National Dong Hwa University Hualien 97401 Taiwan
Correspondence should be addressed to Kuo-Hui Yeh khyehmailndhuedutw
Received 16 June 2015 Accepted 20 August 2015
Academic Editor Sk Md Mizanur Rahman
Copyright copy 2015 J-L Hou and K-H Yeh This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited
With the advancement of information communication technologies the evolution of the Internet has given rise to a ubiquitousnetwork consisting of interconnected objects (or things) called the Internet of Things (IoT) Recently the academic communityhas made great strides in researching and developing security for IoT based applications focusing in particular on healthcaresystems based on IoT networks In this paper we propose a sensor (or sensor tags) based communication architecture for futureIoT based healthcare service systems A secure single sign-on based authentication scheme and a robust coexistence proof protocolfor IoT based healthcare systems are proposed With the formal security analysis the robustness of the two proposed schemes isguaranteed under the adversary model
1 Introduction
The rapid growth of population in cities calls for adequateprovision of services and infrastructure to meet the needs ofurban inhabitants Various information and communicationstechnologies (ICTs) such as Bluetooth WiFi 3G4G andNFCRFID go a long way to achieving this objective andcreate the possibility of smart cities where human basedservices and city monitoring are more aware interactive andefficient Following this trend the comprehensive evolutionof the traditional Internet has given rise to a ubiquitous net-work consisting of interconnected objects (or things) calledthe Internet of Things (IoT) In IoT based environmentsinformation sensing and human interaction with the physicalworld are fundamental concepts for the provision of humanvalue-added services Among these services in particularIoT oriented healthcare support systems are among the mostpromising and important directions for development and aretherefore a major focus of government and industry
Cyber attackers generally exploit security vulnerabilitiesin computer hardware software and communications proto-cols to target the IoT ecosystemswithin enterprise industrialand government systems The confidentiality integrity andavailability of these systems are thus undermined and seriousattacks (eg ones resulting in financial losses property
damage etc) may be launched on IoT based environmentsIt is known that the IoT brings with it a broad array of newsecurity challenges for the research community with respectto general system security network security and applicationsecurity We present the following observations
(i) Securing IoT-networked devices requires imple-mentation of secure cryptographic primitives onthe devices However the limited computationalresources of low-power-consuming and low-cost IoTbased devices make the design of security compo-nents for such devices difficult As it stands somedevices cannot even execute the currently existingencryption schemes Hence we must reconsider theimplementation efficiency of security primitives (orcryptocomponents) on IoT-networked devices Inother words a new lightweight cryptographic tech-nique is urgently needed to meet the critical securityand performance requirements of IoT based devices
(ii) Owing to the level of mutual connectivity betweenIoT based devices every time a user turns on anIoT-networked device which is infected by mal-ware or is simply open to unauthorized third-partyexploitation the vulnerability may spread throughthe network in a short time In light of these
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2015 Article ID 183659 9 pageshttpdxdoiorg1011552015183659
2 International Journal of Distributed Sensor Networks
conditions devices cannot be seen as stand-aloneas they once were in traditional security settingsIn addition owing to its advantages in terms ofcomputation efficiency and identification accuracyBluetooth LowEnergy (ie BLE) technology has beenwidely adopted in recent years for smartphones andintelligent wearable-devices such as the Apple Watchthe Sony SmartWatch and Samsung Gear For an IoTbased application the user may be an entry pointfor triggering specific services Hence an appropriateauthentication scheme for entity verification is indis-pensable
(iii) One of the most important goals of IoT is to enrichpeoplersquos daily lives Sensor-based objects may beinvolved with several services at the same time Inthat case to guarantee both communication securityand retrieval efficiency during interactions betweensensor-based objects a secure and intelligent accesscontrol scheme is promptly required Moreover asmost IoT based technologies are still in the researchstage the development of a real and practical IoTapplication has been the focus of industry and busi-ness The feasibility and practicability of proposedIoT based applications must be evaluated via testingscenarios
(iv) In an IoT-wide universe a mechanism capable ofproving a group of tagged objects (or sensor tags)existing at the same time and the same place can bevery useful For example a consignment of medica-tion should always be accompanied by a usage leafletto comply with pharmaceutical safety regulations Ifall tablet containers and usage leaflets are labeled withRF tags a coexistence proof mechanism on RF tagscan provide the evidence that each tablet containerwas associated with an appropriate leaflet duringmedication distributionThis tag coexistence concepthas been widely applied in recent years
Based on the above analysis in this paper wewould like topresent a new IoT based secure healthcare process consistingof a refinement of the traditional authentication scheme froma performance standpointThe security components adoptedin the proposed authentication scheme have been redesignedto meet the hardware requirements of IoT based devicesThe suitability of the proposed authentication scheme asthe main protection mechanism for the entry point of anIoT based healthcare system is evaluated In addition weintroduce a coexistence scheme for proving the correctness ofthe coexisting medical items for which the ultra low-cost IoTbased sensors such as passive RF tags are utilized Medicineerror prevention and patient safety can thus be guaranteed
2 Related Work
The next generation of context-aware mobile applicationsrequire the continuous updating of relevant informationabout a userrsquos surroundings to create low latency notificationsand guarantee a high quality of experience Forsstrom et al
[1] studied the possibilities of doing so via transmission andmonitoring of contextual information from mobile devicesand found that the impact of the contextual information wasto overload IoT networks In addition the authors presentedan evaluation model to achieve dynamic control of theinformation flow without any centralized authority Recentlythe IoT based EPC (Electronic Product Code) system hasemerged as a revolutionary new technology formodern logis-tics management The IoT can achieve the properties of real-time location returning object tracking and monitoring andintelligent recognition For this type of envisioned scenarioWang [2] investigated relevant laws and technical standardswith a view to increasing government investment and settingup business models for the promotion of future IoT basedapplications On the other hand as the capability to providepersonalized healthcare is limited by the data available frompatients which is dynamic and often incomplete knowledgemining analysis and trending are increasingly importantTherefore Jara et al [3] presented a knowledge acquisitionand management platform relying on IoT based architectureThe platform focused on the management of personal andmobile health and enabled delivery of new services by virtueof its capabilities to predict health anomalies in real-timeoffer feedback to patients and support security and privacy
In 2011 Zakriti and Guennoun [4] investigated an IoTbased model to support interconnectivity and interoper-ability among smart objects The proposed method solvedvarious challenges such as the integration of heterogene-ity among devices the development of diversified proto-cols the desired properties of self-manageability and self-organization and adaptive security and privacy for IoTnetworks Then Tozlu et al [5] demonstrated three types ofsensor-based application scenarios and examined the feasi-bility of low-powerWiFi technology to enable IP connectivitybetween battery-powered objects Next Jin et al [6] proposeda framework encompassing an urban information systemwith a view to furthering the realization of smart citiesthrough the concept of the IoT The introduced frameworkincludes cloud-based integration of respective systems andservices and forms a transformational part of the existingcyber systemsThis framework can be adapted to enhance thelevel of interconnectivity and interoperability of importantcity services In 2014 Stankovic [7] investigated eight keyresearch topics that is massive scaling architecture anddependencies creating knowledge and big data robustnessopenness security privacy and human-in-the-loop to lookat how the IoT could change the world and concluded thatthe futurewill see the IoT gradually becoming an increasinglysophisticated utility in terms of sensing actuation communi-cations control and creating knowledge from vast amountsof data
In 2013 Hou et al [8] designed a technique that enablessecure initialization of a group of wireless devices calledChorus to defend against attack by an adversary In orderto achieve the key authentication property the authors usedChorus to provide in-band group message authenticationand group authenticated key agreement In addition twosecure protocols are proposed to satisfy minimal hardwarerequirements and allow for minimal user effort hence the
International Journal of Distributed Sensor Networks 3
protocols are scalable to a large group of wireless devicesNext in light of the coupling between diverse IoT sensorsapplications and services Ukil et al [9] presented the specificcharacteristics visions and challenges relating to the IoTBased on the observations and conclusions the authorsdeveloped a privacy preservation framework as a part of anIoT platform including a data masking tool for both privacyand utility preservation After that since security and privacyare two of themost pressing challenges for the development ofIoT applications or architecture Alqassem [10] specified theessential privacy and security requirements for the IoT andfurther established an engineering framework as the proofof concept With the emerging technology brought aboutby the IoT the connectivity between objects such as homeappliances and consumer electronics can be successfullycreated and applied On the other hand as trillions of objectseach require their own unique identifications low-cost RFIDtechnology has begun to attract attention For this reasonAggarwal and Das [11] developed a lightweight RFID basedprotocol to enhance system security while retaining theprotocolrsquos efficiency Later Torjusen et al [12] proposed asolution to integrate run-time verification enablers in thefeedback adaptation loop of the ASSET [13] that is anadaptive security framework for the IoT in the eHealthenvironment and implemented the framework with coloredPetri Nets The run-time enablers produce machine basedformal models of a systemrsquos status and context availableat run-time Moreover the authors presented requirementsfor verification at run-time as formal specifications andintroduced dynamic context monitoring and adaptation
In recent years IoT technologies have created an environ-ment characterized by linkage between software systems andthe physical world and have catalyzed a movement towardsinvisible and natural interactions among objects Howeverproviding efficient and customized personal services requiresinformation about every distinct individual or entity andthis leads to the potential for privacy invasion Hence theinformation flow control and the design of low-cost tags (oralternatively small data size) become very important issuesFrom these observations Evans and Eyers [14] introducedcode templates for two small microcontrollers that makemeaningful tagging possible Later Skarmeta et al [15]proposed a capability-based access control mechanism that isbuilt on public key cryptographyThe essential ideas are basedon the design of a lightweight token used for accessing CoAP(Constrained Application Protocol) resources and a digitalsignature algorithm inside the smart object Being based onthese two newly proposed techniques the presented accesscontrol mechanism can provide better security and privacyfor IoT based networks
Different wireless communication technologies and net-work infrastructures are continuously being integrated suchas WSN RFID systems 3G technology WIMAX PANand so forth In order to solve related security problemsChen et al [16] proposed a security architecture for an IoTenvironment The proposed system architecture is adaptiveto the IoT environment and in addition a security ver-ification mechanism was introduced Later Berhanu et al[17] described a setup for adaptive security for IoT devices
in an eHealth environment and discussed the validationof the setup through the study of the impact of antennaorientation on energy consumptionThe authors then studiedthe feasibility of adopting lightweight security solutions aspart of the ASSET infrastructure [13] Next Ning et al[18] proposed an authentication scheme for IoT networksThe authors exploited U2loT architecture to design anaggregated-proof based hierarchical authentication schemefor layered networks In this authentication mechanismseveral concepts such as anonymous data transmissionmutual authentication and different access authorities wereincorporated to achieve hierarchical access control More-over Chen [19] proposed a possible solution based on an IBE(identity-based encryption) cryptosystem to efficiently andeffectively solve the privacy and security threats encounteredin the IoT The elliptic curve cryptosystem is applied forachieving security in the IoT and the authors establishedthat essential security problems could be solved without toomuch resource consumption After that Paar [20] developeda concept that took into account both the destructive andconstructive aspects embedded in the security of the IoTThepurpose was to examine the efficiency of tradeoffs betweenthe desired security and the lowest possible cost
Li and Xiong [21] developed a secure scheme for achiev-ing confidentiality integrity authentication and nonrepudi-ation in a logical single step The proposed method splitsthe signcryption into two phases with an online phase andan offline phase and allows a sensor node in an identity-based cryptosystem to send a message to an Internet hostHence this scheme successfully provides an efficient solutionfor integrating WSN into IoT Afterwards in [22] the authoranalyzed the security requirements in different layers of theIoT and arrived at two conclusions (a) the future securityissues related to the IoT will mainly involve an open securitysystem individual privacy protection and terminal securityfunctionality and (b) the security of the IoT must be seenfrom a perspective of integration which mandates the needfor a series of policies laws and regulations as well as aperfect security management system for mutual collocationIn 2013 Hummen et al [23] introduced an IoT orientedauthentication scheme which is based on the designs ofprevalidation session resumption and handshake delega-tion The proposed scheme can provide peer authenticationand secure data transmission In the following year Kantarciand Hussein [24] demonstrated a framework for ensuringpublic safety in a cloud-centric IoT environment wheresmartphones equipped with various types of sensors aredeployed To ensure trustworthiness in the framework theauthors proposed a reputation-based S2aaS scheme calledTrustworthy Sensing forCrowdManagement (TSCM)whichis able to collect sensing data based on a cloud model Inaddition the authors designed an auction procedure to selectmobile devices for particular sensing tasks and to determinethe appropriate payments to the users of the mobile devicesthat provide data Furthermore Tilanus et al [25] discussedthe motivations for opening up a given IoT so as to makethe ldquothingsrdquo it contains part of the global IoT The proposedmethod comprises the definition and control of access rightsto the discovery and use of virtual objects It has the potential
4 International Journal of Distributed Sensor Networks
to play a central role in the verification of access rights tovirtual objects in the deployment of the IoT
3 The Proposed Schemes
With the advancement of IoT networks numerous networkservices and mobile devices have been deployed in pursuitof the betterment of human wellbeing In general usersmay register with the server once and maintain a set ofverified data (or parameters) as the login token for systemresource and service retrieval The concept is called thesingle sign-on (SSO) whereby legal users are allowed to usethe unitary token to access different services (or devices)Our proposed authentication scheme is based on the SSOtechnique whereby a mobile application allows a user toutilize a mobile device with a unitary token to access multipleservices The techniques of a one-way hash function andrandom nonce are adopted to simultaneously ensure systemefficiency and security robustness In addition we presenta coexistence mechanism to prove the correctness of thecoexisting medical items With a proof for a group of taggedobjects existing at the same time and the sameplacemedicineerror prevention and patient safety can further be enhanced
31 The Proposed Authentication Scheme In our schemethree entities that is the user 119880
119894or the authentication server
AS119895 and a trusted third-party authority TTPA exist The
server and the trusted authority TTPA do not require themaintenance of any registration table for each registeredcommunication entity First the TTPA selects two largeprimes 119901 and 119902 and computes 119873 = 119901 sdot 119902 Then the TTPAdetermines the key pair (119890 119889) such that 119890 sdot 119889 equiv 1mod120593(119873)where 120593(119873) = (119901 minus 1)(119902 minus 1) Next the TTPA chooses agenerator 119892 over the finite field119885
lowast
119899 where 119899 is a large-enough
odd prime number Finally the TTPA protects the secret 119889
and publishes (119890 119892 119899119873) Note that all the information aboutthe parameters 119901 and 119902 is erased after initialization of thesystem Now both the user and the server need to storeonly one set of public parameters that is 119890 119892 119892
119886 119899119873 ℎ(sdot)
published by the TTPA where 119886 is a secret generated by theTTPA and ℎ(sdot) is a collision-resistant one-way hash function
Registration Phase In the registration phase each user 119880119894
registers a unique and fixed bit-length identity ID119894at the
TTPA side and obtains a secret token 119878119894from the TTPA
through a secure channel The secret token 119878119894is as 119878
119894=
(ID119894 ℎ(ID
119894 119887))119889mod119873 where 119887 is also a secret generated
by the TTPA Similarly the server AS119895registers a unique
identity ID119895at the TTPA side and obtains a secret token
119878119895from the TTPA through a secure channel where 119878
119895=
(ℎ(ID119895 119887))119889mod119873 Note that ID
119895is public for each service
request
User Identification andVerification Phase (Figure 1) If the user119880119894wants to request an authentication service from AS
119895 the
user identification and verification phase is invoked
(1) 119880119894computes1198921198991 mod119873 (119892119886)1198991 mod119873 and119860 = (119878
119894
1198991) oplus ℎ(119892
1198861198991) and sends message 119898
1= ID
119895 1198921198991 119860
to AS119895 where 119899
1is a random nonce generated by 119880
119894
Upon receiving1198981 AS119895generates a random nonce 119899
2
to calculate 1198921198992 mod 119873 (119892119886)1198992 mod119873 and 119861 = (119878
119895
1198992) oplus ℎ(119892
1198861198992) and forwards 119898
2= ID
119895 1198921198991 119860 119892
1198992 119861
to the TTPA(2) After getting 119898
2 the TTPA computes (119892
1198991)119886mod119873
and (1198921198992)119886mod119873 and derived (119878
119894 1198991) and (119878
119895 1198992)
from 119860 oplus ℎ(1198921198861198991
) and 119861 oplus ℎ(1198921198861198992
) Next the TTPAverifies 119878
119894and 119878119895via the following computations
(119878119894)119890mod119873 = (ID
119894 ℎ(ID
119894 119887))119889119890mod119873
(119878119895)119890mod119873 = (ℎ(ID
119895 119887))119889119890mod119873
Compute ℎ(ID119894 119887) with retrieved value ID
119894 and com-
pare the result with retrieved value ℎ(ID119894 119887)
Compute ℎ(ID119894 119887)with received value ID
119895and retrieved
value ℎ(ID119895 119887)
If the above verification is passed the TTPA choosesa random nonce 119899
3and computes the following values
(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992)
and 119863 = ℎ(ID119895
(1198921198992)1198993
1198991) Next the TTPA sends 119898
3=
11989211989911198993 119862 119892
11989921198993 119863 to AS
119895
(3) Once AS119895obtains 119898
3 AS119895computes the session key
119870119894119895
= (11989211989911198993)1198992 mod119873 and examines the validity of
value 119862 That is AS119895calculates ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992) and compares it with value 119862 If these values are
not equal the protocol terminates Otherwise AS119895
calculates 119864 = ℎ(ID119895 119870119894119895) and sends 119898
4= 11989211989921198993 119863
119864 to 119880119894 After that AS
119895believes that 119880
119894is an
authorized user(4) After receiving 119898
4 119880119894derives the session key 119870
119894119895=
(11989211989921198993)1198991 mod119873 and examines the validity of values119863
and 119864 In other words 119880119894computes ℎ(ID
119895 (1198921198992)1198993
1198991) and ℎ(ID
119895 119870119894119895) and examines whether the fol-
lowing two equations hold or not
(a) Is computed ℎ(ID119895
(1198921198992)1198993
1198991) equal to
received 119863(b) Is computed ℎ(ID
119895 119870119894119895) equal to received 119864
If these two examinations hold 119880119894believes that AS
119895is an
authorized service provider with current session key 119870119894119895
32 The Proposed Coexistence Mechanism (Figure 2)Recently the concept of coexistence proof for RF tags hasbeen introduced to prove multiple tagged objects existing atthe same time in the same place Such proofs can be utilizedin the application field of inpatient safety and medicationmanagement In the proposed mechanism each RF tag 119879
119894
requires supporting lightweight operations that is a 16-bitpseudorandom number generation (PRNG) function andbitwise exclusive OR (XOR) operation and the backendcoexistence server maintains two secret keys 119883
119894and 119884
119894 an
index-pseudonym ID119878119894 and a unique identity ID
119894for each119879
119894
In addition the timestamp scheme and a random one-waypermutation function 119865 mapping within range [1 2119871] are
International Journal of Distributed Sensor Networks 5
Ui ASj TTPA
gn1 mod N
(ga)n1 mod N
A = (Si n1) oplus h(gan1 )
m1 = IDj gn1 A
gn2 mod N
(ga)n2 mod N
B = (Sj n2) oplus h(gan2 )
m2 = IDj gn1 A gn2 B
(gn1 )a mod N
(gn2 )a mod N
(Si n1) = A oplus h(gn1a)
(Sj n2) = B oplus h(gn2a)
(Si)e mod N = (IDi h(IDi b))
de mod N
(Sj)e mod N = (h(IDj b))
de mod N
Verify h(IDi b) and h(IDj b)(gn1 )
n3 mod N
(gn2 )n3 mod N
C = h((gn1 )n3 (gn2 )
n3 n2)
D = h(IDj (gn2 )
n3 n1)m3 = gn1n3 C gn2n3 D
Kij = (gn2n3 )n2 mod N
Verify CE = h(IDj Kij)
m4 = gn2n3 D E
Kij = (gn2n3 )n1 mod N
Verify D and E
Figure 1 The proposed authentication scheme
Tag Ta(IDSa IDaXa Ya)
Hello F(ts oplus Ks) Hello F(ts oplus Ks)
IDSa ra a
120572a F(F(ts oplus Ks) oplus IDSb)
120573a ma
Reader
IDSb rb b
120572b F(ma oplus IDSa)
120573b mb
Tag Tb
(IDSb IDb
Xb Yb)
Pab = (IDSa IDSb t ma mb)
Figure 2 The proposed coexistence mechanism
adopted in the proposed mechanism where 119871 is the securityparameter The implementation of 119865 is based on PRNG andXOR to obtain operational efficiency for low-cost RF tags[26]
Step 1 First the RF reader requests a well-protected times-tamp 119865(119905
119904oplus 119870119904) from the backend server where 119870
119904is the
serverrsquos secret key Note that a corresponding log is createdAn initial message Hello 119865(119905
119904oplus 119870119904) is then issued to 119879
119886
and 119879119887 After 119879
119886and 119879
119887get the incoming message they
both send ID119878119886 119903119886 V119886
= 119865(119865(119884119886) oplus 119865(119905
119904oplus 119870119904) oplus 119903119886) and
ID119878119887 119903119887 V119887
= 119865(119865(119884119887) oplus 119865(119905
119904oplus 119870119904) oplus 119903119887) to the reader
respectively And the reader immediately forwards these tworesponses with 119865(119905
119904oplus119870119904) to the backend server At the server
side if the verification of 119865(119905119904oplus 119870119904) holds (ie the validity
of the current process time-period is verified) the serverwill then verify V
119886and V119887 Once the examinations of V
119886and
V119887hold the server sends two derived key values that is
119870119886
= 119865(119865(119865(119884119886)) oplus 119903
119886) and 119870
119887= 119865(119865(119865(119884
119887)) oplus 119903
119887) to the
reader and updates 119884119886 ID119878119886 119884119887 ID119878119887 with 119884
1015840
119886= 119865(119884
119886oplus
119903119886) ID119878
1015840
119886= 119865(119884
1015840
119886oplus ID119878
119886) 1198841015840
119887= 119865(119884
119887oplus 119903119887) ID119878
1015840
119887= 119865(119884
1015840
119887
oplusID119878119887)
6 International Journal of Distributed Sensor Networks
Step 2 Upon obtaining119870119886and119870
119887 the reader computes 120572
119886=
119865(119870119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887)) and sends 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus
ID119878119887) to 119879
119886
Step 3 After 119879119886receives 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) 119879119886
computes 119870119886
= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884
119886
and examines 120572119886
= 119865(119870119886oplus119865(119865(119905
119904oplus119870119904)oplusID119878
119887)) If it holds119879
119886
will then calculate119898119886
= 119865(ID119878119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) oplus 119883119886)
and 120573119886
= 119865(119865(119870119886) oplus 119898
119886) and send 119898
119886 120573119886 to the reader
Then 119879119886updates 119884
119886 ID119878119886 to 119884
1015840
119886= 119865(119884
119886oplus 119903119886) ID119878
1015840
119886=
119865(1198841015840
119886oplus ID119878
119886)
Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573
119886=
119865(119865(119870119886) oplus 119898
119886) If the examination passes the reader sends
120572119887 119865(119898119886oplus ID119878
119886) to 119879
119887 where 120572
119887= 119865(119870
119887oplus 119865(119898
119886oplus ID119878
119886))
Step 5 After receiving 120572119887 119865(119898119886
oplus ID119878119886) 119879119887uses its key 119884
119887
to compute 119870119887
= 119865(119865(119865(119884119887)) oplus 119903
119887) and verify 120572
119887= 119865(119870
119887oplus
119865(119898119886oplusID119878119886)) If it holds119879
119887will send 120573
119887 119898119887 to the reader in
which119898119887= 119865(ID119878
119887oplus119865(119898
119886oplusID119878119886)oplus119883119887) and 120573
119887= 119865(119865(119870
119887)oplus
119898119887) Next119879
119887updates 119884
119887 ID119878119887with 119884
1015840
119887= 119865(119884
119887oplus119903119887) ID119878
1015840
119887=
119865(1198841015840
119887oplus ID119878
119887)
Step 6 Upon receiving 120573119887 119898119887 the reader performs the
verification of 120573119887
= 119865(119865(119870119887) oplus 119898
119887) If it holds the reader
confirms the coexistence of 119879119886and 119879
119887with a valid proof
119875119886119887
= (ID119878119886 ID119878119887 119905 119898119886 119898119887)
4 Security Analyses
In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism
41 Adversary Model In the communication model weassume that a user 119880
119894intends to establish a session key
119878Key(119894119895)
with an authentication server 119878119895via the help of
the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π
119894
119880is denoted as the instance 119894 of a
participant 119880
(i) Send(Π119894119880 119898) this query sends a message 119898 to an
oracle Π119894
119880and gets the corresponding result
(ii) Reveal(Π119894119880) this query returns the session key of the
oracle Π119894
119880
(iii) Corrupt(119880) this query returns the long-term secretkey of 119880
(iv) Execute(Π119894119880119860
Π119894
119880119861
) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π
119894
119880119860
and Π119894
119880119861
(v) Hash(119898) the one-way hash function can be viewed
as random functions within the appropriate range in
the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903
to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary
(vi) Test(Π119894119880) this querymodels the security of the session
key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π
119894
119880 When the adversary issues a single
Test query toΠ119894
119880 the adversary obtains either the real
session key 119878Key(119894119895)
if 119887 = 1 or a random string if119887 = 0
42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]
(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887
1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894
119880and guesses the hidden bit 119887 successfully The
probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE
119875(Eve) =
|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875
(Eve) is negligible
In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902
119904 119902119903 119902119888 119902119890 and 119902
ℎare the
number of Send Reveal Corrupt Execute andHash queriesrespectively
(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885
lowast
119873
Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible
success probability SuccCDH119866
(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892
119905119896 within polynomialtime
Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879
119864V119890 with less than 119902119904Send queries with the
communication entities and 119902ℎtimes Hash queries Then
119860119889V119860119870119864119875
(119864V119890 119902119904 119902ℎ) le 119902
ℎ119902119904
times 119878119906119888119888119862119863119867
119866(1198791015840
119864V119890) where 1198791015840
119864V119890denotes the computational time for 119878119906119888119888
119862119863119867
119866and 119902119904= sum5
119894=1119902119904 119894
is the sum of the number of 1198781198901198991198891 119878119890119899119889
2 119878119890119899119889
3 119878119890119899119889
4 and
1198781198901198991198895
Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
conditions devices cannot be seen as stand-aloneas they once were in traditional security settingsIn addition owing to its advantages in terms ofcomputation efficiency and identification accuracyBluetooth LowEnergy (ie BLE) technology has beenwidely adopted in recent years for smartphones andintelligent wearable-devices such as the Apple Watchthe Sony SmartWatch and Samsung Gear For an IoTbased application the user may be an entry pointfor triggering specific services Hence an appropriateauthentication scheme for entity verification is indis-pensable
(iii) One of the most important goals of IoT is to enrichpeoplersquos daily lives Sensor-based objects may beinvolved with several services at the same time Inthat case to guarantee both communication securityand retrieval efficiency during interactions betweensensor-based objects a secure and intelligent accesscontrol scheme is promptly required Moreover asmost IoT based technologies are still in the researchstage the development of a real and practical IoTapplication has been the focus of industry and busi-ness The feasibility and practicability of proposedIoT based applications must be evaluated via testingscenarios
(iv) In an IoT-wide universe a mechanism capable ofproving a group of tagged objects (or sensor tags)existing at the same time and the same place can bevery useful For example a consignment of medica-tion should always be accompanied by a usage leafletto comply with pharmaceutical safety regulations Ifall tablet containers and usage leaflets are labeled withRF tags a coexistence proof mechanism on RF tagscan provide the evidence that each tablet containerwas associated with an appropriate leaflet duringmedication distributionThis tag coexistence concepthas been widely applied in recent years
Based on the above analysis in this paper wewould like topresent a new IoT based secure healthcare process consistingof a refinement of the traditional authentication scheme froma performance standpointThe security components adoptedin the proposed authentication scheme have been redesignedto meet the hardware requirements of IoT based devicesThe suitability of the proposed authentication scheme asthe main protection mechanism for the entry point of anIoT based healthcare system is evaluated In addition weintroduce a coexistence scheme for proving the correctness ofthe coexisting medical items for which the ultra low-cost IoTbased sensors such as passive RF tags are utilized Medicineerror prevention and patient safety can thus be guaranteed
2 Related Work
The next generation of context-aware mobile applicationsrequire the continuous updating of relevant informationabout a userrsquos surroundings to create low latency notificationsand guarantee a high quality of experience Forsstrom et al
[1] studied the possibilities of doing so via transmission andmonitoring of contextual information from mobile devicesand found that the impact of the contextual information wasto overload IoT networks In addition the authors presentedan evaluation model to achieve dynamic control of theinformation flow without any centralized authority Recentlythe IoT based EPC (Electronic Product Code) system hasemerged as a revolutionary new technology formodern logis-tics management The IoT can achieve the properties of real-time location returning object tracking and monitoring andintelligent recognition For this type of envisioned scenarioWang [2] investigated relevant laws and technical standardswith a view to increasing government investment and settingup business models for the promotion of future IoT basedapplications On the other hand as the capability to providepersonalized healthcare is limited by the data available frompatients which is dynamic and often incomplete knowledgemining analysis and trending are increasingly importantTherefore Jara et al [3] presented a knowledge acquisitionand management platform relying on IoT based architectureThe platform focused on the management of personal andmobile health and enabled delivery of new services by virtueof its capabilities to predict health anomalies in real-timeoffer feedback to patients and support security and privacy
In 2011 Zakriti and Guennoun [4] investigated an IoTbased model to support interconnectivity and interoper-ability among smart objects The proposed method solvedvarious challenges such as the integration of heterogene-ity among devices the development of diversified proto-cols the desired properties of self-manageability and self-organization and adaptive security and privacy for IoTnetworks Then Tozlu et al [5] demonstrated three types ofsensor-based application scenarios and examined the feasi-bility of low-powerWiFi technology to enable IP connectivitybetween battery-powered objects Next Jin et al [6] proposeda framework encompassing an urban information systemwith a view to furthering the realization of smart citiesthrough the concept of the IoT The introduced frameworkincludes cloud-based integration of respective systems andservices and forms a transformational part of the existingcyber systemsThis framework can be adapted to enhance thelevel of interconnectivity and interoperability of importantcity services In 2014 Stankovic [7] investigated eight keyresearch topics that is massive scaling architecture anddependencies creating knowledge and big data robustnessopenness security privacy and human-in-the-loop to lookat how the IoT could change the world and concluded thatthe futurewill see the IoT gradually becoming an increasinglysophisticated utility in terms of sensing actuation communi-cations control and creating knowledge from vast amountsof data
In 2013 Hou et al [8] designed a technique that enablessecure initialization of a group of wireless devices calledChorus to defend against attack by an adversary In orderto achieve the key authentication property the authors usedChorus to provide in-band group message authenticationand group authenticated key agreement In addition twosecure protocols are proposed to satisfy minimal hardwarerequirements and allow for minimal user effort hence the
International Journal of Distributed Sensor Networks 3
protocols are scalable to a large group of wireless devicesNext in light of the coupling between diverse IoT sensorsapplications and services Ukil et al [9] presented the specificcharacteristics visions and challenges relating to the IoTBased on the observations and conclusions the authorsdeveloped a privacy preservation framework as a part of anIoT platform including a data masking tool for both privacyand utility preservation After that since security and privacyare two of themost pressing challenges for the development ofIoT applications or architecture Alqassem [10] specified theessential privacy and security requirements for the IoT andfurther established an engineering framework as the proofof concept With the emerging technology brought aboutby the IoT the connectivity between objects such as homeappliances and consumer electronics can be successfullycreated and applied On the other hand as trillions of objectseach require their own unique identifications low-cost RFIDtechnology has begun to attract attention For this reasonAggarwal and Das [11] developed a lightweight RFID basedprotocol to enhance system security while retaining theprotocolrsquos efficiency Later Torjusen et al [12] proposed asolution to integrate run-time verification enablers in thefeedback adaptation loop of the ASSET [13] that is anadaptive security framework for the IoT in the eHealthenvironment and implemented the framework with coloredPetri Nets The run-time enablers produce machine basedformal models of a systemrsquos status and context availableat run-time Moreover the authors presented requirementsfor verification at run-time as formal specifications andintroduced dynamic context monitoring and adaptation
In recent years IoT technologies have created an environ-ment characterized by linkage between software systems andthe physical world and have catalyzed a movement towardsinvisible and natural interactions among objects Howeverproviding efficient and customized personal services requiresinformation about every distinct individual or entity andthis leads to the potential for privacy invasion Hence theinformation flow control and the design of low-cost tags (oralternatively small data size) become very important issuesFrom these observations Evans and Eyers [14] introducedcode templates for two small microcontrollers that makemeaningful tagging possible Later Skarmeta et al [15]proposed a capability-based access control mechanism that isbuilt on public key cryptographyThe essential ideas are basedon the design of a lightweight token used for accessing CoAP(Constrained Application Protocol) resources and a digitalsignature algorithm inside the smart object Being based onthese two newly proposed techniques the presented accesscontrol mechanism can provide better security and privacyfor IoT based networks
Different wireless communication technologies and net-work infrastructures are continuously being integrated suchas WSN RFID systems 3G technology WIMAX PANand so forth In order to solve related security problemsChen et al [16] proposed a security architecture for an IoTenvironment The proposed system architecture is adaptiveto the IoT environment and in addition a security ver-ification mechanism was introduced Later Berhanu et al[17] described a setup for adaptive security for IoT devices
in an eHealth environment and discussed the validationof the setup through the study of the impact of antennaorientation on energy consumptionThe authors then studiedthe feasibility of adopting lightweight security solutions aspart of the ASSET infrastructure [13] Next Ning et al[18] proposed an authentication scheme for IoT networksThe authors exploited U2loT architecture to design anaggregated-proof based hierarchical authentication schemefor layered networks In this authentication mechanismseveral concepts such as anonymous data transmissionmutual authentication and different access authorities wereincorporated to achieve hierarchical access control More-over Chen [19] proposed a possible solution based on an IBE(identity-based encryption) cryptosystem to efficiently andeffectively solve the privacy and security threats encounteredin the IoT The elliptic curve cryptosystem is applied forachieving security in the IoT and the authors establishedthat essential security problems could be solved without toomuch resource consumption After that Paar [20] developeda concept that took into account both the destructive andconstructive aspects embedded in the security of the IoTThepurpose was to examine the efficiency of tradeoffs betweenthe desired security and the lowest possible cost
Li and Xiong [21] developed a secure scheme for achiev-ing confidentiality integrity authentication and nonrepudi-ation in a logical single step The proposed method splitsthe signcryption into two phases with an online phase andan offline phase and allows a sensor node in an identity-based cryptosystem to send a message to an Internet hostHence this scheme successfully provides an efficient solutionfor integrating WSN into IoT Afterwards in [22] the authoranalyzed the security requirements in different layers of theIoT and arrived at two conclusions (a) the future securityissues related to the IoT will mainly involve an open securitysystem individual privacy protection and terminal securityfunctionality and (b) the security of the IoT must be seenfrom a perspective of integration which mandates the needfor a series of policies laws and regulations as well as aperfect security management system for mutual collocationIn 2013 Hummen et al [23] introduced an IoT orientedauthentication scheme which is based on the designs ofprevalidation session resumption and handshake delega-tion The proposed scheme can provide peer authenticationand secure data transmission In the following year Kantarciand Hussein [24] demonstrated a framework for ensuringpublic safety in a cloud-centric IoT environment wheresmartphones equipped with various types of sensors aredeployed To ensure trustworthiness in the framework theauthors proposed a reputation-based S2aaS scheme calledTrustworthy Sensing forCrowdManagement (TSCM)whichis able to collect sensing data based on a cloud model Inaddition the authors designed an auction procedure to selectmobile devices for particular sensing tasks and to determinethe appropriate payments to the users of the mobile devicesthat provide data Furthermore Tilanus et al [25] discussedthe motivations for opening up a given IoT so as to makethe ldquothingsrdquo it contains part of the global IoT The proposedmethod comprises the definition and control of access rightsto the discovery and use of virtual objects It has the potential
4 International Journal of Distributed Sensor Networks
to play a central role in the verification of access rights tovirtual objects in the deployment of the IoT
3 The Proposed Schemes
With the advancement of IoT networks numerous networkservices and mobile devices have been deployed in pursuitof the betterment of human wellbeing In general usersmay register with the server once and maintain a set ofverified data (or parameters) as the login token for systemresource and service retrieval The concept is called thesingle sign-on (SSO) whereby legal users are allowed to usethe unitary token to access different services (or devices)Our proposed authentication scheme is based on the SSOtechnique whereby a mobile application allows a user toutilize a mobile device with a unitary token to access multipleservices The techniques of a one-way hash function andrandom nonce are adopted to simultaneously ensure systemefficiency and security robustness In addition we presenta coexistence mechanism to prove the correctness of thecoexisting medical items With a proof for a group of taggedobjects existing at the same time and the sameplacemedicineerror prevention and patient safety can further be enhanced
31 The Proposed Authentication Scheme In our schemethree entities that is the user 119880
119894or the authentication server
AS119895 and a trusted third-party authority TTPA exist The
server and the trusted authority TTPA do not require themaintenance of any registration table for each registeredcommunication entity First the TTPA selects two largeprimes 119901 and 119902 and computes 119873 = 119901 sdot 119902 Then the TTPAdetermines the key pair (119890 119889) such that 119890 sdot 119889 equiv 1mod120593(119873)where 120593(119873) = (119901 minus 1)(119902 minus 1) Next the TTPA chooses agenerator 119892 over the finite field119885
lowast
119899 where 119899 is a large-enough
odd prime number Finally the TTPA protects the secret 119889
and publishes (119890 119892 119899119873) Note that all the information aboutthe parameters 119901 and 119902 is erased after initialization of thesystem Now both the user and the server need to storeonly one set of public parameters that is 119890 119892 119892
119886 119899119873 ℎ(sdot)
published by the TTPA where 119886 is a secret generated by theTTPA and ℎ(sdot) is a collision-resistant one-way hash function
Registration Phase In the registration phase each user 119880119894
registers a unique and fixed bit-length identity ID119894at the
TTPA side and obtains a secret token 119878119894from the TTPA
through a secure channel The secret token 119878119894is as 119878
119894=
(ID119894 ℎ(ID
119894 119887))119889mod119873 where 119887 is also a secret generated
by the TTPA Similarly the server AS119895registers a unique
identity ID119895at the TTPA side and obtains a secret token
119878119895from the TTPA through a secure channel where 119878
119895=
(ℎ(ID119895 119887))119889mod119873 Note that ID
119895is public for each service
request
User Identification andVerification Phase (Figure 1) If the user119880119894wants to request an authentication service from AS
119895 the
user identification and verification phase is invoked
(1) 119880119894computes1198921198991 mod119873 (119892119886)1198991 mod119873 and119860 = (119878
119894
1198991) oplus ℎ(119892
1198861198991) and sends message 119898
1= ID
119895 1198921198991 119860
to AS119895 where 119899
1is a random nonce generated by 119880
119894
Upon receiving1198981 AS119895generates a random nonce 119899
2
to calculate 1198921198992 mod 119873 (119892119886)1198992 mod119873 and 119861 = (119878
119895
1198992) oplus ℎ(119892
1198861198992) and forwards 119898
2= ID
119895 1198921198991 119860 119892
1198992 119861
to the TTPA(2) After getting 119898
2 the TTPA computes (119892
1198991)119886mod119873
and (1198921198992)119886mod119873 and derived (119878
119894 1198991) and (119878
119895 1198992)
from 119860 oplus ℎ(1198921198861198991
) and 119861 oplus ℎ(1198921198861198992
) Next the TTPAverifies 119878
119894and 119878119895via the following computations
(119878119894)119890mod119873 = (ID
119894 ℎ(ID
119894 119887))119889119890mod119873
(119878119895)119890mod119873 = (ℎ(ID
119895 119887))119889119890mod119873
Compute ℎ(ID119894 119887) with retrieved value ID
119894 and com-
pare the result with retrieved value ℎ(ID119894 119887)
Compute ℎ(ID119894 119887)with received value ID
119895and retrieved
value ℎ(ID119895 119887)
If the above verification is passed the TTPA choosesa random nonce 119899
3and computes the following values
(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992)
and 119863 = ℎ(ID119895
(1198921198992)1198993
1198991) Next the TTPA sends 119898
3=
11989211989911198993 119862 119892
11989921198993 119863 to AS
119895
(3) Once AS119895obtains 119898
3 AS119895computes the session key
119870119894119895
= (11989211989911198993)1198992 mod119873 and examines the validity of
value 119862 That is AS119895calculates ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992) and compares it with value 119862 If these values are
not equal the protocol terminates Otherwise AS119895
calculates 119864 = ℎ(ID119895 119870119894119895) and sends 119898
4= 11989211989921198993 119863
119864 to 119880119894 After that AS
119895believes that 119880
119894is an
authorized user(4) After receiving 119898
4 119880119894derives the session key 119870
119894119895=
(11989211989921198993)1198991 mod119873 and examines the validity of values119863
and 119864 In other words 119880119894computes ℎ(ID
119895 (1198921198992)1198993
1198991) and ℎ(ID
119895 119870119894119895) and examines whether the fol-
lowing two equations hold or not
(a) Is computed ℎ(ID119895
(1198921198992)1198993
1198991) equal to
received 119863(b) Is computed ℎ(ID
119895 119870119894119895) equal to received 119864
If these two examinations hold 119880119894believes that AS
119895is an
authorized service provider with current session key 119870119894119895
32 The Proposed Coexistence Mechanism (Figure 2)Recently the concept of coexistence proof for RF tags hasbeen introduced to prove multiple tagged objects existing atthe same time in the same place Such proofs can be utilizedin the application field of inpatient safety and medicationmanagement In the proposed mechanism each RF tag 119879
119894
requires supporting lightweight operations that is a 16-bitpseudorandom number generation (PRNG) function andbitwise exclusive OR (XOR) operation and the backendcoexistence server maintains two secret keys 119883
119894and 119884
119894 an
index-pseudonym ID119878119894 and a unique identity ID
119894for each119879
119894
In addition the timestamp scheme and a random one-waypermutation function 119865 mapping within range [1 2119871] are
International Journal of Distributed Sensor Networks 5
Ui ASj TTPA
gn1 mod N
(ga)n1 mod N
A = (Si n1) oplus h(gan1 )
m1 = IDj gn1 A
gn2 mod N
(ga)n2 mod N
B = (Sj n2) oplus h(gan2 )
m2 = IDj gn1 A gn2 B
(gn1 )a mod N
(gn2 )a mod N
(Si n1) = A oplus h(gn1a)
(Sj n2) = B oplus h(gn2a)
(Si)e mod N = (IDi h(IDi b))
de mod N
(Sj)e mod N = (h(IDj b))
de mod N
Verify h(IDi b) and h(IDj b)(gn1 )
n3 mod N
(gn2 )n3 mod N
C = h((gn1 )n3 (gn2 )
n3 n2)
D = h(IDj (gn2 )
n3 n1)m3 = gn1n3 C gn2n3 D
Kij = (gn2n3 )n2 mod N
Verify CE = h(IDj Kij)
m4 = gn2n3 D E
Kij = (gn2n3 )n1 mod N
Verify D and E
Figure 1 The proposed authentication scheme
Tag Ta(IDSa IDaXa Ya)
Hello F(ts oplus Ks) Hello F(ts oplus Ks)
IDSa ra a
120572a F(F(ts oplus Ks) oplus IDSb)
120573a ma
Reader
IDSb rb b
120572b F(ma oplus IDSa)
120573b mb
Tag Tb
(IDSb IDb
Xb Yb)
Pab = (IDSa IDSb t ma mb)
Figure 2 The proposed coexistence mechanism
adopted in the proposed mechanism where 119871 is the securityparameter The implementation of 119865 is based on PRNG andXOR to obtain operational efficiency for low-cost RF tags[26]
Step 1 First the RF reader requests a well-protected times-tamp 119865(119905
119904oplus 119870119904) from the backend server where 119870
119904is the
serverrsquos secret key Note that a corresponding log is createdAn initial message Hello 119865(119905
119904oplus 119870119904) is then issued to 119879
119886
and 119879119887 After 119879
119886and 119879
119887get the incoming message they
both send ID119878119886 119903119886 V119886
= 119865(119865(119884119886) oplus 119865(119905
119904oplus 119870119904) oplus 119903119886) and
ID119878119887 119903119887 V119887
= 119865(119865(119884119887) oplus 119865(119905
119904oplus 119870119904) oplus 119903119887) to the reader
respectively And the reader immediately forwards these tworesponses with 119865(119905
119904oplus119870119904) to the backend server At the server
side if the verification of 119865(119905119904oplus 119870119904) holds (ie the validity
of the current process time-period is verified) the serverwill then verify V
119886and V119887 Once the examinations of V
119886and
V119887hold the server sends two derived key values that is
119870119886
= 119865(119865(119865(119884119886)) oplus 119903
119886) and 119870
119887= 119865(119865(119865(119884
119887)) oplus 119903
119887) to the
reader and updates 119884119886 ID119878119886 119884119887 ID119878119887 with 119884
1015840
119886= 119865(119884
119886oplus
119903119886) ID119878
1015840
119886= 119865(119884
1015840
119886oplus ID119878
119886) 1198841015840
119887= 119865(119884
119887oplus 119903119887) ID119878
1015840
119887= 119865(119884
1015840
119887
oplusID119878119887)
6 International Journal of Distributed Sensor Networks
Step 2 Upon obtaining119870119886and119870
119887 the reader computes 120572
119886=
119865(119870119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887)) and sends 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus
ID119878119887) to 119879
119886
Step 3 After 119879119886receives 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) 119879119886
computes 119870119886
= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884
119886
and examines 120572119886
= 119865(119870119886oplus119865(119865(119905
119904oplus119870119904)oplusID119878
119887)) If it holds119879
119886
will then calculate119898119886
= 119865(ID119878119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) oplus 119883119886)
and 120573119886
= 119865(119865(119870119886) oplus 119898
119886) and send 119898
119886 120573119886 to the reader
Then 119879119886updates 119884
119886 ID119878119886 to 119884
1015840
119886= 119865(119884
119886oplus 119903119886) ID119878
1015840
119886=
119865(1198841015840
119886oplus ID119878
119886)
Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573
119886=
119865(119865(119870119886) oplus 119898
119886) If the examination passes the reader sends
120572119887 119865(119898119886oplus ID119878
119886) to 119879
119887 where 120572
119887= 119865(119870
119887oplus 119865(119898
119886oplus ID119878
119886))
Step 5 After receiving 120572119887 119865(119898119886
oplus ID119878119886) 119879119887uses its key 119884
119887
to compute 119870119887
= 119865(119865(119865(119884119887)) oplus 119903
119887) and verify 120572
119887= 119865(119870
119887oplus
119865(119898119886oplusID119878119886)) If it holds119879
119887will send 120573
119887 119898119887 to the reader in
which119898119887= 119865(ID119878
119887oplus119865(119898
119886oplusID119878119886)oplus119883119887) and 120573
119887= 119865(119865(119870
119887)oplus
119898119887) Next119879
119887updates 119884
119887 ID119878119887with 119884
1015840
119887= 119865(119884
119887oplus119903119887) ID119878
1015840
119887=
119865(1198841015840
119887oplus ID119878
119887)
Step 6 Upon receiving 120573119887 119898119887 the reader performs the
verification of 120573119887
= 119865(119865(119870119887) oplus 119898
119887) If it holds the reader
confirms the coexistence of 119879119886and 119879
119887with a valid proof
119875119886119887
= (ID119878119886 ID119878119887 119905 119898119886 119898119887)
4 Security Analyses
In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism
41 Adversary Model In the communication model weassume that a user 119880
119894intends to establish a session key
119878Key(119894119895)
with an authentication server 119878119895via the help of
the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π
119894
119880is denoted as the instance 119894 of a
participant 119880
(i) Send(Π119894119880 119898) this query sends a message 119898 to an
oracle Π119894
119880and gets the corresponding result
(ii) Reveal(Π119894119880) this query returns the session key of the
oracle Π119894
119880
(iii) Corrupt(119880) this query returns the long-term secretkey of 119880
(iv) Execute(Π119894119880119860
Π119894
119880119861
) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π
119894
119880119860
and Π119894
119880119861
(v) Hash(119898) the one-way hash function can be viewed
as random functions within the appropriate range in
the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903
to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary
(vi) Test(Π119894119880) this querymodels the security of the session
key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π
119894
119880 When the adversary issues a single
Test query toΠ119894
119880 the adversary obtains either the real
session key 119878Key(119894119895)
if 119887 = 1 or a random string if119887 = 0
42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]
(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887
1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894
119880and guesses the hidden bit 119887 successfully The
probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE
119875(Eve) =
|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875
(Eve) is negligible
In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902
119904 119902119903 119902119888 119902119890 and 119902
ℎare the
number of Send Reveal Corrupt Execute andHash queriesrespectively
(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885
lowast
119873
Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible
success probability SuccCDH119866
(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892
119905119896 within polynomialtime
Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879
119864V119890 with less than 119902119904Send queries with the
communication entities and 119902ℎtimes Hash queries Then
119860119889V119860119870119864119875
(119864V119890 119902119904 119902ℎ) le 119902
ℎ119902119904
times 119878119906119888119888119862119863119867
119866(1198791015840
119864V119890) where 1198791015840
119864V119890denotes the computational time for 119878119906119888119888
119862119863119867
119866and 119902119904= sum5
119894=1119902119904 119894
is the sum of the number of 1198781198901198991198891 119878119890119899119889
2 119878119890119899119889
3 119878119890119899119889
4 and
1198781198901198991198895
Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 3
protocols are scalable to a large group of wireless devicesNext in light of the coupling between diverse IoT sensorsapplications and services Ukil et al [9] presented the specificcharacteristics visions and challenges relating to the IoTBased on the observations and conclusions the authorsdeveloped a privacy preservation framework as a part of anIoT platform including a data masking tool for both privacyand utility preservation After that since security and privacyare two of themost pressing challenges for the development ofIoT applications or architecture Alqassem [10] specified theessential privacy and security requirements for the IoT andfurther established an engineering framework as the proofof concept With the emerging technology brought aboutby the IoT the connectivity between objects such as homeappliances and consumer electronics can be successfullycreated and applied On the other hand as trillions of objectseach require their own unique identifications low-cost RFIDtechnology has begun to attract attention For this reasonAggarwal and Das [11] developed a lightweight RFID basedprotocol to enhance system security while retaining theprotocolrsquos efficiency Later Torjusen et al [12] proposed asolution to integrate run-time verification enablers in thefeedback adaptation loop of the ASSET [13] that is anadaptive security framework for the IoT in the eHealthenvironment and implemented the framework with coloredPetri Nets The run-time enablers produce machine basedformal models of a systemrsquos status and context availableat run-time Moreover the authors presented requirementsfor verification at run-time as formal specifications andintroduced dynamic context monitoring and adaptation
In recent years IoT technologies have created an environ-ment characterized by linkage between software systems andthe physical world and have catalyzed a movement towardsinvisible and natural interactions among objects Howeverproviding efficient and customized personal services requiresinformation about every distinct individual or entity andthis leads to the potential for privacy invasion Hence theinformation flow control and the design of low-cost tags (oralternatively small data size) become very important issuesFrom these observations Evans and Eyers [14] introducedcode templates for two small microcontrollers that makemeaningful tagging possible Later Skarmeta et al [15]proposed a capability-based access control mechanism that isbuilt on public key cryptographyThe essential ideas are basedon the design of a lightweight token used for accessing CoAP(Constrained Application Protocol) resources and a digitalsignature algorithm inside the smart object Being based onthese two newly proposed techniques the presented accesscontrol mechanism can provide better security and privacyfor IoT based networks
Different wireless communication technologies and net-work infrastructures are continuously being integrated suchas WSN RFID systems 3G technology WIMAX PANand so forth In order to solve related security problemsChen et al [16] proposed a security architecture for an IoTenvironment The proposed system architecture is adaptiveto the IoT environment and in addition a security ver-ification mechanism was introduced Later Berhanu et al[17] described a setup for adaptive security for IoT devices
in an eHealth environment and discussed the validationof the setup through the study of the impact of antennaorientation on energy consumptionThe authors then studiedthe feasibility of adopting lightweight security solutions aspart of the ASSET infrastructure [13] Next Ning et al[18] proposed an authentication scheme for IoT networksThe authors exploited U2loT architecture to design anaggregated-proof based hierarchical authentication schemefor layered networks In this authentication mechanismseveral concepts such as anonymous data transmissionmutual authentication and different access authorities wereincorporated to achieve hierarchical access control More-over Chen [19] proposed a possible solution based on an IBE(identity-based encryption) cryptosystem to efficiently andeffectively solve the privacy and security threats encounteredin the IoT The elliptic curve cryptosystem is applied forachieving security in the IoT and the authors establishedthat essential security problems could be solved without toomuch resource consumption After that Paar [20] developeda concept that took into account both the destructive andconstructive aspects embedded in the security of the IoTThepurpose was to examine the efficiency of tradeoffs betweenthe desired security and the lowest possible cost
Li and Xiong [21] developed a secure scheme for achiev-ing confidentiality integrity authentication and nonrepudi-ation in a logical single step The proposed method splitsthe signcryption into two phases with an online phase andan offline phase and allows a sensor node in an identity-based cryptosystem to send a message to an Internet hostHence this scheme successfully provides an efficient solutionfor integrating WSN into IoT Afterwards in [22] the authoranalyzed the security requirements in different layers of theIoT and arrived at two conclusions (a) the future securityissues related to the IoT will mainly involve an open securitysystem individual privacy protection and terminal securityfunctionality and (b) the security of the IoT must be seenfrom a perspective of integration which mandates the needfor a series of policies laws and regulations as well as aperfect security management system for mutual collocationIn 2013 Hummen et al [23] introduced an IoT orientedauthentication scheme which is based on the designs ofprevalidation session resumption and handshake delega-tion The proposed scheme can provide peer authenticationand secure data transmission In the following year Kantarciand Hussein [24] demonstrated a framework for ensuringpublic safety in a cloud-centric IoT environment wheresmartphones equipped with various types of sensors aredeployed To ensure trustworthiness in the framework theauthors proposed a reputation-based S2aaS scheme calledTrustworthy Sensing forCrowdManagement (TSCM)whichis able to collect sensing data based on a cloud model Inaddition the authors designed an auction procedure to selectmobile devices for particular sensing tasks and to determinethe appropriate payments to the users of the mobile devicesthat provide data Furthermore Tilanus et al [25] discussedthe motivations for opening up a given IoT so as to makethe ldquothingsrdquo it contains part of the global IoT The proposedmethod comprises the definition and control of access rightsto the discovery and use of virtual objects It has the potential
4 International Journal of Distributed Sensor Networks
to play a central role in the verification of access rights tovirtual objects in the deployment of the IoT
3 The Proposed Schemes
With the advancement of IoT networks numerous networkservices and mobile devices have been deployed in pursuitof the betterment of human wellbeing In general usersmay register with the server once and maintain a set ofverified data (or parameters) as the login token for systemresource and service retrieval The concept is called thesingle sign-on (SSO) whereby legal users are allowed to usethe unitary token to access different services (or devices)Our proposed authentication scheme is based on the SSOtechnique whereby a mobile application allows a user toutilize a mobile device with a unitary token to access multipleservices The techniques of a one-way hash function andrandom nonce are adopted to simultaneously ensure systemefficiency and security robustness In addition we presenta coexistence mechanism to prove the correctness of thecoexisting medical items With a proof for a group of taggedobjects existing at the same time and the sameplacemedicineerror prevention and patient safety can further be enhanced
31 The Proposed Authentication Scheme In our schemethree entities that is the user 119880
119894or the authentication server
AS119895 and a trusted third-party authority TTPA exist The
server and the trusted authority TTPA do not require themaintenance of any registration table for each registeredcommunication entity First the TTPA selects two largeprimes 119901 and 119902 and computes 119873 = 119901 sdot 119902 Then the TTPAdetermines the key pair (119890 119889) such that 119890 sdot 119889 equiv 1mod120593(119873)where 120593(119873) = (119901 minus 1)(119902 minus 1) Next the TTPA chooses agenerator 119892 over the finite field119885
lowast
119899 where 119899 is a large-enough
odd prime number Finally the TTPA protects the secret 119889
and publishes (119890 119892 119899119873) Note that all the information aboutthe parameters 119901 and 119902 is erased after initialization of thesystem Now both the user and the server need to storeonly one set of public parameters that is 119890 119892 119892
119886 119899119873 ℎ(sdot)
published by the TTPA where 119886 is a secret generated by theTTPA and ℎ(sdot) is a collision-resistant one-way hash function
Registration Phase In the registration phase each user 119880119894
registers a unique and fixed bit-length identity ID119894at the
TTPA side and obtains a secret token 119878119894from the TTPA
through a secure channel The secret token 119878119894is as 119878
119894=
(ID119894 ℎ(ID
119894 119887))119889mod119873 where 119887 is also a secret generated
by the TTPA Similarly the server AS119895registers a unique
identity ID119895at the TTPA side and obtains a secret token
119878119895from the TTPA through a secure channel where 119878
119895=
(ℎ(ID119895 119887))119889mod119873 Note that ID
119895is public for each service
request
User Identification andVerification Phase (Figure 1) If the user119880119894wants to request an authentication service from AS
119895 the
user identification and verification phase is invoked
(1) 119880119894computes1198921198991 mod119873 (119892119886)1198991 mod119873 and119860 = (119878
119894
1198991) oplus ℎ(119892
1198861198991) and sends message 119898
1= ID
119895 1198921198991 119860
to AS119895 where 119899
1is a random nonce generated by 119880
119894
Upon receiving1198981 AS119895generates a random nonce 119899
2
to calculate 1198921198992 mod 119873 (119892119886)1198992 mod119873 and 119861 = (119878
119895
1198992) oplus ℎ(119892
1198861198992) and forwards 119898
2= ID
119895 1198921198991 119860 119892
1198992 119861
to the TTPA(2) After getting 119898
2 the TTPA computes (119892
1198991)119886mod119873
and (1198921198992)119886mod119873 and derived (119878
119894 1198991) and (119878
119895 1198992)
from 119860 oplus ℎ(1198921198861198991
) and 119861 oplus ℎ(1198921198861198992
) Next the TTPAverifies 119878
119894and 119878119895via the following computations
(119878119894)119890mod119873 = (ID
119894 ℎ(ID
119894 119887))119889119890mod119873
(119878119895)119890mod119873 = (ℎ(ID
119895 119887))119889119890mod119873
Compute ℎ(ID119894 119887) with retrieved value ID
119894 and com-
pare the result with retrieved value ℎ(ID119894 119887)
Compute ℎ(ID119894 119887)with received value ID
119895and retrieved
value ℎ(ID119895 119887)
If the above verification is passed the TTPA choosesa random nonce 119899
3and computes the following values
(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992)
and 119863 = ℎ(ID119895
(1198921198992)1198993
1198991) Next the TTPA sends 119898
3=
11989211989911198993 119862 119892
11989921198993 119863 to AS
119895
(3) Once AS119895obtains 119898
3 AS119895computes the session key
119870119894119895
= (11989211989911198993)1198992 mod119873 and examines the validity of
value 119862 That is AS119895calculates ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992) and compares it with value 119862 If these values are
not equal the protocol terminates Otherwise AS119895
calculates 119864 = ℎ(ID119895 119870119894119895) and sends 119898
4= 11989211989921198993 119863
119864 to 119880119894 After that AS
119895believes that 119880
119894is an
authorized user(4) After receiving 119898
4 119880119894derives the session key 119870
119894119895=
(11989211989921198993)1198991 mod119873 and examines the validity of values119863
and 119864 In other words 119880119894computes ℎ(ID
119895 (1198921198992)1198993
1198991) and ℎ(ID
119895 119870119894119895) and examines whether the fol-
lowing two equations hold or not
(a) Is computed ℎ(ID119895
(1198921198992)1198993
1198991) equal to
received 119863(b) Is computed ℎ(ID
119895 119870119894119895) equal to received 119864
If these two examinations hold 119880119894believes that AS
119895is an
authorized service provider with current session key 119870119894119895
32 The Proposed Coexistence Mechanism (Figure 2)Recently the concept of coexistence proof for RF tags hasbeen introduced to prove multiple tagged objects existing atthe same time in the same place Such proofs can be utilizedin the application field of inpatient safety and medicationmanagement In the proposed mechanism each RF tag 119879
119894
requires supporting lightweight operations that is a 16-bitpseudorandom number generation (PRNG) function andbitwise exclusive OR (XOR) operation and the backendcoexistence server maintains two secret keys 119883
119894and 119884
119894 an
index-pseudonym ID119878119894 and a unique identity ID
119894for each119879
119894
In addition the timestamp scheme and a random one-waypermutation function 119865 mapping within range [1 2119871] are
International Journal of Distributed Sensor Networks 5
Ui ASj TTPA
gn1 mod N
(ga)n1 mod N
A = (Si n1) oplus h(gan1 )
m1 = IDj gn1 A
gn2 mod N
(ga)n2 mod N
B = (Sj n2) oplus h(gan2 )
m2 = IDj gn1 A gn2 B
(gn1 )a mod N
(gn2 )a mod N
(Si n1) = A oplus h(gn1a)
(Sj n2) = B oplus h(gn2a)
(Si)e mod N = (IDi h(IDi b))
de mod N
(Sj)e mod N = (h(IDj b))
de mod N
Verify h(IDi b) and h(IDj b)(gn1 )
n3 mod N
(gn2 )n3 mod N
C = h((gn1 )n3 (gn2 )
n3 n2)
D = h(IDj (gn2 )
n3 n1)m3 = gn1n3 C gn2n3 D
Kij = (gn2n3 )n2 mod N
Verify CE = h(IDj Kij)
m4 = gn2n3 D E
Kij = (gn2n3 )n1 mod N
Verify D and E
Figure 1 The proposed authentication scheme
Tag Ta(IDSa IDaXa Ya)
Hello F(ts oplus Ks) Hello F(ts oplus Ks)
IDSa ra a
120572a F(F(ts oplus Ks) oplus IDSb)
120573a ma
Reader
IDSb rb b
120572b F(ma oplus IDSa)
120573b mb
Tag Tb
(IDSb IDb
Xb Yb)
Pab = (IDSa IDSb t ma mb)
Figure 2 The proposed coexistence mechanism
adopted in the proposed mechanism where 119871 is the securityparameter The implementation of 119865 is based on PRNG andXOR to obtain operational efficiency for low-cost RF tags[26]
Step 1 First the RF reader requests a well-protected times-tamp 119865(119905
119904oplus 119870119904) from the backend server where 119870
119904is the
serverrsquos secret key Note that a corresponding log is createdAn initial message Hello 119865(119905
119904oplus 119870119904) is then issued to 119879
119886
and 119879119887 After 119879
119886and 119879
119887get the incoming message they
both send ID119878119886 119903119886 V119886
= 119865(119865(119884119886) oplus 119865(119905
119904oplus 119870119904) oplus 119903119886) and
ID119878119887 119903119887 V119887
= 119865(119865(119884119887) oplus 119865(119905
119904oplus 119870119904) oplus 119903119887) to the reader
respectively And the reader immediately forwards these tworesponses with 119865(119905
119904oplus119870119904) to the backend server At the server
side if the verification of 119865(119905119904oplus 119870119904) holds (ie the validity
of the current process time-period is verified) the serverwill then verify V
119886and V119887 Once the examinations of V
119886and
V119887hold the server sends two derived key values that is
119870119886
= 119865(119865(119865(119884119886)) oplus 119903
119886) and 119870
119887= 119865(119865(119865(119884
119887)) oplus 119903
119887) to the
reader and updates 119884119886 ID119878119886 119884119887 ID119878119887 with 119884
1015840
119886= 119865(119884
119886oplus
119903119886) ID119878
1015840
119886= 119865(119884
1015840
119886oplus ID119878
119886) 1198841015840
119887= 119865(119884
119887oplus 119903119887) ID119878
1015840
119887= 119865(119884
1015840
119887
oplusID119878119887)
6 International Journal of Distributed Sensor Networks
Step 2 Upon obtaining119870119886and119870
119887 the reader computes 120572
119886=
119865(119870119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887)) and sends 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus
ID119878119887) to 119879
119886
Step 3 After 119879119886receives 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) 119879119886
computes 119870119886
= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884
119886
and examines 120572119886
= 119865(119870119886oplus119865(119865(119905
119904oplus119870119904)oplusID119878
119887)) If it holds119879
119886
will then calculate119898119886
= 119865(ID119878119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) oplus 119883119886)
and 120573119886
= 119865(119865(119870119886) oplus 119898
119886) and send 119898
119886 120573119886 to the reader
Then 119879119886updates 119884
119886 ID119878119886 to 119884
1015840
119886= 119865(119884
119886oplus 119903119886) ID119878
1015840
119886=
119865(1198841015840
119886oplus ID119878
119886)
Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573
119886=
119865(119865(119870119886) oplus 119898
119886) If the examination passes the reader sends
120572119887 119865(119898119886oplus ID119878
119886) to 119879
119887 where 120572
119887= 119865(119870
119887oplus 119865(119898
119886oplus ID119878
119886))
Step 5 After receiving 120572119887 119865(119898119886
oplus ID119878119886) 119879119887uses its key 119884
119887
to compute 119870119887
= 119865(119865(119865(119884119887)) oplus 119903
119887) and verify 120572
119887= 119865(119870
119887oplus
119865(119898119886oplusID119878119886)) If it holds119879
119887will send 120573
119887 119898119887 to the reader in
which119898119887= 119865(ID119878
119887oplus119865(119898
119886oplusID119878119886)oplus119883119887) and 120573
119887= 119865(119865(119870
119887)oplus
119898119887) Next119879
119887updates 119884
119887 ID119878119887with 119884
1015840
119887= 119865(119884
119887oplus119903119887) ID119878
1015840
119887=
119865(1198841015840
119887oplus ID119878
119887)
Step 6 Upon receiving 120573119887 119898119887 the reader performs the
verification of 120573119887
= 119865(119865(119870119887) oplus 119898
119887) If it holds the reader
confirms the coexistence of 119879119886and 119879
119887with a valid proof
119875119886119887
= (ID119878119886 ID119878119887 119905 119898119886 119898119887)
4 Security Analyses
In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism
41 Adversary Model In the communication model weassume that a user 119880
119894intends to establish a session key
119878Key(119894119895)
with an authentication server 119878119895via the help of
the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π
119894
119880is denoted as the instance 119894 of a
participant 119880
(i) Send(Π119894119880 119898) this query sends a message 119898 to an
oracle Π119894
119880and gets the corresponding result
(ii) Reveal(Π119894119880) this query returns the session key of the
oracle Π119894
119880
(iii) Corrupt(119880) this query returns the long-term secretkey of 119880
(iv) Execute(Π119894119880119860
Π119894
119880119861
) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π
119894
119880119860
and Π119894
119880119861
(v) Hash(119898) the one-way hash function can be viewed
as random functions within the appropriate range in
the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903
to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary
(vi) Test(Π119894119880) this querymodels the security of the session
key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π
119894
119880 When the adversary issues a single
Test query toΠ119894
119880 the adversary obtains either the real
session key 119878Key(119894119895)
if 119887 = 1 or a random string if119887 = 0
42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]
(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887
1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894
119880and guesses the hidden bit 119887 successfully The
probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE
119875(Eve) =
|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875
(Eve) is negligible
In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902
119904 119902119903 119902119888 119902119890 and 119902
ℎare the
number of Send Reveal Corrupt Execute andHash queriesrespectively
(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885
lowast
119873
Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible
success probability SuccCDH119866
(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892
119905119896 within polynomialtime
Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879
119864V119890 with less than 119902119904Send queries with the
communication entities and 119902ℎtimes Hash queries Then
119860119889V119860119870119864119875
(119864V119890 119902119904 119902ℎ) le 119902
ℎ119902119904
times 119878119906119888119888119862119863119867
119866(1198791015840
119864V119890) where 1198791015840
119864V119890denotes the computational time for 119878119906119888119888
119862119863119867
119866and 119902119904= sum5
119894=1119902119904 119894
is the sum of the number of 1198781198901198991198891 119878119890119899119889
2 119878119890119899119889
3 119878119890119899119889
4 and
1198781198901198991198895
Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 International Journal of Distributed Sensor Networks
to play a central role in the verification of access rights tovirtual objects in the deployment of the IoT
3 The Proposed Schemes
With the advancement of IoT networks numerous networkservices and mobile devices have been deployed in pursuitof the betterment of human wellbeing In general usersmay register with the server once and maintain a set ofverified data (or parameters) as the login token for systemresource and service retrieval The concept is called thesingle sign-on (SSO) whereby legal users are allowed to usethe unitary token to access different services (or devices)Our proposed authentication scheme is based on the SSOtechnique whereby a mobile application allows a user toutilize a mobile device with a unitary token to access multipleservices The techniques of a one-way hash function andrandom nonce are adopted to simultaneously ensure systemefficiency and security robustness In addition we presenta coexistence mechanism to prove the correctness of thecoexisting medical items With a proof for a group of taggedobjects existing at the same time and the sameplacemedicineerror prevention and patient safety can further be enhanced
31 The Proposed Authentication Scheme In our schemethree entities that is the user 119880
119894or the authentication server
AS119895 and a trusted third-party authority TTPA exist The
server and the trusted authority TTPA do not require themaintenance of any registration table for each registeredcommunication entity First the TTPA selects two largeprimes 119901 and 119902 and computes 119873 = 119901 sdot 119902 Then the TTPAdetermines the key pair (119890 119889) such that 119890 sdot 119889 equiv 1mod120593(119873)where 120593(119873) = (119901 minus 1)(119902 minus 1) Next the TTPA chooses agenerator 119892 over the finite field119885
lowast
119899 where 119899 is a large-enough
odd prime number Finally the TTPA protects the secret 119889
and publishes (119890 119892 119899119873) Note that all the information aboutthe parameters 119901 and 119902 is erased after initialization of thesystem Now both the user and the server need to storeonly one set of public parameters that is 119890 119892 119892
119886 119899119873 ℎ(sdot)
published by the TTPA where 119886 is a secret generated by theTTPA and ℎ(sdot) is a collision-resistant one-way hash function
Registration Phase In the registration phase each user 119880119894
registers a unique and fixed bit-length identity ID119894at the
TTPA side and obtains a secret token 119878119894from the TTPA
through a secure channel The secret token 119878119894is as 119878
119894=
(ID119894 ℎ(ID
119894 119887))119889mod119873 where 119887 is also a secret generated
by the TTPA Similarly the server AS119895registers a unique
identity ID119895at the TTPA side and obtains a secret token
119878119895from the TTPA through a secure channel where 119878
119895=
(ℎ(ID119895 119887))119889mod119873 Note that ID
119895is public for each service
request
User Identification andVerification Phase (Figure 1) If the user119880119894wants to request an authentication service from AS
119895 the
user identification and verification phase is invoked
(1) 119880119894computes1198921198991 mod119873 (119892119886)1198991 mod119873 and119860 = (119878
119894
1198991) oplus ℎ(119892
1198861198991) and sends message 119898
1= ID
119895 1198921198991 119860
to AS119895 where 119899
1is a random nonce generated by 119880
119894
Upon receiving1198981 AS119895generates a random nonce 119899
2
to calculate 1198921198992 mod 119873 (119892119886)1198992 mod119873 and 119861 = (119878
119895
1198992) oplus ℎ(119892
1198861198992) and forwards 119898
2= ID
119895 1198921198991 119860 119892
1198992 119861
to the TTPA(2) After getting 119898
2 the TTPA computes (119892
1198991)119886mod119873
and (1198921198992)119886mod119873 and derived (119878
119894 1198991) and (119878
119895 1198992)
from 119860 oplus ℎ(1198921198861198991
) and 119861 oplus ℎ(1198921198861198992
) Next the TTPAverifies 119878
119894and 119878119895via the following computations
(119878119894)119890mod119873 = (ID
119894 ℎ(ID
119894 119887))119889119890mod119873
(119878119895)119890mod119873 = (ℎ(ID
119895 119887))119889119890mod119873
Compute ℎ(ID119894 119887) with retrieved value ID
119894 and com-
pare the result with retrieved value ℎ(ID119894 119887)
Compute ℎ(ID119894 119887)with received value ID
119895and retrieved
value ℎ(ID119895 119887)
If the above verification is passed the TTPA choosesa random nonce 119899
3and computes the following values
(1198921198991)1198993 mod119873 (1198921198992)1198993 mod119873 119862 = ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992)
and 119863 = ℎ(ID119895
(1198921198992)1198993
1198991) Next the TTPA sends 119898
3=
11989211989911198993 119862 119892
11989921198993 119863 to AS
119895
(3) Once AS119895obtains 119898
3 AS119895computes the session key
119870119894119895
= (11989211989911198993)1198992 mod119873 and examines the validity of
value 119862 That is AS119895calculates ℎ((119892
1198991)1198993
(1198921198992)1198993
1198992) and compares it with value 119862 If these values are
not equal the protocol terminates Otherwise AS119895
calculates 119864 = ℎ(ID119895 119870119894119895) and sends 119898
4= 11989211989921198993 119863
119864 to 119880119894 After that AS
119895believes that 119880
119894is an
authorized user(4) After receiving 119898
4 119880119894derives the session key 119870
119894119895=
(11989211989921198993)1198991 mod119873 and examines the validity of values119863
and 119864 In other words 119880119894computes ℎ(ID
119895 (1198921198992)1198993
1198991) and ℎ(ID
119895 119870119894119895) and examines whether the fol-
lowing two equations hold or not
(a) Is computed ℎ(ID119895
(1198921198992)1198993
1198991) equal to
received 119863(b) Is computed ℎ(ID
119895 119870119894119895) equal to received 119864
If these two examinations hold 119880119894believes that AS
119895is an
authorized service provider with current session key 119870119894119895
32 The Proposed Coexistence Mechanism (Figure 2)Recently the concept of coexistence proof for RF tags hasbeen introduced to prove multiple tagged objects existing atthe same time in the same place Such proofs can be utilizedin the application field of inpatient safety and medicationmanagement In the proposed mechanism each RF tag 119879
119894
requires supporting lightweight operations that is a 16-bitpseudorandom number generation (PRNG) function andbitwise exclusive OR (XOR) operation and the backendcoexistence server maintains two secret keys 119883
119894and 119884
119894 an
index-pseudonym ID119878119894 and a unique identity ID
119894for each119879
119894
In addition the timestamp scheme and a random one-waypermutation function 119865 mapping within range [1 2119871] are
International Journal of Distributed Sensor Networks 5
Ui ASj TTPA
gn1 mod N
(ga)n1 mod N
A = (Si n1) oplus h(gan1 )
m1 = IDj gn1 A
gn2 mod N
(ga)n2 mod N
B = (Sj n2) oplus h(gan2 )
m2 = IDj gn1 A gn2 B
(gn1 )a mod N
(gn2 )a mod N
(Si n1) = A oplus h(gn1a)
(Sj n2) = B oplus h(gn2a)
(Si)e mod N = (IDi h(IDi b))
de mod N
(Sj)e mod N = (h(IDj b))
de mod N
Verify h(IDi b) and h(IDj b)(gn1 )
n3 mod N
(gn2 )n3 mod N
C = h((gn1 )n3 (gn2 )
n3 n2)
D = h(IDj (gn2 )
n3 n1)m3 = gn1n3 C gn2n3 D
Kij = (gn2n3 )n2 mod N
Verify CE = h(IDj Kij)
m4 = gn2n3 D E
Kij = (gn2n3 )n1 mod N
Verify D and E
Figure 1 The proposed authentication scheme
Tag Ta(IDSa IDaXa Ya)
Hello F(ts oplus Ks) Hello F(ts oplus Ks)
IDSa ra a
120572a F(F(ts oplus Ks) oplus IDSb)
120573a ma
Reader
IDSb rb b
120572b F(ma oplus IDSa)
120573b mb
Tag Tb
(IDSb IDb
Xb Yb)
Pab = (IDSa IDSb t ma mb)
Figure 2 The proposed coexistence mechanism
adopted in the proposed mechanism where 119871 is the securityparameter The implementation of 119865 is based on PRNG andXOR to obtain operational efficiency for low-cost RF tags[26]
Step 1 First the RF reader requests a well-protected times-tamp 119865(119905
119904oplus 119870119904) from the backend server where 119870
119904is the
serverrsquos secret key Note that a corresponding log is createdAn initial message Hello 119865(119905
119904oplus 119870119904) is then issued to 119879
119886
and 119879119887 After 119879
119886and 119879
119887get the incoming message they
both send ID119878119886 119903119886 V119886
= 119865(119865(119884119886) oplus 119865(119905
119904oplus 119870119904) oplus 119903119886) and
ID119878119887 119903119887 V119887
= 119865(119865(119884119887) oplus 119865(119905
119904oplus 119870119904) oplus 119903119887) to the reader
respectively And the reader immediately forwards these tworesponses with 119865(119905
119904oplus119870119904) to the backend server At the server
side if the verification of 119865(119905119904oplus 119870119904) holds (ie the validity
of the current process time-period is verified) the serverwill then verify V
119886and V119887 Once the examinations of V
119886and
V119887hold the server sends two derived key values that is
119870119886
= 119865(119865(119865(119884119886)) oplus 119903
119886) and 119870
119887= 119865(119865(119865(119884
119887)) oplus 119903
119887) to the
reader and updates 119884119886 ID119878119886 119884119887 ID119878119887 with 119884
1015840
119886= 119865(119884
119886oplus
119903119886) ID119878
1015840
119886= 119865(119884
1015840
119886oplus ID119878
119886) 1198841015840
119887= 119865(119884
119887oplus 119903119887) ID119878
1015840
119887= 119865(119884
1015840
119887
oplusID119878119887)
6 International Journal of Distributed Sensor Networks
Step 2 Upon obtaining119870119886and119870
119887 the reader computes 120572
119886=
119865(119870119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887)) and sends 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus
ID119878119887) to 119879
119886
Step 3 After 119879119886receives 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) 119879119886
computes 119870119886
= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884
119886
and examines 120572119886
= 119865(119870119886oplus119865(119865(119905
119904oplus119870119904)oplusID119878
119887)) If it holds119879
119886
will then calculate119898119886
= 119865(ID119878119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) oplus 119883119886)
and 120573119886
= 119865(119865(119870119886) oplus 119898
119886) and send 119898
119886 120573119886 to the reader
Then 119879119886updates 119884
119886 ID119878119886 to 119884
1015840
119886= 119865(119884
119886oplus 119903119886) ID119878
1015840
119886=
119865(1198841015840
119886oplus ID119878
119886)
Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573
119886=
119865(119865(119870119886) oplus 119898
119886) If the examination passes the reader sends
120572119887 119865(119898119886oplus ID119878
119886) to 119879
119887 where 120572
119887= 119865(119870
119887oplus 119865(119898
119886oplus ID119878
119886))
Step 5 After receiving 120572119887 119865(119898119886
oplus ID119878119886) 119879119887uses its key 119884
119887
to compute 119870119887
= 119865(119865(119865(119884119887)) oplus 119903
119887) and verify 120572
119887= 119865(119870
119887oplus
119865(119898119886oplusID119878119886)) If it holds119879
119887will send 120573
119887 119898119887 to the reader in
which119898119887= 119865(ID119878
119887oplus119865(119898
119886oplusID119878119886)oplus119883119887) and 120573
119887= 119865(119865(119870
119887)oplus
119898119887) Next119879
119887updates 119884
119887 ID119878119887with 119884
1015840
119887= 119865(119884
119887oplus119903119887) ID119878
1015840
119887=
119865(1198841015840
119887oplus ID119878
119887)
Step 6 Upon receiving 120573119887 119898119887 the reader performs the
verification of 120573119887
= 119865(119865(119870119887) oplus 119898
119887) If it holds the reader
confirms the coexistence of 119879119886and 119879
119887with a valid proof
119875119886119887
= (ID119878119886 ID119878119887 119905 119898119886 119898119887)
4 Security Analyses
In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism
41 Adversary Model In the communication model weassume that a user 119880
119894intends to establish a session key
119878Key(119894119895)
with an authentication server 119878119895via the help of
the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π
119894
119880is denoted as the instance 119894 of a
participant 119880
(i) Send(Π119894119880 119898) this query sends a message 119898 to an
oracle Π119894
119880and gets the corresponding result
(ii) Reveal(Π119894119880) this query returns the session key of the
oracle Π119894
119880
(iii) Corrupt(119880) this query returns the long-term secretkey of 119880
(iv) Execute(Π119894119880119860
Π119894
119880119861
) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π
119894
119880119860
and Π119894
119880119861
(v) Hash(119898) the one-way hash function can be viewed
as random functions within the appropriate range in
the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903
to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary
(vi) Test(Π119894119880) this querymodels the security of the session
key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π
119894
119880 When the adversary issues a single
Test query toΠ119894
119880 the adversary obtains either the real
session key 119878Key(119894119895)
if 119887 = 1 or a random string if119887 = 0
42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]
(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887
1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894
119880and guesses the hidden bit 119887 successfully The
probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE
119875(Eve) =
|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875
(Eve) is negligible
In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902
119904 119902119903 119902119888 119902119890 and 119902
ℎare the
number of Send Reveal Corrupt Execute andHash queriesrespectively
(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885
lowast
119873
Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible
success probability SuccCDH119866
(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892
119905119896 within polynomialtime
Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879
119864V119890 with less than 119902119904Send queries with the
communication entities and 119902ℎtimes Hash queries Then
119860119889V119860119870119864119875
(119864V119890 119902119904 119902ℎ) le 119902
ℎ119902119904
times 119878119906119888119888119862119863119867
119866(1198791015840
119864V119890) where 1198791015840
119864V119890denotes the computational time for 119878119906119888119888
119862119863119867
119866and 119902119904= sum5
119894=1119902119904 119894
is the sum of the number of 1198781198901198991198891 119878119890119899119889
2 119878119890119899119889
3 119878119890119899119889
4 and
1198781198901198991198895
Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
Ui ASj TTPA
gn1 mod N
(ga)n1 mod N
A = (Si n1) oplus h(gan1 )
m1 = IDj gn1 A
gn2 mod N
(ga)n2 mod N
B = (Sj n2) oplus h(gan2 )
m2 = IDj gn1 A gn2 B
(gn1 )a mod N
(gn2 )a mod N
(Si n1) = A oplus h(gn1a)
(Sj n2) = B oplus h(gn2a)
(Si)e mod N = (IDi h(IDi b))
de mod N
(Sj)e mod N = (h(IDj b))
de mod N
Verify h(IDi b) and h(IDj b)(gn1 )
n3 mod N
(gn2 )n3 mod N
C = h((gn1 )n3 (gn2 )
n3 n2)
D = h(IDj (gn2 )
n3 n1)m3 = gn1n3 C gn2n3 D
Kij = (gn2n3 )n2 mod N
Verify CE = h(IDj Kij)
m4 = gn2n3 D E
Kij = (gn2n3 )n1 mod N
Verify D and E
Figure 1 The proposed authentication scheme
Tag Ta(IDSa IDaXa Ya)
Hello F(ts oplus Ks) Hello F(ts oplus Ks)
IDSa ra a
120572a F(F(ts oplus Ks) oplus IDSb)
120573a ma
Reader
IDSb rb b
120572b F(ma oplus IDSa)
120573b mb
Tag Tb
(IDSb IDb
Xb Yb)
Pab = (IDSa IDSb t ma mb)
Figure 2 The proposed coexistence mechanism
adopted in the proposed mechanism where 119871 is the securityparameter The implementation of 119865 is based on PRNG andXOR to obtain operational efficiency for low-cost RF tags[26]
Step 1 First the RF reader requests a well-protected times-tamp 119865(119905
119904oplus 119870119904) from the backend server where 119870
119904is the
serverrsquos secret key Note that a corresponding log is createdAn initial message Hello 119865(119905
119904oplus 119870119904) is then issued to 119879
119886
and 119879119887 After 119879
119886and 119879
119887get the incoming message they
both send ID119878119886 119903119886 V119886
= 119865(119865(119884119886) oplus 119865(119905
119904oplus 119870119904) oplus 119903119886) and
ID119878119887 119903119887 V119887
= 119865(119865(119884119887) oplus 119865(119905
119904oplus 119870119904) oplus 119903119887) to the reader
respectively And the reader immediately forwards these tworesponses with 119865(119905
119904oplus119870119904) to the backend server At the server
side if the verification of 119865(119905119904oplus 119870119904) holds (ie the validity
of the current process time-period is verified) the serverwill then verify V
119886and V119887 Once the examinations of V
119886and
V119887hold the server sends two derived key values that is
119870119886
= 119865(119865(119865(119884119886)) oplus 119903
119886) and 119870
119887= 119865(119865(119865(119884
119887)) oplus 119903
119887) to the
reader and updates 119884119886 ID119878119886 119884119887 ID119878119887 with 119884
1015840
119886= 119865(119884
119886oplus
119903119886) ID119878
1015840
119886= 119865(119884
1015840
119886oplus ID119878
119886) 1198841015840
119887= 119865(119884
119887oplus 119903119887) ID119878
1015840
119887= 119865(119884
1015840
119887
oplusID119878119887)
6 International Journal of Distributed Sensor Networks
Step 2 Upon obtaining119870119886and119870
119887 the reader computes 120572
119886=
119865(119870119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887)) and sends 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus
ID119878119887) to 119879
119886
Step 3 After 119879119886receives 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) 119879119886
computes 119870119886
= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884
119886
and examines 120572119886
= 119865(119870119886oplus119865(119865(119905
119904oplus119870119904)oplusID119878
119887)) If it holds119879
119886
will then calculate119898119886
= 119865(ID119878119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) oplus 119883119886)
and 120573119886
= 119865(119865(119870119886) oplus 119898
119886) and send 119898
119886 120573119886 to the reader
Then 119879119886updates 119884
119886 ID119878119886 to 119884
1015840
119886= 119865(119884
119886oplus 119903119886) ID119878
1015840
119886=
119865(1198841015840
119886oplus ID119878
119886)
Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573
119886=
119865(119865(119870119886) oplus 119898
119886) If the examination passes the reader sends
120572119887 119865(119898119886oplus ID119878
119886) to 119879
119887 where 120572
119887= 119865(119870
119887oplus 119865(119898
119886oplus ID119878
119886))
Step 5 After receiving 120572119887 119865(119898119886
oplus ID119878119886) 119879119887uses its key 119884
119887
to compute 119870119887
= 119865(119865(119865(119884119887)) oplus 119903
119887) and verify 120572
119887= 119865(119870
119887oplus
119865(119898119886oplusID119878119886)) If it holds119879
119887will send 120573
119887 119898119887 to the reader in
which119898119887= 119865(ID119878
119887oplus119865(119898
119886oplusID119878119886)oplus119883119887) and 120573
119887= 119865(119865(119870
119887)oplus
119898119887) Next119879
119887updates 119884
119887 ID119878119887with 119884
1015840
119887= 119865(119884
119887oplus119903119887) ID119878
1015840
119887=
119865(1198841015840
119887oplus ID119878
119887)
Step 6 Upon receiving 120573119887 119898119887 the reader performs the
verification of 120573119887
= 119865(119865(119870119887) oplus 119898
119887) If it holds the reader
confirms the coexistence of 119879119886and 119879
119887with a valid proof
119875119886119887
= (ID119878119886 ID119878119887 119905 119898119886 119898119887)
4 Security Analyses
In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism
41 Adversary Model In the communication model weassume that a user 119880
119894intends to establish a session key
119878Key(119894119895)
with an authentication server 119878119895via the help of
the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π
119894
119880is denoted as the instance 119894 of a
participant 119880
(i) Send(Π119894119880 119898) this query sends a message 119898 to an
oracle Π119894
119880and gets the corresponding result
(ii) Reveal(Π119894119880) this query returns the session key of the
oracle Π119894
119880
(iii) Corrupt(119880) this query returns the long-term secretkey of 119880
(iv) Execute(Π119894119880119860
Π119894
119880119861
) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π
119894
119880119860
and Π119894
119880119861
(v) Hash(119898) the one-way hash function can be viewed
as random functions within the appropriate range in
the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903
to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary
(vi) Test(Π119894119880) this querymodels the security of the session
key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π
119894
119880 When the adversary issues a single
Test query toΠ119894
119880 the adversary obtains either the real
session key 119878Key(119894119895)
if 119887 = 1 or a random string if119887 = 0
42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]
(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887
1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894
119880and guesses the hidden bit 119887 successfully The
probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE
119875(Eve) =
|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875
(Eve) is negligible
In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902
119904 119902119903 119902119888 119902119890 and 119902
ℎare the
number of Send Reveal Corrupt Execute andHash queriesrespectively
(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885
lowast
119873
Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible
success probability SuccCDH119866
(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892
119905119896 within polynomialtime
Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879
119864V119890 with less than 119902119904Send queries with the
communication entities and 119902ℎtimes Hash queries Then
119860119889V119860119870119864119875
(119864V119890 119902119904 119902ℎ) le 119902
ℎ119902119904
times 119878119906119888119888119862119863119867
119866(1198791015840
119864V119890) where 1198791015840
119864V119890denotes the computational time for 119878119906119888119888
119862119863119867
119866and 119902119904= sum5
119894=1119902119904 119894
is the sum of the number of 1198781198901198991198891 119878119890119899119889
2 119878119890119899119889
3 119878119890119899119889
4 and
1198781198901198991198895
Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 International Journal of Distributed Sensor Networks
Step 2 Upon obtaining119870119886and119870
119887 the reader computes 120572
119886=
119865(119870119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887)) and sends 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus
ID119878119887) to 119879
119886
Step 3 After 119879119886receives 120572
119886 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) 119879119886
computes 119870119886
= 119865(119865(119865(119884119886)) oplus 119903119886) with its own secret key 119884
119886
and examines 120572119886
= 119865(119870119886oplus119865(119865(119905
119904oplus119870119904)oplusID119878
119887)) If it holds119879
119886
will then calculate119898119886
= 119865(ID119878119886oplus 119865(119865(119905
119904oplus 119870119904) oplus ID119878
119887) oplus 119883119886)
and 120573119886
= 119865(119865(119870119886) oplus 119898
119886) and send 119898
119886 120573119886 to the reader
Then 119879119886updates 119884
119886 ID119878119886 to 119884
1015840
119886= 119865(119884
119886oplus 119903119886) ID119878
1015840
119886=
119865(1198841015840
119886oplus ID119878
119886)
Step 4 Once the reader gets 119898119886 120573119886 it verifies 120573
119886=
119865(119865(119870119886) oplus 119898
119886) If the examination passes the reader sends
120572119887 119865(119898119886oplus ID119878
119886) to 119879
119887 where 120572
119887= 119865(119870
119887oplus 119865(119898
119886oplus ID119878
119886))
Step 5 After receiving 120572119887 119865(119898119886
oplus ID119878119886) 119879119887uses its key 119884
119887
to compute 119870119887
= 119865(119865(119865(119884119887)) oplus 119903
119887) and verify 120572
119887= 119865(119870
119887oplus
119865(119898119886oplusID119878119886)) If it holds119879
119887will send 120573
119887 119898119887 to the reader in
which119898119887= 119865(ID119878
119887oplus119865(119898
119886oplusID119878119886)oplus119883119887) and 120573
119887= 119865(119865(119870
119887)oplus
119898119887) Next119879
119887updates 119884
119887 ID119878119887with 119884
1015840
119887= 119865(119884
119887oplus119903119887) ID119878
1015840
119887=
119865(1198841015840
119887oplus ID119878
119887)
Step 6 Upon receiving 120573119887 119898119887 the reader performs the
verification of 120573119887
= 119865(119865(119870119887) oplus 119898
119887) If it holds the reader
confirms the coexistence of 119879119886and 119879
119887with a valid proof
119875119886119887
= (ID119878119886 ID119878119887 119905 119898119886 119898119887)
4 Security Analyses
In this section we analyze the security of the proposedauthentication scheme for IoT based healthcare systemsWe first present the adversary model and then conduct thesecurity analysis of the proposed authentication scheme andthe coexistence proof mechanism
41 Adversary Model In the communication model weassume that a user 119880
119894intends to establish a session key
119878Key(119894119895)
with an authentication server 119878119895via the help of
the trusted third-party authority TTPA We assume that theadversary can interactwith the participants via oracle queriesThe following major queries model the capabilities of theadversary Note that Π
119894
119880is denoted as the instance 119894 of a
participant 119880
(i) Send(Π119894119880 119898) this query sends a message 119898 to an
oracle Π119894
119880and gets the corresponding result
(ii) Reveal(Π119894119880) this query returns the session key of the
oracle Π119894
119880
(iii) Corrupt(119880) this query returns the long-term secretkey of 119880
(iv) Execute(Π119894119880119860
Π119894
119880119861
) this query models passive attacksin which the adversary can obtain the messagesexchanged during the honest execution of the proto-col between two oracles Π
119894
119880119860
and Π119894
119880119861
(v) Hash(119898) the one-way hash function can be viewed
as random functions within the appropriate range in
the ideal hash model Note that if 119898 has never beenqueried before it returns a truly random number 119903
to the adversary and stores (119903 119898) in the hash tableOtherwise it returns the previously generated resultto the adversary
(vi) Test(Π119894119880) this querymodels the security of the session
key that is whether the real session key can bedistinguished from a random string or not Foranswering this question an unbiased coin 119887 is flippedby the oracle Π
119894
119880 When the adversary issues a single
Test query toΠ119894
119880 the adversary obtains either the real
session key 119878Key(119894119895)
if 119887 = 1 or a random string if119887 = 0
42 Security Analysis of the Proposed Authentication SchemeIn this subsection we present the formal analysis of ourproposed authentication scheme based on [27ndash29]
(i) AKE security (session key security) the adversarytries to guess the hidden bit 119887 involved in a Testquery via a guess 119887
1015840 We say that the adversary winsthe game of breaking the session key security of anAKE (Authenticated Key Exchange) protocol 119875 ifthe adversary issues Test queries to a fresh oracleΠ119894
119880and guesses the hidden bit 119887 successfully The
probability that the adversarywins the game is Pr[1198871015840 =119887] In brief the advantage of an adversary Eve inattacking protocol119875 can be defined as AdvAKE
119875(Eve) =
|2 times Pr[1198871015840 = 119887] minus 1| In brief 119875 is AKE-secure ifAdvAKE119875
(Eve) is negligible
In the following subsection we formally analyze thesecurity of our proposed authentication protocol Notationsand definitions are presented first and the formal securityanalysis is then demonstrated We define 119879Eve as the adver-saryrsquos total running time and 119902
119904 119902119903 119902119888 119902119890 and 119902
ℎare the
number of Send Reveal Corrupt Execute andHash queriesrespectively
(ii) Computational Diffie-Hellman (CDH) assumption let119866 = ⟨119892⟩ be a multiplicative cyclic group of order 119873and let two randomnumbers 119905 and 119896 be chosen in119885
lowast
119873
Given 119892 119892119905 and 119892119896 the adversary Eve has a negligible
success probability SuccCDH119866
(Eve) of obtaining anelement 119911 isin 119866 such that 119911 = 119892
119905119896 within polynomialtime
Theorem 1 Let Eve be an adversary against the AKEsecurity of our proposed authentication scheme within atime bound 119879
119864V119890 with less than 119902119904Send queries with the
communication entities and 119902ℎtimes Hash queries Then
119860119889V119860119870119864119875
(119864V119890 119902119904 119902ℎ) le 119902
ℎ119902119904
times 119878119906119888119888119862119863119867
119866(1198791015840
119864V119890) where 1198791015840
119864V119890denotes the computational time for 119878119906119888119888
119862119863119867
119866and 119902119904= sum5
119894=1119902119904 119894
is the sum of the number of 1198781198901198991198891 119878119890119899119889
2 119878119890119899119889
3 119878119890119899119889
4 and
1198781198901198991198895
Proof Let Eve be an adversary that is able to get an advantage120576 to break the AKE-secure protocol within time 119879Eve We can
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 7
construct a CDH attacker ATT from Eve to respond to all ofEversquos queries and deal with the CDH problem where ATT isgiven a challenge Ω = (119892
119905 119892119896) and outputs an element 119911 such
that 119911 = 119892119905119896
First when Eve issues a Send1query as a start command
ATT responds with 1198981
= ID119895 1198921198991 119860 to Eve Second
when Eve issues a Send2query ATT randomly chooses two
integers 1198881and 1198882from [1 119902
119904 2] If 119888
1= 1198882 ATT responds
with ID119895 1198921198991 119860 119892
1198992 119861 to Eve Otherwise ATT replaces the
corresponding parameters of 1198982
= ID119895 1198921198991 119860 119892
1198992 119861 with
the element119892119896 fromΩ to generate a new and randommessage1198981015840
2and then respondswith themessage119898
1015840
2to EveThird once
ATT receives the Send3query from Eve ATT answers with
the message 1198983
= 11989211989911198993 119862 119892
11989921198993 119863 as the protocol If the
input of the query is from Ω ATT generates a new message1198981015840
3and then responds with 119898
1015840
3to Eve Fourth when Eve
issues the Send4query ATT answers with 119898
4= 11989211989921198993 119863 119864
to Eve Otherwise a random string 1198981015840
4will be generated and
sent to Eve Finally ATT answers a null string via a Send5
query and then sets the protocol as being successful (or setsall conditions to true)
In the alternative when Eve issues a Reveal(Π119894119880119894
) or aReveal(Π119895
119878119895
) query ATT checks whether the oracle has beenaccepted and is fresh or not If the result is positive ATTanswers with the session key 119878Key
(119894119895)to Eve Otherwise if
the session key has been constructed from the challenge ΩATT terminates When Eve issues Corrupt(119880
119894) Corrupt(119878
119895)
Execute(Π119894119880119894
Π119895
119878119895
) Hash(119898) queries ATT answers in astraightforward way When Eve issues a Test query ATTanswers in a straightforward way Otherwise if the sessionkey has been constructed from the challengeΩ ATT answersEve with a random string with the same length as the sessionkey 119878Key
(119894119895)
The above simulation is indistinguishable from any exe-cution of the proposed protocol 119875 except for one executionwhich involves the challenge Ω The probability 120574 that ATTcorrectly guesses the session key which Eve will make a Testquery on is equal to the probability of 119888
1= 1198882 Hence we have
120574 = 1119902119904 2
ge 1119902119904
Assume that Eve issues a Test query to output 1198871015840 where
1198871015840
= 119887 This means that Eve knows the session key sothere must be at least one Hash query that returns thesession key The probability 120582 that ATT will choose the Hashquery correctly is 120582 ge 1119902
ℎ The successful probability
SuccCDH119866
(ATT) that ATT will expose 119892119896119905 from the challenge
Ω is thus SuccCDH119866
(ATT) = 120576 times 120574 times 120582 ge 120576 times (1119902119904) times (1119902
ℎ)
Finally the advantage of Eve to break the AKE security of theprotocol 119875 is derived as follows
120576 = AdvAKE119875
(Eve 119902119904 119902ℎ) le 119902ℎ119902119904times SuccCDH
119866(1198791015840
Eve) (1)
43 Security Analysis of the Proposed Coexistence SchemeIn this subsection we present the security claims of our
proposed coexistence mechanism such as data confidential-ity and the resistance to proof counterfeit attack and replayattack
Claim 1 The proposed coexistence mechanism is secureagainst proof counterfeit attack
In our proposed coexistence mechanism the timestampis generated from the backend server and is well-protectedby the serverrsquos secret key This design removes the possi-bility of creating a legitimate but fake timestamp Henceit is impossible to create a counterfeit proof involving faketimestamp for the purpose of deception In addition theproposed mechanism is based on the random one-waypermutation function 119865 which is an efficient and robustcomputation component for low-cost RF tags [26] As all thetransmitted information is involved with the function 119865 itis difficult to derive the information without knowing all thecommunication entitiesrsquo secret keys and the correspondingtimestamps Therefore the proposed scheme can guaranteeresistance to proof counterfeit attack At the same timesystem efficiency is delivered by virtue of the lightweightcomputation cost of the permutation function 119865
Claim 2 The proposed coexistence mechanism can providedata confidentiality and resist against replay attack
We assume that a malicious adversary Eve can interceptall messages communicated between RF tags 119879
119886 119879119887 and the
reader Because the adversary Eve cannot derive the privatekeys that is 119883
119894or 119884119894for the target tag 119879
119894 from messages
transmitted via the public channel the data involved in thetransmitted messages cannot be retrieved In addition theone-way property of the function 119865 serves to guarantee theunrecovery of the input data so that data confidentialitycan thus be achieved Moreover in each session of ourproposed scheme we exploit random numbers that is 119903
119886
and 119903119887 in randomizing transmitted messages In addition
the timestamp 119905119904is involved with the construction of the
verification message 119875119886119887 These random numbers and the
timestamp can not only randomize the transmitted messagesbut can ensure resistance against replay attack
5 Conclusion
In this paper we have introduced two secure communicationprotocols for IoT based healthcare systems in which a SSObased authentication scheme and a coexistence proof mech-anism are proposed The proposed authentication scheme isappropriate for use as the main protection technique for anIoT based healthcare environment consisting of various typesof sensors such as thinfat sensors sensor tags or taggeditems For IoT network services the proposed authenticationscheme can provide robust entity authentication and securedata communication In addition we further present a coex-istence proof protocol for proving multiple tagged objects(or sensors andor sensor tags) existing at the same timeand the same place The generated proofs can be utilizedin the application field of inpatient safety and medication
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 International Journal of Distributed Sensor Networks
management Based on the security analysis results we haveconducted we are confident that the feasibility of these twoproposed schemes can be guaranteed
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work was supported by the Taiwan Information SecurityCenter (TWISC) and theMinistry of Science andTechnologyTaiwan under Grants numberedMOST 103-2221-E-259-016-MY2 and MOST 103-2221-E-011-090-MY2
References
[1] S Forsstrom P Osterberg and T Kanter ldquoEvaluating ubiq-uitous sensor information sharing on the internet-of-thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1454ndash1460 June 2012
[2] S Wang ldquoInternet of things based on EPC technology and itsapplication in logisticsrdquo in Proceedings of the 2nd InternationalConference on Artificial Intelligence Management Science andElectronic Commerce (AIMSEC rsquo11) pp 3077ndash3080 August 2011
[3] A J Jara M A Zamora and A F Skarmeta ldquoKnowledgeacquisition and management architecture for mobile and per-sonal health environments based on the internet of thingsrdquoin Proceedings of the 11th IEEE International Conference onTrust Security and Privacy in Computing and Communications(TrustCom rsquo12) pp 1811ndash1818 June 2012
[4] A Zakriti and Z Guennoun ldquoService entities model for theinternet of things a bio-inspired collaborative approachrdquo inProceedings of the International Conference on MultimediaComputing and Systems (ICMCS rsquo11) pp 1ndash5 April 2011
[5] S Tozlu M Senel W Mao and A Keshavarzian ldquoWi-Fienabled sensors for internet of things a practical approachrdquoIEEE Communications Magazine vol 50 no 6 pp 134ndash1432012
[6] J Jin J Gubbi S Marusic and M Palaniswami ldquoAn informa-tion framework for creating a smart city through internet ofthingsrdquo IEEE Internet of Things Journal vol 1 no 2 pp 112ndash1212014
[7] J A Stankovic ldquoResearch directions for the internet of thingsrdquoIEEE Internet of Things Journal vol 1 no 1 pp 3ndash9 2014
[8] Y Hou M Li and J D Guttman ldquoChorus scalable in-bandtrust establishment for multiple constrained devices over theinsecure wireless channelrdquo in Proceedings of the 6th ACMConference on Security and Privacy in Wireless and MobileNetworks (WiSec rsquo13) pp 167ndash178 ACM Budapest HungaryApril 2013
[9] AUkil S Bandyopadhyay J JosephV Banahatti and S LodhaldquoNegotiation-based privacy preservation scheme in internetof things platformrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 75ndash84 August 2012
[10] I Alqassem ldquoPrivacy and security requirements framework forthe internet of things (IoT)rdquo in Proceedings of the 36th Inter-national Conference on Software Engineering (ICSE Companionrsquo14) pp 739ndash741 June 2014
[11] R Aggarwal and M L Das ldquoRFID security in the contextof internet of thingsrdquo in Proceedings of the 1st InternationalConference on Security of Internet ofThings (SecurIT rsquo12) pp 51ndash56 August 2012
[12] A B Torjusen H Abie E Paintsil D Trcek and A SkomedalldquoTowards run-time verification of adaptive security for IoTin eHealthrdquo in Proceedings of the European Conference onSoftware Architecture Workshops (ECSAW rsquo14) Article no 4ACM Vienna Austria August 2014
[13] ASSET project httpassetnrno[14] D Evans and D M Eyers ldquoEfficient data tagging for managing
privacy in the internet of thingsrdquo in Proceedings of the IEEEInternational Conference on Green Computing and Communi-cations (GreenCom rsquo12) pp 244ndash248 IEEE Besancon FranceNovember 2012
[15] A F Skarmeta J L Hernandez-Ramos and M V Moreno ldquoAdecentralized approach for security and privacy challenges inthe Internet ofThingsrdquo in Proceedings of the IEEEWorld Forumon Internet of Things (WF-IoT rsquo14) pp 67ndash72 March 2014
[16] D Chen G Chang L Jin X Ren J Li and F Li ldquoA novelsecure architecture for the Internet of thingsrdquo in Proceedingsof the 5th International Conference on Genetic and EvolutionaryComputing (ICGEC rsquo11) pp 311ndash314 IEEE Xiamen ChinaSeptember 2011
[17] Y Berhanu H Abie and M Hamdi ldquoA testbed for adaptivesecurity for IoT in eHealthrdquo in Proceedings of the InternationalWorkshop on Adaptive Security (ASPI rsquo13) article 5 September2013
[18] H Ning H Liu and L T Yang ldquoAggregated-proof basedhierarchical authentication scheme for the internet of thingsrdquoIEEE Transactions on Parallel and Distributed Systems vol 26no 3 pp 657ndash667 2015
[19] W Chen ldquoAn IBE-based security scheme on internet of thingsrdquoin Proceedings of the IEEE 2nd International Conference onCloud Computing and Intelligence Systems (CCIS rsquo12) pp 1046ndash1049 November 2012
[20] C Paar ldquoConstructive and destructive aspects of embeddedsecurity in the internet of thingsrdquo in Proceedings of the ACMSIGSAC Conference on Computer amp Communications Security(CCS rsquo13) pp 1495ndash1496 ACM Berlin Germany November2013
[21] F Li and P Xiong ldquoPractical secure communication for inte-grating wireless sensor networks into the internet of thingsrdquoIEEE Sensors Journal vol 13 no 10 pp 3677ndash3684 2013
[22] L Lan ldquoStudy on security architecture in the internet of thingsrdquoin Proceedings of the International Conference on MeasurementInformation and Control (MIC rsquo12) pp 374ndash377 IEEE HarbinChina May 2012
[23] R Hummen J H Ziegeldorf H Shafagh S Raza and KWehrle ldquoTowards viable certificate-based authentication for theInternet ofThingsrdquo in Proceedings of the 2nd ACMWorkshop onHot Topics on Wireless Network Security and Privacy (HotWiSecrsquo13) pp 37ndash41 April 2013
[24] B Kantarci and T Hussein ldquoTrustworthy sensing for publicsafety in cloud-centric internet of thingsrdquo IEEE Internet ofThings Journal vol 1 no 4 pp 360ndash368 2014
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 9
[25] P Tilanus B Ran M Faeth D Kelaidonis and V StavroulakildquoVirtual object access rights to enable multi-party use of sen-sorsrdquo in Proceedings of the IEEE 14th International Symposiumand Workshops on a World of Wireless Mobile and MultimediaNetworks (WoWMoM rsquo13) pp 1ndash7 June 2013
[26] S H Wu K F Chen and Y F Zhu ldquoA secure lightweight RFIDbinding proof protocol formedication errors and patient safetyrdquoJournal of Medical Systems vol 36 no 5 pp 2743ndash2749 2015
[27] M Bellare D Pointcheval and P Rogaway ldquoAuthenticatedkey exchange secure against dictionary attacksrdquo in Advancesin CryptologymdashEUROCRYPT 2000 vol 1807 of Lecture Notesin Computer Science pp 140ndash156 Springer Berlin Germany2000
[28] M Bellare and P Rogaway ldquoEntity authentication and key dis-tributionrdquo in Proceedings of the Annual International CryptologyConference (CRYPTOrsquo 93) vol 773 of Lecture Notes in ComputerScience pp 232ndash249 1993
[29] S Blake-Wilson D Johnson and A Menezes ldquoKey agreementprotocols and their security analysisrdquo in Crytography andCoding 6th IMA International Conference Cirencester UKDecember 17ndash19 1997 Proceedings vol 1355 of Lecture Notes inComputer Science pp 30ndash45 Springer Berlin Germany 1997
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of