Abstract
The E-healthcare system has a complex architecture, diverse business types, and sensitive data security. To meet the secure communication and access control requirements in the user–medical server, user–patient, patient–medical server, and other scenarios in the E-healthcare system, secure and efficient authenticated key agreement and access authorization scheme need to be studied. However, the existing multi-server solutions do not consider the authentication requirements of the Wireless Body Area Network (WBAN) and are not suitable for user–patient, patient–medical server scenarios; most of the existing WBAN authentication schemes are single-server type, which are difficult to meet the requirements of multi-server applications, and the study of user–patient real-time scenarios has not received due attention. This work first reveals the structural flaws and security vulnerabilities of the existing typical schemes and then proposes an authentication and access control architecture suitable for multiple scenarios of the E-healthcare system with separate management and business and designs a novel ECC-based multi-factor remote authentication and access control scheme for E-healthcare using physically unclonable function (PUF) and hash. Security analysis and efficiency analysis show that the new scheme has achieved improved functionality and higher security while maintaining low computational and communication overhead.
Similar content being viewed by others
Availability of data and material
Not applicable.
References
Abdalla M, Fouque PA, Pointcheval D (2005) Password-based authenticated key exchange in the three-party setting. In: International Workshop on Public Key Cryptography. Springer, pp 65-84. https://doi.org/10.1007/978-3-540-30580-4_6
Aghili SF, Mala H, Shojafar M, Peris-Lopez P (2019) LACO: lightweight three-factor authentication, access control and ownership transfer scheme for E-health systems in IoT. Futur Gener Comput Syst 96:410–424. https://doi.org/10.1016/j.future.2019.02.020
Alsahlani AYF, Popa A (2020) Analyzing of LAM-CIoT: lightweight authentication mechanism in cloud-based IoT environment. In: Proceedings of the 2020 IEEE Symposium Series on Computational Intelligence (SSCI), IEEE, pp 1837-1844. https://doi.org/10.1109/SSCI47803.2020.9308139
Amin R, Biswas GP (2015) Design and analysis of bilinear pairing based mutual authentication and key agreement protocol usable in multi-server environment. Wireless Pers Commun 84:439–462. https://doi.org/10.1007/s11277-015-2616-7
Amin R, Hafizul Islamb S, Biswas GP, Khurram Khan M, Kumar N (2018) A robust and anonymous patient monitoring system using wireless medical sensor networks. Futur Gener Comput Syst 80:483–495. https://doi.org/10.1016/j.future.2016.05.032
Amin R, Hafizul Islamb S, Gope P, Raymond Choo KK, Tapas N (2019) Anonymity preserving and lightweight multimedical server authentication protocol for telecare medical information system. IEEE J Biomed Health Inform 23(4):1749–1759. https://doi.org/10.1109/JBHI.2018.2870319
Armando A, Basin D, Boichut Y, et al. (2005) The AVISPA tool for the automated validation of internet security protocols and applications. In: International Conference on Computer Aided Verification, Springer, pp 281-285. https://doi.org/10.1007/11513988_27
Banerjee S, Odelu V, Das AK, Srinivas J, Kumar N, Chattopadhyay S (2019) A provably secure and lightweight anonymous user authenticated session key exchange scheme for Internet of things deployment. IEEE Internet Things J 6(5):8739–8752. https://doi.org/10.1109/JIOT.2019.2923373
Barman S, Shum Hubert PH, Chattopadhyay S, Samanta D (2019) A secure authentication protocol for multi-server-based E-healthcare using a fuzzy commitment scheme. IEEE Access 7:12557–12574. https://doi.org/10.1109/ACCESS.2019.2893185
Böhm C, Hofer M (2012) Physical unclonable functions in theory and practice. Springer, New York. https://doi.org/10.1007/978-1-4614-5040-5
Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans. Comput. Syst. 8(1):18–36. https://doi.org/10.1098/rspa.1989.0125
Canetti R, Krawczyk H (2002) Universally composable notions of key exchange and secure channels. In: International Conference on the Theory and Applications of Cryptographic Techniques(Advances in Cryptology—EUROCRYPT 2002), Springer, Berlin/Heidelberg, 2332, pp 337–351. https://doi.org/10.1007/3-540-46035-7_22
Chatterjee S, Roy S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV (2016) Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment. IEEE Trans Dependable Secure Comput 15(5):824–839. https://doi.org/10.1109/TDSC.2016.2616876
Chaudhry SA, Irshad A, Yahya K, Kumar N, Alazab M, Zikria YB (2021) Rotating behind privacy: an improved lightweight authentication scheme for cloud-based IoT environment. ACM Trans Internet Technol 21(3):1–19. https://doi.org/10.1145/3425707
Chuang MC, Chen MC (2014) An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst Appl 41(4):1411–1418. https://doi.org/10.1016/j.eswa.2013.08.040
Das AK, Wazid M, Yannam AR, Rodrigues JJPC, Park Y (2019) Provably secure ECC-based device access control and key agreement protocol for IoT environment. IEEE Access 7:55382–55397. https://doi.org/10.1109/ACCESS.2019.2912998
Dharminder D, Mishra D, Li X (2020) Construction of RSA-based authentication scheme in authorized access to healthcare services. J Med Syst 44:6. https://doi.org/10.1007/s10916-019-1471-6
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208. https://doi.org/10.1109/TIT.1983.1056650
Feng Q, He D, Zeadally S, Wang H (2018) Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment. Futur Gener Comput Syst 84:239–251. https://doi.org/10.1016/j.future.2017.07.040
Fu X, Nie X, Li F, Wu T (2018) Large universe attribute based access control with efficient decryption in cloud storage system. J Syst Softw 135:157–164. https://doi.org/10.1016/j.jss.2017.10.020
He D (2011) Security flaws in a biometrics-based multi-server authentication with key agreement scheme. Cryptology ePrint Archive, Report 2011/365, https://eprint.iacr.org/2011/365.pdf. Accessed 26 Apr 2020
He D, Wang D (2015) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823. https://doi.org/10.1109/JSYST.2014.2301517
He D, Kumar N, Chen J, Lee C, Chilamkurti N, Yeo S (2015) Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimedia Syst 21(1):49–60. https://doi.org/10.1007/s00530-013-0346-9
Kirsal Ever Y (2018) Secure-anonymous user authentication scheme for E-healthcare application using wireless medical sensor networks. IEEE Syst J 13(1):456–467. https://doi.org/10.1109/JSYST.2018.2866067
Koblitz N (1987) Elliptic curve cryptosystems. Math Comput 48(177):203–209. https://doi.org/10.2307/2007884
Kumari S, Om H (2017) Cryptanalysis and improvement of an anonymous multi-server authenticated key agreement scheme. Wireless Pers Commun 96:2513–2537. https://doi.org/10.1007/s11277-017-4310-4
Kumari S, Li X, Wu F, Das A, Choo K, Shen J (2017) Design of a provably secure biometrics-based multi-cloud-server authentication scheme. Futur Gener Comput Syst 68:320–330. https://doi.org/10.1016/j.future.2016.10.004
Kumari A, Jangirala S, Abbasi M, Kumar V, Alam M (2020) ESEAP: ECC based secure and efficient mutual authentication protocol using smart card. J Inform Sec Appl 51:102443. https://doi.org/10.1016/j.jisa.2019.102443
Luo H, Zhang Q, Xu G (2021) Privacy-preserving ECC-based three-factor authentication protocol for smart remote vehicle control system. In: Chen B, Huang X (eds) Applied cryptography in computer and communications. AC3 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 386. Springer, Cham. https://doi.org/10.1007/978-3-030-80851-8_5
Lwamo NMR, Zhu L, Xu C, Sharif K, Liu X, Zhang C (2019) SUAA: a secure user authentication scheme with anonymity for the single and multi-server environments. Inf Sci 447:369–385. https://doi.org/10.1016/j.ins.2018.10.037
MIRACL Crypto SDK, MIRACL (2021) https://github.com/miracl/MIRACL
Nikravan M, Reza AA (2020) Multi-factor user authentication and key agreement protocol based on bilinear pairing for the Internet of things. Wireless Pers Commun 111:463–494. https://doi.org/10.1007/s11277-019-06869-y
Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966. https://doi.org/10.1109/TIFS.2015.2439964
Qi M, Chen J, Chen Y (2018) A secure biometrics-based authentication key exchange protocol for multi-server TMIS using ECC. Comput Methods Programs Biomed 164:101–109. https://doi.org/10.1016/j.cmpb.2018.07.008
Roy S, Chatterjee S, Das AK, Chattopadhyay S, Kumari S, Jo M (2018) Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing Internet of things. IEEE Internet Things J 5(4):2884–2895. https://doi.org/10.1109/JIOT.2017.2714179
Roy S, Das AK, Chatterjee S, Kumar N, Chattopadhyay S, Rodrigues Joel JPC (2019) Provably secure fine-grained data access control over multiple cloud servers in mobile cloud computing based healthcare applications. IEEE Trans Ind Inf 5(1):457–468. https://doi.org/10.1109/TII.2018.2824815
Shuai M, Liu B, Yu N, Xiong L, Wang C (2020) Efficient and privacy-preserving authentication scheme for wireless body area networks. J Inform Sec Appl 52:102499. https://doi.org/10.1016/j.jisa.2020.102499
Simoens K, Bringer J, Chabanne H, Seys S (2012) A framework for analyzing template security and privacy in biometric authentication systems. IEEE Trans Inf Forensics Secur 7(2):833–841. https://doi.org/10.1109/TIFS.2012.2184092
Wang C, Wang D, Tu Y, Xu G, Wang H (2020) Understanding node capture attacks in user authentication schemes for wireless sensor networks. IEEE Trans Depend Sec Comput. https://doi.org/10.1109/TDSC.2020.2974220
Wang D, Zhang X, Zhang Z, Wang P (2020) Understanding security failures of multi-factor authentication schemes for multi-server environments. Comput Sec 88:101619. https://doi.org/10.1016/j.cose.2019.101619
Wang D, Zhang Z, Wang P, Yan J, Huang X (2016) Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security(CCS’16), ACM, 1242–1254. https://doi.org/10.1145/2976749.2978339
Wazid M, Das Ashok K, Vasilakos Athanasios V (2018) Authenticated key management protocol for cloud-assisted body area sensor networks. J Netw Comput Appl 123:112–126. https://doi.org/10.1016/j.jnca.2018.09.008
Wazid M, Das AK, Bhat V, Vasilakos AV (2020) LAM-CIoT: lightweight authentication mechanism in cloud-based IoT environment. J Netw Comput Appl 150:102496. https://doi.org/10.1016/j.jnca.2019.102496
Yang D, Yang B (2010) A biometric password-based multi-server authentication scheme with smart card. In: Proceedings of the 2010 international conference on computer design and applications, IEEE, NY, pp 554–559. https://doi.org/10.1109/ICCDA.2010.5541128
Yao H, Fu X, Wang C, Meng C,Hai B, Zhu S (2019a) Cryptanalysis and improvement of a remote anonymous authentication protocol for mobile multi-server environments. In: Proceedings of the 2019 IEEE fourth international conference on data science in cyberspac. IEEE, NY, pp 19222220. https://doi.org/10.1109/DSC.2019.00015
Yao H, Wang C, Fu X, Liu C, Wu B, Li F (2019) A privacy-preserving RLWE-based remote biometric authentication scheme for single and multi-server environments. IEEE Access 7:109597–109611. https://doi.org/10.1109/ACCESS.2019.2933576
Yao H, Wang C, Fu X, Liu C, Wu B, Li F (2020) Impersonation attacks on lightweight anonymous authenticated key exchange scheme for IoT. Cryptology ePrint Archive, Report 2020/143, https://eprint.iacr.org/2020/143.pdf. Accessed 26 Apr. 2020
Yoon EJ, Yoo KY (2013) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63:235–255. https://doi.org/10.1007/s11227-010-0512-1
Zhang L, Zhang Y, Tang S, Luo H (2018) Privacy protection for E-health systems by means of dynamic authentication and three-factor key agreement. IEEE Trans Industr Electron 65(3):2795–2805. https://doi.org/10.1109/TIE.2017.2739683
Acknowledgements
This work was funded by the National Natural Science Foundation of China No. 61976142; the Zhejiang Province Natural Science Foundation of China under Grant No. LY19F020045. The authors gratefully acknowledge the anonymous reviewers for their valuable comments.
Funding
This work was funded by the National Natural Science Foundation of China No. 61976142; the Zhejiang Province Natural Science Foundation of China under Grant No. LY19F020045; and the Smart City Construction Plan of Anning District, Lanzhou City (2021-2035).
Author information
Authors and Affiliations
Contributions
Qiao Yan contributed to supervision; Hailong Yao was involved in conceptualization, methodology, and writing—original draft preparation; Xingbing Fu contributed to writing—reviewing and editing; and Zhibin Zhang and Caihui Lan provided software.
Corresponding author
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Code availability
The code that supports the findings of this study is available from the corresponding author upon reasonable request.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Yao, H., Yan, Q., Fu, X. et al. ECC-based lightweight authentication and access control scheme for IoT E-healthcare. Soft Comput 26, 4441–4461 (2022). https://doi.org/10.1007/s00500-021-06512-8
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00500-021-06512-8