
Journal of King Saud University - Computer and Information Sciences (2013) xxx, xxx-xxx


A novel and efficient user access control scheme for wireless body area sensor networks

Santanu Chatterjee a, Ashok Kumar Das b,*, Jamuna Kanta Sing c

a Research Center Imarat, Defence Research and Development Organization, Hyderabad 500 069, India
b Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
c Department of Computer Science and Engineering, Jadavpur University, Kolkata 700 032, India

Received 20 February 2013; revised 13 August 2013; accepted 12 October 2013

KEYWORDS

Wireless body area sensor networks;

User access control;

Authentication;

Security;

AVISPA

Abstract Wireless body area networks (WBANs) can be applied to provide healthcare and patient monitoring. However, patient privacy can be vulnerable in a WBAN unless security is considered. Access to authorized users for the correct information and resources for different services can be provided with the help of efficient user access control mechanisms. This paper proposes a new user access control scheme for a WBAN. The proposed scheme makes use of a group-based user access ID, an access privilege mask, and a password. An elliptic curve cryptography-based public key cryptosystem is used to ensure that a particular legitimate user can only access the information for which he/she is authorized. We show that our scheme performs better than previously existing user access control schemes. Through a security analysis, we show that our scheme is secure against possible known attacks. Furthermore, through a formal security verification using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is also secure against passive and active attacks.

© 2013 King Saud University. Production and hosting by Elsevier B.V. All rights reserved.

1. Introduction

* Corresponding author. Tel.: +91 40 6653 1506; fax: +91 40 6653 1413.

E-mail addresses: santanu@rcilab.in (S. Chatterjee), iitkgp.akdas@g-mail.com, ashok.das@iiit.ac.in (A.K. Das), jksing@ieee.org (J.K. Sing).

Peer review under responsibility of King Saud University.


In a wireless body area sensor network (WBAN), miniature low-power sensor nodes are placed around a patient's body for monitoring their body functions and the neighboring environment (Ghasemzadeh and Jafari, 2011; Liang et al., 2012; Otto et al., 2006; Zois et al., 2012). With the help of a WBAN, a patient's health related information, including their temperature, respiration, heart rate, pulse oximeter, blood pressure, blood sugar, and pH can be remotely monitored (Ameen et al., 2012). To achieve the maximum benefit, this information must be continuously processed in real time. The medical information must be shared and accessed by various levels of users such as healthcare staff, researchers, government agencies, and insurance companies to make important decisions such as clinical diagnoses and emergency medical responses for the patients (Li et al., 2010).

1319-1578 © 2013 King Saud University. Production and hosting by Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/jjksuci.2013.10.007

The bio-sensors are placed on a patient's body to transmit sensing data through a secure channel to a small body area network gateway. The gateway then locally processes the data and resends it through a secure channel to the external network router and then onto the medical server at the hospital. The results are then observed and analyzed by the medical staff/doctors charged with monitoring patients. A typical example of a WBAN is shown in Fig. 1 (Li et al., 2010). In this scenario, a patient wears various bio-sensors. A centralized control device is used to transmit data in and out of the network. This control device can also be used as a gateway between the internal network and the base station. The base station is connected with the external network.

The communication of health related information between sensors on a patient's body in a WBAN over the Internet to medical servers must be strictly private and confidential (Alemdar and Ersoy, 2010; Kwak et al., 2009; Seyedi et al., 2013; Singelee et al., 2008; Venkatasubramanian et al., 2010). Authenticated medical data transmissions are essential requirements for a WBAN because false or unauthenticated medical information may lead to incorrect treatments or diagnoses for patients. Therefore, the transmitted information must be encrypted to protect patient privacy. In addition, the medical staff of the hospital that collects the data must be confident that the data are unaltered and indeed originate from the specified patient. The major challenges in a WBAN are security, robustness, and scalability. The size and resource constraints of the bio-sensors also play a crucial role in the success and reliability of a WBAN (Singelee et al., 2008). Health care staff can directly access data from the body area network of a patient after successful authentication. A survey on wireless body area networks can be found in Klaoudatou et al. (2011), Latre et al. (2011) and Otto et al. (2006). Scalability, in terms of number of sensors and patients, is an important factor in this type of network. User access control is an essential requirement in providing security and data privacy for a WBAN.

User access control is critical to the successful operation and extensive adoption of wireless body area network services. The security framework for a WBAN should consist of user authentication (identity verification), user authorization (access provided to user) and user accountability (monitoring activity and controlling access) to control user access and prevent different types of attacks. User access control can identify and impose different access privileges for different types of users. In a typical WBAN, different doctors, health care staff, and medical insurance company agents are the major users, but access to all medical information of a particular patient may not be required for all types of users. For example, a concerned doctor can retrieve his/her patient's data but no other patient information.

This paper considers a WBAN where sensor nodes are sufficiently small and efficient to ensure long battery life. The electronics of a WBAN sensor node are designed to detect and transmit low frequency and low amplitude physiological signals. The sensor node hardware requires a wireless link (AM152100 IC) from an AMI semiconductor used for MICS band generation. Ameen et al. (2012) compared a medical WBAN and a general WSN, clearly mentioning that both general WSNs and medical WBANs have limited resources in battery, computation, and memory while both exhibited dynamic network scale, heterogeneous device ability, and dense distribution. WBAN sensors are single-function, safe, costly and quality devices, and WSN sensors are multi-functional, low cost, redundancy-based reliable devices. In general, a WBAN follows a small-scale star network where there is no device redundancy in the deterministic node distribution; the traffic is periodical and unidirectional, and each channel should be a specific medical channel. However, a general WSN typically has a large scale hierarchical network where redundant and random node distributions are followed. The traffic may be unidirectional or bidirectional, and it generally follows point-to-point communications where obstacles are unknown.

Figure 1 A general three-tier architecture of WBAN (Li et al., 2010).

1.1. Motivation

Our scheme is motivated by the following considerations. In a WBAN, external parties (users) who are authorized to access data should get access as and when they demand it. In order to allow authorized users on-demand access to the real-time data from the sensor nodes inside the WBAN, user access control is needed before they are allowed to access the real-time data for which they are permitted. In healthcare applications, monitoring a patient's condition by expert doctors is essential. Thus, real-time data sensed by the sensors on a patient's body can be monitored directly by an authorized external user (a doctor in that hospital) as and when demanded. Based on the critical or emergency situation of the patient, the doctor can take the necessary action by instructing the nurses/medical staff in the hospital. Hence, before access to the sensitive and private real-time data of the patients is allowed, the external user (doctor) must be authenticated for a particular access privilege by the base station (medical server) as well as by the sensor node in the network. Considering these points, user access control in WBANs for healthcare applications has become a prominent research field.

1.2. Threat model

Based on Das ML (2009), we apply the Dolev-Yao threat model (Dolev and Yao, 1983) to our scheme, in which two parties (nodes) communicate over an insecure channel. We adopt a similar threat model where the channel is insecure and the end points (sensor nodes) cannot generally be trusted. Finally, we assume that an attacker can eavesdrop on all traffic, inject packets and replay previously delivered messages. The base station (medical server) in our scheme is assumed to be trustworthy and impervious to attack. Due to cost constraints, the sensors are not equipped with tamper-resistant hardware; if an attacker compromises any sensor on a patient's body, he/she can extract all cryptographic information, including the key materials, data and code stored on that node. Similar to Das et al. (2012b), we assume that compromised (captured) nodes can be detected and that the base station (medical server), users, and sensor nodes know the IDs of the compromised nodes. As a result, the base station (medical server) alerts the users to the compromised sensor nodes in the network.

1.3. Our contributions

This paper proposes a new password and group-based user access control scheme in wireless body area networks for health care applications. Our scheme has the following important properties:

• It provides password and group-based user authentication depending on the access rights provided for the genuine users in WBANs.

• It provides better security compared with the other related user access control schemes because it supports mutual authentication between the user and the base station and sensor node, resists denial-of-service, privileged-insider, smart card breach and man-in-the-middle attacks.

• It supports dynamic node additions after the initial deployment of nodes in the network. It also supports new node deployment for new patients and does not require updated information from the user's smart card.

• It supports a local change to the user's password without help from the base station (medical server).

• It establishes a secret session key between the user and a sensor node so that the same key can be used for future secret communication of real-time data inside the WBAN.

• Through formal security verification using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is also secure against passive and active attacks such as replay and man-in-the-middle attacks.

1.4. Organization of the paper

The rest of this paper is organized as follows. In Section 2, we review the existing related works on user access control in WSN as well as works on security in wireless body area networks. In Section 3, we propose a novel ECC-based user access control scheme in WBANs for healthcare and patient monitoring applications. In Section 4, we analyze the functionality and security properties of our proposed scheme through the informal and formal security analysis. In Section 5, we simulate our proposed scheme using the widely-accepted AVISPA tool. We show that our scheme is secure against passive and active attacks. In Section 6, we compare the performance of our scheme with other related schemes. We conclude the paper in Section 7.

2. Related work

This section briefly discusses the existing related user access control schemes that are currently proposed in resource-constrained wireless sensor networks.

We use elliptic curve cryptography (ECC) for our proposed user access control scheme for a wireless body area network. RSA (Rivest et al., 1978) may also be used to authenticate external users, and Diffie and Hellman (1976) over the DLP (discrete logarithm problem) may be used to establish shared keys between external users and sensor nodes in the network. However, the evaluation of a 1024-bit modular exponentiation for the DLP of the form 2^x (where x is at least 160 bits) requires more than 50 s (Malan et al., 2004; Watro et al., 2004) on both MICA1 and MICA2 motes (Atmel Corporation, 2010). In Gura et al. (2004), Gura et al. implemented ECC and RSA in assembly language on the Atmel ATmega 128 processor (Atmel Corporation, 2010), and they showed in their implementation that a 160-bit point multiplication of ECC required 0.81 s, whereas 1024-bit RSA public and private key operations required 0.43 s and 10.99 s, respectively. Compared with RSA, ECC can achieve the same level of security with a smaller key size. For example, a 160-bit ECC provides comparable security to a 1024-bit RSA and a 224-bit ECC provides comparable security to a 2048-bit RSA (Rivest et al., 1992). It was noted in Carman et al. (2000) that the transmission energy consumption rates in wireless sensor networks are over three orders of magnitude greater than the energy consumption rates for computing. Therefore, the packet size and the number of packets in the transmission play a crucial performance role in designing an access control protocol in sensor networks. If a node is preloaded with the certificate by the base station, then verifying the RSA signature in the certificate takes less time than the ECC signature verification in the certificate because the signature will be generated offline by the base station prior to the deployment of sensor nodes in the target field. However, compared with a 1024-bit RSA signature (Rivest et al., 1978), an ECC-based signature (Johnson and Menezes, 1999; Liao and Shen, 2006) in the certificate will only require a 320-bit signature when a 160-bit ECC is used in the proposed scheme. This motivates us to use ECC instead of RSA in our proposed access control scheme so that we can achieve greater energy and bandwidth savings. Our scheme uses symmetric key cryptographic techniques along with ECC to achieve communication and computational efficiency.

Wireless body area networks (WBANs) are envisioned to provide health care and patient monitoring applications in the near future. This paper addresses the importance of secure patient data acquisition for different types of users. The proposed authentication scheme consists of multiple phases that involve the users, the medical server (base station) and the sensors. The users' access is controlled through the use of binary mask value assigned to each user during the registration phase. Exchanged messages among parties are encrypted and signed using elliptic curve cryptography (ECC). The simulation of the proposed solution has been conducted through the use of the widely accepted AVISPA tool to evaluate the method against various known attack scenarios. The formal and informal security analyses show the protocol's resilience to known security attacks.

Wang et al. (2008) split the access control process into a local authentication conducted by a group of sensors physically close to a user and a remote authentication based on the endorsement of the local sensors. They implemented the access control protocol on a test bed of TelosB motes (Atmel Corporation, 2010). Based on ECC, they provided the local authentication. By using certificate-based authentication, the user access was verified by the sensor nodes.

He et al. (2011) proposed a distributed privacy preserving access control scheme for WSNs. They identified the characteristics of a single-owner multi-user sensor network and the requirements of a distributed privacy preserving access control. Their scheme was based on a ring signature technique. The user initially registers with a network owner. The network owner then divides all users into groups. The same group has the same access privilege. The network owner maintains a group access list pool that contains the identity and other information of each group, and access control is provided based on the group.

Wen et al. (2011) proposed a user access control scheme for a wireless multimedia sensor network. In this scheme, an authorized user can access the real time multimedia data. Their proposed scheme used Chinese Remainder Theorem-based group rekeying.

Li et al. (2010) discussed various practical issues required to fulfill the security and privacy requirements in WBANs. They explored the relevant security solutions in sensor networks and WBANs while analyzing various applications. They proposed an attribute-based encryption for achieving fine-grained access control. This is a one-to-many encryption method where the cipher text is only readable by a group of users that satisfy a certain access policy.

Mahmud and Morogan (2012) proposed an identity-based user authentication and access control protocol based on an identity-based signature (IBS) scheme. They used an ECC-based digital signature algorithm (DSA) for signing and verifying a message. At initialization, sensor nodes and users were registered to a base station and group identity and user access rights were also provided by the base station. User revocation was implemented through the expiration of user access time as assigned by the base station at the time of registration. The authenticated user was not allowed to gain access without the proper access rights. Though their scheme was secure against node capture and denial-of-service (DoS) attacks, the password change process was not supported. For new user additions, the base station needed to rebroadcast user parameters such as user ID, group ID and system timestamp, thus incurring more communication overhead in the network.

Wang et al. (2006) proposed an ECC-based user access control scheme. In this scheme, the user must register with the key distribution center (KDC) for access permission prior to authentication. The KDC maintains a user access list pool with the respective user's access privilege. This access privilege consists of user ID, group ID and a user access privilege mask; multiple users within the same group should have the same access privilege. Based on elliptic curve cryptography, the KDC generates the public key, the private key of the user and the access list certificate, based on the user's request. The user requests the sensor node by sending the certificate; the sensor node then selects one random number as a session key. In this scheme, the user authenticates a sensor node and a sensor node also authenticates the user; mutual authentication is thus provided between the user and the sensor node.

Le et al. (2009) proposed an energy-efficient access control scheme based on ECC that improved on Wang et al. (2006). Their scheme was a public key cryptography based access control scheme where the user must accept access permissions from a key distribution center (KDC). The KDC maintains an access control list (ACL) pool and associated user identifications. The user's access privileges are defined in the ACL based on the user's access privilege mask. The public keys between the KDC and the sensor nodes are mutually exchanged during the pre-deployment phase. After registration, the user gains a public and private key. One signed certificate of the access control list is also issued by the KDC and sent to the user. The user must then be authenticated by the sensor node for future communications.

3. The proposed scheme

In a wireless sensor network that controls user access, a genuine user gains permission to access the network. However, in real life WBAN scenarios, all users should not have the same network access privileges. A particular user should only be able to access required information. To provide controlled user access for WBANs, we propose a new access control scheme utilizing an access list composed of a user identity, a user access privilege mask and an access group ID Gid for each user. Gid represents a unique number to identify a particular access group. Each access group can access data according to the privileges given to that particular group. A user access privilege mask is a binary number where each bit represents specific information or services that can be accessed by an authenticated user. A sensor node stores and processes information, sending partially processed information to the next level. An authenticated user with a lower level of privilege is not allowed to access higher privilege information (Wang et al., 2008). An example of a user access list is shown in Fig. 2.

Figure 2 An example of a user access list: User Id 685243, Group Id 25134, User Access Privilege mask 01:05:E4:27:F3:A7.
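The access list entry of Fig. 2 and the privilege-mask rule above, as an added example that is not part of the paper: the entry is parsed into its three fields, and a request for a set of services is permitted only when every requested bit is set in the user's mask (so a lower-privilege user cannot reach higher-privilege information). Which bit stands for which service is not fixed by the paper; the assignment in SERVICE_BIT is an assumption made for illustration.

```python
# Assumed bit assignment for illustration only; the paper says each bit of the
# access privilege mask stands for one piece of information or service, no more.
SERVICE_BIT = {
    "temperature": 0,
    "heart_rate": 1,
    "blood_pressure": 3,
    "full_history": 20,
    "insurance_records": 36,
}


def parse_access_list_entry(entry: str):
    """Parse a Fig. 2 style entry 'user id : group id : hh:hh:...' into (uid, gid, mask)."""
    fields = [f.strip() for f in entry.split(" : ")]
    if len(fields) != 3:
        raise ValueError("expected 'user id : group id : access privilege mask'")
    uid, gid, mask_hex = fields
    # "01:05:E4:27:F3:A7" is the mask written as colon-separated hex bytes
    mask = int(mask_hex.replace(":", ""), 16)
    return int(uid), int(gid), mask


def has_privilege(apm: int, service: str) -> bool:
    """True if the bit assigned to `service` is set in the access privilege mask."""
    return bool((apm >> SERVICE_BIT[service]) & 1)


def request_permitted(apm: int, requested: int) -> bool:
    """A request (itself a mask of service bits) is allowed only if it is a subset of APM."""
    return (requested & ~apm) == 0


def services_of(apm: int):
    """List the (assumed) services a mask grants, for display or audit logging."""
    return sorted(name for name in SERVICE_BIT if has_privilege(apm, name))
```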

3.1. Notations

We use the notations given in Table 1 to describe our proposed scheme. The public key of the base station is K_BS = xG, where xG = G + G + ... + G (x times) is called elliptic curve scalar multiplication in an elliptic curve E_p(a, b), which is the set of all points of y^2 = x^3 + ax + b (mod p) such that a, b ∈ Z_p = {0, 1, 2, ..., p − 1} are constants with 4a^3 + 27b^2 ≠ 0 (mod p). If nG = O, where O is the point at infinity or zero point, then n is called the order of the base point G in E_p(a, b) (Koblitz, 1987). Here x is the private key of the base station. An example of a one-way hash function is SHA-1 (Secure Hash Standard, 1995), which has the above desired properties (i) to (vi). However, the National Institute of Standards and Technology (NIST) does not recommend SHA-1 for top secret documents. Further, in 2011, Manuel showed collision attacks on SHA-1 (Manuel, 2011). As in Das (2012, 2013), one can also use the recently proposed one-way hash function Quark (Aumasson et al., 2010). Quark is a family of cryptographic hash functions designed for extremely resource-constrained environments like sensor networks and radio-frequency identification (RFID) tags. Like most one-way hash functions, Quark can be used as a pseudo-random function (PRF), a message authentication code (MAC), a pseudo-random number generator (PRNG), a key derivation function, etc. Quark is shown to be a much more efficient hash function than SHA-1. However, in this paper, as in Das et al. (2013), we use SHA-2 as the secure one-way hash function in order to achieve top security. We may use only 160 bits from the hash digest output of SHA-2.

3.2. Different phases

This section discusses our proposed user access control scheme. Our scheme consists of the following phases: pre-deployment, post-deployment, registration, login, authentication, password change and dynamic node addition. These phases are described in the following subsections.

3.2.1. Pre-deployment phase

This phase is used to preload the keying materials to all sensor nodes prior to their deployment. It is performed offline by the (key) setup server. The setup server in our scheme is the base station (the medical server). This phase is implemented offline by the base station prior to the deployment of sensor nodes on a patient's body (target field). The pre-deployment phase consists of the following steps:

Step P1: The base station selects a set of network parameters as follows: a finite field GF(p), where p is a large odd prime of at least 160 bits; an elliptic curve E_p(a, b), that is, the set of all points of y^2 = x^3 + ax + b (mod p) such that a, b ∈ Z_p = {0, 1, 2, ..., p − 1} are constants with 4a^3 + 27b^2 ≠ 0 (mod p); and a base point G in E_p(a, b) whose order is n, where n is at least 160 bits such that n > 4√p. The base station first selects a random number as its own private key x ∈ Z_n^*, where Z_n^* = {1, 2, ..., n − 1}. The base station then computes its public key K_BS = xG. Depending on the probable user queries, the base station prepares the group-based user access privilege mask (APM) and an access list consisting of the access privilege mask and the respective access group identity Gid. For each deployed sensor node SN_i, the base station assigns a unique identifier SN_i. The base station also assigns a unique randomly generated master key MK_SNi for each deployed sensor node SN_i, which is shared only with the base station. The base station computes x_i G = (x_i, y_i) for each sensor node SN_i, where x_i is the private key of sensor node SN_i, which is known to the BS. The base station then computes the secret key K_i = x_i (mod p) for each sensor node SN_i. For security, p is considered to be a 160-bit number for ECC. Note that K_i is also a 160-bit number. However, to use K_i as the secret key for symmetric key encryption (for example, the Advanced Encryption Standard (AES) (Advanced Encryption Standard, 2001)), we can use only 128 bits from the 160 bits of K_i.

Step P2: Once the set of network parameters is selected, the base station (BS) loads the following information into the memory of each sensor node SN_i offline, prior to its deployment: (i) a unique node identifier SN_i; (ii) the elliptic curve E_p(a, b); (iii) the base point G; (iv) the secret key K_i with x; (v) the base station's public key K_BS; (vi) a secure one-way hash function H(·); and (vii) its own master key MK_SNi.

Table 1 Notations used in the proposed scheme.

Symbol      Description
SN_i        Identifier of sensor node i
U_j         jth user
BS          Base station
PW_j        Password of user U_j
Gid_j       Group id of user U_j
APM_j       Access privilege mask of user U_j
x           Private key of base station
K_BS        Public key of base station
MK_SNi      Master key of sensor node SN_i
RM_Uj       Random number for user U_j
K_i         Secret key of node SN_i shared with BS
H(·)        Secure one-way collision-resistant hash function
T_i         Bootstrapping time for node SN_i
A||B        Data A concatenated with data B
E_K(M)      Symmetric encryption of M using the key K
D_K(M)      Symmetric decryption of M using the key K
X → Y: M    Entity X sends message M to entity Y

3.2.2. Post-deployment phase

This phase helps the sensor nodes and the base station to establish secure connections between them. As soon as sensor nodes are deployed, their first task is to locate physical neighbors within their communication ranges. For secure communication between sensor nodes, the nodes must establish pairwise secret keys between them. Because the major focus in this paper is addressing the user access control problem, we assume that nodes in a WBAN can establish secret keys by using existing key establishment schemes. For example, we can use an unconditionally secure key establishment scheme (Das AK, 2009) for pairwise key establishment between nodes in each cluster. Because our primary focus is on how authorized users belonging to different groups (doctors, nurses, medical insurance team, patient parties, etc.) can access the real-time data for monitoring a patient's condition from the sensors inside the WBAN, we require secure communication between the sensor nodes and the authorized users.

Once deployed, each sensor node SN_i sends a message with its node identity SN_i, bootstrapping time T_i, and encrypted information containing K_i, SN_i and T_i to the base station:

SN_i → BS: {SN_i, T_i, E_MKSNi(K_i, SN_i, T_i)}

After receiving the message from the sensor node SN_i, the BS decrypts E_MKSNi(K_i, SN_i, T_i) with the master key MK_SNi of SN_i, and then checks the validity of the received information K_i, SN_i, and T_i. Note that T_i is the bootstrapping time of the sensor node SN_i. The BS further checks whether |T_i − T_i*| < ΔT_i, where T_i* is the current system timestamp of the BS and ΔT_i is the expected time interval for the transmission delay. If the check holds, the BS stores K_i and T_i for the sensor node SN_i.

3.2.3. Registration phase

In the registration phase, a user Uj must register with the base station to access the real-time data from a specific sensor node in a WBAN. This phase consists of the following steps:

Step R1: The user selects his/her identity U_j, a password PW_j, his/her access group ID Gid_j (depending on his/her access privilege), and a random number RM_Uj. U_j also generates another secret random value N_j that is kept secret by U_j only.

U_j then computes the masked password RPW_j = H(N_j || PW_j) and sends the message {U_j, RPW_j, Gid_j, RM_Uj} to the BS through a secure channel.

Step R2: After receiving the information, the BS calculates the secret shared hash value RU_j = H(RPW_j || Gid_j || RM_Uj) for user U_j.

Step R3: The BS finally generates a tamper-proof smart card for user U_j with the following parameters and sends the smart card to U_j through a secure channel:

BS → U_j: ⟨SmartCard(U_j, RM_Uj, H(·), RPW_j, Gid_j, RU_j)⟩

The BS stores RU_j, Gid_j and APM_j for user U_j. This registration phase is summarized in Table 2.

3.2.4. Login phase

This phase allows users to login to the system to access realtime data from a specified sensor node in a WBAN. The user Uj must perform the following steps:

Step L1: At login, the user Uj inserts his/her smart card into the card reader of a specific terminal and inputs his/her user ID Uj, secret value Nj and password PWj, as well as his/her access group ID Gidj. The smart card then computes the masked password RPW — H{Nj \\PWj) and the hash value

RVj — H^RPW^G^WRM^ for user U, using the stored values of Gidj, RMUj in the smart card. The smart card checks whether RUj — RUj. If this verification does not hold, Uj has entered his/her password incorrectly and the phase terminates immediately. Otherwise, the smart card computes the hash value H (RU]t\T1) by using the timestamp T1 of the system and then sends the following message to the BS:

Uj ! BS :< Uj, H{Ruj\\Ti), Ti >

Step L2: After receiving the message in Step L1, the BS checks whether the condition \T1 — T*\ < AT1 is valid, where T1 is the timestamp of the user's system, TJ is the current time-stamp of the BS and A T1 is the expected time interval for the transmission delay. If it is valid, the BS computes the hash value H(RU]t\T1) using the received timestamp T1 and the previously computed value of RUj by the BS. The BS then compares this computed hash value with the received hash value H(RUj iT1) in the message. If they match, the BS computes the secret parameter Sj = x + x,RU] (mod p) and the hash value KVj = H(SNj|\ Uj\KBS\\Ki) for all sensor nodes SN,, i = 1, 2,..., n, and user Uj. The BS then computes Zj = KBS + KiRU]

Table 2 The registration phase of our Proposed Scheme.

User (£/,) BS

Selects Uj and PW^Nj,

Gidj and RMU].

Computes RPWj = H(Nj || PWj).

{Uj ,RPWj yGjj. ,RMUj ) ^

Computes^ = H(RPWj\\Gidj\\RMUj).

^ SmartCard (Uj ,RMUj ,H(-),RPWj,Gid .,/{„.)

(modp). The BS further computes the shared secret symmetric key U Kj = H(Ruj HU^IT) with the user Uj and sends the following message to the user Uj.

$BS \rightarrow U_j$: $\langle E_{UK_j}(SN_i, S_j, Z_j, K_{U_j}), T_1, T_2 \rangle$

Step L3: After receiving the message of Step L2 from the BS, user $U_j$ verifies whether $|T_2 - T_2^*| < \Delta T_2$ holds, where $T_2$ is the timestamp of the BS, $T_2^*$ is the current timestamp of the user's system and $\Delta T_2$ is the expected time interval for the transmission delay. $U_j$ also checks that the received $T_1$ equals the $T_1$ it sent in Step L1. If both checks pass, $U_j$ computes the symmetric key $UK_j = H(R_{U_j} \| U_j \| T_1 \| T_2)$ shared with the BS from the received $T_1$ and $T_2$, decrypts $E_{UK_j}(SN_i, S_j, Z_j, K_{U_j})$ to retrieve $S_j$, $Z_j$ and $K_{U_j}$, and stores these values for the authentication phase with the sensor node $SN_i$.

Step L4: The BS computes two encrypted messages, $E_{MK_{S_i}}(SN_i, U_j, (APM_j \oplus G_{id_j}), R_{U_j}, T_1, T_2)$ using the master key $MK_{S_i}$ of the sensor node $SN_i$, and $E_{K_i}(SN_i, U_j, G_{id_j}, T_1)$ using the key $K_i$. The BS sends the following message to the sensor node $SN_i$:

$BS \rightarrow SN_i$: $\langle SN_i, U_j, E_{MK_{S_i}}(SN_i, U_j, (APM_j \oplus G_{id_j}), R_{U_j}, T_1, T_2), E_{K_i}(SN_i, U_j, G_{id_j}, T_1) \rangle$

Here $APM_j$ is the access privilege mask for the access group ID $G_{id_j}$ of user $U_j$.

Step L5: When the sensor node $SN_i$ receives the message of Step L4, it decrypts $E_{MK_{S_i}}(SN_i, U_j, (APM_j \oplus G_{id_j}), R_{U_j}, T_1, T_2)$ with its own master key $MK_{S_i}$ to retrieve $SN_i$, $U_j$, $(APM_j \oplus G_{id_j})$, $R_{U_j}$, $T_1$ and $T_2$. $SN_i$ then checks the received $SN_i$ and $U_j$ values and checks $T_2$ through the condition $|T_2 - T_2^*| < \Delta T_2$, where $T_2$ is the timestamp of the base station, $T_2^*$ is the current timestamp of the sensor node $SN_i$ and $\Delta T_2$ is the expected time interval for the transmission delay. If all of these conditions are satisfied, $SN_i$ further decrypts $E_{K_i}(SN_i, U_j, G_{id_j}, T_1)$ with the stored key $K_i$ to retrieve $SN_i$, $U_j$, $G_{id_j}$ and $T_1$. Using $G_{id_j}$, $SN_i$ recovers the access privilege mask as $APM_j = (APM_j \oplus G_{id_j}) \oplus G_{id_j}$. $SN_i$ finally saves $R_{U_j}$, $T_1$, $T_2$, $G_{id_j}$ and $APM_j$ for the authentication phase. The login phase of our scheme is summarized in Table 3.

3.2.5. Authentication phase

The authentication phase is required to authenticate the user when he/she wants to access real-time data inside a WBAN. During the login phase, when the user Uj receives the message in Step L2, Uj saves the values Sj, Zj and KUj for authorization purposes with the sensor node SNi in Step L3.

Step A1: For authentication, the user $U_j$ computes the encrypted value $E_{K_{U_j}}(SN_i, U_j, R_{U_j}, G_{id_j}, T_1, S_j, Z_j)$ and the hash value $H(T_1 \| S_j \| Z_j)$, and sends the following authentication request message to the sensor node $SN_i$:

$U_j \rightarrow SN_i$: $\langle SN_i, U_j, E_{K_{U_j}}(SN_i, U_j, R_{U_j}, G_{id_j}, T_1, S_j, Z_j), H(T_1 \| S_j \| Z_j) \rangle$

Step A2: After receiving the authentication request of Step A1 from user $U_j$, the sensor node $SN_i$ verifies whether $U_j$ is legitimate as follows. $SN_i$ first computes the key $K_{U_j}' = H(SN_i \| U_j \| K_{BS} \| K_i)$ from its stored parameters and the received user ID $U_j$. Using $K_{U_j}'$, $SN_i$ decrypts $E_{K_{U_j}}(SN_i, U_j, R_{U_j}, G_{id_j}, T_1, S_j, Z_j)$ to retrieve $SN_i$, $U_j$, $R_{U_j}$, $G_{id_j}$, $T_1$, $S_j$ and $Z_j$. $SN_i$ then checks whether the retrieved $T_1$ matches the $T_1$ it received from the BS in Step L5. If so, $SN_i$ computes $H(T_1 \| S_j \| Z_j)$ and verifies that it matches the received hash value. If there is a match, $SN_i$ proceeds to Step A3; otherwise, the authentication phase terminates immediately.

Step A3: $SN_i$ checks the signature verification equation $Z_j = S_j G$. This holds because

$Z_j = K_{BS} + x_i G \, R_{U_j} = xG + x_i R_{U_j} G = (x + x_i R_{U_j}) G = S_j G.$

(This derivation uses the point $x_i G$ for the node term of $Z_j$, so the $K_i$ appearing in $Z_j$ of Step L2 must be read as that point rather than as its $x$-coordinate.) If the signature verification fails, $SN_i$ treats user $U_j$ as illegal and the phase terminates immediately. Otherwise, $SN_i$ compares the received $G_{id_j}$ with the value received from the BS during the login phase. If they agree, $SN_i$ computes a secret session key $SK_{ij}$ to be shared with the user $U_j$ as $SK_{ij} = H(SN_i \| U_j \| APM_j \| G_{id_j} \| S_j \| R_{U_j} \| T_1 \| T_2)$. Finally, $SN_i$ sends an acknowledgment to user $U_j$ and the BS, and responds to the query of $U_j$ according to the access privilege mask $APM_j$ stored for $U_j$, using the secret session key $SK_{ij}$.

Step A4: After receiving the acknowledgment from $SN_i$, user $U_j$ computes the same secret session key shared with the sensor node $SN_i$ from its own timestamp $T_1$ and the stored $T_2$, $S_j$ and $R_{U_j}$ as $SK_{ij} = H(SN_i \| U_j \| APM_j \| G_{id_j} \| S_j \| R_{U_j} \| T_1 \| T_2)$. Both user $U_j$ and the sensor node $SN_i$ can then communicate securely using the derived session key $SK_{ij}$.

At the end of this phase, $SN_i$ deletes $R_{U_j}$, $T_1$, $T_2$, $G_{id_j}$ and $APM_j$ from its memory for security reasons, and user $U_j$ deletes $S_j$ and $Z_j$. The authentication phase of our scheme is summarized in Table 4.
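The following Python run of the registration, login and authentication steps is an added example and not the paper's code. It assumes SHA-256 for $H(\cdot)$, the secp256k1 curve for $E_p(a, b)$, reduction of scalars modulo the group order $n$ (the paper writes mod $p$), and the point $x_i G$ as the node term of $Z_j$, as the Step A3 derivation requires; the symmetric encryptions $E_K(\cdot)$ are left out and the plaintext tuples are handed over directly, so the example shows the ECC credential check $Z_j = S_j G$, the timestamp checks and the session-key agreement, not the confidentiality of the channel. The `forge_z` switch lets a caller see what Step A3 rejects.

```python
"""End-to-end run of the registration, login and authentication steps above.
Added example, not the paper's code. Assumptions: SHA-256 stands in for H(.),
secp256k1 for E_p(a,b), scalars are reduced modulo the group order n (the paper
writes mod p), the symmetric encryptions E_K(.) are left out (the plaintext
tuples are handed over directly), and the node term of Z_j is the point x_i*G,
as the Step A3 derivation requires."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve for this example)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p1 == -p2
        return None
    if p1 == p2:                              # doubling, curve coefficient a = 0
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt with k reduced mod n."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def H(*parts):
    """H(a||b||...) as an integer; '|' separates fields so parsing is unambiguous."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def fresh(t, t_star, delta=2):
    """Timestamp check |T - T*| < Delta T used in Steps L2, L3 and L5."""
    return abs(t - t_star) < delta


def run_scheme(forge_z=False):
    """Returns the sensor's verdict and both sides' session keys (None if a check fails)."""
    # pre-deployment: BS key pair (x, K_BS); node SN_i key pair (x_i, x_i*G), K_i = x-coordinate
    x = secrets.randbelow(N - 1) + 1
    K_BS = ec_mul(x, G)
    x_i = secrets.randbelow(N - 1) + 1
    XiG = ec_mul(x_i, G)
    K_i = XiG[0] % P
    SN_i, APM = "SN1", 0b1011                          # constructed node id and privilege mask
    # registration R1-R3 (constructed user inputs)
    U, PW, N_j, Gid = "alice", "correct horse", secrets.randbits(128), 3
    RM = secrets.randbits(32)
    RPW = H(N_j, PW)
    R_U = H(RPW, Gid, RM)                               # BS keeps R_U, Gid, APM
    card = dict(U=U, RM=RM, RPW=RPW, Gid=Gid, R_U=R_U)
    # login L1: card-side check, then <U_j, H(R_Uj||T1), T1>
    if H(H(N_j, PW), card["Gid"], card["RM"]) != card["R_U"]:
        return None
    T1 = 1000
    msg1 = (U, H(R_U, T1), T1)
    # login L2: BS checks freshness and the keyed hash, then issues S_j, Z_j, K_Uj
    T1_star, T2 = 1001, 1001
    if not fresh(msg1[2], T1_star) or msg1[1] != H(R_U, msg1[2]):
        return None
    S_j = (x + x_i * R_U) % N
    Z_j = ec_add(K_BS, ec_mul(R_U, XiG))                # = (x + x_i*R_U)*G = S_j*G
    K_Uj = H(SN_i, U, K_BS, K_i)
    # login L4/L5: what SN_i learns from E_{MK_Si}(.) and E_{K_i}(.); APM recovered by XOR
    sensor = dict(R_U=R_U, T1=T1, T2=T2, Gid=Gid, APM=(APM ^ Gid) ^ Gid)
    # authentication A1: the user's request (ciphertext shown as its plaintext tuple)
    if forge_z:
        Z_j = ec_mul(S_j + 1, G)                        # attacker-supplied wrong Z_j
    msg4 = (SN_i, U, (SN_i, U, R_U, Gid, T1, S_j, Z_j), H(T1, S_j, Z_j))
    # A2: sensor recomputes K_Uj, checks T1 and the hash; A3: checks Z_j == S_j*G and Gid
    _, _, body, tag = msg4
    if H(SN_i, U, K_BS, K_i) != K_Uj or body[4] != sensor["T1"] or tag != H(*body[4:]):
        return dict(sig_ok=False, sk_sensor=None, sk_user=None)
    sig_ok = body[6] == ec_mul(body[5], G) and body[3] == sensor["Gid"]
    sk_sensor = None
    if sig_ok:
        sk_sensor = H(SN_i, U, sensor["APM"], Gid, S_j, R_U, T1, T2)
    # A4: the user derives the same session key from its own copies of the values
    sk_user = H(SN_i, U, APM, Gid, S_j, R_U, T1, T2)
    return dict(sig_ok=sig_ok, sk_sensor=sk_sensor, sk_user=sk_user)
```

`run_scheme()` yields matching `sk_sensor` and `sk_user`; `run_scheme(forge_z=True)` shows that a tampered $Z_j$ passes the hash check of Step A2 (the attacker can recompute $H(T_1 \| S_j \| Z_j)$ over its own values) and is caught only by the point equation of Step A3.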

3.2.6. Password change phase

In this phase, a user Uj may change his/her password freely and completely locally for security reasons without contacting the BS. This phase consists of the following steps.

Step PC1: $U_j$ inserts his/her smart card into the card reader of a specific terminal and provides his/her old password $PW_j^{old}$ and secret number $N_j^{old}$, as well as the new password $PW_j^{new}$ and new secret number $N_j^{new}$.

Step PC2: The smart card computes the old masked password of the user $U_j$ as $RPW_j^{old} = H(N_j^{old} \| PW_j^{old})$ and compares it with the value $RPW_j$ stored in the smart card. If they do not match, the user $U_j$ has entered his/her old password incorrectly and the password change phase terminates immediately. Otherwise, the smart card computes the hash value $R_{U_j}^{old} = H(RPW_j^{old} \| G_{id_j} \| RM_{U_j})$ from the old masked password $RPW_j^{old}$, the group identity $G_{id_j}$ and the random number $RM_{U_j}$, and compares it with the stored value $R_{U_j}$. If they match, the smart card executes Step PC3.

Step PC3: The smart card computes the new masked password $RPW_j^{new} = H(N_j^{new} \| PW_j^{new})$ and the new hash value $R_{U_j}^{new} = H(RPW_j^{new} \| G_{id_j} \| RM_{U_j})$.

Step PC4: The smart card replaces the old masked password $RPW_j$ with the new masked password $RPW_j^{new}$ and the old hash value $R_{U_j}$ with the new hash value $R_{U_j}^{new}$ in its memory.

Table 3 The login phase of our proposed scheme.

User ($U_j$):
  Inserts smart card; enters password $PW_j$, secret $N_j$ and access group ID $G_{id_j}$.
  Computes $RPW_j' = H(N_j \| PW_j)$ and $R_{U_j}' = H(RPW_j' \| G_{id_j} \| RM_{U_j})$.
  Checks $R_{U_j}' = R_{U_j}$. If correct, sends
  $\langle U_j, H(R_{U_j} \| T_1), T_1 \rangle$ $\longrightarrow$ BS

BS:
  Checks $|T_1 - T_1^*| < \Delta T_1$ and the hash value $H(R_{U_j} \| T_1)$.
  Computes $UK_j$, $S_j$, $Z_j$, $K_{U_j}$.
  $\langle E_{UK_j}(SN_i, S_j, Z_j, K_{U_j}), T_1, T_2 \rangle$ $\longrightarrow$ $U_j$
  Computes $E_{MK_{S_i}}(SN_i, U_j, (APM_j \oplus G_{id_j}), R_{U_j}, T_1, T_2)$ and $E_{K_i}(SN_i, U_j, G_{id_j}, T_1)$.
  $\langle SN_i, U_j, E_{MK_{S_i}}(SN_i, U_j, (APM_j \oplus G_{id_j}), R_{U_j}, T_1, T_2), E_{K_i}(SN_i, U_j, G_{id_j}, T_1) \rangle$ $\longrightarrow$ $SN_i$

User ($U_j$):
  Checks $|T_2 - T_2^*| < \Delta T_2$. Decrypts the encrypted part.
  Saves $S_j$, $Z_j$, $K_{U_j}$ for the authentication phase.

Sensor node ($SN_i$):
  Decrypts the encrypted parts. Checks $|T_2 - T_2^*| < \Delta T_2$.
  Saves $R_{U_j}$, $T_1$, $T_2$, $G_{id_j}$ and $APM_j$ for the authentication phase.

Table 4 The authentication phase of our proposed scheme.

User ($U_j$):
  $\langle SN_i, U_j, E_{K_{U_j}}(SN_i, U_j, R_{U_j}, G_{id_j}, T_1, S_j, Z_j), H(T_1 \| S_j \| Z_j) \rangle$ $\longrightarrow$ $SN_i$

Sensor node ($SN_i$):
  Computes $K_{U_j}' = H(SN_i \| U_j \| K_{BS} \| K_i)$.
  Decrypts $E_{K_{U_j}}(SN_i, U_j, R_{U_j}, G_{id_j}, T_1, S_j, Z_j)$ using $K_{U_j}'$.
  Checks $T_1$ and $H(T_1 \| S_j \| Z_j)$.
  Checks $Z_j = S_j G$.
  Computes $SK_{ij} = H(SN_i \| U_j \| APM_j \| G_{id_j} \| S_j \| R_{U_j} \| T_1 \| T_2)$.
  Acknowledgment $\longrightarrow$ $U_j$

User ($U_j$):
  Computes $SK_{ij} = H(SN_i \| U_j \| APM_j \| G_{id_j} \| S_j \| R_{U_j} \| T_1 \| T_2)$.
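The card-side password change (Steps PC1 to PC4) in Python, as an added example that is not the paper's code. SHA-256 stands in for $H(\cdot)$ and the card fields are those issued in Step R3. Because Step R3 has the BS keep $R_{U_j}$ and Step L2 has it verify $H(R_{U_j} \| T_1)$ against that stored copy, the example also includes an assumed BS-side function, `bs_check_login`, to exercise what follows from those steps as written: after a purely local password change the new card passes its own check but the login hash no longer verifies at the BS until the BS's copy of $R_{U_j}$ is updated.

```python
"""Card-side password change (Steps PC1 to PC4) as an added example; not the
paper's code. SHA-256 stands in for H(.); the card fields are those issued in
Step R3; bs_check_login() is an assumed name for the Step L2 check performed
with the R_Uj that the BS stored at registration."""
import hashlib


def H(*parts):
    """H(a||b||...) with a field separator so concatenation is unambiguous."""
    return hashlib.sha256(b"|".join(str(p).encode() for p in parts)).hexdigest()


def issue_card(U, PW, N, Gid, RM):
    """Steps R1 to R3: returns (smart card contents, the R_Uj the BS stores)."""
    RPW = H(N, PW)
    R_U = H(RPW, Gid, RM)
    return {"U": U, "RM": RM, "RPW": RPW, "Gid": Gid, "R_U": R_U}, R_U


def change_password(card, N_old, PW_old, N_new, PW_new):
    """PC2: both checks against the stored RPW_j and R_Uj must pass;
    PC3/PC4: recompute and overwrite. Returns True only if the card was updated."""
    RPW_old = H(N_old, PW_old)
    if RPW_old != card["RPW"]:                                   # wrong old (N_j, PW_j)
        return False
    if H(RPW_old, card["Gid"], card["RM"]) != card["R_U"]:       # inconsistent card fields
        return False
    RPW_new = H(N_new, PW_new)
    card["RPW"] = RPW_new
    card["R_U"] = H(RPW_new, card["Gid"], card["RM"])
    return True


def login_request(card, N, PW, T1):
    """Step L1: card check, then <U_j, H(R_Uj||T1), T1>; None if the check fails."""
    if H(H(N, PW), card["Gid"], card["RM"]) != card["R_U"]:
        return None
    return (card["U"], H(card["R_U"], T1), T1)


def bs_check_login(bs_R_U, msg, T1_star, delta=2):
    """Step L2 at the BS: freshness |T1 - T1*| < Delta T1, then H(R_Uj||T1)
    recomputed with the R_Uj the BS stored at registration."""
    U, h, T1 = msg
    return abs(T1 - T1_star) < delta and h == H(bs_R_U, T1)
```

A typical run: `card, bs_R_U = issue_card("alice", "pw1", 111, 3, 42)`, then `change_password(card, 111, "pw1", 222, "pw2")` returns `True`, `login_request(card, 222, "pw2", 10)` produces a login message, and `bs_check_login(bs_R_U, msg, 11)` returns `False` while `bs_check_login(card["R_U"], msg, 11)` returns `True`.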

3.2.7. Dynamic node addition phase

New node deployment in sensor networks is inevitable due to the loss of sensor nodes resulting from power exhaustion after weeks or months of operation. Some nodes may become compromised and require replacement. We assume that one or more nodes must be deployed in a dynamic node addition phase.

Let a new sensor node $u$ be deployed during the dynamic node addition phase. Prior to its deployment (during the pre-deployment phase), the BS preloads a set of node parameters offline. This set contains (i) a unique node identifier $SN_u$ of the node $u$; (ii) the elliptic curve $E_p(a, b)$; (iii) the base point $G$ in $E_p(a, b)$; (iv) the secret key $K_u$ with $x_u$ for node $SN_u$, where $x_u$ is the private key of $SN_u$ and $x_u G = (x_1, y_1)$ with $K_u = x_1 \pmod p$; (v) the base station's public key $K_{BS}$; (vi) a hash function $H(\cdot)$; and (vii) its own master key $MK_{S_u}$.

After deployment, $SN_u$ sends a message containing its own identity $SN_u$, the bootstrapping time $T_u$ and the information $E_{MK_{S_u}}(K_u, SN_u, T_u)$ encrypted with the master key $MK_{S_u}$ to the BS:

$SN_u \rightarrow BS$: $\langle SN_u, T_u, E_{MK_{S_u}}(K_u, SN_u, T_u) \rangle$

After deployment, $SN_u$ establishes pairwise keys with its neighbours in the WBAN using the scheme of Das AK (2009). $SN_u$ then authenticates and establishes pairwise symmetric secret keys with a user $U_j$ as described in Sections 3.2.4 and 3.2.5. Therefore, the dynamic node addition phase in our scheme is simple and efficient, and, apart from receiving the bootstrapping message above, it does not require any involvement of the base station after deployment.

4. Analysis of the proposed scheme

In this section, we perform functionality and security analyses of our proposed access control scheme.

4.1. Computational overhead

Let $t_{ecm}$, $t_{eca}$, $t_h$, $t_{enc}$ and $t_{dec}$ denote the time required to perform an elliptic curve scalar multiplication, an elliptic curve point addition, a one-way hash function $H(\cdot)$, a symmetric-key encryption and a symmetric-key decryption, respectively. During the registration phase, the user $U_j$ and the BS each require one hash computation, i.e., $t_h$ and $t_h$, respectively. During the login and authentication phases of our proposed scheme, the user $U_j$, the BS and the sensor node $SN_i$ require $6t_h + t_{dec} + t_{enc}$, $3t_h + 2t_{ecm} + 3t_{enc} + t_{eca}$ and $3t_h + 3t_{dec} + t_{ecm}$, respectively (the BS performs the three encryptions $E_{UK_j}(\cdot)$, $E_{MK_{S_i}}(\cdot)$ and $E_{K_i}(\cdot)$ of Steps L2 and L4). Including the registration phase, the total computational cost becomes $14t_h + 8t_{enc/dec} + 3t_{ecm} + t_{eca}$.

4.2. Communication overhead

We consider the communication overhead of our scheme for both the login and authentication phase. Based on the login and authentication phases of our scheme, it is clear that the sensor node SNi, the BS and the user Uj must exchange four messages. We have calculated the bitwise and packetwise communication overhead for our proposed scheme during the login and authentication phases. For computing the number of packets required for transmission, we considered a CC2420 transmitter (CC2420.2.4 GHz IEEE 802.15.4, 2011). A CC2420 transmitter supports a packet size of 128 bytes, i.e., 1024 bits. To calculate the communication overhead, we used the bitwise size of different parameters as shown in Table 5.

In Table 6, we calculated the number of bits and packets required for each message in our scheme during the login and authentication phases. It should be noted that we required a communication overhead of 1008 bits and the transmission of only 4 packets during the login and authentication phases.

4.3. Storage overhead

During the pre-deployment phase described in Section 3.2.1, a sensor node $SN_i$ primarily requires storage space for the following node parameters: a unique node identifier $SN_i$, which needs 16 bits; the elliptic curve $E_p(a, b)$, which needs $160 + 160 + 160 = 480$ bits for storing the values $p$, $a$ and $b$ of 160 bits each (for security reasons, we consider a 160-bit prime $p$ in ECC); the base point $G$, which needs $160 + 160 = 320$ bits; the secret key $K_i$ with the private key $x_i$ of $SN_i$, which needs $160 + 160 = 320$ bits; the base station's public key $K_{BS}$, which needs $160 + 160 = 320$ bits; and its own master key $MK_{S_i}$, which needs 128 bits. The total storage space of the sensor node $SN_i$ prior to its deployment therefore becomes $16 + 480 + 320 + 320 + 320 + 128 = 1584$ bits.

4.4. Energy consumption

Based on Zhang et al. (2012), we also use the Chipcon CC2420 (CC2420.2.4 GHz IEEE 802.15.4, 2011) configuration that is widely used in low-rate wireless personal area networks. Table 7 shows that the CC2420 supports a total of eight transmission power levels and a typical supply current (Zhang et al., 2012). As noted in Zhang et al. (2012), Ir = 19.7 mA is required to receive the signal, and the transmission rate is 250 kb/s.

Based on Zhang et al. (2012), we evaluated the energy consumption for communication through the following three-case model:

Case I (Success): both the data packet and the acknowledgment are successfully transmitted.

Case II (PF): unsuccessful data packet transmission.

Case III (AF): successful data packet transmission followed by an unsuccessful acknowledgment transmission.

According to Zhang et al. (2012), the total energy consumption for communication can be calculated as

$E(\cdot) = E(\cdot \mid Success) + E(\cdot \mid PF) \times N_{PF}(\cdot) + E(\cdot \mid AF) \times N_{AF}(\cdot),$

where $E(\cdot \mid Success)$, $E(\cdot \mid PF)$ and $E(\cdot \mid AF)$ represent the energy required for Case I (successful transmission), Case II (packet failure) and Case III (acknowledgment failure), respectively. $N_{PF}(\cdot)$ denotes the expected number of packet transmission failures and $N_{AF}(\cdot)$ the expected number of acknowledgment transmission failures. For a detailed analysis, refer to Zhang et al. (2012).

4.5. Network scalability

Assume that there will be m cluster heads and m' controller nodes in a hierarchical WBAN (HWBAN) as shown in Fig. 3, representing a hospital ward with multiple patients. In this figure, a set of sensor nodes are deployed on a patient's body that constitute a WBAN. The WBAN is then associated with a cluster head, and a set of cluster heads are attached to a controller node. For example, if a patient's body is deployed with 10 regular sensor nodes and there are 1000 patients in various wards to be monitored in the hospital,

the total number of regular sensor nodes is 10 x 1000 = 10,000. If 5 cluster heads are attached to a controller node in a ward, we require 1000/5 = 200 controller nodes in the hospital. As a result, the total nodes to be deployed in the HWBAN is 11,200, and these nodes constitute a large-scale network.

In a case where a patient will be monitored at home, the total number of regular sensor nodes is 10 in the WBAN and only one cluster head is required in that WBAN. In both scenarios, the access control mechanism remains the same.

Table 5 Size (in bits) of different parameters used in our scheme.

Type                                          Bitwise size
User identifier, $U_j$                        16
Bootstrapping time / timestamp, $T_i$         32
Node identifier, $SN_i$                       16
Group identifier, $G_{id_j}$                  8
Access privilege mask, $APM_j$                64
Random number, $RM_{U_j}$                     32
Hash value                                    160
Symmetric encryption, $E_K(M)$                128

4.6. Security analysis

In this section, we show that our scheme has the ability to tolerate various known attacks, which are discussed in the following subsections.

4.6.1. Stolen-verifier attack

It should be noted that our scheme does not require any verifier/password table for password verification. A network insider cannot obtain a user's password because neither the BS nor the sensor nodes maintain a password/verifier table to validate a user's login request. During the registration phase of our scheme, a user $U_j$ securely submits his/her identity $U_j$ and the masked password $H(N_j \| PW_j)$ to the BS. According to our threat model, the BS is a trustworthy entity in the network and cannot be compromised by an attacker. Because the secret value $N_j$ is known only to user $U_j$, it is computationally infeasible even for the BS to retrieve $PW_j$ from $H(N_j \| PW_j)$ owing to the one-way property of the hash function $H(\cdot)$. Therefore, our scheme prevents this attack.

4.6.2. Many logged-in users with the same login-ID attack

In general, systems that verify user logins against a password table can be vulnerable to this attack. In our scheme, however, neither the BS nor the sensor nodes maintain a verifier table containing passwords, and no password is stored in the user's smart card. At login time, a user $U_j$ must present a valid smart card together with the valid input tuple $(U_j, PW_j, N_j)$. Note that our scheme requires on-card computation for both password verification and login to the WSN; once the smart card is removed from the terminal, the login process is aborted. If two users $U_i$ and $U_j$ choose the same password, the random secret numbers $N_i$ and $N_j$ used in computing their masked passwords still give them different masked passwords. As a result, even if two users have the same password, the problem of many logged-in users with the same login ID does not arise in our scheme. Thus, our scheme resists the many logged-in users with the same login-ID attack.

Table 7 Transmission power levels of the CC2420 (Zhang et al., 2012).

Index $i$   Transmission power $P_t(i)$ [dBm]   Transmission current $I_t(i)$ [mA]
1           -25                                 8.5
2           -15                                 9.9
3           -10                                 11.2
4           -7                                  12.5
5           -5                                  13.9
6           -3                                  15.2
7           -1                                  16.5
8           0                                   17.4

4.6.3. Resilience against node capture attack

We evaluate the ability of our scheme to tolerate compromised nodes in the network. Let $P_e(c)$ denote the probability that an adversary compromises a fraction of the total secure communications by capturing $c$ sensor nodes in the network. If $P_e(c) = 0$, we classify our user access control scheme as unconditionally secure against the node capture attack. If an attacker captures a sensor node, he/she can extract the master key along with other information from its memory because the sensor nodes are not equipped with tamper-resistant hardware. However, each node is given a unique, randomly generated master key prior to its deployment, and each sensor node establishes a distinct secret session key with a user. Thus, by capturing the sensor node from which a user wants to access data, the attacker can only respond with false data to that legitimate user. The other non-captured sensor nodes can still communicate real-time data to legitimate users with full secrecy. As a result, the compromise of a sensor node does not compromise any other secure communication between a user and a non-captured sensor node in the network, i.e., $P_e(c) = 0$; therefore, our scheme provides unconditional security against the node capture attack.

Table 6 Message size and number of packets to be transmitted per message in our scheme during the login and authentication phases.

Message                                                                                                                      Exchanged between   Size (bits)   No. of packets
$\langle U_j, H(R_{U_j} \| T_1), T_1 \rangle$                                                                                $U_j$ and BS        208           1
$\langle E_{UK_j}(SN_i, S_j, Z_j, K_{U_j}), T_2, T_1 \rangle$                                                               BS and $U_j$        192           1
$\langle SN_i, U_j, E_{MK_{S_i}}(SN_i, U_j, (APM_j \oplus G_{id_j}), R_{U_j}, T_1, T_2), E_{K_i}(SN_i, U_j, G_{id_j}, T_1) \rangle$   BS and $SN_i$   288   1
$\langle SN_i, U_j, E_{K_{U_j}}(SN_i, U_j, R_{U_j}, G_{id_j}, T_1, S_j, Z_j), H(T_1 \| S_j \| Z_j) \rangle$                 $U_j$ and $SN_i$    320           1

Figure 3 An example of a hierarchical body area sensor network.

Remark 1. Note that in our scheme, the session key between the user and the sensor node in the BAN is established only after a successful authentication process. This key is used between the sensor and the user to secure the communication channel for the real-time data transmission. However, when a sensor node is physically captured by an attacker from a patient's body (WBAN), the attacker is able to extract the master key along with other information from its memory, including the established session key. As in our threat model discussed in Section 1.2, the compromised (captured) nodes can be detected, and as a result the base station (medical server), users and sensor nodes know the IDs of the compromised nodes. Consequently, the base station (medical server) alerts the users to the compromised sensor nodes in the network, and a new sensor must be deployed in place of the captured sensor. In this case, with the help of the dynamic node addition phase described in Section 3.2.7, the newly deployed sensor will be able to establish a new session key shared with the user after a successful authentication process.

4.6.4. Masquerade attack

In our scheme, an illegal user cannot fabricate a fake login request message that convinces the BS it is a legal login request in the login phase. At the time of login, the user must insert his/her smart card into a card reader and then provide his/her user ID $U_j$, secret value $N_j$, password $PW_j$ and access group ID $G_{id_j}$. The smart card then computes the masked password $RPW_j' = H(N_j \| PW_j)$ and the hash value $R_{U_j}' = H(RPW_j' \| G_{id_j} \| RM_{U_j})$ for user $U_j$ using the values of $G_{id_j}$ and $RM_{U_j}$ stored in the smart card. The smart card checks whether $R_{U_j}' = R_{U_j}$. If this verification passes, user $U_j$ sends the login request message $\langle U_j, H(R_{U_j} \| T_1), T_1 \rangle$ to the BS. To convince the BS that this is a legal remote login request, an illegal user would have to know $N_j$, $PW_j$, $G_{id_j}$ and $RM_{U_j}$ (the inputs from which $R_{U_j}$ is derived). As a result, the attacker cannot create a fake login request message on behalf of the original user $U_j$. Thus, our scheme resists this type of attack.

4.6.5. Replay attack

In this scenario, an attacker may try to pose as a valid user logging in to the BS by replaying messages previously transmitted by a legal user. However, our scheme uses the current system timestamp in the login and authentication phases. Comparing the timestamp carried in a message with the current timestamp of the receiving system defeats such replays because the expected time interval for the transmission delay is very short. Moreover, in the login phase the user sends the message $\langle U_j, H(R_{U_j} \| T_1), T_1 \rangle$ to the BS; because the attacker cannot recompute the hash value $H(R_{U_j} \| T_1)$ without $R_{U_j}$, the attacker also cannot change the value of $T_1$. Thus, an attacker cannot successfully replay previously used messages during the login and authentication phases. As a result, our scheme resists the replay attack.

4.6.6. Privileged-insider attack

Note that during the registration phase of our proposed scheme, the user $U_j$ does not send his/her password $PW_j$ in plaintext; $U_j$ sends the masked password $RPW_j = H(N_j \| PW_j)$ to the BS. Without knowing the secret value $N_j$ (which is known only to user $U_j$), it is computationally infeasible to retrieve $PW_j$ from $RPW_j$ owing to the one-way property of the hash function $H(\cdot)$. A privileged insider at the BS therefore cannot learn the password $PW_j$ of user $U_j$, and hence cannot impersonate $U_j$ at other servers where $U_j$ might also be registered and, for convenience, use the same password $PW_j$. Thus, our scheme protects against such an attack.

4.6.7. Smart card breach attack

As in Fan et al. (2010), the smart card is assumed to be safe and unable to be cracked; however, there remains a risk that a smart card is cracked. If an attacker/intruder obtains a smart card and cracks it, we must assume that he/she obtains its stored information, namely $U_j$, $RM_{U_j}$, $H(\cdot)$, $RPW_j$, $G_{id_j}$ and $R_{U_j}$. However, the attacker has no feasible way to learn user $U_j$'s password $PW_j$ from $RPW_j$ owing to the one-way property of the hash function $H(\cdot)$. Likewise, from the hash value $R_{U_j} = H(RPW_j \| G_{id_j} \| RM_{U_j})$ it is also infeasible to learn $PW_j$ for the same reason. Therefore, the attacker must guess both the correct password $PW_j$ and the secret number $N_j$ of user $U_j$ to pass the password verification of the login phase, and computing $N_j$ is infeasible owing to the one-way property of $H(\cdot)$. As a result, our scheme prevents a smart card breach attack.

4.6.8. Denial-of-service attack

After deployment, a sensor node in our scheme initially sends a message to the BS to report its bootstrapping time. At the time of authentication, the BS sends the request message of Step L4 to the specific sensor node $SN_i$ from which user $U_j$ wants to access real-time data inside the WBAN. After receiving the authentication request message from user $U_j$, the sensor node $SN_i$ sends an acknowledgment to the user after successful authentication. If an attacker blocks these messages from reaching the BS and the sensor nodes, the BS and the sensor node will notice the malicious dropping of these control messages. Therefore, the denial-of-service attack is not possible in our scheme because an acknowledgment is sent to user $U_j$ at the end of user authentication.

4.6.9. Formal security proof of the proposed scheme

This section shows through a formal security analysis that our scheme is secure against an attacker deriving the user's password and the base station's private key. For this purpose, we define the following formal definitions:

X = {0,1}' and produces an output y 2 {0,1}n as a binary string of fixed-length, n. If AdvHAASH (t) denotes an adversary (attacker) A's advantage in finding collision, we then have

\t) = Pr[(x, x')(rA : x-X, H(x) = H(x']

where Pr[E] denotes the probability of a random event E, and (x, x') ^ rA denotes the pair (x, x') is selected randomly by A. In this case, the adversary A is allowed to be probabilistic and the probability in the advantage is computed over the random choices made by the adversary A with the execution time t. We call the hash function H(') collision-resistant if AdvH ASHA(t) 6 2 , for any sufficiently small 2 >0.

Definition 2. (Indistinguishability of encryption and chosen plaintext attack (IND-CPA)). As in Wu and Chen (2012), we define the indistinguishability of encryption (IND) and chosen-plaintext attack (CPA) as follows. Let SE/ME be the single/ multiple eavesdropper, respectively, and Ok1, Ok2,..., OkN be N different independent encryption oracles associated with encryption keys k1, k2,.. .,kN, respectively. Define the advantage functions of SE and ME, respectively as: Adv^f (l) — 2Pr[SE ^ Ok1; (m0, m^SE); 9<r{0,1}; y<R Ok1(me):SE(y) = 9] - 1, and Adv^pEa(l) — 2Pr[ME ^ Ou, ..., OkN; (m0, ME); 9<r{0,1}; y1<ROk1(m0),..., yN<ROkN(m9):ME (y1,...,yN) = 9] — 1 where X is the encryption scheme. Then, we say that the encryption scheme X is IND-CPA secure in the single (multiple) eavesdropper setting if AdV£dSf£a(l) (respectively, Adv^E () is negligible (in the security parameter l) for any probabilistic, polynomial time (PPT) adversary SE (ME).

Definition 3. (Elliptic curve discrete logarithm problem (ECDLP)). We define the elliptic curve discrete logarithm problem (ECDLP) formally given in Das et al. (2012a). Let Ep (a, b) be an elliptic curve modulo a prime p. Let P 2 Ep(a,b) and Q = kP 2 Ep(a,b) be two points, where k 2 RZp (We use the notation a 2 RB to denote that a is chosen randomly from the set B).

Instance : (P, Q, r) for some

k, r2R Zp.

Output : Yes, if Q — rP, i.e., k — r, and output No, otherwise.

Definition 1. (One-way hash function). There exists a secure one-way hash function H:X fi Y, where X = {0,1} and Y = Zp* = {a| 0 < a < p and gcd(a, p) = 1} satisfying the following requirements (Stallings, 2003):

(i) For a given y 2 Y, it is hard to find an x in X such that H(x) = y.

(ii) For a given x 2 X, it is hard to find another x' in X, with x' „ x, such that H(x') = H(x).

(iii) It is hard to find a pair x, x') 2 X x X, with x' „ x, such that H(x') = H(x).

As defined in Sarkar (2010), Stinson (2006), a collision-resistant one-way hash function H:X fi Y, where X = {0,1} and Y = {0, 1}n, is considered as a deterministic algorithm that takes an input as an arbitrary length binary string

Dreal —fk2RZp, A — P, B — Q(— kP), C — k : (A, B, C)}, Drand — {k, r2RZp, A — P, B — Q(— kP), C — r : (A, B, C)}.

The advantage of any probabilistic, polynomial-time, 0/1-val-ued (false/true-valued) distinguisher D in solving ECDLP on Ep(a, b) is defined as

AdvDf(P) — \P r[(A, B, C) ^ Dreal: D(A, B, C) — 1] —P r[(A, B, C) ^ Drand : D(A, B, C) — 1]|,

where the probability Pr[-] is taken over the random choices of k and r. D is said to be a (t, 2)-ECDLP distinguisher for Ep(a, b) if D runs at most in time t such that AdvDCD(LP,)(t) P2.

ECDLP assumption: There exists no (t, 2 )-ECDLP distin-guisher for Ep(a, b). In other words, for every probabilistic, polynomial-time 0/1-valued distinguisher D, we have AdvDCDS)(t) 62 for any sufficiently small 2 >0.

We define the following three random oracles for the attacker (adversary) A:

Reveall: This unconditionally outputs k from given points P and Q = kP in an elliptic curve Ep(a,b).

Reveal2: This unconditionally outputs the plaintext message M using symmetric-key cryptosystem X with the help of the relevant public parameters and cipher text message Ekey(M), without knowing the symmetric key, key.

Reveal3: This unconditionally outputs the input x from the corresponding hash value y = H(x).

Theorem 1. Let the used symmetric encryption scheme X be IND-CPA. Our scheme is then secure against deriving a user's password by an attacker under the assumption that the one-way

However, it is computationally infeasible due to the difficulty in solving the one-way hash function and the indistinguishabil-ity of the encryption and chosen plaintext attack (IND-CPA). As a result, Adv1HASCHsfD'CFA(tu qRl, qR}) 6 e, for any sufficiently small 2 > 0, as it is dependent on Adv^E" (l) and the difficulty of inverting the one-way hash function, i.e., AdvHASH(t). Therefore, our scheme is probably secure against an attacker deriving a user's password. □

Algorithm 1.

1: Eavesdrop the message (Uj,H(Ru. ||Ti),Ti) during the login phase, which is sent from the user Uj totheBS.

2: Call Reveals oracle on the input H{Ru.\\Ti) to retrieve the information Rv. and Ti. Let {R'v., T[) <- RevealS{H{Ru. | |Ti)).

3: Check if Tj matches with Ti in the eavesdropped message. If so, call Reveal'i oracle on the input R^ = H (RPWj \\Gidj \\RMUj), where RPWj =

H(Nj 11PWj), in order to retrieve the information RPWj, Gidj and RMUj. Let (RPWG'id., RM'u. ) <- Reveal^R'jj,). 4: Call RevealS oracle on the input RPW- to derive Nj and PWj of the user Uj. Let (N'p PW-) <- Reveal3(RPW-).

5: Eavesdrop the message (SNi,Uj,EMKs. (SNi,Ui, (APMj © Gidj), RuJ,T1,T2), EKi(SNi,Uj, Gidj,T{)) during the login message, which is

sent from the BS to a sensor node S Ni. 6: Call Reveal 2 oracle on the input EK. (S Ni, Uj, Gid., Ti ).

Let (SN!\ U", G"d., T{') *- Reveal2(EKi (SNi, Uj, Gidj, Ti)). 7: if (G'/d. = Gidj ) and (T[' = Ti) then

8: Accept the derived password PWj as the correct password PWj of the user Uj. 9: return 1 (Success) 10: else

11 : return 0 (Failure) 12: end if

hash function H(-) closely behaves like a random oracle.

Proof. We follow the similar proof as in Das et al. (2012a) and Odelu et al. (2013). We must construct an adversary A that can correctly derive the user UJs password PWj. For this purpose, the adversary A runs the experiment given in Algorithm 1 for our proposed user access control scheme UACS.

We define the success probability for EXP1'HAASSH')1aND-CPA provided in Algorithm 1 as

HASH,IND-CPA

i HASH,IND-CPA

= 1]-1|-

lUACS,A — l2Pr[EXP1HACHA

The advantage function for this experiment is given by

■¡HASHJND-CPAu „ „ 1 r o. „„1 HASH,IND-CPA

UACS ,A

\h, qR2, qR3)= maxISucclHACHA

where the maximum is taken over all A with the execution time ti, and the number of queries qRi made to the Reveal2 oracle and the number of queries qR3 made to the Reveal3 oracle. Our scheme is probably secure against an adversary A for deriving a user's password by an attacker, if Adv1i^CHI^D'CFA(t1,l qR , qR ) 6 e, for any sufficiently small e > 0. ; 23

Finally, consider the experiment EXP1HiSH,,AND-CPA. According to this experiment, if the adversary A can correctly derive the private key of the BS, he/she can win the game.

Theorem 2. Let the used symmetric encryption scheme X be IND-CPA. Under the ECDLP assumption, our scheme is secure against an attacker deriving the base station's private key if the hash function H() closely behaves like a random oracle.

Proof. We must construct an adversary A that can correctly derive the base station BS's private key x. For this purpose, the adversary A runs the experiment Exp2HHH,!aD~CFAECDLP given in Algorithm 2 for our proposed user access control scheme UACS.

We define the success probability of the experiment in Algorithm 2 as

$$
\mathrm{Succ2}^{\mathrm{HASH,IND\text{-}CPA,ECDLP}}_{\mathrm{UACS},\mathcal{A}}
= \left| 2\Pr\!\left[\mathrm{Exp2}^{\mathrm{HASH,IND\text{-}CPA,ECDLP}}_{\mathrm{UACS},\mathcal{A}} = 1\right] - 1 \right| .
$$

The advantage function for this experiment is given by

$$
\mathrm{Adv2}^{\mathrm{HASH,IND\text{-}CPA,ECDLP}}_{\mathrm{UACS},\mathcal{A}}(t_2, q_{R_1}, q_{R_2}, q_{R_3})
= \max_{\mathcal{A}} \mathrm{Succ2}^{\mathrm{HASH,IND\text{-}CPA,ECDLP}}_{\mathrm{UACS},\mathcal{A}} ,
$$

where the maximum is taken over all adversaries A with execution time t_2 that make q_{R_1}, q_{R_2} and q_{R_3} queries to the Reveal1, Reveal2 and Reveal3 oracles, respectively. Our scheme is called provably secure against an adversary A deriving the base station's private key if

$$
\mathrm{Adv2}^{\mathrm{HASH,IND\text{-}CPA,ECDLP}}_{\mathrm{UACS},\mathcal{A}}(t_2, q_{R_1}, q_{R_2}, q_{R_3}) \le \varepsilon
$$

for any sufficiently small ε > 0.

Algorithm 2.

1: Eavesdrop the message {U_j, H(R_Uj || T_1), T_1} during the login phase, which is sent from the user U_j to the BS.
2: Call the Reveal3 oracle on the input H(R_Uj || T_1) to retrieve R_Uj and T_1. Let (R_Uj', T_1') ← Reveal3(H(R_Uj || T_1)).
3: Check whether T_1' matches T_1 in the eavesdropped message. If so, eavesdrop the message {E_{UK_j}(SN_i, S_j, Z_j, K_Uj), T_2, T_1} during the login phase, which is sent from the BS to the user U_j.
4: Call the Reveal2 oracle on the input E_{UK_j}(SN_i, S_j, Z_j, K_Uj). Let (SN_i', S_j', Z_j', K_Uj') ← Reveal2(E_{UK_j}(SN_i, S_j, Z_j, K_Uj)).
5: Compute UK_j' = H(R_Uj' || U_j || T_1 || T_2), and encrypt the recovered information with the key UK_j' as E_{UK_j'}(SN_i', S_j', Z_j', K_Uj'). If this encrypted value matches the received E_{UK_j}(SN_i, S_j, Z_j, K_Uj), accept K_Uj' as the correct K_Uj.
6: Call the Reveal3 oracle on the input K_Uj' to retrieve K_BS. Let (SN_i'', U_j', K_BS', K_i') ← Reveal3(K_Uj'), where K_Uj = H(SN_i || U_j || K_BS || K_i).
7: Call the Reveal1 oracle on the input K_BS' to derive the private key x of the BS. Let x' ← Reveal1(K_BS'). Compute Z_j'' = K_BS' + K_i' (mod p).
8: if (Z_j'' = Z_j') then
9:    Accept the derived x' as the correct private key x of the BS.
10:   return 1 (Success)
11: else
12:   return 0 (Failure)
13: end if

Consider the experiment Exp2^{HASH,IND-CPA,ECDLP}_{UACS,A}. According to this experiment, if the adversary A can correctly derive the private key x of the BS, he/she wins the game. However, this is computationally infeasible because of the one-wayness of the hash function, the IND-CPA security of the encryption scheme and the hardness of the elliptic curve discrete logarithm problem (ECDLP). As a result, Adv2^{HASH,IND-CPA,ECDLP}_{UACS,A}(t_2, q_{R_1}, q_{R_2}, q_{R_3}) ≤ ε for any sufficiently small ε > 0, because it depends on Adv^{ECDLP}_A(t), Adv^{IND-CPA}_A(t) and Adv^{HASH}_A(t). Therefore, our scheme is provably secure against an attacker deriving the private key of the BS. □

5. Formal security verification of our scheme using AVISPA back-ends

In this section, we simulate our scheme only for the formal security analysis. We do not simulate the communication, computation and energy costs of our scheme, since these are evaluated analytically in Section 6. Through the simulation results obtained with the widely accepted AVISPA tool, we show that our scheme is secure against passive and active attacks, including the replay and man-in-the-middle attacks. For this purpose, we first describe the AVISPA tool briefly, implement our scheme in the High Level Protocol Specification Language (HLPSL), and simulate the implemented protocol to show that our scheme is secure.

5.1. AVISPA tool

AVISPA (Automated Validation of Internet Security Protocols and Applications) (Armando et al., 2005) is a widely accepted and powerful tool for the formal security verification of a protocol; it determines whether the protocol is secure or not. Model checking methods search the states of the system for states in which some property is violated. Model checking tools have been successfully employed to detect attacks on security protocols (Basin et al., 2005). We have used the AVISPA back-ends for our formal security verification. AVISPA integrates four different back-ends and abstraction-based methods through the High Level Protocol Specification Language, HLPSL (von Oheimb, 2005). A static analysis is performed to check the executability of the protocol, and then the protocol and the intruder actions are compiled into an intermediate format (IF). This intermediate format is the starting point for the four automated protocol analysis techniques. IF is a lower-level language than HLPSL and is read directly by the AVISPA back-ends, which provide protocol falsification as well as bounded and unbounded verification. The first back-end, the On-the-fly Model-Checker (OFMC), applies several symbolic techniques to explore the state space in a demand-driven way. The second back-end, the Constraint-Logic-based Attack Searcher (CL-AtSe), translates any security protocol specification written as a transition relation in IF into a set of constraints that are used to find attacks on the protocol. The third back-end, the SAT-based Model-Checker (SATMC), builds a propositional formula that is fed to a state-of-the-art SAT solver, and any model found is translated back into an attack. Finally, TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) approximates the intruder knowledge by using regular tree languages.

HLPSL is a role-oriented language in which each principal is implemented as a basic role whose transitions describe that principal's actions during a protocol run. A protocol session is the parallel composition of these basic roles. The intruder is modeled using the Dolev-Yao model (Dolev and Yao, 1983), as in our threat model, with the possibility for the intruder to assume a legitimate role in a protocol run. The role system also defines the number of sessions, the number of principals and the roles.

5.2. Specifying our scheme

We have implemented our scheme in HLPSL. The implementation has three basic roles, alice, server and bob, which represent the sensor node SN_i, the BS and the user U_j, respectively. We have also defined the session and environment roles for our scheme.

Fig. 4 illustrates the role specification for the user U_j in HLPSL. During the registration phase, U_j sends the message (U_j, RPW_j, Gid_j, RM_Uj) securely to the BS with the Snd() operation. The type declaration channel(dy) indicates a channel under the Dolev-Yao threat model (as described in our threat model in Section 1.2). U_j then waits, via the Rcv() operation, for the smart card containing the secure information in the message (U_j, RM_Uj, H(·), RPW_j, Gid_j, R_Uj) from the BS. The intruder has the ability to intercept, analyze and/or modify messages transmitted over the insecure channel. During the login phase, U_j sends the login request message (U_j, H(R_Uj || T_1), T_1) to the BS. In reply, the BS sends the message (E_{UK_j}(SN_i, S_j, Z_j, K_Uj), T_2, T_1) to U_j. During the authentication phase, U_j finally sends the authentication request message (SN_i, U_j, Z_j, S_j, E_{K_Uj}(SN_i, U_j, R_Uj, Gid_j, T_1, S_j, Z_j), H(T_1 || S_j || Z_j)) to the sensor node SN_i.

Fig. 5 shows the role specification for the BS in HLPSL. During the post-deployment phase, the BS receives the message (SN_i, T_i, E_{MK_si}(K_i, SN_i, T_i)) from the sensor node SN_i. During the registration phase, after receiving the message (U_j, RPW_j, Gid_j, RM_Uj) securely from the user U_j, the BS securely sends the smart card containing the information in the message (U_j, RM_Uj, H(·), RPW_j, Gid_j, R_Uj) to the user U_j. In the login phase, when the BS receives the message (U_j, H(R_Uj || T_1), T_1) from the user U_j, the BS sends the messages (E_{UK_j}(SN_i, S_j, Z_j, K_Uj), T_2, T_1) to U_j and (SN_i, U_j, E_{MK_si}(SN_i, U_j, APM_j ⊕ Gid_j, R_Uj, T_1, T_2), E_{K_i}(SN_i, U_j, Gid_j, T_1)) to the sensor node SN_i.

  role bob (U, BS, SN : agent,
            MKsi : symmetric_key,
            MKuj : symmetric_key,
            H : hash_func,
            Snd, Rcv : channel(dy))
  played_by U
  def=
    local State : nat,
          Uj, RPWj, APMj, RMuj, Nj, PWj, UKj : text,
          Ruj, Kuj, SNi, Sj, Zj, Ki, Kbs, Gidj, RNui : text,
          T1, T2 : text
    const alice_server, alice_bob, bob_server, bob_alice,
          subs1, subs2, subs3, subs4, subs5, subs6 : protocol_id
    init State := 0
    transition
    1. State = 0 /\ Rcv(start) =|>
       State' := 1 /\ RPWj' := H(PWj.Nj)
                /\ RMuj' := new()
                /\ Snd(U.BS.{Uj.RPWj'.Gidj.RMuj'}_MKuj)
    2. State = 1 /\ Rcv(BS.U.{Uj.Gidj.H(H(PWj.Nj).Gidj.RMuj').H.H(PWj.Nj)}_MKuj) =|>
       % smart card values
       State' := 2 /\ Ruj' := H(H(PWj.Nj).Gidj.RMuj')
                /\ secret({Ki}, subs1, {SN,BS})
                /\ secret({MKsi}, subs2, {SN,BS})
                /\ secret({RMuj'}, subs3, {U,BS})
                /\ secret({Kbs}, subs4, {SN,BS})
                /\ secret({APMj,Gidj}, subs5, {U,BS})
                /\ secret({PWj,Nj}, subs6, U)
                /\ T1' := new()
                /\ Snd(U.BS.Uj.H(H(H(PWj.Nj).Gidj.RMuj').T1').T1')
                /\ witness(U, BS, bob_server, T1')
    3. State = 2 /\ Rcv(BS.U.{Sj.Zj.SNi.H(SNi.Uj.Kbs.Ki)}_H(H(H(PWj.Nj).Gidj.RMuj').Uj.T1'.T2').T2'.T1') =|>
       State' := 3 /\ UKj' := H(Ruj.Uj.T1'.T2')
                /\ Kuj' := H(SNi.Uj.Kbs.Ki)
                /\ Snd(U.SN.SNi.Uj.Zj.Sj.{SNi.Uj.Ruj.Gidj.T1'.Sj.Zj}_Kuj'.H(T1'.Sj.Zj))
                /\ witness(U, SN, bob_alice, T1')
  end role

Figure 4 Role specification in HLPSL for the user U_j of our scheme.

  role server (BS, SN, U : agent,
               MKsi : symmetric_key,
               MKuj : symmetric_key,
               H : hash_func,
               Snd, Rcv : channel(dy))
  played_by BS
  def=
    local State : nat,
          RPWj, RMuj, Ruj, Kbs, Kuj, Sj, Zj, T2, APMj, Gidj, Nj, PWj, UKj : text,
          SNi, Uj, Ki, Ti, T1, M3 : text
    const alice_server, alice_bob, bob_server, bob_alice,
          subs1, subs2, subs3, subs4, subs5, subs6 : protocol_id
    init State := 0
    transition
    1. State = 0 /\ Rcv(SN.BS.SNi.Ti.{Ki.SNi.Ti}_MKsi) =|>
       State' := 1 /\ Kuj' := H(SNi.Uj.Kbs.Ki)
    2. State = 1 /\ Rcv(U.BS.{Uj.H(PWj.Nj).Gidj.RMuj'}_MKuj) =|>
       % user registration through secure channel
       State' := 2 /\ Ruj' := H(H(PWj.Nj).Gidj.RMuj')
                /\ Snd(BS.U.{Uj.Gidj.H(H(PWj.Nj).Gidj.RMuj').H.H(PWj.Nj)}_MKuj)
                /\ secret({Ki}, subs1, {SN,BS})
                /\ secret({MKsi}, subs2, {SN,BS})
                /\ secret({RMuj'}, subs3, {U,BS})
                /\ secret({Kbs}, subs4, {SN,BS})
                /\ secret({APMj,Gidj}, subs5, {U,BS})
                /\ secret({PWj,Nj}, subs6, U)
                /\ request(SN, BS, alice_server, Ti)
    3. State = 2 /\ Rcv(U.BS.Uj.H(H(H(PWj.Nj).Gidj.RMuj').T1').T1') =|>
       State' := 3 /\ M3' := xor(APMj, Gidj)
                /\ T2' := new()
                /\ UKj' := H(Ruj.Uj.T1'.T2')
                /\ Snd(BS.U.{Sj.Zj.SNi.Kuj}_UKj'.T2'.T1')
                /\ Snd(BS.SN.SNi.Uj.{SNi.Uj.M3'.Ruj.T1'.T2'}_MKsi.{SNi.Uj.Gidj.T1'}_Ki)
                /\ witness(BS, SN, alice_server, T2')
                /\ request(U, BS, bob_server, T1')
  end role

Figure 5 Role specification in HLPSL for the BS of our scheme.

Fig. 6 gives the role specification for the sensor node SN_i in HLPSL. In the post-deployment phase, the sensor node SN_i sends the message (SN_i, T_i, E_{MK_si}(K_i, SN_i, T_i)) to the BS. In the login phase, SN_i receives the message (SN_i, U_j, E_{MK_si}(SN_i, U_j, APM_j ⊕ Gid_j, R_Uj, T_1, T_2), E_{K_i}(SN_i, U_j, Gid_j, T_1)) from the BS. During the authentication phase, SN_i receives the authentication request message (SN_i, U_j, Z_j, S_j, E_{K_Uj}(SN_i, U_j, R_Uj, Gid_j, T_1, S_j, Z_j), H(T_1 || S_j || Z_j)) from the user U_j.
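The registration, login and authentication exchange that the three roles above encode, as an added Go example; it is not code from the paper or from the AVISPA model. It assumes SHA-256 for H(·) and AES-256-GCM for E_K(·) (the paper names AES but no mode). The ECC-derived values K_BS, S_j, Z_j and the privilege mask APM_j, whose construction is not reproduced in this section, are filled with random opaque byte strings, and the identifiers U1, G1, SN1, the password, the freshness window and the anti-replay set seenT1 are constructed for the example. The sensor recovers APM_j from the two BS tuples and the user's request only when every cross-check (timestamps, H(T_1 || S_j || Z_j), R_Uj and Gid_j) passes, and the BS rejects a replay of the login request (U_j, H(R_Uj || T_1), T_1):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

const window int64 = 5 // freshness bound on timestamps (assumption: the paper fixes no value)

// H models the one-way hash H(.) as SHA-256 over the concatenated fields (assumption).
func H(parts ...[]byte) []byte { h := sha256.New(); for _, p := range parts { h.Write(p) }; return h.Sum(nil) }

// gcm/seal/open model E_K(.) and its inverse as AES-256-GCM over a JSON-encoded tuple
// (assumption: the paper names AES but no mode). A sealed tuple is nonce || ciphertext || tag.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key []byte, v interface{}) []byte { pt, _ := json.Marshal(v); n := rnd()[:12]; return append(n, gcm(key).Seal(nil, n, pt, nil)...) }
func open(key, ct []byte, v interface{}) error {
	if len(ct) < 12 { return errors.New("short ciphertext") }
	pt, err := gcm(key).Open(nil, ct[:12], ct[12:], nil)
	if err != nil { return err }
	return json.Unmarshal(pt, v)
}
func rnd() []byte             { b := make([]byte, 32); rand.Read(b); return b }
func ts(t int64) []byte        { return []byte(fmt.Sprint(t)) }
func stale(t, now int64) bool { return now-t > window || t-now > window }
// xor computes APM_j xor Gid_j; the shorter Gid_j is repeated to the mask length (assumption).
func xor(a, b []byte) []byte { c := make([]byte, len(a)); for i := range a { c[i] = a[i] ^ b[i%len(b)] }; return c }

// Encrypted tuples, named after the messages of the HLPSL roles above.
type bsToUser struct{ SNi, Sj, Zj, KUj []byte }                         // E_UKj(SN_i, S_j, Z_j, K_Uj)
type bsToSensor struct{ SNi, Uj, MaskedAPM, RUj []byte; T1, T2 int64 }  // E_MKsi(SN_i, U_j, APM_j xor Gid_j, R_Uj, T1, T2)
type ticket struct{ SNi, Uj, Gidj []byte; T1 int64 }                    // E_Ki(SN_i, U_j, Gid_j, T1)
type userToSensor struct{ SNi, Uj, RUj, Gidj, Sj, Zj []byte; T1 int64 } // E_KUj(SN_i, U_j, R_Uj, Gid_j, T1, S_j, Z_j)

// K_BS, S_j, Z_j and APM_j come from the scheme's ECC setup, which this section does not reproduce;
// Demo fills them with random opaque strings (assumption). seenT1 records the T1 values already accepted.
type BS struct{ SNi, MKsi, Ki, KBS, Sj, Zj, APMj, Uj, Gidj, RUj []byte; seenT1 map[int64]bool }
type User struct{ Uj, Gidj, RUj []byte } // smart-card values the user needs after registration
type Sensor struct{ SNi, MKsi, Ki, KBS []byte }

// Registration over the secure channel: U_j sends (U_j, RPW_j, Gid_j, RM_Uj); the BS derives and returns R_Uj.
func register(bs *BS, uj, gidj, pw []byte) *User {
	rpwj := H(pw, rnd())                                   // RPW_j = H(PW_j || N_j) with a random N_j
	bs.Uj, bs.Gidj, bs.RUj = uj, gidj, H(rpwj, gidj, rnd()) // R_Uj = H(RPW_j || Gid_j || RM_Uj)
	return &User{uj, gidj, bs.RUj}
}

// Login: the BS checks (U_j, H(R_Uj||T1), T1) and answers with the tuples for U_j and for SN_i.
func (bs *BS) login(uj, tag []byte, t1, now int64) (toUser, toSensor, tkt []byte, t2 int64, err error) {
	if !bytes.Equal(uj, bs.Uj) || !bytes.Equal(tag, H(bs.RUj, ts(t1))) { return nil, nil, nil, 0, errors.New("login: unknown user or bad hash") }
	if stale(t1, now) || bs.seenT1[t1] { return nil, nil, nil, 0, errors.New("login: stale or replayed T1") }
	bs.seenT1[t1], t2 = true, now
	ukj := H(bs.RUj, uj, ts(t1), ts(t2)) // UK_j = H(R_Uj || U_j || T1 || T2)
	kuj := H(bs.SNi, uj, bs.KBS, bs.Ki)  // K_Uj = H(SN_i || U_j || K_BS || K_i)
	return seal(ukj, bsToUser{bs.SNi, bs.Sj, bs.Zj, kuj}),
		seal(bs.MKsi, bsToSensor{bs.SNi, uj, xor(bs.APMj, bs.Gidj), bs.RUj, t1, t2}),
		seal(bs.Ki, ticket{bs.SNi, uj, bs.Gidj, t1}), t2, nil
}

// Authentication request: U_j recomputes UK_j, recovers K_Uj and builds the message for SN_i.
func (u *User) authRequest(toUser []byte, t1, t2 int64) (c, tag, sj, zj []byte, err error) {
	var m bsToUser
	if err = open(H(u.RUj, u.Uj, ts(t1), ts(t2)), toUser, &m); err != nil { return }
	c = seal(m.KUj, userToSensor{m.SNi, u.Uj, u.RUj, u.Gidj, m.Sj, m.Zj, t1})
	return c, H(ts(t1), m.Sj, m.Zj), m.Sj, m.Zj, nil
}

// SN_i opens the two BS tuples, derives K_Uj, opens the user's request, cross-checks and recovers APM_j.
func (s *Sensor) authenticate(toSensor, tkt, c, tag, sj, zj []byte, now int64) ([]byte, error) {
	var (b bsToSensor; tk ticket; a userToSensor)
	if err := open(s.MKsi, toSensor, &b); err != nil { return nil, err }
	if err := open(s.Ki, tkt, &tk); err != nil { return nil, err }
	if err := open(H(s.SNi, b.Uj, s.KBS, s.Ki), c, &a); err != nil { return nil, err }
	if a.T1 != b.T1 || a.T1 != tk.T1 || stale(a.T1, now) || !bytes.Equal(tag, H(ts(a.T1), sj, zj)) ||
		!bytes.Equal(a.Sj, sj) || !bytes.Equal(a.Zj, zj) || !bytes.Equal(a.RUj, b.RUj) ||
		!bytes.Equal(a.Gidj, tk.Gidj) || !bytes.Equal(a.Uj, b.Uj) || !bytes.Equal(b.Uj, tk.Uj) {
		return nil, errors.New("authentication failed")
	}
	return xor(b.MaskedAPM, tk.Gidj), nil // APM_j = (APM_j xor Gid_j) xor Gid_j
}

// Demo runs one honest session and then replays its login request; it returns both outcomes.
func Demo() (apmRecovered, replayRejected bool) {
	sn := &Sensor{[]byte("SN1"), rnd(), rnd(), rnd()}
	bs := &BS{SNi: sn.SNi, MKsi: sn.MKsi, Ki: sn.Ki, KBS: sn.KBS, Sj: rnd(), Zj: rnd(), APMj: rnd(), seenT1: map[int64]bool{}}
	u := register(bs, []byte("U1"), []byte("G1"), []byte("correct horse")) // constructed identifiers
	t1 := int64(1000)
	toUser, toSensor, tkt, t2, err := bs.login(u.Uj, H(u.RUj, ts(t1)), t1, t1+1)
	if err != nil { return false, false }
	c, tag, sj, zj, err := u.authRequest(toUser, t1, t2)
	if err != nil { return false, false }
	apm, err := sn.authenticate(toSensor, tkt, c, tag, sj, zj, t1+2)
	_, _, _, _, rerr := bs.login(u.Uj, H(u.RUj, ts(t1)), t1, t1+3) // same (U_j, H(R_Uj||T1), T1) again
	return err == nil && bytes.Equal(apm, bs.APMj), rerr != nil
}

func main() { fmt.Println(Demo()) }
```

The sensor never holds R_Uj or Gid_j long term: both arrive in the BS tuples of the current login and are compared against the copies inside the user's request, which is what lets the BS-side timestamps T_1 and T_2 bind the three messages of one session together.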

witness(A, B, id, E) declares a (weak) authentication property of A by B on E: agent A is a witness for the information E, and the goal is identified by the constant id in the goal section. request(B, A, id, E) demands a strong authentication property of A by B on E: agent B requests a check of the value E, and the goal is identified by the constant id in the goal section. The intruder is always denoted by i.

Finally, the HLPSL specifications of the session, goal and environment roles are given in Figs. 7 and 8. In the session role, all of the basic roles, alice, server and bob, are instantiated with concrete arguments. The top-level role (environment) is always defined in an HLPSL specification. It contains the global constants and a composition of one or more sessions, in which the intruder may play some roles as a legitimate user. The intruder also participates in the execution of the protocol as a concrete session.

The current version of HLPSL supports the standard authentication and secrecy goals. In our scheme, six secrecy goals and four authentication goals are verified. We simulated our scheme with the OFMC and CL-AtSe back-ends using the AVISPA web tool (AVISPA, 2013). The simulation results are shown in Figs. 9 and 10 and are summarized as follows:

• OFMC reports that the protocol is safe.

• CL-AtSe reports that the protocol is safe.

  role session(SN, BS, U : agent,
               MKsi : symmetric_key,
               MKuj : symmetric_key,
               H : hash_func)   % H is the hash function
  def=
    local US, UR, SS, SR, VS, VR : channel(dy)
    composition
      alice(SN, BS, U, MKsi, H, US, UR)
      /\ server(BS, SN, U, MKsi, MKuj, H, SS, SR)
      /\ bob(U, BS, SN, MKsi, MKuj, H, VS, VR)
  end role

Figure 7 Role specification in HLPSL for the session of our scheme.

  role alice (SN, BS, U : agent,
              MKsi : symmetric_key,
              H : hash_func,
              Snd, Rcv : channel(dy))
  played_by SN
  def=
    local State : nat,
          SNi, Ti, Ki, Kbs : text,
          Uj, APMj, Gidj, RPWj, RMuj, T1, T2, Sj, Zj, Ruj, Kuj, Nj, PWj, UKj : text
    const alice_server, alice_bob, bob_server, bob_alice,
          subs1, subs2, subs3, subs4, subs5, subs6 : protocol_id
    init State := 0
    transition
    1. State = 0 /\ Rcv(start) =|>
       State' := 1 /\ Ti' := new()
                /\ secret({Ki}, subs1, {SN,BS})
                /\ secret({MKsi}, subs2, {SN,BS})
                /\ secret({RMuj}, subs3, {U,BS})
                /\ secret({Kbs}, subs4, {SN,BS})
                /\ secret({APMj,Gidj}, subs5, {U,BS})
                /\ secret({PWj,Nj}, subs6, U)
                /\ Snd(SN.BS.SNi.Ti'.{Ki.SNi.Ti'}_MKsi)
                /\ witness(SN, BS, alice_server, Ti')
    2. State = 1 /\ Rcv(BS.SN.SNi.Uj.{SNi.Uj.xor(APMj,Gidj).H(H(PWj.Nj).Gidj.RMuj').T1'.T2'}_MKsi.{SNi.Uj.Gidj.T1'}_Ki) =|>
       State' := 2 /\ request(BS, SN, alice_server, T2')
    3. State = 2 /\ Rcv(U.SN.SNi.Uj.Zj.Sj.{SNi.Uj.H(H(PWj.Nj).Gidj.RMuj').Gidj.T1'.Sj.Zj}_H(SNi.Uj.Kbs.Ki).H(T1'.Sj.Zj)) =|>
       State' := 3 /\ request(U, SN, bob_alice, T1')
  end role

Figure 6 Role specification in HLPSL for the sensor node SN_i of our scheme.

    const alice_server, alice_bob, bob_server, bob_alice,
          subs1, subs2, subs3, subs4, subs5, subs6 : protocol_id
    intruder_knowledge = {u, bs, sn, h, uj, sni}

Figure 8 Role specification in HLPSL for the goal and environment of our scheme.

Thus, it is clear that our scheme is secure against passive and active attacks, including the replay and man-in-the-middle attacks.

  % OFMC
  % Version of 2006/02/13
  SUMMARY
    SAFE
  DETAILS
    BOUNDED_NUMBER_OF_SESSIONS
  PROTOCOL
    /home/avispa/web-interface-computation/./tempdir/workfileu1mRmM.if
  GOAL
    as_specified
  BACKEND
    OFMC
  COMMENTS
  STATISTICS
    parseTime: 0.00s
    searchTime: 5.18s
    visitedNodes: 472 nodes
    depth: 9 plies

Figure 9 The result of the analysis using OFMC.

  SUMMARY
    SAFE
  DETAILS
    BOUNDED_NUMBER_OF_SESSIONS
    TYPED_MODEL
  PROTOCOL
    /home/avispa/web-interface-computation/./tempdir/workfileu1mRmM.if
  GOAL
    As Specified
  BACKEND
    CL-AtSe
  STATISTICS
    Analysed   : 15 states
    Reachable  : 15 states
    Translation: 0.25 seconds
    Computation: 0.00 seconds

Figure 10 The result of the analysis using CL-AtSe.

6. Performance comparison with other related schemes

This section compares the performance of our scheme with relevant existing access control schemes, namely Mahmud et al.'s scheme (Mahmud and Morogan, 2012), Wang et al.'s scheme (Wang et al., 2006) and Le et al.'s scheme (Le et al., 2009).

6.1. Comparison of computational costs

We use the notations listed in Table 8 for the computational cost comparison between our scheme and the other schemes. t_ecm, t_eca, t_i, t_add, t_mul, t_h, t_enc, t_dec, t_ecenc, t_ecdec, t_mac, t_siggen and t_sigver denote the time taken for one ECC point multiplication over the finite field GF(2^163), one ECC point addition over GF(2^163), one modular inverse over GF(2^163), one modular addition over GF(2^163), one modular multiplication over GF(2^163), one hashing operation H(·), one AES encryption, one AES decryption, one ECC encryption over GF(2^163), one ECC decryption over GF(2^163), one MAC operation, one ECC signature generation over GF(2^163), and one ECC signature verification over GF(2^163), respectively. For simplicity, we take the time for one MAC operation to be that of one hashing operation. The quantitative analysis of Koblitz et al. (2000) shows that an elliptic curve point multiplication requires approximately 1200 field multiplications; an elliptic curve point addition requires one field inversion and two field multiplications; a field inversion requires approximately three field multiplications; elliptic curve encryption and decryption require approximately 2405 and 1205 field multiplications, respectively (DeWin et al., 1996; Schroeppel et al., 1995); and the cost of a field addition is negligible. Furthermore, a 1024-bit modular multiplication takes 41 times longer than a field multiplication in GF(2^163). The results of Wong et al. (2001) give the speeds of AES encryption and decryption, of the SHA-1 hash function and of 1024-bit modular multiplication. Table 8 lists the time complexity of the various operations in terms of t_mul according to the analysis results reported in Wu and Chen (2012).

Table 8 Time complexity of various operations in terms of t_mul.

  t_ecm ≈ 1200 t_mul      t_eca ≈ 5 t_mul            t_i ≈ 3 t_mul
  t_add is negligible     t_h ≈ 0.36 t_mul           t_mac ≈ t_h
  t_enc ≈ 0.15 t_mul      t_dec ≈ 0.15 t_mul         t_ecenc ≈ 2405 t_mul
  t_ecdec ≈ 1205 t_mul    t_siggen ≈ 1204.36 t_mul   t_sigver ≈ 2405.36 t_mul

We have compared the computational complexity using both formulated results and a rough quantitative analysis in Table 9 for different phases: the registration, login and authentication phases of Le et al. (2009), Wang et al. (2006), Mahmud and Morogan (2012), and our scheme. It is clear that, compared with the other existing schemes, the computational cost of our scheme is significantly lower. Thus, our scheme is more suitable for resource-constrained sensor nodes.

6.2. Comparison of communication costs

In Table 10, we compare the communication costs of our scheme and the other related schemes (Le et al., 2009; Wang et al., 2006; Mahmud and Morogan, 2012) in terms of the total number of bits and the total number of packets transmitted during all phases. The table shows that our scheme requires six message transmissions in total; of these, a sensor node itself has to transmit only one message (in the post-deployment phase), whereas in the other schemes a sensor node transmits several messages (see Table 11). As a result, our scheme is significantly more efficient in terms of communication costs than the other related schemes.

Table 9 Comparison of computational costs for different phases in different access control schemes (t_mac ≈ t_h, Table 8).

  Cost item | Le et al. (2009) | Wang et al. (2006) | Mahmud and Morogan (2012) | Ours
  Sensor node SN_i (login + authentication) | 3t_mac + t_h | t_eca + 3t_ecm + t_h + 2t_mac | 2t_h + t_siggen + 2t_sigver | 3t_h + t_ecm + 3t_dec
  User U_j and BS (registration, login + authentication) | 3t_h + 3t_mac + 2t_ecm + 4t_sigver | t_h + 2t_mac + 4t_ecm + t_eca + t_mul | 2t_h + t_siggen | 2t_h (registration: t_h each for U_j and the BS) + 9t_h + 2t_ecm + t_eca + 4t_enc + t_dec (login + authentication)
  Total cost | 4t_h + 6t_mac + 2t_ecm + 4t_sigver | 2t_h + 4t_mac + 7t_ecm + 2t_eca + t_mul | 4t_h + 2t_siggen + 2t_sigver | 14t_h + 3t_ecm + t_eca + 4t_enc + 4t_dec
  Rough estimate | 12025.04 t_mul | 8413.16 t_mul | 7220.88 t_mul | 3611.24 t_mul

Table 10 Comparison of communication costs between the proposed scheme and the other schemes.

  Scheme | I1 | I2 | I3
  Le et al. (2009) | 2208 | 7 | 7
  Mahmud and Morogan (2012) | 1132 | 5 | 5
  Wang et al. (2006) | 2544 | 6 | 6
  Ours | 1400 | 6 | 6

I1: total number of bits transmitted in the messages of all phases; I2: total number of packets transmitted during all phases; I3: total number of message transmissions during all phases.

We further calculated the total number of bits required for all of the messages during all phases of each access control scheme. We also calculated the number of packets required to transmit a message with the CC2420 transceiver (CC2420: 2.4 GHz IEEE 802.15.4, 2011), which supports a packet size of 128 bytes, i.e., 1024 bits. The results in Table 10 show that our scheme is also efficient compared with the other related schemes.

6.3. Comparison of energy costs

Because sensor nodes are resource-constrained, we primarily consider the energy cost of a sensor node during the login and authentication phases. Table 11 compares this cost for our scheme, Le et al.'s scheme (Le et al., 2009), Mahmud-Morogan's scheme (Mahmud and Morogan, 2012) and Wang et al.'s scheme (Wang et al., 2006). As in Chatterjee et al. (in press) and Das et al. (2012b), the energy cost of a sensor node covers both the computation and the communication it performs during the login and authentication phases. In wireless communication, the energy of a sensor node goes primarily towards the transmission and reception of messages/packets rather than computing. Because in our scheme a sensor node transmits no message or packet during the login and authentication phases, whereas in the other schemes it transmits two or three, the energy spent by sensor nodes is significantly lower in our scheme.

Table 11 Comparison of energy costs of a sensor node during the login and authentication phases between our scheme and other schemes.

  Scheme | Sensor node's energy cost
  Le et al. (2009) | three MAC operations + one hash operation + three message transmissions
  Wang et al. (2006) | one ECC point addition + three ECC point multiplications + one hash operation + two MAC operations + three message transmissions
  Mahmud and Morogan (2012) | two hash operations + one ECC signature generation + two ECC signature verifications + two message transmissions
  Ours | three hash operations + one ECC point multiplication + three symmetric-key decryptions + no message transmissions

6.4. Comparison of functionality

This section compares the functionality of our scheme with the schemes of Le et al. (2009), Wang et al. (2006) and Mahmud and Morogan (2012) in Table 12. Le et al.'s scheme (Le et al., 2009) is based on ECC; it supports session key establishment and mutual authentication between the user and the sensor node, but it supports neither a user's password change nor a dynamic sensor node addition phase after initial deployment. Wang et al.'s scheme (Wang et al., 2006) also uses ECC as its cryptographic technique; it supports session key establishment and mutual authentication between the user and the sensor node, but not a user's password change or a dynamic sensor node addition phase after initial deployment. Mahmud-Morogan's scheme (Mahmud and Morogan, 2012) is based on an identity-based signature (IBS) approach with ECC. As in the other schemes, it supports session key establishment and mutual authentication between the user and the sensor node, but it does not support a user's password change or a dynamic sensor node addition phase after initial deployment. Our scheme uses a hybrid approach of ECC and a symmetric-key cryptosystem (AES) for communication and computational efficiency. It supports session key establishment and mutual authentication between the user and the sensor node. In addition, our scheme supports a user's password change and a dynamic sensor node addition phase after initial deployment, which are important requirements for an ideal user access control scheme designed for WSNs. Furthermore, our scheme provides mutual authentication between the BS and the sensor nodes.

Table 12 Comparison of functionality analysis between the proposed scheme and the other schemes.

  Feature | Le et al. (2009) | Wang et al. (2006) | Mahmud and Morogan (2012) | Ours
  Cryptographic technique | ECC | ECC | IBS with ECC | Hybrid (ECC with symmetric-key cryptosystem)
  Session key establishment | Supported | Supported | Supported | Supported
  User password change | Not available | Not available | Not available | Supported
  Dynamic sensor node addition | Not available | Not available | Not available | Supported
  Mutual authentication between user and sensor node | Supported | Supported | Supported | Supported

7. Conclusion

This paper proposed a new user access control scheme suitable for wireless body area networks in healthcare and patient monitoring applications. The proposed scheme allows a user to authenticate to a sensor node inside a WBAN under specific access privileges. After successful authentication, the user and the sensor node from which the user wants to access real-time data establish a secret session key between them, which the user can later use to contact the sensor node for real-time data inside the WBAN. Our scheme provides unconditional security against the node capture attack and also prevents other known attacks such as the denial-of-service, masquerade, stolen-verifier, many logged-in users with the same login-ID, replay, privileged insider, smart card breach and man-in-the-middle attacks. Using the AVISPA tool, we showed that our scheme is secure against both passive and active attacks, including the replay and man-in-the-middle attacks. Our scheme also supports features that the other existing schemes lack: the user can freely and locally change the password without contacting the BS, and sensor nodes can be added dynamically after initial deployment without updating the stored information in the user's smart card for accessing real-time data from the added/replaced sensor nodes. Our scheme is also efficient in terms of communication, computation, storage and energy overheads. Overall, the higher security and the lower communication and computational costs make our scheme much more appropriate for practical applications in the emerging healthcare field than the other existing approaches.

Acknowledgements

The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor-in-Chief, which have improved the content and the presentation of this paper.

References

Advanced Encryption Standard, 2007. FIPS PUB 197, National Institute of Standards and Technology (NIST), US Department of Commerce (November 2001). <http://csrc.nist.gov/publications/ fips/fips197/fips-197.pdf>.

Alemdar, H., Ersoy, C., 2010. Wireless sensor networks for healthcare: a survey. Computer Networks 54 (15), 2688-2710.

Ameen, M. Al., Liu, J., Kwak, K., 2012. Security and privacy issues in wireless sensor networks for healthcare applications. Journal of Medical Systems 36 (1), 93-101.

Armando, A. et al., 2005. The AVISPA tool for the automated validation of internet security protocols and applications. In: Computer Aided Verification (CAV), LNCS, vol. 3576, pp. 281-285.

Atmel Corporation. Available from: <http://www.atmel.com> (accessed November 2010).

Aumasson, J.P., Henzen, L., Meier, W., Plasencia, M.N., 2010. Quark: a lightweight hash. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES 2010), LNCS, vol. 6225, pp. 1-15.

AVISPA. AVISPA Web Tool. <http://www.avispa-project.org/web-interface/expert.php/> (accessed January 2013).

Basin, D., Modersheim, S., Vigano, L., 2005. OFMC: a symbolic model checker for security protocols. International Journal of Information Security 4 (3), 181-208.

Carman, D.W., Kruus, P.S., Matt, B.J., 2001. Constraints and approaches for distributed sensor network security (Dated September 1, 2000). NAI Labs Technical Report No. 00-010.

CC2420:2.4 GHz IEEE 802.15.4/ ZigBee-Ready RF Transceiver. Available from: <http://www.ti.com/product/cc2420> (accessed September 2011).

Chatterjee, S., Das, A.K., Sing, J.K., in press. An enhanced access control scheme in wireless sensor networks. Ad Hoc & Sensor Wireless Networks.

Das, A.K., 2009. An unconditionally secure key management scheme for large-scale heterogeneous wireless sensor networks. In: First International Conference on Communication Systems and Networks (COMSNETS 2009), pp. 1-10.

Das, M.L., 2009. Two-factor user authentication in wireless sensor networks. IEEE Transactions on Wireless Communications 8 (3), 1086-1090.

Das, A.K., 2012. A random key establishment scheme for multi-phase deployment in large-scale distributed sensor networks. International Journal of Information Security 11 (3), 189-211.

Das, A.K., 2013. A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Networking Science 2 (1-2), 12-27.

Das, A.K., Paul, N.R., Tripathy, L., 2012a. Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Information Sciences 209, 80-92.

Das, A.K., Sharma, P., Chatterjee, S., Sing, J.K., 2012b. A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. Journal of Network and Computer Applications 35 (5), 1646-1656.

Das, A.K., Massand, A., Patil, S., 2013. A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University - Computer and Information Sciences 25 (2), 219-228.

DeWin, E., Bosselaers, A., Vandenberghe, S., De Gersem, P., Vandewalle, J., 1996. A fast software implementation for arithmetic operations in GF (2n). In: Proceedings of Advances in Cryptology - ASIACRYPT '96. Lecture Notes in Computer Science, vol. 1163. Springer-Verlag, pp. 65-76.

Diffie, W., Hellman, M.E., 1976. New directions in cryptography. IEEE Transactions on Information Theory 22, 644-654.

Dolev, D., Yao, A., 1983. On the security of public key protocols. IEEE Transactions on Information Theory 29 (2), 198-208.

Fan, R., Ping, L.-D., Fu, J.-Q., Pan, X.-Z., 2010. A secure and efficient user authentication protocol for two-tiered wireless sensor networks. In: Second Pacific-Asia Conference on Circuits, Communications and System (PACCS'10), pp. 425-428.

Ghasemzadeh, H., Jafari, R., 2011. Physical movement monitoring using body sensor networks: a phonological approach to construct spatial decision trees. IEEE Transactions on Industrial Informatics 7 (1), 66-77.

Gura, N., Patel, A., Wander, A., Eberle, H., Shantz, S.C., 2004. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In: Proceedings of Sixth International Workshop on Cryptographic Hardware and Embedded Systems (CHES'04).

He, D., Bu, J., Zhu, S., Chan, S., Chen, C., 2011. Distributed access control with privacy support in wireless sensor networks. IEEE Transactions on Wireless Communications 10, 3473-3481.

Johnson, D., Menezes, A., 1999. The Elliptic Curve Digital Signature Algorithm (ECDSA). Technical Report CORR 99-34, Dept. of C & O, University of Waterloo, Canada, August 23, 1999.

Klaoudatou, E., Konstantinou, E., Kambourakis, G., Gritzalis, S., 2011. A survey on cluster-based group key agreement protocols for WSNs. IEEE Communications Surveys and Tutorials 13 (3), 429-442.

Koblitz, N., 1987. Elliptic curves cryptosystems. Mathematics of Computation 48, 203-209.

Koblitz, N., Menezes, A., Vanstone, S.A., 2000. The state of elliptic curve cryptography. Designs, Codes and Cryptography 19 (2-3), 173-193.

Kwak, K.S., Ameen, M.A., Kwak, D., Lee, C., Lee, H., 2009. A study on proposed IEEE 802.15 WBAN MAC Protocols. In: Proceedings of ICCIT'09.

Latre, B., Braem, B., Moerman, I., Blondia, C., Demeester, P., 2011. A survey on wireless body area networks. Wireless Networks 17 (1), 1-18.

Le, X.H., Lee, S., Butun, I., Khalid, M., Sankar, R., Kim, M., Han, M., Lee, Y.-K., Lee, H., 2009. An energy-efficient access control scheme for wireless sensor networks based on elliptic curve cryptography. Journal of Communications and Networks 11 (6), 599-606.

Liang, X., Li, X., Shen, Q., Lu, R., Lin, X., Shen, X., Zhuang, W.,

2012. Exploiting prediction to enable Secure and Reliable routing in wireless body area networks. In: INFOCOM 2012, pp. 388396.

Liao, H.Z., Shen, Y.Y., 2006. On the elliptic curve digital signature algorithm. Tunghai Science 8, 109-126.

Li, M., Lou, W., Ren, K., 2010. Data security and privacy in wireless body area networks. IEEE Wireless Communications, 51-58.

Mahmud, A. Al., Morogan, M.C., 2012. Identity-based authentication and access control in wireless sensor networks. International Journal of Computer Applications 41 (13), 18-24.

Malan, D.J., Welsh, M., Smith, M.D., 2004. A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. In: Proceedings of First IEEE International Conference on Sensor and Ad Hoc Communications and Networks (SEC0N'04), Santa Clara, California, USA.

Manuel, S., 2011. Classification and generation of disturbance vectors for collision attacks against SHA-1. Designs, Codes and Cryptography 59 (1-3), 247-263.

Odelu, V., Das, A.K., Goswami, A., 2013. An effective and secure keymanagement scheme for hierarchical access control in e-medicine system. Journal of Medical Systems 37 (2), 1-18.

Otto, C., Milenkovic, A., Sanders, C., Jovanov, E., 2006. System architecture of a wireless body area sensor network for ubiquitous health monitoring. Journal of Mobile Multimedia 1 (4), 307-326.

Rivest, R.L., Shamir, A., Adleman, L.M., 1978. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21, 120-126.

Rivest, R.L., Hellman, M.E., Anderson, J.C., Lyons, J.W., 1992. Responses to NIST's proposal. Communications of the ACM 35 (7), 41-54.

Sarkar, P., 2010. A simple and generic construction of authenticated encryption with associated data. ACM Transactions on Information and System Security 13 (4), 33.

Schroeppel, R., Orman, H., O'Malley, S., Spatscheck, O., 1995. Fast key exchange with elliptic curve systems. In: Proceedings of Advances in Cryptology - CRYPTO '95. Lecture Notes in Computer Science, vol. 963. Springer-Verlag, pp. 43-56.

Secure Hash Standard. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), US Department of Commerce, April 1995.

Seyedi, M., Kibret, B., Lai, D., Faulkner, M., 2013. A survey on intrabody communications for body area network applications. IEEE Transactions on Biomedical Engineering.

Singelee, D., Latre, B., Braem, B., Peeters, M., Soete, M.D., Cleyn, P.D., Preneel, B., Moerman, I., Blondia, C., 2008. A secure crosslayer protocol for multi-hop wireless body area networks. In: Proceedings of 7th International Conference on Ad-hoc, Mobile and Wireless Networks (ADHOC-NOW 2008), LNCS 5198.

Stallings, W., 2003. Cryptography and Network Security: Principles and Practices, 3rd ed. Prentice Hall.

Stinson, D.R., 2006. Some observations on the theory of cryptographic hash functions. Designs, Codes and Cryptography 38 (2), 259-277.

Venkatasubramanian, K.K., Banerjee, A., Gupta, S.K.S., 2010. PSKA: usable and secure key agreement scheme for body area networks. IEEE Transactions on Information Technology in Biomedicine 14 (1), 60-68.

von Oheimb, D., 2005. The high-level protocol specification language HLPSL developed in the EU project AVISPA. In: Proceedings of APPSEM Workshop.

Wang, H., Sheng, B., Li, Q., 2006. Elliptic curve cryptography-based access control in sensor networks. International Journal of Security and Networks 1 (3/4), 127-137.

Wang, H., Sheng, B., Tan, C.C., Li, Q., 2008. Comparing symmetric-key and public-key based security schemes in sensor networks: a case study of user access control. In: Proceedings of 28th International Conference on Distributed Computing Systems.

Watro, R., Kong, D., Cuti, S., Gardiner, C., Lynn, C., Kruus, P., 2004. TinyPK: securing sensor networks with public key technology. In Proceedings of the 2nd ACM Workshop on Security of ad hoc and Sensor Networks (SASN'04), Washington, DC, USA, October 2004, pp. 59-64.

Wen, M., Lei, J., Li, J., Wang, Y., Chen, K., 2011. Efficient user access control mechanism for wireless multimedia sensor networks. Journal of Computational Information Systems 7 (9), 3325-3332.

Wong, D.S., Fuentes, H.H., Chan, A.H., 2001. The performance measurement of cryptographic primitives on palm devices. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), pp. 92-101.

Wu, S., Chen, K., 2012. An efficient key-management scheme for hierarchical access control in e-medicine system. Journal of Medical Systems 36 (4), 2325-2337.

Zhang, Z., Wang, H., Vasilakos, A.V., Fang, H., 2012. ECG-Cryptography and Authentication in Body Area Networks. IEEE Transactions on Information Technology in Biomedicine 16 (6), 1070-1078.

Zois, D.S., Levorato, M., Mitra, U., 2012. A POMDP framework for heterogeneous sensor selection in wireless body area networks. In: INFOCOM 2012, pp. 2611-2615.