Security Analysis on an Improved Anonymous Authentication Protocol for Wearable Health Monitoring Systems

The wearable health monitoring system (WHMS) plays a significant role in how medical experts collect and use patient medical data. Thanks to progress in wireless sensor networks, the WHMS is becoming more popular than in the past through mobile devices. However, because the health data handled by the WHMS are privacy-sensitive, they must be protected from malicious access when transmitted wirelessly. Jiang et al. proposed a two-factor authentication protocol suitable for WHMSs using a fuzzy verifier. However, Jiaqing Mo et al. revealed that the protocol proposed by Jiang et al. had various security vulnerabilities and proposed an authentication protocol with improved security and guaranteed anonymity for WHMSs. In this paper, we analyse the authentication protocol proposed by Jiaqing Mo et al. and identify problems with offline identity and password guessing attacks, operation process bit mismatch, no perfect forward secrecy, no mutual authentication and insider attacks.


I. INTRODUCTION
Electronic health systems depend on wireless communication, authentication protocols, low-power sensors and the security solutions built on authentication protocols [1][2][3][4][5][6][7][8]. Wireless sensor networks (WSNs), which play a significant role in e-health, detect, measure, collect or record patient information on a medical server for physician diagnosis. The wearable health monitoring system (WHMS) has received considerable attention for its mobility, adaptability and operating cost [9,10,11,12]. The WHMS detects, measures and collects patient physiological data with WSN nodes inserted or embedded within the patient's body. After the health status has been monitored, the information is transmitted through wireless channels to medical institutions to help manage it. Remote doctors can evaluate the health status through data such as heart rate, blood pressure and body temperature.
The WHMS is simple and efficient for medical professionals, and patients receive many benefits from it. However, the collected data are transmitted over an insecure wireless channel, so security and privacy concerns exist. Therefore, a robust authentication mechanism must be designed to protect patients' physiological data, whose security is critical. If an adversary modifies a patient's data, the doctor will misdiagnose the patient based on incorrect data; in addition, disclosed data are highly likely to be used for malicious and illegal purposes. To prevent this, medical personnel must prove that they are legitimate users before accessing a patient's physiological data from the patient's wearable sensor. Even if an adversary eavesdrops on the messages passing through the gateway of the WHMS, the identity and password of the medical personnel must not be disclosed. A session key must also be established between the sensor node on the patient's body and the medical personnel for future secure communication.
Kumar et al. [13] proposed a user authentication protocol, E-SAP, in 2012 to monitor patient physiological data in medical WSNs and argued that the protocol was secure against known attacks. However, He et al. [14] and Khan and Kumari [15] found security vulnerabilities, such as a lack of user anonymity and a password guessing attack, in Kumar et al.'s scheme. The authors of [16], [17] and [18] individually found that the scheme by He et al. [14] has security problems such as offline guessing attacks, denial-of-service (DoS) attacks, most attacks and sensor node capture attacks, and each proposed an enhanced version that is safer than the previous proposal to close these loopholes. Das et al. [20] pointed out various security flaws, such as a lack of user anonymity, privileged insider attacks and sensor capture attacks, in the protocol by Li et al. [21] and proposed an improved framework based on biometric recognition. Amin et al. [19] proposed a mutual authentication protocol providing user anonymity in the WHMS and stated that the system was secure against various known attacks. However, Jiang et al. [22] revealed that the protocol has various vulnerabilities, such as desynchronisation attacks, sensor key exposure and stolen mobile device attacks. Jiang et al. proposed an enhanced authentication protocol using a smart card and password [22,23]. Their protocol used quadratic residues, a fuzzy verifier [24] and timestamp mechanisms to secure the scheme by Amin et al. In addition, their security analysis showed that their scheme achieves the desired security properties.
Separately, Challa et al. [25] proposed an enhanced three-factor (password, smart card and biometric) authentication scheme for healthcare WSNs to improve the security of the scheme proposed by Liu and Chung [26]. However, because this method requires the user to communicate directly with the remote sensor, it greatly increases the sensor's power consumption and rapidly reduces its lifespan; therefore, their scheme cannot be applied to healthcare WSNs. Ali et al. [27] proposed a three-factor protocol providing anonymity that improves the scheme by Amin et al. [19] to counter security threats such as user impersonation attacks, offline password guessing attacks and known session-specific temporary information attacks. Shen et al. [28] presented a multilayer authentication protocol using ECC in WBANs (wireless body area networks) to improve the security of authentication and to compute group key generation between sensors and mobile devices. Li et al. [29] proposed an efficient authentication scheme for a centralised two-hop WBAN that maintains anonymity and unlinkability in data transmission. Shen et al. [30] proposed an ECC-based authentication protocol using a public key signature scheme for WBANs. However, according to [31,32], authentication schemes of this type, which exchange only two rounds of messages, are likely to fail to provide perfect forward secrecy.
Jiaqing Mo et al. analysed the protocol proposed by Jiang et al. [22] and discovered that it was not as secure as claimed. Although Jiang et al.'s scheme uses a fuzzy verifier to block offline password guessing attacks, it remains vulnerable to privileged insider attacks, which lead to user impersonation attacks. Unfortunately, the scheme by Jiang et al. [22] is also subject to known session-specific temporary information (KSSTI) attacks; thus, their protocol is as vulnerable to sensor key disclosure as before. In addition, their protocol is vulnerable to DoS attacks. To solve these problems, Jiaqing Mo et al. proposed an authentication scheme with improved security and guaranteed anonymity for WHMSs. However, in this paper, we analyse the authentication protocol proposed by Jiaqing Mo et al. and discover problems with offline identity and password guessing attacks, operation process bit mismatch, no perfect forward secrecy, no mutual authentication and insider attacks.
The rest of this paper is organised as follows. Section 2 describes the notation and adversary model used in this paper. Section 3 describes the operation process of the authentication protocol with improved security and guaranteed anonymity for the WHMS proposed by Jiaqing Mo et al. Section 4 describes the vulnerabilities found by conducting a security analysis of the protocol proposed by Jiaqing Mo et al. Finally, Section 5 concludes this paper.

A. Summary of Symbols
Symbols used in the paper's operation process are shown in Table I.

B. Adversary Model
An adversary's capabilities are an essential part of an adversary model. In this paper, the adversary is assumed to have the following capabilities.
• An adversary has complete control of the open channel and can insert, intercept, eavesdrop on, delete and modify the messages exchanged over it [33,34].
• An adversary can extract all data (i.e. secret keys and random numbers) stored in a mobile device once the adversary obtains a user's lost mobile device [35,36].
• An adversary can guess ID_i and PW_i offline by enumerating the pairs in the Cartesian product D_ID × D_PW within polynomial time. Here, D_ID is the identity space and D_PW is the password space [31,37].
• The secret keys and random numbers of each party are sufficiently large that the adversary cannot guess them correctly within polynomial time.
• An insider adversary may obtain a user's registration request message and may access the verification table [38,39].

A. Setting Step
The registration center GWN selects two large primes and , computes , and maintains the private key .

B. Medical Professional Registration
Step 1) enters own and , a random nonce , and computes ; then sends { , } to the gateway through a secure channel.

C. Patient Registration Step
This step is almost identical to Jiang et al.'s scheme [22].
1) The patient delivers the ID to the registration center.
2) The registration center selects the appropriate sensor kit and assigns a professional.
3) The registration center calculates for as a secret key between GWN and the sensor node. The registration center then delivers the patient's relevant information to the designated specialist.

D. The Login and Authentication Step
Through this step, the protocol provides mutual authentication and generates a session key between and for future communication. terminates the current connection. If they are the same, can believe that both GWN and are legitimate. Then and can communicate securely in the future using the session key. The login and authentication steps are summarised in Fig. 1.

IV. SECURITY ANALYSIS OF JIAQING MO ET AL.'S PROTOCOL
This paper analysed the operation process of Jiang et al.'s protocol and found various vulnerabilities: an off-line ID/PW guessing attack, operation process bit mismatch, no perfect forward secrecy, no mutual authentication and an insider attack.

A. Off-line ID, PW Guessing Attack
In Jiaqing Mo et al.'s proposed protocol, when an adversary acquires a mobile device (MD), the adversary can extract the information stored in the MD and then find out the user's ID and PW. The information { , , , , , } is sent to the MD through the secure channel of the GWN. Thereafter, the MD calculates and updates and . Finally, the information { , , , , , , } is stored in the MD. Assuming that an adversary extracts this information through physical analysis, the ID and password can be derived from the formula .
Rearranging the above formula, the adversary knows all of { , , , } except the ID and PW. The adversary repeatedly performs the verification, changing the candidate values, until the user's ID and PW are found. Ultimately, the user's exact ID and PW are recovered. The process of the ID/PW guessing attack is summarised in Fig. 2.

B. Operation Process Bit Mismatch
XOR operations are used throughout Jiaqing Mo et al.'s protocol, and the two operands of an XOR must have the same number of bits. However, in Jiaqing Mo et al.'s protocol the numbers of bits do not match in some XOR operations, which causes a problem. A hash function receives a message of arbitrary length and outputs a hash value of fixed length. Unlike cryptographic algorithms, hash functions do not use keys, so the same input always produces the same output; they are used to provide integrity, i.e. to detect errors or alterations in messages. The random nonces used in the formula are usually large random numbers of 128 bits or more, whereas passwords are very short by comparison. That is, the length of the random nonce and the length of the password cannot be the same. Therefore, the XOR operation in Jiaqing Mo et al.'s protocol is problematic because of the mismatch in the number of bits.
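As an added illustration (not code from the original paper or from Mo et al.'s protocol), the following Python shows how such a length mismatch surfaces in an implementation: a naive byte-wise XOR silently truncates to the shorter operand, while hashing the password to a fixed-length digest before masking makes the operand lengths agree. The password, salt and nonce values are constructed for the example.

```python
import hashlib
import secrets


def xor_truncating(a: bytes, b: bytes) -> bytes:
    """Naive XOR: zip() stops at the shorter operand, so a 9-byte password
    XORed with a 32-byte nonce yields 9 bytes and 23 nonce bytes are lost.
    This is how the operation-process bit mismatch shows up in code."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_strict(a: bytes, b: bytes) -> bytes:
    """XOR that refuses operands of different length instead of truncating."""
    if len(a) != len(b):
        raise ValueError(f"XOR length mismatch: {len(a)} vs {len(b)} bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def password_digest(pw: bytes, salt: bytes) -> bytes:
    """Fixed 32-byte value derived from a variable-length password; a hash
    output always has the same length regardless of the input length."""
    return hashlib.sha256(salt + pw).digest()


def mask_password(pw: bytes, salt: bytes, nonce: bytes) -> bytes:
    """Length-safe masking: hash first, then XOR with a 32-byte nonce."""
    return xor_strict(password_digest(pw, salt), nonce)


def unmask_password_digest(masked: bytes, nonce: bytes) -> bytes:
    """Recovers the password digest (not the password itself) from the mask."""
    return xor_strict(masked, nonce)


def demo() -> int:
    # Constructed sample values: a short password and a 256-bit nonce.
    pw, salt, nonce = b"Pa55word!", b"constructed-salt", secrets.token_bytes(32)
    masked = mask_password(pw, salt, nonce)
    assert unmask_password_digest(masked, nonce) == password_digest(pw, salt)
    # The naive form does not fail loudly; it just drops bits.
    return len(xor_truncating(pw, nonce))  # returns 9, not 32
```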

C. No Perfect Forward Secrecy
Perfect forward secrecy means that even if one of the important long-term keys in the protocol is exposed, previous session keys cannot be determined. However, this protocol does not provide perfect forward secrecy: the exposure of , , one of the unchanging long-term keys, allows not only future session keys but also previously used session keys to be identified. That is, assuming the adversary has found out , , the previous session key used between the mobile device and can be calculated.
1) The adversary has obtained the values and the previous communication contents ( of , and of ) between the user, GWN and . The adversary decrypts the of the login request as , and thereby finds out and .
2) In addition, the adversary can calculate using , and . .
3) In addition, can be calculated using , and . .
4) Finally, the adversary calculates the session key using the , , , and obtained so far. .
Since the long-term key , does not change after it is generated, the exposure of previous session keys whenever , is exposed is a serious problem: the protocol does not satisfy perfect forward secrecy.
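To make the forward-secrecy argument concrete, here is an added Python model (not Mo et al.'s protocol and not code from the original paper) of the two derivation patterns: a session key computed from a long-term key plus nonces that travel masked under that key, which an eavesdropper who later learns the long-term key can recompute from the recorded transcript, beside an authenticated ephemeral Diffie-Hellman derivation in which the long-term key only authenticates the public values. The DH group, nonce sizes and message labels are constructed for illustration.

```python
import hashlib
import secrets
from typing import Tuple

# Constructed toy DH group for illustration only: p is the Mersenne prime
# 2^127 - 1. A real deployment uses a standard 2048-bit MODP group or an
# elliptic curve, never a group this small.
P = (1 << 127) - 1
G = 3


def h(*parts: bytes) -> bytes:
    """Fixed-length (32-byte) hash of the concatenated parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def static_key_session(k_long: bytes) -> Tuple[bytes, bytes]:
    """Flawed pattern: each side sends a nonce masked under the long-term key
    and SK = H(k_long || r_user || r_gw). Returns (transcript, session key)."""
    r_user, r_gw = secrets.token_bytes(32), secrets.token_bytes(32)
    m1 = xor(r_user, h(k_long, b"user-mask"))  # what an eavesdropper records
    m2 = xor(r_gw, h(k_long, b"gw-mask"))
    return m1 + m2, h(k_long, r_user, r_gw)


def recover_from_static(k_long: bytes, transcript: bytes) -> bytes:
    """Given only the long-term key and the recorded transcript, the old
    session key is recomputed: this design has no forward secrecy."""
    r_user = xor(transcript[:32], h(k_long, b"user-mask"))
    r_gw = xor(transcript[32:], h(k_long, b"gw-mask"))
    return h(k_long, r_user, r_gw)


def ephemeral_session(k_long: bytes) -> Tuple[tuple, bytes, bytes]:
    """Forward-secret pattern: per-session exponents a, b never leave their
    owners; k_long only authenticates the exchanged public values.
    Returns (transcript, user's SK, gateway's SK)."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    enc = lambda n: n.to_bytes(16, "big")
    tag = h(k_long, enc(ga), enc(gb))   # authenticates ga and gb only
    sk_user = h(enc(pow(gb, a, P)))     # both sides reach g^(ab)
    sk_gw = h(enc(pow(ga, b, P)))
    return (ga, gb, tag), sk_user, sk_gw
```

In the ephemeral design the transcript holds only ga, gb and the tag, so learning k_long afterwards gives nothing to recompute the session key from; in the static design it gives everything.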

D. No Mutual Authentication
Mutual authentication means that all participants in the authentication protocol authenticate each other. In the present protocol, , GWN and authenticate using , , and . Through these four messages, mutual authentication between and GWN and between GWN and is provided, but mutual authentication between and is not. The mutual authentication process is as follows.
1) GWN verifies the authenticity of using and , which contain the secret key of GWN. When the that holds is transmitted to GWN, GWN calculates and . When and match, GWN accepts as a legitimate user.
2) Once that match is confirmed, verifies the authenticity of GWN using and ( ). The authentication is confirmed by comparing and , which contain the session key of GWN and .
3) After that authentication is confirmed, GWN checks the consistency between and to confirm the authenticity of .

GWN authenticates Ui through , and authenticates GWN through . Through , GWN authenticates , and authenticates GWN through M10. That is, and GWN, and GWN and , are mutually authenticated, but mutual authentication between and is not provided in this protocol. An authentication protocol with improved security is only as safe as its weakest pair, so and must also be mutually authenticated. Fig. 3 describes in detail how the mutual authentication process is performed.

E. Insider Attack
Even an insider at GWN should not be able to impersonate a legitimate user using the information obtained while verifying the user's authentication information in the MD authentication step. However, in the protocol proposed by Jiaqing Mo et al., insiders can disguise themselves as legitimate users using only . In this protocol, while the user's authentication information is being calculated, an internal adversary can learn the user information that is authenticated with the GWN's secret key . With this information, an internal adversary can succeed in authentication under the guise of a legitimate user and can also calculate the session key. Fig. 4 shows the protocol's authentication process and the adversary calculating the session key.
Among the values transmitted to GWN, an insider can calculate using the unchanging values and that the insider adversary has obtained. In the case of , the of can be found using the information known to an internal adversary. Since the value can also be generated by the internal adversary at the current time, can be calculated. This allows an internal adversary to succeed in authentication under the guise of a user with only the information received from GWN. An insider adversary who succeeds in logging in receives information through . To compute the session key, the insider adversary must calculate and . Since the insider adversary has all the information in , can be calculated, and can be calculated using . The insider adversary can calculate because it holds all the information in that is necessary for calculating the session key. As a result, authentication succeeds under the guise of a legitimate user using only the information possessed by the insider adversary.

V. CONCLUSION
In this paper, a security analysis was conducted after explaining the operation process of the authentication protocol with improved security and guaranteed anonymity for the WHMS proposed by Jiaqing Mo et al. The protocol proposed by Jiaqing Mo et al. has the following vulnerabilities: offline identity and password guessing attacks, operation process bit mismatch, no perfect forward secrecy, no mutual authentication and insider attacks.