Provably Secure Three-Factor-Based Mutual Authentication Scheme with PUF for Wireless Medical Sensor Networks

Abstract

Wireless medical sensor networks (WMSNs) are used in remote medical service environments to provide patients with convenient healthcare services. In a WMSN environment, patients wear a device that collects their health information and transmits the information via a gateway. Then, doctors make a diagnosis regarding the patient, utilizing the health information. However, this information can be vulnerable to various security attacks because the information is exchanged via an insecure channel. Therefore, a secure authentication scheme is necessary for WMSNs. In 2021, Masud et al. proposed a lightweight and anonymity-preserving user authentication scheme for healthcare environments. We discover that Masud et al.’s scheme is insecure against offline password guessing, user impersonation, and privileged insider attacks. Furthermore, we find that Masud et al.’s scheme cannot ensure user anonymity. To address the security vulnerabilities of Masud et al.’s scheme, we propose a three-factor-based mutual authentication scheme with a physical unclonable function (PUF). The proposed scheme is secure against various security attacks and provides anonymity, perfect forward secrecy, and mutual authentication utilizing biometrics and PUF. To prove the security features of our scheme, we analyze the scheme using informal analysis, Burrows–Abadi–Needham (BAN) logic, the Real-or-Random (RoR) model, and Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation. Furthermore, we estimate our scheme’s security features, computation costs, communication costs, and energy consumption compared with the other related schemes. Consequently, we demonstrate that our scheme is suitable for WMSNs.

1. Introduction

With the development of wireless communication and sensor minimization technology, wireless sensor networks (WSNs) have been widely used in various environments, such as industrial Internet of Things [1], healthcare [2], and smart homes [3]. In particular, the demand for remote healthcare services has been increased due to the COVID-19 pandemic [4]. Remote healthcare services can be realized through wireless medical sensor networks (WMSNs). Generally, WMSNs consist of doctors (users), a gateway, and sensor nodes. Doctors communicate with the gateway to access a patient’s health data through their smart device. The gateway, such as a smart hospital, stores sensitive data and supports smooth wireless communication between doctors and sensor nodes. Sensor nodes are attached to patients and transmit patients’ sensitive health data to doctors through the gateway [5]. Therefore, doctors can perform the diagnosis of patients remotely and patients can receive convenient remote medical services wherever they are.

Although WMSNs can provide convenient medical services to patients, there are several security risks. First of all, each message is exchanged through a public channel; therefore, malicious adversaries can perform security attacks such as replay and man-in-the-middle attacks [6]. In addition, the smart device of a doctor can be stolen and an adversary can attempt to impersonate the doctor using parameters extracted from the device. In addition, the sensor node can be physically captured by an adversary and the adversary can attempt to impersonate the patient using the secret parameter, extracted from the sensor node. If an adversary obtains and modifies the information of patients using the above security attacks, this can have a serious effect on the patient’s health, such as inducing a misdiagnosis by the doctor. Accordingly, secure authentication schemes are necessary to overcome these security vulnerabilities for WMSNs.

In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. They claimed that their scheme is lightweight and prevents various security attacks (e.g., replay, privileged insider, and impersonation attacks). Moreover, they asserted that their scheme can ensure user anonymity and session key agreement. However, we find that Masud et al.’s scheme cannot prevent offline password guessing, user impersonation, and privileged insider attacks. Moreover, we prove that their scheme cannot ensure user anonymity. Their scheme also has a device update problem, where the doctor cannot perform a login process on his own smart device. To overcome these security vulnerabilities of Masud et al.’s scheme, we propose a secure three-factor-based mutual authentication scheme with physical unclonable function (PUF) for WMSNs. In our scheme, we use PUF and fuzzy extractor [8] to enhance the security level. The PUF is a physical circuit that outputs unpredictable random strings, and the fuzzy extractor is a cryptographic algorithm that utilizes the biometrics of users. Therefore, we install the PUF in the sensor node to prevent physical and cloning attacks, and we utilize the fuzzy extractor to overcome offline password guessing attacks. Our scheme also uses hash functions and exclusive-OR operations to ensure real-time communication.

1.1. Research Contributions

The contributions of our paper are as follows.

• We review Masud et al.’s scheme and prove that their scheme cannot ensure user anonymity. Moreover, we show that their scheme is vulnerable to offline password, impersonation, and privileged insider attacks and has a device update problem.
• We propose a secure three-factor-based mutual authentication scheme to overcome the security vulnerabilities of Masud et al.’s scheme. We use hash functions and exclusive-OR operations to provide real-time communication for WMSNs. We also utilize PUF and fuzzy extractor [8] to prevent physical and offline password guessing attacks, respectively.
• We analyze the security features of the proposed scheme using well-known Burrows–Abadi–Needham (BAN) logic [9] and the Real-or-Random (RoR) model [10], which can prove mutual authentication and session key security, respectively. Furthermore, we utilize the Automated Verification of Internet Security Protocols and Applications (AVISPA) simulation tool [11,12] to prove that the proposed scheme has resistance against replay and man-in-the-middle attacks.
• We show that our scheme has resistance against various security attacks, such as offline password, impersonation, privileged insider, replay, and man-in-the-middle attacks, using informal analysis. Moreover, the proposed scheme ensures user anonymity, perfect forward secrecy, and mutual authentication.
• We estimate the security properties and functionalities, communication costs, computation costs, and energy consumption of our scheme in comparison with existing authentication schemes.

1.2. Organization

In Section 2, we introduce related works for WMSNs. We describe the PUF, fuzzy extractor, adversary model, and system model in Section 3. In Section 4, we describe the detailed procedures of Masud et al.’s scheme. In Section 5, we prove the security vulnerabilities of Masud et al.’s scheme. To overcome these security vulnerabilities, we propose a secure three-factor-based mutual authentication scheme with PUF for WMSNs in Section 6. In Section 7 and Section 8, we analyze the security features of our scheme using formal and informal analyses and estimate the performance of our scheme, respectively. Finally, we conclude and summarize our paper in Section 9.

2. Related Works

In the past several decades, researchers have proposed numerous two-factor-based authentication schemes for WMSNs. In 2012, Kumar et al. [13] proposed an authentication scheme for healthcare applications using a smart card. Their scheme used a symmetric encryption method to establish the session key between the user and the medical sensor node. However, He et al. [14] claimed that Kumar et al.’s scheme is vulnerable to password guessing and privileged insider attacks. As a result, He et al. proposed a robust authentication scheme to overcome these security weaknesses. Unfortunately, Mir et al. [15] demonstrated that [14] cannot prevent offline password guessing and masquerading user attacks. To address the security vulnerabilities of He et al’s scheme [15], they proposed an authentication and key agreement scheme using hash functions and exclusive-OR operations. In 2018, Wu et al. [16] proposed an authentication scheme for personalized healthcare systems. They used a smart device as a factor to protect the privacy of the doctor. However, the above schemes [13,14,15,16] can be vulnerable to smart device theft and offline password guessing attacks because they adopt two-factor-based authentication schemes.

Three-factor-based authentication schemes have been proposed to improve the security level for WMSNs. In 2018, Challa et al. [17] proposed a three-factor-based user authentication and key agreement protocol using bilinear pairings for wireless healthcare sensor networks. Challa et al. employed bilinear pairing and the fuzzy extractor to overcome security vulnerabilities such as smart card theft, offline password guessing, and privileged insider attacks. In 2019, Li et al. [18] proposed a three-factor user authentication protocol based on elliptic curve cryptography (ECC). They claimed that their scheme can resist various security attacks utilizing biometrics verification with error-correcting code and a fuzzy commitment scheme. Shin et al. [19] suggested an authentication and key agreement scheme that can preserve users’ privacy in 5G-integrated IoT environments. In [19], each entity establishes the session key using elliptic curve Diffie–Hellman (ECDH). Furthermore, Ali et al. [20] proposed a biometric-based authentication and access control protocol for WMSNs using ECC. They claimed that their scheme is secure against privileged insider, stolen smart card, and offline password guessing attacks. In 2020, Hsu et al. [21] proposed a three-factor user-controlled single sign-on (UCSSO) scheme for telecare medicine information systems. Their scheme can provide fast authentication and privacy protection using only hash functions and exclusive-OR operations. Although the above schemes [18,19,20,21] can provide lightweight communications to doctors and patients, they cannot prevent sensor node physical and cloning attacks.

Recently, PUF-based authentication schemes have been proposed to prevent physical attacks. In 2017, Aman et al. [22] suggested a mutual authentication scheme using PUF in IoT systems. They claimed that their scheme is secure against IoT device cloning attacks because PUF is employed on each IoT device. Byun [23] proposed an end-to-end key exchange scheme using PUF. This scheme utilized PUF-embedded devices and the fuzzy extractor to ensure mutual authentication between two devices. In 2020, Fang et al. [24] proposed a PUF-based data transmission scheme for IoT environments. They proved that their scheme can prevent various attacks, such as DoS, eavesdropping, impersonation, and cloning attacks, using PUF. In 2021, Chen et al. [25] suggested an efficient mutual authentication and key agreement scheme using PUF and biometrics for wireless sensor network environments. To reduce the storage overhead of the user, Chen et al. [25] eliminated the password during the login phase.

In 2021, Masud et al. [7] proposed a lightweight user authentication scheme for IoT-based healthcare. They asserted that their scheme can protect against impersonation attacks and replay attacks and provide data privacy and anonymity. However, we discover that their scheme is vulnerable to several security issues, such as offline password guessing, user impersonation, and privileged insider attacks. We also find that their scheme cannot ensure user anonymity. Therefore, we propose a three-factor-based mutual authentication scheme using PUF to prevent various security weaknesses such as user anonymity, smart device theft, offline password, privileged insider, and cloning attacks, which are critical for WMSNs.

3. Preliminaries

In this section, we introduce the general system model and the adversary model for WMSNs. Then, we describe PUF and the fuzzy extractor, which can improve the security level of our scheme.

3.1. System Model

Figure 1 shows the general system model of a WMSN, which consists of doctors, a gateway, and sensor nodes. Details are as follows.

• Doctor (user): The doctor, who has a resource-constrained smart device, authenticates with the gateway to access patients’ health reports. To communicate with sensor nodes, the doctor must register with the gateway.
• Gateway: The gateway, which is the smart hospital, communicates with doctors and sensor nodes to provide efficient and convenient remote services to patients. We assume that the gateway is a trusted party and has enough storage and computing power.
• Sensor node: The sensor node is a resource-constrained device attached to the patient in the form of a wearable device. The sensor node collects the patient’s health information and sends it to the doctor through the gateway.

3.2. Adversary Model

In our paper, we assume that an adversary can eavesdrop, insert, remove, and modify messages transmitted through a public channel according to a well-known adversary model, the Dolev–Yao (DY) model [26]. Moreover, we use the Canetti–Krawczyk (CK) adversary model [27]. In this model, an adversary can access ephemeral parameters or the master key of the gateway. With the CK and DY adversary models, we assume that an adversary can perform various attacks. Details are as below.

• An adversary can steal a doctor’s smart device and obtain the secret parameter, extracted from the smart device using a power analysis attack [28].
• An adversary can be a privileged insider who can obtain the user’s registration message.
• An adversary can obtain the patient’s sensor node and perform a cloning attack.
• An adversary can perform various attacks, such as man-in-the-middle, password guessing, and stolen verifier attacks [29].

3.3. Physical Unclonable Function

Physical unclonable functions (PUFs) are physical circuits that operate as a one-way function. In the PUF circuit, there is an input–output bit string pair called the “challenge–response pair”. If a random bit string challenge is entered into the PUF circuit, a unique output response is printed out. In this paper, we express this process as $R=PUF\left(C\right)$, where C and R are a challenge and a response, respectively. Ideal PUF properties are as below.

• The PUF is an unclonable circuit.
• The PUF is a unique physical microstructure. The output of the PUF depends on the physical circuit.
• The output of the PUF has to be unpredictable.
• The circuit of the PUF is easy to estimate and implement.

Since a PUF has the properties of a one-way function, the PUF returns the same response when the same challenge is input into a PUF-installed device. Moreover, the PUF gives different responses when the same challenge is input into different devices. Therefore, the PUF can provide a unique one-way function that cannot be duplicated. This uniqueness enables the PUF to prevent various attacks, such as physical and cloning attacks.

3.4. Fuzzy Extractor

In this section, we explain the basic concept and direction of the fuzzy extractor [8]. When a user utilizes his biometrics or the PUF response string, we cannot ensure the accuracy due to the noise of external environmental factors. The fuzzy extractor can control the noise using the helper string. Therefore, we can use the biometric information and the PUF response string as a secret parameter using the fuzzy extractor. The fuzzy extractor consists of “generate ($Gen(.)$)” and “reproduce ($Rep(.)$)” algorithms. Details are as follows.

• $Gen\left(B_i\right)=(R_i,P_i)$: This is a probability algorithm to generate a secret string $R_i$. If a user inputs a random string $B_i$, the fuzzy extractor generates the secret parameter $R_i$ and a helper string $P_i$.
• $Rep(B_i^{\ast },P_i)=\left(R_i\right)$: This is a deterministic algorithm to reproduce the secret string $R_i$. If a user enters the random string $B_i^{\ast }$, the fuzzy extractor controls the noise of $B_i^{\ast }$ using the helper string $P_i$ and reproduces the secret string $R_i$.

4. Review of Masud et al.’s Scheme

In 2021, Masud et al. [7] proposed a lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare environments. Their scheme consists of user registration, sensor node registration, and mutual authentication and key agreement phases. Notations and descriptions are explained in

Table 1. Notations and descriptions.

Notation	Description
$D_{ID},S_{ID}$	Identity of the doctor and the sensor node
$P{W}_D$	Password of the doctor
$BI{O}_D$	Biometric template of the doctor
s	Master key of the gateway
$R_{req}$	Registration request message
$R_{SG},R_{SN}$	Random number generated by the gateway and the sensor node
$D_{TID},S_{TID}$	Temporary identity of the doctor and the sensor node
$N_D,N_G,N_S$	Random nonce generated by device of the doctor, the gateway, and the sensor node
$C{H}_1,R{E}_1$	Challenge and response pair
$SK$	Session key
$PUF(.)$	Physical unclonable function
$h(.)$	Hash function
$\left|\right|$	Concatenation operator
⊕	Exclusive-OR operator

.

4.1. User Registration Phase

A doctor must register in the gateway to use this network system. We show the user registration phase of Masud et al.’s scheme as follows.

Step 1: The doctor inputs an identity $D_{ID}$ and password $P{W}_D$, and generates a registration request message $R_{req}$. Then, the doctor sends $M_{RD}^1=\{D_{ID},P{W}_D,R_{req}\}$ to the gateway through a secure channel.

Step 2: The gateway stores $D_{ID}$ and $P{W}_D$, and then generates $R_{SG}^1$ to compute $\alpha =(D_{ID}\oplus R_{SG}^1)\oplus P{W}_D$ and $D_{TID}=R_{SG}^1\oplus D_{ID}$. The gateway stores $\{R_{SG}^1,D_{TID}\}$ in its secure database and sends $\alpha$ to the doctor via a secure channel.

Step 3: The doctor computes $R_{SG}^{1\ast }=(\alpha \oplus P{W}_D)\oplus D_{ID}$ and $D_{TID}=R_{SG}^{1\ast }\oplus D_{ID}$, and stores $\{R_{SG}^{1\ast },D_{TID}\}$ in his device. Then, the doctor computes $\beta =h(P{W}_D\left|\right|R_{SG}^{1\ast })\oplus D_{TID}$ and stores $\left\{\beta \right\}$.

4.2. Sensor Node Registration Phase

To transmit the health information of a patient, the sensor node must register with the gateway. We describe the sensor node registration phase as below.

Step 1: The sensor node generates $R_{SN}^1$, and sends $\{S_{ID},R_{SN}^1\}$ to the gateway via a secure channel, where $S_{ID}$ is the real identity of the sensor node.

Step 2: The gateway generates $R_{SG}^2$ and computes $\delta =(S_{ID}\oplus R_{SG}^2)\oplus R_{SN}^1$ and $S_{TID}=R_{SG}^2\oplus S_{ID}$. Then, the gateway stores $\{S_{ID},R_{SN}^1,R_{SG}^2,S_{TID}\}$ in its secure database and transmits $\left\{\delta \right\}$ to the sensor node through a secure channel.

Step 3: When the sensor node receives $\left\{\delta \right\}$, it computes $R_{SG}^{2\ast }=(\delta \oplus R_{SN}^1)\oplus S_{ID}$ and $S_{TID}=R_{SG}^{2\ast }\oplus S_{ID}$. Finally, the sensor node stores $\{R_{SN}^1,R_{SG}^{2\ast },S_{TID}\}$ in its memory.

4.3. Mutual Authentication and Key Agreement Phase

In this phase, the doctor and the sensor node conduct a mutual authentication and key agreement phase to authenticate each other and establish a session key. Figure 2 shows the mutual authentication and key agreement phase of Masud et al.’s scheme and details are as follows.

Step 1: When the doctor inputs his own password $P{W}_D$, the smart device of the doctor computes $Q=h\left(P{W}_D\right|\left|R_{SG}^{1\ast }\right)$ and verifies $Q\stackrel{?}{=}\beta$. If it is correct, the smart device generates a random nonce $N_D^1$ and computes $N_D^{1\ast }=N_D^1\oplus P{W}_D$ and $\lambda =h\left(R_{SG}^{1\ast }\right|\left|P{W}_D\right)$. Then, the doctor sends $\{N_D^{1\ast },D_{TID},\lambda ,S_{TID}\}$ to the gateway via a public channel.

Step 2: The gateway receives $\{N_D^{1\ast },D_{TID},\lambda ,S_{TID}\}$ and computes $N_D^1=N_D^{1\ast }\oplus P{W}_D$. If $N_D^1$ is a fresh random nonce, the gateway checks the validity of $S_{TID}$ and $D_{TID}$, and computes ${\lambda }^{\ast }=h(R_{SG}^1\left|\right|P{W}_D)$. After verifying the equation ${\lambda }^{\ast }\stackrel{?}{=}\lambda$, the gateway generates $N_G^1$ and computes $G_W^1=N_G^1\oplus S_{TID}$, $G_W^2=h(R_{SN}^1\left|\right|R_{SG}^2)$, $S{K}_S=(SK\oplus R_{SN}^1)\oplus N_G^1$, and $G_W^3=R_{SG}^3\oplus R_{SN}^1$, where $SK$ is a session key. Then, the gateway sends $\{G_W^1,G_W^2,D_{TID},S{K}_S,G_W^3\}$ to the sensor node through a public channel.

Step 3: The sensor node computes $N_G^1=G_W^1\oplus S_{TID}$ and checks the freshness of $N_G^1$. After this, the sensor node computes $S_N^1=h(R_{SN}^1\left|\right|R_{SG}^2)$ and checks the equality of $S_N^1$ and $G_W^2$. If it is equal, the sensor node generates $N_S^1$ and computes $SK=(S{K}_S\oplus N_G^1)\oplus R_{SG}^1$, $S_N^2=N_S^1\oplus S_{TID}$, $S_N^3=h(R_{SG}^{2\ast }\left|\right|R_{SN}^1\left|\right|SK)$, $S_N^4=R_{SG}^2\oplus R_{SN}^2$, $R_{SG}^3=G_W^2\oplus R_{SN}^1$, and $S_{TID}^{new}=R_{SG}^3\oplus S_{ID}$. Finally, the sensor node stores $\{R_{SN}^2,R_{SG}^3,S_{TID}^{new}\}$ and transmits $\{S_N^2,S_N^3,S_N^4\}$ to the gateway.

Step 4: When the gateway receives $\{S_N^2,S_N^3,S_N^4\}$ from the sensor node, the gateway computes $N_S^1=S_N^2\oplus S_{TID}$ and verifies the freshness of $N_S^1$. Then, the gateway computes $G_W^4=h(R_{SG}^2\left|\right|R_{SN}^1\left|\right|SK)$ and checks $G_W^4\stackrel{?}{=}{S}_N^3$. If it is equal, the gateway computes $R_{SN}^2=S_N^4\oplus R_{SG}^2$ and $S_{TID}^{new}=R_{SG}^3\oplus S_{ID}$ and stores $\{R_{SN}^2,R_{SG}^3,S_{TID}^{new}\}$ in its database. The gateway generates a random nonce $N_G^2$ and computes $\mu =D_{ID}\oplus N_G^2$, $S{K}_U=(SK\oplus P{W}_D)\oplus N_G^2$, $\eta =h\left(D_{ID}\right|\left|P{W}_D\right|\left|SK\right|\left|N_G^2\right)$, $G_W^5=R_{SG}^4\oplus P{W}_D$, and $D_{TID}^{new}=R_{SG}^4\oplus D_{ID}$. Lastly, the gateway stores $\{R_{SG}^4,D_{TID}^{new}\}$ in its secure database and sends a message $\{\mu ,S{K}_U,\eta ,G_W^5\}$ to the smart device of the doctor.

Step 5: After receiving $\{\mu ,S{K}_U,\eta ,G_W^5\}$ from the gateway, the doctor computes $N_G^2=\mu \oplus D_{ID}$ and checks the freshness of $N_G^2$. Then, the smart device computes the session key $SK=(S{K}_U\oplus N_G^2)\oplus P{W}_D$ and $\varphi =h\left(D_{ID}\right|\left|P{W}_D\right|\left|SK\right|\left|N_G^2\right)$, and verifies $\varphi \stackrel{?}{=}\eta$. If it is equal, the smart device computes $R_{SG}^4=G_W^5\oplus P{W}_D$ and $D_{TID}^{new}=R_{SG}^4\oplus D_{ID}$, and stores $\{R_{SG}^4,D_{TID}^{new}\}$ in its memory.

5. Cryptanalysis of Masud et al.’s Scheme

If an adversary $\mathcal{A}$ obtains a legitimate user’s smart device, $\mathcal{A}$ can extract the information $\{\beta ,R_{SG}^{1\ast },D_{TID}\}$ from the smart device using a power analysis attack [28], according to Section 3.2. With this information, $\mathcal{A}$ can perform various security attacks, such as offline password guessing, user impersonation, and privileged insider attacks. Furthermore, Masud et al.’s scheme does not ensure user anonymity and has a device update problem when signing in for the next session. Details are shown as below.

5.1. User Anonymity

An adversary $\mathcal{A}$ obtains the smart device of a doctor and extracts $\{\beta ,R_{SG}^{1\ast },D_{TID}\}$ using power analysis attack. Then, $\mathcal{A}$ calculates $D_{ID}=D_{TID}\oplus R_{SG}^{1\ast }$, where $D_{ID}$ is the real identity of the doctor. Therefore, Masud et al.’s scheme cannot ensure user anonymity.

5.2. Offline Password Guessing Attack

An offline password guessing attack has a purpose of obtaining the valid password for a user using a password dictionary in polynomial time. Thus, an adversary $\mathcal{A}$ needs some information about the user in order to check whether the guessed password is correct or not. In Masud et al.’s scheme, $\mathcal{A}$ can verify the correctness of the guessed password using the information extracted from the smart device of the doctor. We describe the procedures as follows.

Step 1: The adversary $\mathcal{A}$ inputs a guessed password $P{W}_{\mathcal{A}}$ and calculates $Q^{\ast }=h(P{W}_{\mathcal{A}}\left|\right|$$R_{SG}^{1\ast })\oplus D_{TID}$.

Step 2:$\mathcal{A}$ compares $Q^{\ast }\stackrel{?}{=}\beta$, where $\beta =h(P{W}_D\left|\right|R_{SG}^{1\ast })\oplus D_{TID}$ is a parameter extracted from the smart device of the doctor. If it is equal, it means that $\mathcal{A}$ has guessed the password $P{W}_D$ correctly.

Thus, Masud et al.’s scheme is vulnerable to offline password guessing attacks.

5.3. User Impersonation Attack

The adversary $\mathcal{A}$ can obtain the real identity $D_{ID}$ and the password $P{W}_D$ of the doctor, according to Section 5.1 and Section 5.2. Then, $\mathcal{A}$ can impersonate the doctor with this information. We describe the steps as follows.

Step 1:$\mathcal{A}$ generates a random nonce $N_{\mathcal{A}}^1$ and computes $N_{\mathcal{A}}^{1\ast }=N_{\mathcal{A}}^1\oplus P{W}_D$ and ${\lambda }_{\mathcal{A}}=h(R_{SG}^{1\ast }\left|\right|P{W}_D)$. Then, $\mathcal{A}$ sends $\{N_{\mathcal{A}}^{1\ast },D_{TID},{\lambda }_{\mathcal{A}},S_{TID}\}$ to the gateway.

Step 2: After receiving $\{N_{\mathcal{A}}^{1\ast },D_{TID},{\lambda }_{\mathcal{A}},S_{TID}\}$ from the adversary $\mathcal{A}$, the gateway retrieves $N_{\mathcal{A}}^1=N_{\mathcal{A}}^{1\ast }\oplus P{W}_D$ and checks the freshness of $N_{\mathcal{A}}^1$. If it is found to be fresh, the gateway verifies $D_{TID}$ and $S_{TID}$ from its database. Then, the gateway computes ${\lambda }^{\ast }=h(R_{SG}^1\left|\right|P{W}_D)$ and compares ${\lambda }^{\ast }\stackrel{?}{=}{\lambda }_{\mathcal{A}}$. If the equation is correct, the gateway generates a random nonce $N_G^1$ and computes $G_W^1=N_G^1\oplus S_{TID}$, $G_W^2=h(R_{SN}^1\left|\right|R_{SG}^2)$, $S{K}_S=(SK\oplus R_{SN}^1)\oplus N_G^1$ and $G_W^3=R_{SG}^3\oplus R_{SN}^1$. Finally, the gateway sends $\{G_W^1,G_W^2,D_{TID},S{K}_S,G_W^3\}$ to the sensor node.

Step 3: The sensor node receives $\{G_W^1,G_W^2,D_{TID},$$S{K}_S,$$G_W^3\}$ and retrieves $N_G^1=G_W^1\oplus S_{TID}$. If $N_G^1$ is a fresh random nonce, the sensor node computes $S_N^2=h(R_{SN}^1\left|\right|R_{SG}^2)$ and compares $S_N^2\stackrel{?}{=}{G}_W^2$. The sensor node generates a random nonce $N_S^1$ and computes $SK=(S{K}_S\oplus R_{SN}^1)\oplus N_G^1$, $S_N^2=N_S^1\oplus S_{TID}$, $S_N^3=h(R_{SG}^{2\ast }\left|\right|R_{SN}^1\left|\right|SK)$, $S_N^4=R_{SG}^2\oplus R_{SN}^2$, $R_S^{3}G=G_W^3\oplus R_{SN}^1$ and $S_{TID}^{new}=R^3{)}_{SG}\oplus S_{ID}$. The sensor node sends $\{S_N^2,S_N^3,S_N^4\}$ and stores $\{R_{SN}^2,R_{SG}^3,S_{TID}^{new}\}$.

Step 4: The gateway receives the message $\{S_N^2,S_N^3,S_N^4\}$ and retrieves $N_S^1=S_N^2\oplus S_{TID}$. If $N_S^1$ is a fresh random nonce, the gateway computes $G_W^4=h(R_{SG}^{2\ast }\left|\right|R_{SN}^1\left|\right|SK)$ and checks $G_W^4\stackrel{?}{=}{S}_N^3$. The gateway computes $R_{SN}^2=S_N^4\oplus R_{SG}^2$ and $S_{TID}^{new}=R_{SG}^3\oplus S_{ID}$, and stores $\{R_{SN}^2,R_{SG}^3,S_{TID}^{new}\}$. After this, the gateway generates a random nonce $N_G^2$ and computes $\mu =D_{ID}\oplus N_G^2$, $S{K}_U=(SK\oplus P{W}_D)\oplus N_G^2$, $\eta =h\left(D_{ID}\right|\left|P{W}_D\right|\left|SK\right|\left|N_G^2\right)$, $G_W^5=R_{SG}^4\oplus P{W}_D$ and $D_{TID}^{new}=R_{SG}^4\oplus D_{ID}$. Lastly, the gateway stores $\{R_{SG}^4,D_{TID}^{new}\}$ and sends $\{\mu ,S{K}_U,\eta ,G_W^5\}$ to $\mathcal{A}$.

Step 5:$\mathcal{A}$ computes $N_G^2=\mu \oplus D_{ID}$ and verifies the freshness of $N_G^2$. Then, $\mathcal{A}$ computes $SK=(S{K}_U\oplus P{W}_D)\oplus N_G^2$ and $\varphi =h\left(D_{ID}\right|\left|P{W}_D\right|\left|SK\right|\left|N_G^2\right)$, and compares $\varphi \stackrel{?}{=}\eta$. Finally, $\mathcal{A}$ computes $R_{SG}^4=G_W^5\oplus P{W}_D$ and $D_{TID}^{new}=R_{SG}^4\oplus D_{ID}$, and stores these parameters $\{R_{SG}^4,D_{TID}^{new}\}$.

Therefore, Masud et al.’s scheme cannot prevent an impersonation attack.

5.4. Privileged Insider Attack

A privileged insider attack can be performed by an insider adversary $\mathcal{A}$ that has unquestioned authority within the system. Therefore, the privileged insider $\mathcal{A}$ can obtain various information about users, including registration request messages, and may attempt to calculate the session key or impersonate a legal user.

In Masud et al.’s scheme, a privileged insider adversary $\mathcal{A}$ can impersonate a legitimate doctor after obtaining a registration request message $\{D_{ID},P{W}_D,R_{req}\}$ and the secret parameter $\{\beta ,R_{SG}^{1\ast },D_{TID}\}$ extracted from the smart device of the doctor. $\mathcal{A}$ generates a random nonce $N_{\mathcal{A}}^1$ and computes $N_{\mathcal{A}}^{1\ast }=N_{\mathcal{A}}^1\oplus P{W}_D$ and ${\lambda }_{\mathcal{A}}=h(R_{SG}^{1\ast }\left|\right|P{W}_D)$. Then, $\mathcal{A}$ sends a message $\{N_{\mathcal{A}}^{1\ast },D_{TID},{\lambda }_{\mathcal{A}},S_{TID}\}$. The gateway and the sensor node authenticate each other and return a message $\{\mu ,S{K}_U,\eta ,G_W^5\}$ to $\mathcal{A}$. Lastly, $\mathcal{A}$ calculates $N_G^2=\mu \oplus D_{ID}$ and the session key $SK=(S{K}_U\oplus N_G^2)\oplus P{W}_D$. Thus, Masud et al.’s scheme is insecure against privileged insider attacks.

5.5. Device Update Problem

The smart device replaces $\{R_{SG}^{1\ast },D_{TID}\}$ with $\{R_{SG}^4,D_{TID}^{new}\}$ at the end of the authentication and key agreement phase. After this, the doctor may try to authenticate another sensor node that is attached to a patient in other session. However, the doctor cannot perform the login phase. If the doctor inputs a password $P{W}_D$, the smart device computes $Q=h(P{W}_D\left|\right|R_{SG}^4)\oplus D_{TID}^{new}$ and verifies $Q\stackrel{?}{=}\beta$. Since $\beta =h(P{W}_D\left|\right|R_{SG}^{1\ast })\oplus D_{TID}$, the login phase is aborted. Therefore, Masud et al.’s scheme has a device update problem.

6. Proposed Scheme

Although Masud et al.’s scheme has efficiency for WMSNs, their scheme has several security vulnerabilities. To address these security weaknesses, we propose a secure three-factor-based mutual authentication and key agreement scheme using PUF. Our scheme consists of initialization, user registration, sensor node registration, mutual authentication and key agreement, and password change phases.

6.1. Initialization Phase

Before starting the registration phase, the gateway inserts an identity and a challenge into the sensor node. Figure 3 shows the initialization of our scheme and detailed steps are as follows.

Step 1: The gateway selects an identity $S_{ID}$, a challenge $C{H}_1$, and sends $\{S_{ID},C{H}_1\}$ to the sensor node via a secure channel.

Step 2: The sensor node stores $\{S_{ID},C{H}_1\}$ in the memory.

6.2. User Registration Phase

A doctor must register in the network to provide a convenient remote medical service to patients. We show the sensor node registration phase in Figure 4 and detailed steps are as follows.

Step 1: A doctor inputs an identity $D_{ID}$, a password $P{W}_D$, and biometric template $BI{O}_D$ to the smart device. Then, the smart device generates a registration request message $R_{req}$ and computes $Gen\left(BI{D}_D\right)=<R_D,P_D>$ and $GP{W}_D=h(P{W}_D\left|\right|R_D)$, where $Gen(.)$ is a fuzzy extractor generation function. The doctor sends $\{D_{ID},GP{W}_D,R_{req}\}$ to the gateway via a secure channel.

Step 2: After receiving $\{D_{ID},GP{W}_D,R_{req}\}$ from the doctor, the gateway generates random numbers $R_{SG}^1$ and $R_{SG}^2$, and computes $\alpha =h\left(D_{ID}\right|\left|s\right)$, $\beta =\alpha \oplus h\left(GP{W}_D\right|\left|R_{SG}^2\right)$, $\omega =\alpha \oplus h\left(R_{SG}^1\right|\left|s\right)$, and $D_{TID}=h\left(\alpha \right||R_{SG}^2\left|\right|R_{SG}^1)$. The gateway stores $\{\omega ,R_{SG}^1,$$D_{TID}\}$ in the secure database, and sends $\{\beta ,D_{TID},R_{SG}^2\}$ to the doctor via a secure channel.

Step 3: The doctor computes $\theta =h(R_D\left|\right|GP{W}_D)\oplus R_{SG}^2$ and $Ve{r}_D=h(D_{ID}\left|\right|GP{W}_D$$\left|\right|R_D)$, and stores $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$ in the memory.

6.3. Sensor Node Registration Phase

A patient must register in the network using a sensor node in order to receive remote medical services from the doctor. In Figure 5, we show the sensor node registration phase of our scheme and details are as below.

Step 1: The sensor node retrieves the challenge stored in the memory and computes $R{E}_1=PUF\left(C{H}_1\right)$, $Gen\left(R{E}_1\right)=<R_{SN}^1,P_{SN}>$, and $A{S}_{ID}=h(R_{SN}^1\left|\right|S_{ID})$. Then, the sensor node sends $\{S_{ID},A{S}_{ID},C{H}_1\}$ to the gateway through a secure channel.

Step 2: The gateway generates $R_{SG}^3$ and computes $\delta =h\left(A{S}_{ID}\right|\left|s\right)$, $S_{TID}=h\left(\delta \right||R_{SG}^3$$\left|\right|A{S}_{ID})$. After this, the gateway stores $\{A{S}_{ID},S_{TID},C{H}_1\}$ in its secure database and sends $\{\delta ,S_{TID}\}$ to the sensor node via a secure channel.

Step 3: Finally, the sensor node deletes the challenge $C{H}_1$ and stores $\{\delta ,P_{SN},S_{TID}\}$ in its memory.

6.4. Mutual Authentication and Key Agreement Phase

The doctor sends a login request message to the gateway and establishes a session key among the doctor, the gateway, and the sensor node. After this, the doctor can perform an accurate diagnosis of the patient. We describe the mutual authentication and key agreement phase in Figure 6 and details are as follows.

Step 1: The doctor inputs the identity $D_{ID}$, the password $P{W}_D$, and imprints the biometrics $BI{O}_i$. Then, the smart device computes $R_D^{\ast }=Rep(BI{O}_D,P_D)$, $GP{W}_D^{\ast }=h(P{W}_D\left|\right|R_D^{\ast })$, and $Ve{r}_D^{\ast }=h(D_{ID}\left|\right|GP{W}_D^{\ast }\left|\right|R_D^{\ast })$, and verifies $Ve{r}_D\stackrel{?}{=}Ve{r}_D^{\ast }$. If it is correct, the smart device generates a random nonce $N_D^1$ and computes $R_{SG}^2=\theta \oplus h(R_D\left|\right|GP{W}_D)$, $\alpha =\beta \oplus h\left(GP{W}_D\right|\left|R_{SG}^2\right)$, $M_{D1}=N_D^1\oplus h(D_{TID}\left|\right|\alpha )$, and $V_{D1}=h(N_D^1\left|\right|D_{TID}\left|\right|\alpha \left|\right|S_{TID})$. The smart device sends $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$ to the gateway through a public channel.

Step 2: When the gateway receives the message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$ from the doctor, the gateway checks the pseudo identity $\{D_{TID},S_{TID}\}$ and retrieves $\{\omega ,R_{SG}^1\}$ in the database. Then, the gateway computes $\alpha =\omega \oplus h\left(R_{SG}^1\right|\left|s\right)$, $N_D^{1\ast }=M_{D1}\oplus h(D_{TID}\left|\right|\alpha )$, and $V_{D1}^{\ast }=h(N_D^{1\ast }\left|\right|D_{TID}\left|\right|\alpha \left|\right|S_{TID})$. If $V_{D1}\stackrel{?}{=}{V}_{D1}^{\ast }$ is correct, the gateway generates a random nonce $N_G^1$ and retrieves $\{A{S}_{ID},C{H}_1\}$. The gateway computes $\delta =h\left(A{S}_{ID}\right|\left|s\right)$, $M_{G1}=C{H}_1\oplus h\left(\delta \right||D_{TID}\left|\right|S_{TID})$, $M_{G2}=\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1)\oplus h(\delta \left|\right|D_{TID}\left|\right|A{S}_{ID})$, and $V_{G1}=h\left(\delta \right||S_{TID}\left|\right|$$A{S}_{ID}\left|\right|\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\left)\right||D_{TID})$. After this, the gateway transmits $\{D_{TID},S_{TID},M_{G1},M_{G2},V_{G1}\}$ to the sensor node via a public channel.

Step 3: The sensor node computes $C{H}_1^{\ast }=M_{G1}\oplus h\left(\delta \right||D_{TID}\left|\right|S_{TID})$, $R{E}_1^{\ast }$$=PUF\left(C{H}_1^{\ast }\right)$, $R_{SN}^{1\ast }=Rep(R{E}_1^{{}^{\ast }},P_{SN})$, $A{S}_{ID}^{\ast }=h(R_{SN}^{1\ast }\left|\right|S_{ID})$, $\left(h\right(N_D^1\left|\right|\alpha )$$\oplus N_G^1{)}^{\ast }=M_{G2}$$\oplus h(\delta$$\left|\right|D_{TID}$$\left|\right|A{S}_{ID}^{\ast })$, and $V_{G1}^{\ast }=h\left(\delta \right||S_{TID}^{\ast }\left|\right|A{S}_{ID}^{\ast }\left|\right|\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1{)}^{\ast }\left|\right|D_{TID})$. If the equation $V_{G1}^{\ast }\stackrel{?}{=}{V}_{G1}$ is correct, the sensor node generates a random nonce $N_S^1$ and computes a new pseudo identity $S_{TID}^{new}=h\left(\delta \right||N_S^1\left|\right|A{S}_{ID})$, a session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$, $M_{S1}=N_S^1\oplus h\left(\delta \right||A{S}_{ID}\left|\right|h(N_D^1\left|\right|\alpha )\oplus N_G^1)$, and $V_{S1}=h(N_S^1\left|\right|S_{TID}^{new}\left|\right|SK)$. Lastly, the sensor node sends $\{M_{S1},V_{S1}\}$ to the gateway through a public channel and updates $\left\{S_{TID}\right\}$ to $\left\{S_{TID}^{new}\right\}$.

Step 4: After receiving $\{M_{S1},V_{S1}\}$ from the sensor node, the gateway computes $N_S^{1\ast }=M_{S1}\oplus h\left(\delta \right||A{S}_{ID}\left|\right|h(N_D^1\left|\right|\alpha )\oplus N_G^1)$, the session key $S{K}^{\ast }=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^{1\ast })$, the new pseudo identity of the sensor node $S_{TID}^{new\ast }=h\left(\delta \right||N_S^{1\ast }\left|\right|A{S}_{ID})$, and $V_{S1}^{\ast }=h(N_S^{1\ast }$$\left|\right|S_{TID}^{new\ast }$$\left|\right|S{K}^{\ast })$. If the equation $V_{S1}^{\ast }\stackrel{?}{=}{V}_{S1}$ is correct, the gateway computes a new pseudo identity of the doctor $D_{TID}^{new}=h\left(\alpha \right||N_D^1\left|\right|N_G^1\oplus N_S^1)$, $M_{G3}=(N_G^1\oplus N_S^1)\oplus h\left(\alpha \right||D_{TID})$, and $V_{G2}=h(N_G^1\oplus N_S^1\left|\right|D_{TID}^{new}\left|\right|SK)$. Then, the gateway sends $\{M_{G3},V_{G2}\}$ to the doctor and updates $\{S_{TID},D_{TID}\}$ to $\{S_{TID}^{new},D_{TID}^{new}\}$.

Step 5: The doctor computes ${(N_G^1\oplus N_S^1)}^{\ast }=M_{G3}\oplus h\left(\alpha \right||D_{TID})$, $D_{TID}^{new\ast }=h\left(\alpha \right||$$N_D^1\left|\right|$${(N_G^1\oplus N_S^1)}^{\ast })$, $S{K}^{\ast }=h\left(h\right(N_D^1\left|\right|\alpha )\oplus {(N_G^1\oplus N_S^1)}^{\ast })$, and $V_{G2}^{\ast }=h(N_G^{1\ast }\left|\right|N_S^{1\ast }\left|\right|D_{TID}^{new\ast }\left|\right|$$S{K}^{\ast })$ and verifies $V_{G2}^{\ast }\stackrel{?}{=}{V}_{G2}$. If it is correct, the doctor replaces $\left\{D_{TID}\right\}$ with $\left\{D_{TID}^{new}\right\}$ in the smart device.

6.5. Password Change Phase

In our scheme, we provide a convenient password update process for the doctor. Detailed steps are as follows.

Step 1: A doctor inputs $D_{ID}$, $P{W}_D$, and $BI{O}_D$ to the smart device.

Step 2: The smart device computes $R_D^{\ast }=Rep(BI{O}_D,P_D)$, $GP{W}_D^{\ast }=h(P{W}_D\left|\right|R_D^{\ast })$, and $Ve{r}_D^{\ast }=h(D_{ID}\left|\right|GP{W}_D^{\ast }\left|\right|R_D^{\ast })$ and verifies $Ve{r}_D\stackrel{?}{=}Ve{r}_D^{\ast }$. If the equation is correct, the smart device demands a new password from the doctor.

Step 3: The doctor inputs a new password $P{W}_D^{new}$ to the smart device.

Step 4: The smart device computes $GP{W}_D^{new}=h(P{W}_D^{new}\left|\right|R_D)$, $\beta =\alpha \oplus h(GP{W}_D^{new}$$\left|\right|R_{SG}^2)$, $\theta =h(R_D\left|\right|GP{W}_D^{new})\oplus R_{SG}^2$, and $Ve{r}_D^{new}=h(D_{ID}$$\left|\right|G{P}^{new}{W}_D$$\left|\right|R_D)$ and updates $\{\beta ,\theta ,Ve{r}_D\}$ to $\{{\beta }^{new},{\theta }^{new},Ve{r}_D^{new}\}$.

7. Security Analysis

To prove the security features of the proposed scheme, we use BAN logic and the RoR model, which can prove the mutual authentication properties and session key security, respectively. Moreover, we show that our scheme has resistance against man-in-the-middle and replay attacks using AVISPA. Furthermore, we claim that the proposed scheme can prevent various security attacks using informal analysis.

7.1. BAN Logic

BAN logic is a well-known formal proof to verify the mutual authentication of a protocol. Therefore, many researchers have used BAN logic to prove the mutual authentication of their schemes [30,31,32,33]. In this section, we prove the mutual authentication of the proposed scheme using BAN logic [9]. The basic notations and descriptions of BAN logic are shown in

Table 2. Notations of BAN logic.

Notation	Description
$P_1,P_2$	Principals
$M_1,M_2$	Statements
$SK$	Session key
$P_1|\equiv M_1$	$P_1$ believes $M_1$
$P_1|\sim M_1$	$P_1$ once said $M_1$
$P_1⤇M_1$	$P_1$ controls $M_1$
$P_1⊲M_1$	$P_1$ receives $M_1$
$\#M_1$	$M_1$ is fresh
${\left\{M_1\right\}}_K$	$M_1$ is encrypted with K
$P_1\stackrel{K}{\leftrightarrow }{P}_2$	$P_1$ and $P_2$ have shared key K

.

7.1.1. Rules

The logical rules of BAN logic are as follows.

1. 

Message meaning rule (MMR):

$$\frac{P_1|\equiv P_1\stackrel{K}{\leftrightarrow }{P}_2,P_1⊲{\left\{M_1\right\}}_K}{P_1|\equiv P_2|\sim M_1}$$

2. 

Nonce verification rule (NVR):

$$\frac{P_1|\equiv \#\left(M_1\right),P_1|\equiv P_2|\sim M_1}{P_1|\equiv P_2|\equiv M_1}$$

3. 

Jurisdiction rule (JR):

$$\frac{P_1|\equiv P_2⤇M_1,P_1|\equiv P_2|\equiv M_1}{P_1|\equiv M_1}$$

4. 

Belief rule (BR):

$$\frac{P_1|\equiv (M_1,M_2)}{P_1|\equiv M_1}$$

5. 

Freshness rule (FR):

$$\frac{P_1|\equiv \#\left(M_1\right)}{P_1|\equiv \#(M_1,M_2)}$$

7.1.2. Goals

The BAN logic goals of the proposed scheme are as follows. We define the principals $DO$, $GWN$, and $SN$ as the doctor, the gateway, and the sensor node, respectively.

Goal 1: 

$DO|\equiv DO\stackrel{SK}{\leftrightarrow }GWN$

Goal 2: 

$DO|\equiv GWN|\equiv DO\stackrel{SK}{\leftrightarrow }GWN$

Goal 3: 

$GWN|\equiv DO\stackrel{SK}{\leftrightarrow }GWN$

Goal 4: 

$GWN|\equiv DO|\equiv DO\stackrel{SK}{\leftrightarrow }GWN$

Goal 5: 

$SN|\equiv SN\stackrel{SK}{\leftrightarrow }GWN$

Goal 6: 

$SN|\equiv GWN|\equiv SN\stackrel{SK}{\leftrightarrow }GWN$

Goal 7: 

$GWN|\equiv SN\stackrel{SK}{\leftrightarrow }GWN$

Goal 8: 

$GWN|\equiv SN|\equiv SN\stackrel{SK}{\leftrightarrow }GWN$

7.1.3. Idealized Forms

In the proposed scheme, there are four messages exchanged through a public channel. We transform these messages into idealized forms. Our scheme’s idealized forms for the messages are as follows:

$Messag{e}_1$

: $DO\to GWN:{\left\{N_D^1\right\}}_{\alpha }$

$Messag{e}_2$

: $GWN\to SN:\{N_G^1,h(N_D^1{\left|\right|\alpha \left)\right\}}_{\delta }$

$Messag{e}_3$

: $SN\to GWN:{\left\{N_S^1\right\}}_{\delta }$

$Messag{e}_4$

: $GWN\to DO:{\{N_G^1,N_S^1\}}_{\alpha }$

7.1.4. Assumptions

The assumptions in the proposed scheme are shown below.

$A_1$:

$GWN|\equiv \#(N_D^1)$

$A_2$:

$GWN|\equiv \#(N_S^1)$

$A_3$:

$SN|\equiv \#(h(N_D^1\left|\right|\alpha \left)\right)$

$A_4$:

$DO|\equiv \#(N_G^1)$

$A_5$:

$DO|\equiv GWN⤇(DO\stackrel{SK}{\leftrightarrow }GWN)$

$A_6$:

$GWN|\equiv DO⤇(DO\stackrel{SK}{\leftrightarrow }GWN)$

$A_7$:

$SN|\equiv GWN⤇(SN\stackrel{SK}{\leftrightarrow }GWN)$

$A_8$:

$GWN|\equiv SN⤇(SN\stackrel{SK}{\leftrightarrow }GWN)$

$A_9$:

$DO|\equiv DO\stackrel{\alpha }{\leftrightarrow }GWN$

$A_{10}$:

$GWN|\equiv DO\stackrel{\alpha }{\leftrightarrow }GWN$

$A_{11}$:

$SN|\equiv SN\stackrel{\delta }{\leftrightarrow }GWN$

$A_{12}$:

$GWN|\equiv SN\stackrel{\delta }{\leftrightarrow }GWN$

7.1.5. BAN Logic Proof

Step 1: We can obtain $S_1$ from the message $Messag{e}_1$.

$$S_1: GWN⊲{\left\{N_D^1\right\}}_{\alpha }$$

Step 2: We can obtain $S_2$ from the message meaning rule using $S_1$ and $A_{10}$.

$$S_2: GWN|\equiv DO|\sim \left(N_D^1\right)$$

Step 3: We can obtain $S_3$ from the freshness rule using $S_2$ and $A_1$.

$$S_3: GWN|\equiv \#(N_D^1)$$

Step 4: We can obtain $S_4$ from the nonce verification rule using $S_2$ and $S_3$.

$$S_4: GWN|\equiv DO|\equiv \left(N_D^1\right)$$

Step 5: We can obtain $S_5$ from the message $Messag{e}_2$.

$$S_5: SN⊲\{N_G^1,h(N_D^1{\left|\right|\alpha \left)\right\}}_{\delta }$$

Step 6: We can obtain $S_6$ from the message meaning rule using $S_5$ and $A_{11}$.

$$S_6: SN|\equiv GWN|\sim (N_G^1,h(N_D^1\left|\right|\alpha \left)\right)$$

Step 7: We can obtain $S_7$ from the freshness rule using $S_6$ and $A_3$.

$$S_7: SN|\equiv \#(N_G^1,h(N_D^1\left|\right|\alpha \left)\right)$$

Step 8: We can obtain $S_8$ from the nonce verification rule using $S_6$ and $S_7$.

$$S_8: SN|\equiv GWN|\equiv (N_G^1,h(N_D^1\left|\right|\alpha \left)\right)$$

Step 9: We can obtain $S_9$ from the message $Messag{e}_3$.

$$S_9: GWN⊲{\left\{N_S^1\right\}}_{\delta }$$

Step 10: We can obtain $S_{10}$ from the message meaning rule using $S_9$ and $A_{12}$.

$$S_{10}: GWN|\equiv SN|\sim \left(N_S^1\right)$$

Step 11: We can obtain $S_{11}$ from the nonce verification rule using $A_2$ and $S_{10}$.

$$S_{11}: GWN|\equiv SN|\equiv \left(N_S^1\right)$$

Step 12: We can obtain $S_{12}$ and $S_{13}$ from $S_8$ and $S_{11}$. $SN$ and $GWN$ can compute the session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$.

$$S_{12}: GWN|\equiv SN|\equiv (SN\stackrel{SK}{\leftrightarrow }GWN) \mathbf{\left(}\mathbf{Goal}\mathbf{8}\mathbf{\right)}$$

$$S_{13}: SN|\equiv GWN|\equiv (SN\stackrel{SK}{\leftrightarrow }GWN) \mathbf{\left(}\mathbf{Goal}\mathbf{6}\mathbf{\right)}$$

Step 13: We can obtain $S_{14}$ and $S_{15}$ from the jurisdiction rule using $S_{12}$ and $A_8$, and $S_{13}$ and $A_7$, respectively.

$$S_{14}: GWN|\equiv (SN\stackrel{SK}{\leftrightarrow }GWN) \mathbf{\left(}\mathbf{Goal}\mathbf{7}\mathbf{\right)}$$

$$S_{15}: SN|\equiv (SN\stackrel{SK}{\leftrightarrow }GWN) \mathbf{\left(}\mathbf{Goal}\mathbf{5}\mathbf{\right)}$$

Step 14: We can obtain $S_{16}$ from the message $Messag{e}_4$.

$$S_{16}: DO⊲{\{N_G^1,N_S^1\}}_{\alpha }$$

Step 15: We can obtain $S_{17}$ from the message meaning rule using $A_9$ and $S_{16}$.

$$S_{17}: DO|\equiv GWN|\sim (N_G^1,N_S^1)$$

Step 16: We can obtain $S_{18}$ from the freshness rule using $S_{17}$ and $A_4$.

$$S_{18}: DO|\equiv \#(N_G^1,N_S^1)$$

Step 17: We can obtain $S_{19}$ from the nonce verification rule using $S_{17}$ and $S_{18}$.

$$S_{19}: DO|\equiv GWN|\equiv (N_G^1,N_S^1)$$

Step 18: We can obtain $S_{20}$ and $S_{21}$ using $S_4$ and $S_{19}$. $DO$ and $GWN$ can compute the session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$.

$$S_{20}: DO|\equiv GWN|\equiv \left(DO\stackrel{SK}{\leftrightarrow }GWN\right) \mathbf{\left(}\mathbf{Goal}\mathbf{2}\mathbf{\right)}$$

$$S_{21}: GWN|\equiv DO|\equiv \left(DO\stackrel{SK}{\leftrightarrow }GWN\right) \mathbf{\left(}\mathbf{Goal}\mathbf{4}\mathbf{\right)}$$

Step 19: We can obtain $S_{22}$ and $S_{23}$ using the jurisdiction rule using $S_{20}$ and $A_5$, $S_{21}$, and $A_6$, respectively.

$$S_{22}: DO|\equiv (DO\stackrel{SK}{\leftrightarrow }GWN) \mathbf{\left(}\mathbf{Goal}\mathbf{1}\mathbf{\right)}$$

$$S_{23}: GWN|\equiv (DO\stackrel{SK}{\leftrightarrow }GWN) \mathbf{\left(}\mathbf{Goal}\mathbf{3}\mathbf{\right)}$$

7.2. RoR Model

In this section, we prove that the session key in the proposed scheme is secure, using the Real-or-Random (RoR) model [10]. To apply our scheme into the RoR model, we discuss the basic concepts of participants, adversaries, and queries. There are three participants in our scheme: ${\mathcal{P}}_{User}^{t_1}$, ${\mathcal{P}}_{Gateway}^{t_2}$, and ${\mathcal{P}}_{Sensor}^{t_3}$, where $t_k$ is the participant instance of the user, the gateway, and the sensor node. We assume that an adversary $\mathcal{A}$ can control the whole network, which intercepts, deletes, inserts, and eavesdrops messages transmitted through a public channel. Moreover, $\mathcal{A}$ attempts to attack the network utilizing $Execute$, $CorruptSD$, $Reveal$, $Send$, and $Test$ queries in the RoR model. Details of the queries are as follows.

• $Execute({\mathcal{P}}_{User}^{t_1},{\mathcal{P}}_{Gateway}^{t_2},{\mathcal{P}}_{Sensor}^{t_3})$: The query $Execute$ is a passive attack. This query explains that $\mathcal{A}$ can eavesdrop messages generated by ${\mathcal{P}}_{User}^{t_1}$, ${\mathcal{P}}_{Gateway}^{t_2}$, and ${\mathcal{P}}_{Sensor}^{t_3}$.
• $CorruptSD\left({\mathcal{P}}_{User}^{t_1}\right)$: This query is an active attack. By this query, $\mathcal{A}$ can obtain sensitive information extracted from the smart device of ${\mathcal{P}}_{User}^{t_1}$.
• $Reveal\left({\mathcal{P}}^t\right)$: $\mathcal{A}$ can reveal the current session key $SK$.
• $Send({\mathcal{P}}^t,\mathcal{M})$: Using the query $Send$, $\mathcal{A}$ can send a message $\mathcal{M}$ to ${\mathcal{P}}_{User}^{t_1}$, ${\mathcal{P}}_{Gateway}^{t_2}$, and ${\mathcal{P}}_{Sensor}^{t_3}$. Moreover, $\mathcal{A}$ can receive the return message. Therefore, this query is an active attack.
• $Test\left(P^t\right)$: If $\mathcal{A}$ performs a $Test$ query, an unbiased coin C is flipped prior to starting the game. When the session key $SK$ is fresh, $\mathcal{A}$ obtains $C=1$. $\mathcal{A}$ also obtains $C=0$ when the session key is not fresh. Otherwise, $\mathcal{A}$ will receive a null value (⊥). If $\mathcal{A}$ cannot distinguish between the session key and the random number, we can ensure that the proposed scheme can provide the security of the session key.

Security Proof

Theorem 1.

In the RoR model, an adversary $\mathcal{A}$ tries to calculate the session key of the proposed scheme in polynomial time. Let $Ad{v}_{\mathcal{A}}\left(P\right)$ be the possibility that $\mathcal{A}$ breaks the security of the session key. We define $Hash$ and $PUF$ as the range space of hash function $h(.)$ and PUF function $PUF(.)$, respectively. In addition, we define $q_h$, $q_p$, and $q_s$ as the number of $Hash$, $PUF$, and $Send$ queries, respectively. $l_D$ is the number of bits in biometric secret key $BI{O}_D$ of the doctor, $C^{\prime }$ and $s^{\prime }$ are the Zipf’s parameter [34].

$$Ad{v}_{\mathcal{A}}\left(P\right)\le \frac{q_h^2}{\left|Hash\right|}+\frac{q_p^2}{\left|PUF\right|}+2max\{C^{\prime }{q}_s^{s^{\prime }},\frac{q_s}{2^{l_D}}\}$$

Proof. 

We follow the security proof as performed in [35,36,37]. In our proof, there are five games $Gam{e}_k$ where $k=0,1,2,3,4$. We denote $S_{Gam{e}_k}$ as the winning probability of the adversary $\mathcal{A}$ and $Pr\left[S_{Gam{e}_k}\right]$ as the advantage of the $S_{Gam{e}_k}$.

• $Gam{e}_0$: $Gam{e}_0$ is the starting game, where the adversary $\mathcal{A}$ picks up the random bit c. Therefore, we obtain the following:

  $$Ad{v}_{\mathcal{A}}\left(P\right)=|2Pr\left[S_{Gam{e}_0}\right]-1|$$

  (1)
• $Gam{e}_1$: In this game, $\mathcal{A}$ performs an eavesdropping attack, which is the $Execute$ query in the RoR model. When obtaining messages $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$, $\{D_{TID},$$S_{TID},M_{G1}$, $M_{G2},V_{G1}\}$, $\{M_{S1},V_{S1}\}$, and $\{M_{G3},V_{G2}\}$, $\mathcal{A}$ carries out $Test$ and $Reveal$ queries to distinguish between the session key $SK$ and a random number. To obtain the session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$, $\mathcal{A}$ needs $N_D^1$, $N_G^1$, and $N_S^1$, which are random numbers generated by the user (doctor), the gateway, and the sensor node, respectively. $\alpha$ is the shared secret parameter between the gateway and the user. For these reasons, the adversary $\mathcal{A}$ cannot compute the session key $SK$. This means that $\mathcal{A}$ does not enhance the probability compared with the $Gam{e}_0$.

  $$\left[Pr\left[S_{Gam{e}_1}\right]\right]=\left[Pr\left[S_{Gam{e}_0}\right]\right]$$

  (2)
• $Gam{e}_2$: In $Gam{e}_2$, the adversary $\mathcal{A}$ performs $Send$ and $Hash$ queries. In the message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$, $\{D_{TID},S_{TID},M_{G1},M_{G2},V_{G1}\}$, $\{M_{S1},V_{S1}\}$, and $\{M_{G3},V_{G2}\}$, parameters $D_{TID}$, $S_{TID}$, $V_{D1}$, $V_{G1}$, $V_{S1}$, and $V_{G2}$ are masked by the cryptographic one-way hash function, which provides resistance against hash collision. Moreover, random numbers $N_D^1$, $N_G^1$, $N_S^1$, and the hash functions are contained in $M_{D1}$, $M_{G1}$, $M_{G2}$, $M_{G3}$, and $M_{S1}$. Therefore, there is no collision problem when $\mathcal{A}$ performs a $Hash$ query. We apply the birthday paradox [38] and obtain the result as follows:

  $$|Pr\left[S_{Gam{e}_2}\right]-Pr\left[S_{Gam{e}_1}\right]|\le \frac{q_h^2}{\left|Hash\right|}$$

  (3)
• $Gam{e}_3$: $Gam{e}_3$ is similar to $Gam{e}_2$. $\mathcal{A}$ performs $Send$ and $PUF$ queries. As explained in Section 3.3, the physical function $PUF(.)$ has a secure property. Therefore, we can obtain the following inequation:

  $$|Pr\left[S_{Gam{e}_3}\right]-Pr\left[S_{Gam{e}_2}\right]|\le \frac{q_p^2}{\left|PUF\right|}$$

  (4)
• $Gam{e}_4$: In the final game $Gam{e}_4$, $\mathcal{A}$ performs a $CorruptSD$ query and extracts sensitive data $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$ from the smart device of the user. $\mathcal{A}$ attempts to calculate parameters $\alpha$ and $R_{SG}^2$ from $\beta =\alpha \oplus h\left(GP{W}_D\right|\left|R_{SG}^2\right)$ and $\theta =R_{SG}^2\oplus h(R_D\left|\right|GP{W}_D)$, respectively. Since parameters $R_D$ and $GP{W}_D=h(P{W}_D\left|\right|R_D)$ are composed of the password and biometrics, $\mathcal{A}$ must guess these parameters. Therefore, $\mathcal{A}$ cannot enhance the probability because guessing the password and biometrics is a computationally infeasible task. According to Zipf’s law [34], we can make the following inequation:

  $$|Pr\left[S_{Gam{e}_4}\right]-Pr\left[S_{Gam{e}_2}\right]|\le max\{C^{\prime }{q}_s^{s^{\prime }},\frac{q_s}{2^{l_D}}\}$$

  (5)
  When the games are completed, the adversary $\mathcal{A}$ obtains the guessed bit c. Therefore, it is clear that

  $$Pr\left[S_{Gam{e}_4}\right]=\frac{1}{2}$$

  (6)
  By (2) and (3), we can obtain the following equation:

  $$\frac{1}{2}Ad{v}_{\mathcal{A}}\left(P\right)=|Pr\left[S_{Gam{e}_0}\right]-\frac{1}{2}|=|Pr\left[S_{Gam{e}_1}\right]-\frac{1}{2}|$$

  (7)
  We can obtain the following equation using (6) and (7):

  $$\frac{1}{2}Ad{v}_{\mathcal{A}}\left(P\right)=|Pr\left[S_{Gam{e}_1}\right]-Pr\left[S_{Gam{e}_4}\right]|$$

  (8)
  Applying the triangular inequality, we obtain the following result:

  $$\begin{array}{c}\frac{1}{2}Ad{v}_{\mathcal{A}}\left(P\right)=|Pr\left[S_{Gam{e}_1}\right]-Pr\left[S_{Gam{e}_4}\right]|\\ \le |Pr\left[S_{Gam{e}_1}\right]-Pr\left[S_{Gam{e}_3}\right]|\\ +|Pr\left[S_{Gam{e}_3}\right]-Pr\left[S_{Gam{e}_4}\right]|\\ \le |Pr\left[S_{Gam{e}_1}\right]-Pr\left[S_{Gam{e}_2}\right]|\\ +|Pr\left[S_{Gam{e}_2}\right]-Pr\left[S_{Gam{e}_3}\right]|\\ +|Pr\left[S_{Gam{e}_3}\right]-Pr\left[S_{Gam{e}_4}\right]|\end{array}$$

  $$\le \frac{q_h^2}{2\left|Hash\right|}+\frac{q_p^2}{2\left|PUF\right|}+max\{C^{\prime }{q}_s^{s^{\prime }},\frac{q_s}{2^{l_D}}\}$$

  (9)
  Finally, we obtain the required result multiplying (9) by 2:
  $$Ad{v}_{\mathcal{A}}\left(P\right)\le \frac{q_h^2}{\left|Hash\right|}+\frac{q_p^2}{\left|PUF\right|}+2max\{C^{\prime }{q}_s^{s^{\prime }},\frac{q_s}{2^{l_D}}\}$$

Thus, we have proven Theorem 1.

□

7.3. AVISPA Simulation

We simulate the proposed scheme using AVISPA [11,12] to analyze the security features of our scheme. AVISPA is a formal verification tool that can detect security vulnerabilities regarding replay and man-in-the-middle attacks. Therefore, various authentication schemes [39,40,41] have been simulated by using AVISPA.

To simulate our protocol, we need to create a code written in the High-Level Protocol Specification Language (HLPSL). The code written in HLPSL is converted to the Intermediate Format (IF) by the translator. Then, the translator inputs the IF into back-ends. AVISPA has four back-ends, named On-the-Fly Model Checker (OFMC), Constraint Logic-based Attack Searcher (CL-AtSe), SAT-based Model Checker (SATMC), and Three Automata based on Automatic Approximations for Analysis of Security Protocol (TA4SP). In this paper, the OFMC and CL-AtSe back-ends are used because these back-ends provide exclusive-OR operations. Lastly, we obtain the Output Format (OF), which is the security analysis result of the protocol. If we obtain a “SAFE” message in the summary of OF, we can consider that the protocol is secure against replay and man-in-the-middle attacks.

7.3.1. HLPSL Specification

In this section, we explain the HLPSL code of our scheme. There are three basic roles in HLPSL: the doctor $DO$, the gateway $GW$, and the sensor node $SN$. With these roles, we describe the session and the environment roles. The goals, the environment, and the session of our scheme written in HLPSL are shown in Figure 7.

We show the role of the doctor in Figure 8. When state 1 starts, the doctor receives a start message and generates the registration request message $R_{req}$. Then, the doctor computes $GP{W}_D$ with his password $P{W}_D$, the biometrics $BI{O}_D$, and sends $\{D_{ID},GP{W}_D,R_{req}\}$ to the gateway via a secure channel. After this, the doctor receives $\{\beta ,D_{TID},R_{SG}^2\}$ from the gateway and computes $Ve{r}_D$ and $\theta$ in state 2. The doctor stores $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$ in the smart device. With these parameters, the doctor sends a login and authentication request message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$ to the gateway via a public channel. $witness(DOC,GW$, $doc\_gw\_n1d,N_D^{\prime 1})$ indicates the freshness of $N_D^1$. When the doctor receives the message $\{M_{G3},V_{G2}\}$ in state 3, the doctor performs $request(GW,DOC,doc\_gw\_n1s,N_S^{\prime 1})$ and $request$$(GW,DOC,doc\_gw\_n1g,N_G^{\prime 1})$, which represent the freshness acceptance of the random nonces $N_G^1$ and $N_S^1$.

7.3.2. Simulation Result

We perform simulations using the OFMC and CL-AtSe back-ends and show the simulation result of the proposed scheme in Figure 9. If the summary message is “SAFE”, this indicates that the proposed scheme is secure against replay and man-in-the-middle attacks. As with the simulation result shown in Figure 9, both summaries simulated in the OFMC and CL-AtSe back-ends are “SAFE”. Thus, the proposed scheme can prevent replay and man-in-the-middle attacks.

7.4. Informal Analysis

In this section, we show the security features of the proposed scheme, including those that protect against offline password guessing, impersonation, replay, man-in-the-middle, physical, cloning, privileged insider, session-specific random number leakage, and verification table leakage attacks. Moreover, the proposed scheme can ensure user anonymity, perfect forward secrecy, and mutual authentication.

7.4.1. User Anonymity

We assume that an adversary $\mathcal{A}$ obtains the stolen smart device of a doctor (user) and extracts $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$. However, $\mathcal{A}$ cannot compute the real identity of the doctor because the pseudo identity of the doctor $D_{TID}$ is masked by the hash function and updated in every session. Since the parameters $\beta =\alpha \oplus h\left(GP{W}_D\right|\left|R_{SG}^2\right)$ and $\theta =h(R_D\left|\right|GP{W}_D)\oplus R_{SG}^2$ stored in the smart device are masked in the biometric template of the doctor, the $\mathcal{A}$ has difficulty in guessing the real identity of the doctor. Hence, $\mathcal{A}$ cannot obtain the real identity of the doctor. Therefore, we demonstrate that the proposed scheme can ensure user anonymity.

7.4.2. Offline Password Guessing Attack

$\mathcal{A}$ obtains a doctor’s smart device and obtains $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$ from the device using a power analysis attack. Then, $\mathcal{A}$ attempts to guess the password of the doctor using the extracted parameters. Unfortunately, $\mathcal{A}$ cannot guess the password of the doctor because we use the biometrics in the proposed scheme. Since $GP{W}_D=h(P{W}_D\left|\right|R_D)$, $\mathcal{A}$ must guess not only the password $P{W}_D$ but also the biometrics $BI{O}_D$ of the doctor at the same time. Note that $R_D$ is the result of the fuzzy extractor, which is expressed as $R_D=Rep(BI{O}_D,P_D)$. However, this process is a computationally infeasible task. Thus, the proposed scheme can prevent offline password guessing attacks.

7.4.3. Impersonation Attack

Assume that an adversary $\mathcal{A}$ tries to impersonate a legitimate doctor using parameters $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$, which are stored in the doctor’s device. Then, $\mathcal{A}$ attempts to calculate the login request message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$. However, $\mathcal{A}$ cannot calculate $M_{D1}=N_D^1\oplus h(D_{TID}\left|\right|\alpha )$ and $V_{D1}=h(N_D^1\left|\right|D_{TID}\left|\right|\alpha \left|\right|S_{TID})$ because $\mathcal{A}$ cannot calculate $\alpha =\beta \oplus h\left(GP{W}_D\right|\left|R_{SG}^2\right)$. Hence, the proposed scheme is secure against impersonation attacks.

7.4.4. Replay Attack

Assume that an adversary $\mathcal{A}$ intercepts authentication request messages $\{D_{TID},$$S_{TID},M_{D1},V_{D1}\}$, $\{D_{TID},S_{TID},M_{G1},M_{G2},V_{G1}\}$, and sends messages to authenticate the gateway and the sensor node at other sessions. However, each entity checks the freshness of $N_D^1$, $N_G^1$, and $N_S^1$, which are random nonces generated by the doctor, the gateway, and the sensor node, respectively. Therefore, the proposed scheme is secure against replay attacks.

7.4.5. Man-in-the-Middle Attack

We show that $\mathcal{A}$ cannot generate the login request message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$, according to Section 7.4.3. Moreover, $\mathcal{A}$ cannot compute $\{D_{TID},S_{TID},M_{G1},M_{G2},V_{G1}\}$, $\{M_{S1},V_{S1}\}$, and $\{M_{G3},V_{G2}\}$ because each message is masked in the shared secret parameter $\alpha$ and $\delta$. Thus, the proposed scheme can prevent man-in-the-middle attacks.

7.4.6. Physical and Cloning Attacks

We can assume that $\mathcal{A}$ physically captures a sensor node $S{N}_1$ and tries to authenticate the gateway as $S{N}_1$. To do this, $\mathcal{A}$ obtains the parameters of $S{N}_1$$\{\delta ,P_{SN},S_{TID}\}$ using a power analysis attack. Then, $\mathcal{A}$ attempts to authenticate as a legitimate sensor node $S{N}_1$ using parameters $\{\delta ,P_{SN},S_{TID}\}$ or by cloning the sensor node $S{N}_1$. When $\mathcal{A}$ receives $\{D_{TID},S_{TID},M_{G1},M_{G2},V_{G1}\}$ from the gateway, $\mathcal{A}$ computes $C{H}_1^{\ast }=M_{G3}\oplus h\left(\delta \right||D_{TID}\left|\right|S_{TID})$. However, $\mathcal{A}$ cannot compute $R{E}_1$ because the function $PUF(.)$ is a physically unclonable circuit and cannot duplicate, according to Section 3.3. Therefore, $\mathcal{A}$ cannot compute $R_{SN}^1=Rep(R{E}_1,P_{SN})$ and $A{S}_{ID}=h(R_{SN}^1\left|\right|S_{ID})$ to calculate $M_{S1}$ and $V_{S1}$. Thus, the proposed scheme is secure against physical and cloning attacks.

7.4.7. Privileged Insider Attack

Assume that a privileged insider $\mathcal{A}$ obtains the registration request message $\{D_{ID},$$GP{W}_D,R_{req}\}$ of a doctor and obtains parameters $\{\beta ,\theta ,Ve{r}_D,D_{TID},P_D\}$, extracted from the stolen smart device of the doctor using a power analysis attack, and $\mathcal{A}$ attempts to impersonate as the doctor. To compute the login request message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$, $\mathcal{A}$ must calculate the shared secret parameter $\alpha$. However, $\mathcal{A}$ cannot calculate $\alpha =h\left(GP{W}_D\right|\left|R_{SG}^2\right)$ because the parameter $R_D$ in $GP{W}_D=h(P{W}_D\left|\right|R_D)$ is generated by the biometrics of the doctor. Moreover, $\mathcal{A}$ must guess the password $P{W}_D$ of the doctor to calculate $GP{W}_D=h(P{W}_D\left|\right|R_D)$, and it is a computationally infeasible task to guess $R_D$ and $P{W}_D$ at the same time. Therefore, the proposed scheme can prevent privileged insider attacks.

7.4.8. Session-Specific Random Number Leakage Attack

Suppose that $\mathcal{A}$ obtains random nonces $N_D^1$, $N_G^1$, and $N_S^1$. Then, $\mathcal{A}$ tries to calculate the session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$. However, $\mathcal{A}$ cannot compute the session key $SK$ without knowing the shared secret parameter $\alpha$. Since $\alpha$ is masked by the hash functions, $\mathcal{A}$ cannot calculate $\alpha$. Thus, the proposed scheme has resistance against session-specific random number leakage attacks.

7.4.9. Verification Table Leakage Attack

If $\mathcal{A}$ obtains the verification table $\{\omega ,R_{SG}^1,D_{TID}\}$, $\{A{S}_{ID},S_{TID},C{H}_1\}$ of the gateway, $\mathcal{A}$ attempts to calculate the session key $SK$ or impersonate a doctor. However, $\mathcal{A}$ cannot calculate the shared secret parameter $\alpha =\omega \oplus h\left(R_{SG}^1\right|\left|s\right)$ and $\delta =h\left(A{S}_{ID}\right|\left|s\right)$ without the master key s of the gateway. Therefore, it is difficult for $\mathcal{A}$ to compute the session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$ or impersonate a doctor. Therefore, the proposed scheme can prevent verification table leakage attacks.

7.4.10. Perfect Forward Secrecy

If $\mathcal{A}$ obtains the master key s of the gateway, $\mathcal{A}$ attempts to compute the session key $SK=h\left(h\right(N_D^1\left|\right|\alpha )\oplus N_G^1\oplus N_S^1)$. However, $\mathcal{A}$ cannot compute $\alpha =h\left(D_{ID}\right|\left|s\right)$ without the real identity of the doctor, and all random nonces are masked by hash functions. Therefore, $\mathcal{A}$ cannot calculate $SK$. For this reason, the proposed scheme ensures perfect forward secrecy.

7.4.11. Mutual Authentication

To ensure mutual authentication, each entity checks the validity of $V_{D1}^{\ast }\stackrel{?}{=}{V}_{D1}$, $V_{G1}^{\ast }\stackrel{?}{=}{V}_{G1}$, $V_{S1}^{\ast }\stackrel{?}{=}{V}_{S1}$, and $V_{G2}^{\ast }\stackrel{?}{=}{V}_{G2}$. Furthermore, all participants check the freshness of random nonces $N_D^1$, $N_G^1$, and $N_S^1$. When the verification processes are successful, we can demonstrate that the participants of the proposed scheme authenticate each other. Therefore, the proposed scheme ensures mutual authentication.

8. Performance

In this section, we compare the security features of the proposed scheme with other related schemes [7,18,19,20,25]. Moreover, we show the communication costs, computation costs, and energy consumption of the proposed scheme.

8.1. Security Features Comparison

We present the security features of the proposed scheme compared with related schemes [7,18,19,20,25]. In

Table 3. Security and functionality features comparison.

Security Properties	[18]	[19]	[20]	[25]	[7]	Proposed
$SP1$	×	🗸	🗸	🗸	×	🗸
$SP2$	🗸	🗸	🗸	🗸	×	🗸
$SP3$	🗸	🗸	🗸	🗸	×	🗸
$SP4$	🗸	🗸	🗸	🗸	🗸	🗸
$SP5$	×	🗸	🗸	🗸	×	🗸
$SP6$	×	×	×	🗸	×	🗸
$SP7$	×	×	🗸	🗸	🗸	🗸
$SP8$	−	−	−	−	−	🗸
$SP9$	×	🗸	🗸	🗸	×	🗸
$SP10$	🗸	🗸	🗸	🗸	🗸	🗸
$SP11$	🗸	🗸	🗸	🗸	🗸	🗸
$SP12$	🗸	−	−	🗸	−	🗸
$SP13$	🗸	🗸	🗸	−	🗸	🗸
$SP14$	−	🗸	🗸	−	−	🗸

🗸: Provides the security/functionality feature. ×: Does not provide the security/functionality feature. −: Does not consider the security/functionality feature.

, we consider various security attacks and functionalities. The security features and the functionalities are as follows: $SP1$: resistance against smart device theft attack, $SP2$: resistance against offline password guessing attack, $SP3$: resistance against impersonation attack, $SP4$: resistance against replay attack, $SP5$: resistance against privileged insider attack, $SP6$: resistance against physical and cloning attacks, $SP7$: resistance against session-specific random number leakage attack, $SP8$: resistance against verification table leakage attack, $SP9$: ensuring user anonymity, $SP10$: ensuring perfect forward secrecy, $SP11$: ensuring mutual authentication, $SP12$: performing RoR model, $SP13$: performing AVISPA simulation, $SP14$: performing BAN logic proof. Therefore, our scheme can provide a secure authentication process compared with [7,18,19,20].

8.2. Communication Costs Comparison

In this section, we compare the communication costs of the proposed scheme with existing schemes [7,18,19,20,25]. According to [35], we suppose that the SHA-1 hash digest, identity, random number, PUF challenge–response pair, timestamp, and ECC point are 160, 160, 128, 128, 32, and 320 bits, respectively. Therefore, the communication costs of the proposed scheme can be described as follows.

• Message 1: The message $\{D_{TID},S_{TID},M_{D1},V_{D1}\}$ requires $(160+160+160+160)=640$ bits.
• Message 2: The message $\{D_{TID},S_{TID},M_{G1},M_{G2},V_{G1}\}$ needs $(160+160+160+160+160)=800$ bits.
• Message 3: The message $\{M_{S1},V_{S1}\}$ needs $(160+160)=320$ bits.
• Message 4: The message $\{M_{G3},V_{G2}\}$ requires $(160+160)=320$ bits.

Therefore, the total communication costs of our scheme are $640+800+320+320=2080$ bits. In

Table 4. Comparison of communication costs.

Schemes	Total Communication Costs	Messages
Li et al. [18]	2880 bits	4 messages
Shin et al. [19]	3328 bits	4 messages
Ali et al. [20]	2240 bits	4 messages
Chen et al. [25]	2880 bits	5 messages
Masud et al. [7]	2176 bits	4 messages
Proposed	2080 bits	4 messages

, we show the total communication costs of our scheme and other related schemes. Consequently, we demonstrate that our scheme has more efficient communication costs than other related schemes [7,18,19,20,25].

8.3. Computation Costs Comparison

We compare the computation costs of the proposed scheme with [7,18,19,20,25]. According to [42,43], we define $T_{RNG}$, $T_H$, $T_{EM}$, $T_{EA}$, $T_F$, and $T_{PUF}$ as the random number generation (≈0.0539 s), hash function (≈0.00023 s), ECC multiplication (≈0.2226 s), ECC addition (≈0.00288 s), fuzzy extractor (≈0.268 s), and PUF operation time (≈0.012 s), respectively. Furthermore, we ignore the execution time of exclusive-OR (⊕) operations because it is computationally negligible.

The total computation costs of our scheme are slightly higher than those of Masud et al.’s scheme [7] as shown in

Table 5. Comparison of computational costs.

Schemes	User	Gateway	Sensor Node	Total	Total Cost (s)
Li et al. [18]	$1T_{RNG}+8T_H+3T_{EM}$	$1T_{RNG}+8T_H+T_{EM}$	$1T_{RNG}+4T_H+2T_{EM}$	$3T_{RNG}+20T_H+6T_{EM}$	$1.502$
Shin et al. [19]	$1T_{RNG}+1T_F+14T_H+2T_{EM}$	$12T_H+1T_{EM}$	$1T_{RNG}+5T_H+1T_{EM}$	$2T_{RNG}+1T_F+31T_H+4T_{EM}$	$1.232$
Ali et al. [20]	$1T_{RNG}+1T_F+3T_H+2T_{EM}$	$1T_{RNG}+4T_H+2T_{EM}$	$1T_H$	$2T_{RNG}+1T_F+8T_H+4T_{EM}$	$1.268$
Chen et al. [25]	$1T_{RNG}+2T_F+14T_H+1T_{PUF}$	$8T_H$	$1T_{RNG}+1T_F+8T_H$	$2T_{RNG}+3T_F+30T_H+1T_{PUF}$	$0.919$
Masud et al. [7]	$1T_{RNG}+3T_H$	$4T_{RNG}+3T_H$	$2T_{RNG}+2T_H$	$7T_{RNG}+8T_H$	$0.379$
Proposed	$1T_{RNG}+1T_F+11T_H$	$1T_{RNG}+15T_H$	$1T_{RNG}+1T_F+8T_H+1T_{PUF}$	$3T_{RNG}+2T_F+34T_H+1T_{PUF}$	$0.717$

. However, our scheme has a much higher security level than [7] using the fuzzy extractor and PUF. Moreover, our scheme is more efficient and lightweight than previous schemes [18,19,20,25] that utilize ECC, the fuzzy extractor, and PUF.

8.4. Energy Consumption Comparison

In this section, we compare the energy consumption of our scheme with [7,18,19,20,25]. We follow the battery consumption model used in [44], where the energy consumption for sending and receiving a bit are taken as 4.602 mJ and 2.34 mJ, respectively [45]. Therefore, the total energy consumption of our scheme is 4867 mJ.

Table 6. Comparison of energy consumption.

Schemes	Total Energy Consumption
Li et al. [18]	6739 mJ
Shin et al. [19]	7788 mJ
Ali et al. [20]	5242 mJ
Chen et al. [25]	6739 mJ
Masud et al. [7]	5092 mJ
Proposed	4867 mJ

shows the total energy consumption of the proposed scheme and [7,18,19,20,25]. The result indicates that our scheme is more efficient in terms of energy consumption than other related schemes.

9. Conclusions

In this paper, we review Masud et al.’s scheme and prove that their scheme is vulnerable to offline password guessing, impersonation, and privileged insider attacks. We also discover that Masud et al.’s scheme cannot ensure user anonymity and has a device update problem. To improve the security level and overcome the security weaknesses of Masud et al.’s scheme, we propose a provably secure three-factor-based mutual authentication and key agreement scheme for WMSNs. Our scheme has light weight, using only hash functions and exclusive-OR operators; it provides a secure login process to the doctor using the fuzzy extractor, and it provides resistance against cloning and physical attacks using PUF. We ensure the mutual authentication utilizing BAN logic and prove the session key security of our scheme using the RoR model. We also show that our scheme offers resistance against replay and man-in-the-middle attacks by utilizing the AVISPA simulation tool. We prove that our scheme is secure against various attacks, including offline password, impersonation, sensor node capture, and verification table leakage attacks, through informal analysis. Furthermore, we demonstrate that our scheme can provide user anonymity, perfect forward secrecy, and mutual authentication. Finally, we estimate the computation costs, communication costs, and energy consumption of our scheme and compare it with other related schemes. Our result shows that the proposed scheme can provide doctors and patients with more secure services for WMSNs. In the future, we will develop and implement our scheme, considering performance evaluation and result analysis, confirming its suitability for practical WMSN environments.