Amassing the Security: An Enhanced Authentication and Key Agreement Protocol for Remote Surgery in Healthcare Environment

1  Introduction

As a novel paradigm, Internet of Things (IoT) [1–5] can effectively share data, coordinate and utilize resources. Simultaneously, in addition to reducing data transmission delay, the active of the emergence of the 5G [6] technology also improves the data transmission rate, which makes it possible to exchange of large amounts of data. This technology has been widely adopted in smart agriculture, smart cities, transportation, healthcare [7,8], artificial intelligence [9–11], etc., and has become an important part of people’s life.

Healthcare is an important application of the IoT. With the improvement of living standards, the requirements for medical and health care are gradually increasing. Today, there is a substantial demand for medical and health care systems. The application of IoT in healthcare involves the use of the most advanced internet technology to realize interactions between patients and doctors and medical institutions and medical equipment, which enables the informatization. With the help of IoT technology, artificial intelligence [12] and intelligent equipment, we can build a perfect IoT medical system to solve or reduce the problems of difficult medical treatment and tense doctor-patient relationships caused by the lack of medical resources. Although healthcare can provide people with significant convenience, several security problems [13–17] exist, such as the disclosure of patients’ medical data and the tampering of patients’ medical schemes by illegal personnel of the system. Many researchers have proposed a large number of schemes [12,18–20] to address the security problems inherent in the healthcare environment. However, some existing authentication and key agreement protocols have security vulnerabilities, such as against offline guessing, impersonation and insider attacks. Therefore, it is crucial to propose an AKA protocol to address these challenges.

Wu et al. [21] proposed an authentication scheme, suitable for telemedicine information systems (TMIS). However, Debiao et al. [22] have confirmed that their scheme is vulnerable to several security problems, such as impersonation attacks and insider attacks. To address these vulnerabilities, Debiao et al. [22] proposed an improved scheme, which is also applicable to TMIS. Wei et al. [23] proposed a protocol suitable for TMIS without the pre-deployment phase; however, Zhu et al. [24] verified that the protocol proposed by Wei et al. [23] could not resist offline password guessing attacks. Xu et al. [25] proposed an elliptic curve cryptography (ECC)-based scheme. They claimed that their protocol can effectively provide authentication and user anonymity. However, Islam et al. [26] pointed out that Xu et al.’s [25] scheme are vulnerable to replay attacks and smart card stolen attacks, incorrect password update phase, and failure to successfully complete mutual authentication. Subsequently, Islam et al. [26] proposed an improved protocol based on the that proposed by Xu et al. [25]. The protocol was also designed based on ECC. Li et al. [27] designed an authentication scheme based on chaotic mapping; however, Madhusudhan et al. [28] proved that their scheme cannot successfully resist password guessing attacks. Zhang et al. [29] designed a three factor lightweight authentication agreement to address the problem of user anonymity in the e-healthcate system. However, Aghili et al. [30] pointed out that the agreement of Zhang et al. [29] cannot resist denial of service attacks (DOS) and insider attacks, as well as provide user untraceability and desynchronization. Therefore, Aghili et al. [30] proposed an improved scheme, which can provide user anonymity and mutual authentication. Sharma et al. [31] proposed a healthcare service authentication scheme based on cloud Internet of things, but Azrour et al. [32] pointed out that Sharma et al.'s [31] scheme could not resist user impersonatin attacks and offline password guessing attacks. Soni et al. [33] designed an authentication scheme for patient monitoring, but unfortunately, their scheme was proved by Xu et al. [34] that it could not provide perfect forward security. Kaur et al. [35] designed a secure protocol to solve the problem of security authentication in remote surgery. Ali et al. [36] designed a symmetric encryption and decryption scheme for TMIS; however, Yu et al. [37] discovered that this scheme [36] cannot withstand session key exposure attacks, man in the middle attacks (MITM) and impersonation attacks. Masud et al. [38] proposed a lightweight identity authentication scheme based on IoT healthcare. However, this scheme has been proved by Kwon et al. [39] that there are many security problems, such as offline password guessing, user impersonation, insider attacks and cannot ensure user anonymity. We summarize the literature reviewed in Table 1.

Influenced by COVID-19, the demand for remote surgery [40,41] under healthcare environment is gradually increasing. At the same time, the 5G network technology can transmit information with high efficiency and low delay, thereby facilitating remote surgery. The application of a remote surgery is shown in the Fig. 1. Surgeons can operate robotic arms to perform remote surgery for patients, which enables a number patients infected with the virus to receive prompt treatment, reduces the spread of the virus, and provide the stable development of society. Although the development of this technology can bring several benefits, they are highly dependent on the network, and there will be some security problems. For example, if network delay occurs when a surgeon remotely manipulates a robotic arm to operate a patient, the surgeon cannot obtain feedback information in time, which will adversely affect the operation process and severely endanger the patient’s life. In addition, if an illegal surgeon manipulates the robotic arm or an unauthorized robotic arm is utilized, this will also threaten the safety of patients. Therefore, a secure lightweight authentication and key agreement protocol design is required to address these problems.

Figure 1: The application of a remote surgery

Recently, Kamil et al. [42] designed a lightweight authentication protocol that primarily solves identity authentication problem in remote surgery. Its remote surgery framework is illustrated in Fig. 2. This framework comprises four entities: a trusted authority (TA), surgeon, gateway, and robotic arm. All medical data during surgery is transmitted through tactile networks. To protect the security and privacy of medical data, the entire operation process needs to be completed under the detection of TA. Before surgery, surgeons and gateways, and the robotic arm must register with TA and obtain a legal identity. After each entity completes its registration, the surgeon, gateway, and robotic arm jointly decide on a session key to transmit data during surgery. They claim that their protocol is secure and efficient. However, we find that their protocol is vulnerable to temporary value disclosure attacks and insider attacks. In this paper, we propose an enhanced protocol suitable for this environment. Our contributions are: (1) We point out that Kamil et al.’s protocol has some security problems. (2) To solve these security problems, we propose an enhanced authentication protocol for remote surgery. Unlike Kamil et al.’s protocol, the registration phase of the robotic arm does not register with the TA via the gateway, because in an operating machine, the gateway and robotic arm are in the same system. We use ProVerif tool and ROR model to evaluate the security of the protocol. In addition, we use informal analysis to conduct a detailed security evaluation of the protocol, and prove that the protocol can resist common attacks, such as MIMT, replay attacks, impersonation attacks, insider attacks, etc. (3) Finally, through security and performance comparison, we find that our protocol is secure and suitable for the remote surgery environment.

Figure 2: Network model

The remainder of this paper are arranged as follows. In Section 2, we review the protocol proposed by Kamil et al. The cryptanalysis of their protocol is then comprehensively introduced in detail in Section 3. In Section 4, we introduce our proposed protocol. Then, Section 5 presents a few security analyses of our protocol, while the performance comparison is introduced in Section 6. Finally, Section 7 concludes this paper.

2  Review of Kamil el at. Protocol

In this section, we review the protocol presented by Kamil et al. [42]. This protocol comprises seven phases; however, in this paper, we only adopt four phases: surgeon registration phase, gateway and robotic arm registration phase, user login, authentication and key agreement phase.

2.1 Surgeon Registration Phase

Surgeons are required to register with the TA as legitimate users to utilize robotic arms for remote surgeries. Messages at this stage are transmitted on a secure channel. The detailed steps are presented as follows in Table 2:

(1)   Si selects IDi, PWi, and a random number bi, computes Di=h(IDi∥bi), HPWi=h(PWi∥bi), and then sends {Di,HPWi} to TA.

(2)   After receiving the message sent by Si, TA selects a random number ci, computes α=h(ci∥Dk)⊕h(Di∥HPWi), and β=ci⊕h(IDk∥Dk), stores {α,β,h(⋅)} in the smart card (SC), and then sends SC to the user.

(3)   After receiving SC, Si computes A1=h(PWi∥IDi)⊕bi, A2=h(bi∥HPWi∥Di), and stores the {A1,A2} in the SC.

2.2 Gateway and Robotic Arm Registration Phase

At this phase, TA selects their respective identities for Gk and SNj, computes some private parameters, and then transmits these private parameters to Gk and SNj through secure channels. The detailed steps are presented as follows:

(1)   TA selects its own identity IDTA, a hash function h(⋅), and IDj, IDk, respectively, for the identity of Gk and SNj, selects a random number s, computes Dk=h(s∥IDTA∥IDk), Dj=h(s∥IDTA∥IDj), and sends {IDk,Dk,IDj,Dj} to the gateway.

2)   After receiving the message sent by TA, Gk stores {IDk,Dk,IDj,Dj} in its own memory, and then sends {IDj,Dj} to RMj.

3)   RMj receives the message sent by Gk and stores {IDj,Dj} in its own memory.

2.3 Login and Authentication Phase

1)   Si inputs IDi,PWi, computes bi=A1⊕h(PWi∥IDi), Di=h(IDi∥bi), HPWi=h(PWi∥bi), A2∗=h(bi∥HPWi∥Di), and then performs authentication by checking A2∗=?⁡A2. If the authentication is successful, Si selects a random number r1 and timestamp T1, and then computes A3=α⊕h(Di∥HPWi), A4=β⊕T1, A5=h(r1∥A3∥T1), and A6=(r1∥A5)⊕A3. After completing computation, it transfers the message M1={A4,A5,A6,T1} through the common channel to Gk.

2)    After receiving the message M1 sent by Si, Gk first computes ci∗=A4⊕h(IDk∥Dk)⊕T1, A3∗=h(ci∗∥Dk), and r1∗∥A5=A6⊕A3, and then verifies the timestamp |Tk−T1|=x<ΔT and A5∗=?⁡A5, where A5=h(r1∥A3∗∥T1). If both are verified, Gk will select a random number r2 and timestamp T2, computes A7=ci⊕h(IDj∥Dj∥r2∥r1∗∥T2), A8=Dj⊕(r2∥r1∗∥T2), A9=h(IDj∥Dj∥ci∗∥r2∥T2), and then send the message M2={A7,A8,A9} to RMj through the common channel.

3)   After receiving message M2, RMj first computes r2∥r1∥T2=A8⊕Dj and then verifies the timestamp |TR−T2|=x<ΔT. If the validation is successful, RMj computes ci∗∗=A7⊕h(IDj∥Dj∥r2∗∥r1∗∗∥T2), A9∗=h(IDj∥Dj∥ci∗∗∥r2∗∥T2) and checks A9∗=?⁡A9 to verify the identity of Gk. Subsequently, if the identification is successful, RMj selects a random number r2 and timestamp T3, computes K1=h(r2∗∥r1∗∗∥r3), A10=h(r2∗∥r3∥K1∥IDj∥Dj∥T3), A11=(r3∗∥T3)⊕r2, and then sends message M3={A10,A11} to Gk through the common channel.

4)   After receiving the message M3, Gk computes r3∗∥T3=A11⊕r2 and verifies the timestamp |Tk−T3|=x<ΔT. If the verification is successful, Gk computes the session key K2=h(r2∥r1∗∥r3), then computes A10∗=h(r2∥r3∥K2∥IDj∥Dj∥T3), and verifies the correctness of the session key through A10∗=?⁡A10. After the successful verification, Gk selects the timestamp T4, computes A12=h(K2∥r2∥r3∗∥A9∥T4), A13=(r2∥r3∗∥T4)⊕r1∗, and then transmits the message M4={A8,A12,A13} to Si through the common channel.

5)   After receiving the message M4, Si obtains the value of r2∗∥r3∗∗∥T4 by computing A13⊕r1, and then verifies the timestamp |TS−T4|=x<ΔT. If the verification is successful, Si computes the session key K3=h(r2∗∥r3∗∗∥r1), A12∗=h(K3∥r2∗∥r3∗∗∥A9∥T4), and verifies whether the session key is correct by checking A12∗=?⁡A12.

3  Cryptanalysis of Kamil et al.’s Protocol

In this section, based on the following attacker model [43], we analyze the security of the protocol proposed by Kamil et al. [42], and subsequently deduce that this protocol cannot resist temporary value disclosure attacks, insider attacks.

Attacker Model: Based on D-Y model [44], we define attacker A has the following capabilities:

1)   A can block, steal, change and replay messages transmitted via a common channel, but a cannot obtain information transmitted via a secure channel;

2)   A can steal the surgeon’s smart card and extract the information stored in the smart card through power analysis;

3)   A can be a malicious entity and can obtain the information stored in the gateway. A can also obtain the information stored in robotic arm’s memory.

3.1 Insider Attacks

Insider attacks refers to a malicious person in the system who obtains the information stored in the system by other entities, uses the messages on the public channel, and finally successfully calculates the session key. Suppose a malicious attack A in the hospital obtains the content {IDk,Dk,IDj,Dj} stored in the gateway during the registration phase, then he can launch the following attacks.

3.1.1 Impersonate the Surgeon

1)   A obtains the message {IDj,Dj} stored in the gateway, and messages M1={A4,A5,A6,T1} and M2={A7,A8,A9} on the common channel are also intercepted. Then, A can calculate r2∥r1∥T2=A8⊕Dj, ci=A7⊕h(IDj∥Dj∥r2∥r1∗∥T2), β=A4⊕T1, and A3=(r1∥A5)⊕A6.

2)   A reselects a random number r1′ and timestamp T1′, then calculates A4′=β⊕T1′, A5′=h(r1′∥A3∥T1′), A6′=(r1′∥A5′)⊕A3, and then sends message M1′={A4′,A5′,A6′,T1′} to Gk.

3)   After receiving message M1′, Gk calculates ci′=A4′⊕h(IDk∥Dk)⊕T1′, A3′=h(ci′∥Dk), r1′∥A5′=A6′⊕A3′. Subsequently, Gk checks the timestamp |Tk−T1′|=x<ΔT, if true, Gk verifies A5∗=?⁡A5′, where A5∗=h(r1∥A3∗∥T1). If the verification is successful, Gk selectes r2,T2, computes A7=ci′⊕h(IDj∥Dj∥r2∥r1′∥T2), A8=Dj⊕(r2∥r1′∥T2), A9=h(IDj∥Dj∥ci′∥r2∥T2), and then sends the message M2={A7,A8,A9} to SNj.

4)   After SNj receives M2, it calculates r2∥r1′∥T2=A8⊕Dj, and then checks |TR−T2|=x<ΔT. If true, SNj verifies A9∗=?⁡A9, where ci′=A7⊕h(IDj∥Dj∥r2∥r1′∥T2), A9∗=h(IDj∥Dj∥ci′∥r2∥T2). If the verification is successful, SNj selects T3,r2, K1=h(r2∥r1′∥r3), A10=h(r2∥r3∥K1∥IDj∥Dj∥T3), A11=(r3∥T3)⊕r2. Then it sends message M3={A10,A11} to Gk.

5)   After receiving M3, Gk calculates r3∗∥T3=A11⊕r2 and checks |Tk−T3|=x<ΔT; if true, it calculates K2=h(r2∥r1′∥r3). Gk verifies A10∗=?⁡A10, where A10∗=h(r2∥r3∥K2∥IDj∥Dj∥T3). If the verification is successful, Gk selects T4, calculates A12=h(K2∥r2∥r3∗∥A9∥T4), A13=(r2∥r3∗∥T4)⊕r1′, and then sends M4={A8,A12,A13} to Si.

6)   At this point, A intercepts the message M4 sent by Gk and calculates r2∗∥r3∗∥T4=A13⊕r1′, and the final session key K=h(r2∗∥r3∗∥r1′).

3.1.2 Derive Session key

1.    A intercepts the message M2={A7,A8,A9} transmitted on the common channel. Accordingly, A can calculate r2∥r1∥T2=A8⊕Dj.

2.    After r2 and r1 are calculated, A intercepts the message M3={A10,A11} transmitted on the common channel, and then calculates r3∗∥T3=A11⊕r2. Therefore, A can calculate the session key K2=h(r2∥r1∗∥r3).

In summary, we logically infer that the protocol proposed by Kamil et al. [42] cannot resist privileged insider attacks.

3.2 Temperory Value Disclosure Attacks

Assuming that attacker A obtains the random number r1 selected by surgeon Sk in the login authentication phase, and intercepts the message A13 transmitted on the public channel, he can obtain the values of r2∗ and r3∗∗ by computing A13⊕r1, and A can easily calculate the session key K=h(r2∗∥r3∗∗∥r1). Therefore, it can be concluded that their proposed protocol cannot resist the temporary value disclosure attacks.

4  The Proposed Protocol

In this section, we introduce the proposed protocol. The protocol comprises four phases: surgeon registration phase, gateway registration phase, robotic arm registration phase, login and authentication phase. Each phase will be comprehensively described in detail next.

4.1 Registration Phases

The registration phase mainly includes gateway registration, surgeon registration and robtic arm registration, which will be described in detail.

Surgeon Registration Phase: Before operating with a robotic arm, a surgeon must register with the TA as a legal user via a secure channel. Fig. 3 shows the surgeon’s registration process. The specific steps necessary for this registration are as follows:

1)   The surgeon Si selects his own IDi, PWi, BIOi, and a random number ai, and then computes Gen(BIOi)=(σi,τi), RPWi=h(PWi∥ai), Ai=h(IDi∥RPWi∥σi), TRPWi=h(RPWi∥σi). Subsequently, TA sends {IDi,TRPWi} to TA.

2)   After receiving the information sent by Si, TA selects a random number bi, and then computes X=x⊕h(bi∥TRPWi), Bi=h(IDi∥x)⊕TRPWi, Di=bi⊕TRPWi. Subsequently, TA issues a smart card SC to the Si, stores {Bi,Di} into the SC, and sends it to Si.

3)   After receiving the SC sent by TA, the surgeon stores {Ai,τi} in the SC.

Figure 3: Surgeon registration

1.    The gateway selects its own IDk and sends it to the TA.

2.    After receiving the message sent by the gateway, TA selects a random number dk, computes Gk=h(IDk∥dk), Gx=Gk⊕x, and then sends Gk,dk to the gateway.

3.    Subsequently, the gateway stores Gk,dk in its own memory.

Figure 4: Gateway registration phase

Robotic Arm Registration Phase: Because the robotic arm and gateway are in the same system, the robotic arm is solely required to register with the gateway via a secure channel. Fig. 5 shows robotic arm’s registration process. The specific steps required are comprehensively presented as follows:

1)   The robotic arm RMj selects its identity IDj and sends it to the gateway via a secure channel.

2)   After receiving a message sent by the robotic arm, gateway selects a random number cj, and computes x=h(IDk∥dk)⊕Gx, Ej=h(IDj∥x), Fj=cj⊕Ej; subsequently, Gk stores Fj and then sends {Ej,Fj} to RMj.

3)   Finally RMj saves {Ej,Fj} in its memory.

Figure 5: Robotic arm registration phase

4.2 Login and Authentication Phase

Before performing long-distance operations, surgeons need to manipulate robotic arms via an access gateway. After Si logs into the system, Gk first verifies Si’s identity, and then sends an authentication request to RMj. After RMj completes the authentication, Gk sends an authentication message to Si. After mutual authentication, the three entities establish a common session key for communications. The specific login authentication and session key establishment process are shown in Table 3 and comprehensively described as follows:

1)   Si inputes IDi, PWi, inprints BIOi, and computes σi′=Rep(BIOi,τi), RPWi=h(PWi∥ai), Ai′=h(IDi∥RPWi∥σi′), Ai′=h(IDi∥RPWi∥σi′), by checking Ai′=?⁡Ai to verify whether the legality of Si’s identity. If the verification process is successful, Si selects a random number r1 and timestamp T1, computes TRPWi′=h(RPWi∥σi′), h(IDi∥x)=Bi⊕TRPWi′, bi=Di⊕TRPWi′, x=X⊕h(bi∥TRPWi), C1=IDi⊕h(IDk∥x), C2=SIDj⊕h(h(IDi∥x)∥bi), C3=r1⊕h(bi∥IDi), C4=h(r1∥IDi∥IDj∥bi∥T1), and sends the message M1={Di,Bi,C1,C2,C3,C4,T1} to Gk.

2)   After receiving the message M1 sent by Si, Gk first checks the timestamp |T1−Tk|=x<ΔT. If the verification is successful, it computes x=h(IDk∥dk)⊕Gx, IDi=C1⊕h(IDk∥x), TRPWi=Bi⊕h(IDi∥x), bi=Di⊕TRPWi, SIDj=C2⊕h(h(IDi∥x)∥bi), r1=C3⊕h(bi∥IDi), C4′=h(r1∥IDi∥IDj∥bi∥T1), and checks C4′=?⁡C4 to verify Si. If the verification passes, Gk selects the timestamp T2 and random number r1, computes Ej=h(IDj∥x), cj=Fj⊕Ej, PIDj=h(IDj∥cj), C5=r2⊕PIDj, C6=h(PIDj∥r2∥cj∥T2), C7=r1⊕h(r2∥cj), C8=h(bi∥cj)⊕h(IDj∥r2), and then sends the message M2={C5,C6,C7,C8,T2} to SNj.

3)   After receiving the message M2 sent by Gk, SNj first checks the timestamp |T2−Tj|=x<ΔT. If the verification is successful, SNj computes cj=Fj⊕Ej, PIDj=h(IDj∥cj), r2=C5⊕PIDj, C6′=h(PIDj∥r2∥cj∥T2), C6′=?⁡C6; if true Gk selects r3,T3, and verifies Gk’s identity by computing C6′=?⁡C6. If this verification is successful, SNj selects a random number r3 and timestamp T3, computes r1=C7⊕h(r2∥cj), h(bi∥cj)=C8⊕h(IDj∥r2), SK=h(r1∥r2∥r3∥h(bi∥cj), C9=h(SK∥h(bi∥cj)∥T3), C10=r3⊕h(r1∥IDj), and then sends the message M3={C9,C10,T3} to the gateway.

4)   After receiving the message M3 from SNj, Gk first checks the timestamp |T3−Tk|=x<ΔT and computes r3=C10⊕h(r1∥IDj), SK=h(r1∥r2∥r3∥h(bi∥cj), C9′=h(SK∥h(bi∥cj)∥T3); subsequently, Gk verifies the identity of SNj by calculating C9′=?⁡C9. After successful verification, Gk selects T4, computes C11=r2⊕h(TRPWi∥r1), C12=h(bi∥cj)⊕h(bi∥IDi), C13′=h(SK∥r2∥r3∥T4), and sends message M4 to Si.

5)   When Si receives the message from Gk, it first validates the timestamp |T4−Ti|=x<ΔT, then computes r3=C10⊕h(r1∥IDj), r2=C11⊕h(TRPWi∥r1), h(bi∥cj)=C12⊕h(bi∥IDi), SK=h(r1∥r2∥r3∥h(bi∥cj)), C13′=h(SK∥r2∥r3∥T4), and finally verifies C13′=?⁡C13. If the verification is successful, Si saves SK for future communication.

5  Security Analysis

In this section, we adopt Proverif, ROR model, and informal analysis to validate the security of our proposed protocol

5.1 Proverif

Four entities are adopted in our protocol: TA, Gk, Si and RMj. According to the registration and authentication processes of the four entities in the protocol, we utilize Proverif [45,46] to describe the entire protocol process, which is comprehensively presented below:

1)   ch and sch are used to represent common channel and secure channel, respectively. The registration phase is carried out on the secure channel, while the login and authentication phase is conducted on the public channel. The session key adopts SKi, SKj, and SKk to represent the session key of the surgeon, robotic arm, and gateway, respectively. We also define some operations, such as hash, XOR, etc. The defined query is adopted for security verification. The specific function definition is presented in Figs. 6a–6c.

2)   Si’s process is illustrated in Fig. 7a.

3)   Gk’s process is presented in Fig. 7b.

4)   Rj’s process is illustrated in Fig. 7c.

5)   TA’s process is shown in Fig. 7d.

6)   Fig. 6d presents the obtained verification results. The final results are “Query not attacker (SKi[]) is true,” “Query not attacker (SKj[]) is true,” “Query not attacker (SKk[]),” “Query inj-event (SurgeonAuthed) ==> inj-event (SurgeonStarted) is true,” “Query inj-event (RMAcGateway) ==> inj-event(GatewayAcSurgeon) is true,” “Query inj-event(GatewayAcRM) ==> inj-event(RMAcGateway) is true,” and “Query inj-event(SurgeonAcGateway) ==> inj-event(GatewayAcRM) is true.” Therefore, our protocol can successfully pass the security verification of Proverif and resist attacks.

Figure 6: Definitions and results

Figure 7: Process

5.2 Formal Security Analysis

In this section, we perform a security analysis on the proposed protocol in the ROR [19,47] model to demonstrate the protocol’s security.

5.2.1 ROR Model

The proposed protocol contains four entities: a surgeon, gateway, TA, and robotic arm. In the ROR model, we adopt ΠDix, ΠRMjy, ΠGkz, and ΠTAn to denote the x-th doctor’s instance, y-th robot arm instance, z-th gateway, and the n-th TA, respectively. We assume that attacker A can possess the following query capabilities: Y=ΠDix, ΠRMjy, ΠGkz, and ΠTAn.

Execute(Y): If the attacker executes this query, it intercepts the messages transmitted between Si, Gk and SNj on the public channel. The specific query is shown in Table 4.

Send(Y,M): If the attacker executes this query, it sends the message M to Y, and can receive a response from Y. The specific query is shown in Table 5.

Hash(string): If an attacker executes this query, it enters a string and gets its hash value. The specific query is shown in Table 6.

Corrupt(Y): If an attacker executes this query, it obtains the private value of an entity, such as a long-term private key, a parameter stored in SC, or a temporary message. The specific query is shown in Table 6.

Test(Y): If the attacker executes this query, it flips a coin c. If c=1, A obtains the correct SK, and if c=0, A obtains a string with an equal length to the SK. The specific query is shown in Table 6.

5.2.2 Theorem

In the ROR model, if A can execute the queries Execute(Y), Send(Y,M), Hash(string), Corrupt(Y), and Test(Y), then the probability that the attacker can break the proposed protocol P in polynomial time is: AdvAP(ξ)≤qsend/2l−2+3qhash2/2l−1+2max{C′⋅qsends′,qsend/2l}. Here, qsend denotes the number of queries executed; qhash refers to the number of Hash executions; C’ and s’ are two constants, and l represents the bit length of the biological information [48].

5.2.3 Proof

We played five rounds of the game, GMi(i=0,1,2,3,4). SuccAGMi(ξ) is denoted as the probability that A can win in GMi. The detailed simulation steps of the query in the game are presented below.

GM0: This game commences by flipping a coin c. GM0 does not perform query; hence, we can obtain the probability that A can successfully break P as follows:

AdvAP(ξ)=|2Pr[SuccAGM0(ξ)]−1|.(1)

GM1: GM1 is an execute query added to GM0. A can only intercept messages M1,M2,M3,M4 transmitted on the common channel in GM1. Subsequently, A will obtain SK by Test(Y) query; however, r1,r2,r3 cannot be obtained. Hence, the probability of GM1 is equal to that of GM0.

|Pr[SuccAGM1(ξ)]|=Pr[SuccAGM0(ξ)].(2)

GM2: GM2 is based on GM1 with the addition of Send query, and according to Zipf’s law [48], we can obtain the probability of GM2 as follows:

|Pr[SuccAGM2(ξ)]−Pr[SuccAGM1(ξ)]|≤qsend/2l.(3)

GM3: GM3 is based on GM2 with the Hash query added and the Send query removed. According to the birthday paradox, we can get the probability of GM3 as:

|Pr[SuccAGM3(ξ)]−Pr[SuccAGM2(ξ)]|≤qhash2/2l+1.(4)

GM4: In GM4, we analyze two events to verify the security of SK=h(r1∥r2∥r3∥h(bi∥cj)). One is to verify perfect forward security by obtaining the long-term key x of TA, and the other is to obtain temporary information to verify that the protocol can resist temporary information disclosure attacks.

1)   Perfect forward security: A adopts ΠTAn to obtain the long-term key x of TA, or ΠDix, ΠRMjy or ΠGkz to obtain the private value of the registration phase.

2)   Temporary information disclosure attack: A adopts ΠDix, ΠRMjy or ΠGkz to obtain the temporary information of the three parties.

For the first event, even if A gets the long-term key x of TA, or the private values of both in the registration phase, the random numbers r1,r2 and r3 cannot be computed; hence, A cannot compute the value of SK, where SK=h(r1∥r2∥r3∥h(bi∥cj)). For the second event, even if A can obtain r1, the values of r2,r3,bi, and cj are kept secret; hence, SK cannot be computed. Similarly, even if A can obtain r2 or r3, the value of SK cannot be computed. Accordingly, we can obtain the probability of GM4 as:

|Pr[SuccAGM4(ξ)]−Pr[SuccAGM3(ξ)]|≤qsend/2l+qhash2/2l+1.(5)

GM5: In GM5, A adopts Corrupt(A) to query the smart card for parameters {ai,Ai,τi,Bi,Di,h(⋅)} and we show that that the proposed protocol is resistant to offline key guessing attacks. Si is registered using the password PWi and biometric Bioi. A attempts to guess Ai=h(IDi∥RPWi∥σi′); however, IDi, RPWi and σi are kept secret. The probability that A guesses bits of biological information is: 1/2l [49]. In Zipf’s law [48], when qsend≦106, the probability that A can guess the password is greater than 0.5. Therefore, we can obtain the probability of GM5 as:

|Pr[SuccAGM5(ξ)]−Pr[SuccAGM4(ξ)]|≤max{C′⋅qsends′,qsend/2l}(6)

GM6: In GM6, to verify whether the protocol P can resist the impersonate attack, A queries h(r1∥r2∥r3∥h(bi∥cj)), and the game is terminated. Hence, we can obtain the probability of GM6 as:

|Pr[SuccAGM6(ξ)]−Pr[SuccAGM5(ξ)]|≤qhash2/2l+1.(7)

Because the probabilities of the success and failure of GM6 are equal, the probability that A can guess the session key is:

Pr[SuccAGM6(ξ)]=1/2.(8)

According to the above formula, we can obtain

1/2AdvAP(ξ)=|Pr[SuccAGM0(ξ)]−1/2|      =|Pr[SuccAGM0(ξ)]−Pr[SuccAGM6(ξ)]|      =|Pr[SuccAGM1(ξ)]−Pr[SuccAGM6(ξ)]|      ≤∑i=05|Pr[SuccAGMi+1(ξ)]−Pr[SuccAGMi(ξ)]|      =qsend/2l−1+3qhash2/2l+max{C′⋅qsends′,qsend/2l}(9)

Therefore, we can obtain

AdvAP(ξ)≤qsend/2l−2+3qhash2/2l−1+2max{C′⋅qsends′,qsend/2l}.(10)

It is not difficult to infer that our protocol has successfully passed the security verification of ROR model, and that it can resist offline password guessing attacks, smart card stolen attacks, random number disclosure attacks, as well as provide perfect forward security.

5.3 Informal Security Analysis

In this section, we verify that our proposed protocol can resist some common attacks.

5.3.1 Impersonation Attacks

Attacker A is likely to impersonate any one of the surgeon, gateway, and sensor nodes.

1)   Impersonate Surgeon: An attacker A can attempt to impersonate a surgeon by intercepting a message M1={Di,Bi,C1,C2,C3,C4,T1} on the public channel. He attempts to compute C1=IDi⊕h(IDk∥x), C2=IDj⊕h(h(IDi∥x)∥bi), and C3=r1⊕h(bi∥IDi); however, A does not know the values of x, bi, and IDi, Consequently he cannot compute the values of C1,C2,C3, and C4 accurately. So he cannot calculate to re-initiate a new message M1′. Therefore, attacker A cannot impersonate a legitimate surgeon.

2)   Impersonate gateway: An attacker A intercepts the message M2={C5,C6,C7,C8,T2} transmitted on the common channel, tries to compute PIDj=h(IDj∥cj), C6=h(PIDj∥r2∥cj∥T2), C7=r1⊕h(r2∥cj), C8=h(bi∥cj)⊕h(IDj∥r2), and change some of its values. However, because A cannot obtain the value of cj, he cannot compute PIDj and r2, and thus cannot correctly compute the value of C6, therefore, they cannot re-initiate a message M2′, as well as impersonate a legitimate gateway.