A user-centric privacy-preserving authentication protocol for IoT-AmI environments



Introduction
The healthcare industry is being revolutionized by the tremendous progress in digital technologies, along with the IoT [1,2]. It is being transformed to an advanced level as people, apps, sensors, and medical devices communicate while delivering healthcare solutions [3,4]. IoT-driven drones, smart wearable devices, and health monitoring systems are considered to advance the healthcare industry's development [5]. The requirement to acquire, preserve, and study patient information has led the healthcare industry to consider numerous trending digital technologies. The increasing acceptance of AmI-IoT in healthcare and health domains has given rise to the latest systems, i.e., the Internet of Medical Things (IoMT) [6]. It decreases human mistakes and eradicates many decision-making delays. Some of the significant benefits of accepting IoT in ambient healthcare environments are real-time monitoring, improved patient experience, and cost minimization. Leveraging IoT-based systems and medical devices permits the clinician to monitor the patient remotely with real-time data, which expedites diagnosis and treatment and provides advantages such as persistent communication, reduced travel expenses, and lower demand on hospital resources.
In the healthcare industry, the AmI-IoT is considered for interrelated healthcare entities/devices like patients' observing systems, sensor-based equipment, and sensor devices that acquire real-time health data. In healthcare 1.0, the doctors diagnosed the patients in person and maintained records on paper, whereas in healthcare 2.0, the doctors processed the patient's information as electronic health records (EHR). Healthcare 3.0 transformed the paradigm of medical diagnosis by introducing internet-enabled wearable devices, telemedicine, etc. Healthcare 4.0 uses a range of technologies like the IoT, UAVs, augmented reality (AR), artificial intelligence (AI), deep learning (DL), and natural language processing (NLP) to optimize and automate medical procedures [7,8].
IoT is a world of connected objects [9]. It is predicted that by the year 2030, the total number of connected devices would be around 24 billion [10]. IoT nodes are tiny in size and have limited storage, less power, and limited computation capabilities. Fig. 1 illustrates the smart healthcare system using IoT, where objects are controlled and monitored in real-time through the internet, e.g., automatic gate opening for ambulances, UAVs delivering human organs, and remote ordering of medicines and meals from pharmacy and pantry, respectively. Besides, the IoMT helps doctors and other authorized caretakers remotely control the pressure of the ventilator and the rate and rhythm of the pacemaker, and generates alerts for faulty medical equipment. In the recent COVID-19 situation, lockdowns and social distancing are the prime factors behind the rapid adoption of IoT by healthcare institutions.

Literature review
This section elaborates on the various authentication schemes developed to protect the AmI-IoMT networks. A mutual authentication approach for sensor networks was developed by Deebak [11], which was later found vulnerable [12]. Inspired by Deebak, Chen et al. [13] extended Deebak's approach [11]; however, Xu et al. discovered that the scheme was prone to replay and impersonation attacks [14]. Wang [15] constructed an elliptic curve cryptography (ECC) based mutual authentication approach to counter password guessing and verifier attacks. Odelu et al. did cryptanalysis on Wang's approach and found it susceptible to cyber-threats [16]. Similarly, Turkanovic et al. [17] designed a user authentication and key establishment scheme for a resource-constrained ecosystem. However, both Farash [18] and Chang [19] found Turkanovic et al.'s scheme insecure. Chang et al. [19] also attempted to devise a privacy-preserving authentication and key agreement protocol, but Gope et al. [20] found it resource expensive and susceptible to traceability. Das et al. suggested a fuzzy extractor and smart card-based user authentication approach, whereas Li et al. introduced a biometric and password-based user legitimacy verification method; however, both schemes have never been tested in hostile circumstances and are computationally expensive.

Research gap and motivation
The integration of AmI-IoMT has significantly transformed healthcare. The new paradigm enables the patient to communicate remotely with the doctor, hence saving resources and reducing strain on healthcare facilities. Although IoMT is advantageous, cyber analysts believe that it could put patients' and medical specialists' lives in danger [21]. Based on the literature, IoMT networks are susceptible to attacks due to: (i) use of an insecure wireless medium, (ii) absence of strong cryptography solutions due to limited power, memory, and processing capability [22], and (iii) the lack of cyber knowledge among end-users (medical practitioners), who hence fall prey to attackers.
Health-related information is sensitive and thus requires privacy [23]. Besides, integrity is also a very important aspect because a minor alteration by the attacker in the diagnosis report could result in a different medication for the patient. As many medical technologies support automation, any malicious activity could trigger a detrimental action resulting in unprecedented outcomes.
Cybersecurity specialists presented a variety of methods to mitigate vulnerabilities and threats, including public key and lattice-based encryption, digital signatures, and so on. However, most recommended approaches have been found vulnerable to attacks in addition to being resource intensive. Despite the existence of conventional approaches, medical institutions and stakeholders were severely affected; 41.2 million records were compromised, whereas 2013 breaches were recorded from 86 countries in 2019. Moreover, the existing security solutions are more or less centralized and may not work well for a geographically vast and large IoT ecosystem [24]. Furthermore, centralized solutions have a single point of failure, decreased efficiency for larger networks, and notable delay [25,26]. Blockchain is put forward as a solution by security practitioners because it works on decentralized and geographically distributed technology with attributes such as immutability, transparency, and fault tolerance [27]. In summary, security and privacy in AmI-IoT networks can be ensured by implementing robust authentication and key exchange mechanisms using blockchain [28,29].

Research contributions
The following are our contributions:
• We identify vulnerabilities and research gaps in the AmI-IoT healthcare ecosystem.
• We propose a decentralized and lightweight authentication framework based on Ethereum smart contracts, fog computing, PUF, and biometrics.
• We investigate the robustness of the proposed framework in hostile situations to demonstrate its applicability to sensitive medical applications.
• We calculate the transaction costs of smart contracts to evaluate the framework's appropriateness for resource-constrained environments.

Paper organization
The remaining structure of the paper is as follows: Section 2 discusses the preliminaries required for the proposed protocol. Section 3 explains the working scenario of the proposed protocol. Section 4 justifies the robustness of the protocol through formal security analysis. Section 5 shows the results and discusses comparison analysis. Section 6 concludes the paper and highlights the future scope.

System model
Fig. 2 illustrates the scenario of a smart healthcare institution where stakeholders (doctor, administrator, etc.) use digital gadgets (laptop, etc.) to access the internet-enabled wireless sensor nodes embedded in the medical appliances and on patients' bodies (e.g., pacemaker) [30]. The administrator has the responsibility to register the legitimate staff members and the IoT sensor nodes (e.g., drones) in the blockchain network. A user can be any staff member of the healthcare institution with an interest in accessing the medical reports and appliances [31]. In contrast, the IoT sensor nodes (e.g., Zigbee-IEEE 802.15.4) are tiny in size and have limited computation abilities but are powerful enough to sense the physical environment and relay the information to the user through the gateway [32]. The healthcare institution has deployed a resource-abundant network gateway (supports IEEE 802.3 and IEEE 802.11) with the prime responsibility to facilitate communications between user, administrator, IoT sensor node, and blockchain network. To reduce the computation burden, blockchain fog nodes (BFN) are deployed to provide a decentralized authenticity verification framework [33].

Adversary model
The adversary model, also known as the attacker model, describes the various possible threats and the resulting risks that arise due to cyber attacks [34]. According to the Dolev-Yao (DY) model, a cyber adversary is capable of eavesdropping, replaying, cloning, intercepting, injecting, phishing, modifications, malware, impersonation, privilege escalation, and man-in-the-middle attacks. The implications of cyber-threats in the IoMT environment depend on the attack duration and application sensitivity. Most often, the organization and affected parties incur financial losses, reputational harm, legal ramifications, and intellectual property theft. These threats could result in benign (temporary shutdown of medical services) to severe (endangering patients' lives) impact on medical IoT networks.

Goals
This section discusses the goals of the proposed security protocol. The protocol must prohibit unauthorized access and prevent cloning. Besides, the protocol must be robust enough to resist notable cyberattacks, e.g., man-in-the-middle, replay, impersonation, etc. [35]. The protocol should only permit legitimate entities to initiate the session and establish session keys to attain confidentiality. Most importantly, the authentication framework should not rely on a single server. Instead, it should be decentralized to prevent physical and denial of service attacks. These security goals must be tied to an efficiency goal, i.e., the computations and communications required to achieve the security goals must not be enormous [36].

Physical unclonable function (PUF)
The traditional authentication protocols are computationally expensive due to the use of public-key cryptography. Besides, these protocols also demand storage space in tiny user and IoT devices [19]. As the IoT nodes and user devices are subjected to physical capturing, it is necessary to protect them from cloning attacks. PUF provides a robust and resource economical solution to resist hardware threats. PUF enables the devices to prove their legitimacy without complex computations and storage requirements. A nanoscale variation during manufacturing makes every PUF of the integrated circuit () unique. Mathematically, PUF can be defined as,  =  (). It is apparent from the expression that the output response of the PUF depends upon the input challenge and the device executing it. It is noteworthy that any physical tampering with the PUF would destroy its original attributes [37].

Blockchain
It is a technology proposed by Satoshi Nakamoto (pseudonym) for enabling peer-to-peer (decentralized) secure transactions [38,39]. The blockchain information is stored in the form of transactions that are further contained in blocks [40]. The block consists of various elements, to name a few, timestamp, transaction details, gas consumed, current hash, parent hash, and nonce, whereas each transaction comprises transaction hash, timestamp, transaction fee, nonce, input data, etc. The nodes of the network follow the consensus (e.g., proof of work (PoW), proof of stake (PoS)) to decide the acceptance or rejection of the transactions. Each new transaction includes the hash of the previous block, establishing a relationship between transactions (chain). A few properties that make the blockchain robust and the most reliable are unforgeability, non-repudiation, resilience, and transparency [41].

Smart contract
The smart contract is a concept similar to physical contracts but in digital form. Smart contracts establish a binding between untrusted and unknown parties; smart contracts are scripted and stored in the blockchain network as transactions [42,43]. Unlike centralized approaches, smart contracts do not require a mediator for binding and execution, which eliminates third-party expenses and facilitates dispute-free transactions. They have several benefits over conventional physical contracts, like immutability, speedy execution, real-time access, low cost, immense precision, etc. This concept was originally introduced by Ethereum (ETH) to use the decentralized characteristics of blockchain for purposes other than cryptocurrencies. The cost to deploy the smart contract is measured in terms of gas (units, wei) wherein wei is one quintillionth of an ether (1 wei = $10^{-18}$ ether).

Fog computing
Conventionally, centralized infrastructure is used to validate the authenticity of communicating entities. However, a vulnerability in a centralized server could compromise the entire network. Therefore, decentralized blockchain technology is introduced as the potential solution to the problem. However, certain challenges like time delay and computation requirements became a hurdle for its deployment in IoT and aerial networks. To overcome the hurdle, fog computing is proposed. Fog computing is a decentralized infrastructure deployed near the network location to perform the computations on behalf of resource-deprived nodes [44]. A few other benefits of fog computing are low latency and efficient bandwidth utilization.

Proposed scheme
This section proposes a mutual authentication and secret key establishment process to ensure the security and privacy of the AmI-IoMT networks. The notations used in this paper to describe the protocol's working are listed in Table 1.

Assumptions
• The micro-controller of the user device and the IoT sensor node is connected to the PUF; it is infeasible to tamper with the connection between micro-controller and PUF [20].
• IoT nodes, user-, and network-devices can administer cryptography processes.
• The user device and IoT sensor node are resource-constrained, unlike the resource-abundant gateway and BFN.
• The gateway is a tamper-proof and trusted network device; likewise, BFN is trusted and genuine.
• Due to antagonistic conditions, IoT sensor nodes and user devices are subjected to physical capturing.
• The administrator is honest, and his activities are lawful.

User registration phase
A user (doctor, nurse, etc.) interested in accessing the IoT medical network has to register himself at the healthcare organization. The entire registration method is described in Fig. 3 and disclosed as follows:
Step 1: The user device (UD) prepares the message  1   (=    ∥   ) comprising the registration request (   ) and the institute-provided unique identity (  ) and delivers it to the admin. It is worth noting that the user and admin communicate through a secure channel [6] during the registration process.
Step 2: The admin receives the request and stores the   into its device memory (DM). Subsequently, the admin prompts a challenge (  ) to the PUF of the UD.
Step 4: Upon receipt of  3   , admin stores ,   ,   into its DM and develops a smart contract (SC) as shown in Fig. 4,  1   to register users on the blockchain network (BN). Admin also prepares a message digest (MD) of   for later use. Admin applies its digital signature, Z = E(   ,  1  ), to counter forgery while deploying the SC into the BN. Remarkably, the admin and BN exchange information via a public (insecure) channel [6] during the registration process.
Step 5: Miners in the BN decrypt D(   , Z) and deploy the SC,  1   . Upon successful deployment (transaction), miner reverts to the admin with these details  1   ,   into its DM. Finally, the admin generates the pseudo-identity (  1  ) for anonymity and gateway secret ( 1  ) for mutual authentication and sends it to the user as  4    .

IoT sensor node registration phase
The admin enrolls the IoT sensor nodes (ISN) to declare them authentic. The registration helps the gateway to allow only authorized ISN to interact with the user. The whole manner is depicted in Fig. 5 and demonstrated as follows:
Step 1: Admin prompts the challenge   to ISN. The ISN and admin communicate through a secure channel during the registration process.
Step

Mutual authentication and key agreement phase
It is imperative to investigate users' and ISN's legitimacy before permitting them to converse with each other. The introduced protocol guarantees mutual authentication and secure key establishment. The complete approach is illustrated in Fig. 6 and explained as follows:
Step 1: The UD generates  1  and transmits  1  ∥   1  towards gateway (  ). Communication between all entities occurs over insecure public channels.
Step 3: The UD confirms the freshness of   address, and locates the transaction hash,  2  . Subsequently, BFN examines the authenticity of user and device by comparing the received information ℎ( 1 ‖  )‖ℎ(  ) with the already transacted information,  ∥ . BFN prepares the response code,   and delivers it to   as  2   .   discloses the success or failure of authentication. The authenticity verification mechanism using smart contracts is presented in Fig. 4.
Step 6:   evaluates   , wherein   = 1 approves the genuineness of user and its device, and   = 2 indicates an adversarial attempt.   terminates the connection in case of a malicious attempt. Otherwise, it continues. Upon authentication,   initiates the to connect UD with the    address, and locates the transaction hash,  4   . BFN examines the authenticity of ISN by comparing the received information ℎ(   ∥   ) with the already transacted information, . BFN prepares the response code,   and delivers it to   as  4   .   discloses the success/failure of authentication.
Step 10:   evaluates   , wherein   = 1 approves the genuineness of ISN, and   = 2 indicates an adversarial attempt.   terminates the connection in case of an adversarial attempt, otherwise continues. Furthermore,   generates the  3   and  4  calculates the new pseudo-identities of UD (  
Step 12: Upon receipt of  3   , ISN verifies  4  , and calculates the SK (=  # ⊕  2  ) and   2  (=   2#  ⊕  2  ). The SK is used to secure the current session whereas   2   is stored for ensuring anonymity in the subsequent session.
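The following is an added sketch, not the paper's contract or message format: it models the register-then-verify flow of the phases above (a PUF response enrolled once, later checked by digest comparison, with response code 1 for a genuine device and 2 for an adversarial attempt). SimulatedPUF (HMAC over a per-device random value), Registry (an in-memory stand-in for the smart contract consulted by the BFN), SHA-256, the constructed identity, and binding the proof to a nonce are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

AUTHENTIC, ADVERSARIAL = 1, 2  # response codes the gateway evaluates in Steps 6 and 10


def h(*parts: bytes) -> bytes:
    """h(a || b || ...). SHA-256 and the length prefixes are choices of this sketch."""
    framed = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(framed).digest()


class SimulatedPUF:
    """Software stand-in for a PUF: the response depends on the challenge and on a
    per-device random value that models manufacturing variation."""

    def __init__(self) -> None:
        self._variation = secrets.token_bytes(32)

    def response(self, challenge: bytes) -> bytes:
        return hmac.new(self._variation, challenge, hashlib.sha256).digest()


class Registry:
    """In-memory stand-in for the registration contract that the BFN consults."""

    def __init__(self) -> None:
        self._records = {}         # identity -> digest stored at registration
        self._used_nonces = set()  # nonces already presented

    def register(self, identity: bytes, response: bytes) -> bool:
        if identity in self._records:  # duplicate prevention
            return False
        self._records[identity] = h(identity, response)
        return True

    def verify(self, identity: bytes, nonce: bytes, proof: bytes) -> int:
        fresh = nonce not in self._used_nonces  # freshness: a nonce is accepted once
        self._used_nonces.add(nonce)
        record = self._records.get(identity)
        if fresh and record and hmac.compare_digest(h(record, nonce), proof):
            return AUTHENTIC
        return ADVERSARIAL


def device_proof(identity: bytes, puf: SimulatedPUF, challenge: bytes, nonce: bytes) -> bytes:
    """Recompute the registered digest from a live PUF read and bind it to the nonce
    (the nonce binding is an assumption of this sketch)."""
    return h(h(identity, puf.response(challenge)), nonce)


def run_demo() -> dict:
    identity, challenge = b"constructed-user-id", secrets.token_bytes(16)
    genuine, clone = SimulatedPUF(), SimulatedPUF()  # the clone copies data, not silicon
    registry = Registry()
    out = {"registered": registry.register(identity, genuine.response(challenge)),
           "duplicate": registry.register(identity, clone.response(challenge))}

    nonce = secrets.token_bytes(16)
    proof = device_proof(identity, genuine, challenge, nonce)
    out["genuine"] = registry.verify(identity, nonce, proof)
    out["replay"] = registry.verify(identity, nonce, proof)  # same message sent twice
    n2 = secrets.token_bytes(16)
    out["clone"] = registry.verify(identity, n2, device_proof(identity, clone, challenge, n2))
    return out


if __name__ == "__main__":
    print(run_demo())
```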

Security analysis
Scyther facilitates the security protocol developers to test the strength of their devised protocol against attacks. It offers simplicity in modeling cryptosystems, and also supports the DY model [45]. To operate Scyther, we have installed Scyther 1.1.3, Graphviz 2.46, Python 2.7, and wxPython 2.8, in the computing system that has Ubuntu OS (Linux, 64-bit). We have used the default settings of Scyther; typed matching and pruning method is used with a maximum no. of runs as 5 and maximum number of patterns per claim as 10, respectively. The protocol is scripted in Security Protocol Description Language and begins with global constants and functions declaration succeeded by roles of individual entities that comprise computations, communications, and claims. The results obtained from the Scyther are presented in Fig. 7; it proves the robustness of the proposed protocol against MITM, and replay attacks, etc. The claims 'secret' verified the confidentiality of the message elements, whereas 'Nisynch', 'Niagree', 'Alive', and 'Weakagree' verified the authenticity of the entities. Consequently, Scyther ascertained that the proposed protocol is secure to use for IoT healthcare networks.
Table note: Gas price (Gwei): Transaction fee: Gas price × Gas used by transaction, Injected Web3: Metamask (Ropsten Test Network).

Performance and comparative analysis
The smart contract (SC) employed by the proposed protocol is realized in the Remix Integrated Development Environment (IDE) using the Solidity programming language [46]. The SC is deployed and tested on two distinct platforms (JavaScript VM (JVM), Injected Web3 (IW3)) for a consistency check. The Metamask-supported IW3 Ropsten Test Network is used to execute smart contracts while etherscan is used to access transaction logs [47]. Table 2 presents the gas and the transaction fee spent for deploying and registering the nodes on the decentralized blockchain network. It is worth noting that the SC does not levy any transaction costs while verifying the authenticity of nodes. Based on the calculations, the deployment, registration, and duplicacy prevention in the JVM and IW3 environment would cost around $1.15, $0.11, $0.081, and $0.60, $0.16, and $0.0681, respectively. The costs may vary because crypto-currencies are very volatile. The aforementioned calculations are based on this relationship, 1 ETH = $1765.88.
It is evident from Table 3 that the proposed protocol attained security properties such as data privacy, message integrity, freshness, anonymity, untraceability, and biometric security. The accomplishment of these security properties strengthened the proposed security protocol to withstand attacks like replay, impersonation, modification, DoS, MITM, and cloning, etc. Besides, the proposed protocol uses decentralized blockchain-powered Ethereum SC to overcome the demerits of centralized infrastructure. It is apparent from Table 3 that existing schemes [19,20,36,48–52] are not able to resist all prominent attacks. Further, it is exposed that none of the traditional schemes [19,20,36,
The computation cost calculation for the registration phase is omitted because it is incurred only once during initialization. As evident from Table 4, the proposed protocol is computationally economical because it uses lightweight cryptography primitives (hash, XOR, and PUF) instead of computationally expensive cryptography primitives (public-key cryptography, scalar multiplications). Fig. 8 demonstrates that the entities in the proposed scheme (user device, gateway, IoT sensor node) execute the cryptographic operations fewer times than the entities in the conventional schemes [19,20,36,48–52], indicating that it is computationally inexpensive. As apparent from Table 4 and Fig. 8, a few traditional schemes [19,50] have reasonable computation, but those schemes [19,50] do not guarantee the complete security of the IoT networks. Therefore, the proposed protocol can be the best alternative to the existing computationally expensive protocols.

Conclusions and future scope
Healthcare 4.0 in AmI environments is a technology-driven and patient-centric paradigm where IoT sensor nodes automatically operate, collect the information from medical equipment, and export it to the cloud. To protect sensitive health information from adversarial threats, authentication approaches were developed in the past. However, those schemes were infrastructure-centric, computationally expensive, and prone to adversarial threats. Therefore, we have employed PUF, blockchain-powered SC, and fog nodes in our proposed authentication protocol to circumvent SPOF, prevent cyber-attacks, and enhance efficiency. The Ethereum SC is developed in Remix IDE using Solidity, executed on Metamask RTN, and used to verify the authenticity of network entities at minimal cost. We have verified the resiliency of the protocol against attacks using Scyther. Due to nominal computation cost, the proposed scheme finds its applicability in resource-constrained IoT based healthcare networks. Zero-Knowledge Proofs (ZKPs) and homomorphic encryption will be applied to perform confidentiality-preserving authentication and processing of information, hence extending the security and privacy of the IoT-enabled healthcare applications.

Fig. 2. System model depicting the communication between user, administrator, IoT sensor node, gateway, and the blockchain fog nodes.

Table 1
Notations and descriptions.  Blockchain network, sensor node, miner address   ,   ,   Nonce generated by, U, G, S    ,    Pseudo-identity of user and sensor node  1 ,  2
) to preserve integrity and prevent non-repudiation. Remarkably, the admin and BN exchange information via a public (insecure) channel during the registration process.
Step 4: The BN miners decrypt D(   , ) and deploy the  1  into the BN. Upon successful deployment, the miner returns  3  to the admin.
Step 5: Admin analyzes the  2  and stores the transaction hash ( 3  ), and contract address ( 2  ) into its DM. Besides, admin computes  ,  2  ,   1  ,  2  for future use.

Table 2
Smart contract transaction costs.