AGE: authentication in gadget-free healthcare environments

Abstract

Mobile and sensor related technologies are significantly revolutionizing the medical and healthcare sectors. In current healthcare systems, gadgets are the prominent way of acquiring medical services. However, the recent technological advancements in smart and ambient environments are offering users new ways to access the healthcare services without using any explicit gadgets. One of the key challenges in such gadget-free environments is performing secure user authentication with the intelligent surroundings. For example, a secure, efficient and user-friendly authentication mechanism is essential for elderly/disabled people or patients in critical conditions requiring medical services. Hence, modern authentication systems should be sophisticated enough to identify such patients without requiring their physical efforts or placing gadgets on them. This paper proposes an anonymous and privacy-preserving biometrics based authentication scheme for such gadget-free healthcare environment. We performed formal security verification of our proposed scheme using CDVT /AD tool and our results indicate that the proposed scheme is secure for such smart and gadget-free environments. We verify that the proposed scheme can resist against various well-known security attacks. Moreover, the proposed system showed better performance as compared with existing biometrics based remote user authentication schemes.

1 Introduction

The rapid developments and continuous enhancements in technologies such as smart sensing and Internet of Things (IoTs) [62] together with high speed communication technologies, e.g. 5G have strengthened the concept of ambient intelligence [2, 5]. These offer new opportunities and ways in the practical implementation of such smart systems in our daily life for different purposes. Smart sensing technologies and printed electronics are taking us closer to the vision of complete ambient and gadget-free environment where services can be acquired anytime and anywhere. The advent of 5G technologies will play a vital role by providing fast and reliable access of services in such smart environments. The ubiquitous and persuasive computing are also considered as driving forces towards the “always available” services and supporting the vision of the future Industry 4.0 [1, 3, 55]. These intelligent and smart surroundings should be sensitive (understands user habits, emotions), adaptive and at the same time responsive according to the user’s need [73]. The surroundings should also be context-aware and must be capable of delivering digital services to the required users.

Currently, the widely used way of acquiring digital services is through gadgets. Gadgets such as smartphones, laptops, Personal Digital Assistants (PDAs) and tablets among others are mainly used by people to get desired services. The increasing number of connected devices offers huge potential for data gathering and service businesses. However, there is a clear need for a change from the individual user’s point of view where they have more control over their personal data. In addition to that, the current trend is also inclining towards wearable devices such as smart watches, smart clothes and fitness bands to access required services. The next major digital paradigm shift will be user-centric, ambient and gadget-free environment. In the gadget-free vision (also known as Naked World), users do not carry explicit gadgets for services, instead they will have seamless interaction with the intelligent environment for getting digital services [4, 32, 54]. In this gadget-free ambient world, one of the core challenges would be to provide the sufficient level of security and privacy. Most of these smart connected devices will have limited resources in terms of power, memory and computations. Thus lightweight security solutions are needed in the implementation and will heavily be used in future smart systems [57].

Healthcare is one of the prominent application areas which has been highly benefited from this technology shift. New technological advancements are shaping various alternative ways for providing healthcare services to patients and elderly/disabled people in the hospital or remotely from home in more secure and efficient ways. Patients, doctors and administration staff can manage and perform their responsibilities in much improved manner and can monitor user’s health both while having face to face treatment with patients or even remotely [92]. Also with the continuous increase in elderly population, it is now crucial to have intelligent environments that provide healthcare and well being services effectively, efficiently and with lesser costs, both home and hospitals [24]. Also persons with disabilities face similar kind of problems and require the corresponding health facilities [26]. However, security and privacy are crucial requirements for such smart IoT based healthcare systems and must be addressed carefully before delivery of such key services to various users [7, 20, 80, 93]. For example, user’s authentication is vital in these healthcare system to ensure only valid users should able to access or receive the required services [74, 94].

There are numerous proposals for efficient users authentication for healthcare systems available in the literature [39, 63, 70, 87, 88]. The traditional schemes mainly propose two-factor users authentication [60, 87]. However, due to recent advancements in the area of the IoT based healthcare systems, there requires more stronger and efficient ways of authentication as compared with the traditional solutions. In this context, several three-factor authentication schemes are proposed for the healthcare systems that would utilize any of the user’s unique biometrics features  [43, 69, 95]. These schemes are mainly dependent on secure utilization of gadgets (mobile or laptops) to fetch the required user’s biometrics characteristics along with other details (username, password/PIN etc.). These solutions are very suitable and feasible until the user can able to operate the gadgets and familiar with the respective technologies. However, if we consider the case of elderly or senior citizens and disabled persons, it is relatively harder to user gadgets to allow them to access various medical facilities [6, 37, 53]. Such situations demand more intelligent and secure means of users authentication mechanisms which should be less/no dependent on any explicit gadgets and provide intelligence support from IoT based smart environment.

This leads us to the vision of a smart surroundings where the users can able to access ubiquitously available digital services from the nearby ambient environment and with minimum or no support of gadgets [4, 49]. The key challenge in accessing these medical services in the gadget-free and smart environment is the secure authentication mechanism of the user by service or smart environment [21, 23, 29, 32, 35, 66, 91]. The research community are exploring various potential methods for secure authentication mechanism which are mainly based on biometrics features [30, 31, 38, 77]. The most important characteristics of biometrics keys are that they neither can not easily lost or forgotten and nor can not be guessed easily as compared to low-entropy passwords [36]. Efficient authentication mechanisms using these capabilities embedded in the smart surroundings and with less/no intervention of gadgets are becoming vital in various domains of smart cities vision [10, 11, 33, 76, 86]. Some example where researchers already started to explore the potential of biometrics in smart environments are: smart healthcare, automated monitoring, smart transportation and smart manufacturing etc [27, 48, 72]. However, the focus of this paper is in the domain of smart and gadget-free healthcare environment and we further define the usecase scenario in coming sections.

1.1 Motivation

The old age population is growing rapidly in both developed and developing countries. The choice of many senior citizens to live independently creates necessity to provide them improved and self-caring intelligent living environments. Among other services, healthcare services are vital for them and must be delivered according to the user demand and without any delay. However, most of the current healthcare systems still use traditional password based or smart card based authentication. In the case of emergency, it is hard to follow traditional password based identification mechanisms for a critical patient. Also for the disabled persons, who can not perform much physical activities, it is not very convenient to use a gadget-based systems for their identification. Hence, there is a clear need of smart and intelligent gadget-free environment, which will be useful to provide easy access to healthcare services for senior citizen/critical patients. However, the user authentication is quite challenging in such gadget free healthcare environment as users will not have any gadgets. Therefore, biometrics based efficient and robust authentication solutions are required for future ambient and gadget-free environments.

1.2 Our contributions

Our Contributions in this paper are discussed as follows:

• We first briefly discussed the concept of future gadget-free hyperconnected environment and defined a problem scenario where patients and elderly people need to be authenticated by nearby hospital surrounding without explicit use of gadgets.

• We proposed an efficient and anonymous biometrics based authentication scheme for the future gadget-free treatment in healthcare environments where patients can be securely authenticated by the smart hospital environment.

• We validate the security properties of the proposed scheme by using formal verification technique (CDVT /AD tool). We also analyzed our proposed scheme using informal security analysis.

• And finally, we compared the communication and computation costs of our scheme with existing available well-known remote user biometrics authentication schemes.

Fig. 1

Transition phases from gadget to gadget-free world

1.3 Organization of paper

The rest of the paper is organized as follows. Section 2 introduces the concept of the gadget-free world. Section 3 highlights the previous work, whereas Sects. 4 and 5 elaborate the problem scenario and preliminary aspects required for the scheme. The proposed authentication scheme is presented in Sect. 6. Section 7 provides the formal and informal security analysis of the scheme whereas Sect. 8 mentions the performance analysis of the proposed scheme. We highlighted the discussion and managerial aspects of this system in Sect. 9 and conclude the paper in Sect. 10.

2 Vision of gadget-free world

The Gadget-Free world (also termed as Naked world) refers to the intelligent surroundings, where users can access digital services without using carry-on gadgets  [4, 32, 54]. This approach is based on a user centric vision where environments have to play the leading role for delivering services. Digital services are embedded in the environment by using various smart sensors/devices or printed electronics technologies. The transition from gadget to gadget-free world can be determined through three phases; Bearables, Wearables and Nearables as shown in Fig. 1.

• Bearables refer to hand-held devices such as mobile phones, laptops, tablets which are commonly used to get daily life services. This is the current and most popular way of acquiring services and have been around from several years.

• Wearables are digital devices which are worn by users to acquire required services. These devices may include smart watches, smart clothes and fitness bands. From the last decade, the wearable technology is improving and playing a vital role in various applications such as healthcare, military and personal assistance. It is also considered as a useful alternative for hand carry gadgets in some of application areas. IoT and wireless sensor networks technology are providing versatile options to enlarge the scope of wearable devices.

• The last phase towards the gadget-free transition will be Nearables. This phase deals with the direct and seamless interaction of the user with the smart and ambient surrounding where the user does not carry any gadgets or wearables. Almost all the functionalities and services that could be achieved using gadgets or wearables are integrated into nearby environments. Thus, smart sensors/printed electronics along with the required capabilities are embedded within the environment. The interaction of the user will be natural and multi-modal.

The development of transition towards the gadget-free world will require enhancements and evolutions in various communication technologies along with stronger security and privacy solutions. For example, authors in  [56] mainly presented the user’s privacy challenges in the future gadget-free environments, i.e. data, location and identity privacy. Moreover, considering these privacy challenges, the authors also suggested a conceptual privacy framework that can mitigate these concerns. For example, mechanisms such as access control, anonymity, transparency, data minimization, accountability, and privacy by design among others will be required to ensure the privacy protection in this transition towards gadget-free world. In addition to that, this also requires ethical and legal measures so that each involved stakeholder in such gadget-free digital environment should respect the privacy of others. The work in this article also requires privacy preserving based user authentication in gadget-free healthcare environment and thus privacy characteristics such as identity privacy need to be protected.

The interaction in the gadget-free environment will require different approaches as compared with what we have in the current gadget based interactions. The gadget-free interaction will include multi-modal interfaces and dimensions. Identification mechanisms for the gadget-free world is also among one of the key challenges which need to be addressed. The infrastructure must be capable of identifying authorized users automatically without their own intervention. The identification technologies have also evolved from usernames and passwords to digital user identifiers such as Subscriber Identity Module (SIM) cards or ID tags and then to bio-signatures such as fingerprints, eye scanning, and even DNA. So far, biometrics based identification is considered as the candidate with the highest potential for gadget-free authentication scenarios [32, 54]. Service availability will also drastically change in a future gadget-free environments. The gadget-free world vision allows services to be ubiquitously available and the user can access such services through custom infrastructures. This will open doors for many new applications such as location based applications, positioning and tracking among others which altogether are very critical for the vision of Industry 4.0 applications.

As this gadget-free vision promises that the user still get the required services without carrying gadgets, the means of personal data storage systems would no longer be required. Instead, data is moved from local storages to storages in the infrastructure such as servers or cloud storages. From the gadget-free environment perspective, the data become available for infrastructures embedded systems. The service logic, i.e. applications, is moved from devices to servers. The idea is to make service development and deployment easier, since the number of platforms will be smaller. The gadget-free world will utilize the concepts of edge and fog computing which will push storage and computational capabilities near to the proximity of the user.

3 Related work

In the current digital age, the basic and the most important requirement in many applications is the real-time and reliable authentication of each valid user. Some of the critical applications such as banking transactions, forensics, healthcare and international border security needs stronger, efficient and robust identification. Therefore, the use of biometrics based authentication approaches have rapidly increased over the last decade. The work in [41] presents state of the art in the field of biometrics recognition over the last 50 years including various recent biometrics traits, the potential challenges in biometrics recognition and available solutions corresponding to those issues.

Several symmetric key based smart card two-factor authentication schemes for single-server and multi-server architectures have been described in literature [82]. Several researchers in the past have highlighted the potential vulnerabilities with smart card based two-factor authentication schemes [83]. For example, authors in [9] highlighted that an adversary can follow offline methods to guess the user’s password in polynomial time. In addition, there are several threats identified in two-factor authentication for WSN related applications [50, 79]. Authors in  [84] explained the potential causes of security failures of two-factor authentication schemes and discussed that researchers only considers attacks on particular protocol and propose corresponding improvements in schemes but pay less focus on underlying rationales of the identified security failures. In order to enhance the security of such schemes further, three factor based authentication schemes are proposed for multi-server architectures by various researchers where biometrics (e.g. iris, face, retina, fingerprint,) are used as a third factor of authentication [12, 18, 51, 85]. In this work, as we are dealing with gadget-free smart environment for required services and users will be without any hand-carry gadgets, a biometrics based authentication schemes are more suitable option.

Approaches such as fuzzy extractors, fuzzy vaults, and fuzzy commitments are mostly used in the case of the practical integration of biometrics information. They are used to enable the reusability and unlinkability of the proposed system. These techniques use a template and helper data for extracting the secret material [36, 59, 71]. Apart from these approaches, BioHashing technique is also quite useful for similar purposes. It deals with the mapping of the biometrics characteristics randomly onto binary strings with user specific tokenized pseudo-random numbers. Many improved and efficient BioHashing based user authentication mechanisms are presented in the literature that are more feasible for small devices such as smart cards and mobile devices [64, 68]. In this work, we are using the central access point (\(AP_C\)) to store the biometrics information of users and thus use of BioHashing can be avoided in this problem scenario.

With the advancement in healthcare technologies, an immense quantity of biomedical sensors will be worn on or implanted in patients in the future for the monitoring, diagnosis, and treatment of diseases. Securing inter-sensor communications within Body Area Networks (BANs) are essential for not only protecting privacy for health related data, but also to guarantee the safety of healthcare delivery. Therefore, biometrics based authentication schemes for BANs are proposed [42, 90]. In addition to that, remote user based telecare medical information systems (TMIS) based healthcare services are getting more widely adopted over traditional desktop telemedicine platforms. Several biometrics based remote user authentication schemes are proposed in the literature to provide protection from certain well-known security attacks such as replay attacks, the Denial of Services (DoS) attacks [17, 40, 78, 81]. Anonymity and unlinkability are also among key requirements for the user while proposing an authentication scheme for smart connected homes, healthcare or for any other critical services [51].

In our problem scenario, we are dealing with direct user’s authentication with the environment without using any intervention of a gadget or a device. The work in [54] explains a gadget-free user authentication framework for single user and restricted locations in the hospital environment. The authentication protocol is solely based on the biometrics characteristics as the user does not carry any smart card or gadget on which security material can be entered. This scheme is useful in preserving identity privacy and can also resist various security attacks. In this paper, we enhanced the system used in [54] by expanding for multiple users and locations within a hospital area. Moreover, we increase the adaptability of the system for low power IoT devices by using lightweight operations such as hash and XOR.

4 Problem definition

We consider a potential future ambient healthcare environment where patients come to the hospital to acquire medical services, carrying no explicit gadgets (smartphones, tablets, PDAs). Patients want to access the relevant medical services at any location within the hospital. There are various medical sensors deployed at different regions in the hospital, which are capable of providing medical services to the particular patients. These digital services may consist of monitoring heart beats, pulse rate among other health related measurements. Patients are allowed to go to their respective regions and can acquire services. As the patient carries no explicit gadgets, the camera is placed in the environment used for the identification of the valid patient. This can be achieved by capturing and analyzing biometric characteristics of the patients. The medical sensors need to be activated by a pin code, entered by the patient. The health information, registered by the medical end nodes, can then be sent to the Medical Server (MS), where only the patient is able to access the data. Through dedicated access control mechanisms, this data can further be shared with doctors, staff and close family and friends. However, the last part is not a subject of focus for this paper.

Fig. 2

System model of proposed gadget-free healthcare usecase

The central administration of the hospital (also called registration center (RC)) is supposed to be a trusted party, which will have access control and generates the required key material for the Access Points (APs) and medical sensors or End Nodes (ENs). The central AP \((AP_C)\) has the capabilities of capturing the biometric features of the patient and can also alert the other APs \((AP_1, AP_2 ,\ldots AP_n)\) within the hospital on the potential arrival of a patient. These APs forward the information further corresponding to their ENs. Considering the resources, especially the APs and ENs are vulnerable to security attacks. Figure 2 represents the system model of the proposed gadget-free healthcare usecase.

5 Preliminary aspects

5.1 Security requirements

Confidentiality Information delivered by the medical sensors can only be derived by the patient, thus not by the RC, the APs, the other ENs, or the MS.

Data authentication Nobody is able to alter the original data. The integrity of the data can be verified by the patient.

Identity privacy It guarantees that the identity of the user cannot be revealed by any outsider.

Unlinkability No outsider is able to link different messages to the same person.

5.2 Setting

In our design, we distinguish five different entities in the system, being the User (U), the Registration Center (RC), the Access Points (APs), the Medical Sensors or End Nodes (ENs) offering health related services and the Medical Server (MS) as shown in Fig. 2. The user in our case is the patient who needs medical services from the ambient and gadget-free environment of the hospital. Patients should not lose their biometric information and should not be traced by different APs.

There are multiple access points available at different regions within the hospital. These access points can be denoted by \((AP_C, AP_1, AP_2 ,\ldots AP_n)\). The Central Access point \((AP_C)\) is placed at the entrance of the hospital and captures the biometric of each patient that comes to the hospital. All other \(AP_S\)\((AP_1, AP_2 ,\ldots AP_n)\) are placed at various regions of the hospital. When \(AP_C\) captures the biometric details of the patient, it shares the patient related information with the other APs \((AP_1, AP_2 ,\ldots AP_n)\). These APs are not able to capture biometric information. They can be considered as a gateway between the \(AP_C\) and the ENs. The identity related information of the patient, in particular PIN information, should be securely forwarded to the ENs.

The Registration Center (RC) is a trusted party and plays a vital role for the patient’s registration. RC is responsible for the generation of key material between the patient and \(AP_C\), the APs and the ENs. End Nodes \((EN_S)\) are responsible for providing medical services and hence they must not derive identity or biometric information of patients and must ensure that whether the particular individual requesting the service is a valid registered patient. The Medical Server (MS) is a central server used to store the patient’s medical information and thus only limited people should be able to access the data such as patient, doctors, family members and close friends.

The patient first registers with the RC when requesting the services from the EN corresponding to a particular AP. Then, the RC generates the appropriate key material for the central AP (\(AP_C\)). After the initialization, the patient can be authenticated by the \(AP_C\). \(AP_C\) will further share the patient information with other access points within the hospital such as \((AP_1, AP_2 ,\ldots AP_n)\). The \(AP_S\) will then notify the request to the associated ENs, so that medical end nodes can already be aware about the particular patient and requested service. Next, when the patient is going to utilize the services of a particular EN, it enters its pin code. If this pin code is registered at the EN, the corresponding service can start and the resulting information of the service is then further transmitted through the corresponding AP and the \(AP_C\) to the MS.

5.3 Assumptions

We mainly focus on communication between patients and medical end nodes. For the communication between other entities, we assume the existence of secret shared keys. These keys can be established either by physical contact or by a more computer intensive public key infrastructure mechanism. As these techniques are well-known, we do not focus on them in this article. Consequently, the following notations are used for secret shared keys.

• Between registration center and access point: The secret shared key is generated by RC and denoted as \(K_{RC{AP_S}}\). It is used for communication between registration center RC and access points AP.

• Between end nodes and access points: This key is used between access points \(AP_S\) and EN and denoted by \(K_{AP_S{EN_J}}\).

• Between registration center and end nodes: The key is generated by RC and denoted as \(K_{RC{EN_J}}\). It is used while sharing information between registration center and end-nodes mainly during installation of end-nodes.

• Between \(AP_C\) and other APs: The key is generated by RC and denoted as \(K_{AP_C{AP_S}}\). It is used while sharing information from a particular AP to the central AP.

• Between central access point and medical server: The key is denoted by \(K_{AP_C{MS}}\) used while sharing information from central access point to medical server.

An outsider should not be able to derive the identity of the user in the whole process, nor to derive the content of the transmitted data produced by the EN. In addition, even if one of the devices, \(AP_S\) or \(EN_S\) are tampered, an attacker might not be able to steal the biometric characteristics of the user or to perform other damaging actions. Only authenticated users are able to request services or access to the ENs.

The attackers may come from inside or outside the network. They are able to eavesdrop on the traffic, inject new messages, replay and change messages, or spoof other identities. Their goals might be to obtain illegitimate data access to the nodes, to perform service degradation or denial of service.

5.4 Notations

The detailed and frequently used notations in our scheme are mentioned in Table 1.

Table 1 Notation for proposed scheme

6 System model

Different phases can be distinguished: (A) the installation phase of ENs and APs (B) registration of the patient with RC (C) request phase of patient with \(AP_C\) (D) notification of other \(AP_S\) (E) activation of the corresponding medical ENs (F) request phase of patient with particular \(EN_j\) (G) registration of info and forwarding to the MS. Figure 2 presents the different phases that can be distinguished.

6.1 Installation phase of ENs and APs

Let x, y be two secrets chosen by the RC. The identity related information corresponding to a medical end node can be denoted by \(EN_j\). This information is shared using the pre-established secret shared keys \(K_{RC{EN_J}}\) and \(K_{RC{AP_S}}\) respectively.

• ENs: The identity related information \(EN_j\), together with secrets \(H(x\Vert y), H(EN_j\Vert H(x))\).

• APs: List of ENs (\(EN_1, \ldots , EN_n\)) in its range, together with secret H(x).

6.2 Registration phase

The patient computes a biometric characteristic \(BIO_i\) at the time-stamp \({T_i}^1\). Next, the patient registers with the RC using \(BIO_i, ID_i, {T_i}^1\) along with \(P_i=H^2(PIN)\).

For each registration, the RC checks the identity of the patient and checks if \(P_i\) is not yet available in the database. Next, the following computations are made by the RC. Let N be the number of registrations (counter) for a patient with that identity.

$$\begin{aligned} A_i&= H(y \Vert ID_i\Vert N)\\ B_i&= H(x \Vert y)\oplus A_i\\ D_i&= (BIO)_i\\ P_i&= H^2({PIN_i)} \oplus A_i \end{aligned}$$

The data \(ID_i, N, H^2(PIN_i), {T_i}^1\) is stored at the RC. The information \(H(A_i), B_i, D_i, P_i, {T_i}^1\) is now securely shared with \(AP_C\), using the secret shared key \(K_{RC{AP_C}}\).

6.3 Request/login phase of patient with \(AP_C\)

Here, when the patient enters in the hospital, \(AP_C\) captures the biometric characteristic \({(BIO)_i}^*\) of the patient and further computes \(d(D_i, {(BIO)_i}^*)\) for all values \(D_i\) in the database and checks whether there is a potential candidate, meaning that the distance is lower than the predefined threshold of 0.32 [22]. Note that as shown in [15], if iris recognition is used as biometrics, this threshold equals to 0.32.

Iris recognition is also the best candidate and suggested to be used in our scheme as it has the the smallest percentages of Equal Error Rate (EER), False Accept Rate (FAR) and False Reject Rate (FRR) in comparison with others  [13]. Table 2 shows the EER, FAR and FRR of various popular and frequently used biometric traits

Table 2 Accuracy of biometrics computation [13]

6.4 Notification of other APs

Now, the central access point \(AP_C\) needs to notify other access points \((AP_1, AP_2 ,\ldots AP_n)\) present at various locations within the hospital/network, so that they can report to their ENs about the potential arrival of an authenticated patient. Let \({T_i}^2\) be the time-stamp at that particular instance, then the group key to be used equals to \(K_N = H(H(x)\Vert {T_i}^2)\). Consequently, the message \({T_i}^2, E_{K_{N}}(H(A_i),B_i, P_i, {T_i}^2)\) is sent to the other access points \((AP_1, AP_2 ,\ldots AP_n)\).

6.5 Activation of corresponding ENs

Next, the access points \((AP_1, AP_2 ,\ldots AP_n)\) present at various locations within the hospital need to activate their corresponding medical end nodes. Denote a random nonce by \(N_i\). The following computations are made at the \({AP_S}\):

$$\begin{aligned} V_1&= H(EN_j\Vert H(x)) \oplus N_i \\ CID_i&= B_i \oplus H(H(EN_j\Vert H(x))\Vert N_i\Vert {T_i}^3)\\ TK&= H(A_i)\oplus N_i\\ C_1&= E_{T_{K}}[P_i\Vert {T_i}^3] \end{aligned}$$

Here, TK is the temporary key and \({T_i}^3\) is the current time-stamp for the set of access points. Next, the \({AP_S}\) sends the message \(V_1\Vert CID_i\Vert C_1\Vert {T_i}^3\) to \(EN_J\). The parameters \(TK, {T_i}^3\) are added to the memory along with the values \(H(A_i),B_i, P_i\).

Upon receiving the message, \(EN_j\) executes the following operations using the values stored in the memory.

$$\begin{aligned} N_i&= V_1\oplus H(EN_j\Vert H(x)) \\ B_i&= CID_i \oplus H(H(EN_j\Vert H(x))\Vert N_i\Vert {T_i}^3)\\ A_i&= B_i \oplus H(x\Vert y)\\ TK^*&= H(A_i)\oplus N_i\\ \end{aligned}$$

Next, the decryption of \({D_{TK^*}[C_1]}\) is done and it is checked whether \({T_i}^3 = {{T_i}^3}^*\). Furthermore, information on the pin code is derived by \(H^2(PIN_i) = P_i\oplus A_i\). The parameters \(H^2(PIN_i)\) and \(A_i\) are stored in the memory of the \(EN_j\).

6.6 Request phase patient with \(EN_j\)

Suppose the patient wants to use the medical end node \(EN_j\). The patient needs to enter its pin code \(PIN_i\). If \(H^2({PIN_i)}\) is stored in its memory, the \(EN_j\) starts delivering services and recording corresponding information m.

6.7 Registration of info by \(EN_j\) and forwarding to MS

Let m be the stream of info, which is generated by the \(EN_j\) for the patient, corresponding with the parameters \(H^2(PIN_i), A_i\). In order to send m to the MS, such that it can only be read by the authenticated user, which is in the possession of the biometrics and the knowledge of the pin code, it needs to undergo three communication phases. Denote the current timestamp by \(T_i^4\).

• From \(EN_j\) to \(AP_S\):

  Denote \(m_{EN} = m \oplus H(H(PIN_i)\Vert T_i^4)\). Send the following message to the \(AP_S\)

  $$\begin{aligned}&T_i^4, T_i^3 ,E_{TK}(m_{EN} , H(EN_j \Vert H(PIN_i)\Vert T_i^4 \Vert m), T_i^4) \end{aligned}$$

  If after decryption of the last part of the message by \(AP_S\) with the stored TK, the last part corresponds with the first part of the transmitted message, then the \(AP_S\) forwards the info to \(AP_C\).

• From \(AP_S\) to \(AP_C\):

  The \(AP_S\) now sends the message to the \(AP_C\) by including identity related information of patient and EN.

  $$\begin{aligned}&T_i^4, H(H(x)\Vert T_i^4) \oplus AP_S, \\&E_{K_{AP_CAP_S}}(m_{EN} , H(H(EN_j \Vert H(PIN_i)\Vert T_i^4) \Vert m), \\&B_i, EN_j,T_i^4) \end{aligned}$$

  If after decryption of the last part of the message by \(AP_C\), the last part corresponds with the first part of the transmitted message, then the \(AP_C\) forwards the info to the MS, by including also the biometrics information.

• From \(AP_C\) to MS:

  Send the message;

  \(T_i^4,E_{K_{AP_CMS}}(m_{EN}\oplus D_i, H(H(EN_j \Vert H(PIN_i)\Vert T_i^4) \Vert m),\)\(EN_j,T_i^4)\).

The information \(T_i^4, m_{EN}\oplus D_i, H(H(EN_j \Vert H(PIN_i)\Vert T_i^4) \Vert m)\), \(EN_j\) is now stored at the MS.Note that we assume that the length of the message m should be shorter than the length of the hash output. If not, instead of using the XOR operation, the message should be encrypted using \(H( H( PIN_i) , Ti_4 )\) as key

If the patient wants to retrieve its information, it first enters \(PIN_i, Bio_i\). From the second part, m can be derived. In addition, the third part allows to verify the integrity of the message.

7 Security analysis of proposed scheme

In this section we present the formal security analysis of our proposed scheme in the gadget-free healthcare environment using Cryptographic-protocol Development and Verification Tools with Attack Detection (CDVT/AD)  [46], that is an automated system implementing a modal logic of knowledge [19] and an attack detection theory [47]. Hence, the reason for using CDVT/AD tool to perform the security analysis of our proposed scheme is straightforward; this tool can analyse both: (a) the evolution of knowledge and belief during a protocol execution and therefore it is useful in addressing issues of both security and trust and (b) the design vulnerabilities of a protocol and therefore it is useful for the detection of freshness and interleaving session attacks. Additionally, another benefit of using CDVT/AD tool is that this verification technique is very efficient in terms of memory requirements and execution times (i.e. milliseconds) required for protocol verification  [44]. Furthermore, this tool successfully verified a large and various set of security protocols  [15, 25, 44].

We formally verify the correctness of our proposed scheme by:

• Formally analyse the security goals of the scheme e.g., authentication, freshness, session-key establishment) using an automated modal logic of knowledge CDVT  [19].

• Formally detect any vulnerability in the design of the scheme that may be exploited by freshness or interleaving session attacks  [47].

Before looking into these two objectives, we will first explain about CDVT/AD tool itself and message idealization process in the next two sections.

7.1 CDVT/AD tool

The CDVT/AD verification tool uses a parser to read in the protocol specification from a text file. Table 2 summarizes the atomic units of the textual grammar.

Table 3 Atomic units of textual grammar

Composite data components are constructed according to Table 3, where elements follow the regular expressions as given in Table 2 and “Data” represents an arbitrary data element (either atomic unit or composite data). Statements are defined according to the rules presented in Table 4, where elements follow the regular expressions as given in Table 2, “Data” is either an atomic data unit or a composite data as defined in Table 3, “i” indicates the indexed discrete time and “Statement” represents an arbitrary statement. “Operator” can be any of: “send”, “receive” or “possess”, while “Trans_Operator” are the transmission operators and can be any of the following: “send to” or “receive from”. The purpose of these transmission operators is to be used for the construction of a specific type of statement expressing reception from a principal or emission to a principal. Each line of the textual specification file is preceded by a label. Assumptions are labeled “An”, protocol steps are labeled “Sn” and protocol goals are labeled “Gn”, where n numbers each group sequentially. Every line must be closed with a semicolon (‘;’) and comments are introduced by a double forward slash (‘//’ , C++ style comments).

Table 4 Composite data construction

The inference rules provided are the standard rules of natural deduction. The axioms of the logic of knowledge express the fundamental properties of public-key cryptographic protocols such as the ability of a principal to encrypt/decrypt based on knowledge of a cryptographic key, while the axioms in the case of the attack detection logic theory enable reasoning about message characteristics in cryptographic protocols. The axioms also reflect the underlying assumptions of the logics, which include: (1) The communication environment is reliable, but hostile. That is, message loss or modification can only occur as consequence of hostile intervention; (2)The cryptosystem is ideal. That is, the encryption and decryption functions are completely non-invertible without knowledge of the appropriate cryptographic key and are invertible with knowledge of the appropriate cryptographic key. The cryptosystem is collision-free so that it is not possible to create the same ciphertext from two different pieces of plaintext; (3) A public key used by the system is considered valid if it has not exceeded its validity period and only its rightful owner knows the corresponding secret key; (4) If a piece of data is encrypted/decrypted, then the entity which performed the encryption/decryption must know that data (the data can be plaintext or ciphertext) (Table 5).

Table 5 Statement construction

7.2 Message idealization

Message idealization is to specify the exchanged messages of the proposed scheme. The following notations are used when translating the scheme into the language of the CDVT/AD tool:

• Registration Center RC: Trusted Third Party TTP;

• Access points of the system APs: Principal Ss;

• Central access point APc: Principal Sc;

• Medical Server MS: Principal Sm;

• End Points ENj: Principal Se;

• Secrets generated by RC x, y: Nx, Ny;

• Hash Function H(.): H();

• IDi (identity of user Ui): U;

• BIOi (bio of Ui): PWbio;

• PINi (Pin of Ui): PWpin;

• \(\oplus\): XOR ;

• Timestamp Ti: Nt;

• Session key between RC and APs Krcaps: Krs;

• Session key between APs and ENj Kapsenj: Kse;

• Session key between APc and MS Kapcms: Kcm;

• Session key between RC and ENj Krcenj: Kre;

• Session key between APc and APs Kapcaps: Kcs;

• Symmetric encryption EK(m): {m}K

• \({{-}}{{>}}\): send

The description of the scheme, using the above presented notations is as follows:

7.2.1 Initial phase

• TTP posses: Nx, Ny, Kre, Krx

• Se posses: H(Nx,Ny), H(Se, H(Nx)), Se

• Ss posses: H(Nx), Se

7.2.2 Registration phase

• U posses: PWbio, PWpin, Nt1, U, H(H(PWpin))

• TTP posses: Nn

• expression Ai = H(Ny, U, Nn)

• expression Bi = H(Nx, Ny) XOR Ai = XOR (H(Nx, Ny), H(Ny, U, Nn)) = H(Nx, Ny) H(Ny, U, Nn)

• expression Di = PWbio

• expression Pi = XOR (H(H(PWpin)), H(Ny, U, Nn))

• TTP posses U, Nn, H(H(PWpin)), Nt1, Krc

• Sc posses: H(Ai), Bi, Di, Pi, Nt1, Krc

7.2.3 Request phase of patient with APc

• Sc posses PWbio

Fig. 3

Scheme formal proof using CDVT/AD: a, b initial assumptions, c scheme steps

7.2.4 Notification of other APs

• Sc , Ss posses Kn = H(H(Nx),Nt2), Nt2

• Sc\({{-}}{{>}}\)Ss: Nt2, H(H(Ny, U, Nn)), XOR (H(Nx, Ny), H(Ny, U, Nn)), XOR (H(H(PWpin)), H(Ny, U, Nn)), Nt2Kn

7.2.5 Activation of ENj

• expression V1 = XOR (H(IDen, H(Nx)), Ni)

• expression CIDi = XOR (Bi, H(H(EN,H(Nx)),Ni, Nt3))

• expression TK = XOR (H(Ai), Ni)

• expression C1 = Pi, Nt3TK = Pi, Nt3 XOR (H(Ai), Ni)

• Ss\({{-}}{{>}}\) Se: V1, CIDi, C1, Nt3

7.2.6 Request phase patient with ENj

• U\({{-}}{{>}}\)Se: PWpin

7.2.7 Registration of info by ENj and forwarding to MS

• Se posses m, Nt4, expression mEN= XOR(H(H(PWpin), Nt4), m)

• Ss\({{-}}{{>}}\) Sc: Nt4, XOR(H(H(Nx),Nt4),IDaps), mEN, H(H(IDen,H(PWpin),Nt4,m)), Bi, IDen, Nt4 Kcs;

• Sc\({{-}}{{>}}\) Sm: Nt4, XOR(mEN, Di), H(H(IDen,H(PWpin), Nt4,m)),IDen,Nt4 Kcm;

7.3 Scheme formal proof using the automated CDVT logic of knowledge

Prior to the automated verification using CDVT logic of knowledge, the scheme must be formalized, i.e. translated into the language of the tool. A formalized protocol consists of three components:

• Initial assumptions (conditions that hold before the protocol starts);

• Protocol steps (the messages exchanged between the principals);

• Protocol goals (conditions that are expected to hold if the protocol terminates successfully).

The CDVT/AD tool applies the axioms and rules of the implemented logic of knowledge in an attempt to derive the protocol goals as a logical consequence of the initial assumptions and the protocol steps. If such a derivation exists, the verification is successful and the verified protocol can be considered secure within the scope of the logic.

7.3.1 Formalization of the proposed scheme

Initial assumptions and schemes steps Initial assumptions are statements defining what each principal possesses and knows at the beginning of a protocol run. Figure 3a, b specifies the initial assumptions of the proposed scheme. The proposed scheme steps are formalized in Fig.3c.

Security goals The formalized goals of the scheme are mentioned in Figs. 4 and 5.

Fig. 4

Security goals (1)

Fig. 5

Security goals (2)

7.3.2 Verification results

The results of the automated verification for the above formalized scheme are shown in Fig. 6. As can be seen, all security goals are verified successfully.

Fig. 6

Security goals verification results

Fig. 7

Analysis of design vulnerabilities using CDVT/AD: a, b initial assumptions, c scheme steps

7.4 Scheme analysis against design vulnerabilities using CDVT/AD tool

Prior to the automated verification using CDVT/AD for the attack detection  [46], the scheme must be formalized into a txt file. The txt file consists of two components: initial assumptions and the protocol steps.

The main idea behind the implemented attack detection technique [47] is to characterize the general circumstances under which a potential attack may exist, by examining the protocol messages structure, and to define a logical formula that describes such circumstances. The logic incorporates detection rules that are classified into five main categories [45] addressing problems related to: (1) message freshness, (2) message symmetries, (3) handshake construction, (4) signed statements and (5) certificates.

The CDVT/AD tool triggers an attack detection rule violation if the prerequisites of the rule can be derived from the formal specification. For any detected failure the analysis will also reveal reasons for the weaknesses, facilitating design corrections. In this case the protocol should be re-designed and re-verified.

7.4.1 Formalization of the proposed scheme

Initial assumptions Initial assumptions are statements defining what each principal possesses and knows at the beginning of a protocol run. The initial assumptions of the scheme is given in Fig 7a, b. The proposed scheme steps are formalized as shown in Fig. 7c:

7.4.2 Verification results

The results of the verification are shown in Fig. 8. As can be seen, the outcome for the attack detection verification is free of any weakness in the design of the proposed scheme that can be exploited by mountable replay (i.e. freshness) attacks and parallel session (i.e. interleaving session) attacks.

Fig. 8

Attack detection verification results

7.5 Discussion on the security features

In this section, we discuss the important security features of the proposed scheme and and its resistance against the most relevant attacks in the literature.

7.5.1 Accountability

Note that a logging mechanism should be installed in each AP and EN. Each log contains identity related information, \(B_i\) in case of AP and \(A_i\) in case of EN. These parameters give no direct information on a certain identity. However, by keeping track of the same pseudonym, abnormal behavior leading to for instance service degradation and DoS attacks, can be more easily detected. In case of doubt, the RC will be contacted to derive the identity.

7.5.2 Replay attacks

These type of attacks are avoided due to the usage of nonces and timestamps in each communication phase. First at the side of the ENs and APs, since logging is performed, replay attacks will be noticed. Secondly, also the RC keeps track of the number of registrations for a particular identity.

7.5.3 Insider attacks

We distinguish the impact of two different situations, being a compromised \(AP_S\) and \(EN_j\).

Compromised AP Let us assume that the attacker has physical access to an \(AP_S\) and is able to retrieve the stored information on the device, being a list of valid combinations of \(H(A_i),B_i, P_i, T_i^3, TK\), together with the secret value H(x). The attacker will not be able to derive the information delivered by the EN or to create fake information m, as it is not capable to find the value of \(H(PIN_i)\).

Compromised end node A compromised end node makes the information \(P_i,A_i\) of the patients, together with the stored secret \(H(x\Vert y)\) available. This information cannot be used to find the message m, stored at the MS, since \(H(PIN_i)\) is required, which cannot be derived from \(P_i\). However, if a patient uses two times the same pin code, then \(H(PIN_i)\) can be registered by the pin code compromised EN and be used to decrypt the stored info at the MS. Consequently, the patient needs to renew its pin code for each usage of the medical EN.

7.5.4 Identity privacy

Note that the activation of the the ENs by the APs contains the parameter \(CID_i\), which is a dynamic reference (nonce is included), related to the pseudonym identity \(B_i\) of the patient. Consequently, no outsider can ever link the different requests to a particular user or to the same user. This also guarantees the location privacy of the patient for any outside attacker.

The same holds for the notification message of the \(AP_C\) to the \(AP_S\) and the messages in the forwarding phase to the MS. As the identity related information is encrypted using pre-established secret shared keys, it is impossible to link the messages to certain patients.

In all messages to APs and ENs, indirect links \(H(A_i)\), \(B_i\) with the user’s identity are used. Only the RC is able to retrieve the real identity. Note that in contrast to an outsider, the end node does have the possibility to link the requests to the same user. This feature is needed in order to easier detect abnormal behavior.

8 Performance analysis

Here, we analyze the efficiency of the system, being the cost and the accuracy for authenticate a person in order to access the required services. The analysis is split in two parts i.e. the computational cost for cryptographic operations on the authentication protocol and the communication of the messages during the request and response phase.

Table 6 Comparison of computational cost using our scheme

8.1 Timing for cryptographic/computational operation

In this section, we have computed the computational costs of two major phases in the proposed authentication scheme i.e. the request/login phase and the answer/authentication phase. Suppose \(T_H\) represents the time required to execute one way hash function SHA-1, \(T_S\) denotes a symmetric key encryption/decryption operation AES and \(T_M\) is the time required for an elliptic curve point multiplication [71]. The Elliptic Curve Cryptography (ECC) includes all necessary primitives of asymmetric cryptographic i.e. Elliptic Curve Digital Signature Algorithm (ECDSA), key exchange and agreement protocols. Point multiplication servers are considered as an elementary unit in all ECC and are computationally most complex and expensive operations [8].

We have not included the computational cost for bitwise XOR and concatenation because these two operations take relatively very less computational overhead. Based on results presented in [52] , the computation times for \(T_H\), \(T_S\) and \(T_M\) are 0.0023 ms, 0.0046 ms and 2.226 ms respectively. We have compared results of our biometrics based user authentication directly with smart environments with existing remote biometric authentication schemes (e.g, biometrics based multiserver environments and TMIS). The schemes presented in  [16, 17, 34, 36, 40, 40, 58, 61, 71, 75, 78] take higher execution time because of the need for elliptic curve point multiplication and that is not in the case of our proposed scheme as shown in Table 6. The remote biometrics authentication scheme presented in [12] has quite similar computational cost compared with our scheme because it only uses hash functions. Our proposed scheme even slightly performs better than  [12], because it uses less number of hash functions and has relatively smaller execution time. As compared with  [54], our scheme has slightly higher computation cost because our proposed scheme also contains the forwarding step of medical information from ENs to MS, while scheme in  [54] does not cover that.

8.2 Communication cost

We have also calculated the communication costs of the request and answer phases of our proposed scheme and compared it with some of the recent and well-known remote user biometric based schemes. In order to evaluate the communication cost, we used SHA-1 as the hash function having 160 bits as the message digest. For the symmetric encryption/decryption, we assume Advanced Encryption Standard (AES) having block sizes of 128 bits. Whereas random nonce and timestamps each take 32 bits. In our scheme during the request phase the message \({T_i}^2, E_{K_{N}}(H(A_i),B_i, P_i, {T_i}^2)\) requires (32+128) = 160 bits and the message \(V_1\Vert CID_i\Vert C_1\Vert {T_i}^3\) needs (160+160+128+32) = 480 bits. Hence, the total communication cost at the request phase is (160+480) = 640 bits.

Table 7 Comparison of communication cost using our scheme

There are multiple messages at answer phase: message \({D_{TK^*}[C_1]}\) requires 128 bits and forwarding of patient’s information from EN to MS requires three messages: \(T_i^4\), \(T_i^3\),\(E_{TK}(m_{EN},H(EN_j \Vert H(PIN_i)\Vert T_i^4 \Vert m), T_i^4)\) needs (32+32+128) = 192 bits. Message \(T_i^4\), \(H(H(x)\Vert T_i^4)\)\(\oplus AP_S, E_{K_{AP_CAP_S}}(m_{EN}\), \(H(H(EN_j\Vert H(PIN_i)\Vert T_i^4) \Vert m)\), \(B_i, EN_j,T_i^4)\) requires (32+160+128) = 320 bits and \(T_i^4,E_{K_{AP_CMS}}(m_{EN}\oplus D_i, H(H(EN_j \Vert H(PIN_i)\Vert T_i^4) \Vert m)\) , \(EN_j,T_i^4)\) needs (32+128) = 160 bits. The total communication cost at answer phase is (128+192+320+160) = 800 bits. Hence as a result, total communication overhead for combined request and answer phases using our proposed scheme is 640+800 = 1440 bits. We can see that our scheme has significantly better communication costs in comparison with  [16, 17, 36, 40, 58, 61, 71, 75, 78] which takes 3520 bits, 2944 bits, 2880 bits, 1664 bits, 3360 bits, 3240 bits, 1860 bits, 1440 bits and 1696 bits respectively as shown in Table 7. Though our scheme has little higher communication cost compared with the schemes of [12, 34] and [54] because our scheme takes few more messages for one additional feature such as forwarding the medical information from ENs to MS.

9 Managerial insight and discussion

This gadget-free environment will be crucial in many key applications such as healthcare, smart home, transportation, smart factories and others. This paper mainly deals with the utilization of gadget-free environment in the healthcare sector. The main goal of this paper is to provide a privacy-preserving biometrics based authentication scheme for the treatment of patients in the gadget-free environment. It is important to guarantee that only valid and authorized patients need to authenticate for healthcare services. In future, this gadget-free authentication mechanism can be utilized for other daily life applications in order to verify the valid users. The authentication process may vary from application to application depending upon the security requirements. In a single application/usecase, there might be various layers of authentication required. For example, various gadget-free users in a smart home may have different authentication requirements based on the priority of their requested services.

In the proposed system, each involved entity has to fulfill the assigned responsibility in order to provide secure and gadget-free healthcare services from nearby hospital surroundings. For example, the registration center is a trusted entity in the whole system and thus responsible for sharing the patient’s credentials and key material to other entities such as to the access points. Thus, the major managerial responsibilities in the proposed system are carried out by the registration center as a secure entity. Access points are considered as high resourceful devices that can fetch the patient’s biometrics and do the further processing with the user’s credentials. It is also responsible to send the patient’s request to various end nodes available in the hospital environment regarding the desired medical services. End nodes/medical nodes are sensors that have capabilities to verify the valid request from the access point and deliver the basic required healthcare services. The medical server is responsible for storing and processing the patient’s data.

The successful patient’s authentication in the gadget-free healthcare environment is also crucial for hospital management from various means. For example, the population of old age citizens is increasing worldwide and thus they require basic medical services quite frequently and without doing much physical efforts. This smart and gadget-free healthcare environment will play a key role in delivering such medical services to them. Likewise, such intelligent environments will be helpful for the persons with disabilities. In addition, the traditional healthcare system is using paperwork based patient registration and most of the current healthcare systems use gadget based registration that may take longer and not suitable in the emergencies. Thus, in such emergency situations, these gadget-free healthcare environments are useful for quick registration and can provide fast basic health services. If the hospital management does not adopt such secure gadget-free authentication mechanisms, privacy-based attacks may arise and patient’s privacy will be leaked. Furthermore, medical services might get delay or not available in a ubiquitously manner.

This work uses the deterministic based gadget-free environment as we have taken a restricted/limited smart healthcare environment (indoor) along with all defined constraints and variables. The role of each entity has been assigned /mentioned clearly and the output is certainly known. Therefore, deterministic based approaches are appropriate for this proposed indoor/limited healthcare usecase. However, in the future, this gadget-free vision will grow further and would be vital for massive scale smart applications. The transition towards complete deployment of the gadget-free environment will naturally be bounded by the evolution of the required technologies. When the enabling technologies for the complete/outdoor gadget-free environment will become mature, there might be applications where stochastic issues can arise in these intelligent environments due to random factors such as random fluctuation in weather causing unpredicted issues to outdoor gadget-free systems/process. In such cases, various basic optimization approaches can be applied to resolve the issues such as; stochastic gradient descent tricks [14], scenario based stochastic optimizations [67, 89] and cross entropy methods [28] among others [65]. These approaches also vary according to the nature of the application and requirements of that particular usecase in the gadget-free environment.

10 Conclusions

In the present digital era, it is vital that healthcare services should be made readily available in the most natural way possible. Thus, it is crucial to have secure and efficient authentication mechanism for users. In this paper, we have considered the future smart healthcare scenario, where users can acquire digital services without using any hand-held gadgets. We have proposed a secure, efficient and privacy preserving biometrics based authentication mechanism for such intelligent environment solely using lightweight operations. The proposed scheme also achieved anonymity and unlinkability using the lightweight operations and protect the system against the well known security attacks. We have found better results in terms of computation and communication costs for our proposed framework when compared with the previous biometrics schemes. Finally, we also performed the formal security verification of the proposed scheme by using the CDVT/AD tool and examined that our authentication framework is secure for several attacks.