 Research
 Open Access
Efficient authenticated key exchange protocols for wireless body area networks
 Jingwei Liu^{1},
 Qian Li^{1},
 Rui Yan^{1} and
 Rong Sun^{1}
https://doi.org/10.1186/s13638-015-0406-2
© Liu et al. 2015
 Received: 5 September 2014
 Accepted: 1 June 2015
 Published: 3 July 2015
Abstract
Secure protocols are a vital guarantee in every kind of communication network environment. The design of authenticated key exchange protocols is currently a hot topic in information security, and the related theory has matured considerably. However, there is still scarcely any appropriate security protocol to guarantee the communication security of wireless body area networks (WBANs). In this paper, following the WBAN standards, we first define a layered network model in accordance with the definition of the two-hop star network topology. In line with this model, we put forward two new authenticated key exchange protocols based on a symmetric cryptosystem, which are suitable for the WBAN application scenario. The proposed protocols support selective authentication between nodes in a WBAN, and two pairs of session keys are generated efficiently and succinctly in each authentication run. Finally, security analysis and performance evaluation show that the proposed key agreement protocols meet the desired security properties with light computation and communication overhead. The proposed protocols provide a primitive for developing efficient and secure WBAN systems.
Keywords
 Security protocol
 Wireless body area network
 BAN logic
 AES
1 Introduction
Authenticated key exchange protocols are important and have been widely applied in network communication. Through a pre-registration step, each of two communicating parties shares a secret symmetric key with a trusted server. When the two participants want to exchange information confidentially and with authentication in an insecure environment, they must agree on a new secret session key with the help of the server. This kind of key exchange is called three-party authenticated key exchange (3PAKE), and 3PAKE protocols are typically employed for mutual authentication and secure communication in various applications. Such protocols are expected to provide the following properties.

Mutual authentication: The participants of the protocol should be authenticated by the server, and they must also authenticate each other.

Session key security: The agreed session key should be known only to the parties that participate in the communication.

Perfect forward secrecy: A session key derived from a set of long-term keys will not be compromised if one of the long-term keys is compromised in the future.
In recent years, many three-party authenticated key exchange protocols have been proposed [1–10]. Yeh et al. [4] proposed two 3PAKE protocols for secure communication over a public network: one is a plaintext-equivalent authentication protocol and the other a verifier-based one. Lee et al. [8] proposed an improved encrypted key exchange protocol developed from Yeh's scheme, and claimed that it has the same computational complexity as Yeh's protocol. The schemes in [2] and [6] both require the server's public key. Lu and Cao [5] proposed a simple three-party password-based authenticated key exchange protocol (S-3PAKE) that does not require any server public key. Guo et al. [11] found that S-3PAKE [5] is vulnerable to a man-in-the-middle attack that exploits an authentication flaw in the protocol and is also subject to an undetectable online dictionary attack, and they provided an improved version. Kim and Choi [12] proposed another improved version of S-3PAKE that resists the online password guessing attack. However, both improved versions [11, 12] incur more computation than the original S-3PAKE protocol, though they are more secure.
With both efficiency and security in mind, the number of protocol execution steps and the complexity of the cryptographic operations have been used to measure the performance of existing 3PAKE schemes. Unlike the above 3PAKE protocols, which pay less attention to computation cost, Huang [7] proposed a 3PAKE protocol in five steps without involving the server's public key. In [1–3], the authors present several symmetric-key-based authenticated key exchange protocols. To further improve the efficiency of 3PAKE protocols, in this paper we propose two new efficient three-party authenticated key exchange protocols with one-time keys, designed specifically for WBANs, which achieve the security properties claimed for Huang's scheme. A key agreement protocol for a WBAN must meet the following requirements.

The key agreement protocol should not require much energy or memory, because sensor nodes are already resource-constrained.

It must suit the topology of the wireless body area network.

Messages should carry little redundancy, and the number of message exchanges between nodes should be minimal.
Possible attacks over the wireless channel (such as replay, eavesdropping, denial of service and Byzantine attacks) have raised the concerns of users and medical service providers. The detailed security requirements of WBANs are introduced in [14]; they are not altogether different from those of general WSNs.
Star topology is widely used in WBANs, since it is simple and easy to control. In this topology, the sensor nodes can be partitioned according to their location: on the head, on the torso and on the limbs [15]. However, it imposes higher energy costs on communication involving nodes that are distant from the BAN Network Controller; for such nodes, relay nodes can be used. To date, there are very few security protocols [16–18] designed for this kind of network topology in WBANs. The main contributions of this paper are as follows.

We propose two novel three-party authenticated key exchange protocols between the controller node and sensor nodes for different situations. Owing to the limited computing ability and storage capacity of sensor nodes, the new protocols are based purely on symmetric cryptography.

BAN logic is employed as a formal tool to verify the authentication and key agreement goals of the proposed 3PAKE protocols.

A quantified performance analysis of the proposed 3PAKE protocols is conducted.
The rest of this paper is structured as follows. Section 2 briefly introduces the network model of WBANs. In Section 3, two three-party key exchange protocols are proposed for different application scenarios, namely the normal situation and the critical or special situation. Section 4 presents the formal demonstration by BAN logic and the security analysis of the new protocols. The performance comparison between the proposed protocols and others is conducted in Section 5. Finally, the conclusion is drawn in Section 6.
2 Network model of the wireless body area network
A WBAN is a special branch of wireless sensor network. It is a human-body-centered communication network [19] consisting of body-related elements, including sensors placed inside and deployed around the human body. Through a WBAN, the data of in-body sensors can be transferred to portable terminal equipment, enabling real-time health monitoring and auxiliary diagnosis of disease for patients [20], while also realizing network interconnection within the range of the human body.
Considering the network as a two-tier architecture, the control node (hub) is logically linked with the primary sensor nodes S_{1}, S_{2}, ⋯, S_{n} for data transmission. At the same time, some primary nodes S_{i} are connected with corresponding secondary nodes S_{i1} in the second layer; here the primary node plays the role of a relay node. Initially, each node must be authenticated before a session key is generated, which requires an authenticated key exchange protocol.
3 New authenticated key exchange protocols for wireless body area network
In this section, we describe the two proposed protocols for the two-hop star topology, in two different application scenarios. For simplicity, S denotes the control node, B, C, D denote primary nodes, and A denotes a secondary node. In the initial state, the control node S holds the pre-shared key K_{bs} with primary node B, K_{cs} with C and K_{ds} with D; likewise, S shares the pre-shared key K_{as} with the secondary node A.
3.1 Formal description of protocol I
In the normal case, the nodes periodically collect data from the sensors of the WBAN and send these data to the hub. If a secondary node is close enough to the hub, it can connect to the hub directly; otherwise it has to find a primary node to act as a relay.
The formal description of protocol I:
Message 1: A broadcasts: \(A, Na\)
Message 2: B → S: \(B, \{A, B, Na, Nb\}_{K_{bs}}\)
Message 3: S → B: \(\{B, Na, K_{ab}\}_{K_{as}}, \{A, Nb, K_{ab}, KEY\}_{K_{bs}}\)
Message 3': S → C: \(\{Nc, text\}_{K_{cs}}\)
Message 4: B → A: \(\{B, Na, K_{ab}\}_{K_{as}}, \{Na, Nb\}_{K_{ab}}\)
Message 5: A → B: \(\{Nb\}_{K_{ab}}\)
(1) The secondary node A, which wants to join the network and be authenticated, generates a random number Na and broadcasts Message 1 containing its identifier A and Na. After receiving the broadcast, B, C and D each send Message 2 to S.
(2) B sends S a message encrypted with the pre-shared key K_{bs} that contains the identifier A, the random number Na, the identifier B and a random number Nb generated by B. Nodes C and D send messages of the same form.
(3) After receiving the request messages from the primary nodes, S decrypts them with the pre-shared keys. Noticing that it is the secondary node A that wants to join the network, S determines the most suitable primary node to connect with A and replies to that node, B, with Message 3, while sending Message 3' to C and D. Message 3 consists of {B, Na, K_{ab}} encrypted with K_{as} and {A, Nb, K_{ab}, KEY} encrypted with K_{bs}, where K_{ab} is the session key for A and B and KEY is the session key between B and S, both generated by S.
(4) After receiving Message 3, B decrypts its second part with K_{bs}, obtains KEY and K_{ab}, encrypts the random numbers Na and Nb with K_{ab}, and forwards the result together with \(\{B, Na, K_{ab}\}_{K_{as}}\) to A. Meanwhile, C and D receive their replies from S and learn that they will not be connected with A.
(5) After receiving Message 4, A first decrypts \(\{B, Na, K_{ab}\}_{K_{as}}\) with K_{as} to obtain the session key K_{ab}, then decrypts \(\{Na, Nb\}_{K_{ab}}\) with K_{ab} to obtain Na and Nb, and finally verifies that both copies of Na match the one it generated. If so, A sends Nb encrypted with K_{ab} to B; otherwise the authentication fails.
(6) After receiving Message 5, B checks whether the returned Nb is identical with the one it generated. If so, A has received the correct session key and the protocol ends.
3.2 Formal description of protocol II
In some special cases, the primary node and the secondary node must work together to analyze data collected from the human body, for example when measuring the blood circulation system: the primary node measures blood pressure while the secondary node measures blood oxygen, and each primary node measuring blood pressure is paired with a secondary node measuring blood oxygen. That is to say, whenever a primary node broadcasts a request, a cooperating secondary node must respond. Protocol II is proposed for this kind of special application.
The formal description of protocol II:
Message 1: B broadcasts: \(B, Nb\)
Message 2: A → B: \(A, Na, Nb, \{A, B, Na\}_{K_{as}}\)
Message 3: B → S: \(B, \{\{A, Na, B\}_{K_{as}}, A, Nb\}_{K_{bs}}\)
Message 4: S → B: \(\{A, Nb, K_{AB}, K_{BS}\}_{K_{bs}}, \{Na, B, K_{AB}\}_{K_{as}}\)
Message 5: B → A: \(\{Na, B, K_{AB}\}_{K_{as}}, \{Nb\}_{K_{AB}}\)
Message 6: A → B: \(\{Nb+1\}_{K_{AB}}\)
(1) The primary node B generates a random number Nb and broadcasts its identifier B together with Nb.
(2) The secondary node A that cooperates with B replies with a message containing its plaintext identifier A, the random numbers Na and Nb, and {A, B, Na} encrypted with the pre-shared key K_{as}.
(3) After receiving A's message, B encrypts the ciphertext \(\{A, B, Na\}_{K_{as}}\) together with the identifier A and the random number Nb under the pre-shared key K_{bs}, and sends the result with its plaintext identifier B to the control node S.
(4) After receiving Message 3, S decrypts and verifies it. If it is correct, S generates the session key K_{BS} between S and B and the session key K_{AB} between A and B. S encrypts A, Nb, K_{AB} and K_{BS} with K_{bs}, encrypts B, Na and K_{AB} with K_{as}, and sends both parts to B.
(5) After receiving Message 4, B decrypts the first part with K_{bs} to obtain the session keys K_{BS} and K_{AB}, encrypts Nb with K_{AB}, and sends A the message \(\{Na, B, K_{AB}\}_{K_{as}}\) together with \(\{Nb\}_{K_{AB}}\).
(6) After receiving Message 5, A decrypts the first part with K_{as} to obtain K_{AB}, the random number and the identifier, and verifies that the identifier is B and the random number is its own Na. If so, A decrypts the second part with the newly received session key K_{AB} to obtain Nb. If it equals the Nb originally broadcast by B, A sends Nb+1 encrypted with K_{AB} to B.
(7) After receiving Message 6, B decrypts it to obtain Nb+1, subtracts one, and checks the result against the random number Nb it generated in the first step. If they match, the protocol has succeeded; otherwise the authentication fails.
Primary and secondary nodes are synergistic, that is, the primary node sends its data to the control node S while the secondary node sends its data through the primary node at the same time. After the protocol has completed initialization and authentication, the primary node B has a data message (Message 2) for S and the secondary node A has a data message (Message 1) for S. A encrypts Message 1 with the session key K_{AB} and sends it to B; B decrypts it with K_{AB}, concatenates it with Message 2, encrypts the result with K_{BS} and sends it to S. Finally, S decrypts with K_{BS} and obtains both Message 1 and Message 2.
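The two exchanges above, as an added example that is not part of the paper: a self-contained Python model of protocols I and II in which every message is built and checked by the party that sends or receives it. The paper lists AES but fixes no mode; because the checks on Na, Nb and the identifiers can only catch substitution if a ciphertext cannot be altered undetected, the example uses authenticated encryption. To stay dependency-free, `seal`/`unseal` are a stand-in for an AES AEAD mode built from HMAC-SHA256 (counter-mode keystream plus a tag over nonce and ciphertext); a deployment would use AES-GCM or AES-CCM instead. The length-prefixed field encoding, the 8-byte nonces, the treatment of Nb+1 as a big-endian integer and the explicit checks each party performs are the example's own choices, and Message 3' to the non-selected nodes C and D is omitted.

```python
"""Protocols I and II of the paper, modelled end to end (added example, not the paper's code)."""
import hashlib
import hmac
import os
import struct

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (_prf(key, b"enc", nonce + struct.pack(">I", i)) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """{plaintext}_key with integrity protection: a stand-in for an AES AEAD mode
    (the paper lists AES but fixes no mode), built from HMAC-SHA256 as a
    counter-mode keystream plus an HMAC tag over nonce || ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    """Inverse of seal; raises if the tag fails (wrong key or modified ciphertext)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def pack(*fields):
    """Length-prefixed concatenation, so identifiers, nonces and keys cannot run together."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def unpack(buf):
    fields = []
    while buf:
        (n,) = struct.unpack(">H", buf[:2])
        fields.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return fields

def expect(ok):
    if not ok:
        raise ValueError("authentication failed")

def protocol_1(Kas, Kbs):
    """Protocol I: secondary node A joins through primary node B; S is the hub."""
    A, B = b"A", b"B"
    Na = os.urandom(8)                                  # Message 1: A broadcasts A, Na
    Nb = os.urandom(8)
    m2 = seal(Kbs, pack(A, B, Na, Nb))                  # Message 2: B -> S
    a, b, na, nb = unpack(unseal(Kbs, m2))              # S decrypts and selects B for A
    Kab, KEY = os.urandom(16), os.urandom(16)           # S generates both session keys
    m3 = (seal(Kas, pack(b, na, Kab)), seal(Kbs, pack(a, nb, Kab, KEY)))  # Message 3: S -> B
    a2, nb2, Kab_B, KEY_B = unpack(unseal(Kbs, m3[1]))  # B opens its part
    expect(a2 == A and nb2 == Nb)                       # B: reply belongs to this run
    m4 = (m3[0], seal(Kab_B, pack(Na, Nb)))             # Message 4: B -> A
    b2, na2, Kab_A = unpack(unseal(Kas, m4[0]))         # A takes Kab from S's ticket
    na3, nb3 = unpack(unseal(Kab_A, m4[1]))
    expect(b2 == B and na2 == Na and na3 == Na)         # A: S and B both echo its Na
    m5 = seal(Kab_A, pack(nb3))                         # Message 5: A -> B
    (nb4,) = unpack(unseal(Kab_B, m5))
    expect(nb4 == Nb)                                   # B: A holds the same Kab
    return {"Kab": (Kab_A, Kab_B), "KEY": (KEY_B, KEY)}

def protocol_2(Kas, Kbs):
    """Protocol II: primary node B initiates; its cooperating secondary node A answers."""
    A, B = b"A", b"B"
    Nb = os.urandom(8)                                  # Message 1: B broadcasts B, Nb
    Na = os.urandom(8)
    m2 = (A, Na, Nb, seal(Kas, pack(A, B, Na)))         # Message 2: A -> B
    expect(m2[2] == Nb)                                 # B: answer to its own broadcast
    m3 = seal(Kbs, pack(m2[3], A, Nb))                  # Message 3: B -> S
    inner, a, nb = unpack(unseal(Kbs, m3))              # S opens B's part ...
    a2, b2, na = unpack(unseal(Kas, inner))             # ... and A's part inside it
    expect(a == a2 == A and b2 == B)                    # S: A really asked to pair with B
    KAB, KBS = os.urandom(16), os.urandom(16)
    m4 = (seal(Kbs, pack(a, nb, KAB, KBS)), seal(Kas, pack(na, b2, KAB)))  # Message 4: S -> B
    a3, nb2, KAB_B, KBS_B = unpack(unseal(Kbs, m4[0]))
    expect(a3 == A and nb2 == Nb)                       # B: fresh reply carrying both keys
    m5 = (m4[1], seal(KAB_B, pack(Nb)))                 # Message 5: B -> A
    na2, b3, KAB_A = unpack(unseal(Kas, m5[0]))
    expect(na2 == Na and b3 == B)                       # A: ticket is for this run and peer
    (nb3,) = unpack(unseal(KAB_A, m5[1]))
    expect(nb3 == Nb)                                   # A: B holds KAB
    nb_plus_1 = (int.from_bytes(nb3, "big") + 1).to_bytes(9, "big")
    m6 = seal(KAB_A, pack(nb_plus_1))                   # Message 6: A -> B, {Nb+1}
    (got,) = unpack(unseal(KAB_B, m6))
    expect(int.from_bytes(got, "big") - 1 == int.from_bytes(Nb, "big"))  # B: closes the loop
    return {"KAB": (KAB_A, KAB_B), "KBS": (KBS_B, KBS)}

def agreed(result):
    """True when every session key was computed identically by both of its holders."""
    return all(x == y for x, y in result.values())

def tampered_ticket_rejected(Kas):
    """Flipping one ciphertext bit makes unseal fail instead of yielding a garbled key."""
    ticket = seal(Kas, pack(b"B", os.urandom(8), os.urandom(16)))
    ticket = ticket[:20] + bytes([ticket[20] ^ 0x01]) + ticket[21:]
    try:
        unseal(Kas, ticket)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    Kas, Kbs = os.urandom(32), os.urandom(32)
    print("protocol I agreed:", agreed(protocol_1(Kas, Kbs)))
    print("protocol II agreed:", agreed(protocol_2(Kas, Kbs)))
    print("tampered ticket rejected:", tampered_ticket_rejected(Kas))
```

`protocol_1` and `protocol_2` return each session key as computed by both of its holders so the agreement can be checked; `tampered_ticket_rejected` shows the integrity property that the nonce and identifier checks depend on. Every `expect` corresponds to a verification step in the descriptions above, except B's check of Nb on receiving Message 3 (Message 4 in protocol II), which the BAN derivation in Section 4 relies on through the assumption that B believes Nb is fresh.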
4 Security analysis
Security analysis is an important way of detecting possible security flaws in security protocols. In this section, we give both a formal analysis by BAN logic and an informal analysis of the proposed protocols.
4.1 Formal analysis
The two authenticated key exchange protocols are verified with the well-known BAN logic in this subsection. Authentication logic is one of the most commonly used analysis tools for cryptographic protocols. BAN logic [21, 22] has revealed many flaws in famous protocols and has also exposed redundancy in many protocols. In BAN logic, messages are first idealized as logical formulas. Then the initial state assumptions are stated as appropriate. Finally, using the known conditions and the inference rules, one reasons about whether the protocol meets its goals.
4.1.1 Logical symbols
1. P, Q: principals participating in the protocol
2. X: a message
3. K: a secret key
4. {X}_{K}: message X encrypted with K
5. P ≡ X: P believes X
6. \(P \lhd X\): P has received (sees) message X
7. P ∼ X: P once said X
8. Q ⇒ X: Q has jurisdiction over X
9. ♯(X): X is fresh
10. \(P \overset{K}{\longleftrightarrow} Q\): K is a secret key shared by P and Q
4.1.2 Inference rules
1. Message-meaning rule: if P believes it shares the secret key K with Q and P receives a message X encrypted with K, then P believes that Q has said X.
$$\text{M}1: \frac{P\equiv P\stackrel{K}{\longleftrightarrow}Q,\ P\lhd\{X\}_{K}}{P\equiv Q\sim X}$$
2. Nonce-verification rule: if P believes that X is fresh and believes that Q has said X, then P believes that Q believes X.
$$\text{N}1: \frac{P\equiv \sharp(X),\ P\equiv Q\sim X}{P\equiv Q\equiv X}$$
3. Jurisdiction rule: if P believes that Q has jurisdiction over X and P believes that Q believes X, then P believes X.
$$\text{J}1: \frac{P\equiv Q\Rightarrow X,\ P\equiv Q\equiv X}{P\equiv X}$$
4. Belief-conjunction rules: if P believes X and Y, then P believes the concatenation (X, Y); if P believes that Q believes (X, Y), then P believes that Q believes each component; if P believes that Q has said (X, Y), then P believes that Q has said each component; if P believes (X, Y), then P believes each component.
$$\begin{aligned} &\text{B}1: \frac{P\equiv X,\ P\equiv Y}{P\equiv(X,Y)}\qquad\qquad \text{B}2: \frac{P\equiv Q\equiv(X,Y)}{P\equiv Q\equiv Y}\\ &\text{B}3: \frac{P\equiv Q\sim(X,Y)}{P\equiv Q\sim X}\qquad\qquad \text{B}4: \frac{P\equiv(X,Y)}{P\equiv X} \end{aligned}$$
5. Freshness-conjunction rule: if P believes that X is fresh, then P believes that any concatenation containing X is fresh.
$$\text{F}1: \frac{P\equiv \sharp(X)}{P\equiv \sharp(X,Y)}$$
6. Reception rules: if P receives the concatenation (X, Y), then P receives X (and likewise Y); if P receives X combined with the secret Y, then P receives X; if P believes it shares the secret key K with Q and receives X encrypted with K, then P receives X.
$$\begin{aligned} &\text{R}1: \frac{P\lhd(X,Y)}{P\lhd X} \qquad\qquad\qquad\qquad \text{R}2: \frac{P\lhd<X>_{Y}}{P\lhd X}\\ &\text{R}3: \frac{P\equiv P\stackrel{K}{\longleftrightarrow}Q,\ P\lhd\{X\}_{K}}{P\lhd X} \end{aligned}$$
7. Additional rule: if the secret key K is fresh, P receives message X encrypted with K, and P believes it shares K with Q, then P believes that Q has said X and P believes that Q believes K is shared by P and Q.
$$\frac{\sharp(K),\ P\lhd\{X\}_{K},\ P\equiv P\stackrel{K}{\longleftrightarrow}Q}{P\equiv Q\sim X,\ P\equiv Q\equiv P\stackrel{K}{\longleftrightarrow}Q}$$
4.1.3 The deduction of protocol I
(1) Idealization

MS2: \(B \to S:\ B, \{A, B, Na, Nb\}_{K_{bs}}\)

MS3: \(S \to B:\ \{Na, B, K_{ab}\}_{K_{as}}, \{A, Nb, K_{ab}, KEY\}_{K_{bs}}\)

MS4: \(B \to A:\ \{B, Na, K_{ab}\}_{K_{as}}, \{Na, Nb\}_{K_{ab}}\)

MS5: \(A \to B:\ \{Nb\}_{K_{ab}}\)
The idealization of Message 1 is omitted since it does not contribute to the logical properties of the protocol.
(2) Initial state assumptions
The initial state assumptions of S are: 1. \(S\equiv S \overset{K_{as}}{\longleftrightarrow} A\) 2. \(S\equiv S \overset{K_{bs}}{\longleftrightarrow} B\) 3. \(S \Rightarrow KEY\) 4. \(S \Rightarrow K_{ab}\)
The initial state assumptions of B are: 1. \(B\equiv B \overset{K_{bs}}{\longleftrightarrow} S\) 2. \(B\equiv \sharp(Nb)\) 3. \(B\equiv S\Rightarrow B \overset{KEY}{\longleftrightarrow} S\) 4. \(B\equiv S\Rightarrow A \overset{K_{ab}}{\longleftrightarrow} B\)
The initial state assumptions of A are: 1. \(A\equiv A \overset{K_{as}}{\longleftrightarrow} S\) 2. \(A\equiv S\Rightarrow A \overset{K_{ab}}{\longleftrightarrow} B\) 3. \(A\equiv \sharp(Na)\)
(3) Annotation
1. \(S \lhd \{A, B, Na, Nb\}_{K_{bs}}\)
2. \(B \lhd \{Na, A \overset{K_{ab}}{\longleftrightarrow} B, \sharp(A \overset{K_{ab}}{\longleftrightarrow} B)\}_{K_{as}},\ \{Nb, A \overset{K_{ab}}{\longleftrightarrow} B, \sharp(A \overset{K_{ab}}{\longleftrightarrow} B), S \overset{KEY}{\longleftrightarrow} B, \sharp(S \overset{KEY}{\longleftrightarrow} B)\}_{K_{bs}}\)
3. \(A \lhd \{Na, A \overset{K_{ab}}{\longleftrightarrow} B, \sharp(A \overset{K_{ab}}{\longleftrightarrow} B)\}_{K_{as}},\ \{Na, Nb, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{ab}}\)
4. \(B \lhd \{Nb, A \overset{K_{ab}}{\longleftrightarrow} B\}_{K_{ab}}\)
(4) Final beliefs

S and B achieve two-way authentication:
\(S \equiv B \sim X_B\), \(B \equiv S \sim X_S\) (X_S and X_B are the messages generated by S and B)

B and A achieve two-way authentication:
\(B \equiv A \sim X_A\), \(A \equiv B \sim X_B\) (X_A and X_B are the messages generated by A and B)

Shared secret keys are negotiated through the two-way authentication:
\(B\equiv B \overset{KEY}{\longleftrightarrow} S \quad \quad \quad \quad B\equiv S\equiv B \overset{KEY}{\longleftrightarrow} S\)
\(B\equiv A \overset{K_{ab}}{\longleftrightarrow} B \quad \quad \quad \quad B\equiv A\equiv A \overset{K_{ab}}{\longleftrightarrow} B\)
\(A\equiv A \overset{K_{ab}}{\longleftrightarrow} B \quad \quad \quad \quad A\equiv B\equiv A \overset{K_{ab}}{\longleftrightarrow} B\)
(5) Derivation process
In the derivation, KEY and K_{ab} inside a belief abbreviate the key formulas \(B \overset{KEY}{\longleftrightarrow} S\) and \(A \overset{K_{ab}}{\longleftrightarrow} B\) carried in the annotated messages.
According to MS2:
1. \(\frac{S \equiv S \overset{K_{bs}}{\longleftrightarrow} B,\ S \lhd \{A,B,Na,Nb\}_{K_{bs}}}{S \equiv B \sim \{A,B,Na,Nb\}}\) (M1)
According to MS3:
1. \(\frac{B \equiv B \overset{K_{bs}}{\longleftrightarrow} S,\ B \lhd \{A,Nb,K_{ab},KEY\}_{K_{bs}}}{B \equiv S \sim \{A,Nb,K_{ab},KEY\}}\) (M1)
2. \(\frac{B \equiv \sharp(Nb)}{B \equiv \sharp\{A,Nb,K_{ab},KEY\}}\) (F1)
3. \(\frac{B \equiv S \sim \{A,Nb,K_{ab},KEY\},\ B \equiv \sharp\{A,Nb,K_{ab},KEY\}}{B \equiv S \equiv \{A,Nb,K_{ab},KEY\}}\) (N1)
4. \(\frac{B \equiv S \equiv \{A,Nb,K_{ab},KEY\}}{B \equiv S \equiv KEY}\) (B2)
5. \(\frac{B \equiv S \equiv KEY,\ B \equiv S \Rightarrow KEY}{B \equiv KEY}\) (J1)
6. \(\frac{B \equiv S \equiv \{A,Nb,K_{ab},KEY\}}{B \equiv S \equiv K_{ab}}\) (B2)
7. \(\frac{B \equiv S \equiv K_{ab},\ B \equiv S \Rightarrow K_{ab}}{B \equiv K_{ab}}\) (J1)
According to MS4:
1. \(\frac{A \equiv A \overset{K_{as}}{\longleftrightarrow} S,\ A \lhd \{B,Na,K_{ab}\}_{K_{as}}}{A \equiv S \sim \{B,Na,K_{ab}\}}\) (M1)
2. \(\frac{A \equiv \sharp(Na)}{A \equiv \sharp\{B,Na,K_{ab}\}}\) (F1)
3. \(\frac{A \equiv S \sim \{B,Na,K_{ab}\},\ A \equiv \sharp\{B,Na,K_{ab}\}}{A \equiv S \equiv \{B,Na,K_{ab}\}}\) (N1)
4. \(\frac{A \equiv S \equiv \{B,Na,K_{ab}\}}{A \equiv S \equiv K_{ab}}\) (B2)
5. \(\frac{A \equiv S \equiv K_{ab},\ A \equiv S \Rightarrow K_{ab}}{A \equiv K_{ab}}\) (J1)
6. \(\frac{\sharp(K_{ab}),\ A \lhd \{Na,Nb\}_{K_{ab}},\ A \equiv A \overset{K_{ab}}{\longleftrightarrow} B}{A \equiv B \sim \{Na,Nb\},\ A \equiv B \equiv A \overset{K_{ab}}{\longleftrightarrow} B}\) (additional rule)
According to MS5:
1. \(\frac{\sharp(K_{ab}),\ B \lhd \{Nb\}_{K_{ab}},\ B \equiv A \overset{K_{ab}}{\longleftrightarrow} B}{B \equiv A \sim Nb,\ B \equiv A \equiv A \overset{K_{ab}}{\longleftrightarrow} B}\) (additional rule)
From the above derivation, we can draw the following conclusions: B has the KEY and believes that it is shared with S; B has the K _{ ab } and believes that it is shared with A; A has the K _{ ab } and believes that it is shared with B; S and B realize twoway authentication; B and A realize twoway authentication.
4.1.4 The deduction of protocol II
(1) Idealization

MS2: \(A \to B:\ \{A, B, Na\}_{K_{as}},\ A,\ Na,\ Nb\)

MS3: \(B \to S:\ B, \{\{A, Na, B\}_{K_{as}}, Nb, A\}_{K_{bs}}\)

MS4: \(S \to B:\ \{A, Nb, K_{AB}, K_{BS}\}_{K_{bs}}, \{Na, B, K_{AB}\}_{K_{as}}\)

MS5: \(B \to A:\ \{Na, B, K_{AB}\}_{K_{as}}, \{Nb\}_{K_{AB}}\)

MS6: \(A \to B:\ \{Nb+1\}_{K_{AB}}\)
The idealizations of Message 1 and of the plaintext part of Message 2 are omitted since they do not contribute to the logical properties of the protocol.
(2) Initial state assumptions
The initial state assumptions of S are: 1. \(S\equiv S \overset{K_{as}}{\longleftrightarrow} A\) 2. \(S\equiv S \overset{K_{bs}}{\longleftrightarrow} B\) 3. \(S \Rightarrow K_{BS}\) 4. \(S \Rightarrow K_{AB}\)
The initial state assumptions of B are: 1. \(B\equiv B \overset{K_{bs}}{\longleftrightarrow} S\) 2. \(B\equiv \sharp(Nb)\) 3. \(B\equiv S\Rightarrow B \overset{K_{BS}}{\longleftrightarrow} S\) 4. \(B\equiv S\Rightarrow A \overset{K_{AB}}{\longleftrightarrow} B\)
The initial state assumptions of A are: 1. \(A\equiv A \overset{K_{as}}{\longleftrightarrow} S\) 2. \(A\equiv S\Rightarrow A \overset{K_{AB}}{\longleftrightarrow} B\) 3. \(A\equiv \sharp(Na)\)
(3) Annotation
1. \(B \lhd \{A, B, Na\}_{K_{as}}\)
2. \(S \lhd \{\{A, Na, B\}_{K_{as}}, Nb, A\}_{K_{bs}}\)
3. \(B \lhd \{Nb, A \overset{K_{AB}}{\longleftrightarrow} B, \sharp(A \overset{K_{AB}}{\longleftrightarrow} B), B \overset{K_{BS}}{\longleftrightarrow} S, \sharp(B \overset{K_{BS}}{\longleftrightarrow} S)\}_{K_{bs}},\ \{Na, A \overset{K_{AB}}{\longleftrightarrow} B, \sharp(A \overset{K_{AB}}{\longleftrightarrow} B)\}_{K_{as}}\)
4. \(A \lhd \{Na, A \overset{K_{AB}}{\longleftrightarrow} B, \sharp(A \overset{K_{AB}}{\longleftrightarrow} B)\}_{K_{as}},\ \{Nb\}_{K_{AB}}\)
5. \(B \lhd \{Nb+1\}_{K_{AB}}\)
(4) Final beliefs

S and B achieve two-way authentication:
\(S \equiv B \sim X_B\), \(B \equiv S \sim X_S\) (X_S and X_B are the messages generated by S and B)

B and A achieve two-way authentication:
\(B \equiv A \sim X_A\), \(A \equiv B \sim X_B\) (X_A and X_B are the messages generated by A and B)

Shared secret keys are negotiated through the two-way authentication:
\(B\equiv B \overset{K_{BS}}{\longleftrightarrow} S \quad \quad \quad \quad B\equiv S\equiv B \overset{K_{BS}}{\longleftrightarrow} S\)
\(B\equiv A \overset{K_{AB}}{\longleftrightarrow} B \quad \quad \quad \quad B\equiv A\equiv A \overset{K_{AB}}{\longleftrightarrow} B\)
\(A\equiv A \overset{K_{AB}}{\longleftrightarrow} B \quad \quad \quad \quad A\equiv B\equiv A \overset{K_{AB}}{\longleftrightarrow} B\)
(5) Derivation process
As before, K_{BS} and K_{AB} inside a belief abbreviate the key formulas \(B \overset{K_{BS}}{\longleftrightarrow} S\) and \(A \overset{K_{AB}}{\longleftrightarrow} B\).
According to MS3:
1. \(\frac{S \equiv S \overset{K_{bs}}{\longleftrightarrow} B,\ S \lhd \{\{A,Na,B\}_{K_{as}},Nb,A\}_{K_{bs}}}{S \equiv B \sim \{\{A,Na,B\}_{K_{as}},Nb,A\}}\) (M1)
According to MS4:
1. \(\frac{B \equiv B \overset{K_{bs}}{\longleftrightarrow} S,\ B \lhd \{A,Nb,K_{AB},K_{BS}\}_{K_{bs}}}{B \equiv S \sim \{A,Nb,K_{AB},K_{BS}\}}\) (M1)
2. \(\frac{B \equiv \sharp(Nb)}{B \equiv \sharp\{A,Nb,K_{AB},K_{BS}\}}\) (F1)
3. \(\frac{B \equiv S \sim \{A,Nb,K_{AB},K_{BS}\},\ B \equiv \sharp\{A,Nb,K_{AB},K_{BS}\}}{B \equiv S \equiv \{A,Nb,K_{AB},K_{BS}\}}\) (N1)
4. \(\frac{B \equiv S \equiv \{A,Nb,K_{AB},K_{BS}\}}{B \equiv S \equiv K_{BS}}\) (B2)
5. \(\frac{B \equiv S \equiv K_{BS},\ B \equiv S \Rightarrow K_{BS}}{B \equiv K_{BS}}\) (J1)
6. \(\frac{B \equiv S \equiv \{A,Nb,K_{AB},K_{BS}\}}{B \equiv S \equiv K_{AB}}\) (B2)
7. \(\frac{B \equiv S \equiv K_{AB},\ B \equiv S \Rightarrow K_{AB}}{B \equiv K_{AB}}\) (J1)
According to MS5:
1. \(\frac{A \equiv A \overset{K_{as}}{\longleftrightarrow} S,\ A \lhd \{Na,B,K_{AB}\}_{K_{as}}}{A \equiv S \sim \{Na,B,K_{AB}\}}\) (M1)
2. \(\frac{A \equiv \sharp(Na)}{A \equiv \sharp\{Na,B,K_{AB}\}}\) (F1)
3. \(\frac{A \equiv S \sim \{Na,B,K_{AB}\},\ A \equiv \sharp\{Na,B,K_{AB}\}}{A \equiv S \equiv \{Na,B,K_{AB}\}}\) (N1)
4. \(\frac{A \equiv S \equiv \{Na,B,K_{AB}\}}{A \equiv S \equiv K_{AB}}\) (B2)
5. \(\frac{A \equiv S \equiv K_{AB},\ A \equiv S \Rightarrow K_{AB}}{A \equiv K_{AB}}\) (J1)
6. \(\frac{\sharp(K_{AB}),\ A \lhd \{Nb\}_{K_{AB}},\ A \equiv A \overset{K_{AB}}{\longleftrightarrow} B}{A \equiv B \sim Nb,\ A \equiv B \equiv A \overset{K_{AB}}{\longleftrightarrow} B}\) (additional rule)
According to MS6:
1. \(\frac{\sharp(K_{AB}),\ B \lhd \{Nb+1\}_{K_{AB}},\ B \equiv A \overset{K_{AB}}{\longleftrightarrow} B}{B \equiv A \sim (Nb+1),\ B \equiv A \equiv A \overset{K_{AB}}{\longleftrightarrow} B}\) (additional rule)
From the above derivation, we can draw the following conclusions: B has the K _{ BS } and believes that it is shared with S; B has the K _{ AB } and believes that it is shared with A; A has the K _{ AB } and believes that it is shared with B; S and B realize twoway authentication; B and A realize twoway authentication.
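The key-distribution steps of the derivations in Sections 4.1.3 and 4.1.4, mechanized as an added example that is not part of the paper: a small forward-chaining checker in Python that encodes the rules M1, N1, J1, B2, B3, B4, F1, R1 and R3 of Section 4.1.2 and runs them over the idealized messages that carry the session keys (the parts of MS3 and MS4 of protocol I, and of MS4 and MS5 of protocol II, addressed to B and A) together with the initial state assumptions of A and B. The tuple encoding of formulas, the restriction of F1 to concatenations that actually occur in the protocol (so the search is finite), and the omission of the additional rule (not needed for the key goals) are the example's own choices. Besides reproducing the final beliefs on KEY and K_{ab}, it shows what the freshness assumption buys: without B ≡ ♯(Nb), B still derives S ∼ KEY through M1 and B3, but N1 never fires, so B ≡ S ≡ KEY and, through J1, B ≡ KEY are never reached.

```python
"""Forward-chaining BAN-logic checker for the key-distribution steps (added example)."""

# Formulas are nested tuples. In the paper's notation, ≡ is 'bel', ⊲ is 'sees',
# ∼ is 'said', ⇒ is 'ctl' and ♯ is 'fresh':
#   ('bel', P, X)  ('sees', P, X)  ('said', P, X)  ('ctl', P, X)  ('fresh', X)
#   ('key', K, (P, Q))  K is a good key shared by P and Q (endpoints kept sorted)
#   ('enc', X, K)       X encrypted under K        ('cat', X1, X2, ...)  concatenation
TAGS = {"bel", "sees", "said", "ctl", "fresh", "key", "enc", "cat"}

def key(p, k, q):
    return ("key", k, tuple(sorted((p, q))))

def other_end(key_formula, p):
    ends = key_formula[2]
    return ends[1] if ends[0] == p else ends[0]

def subformulas(x, acc):
    if isinstance(x, tuple) and x and x[0] in TAGS:
        acc.add(x)
        for part in x[1:]:
            subformulas(part, acc)
    return acc

def step(facts):
    """Apply every rule once to the known facts; return only what is new."""
    new, known = set(), set()
    for f in facts:
        subformulas(f, known)
    cats = [c for c in known if c[0] == "cat"]        # F1 is applied only to these
    for kind, p, x in facts:
        if kind == "sees":
            if x[0] == "cat":                                           # R1
                new.update(("sees", p, part) for part in x[1:])
            elif x[0] == "enc":
                inner, k = x[1], x[2]
                for g in facts:                                         # P must believe the key
                    if g[0] == "bel" and g[1] == p and g[2][0] == "key" and g[2][1] == k and p in g[2][2]:
                        new.add(("sees", p, inner))                     # R3
                        new.add(("bel", p, ("said", other_end(g[2], p), inner)))  # M1
        elif kind == "bel":
            if x[0] == "said" and x[2][0] == "cat":                     # B3
                new.update(("bel", p, ("said", x[1], part)) for part in x[2][1:])
            elif x[0] == "bel" and x[2][0] == "cat":                    # B2
                new.update(("bel", p, ("bel", x[1], part)) for part in x[2][1:])
            elif x[0] == "cat":                                         # B4
                new.update(("bel", p, part) for part in x[1:])
            elif x[0] == "fresh":                                       # F1
                new.update(("bel", p, ("fresh", c)) for c in cats if x[1] in c[1:])
            if x[0] == "said" and ("bel", p, ("fresh", x[2])) in facts:     # N1
                new.add(("bel", p, ("bel", x[1], x[2])))
            if x[0] == "bel" and ("bel", p, ("ctl", x[1], x[2])) in facts:  # J1
                new.add(("bel", p, x[2]))
    return new - facts

def derive(assumptions):
    """Least fixed point of the rules."""
    facts = set(assumptions)
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new

def analyse(k_ab, k_bs, to_B, to_A, fresh_nb=True):
    """Initial state assumptions of A and B (Sections 4.1.3 and 4.1.4) plus the two
    idealized tickets they receive; S's own assumptions are not needed for these goals."""
    facts = {("bel", "B", key("B", "Kbs", "S")), ("bel", "A", key("A", "Kas", "S")),
             ("bel", "A", ("fresh", "Na")),
             ("bel", "B", ("ctl", "S", k_bs)), ("bel", "B", ("ctl", "S", k_ab)),
             ("bel", "A", ("ctl", "S", k_ab)),
             ("sees", "B", to_B), ("sees", "A", to_A)}
    if fresh_nb:
        facts.add(("bel", "B", ("fresh", "Nb")))
    return derive(facts)

def protocol_1(fresh_nb=True):
    k_ab, k_bs = key("A", "Kab", "B"), key("B", "KEY", "S")
    to_B = ("enc", ("cat", "A", "Nb", k_ab, k_bs), "Kbs")   # MS3, the part for B
    to_A = ("enc", ("cat", "B", "Na", k_ab), "Kas")         # MS4, S's ticket forwarded by B
    return analyse(k_ab, k_bs, to_B, to_A, fresh_nb), k_ab, k_bs

def protocol_2(fresh_nb=True):
    k_ab, k_bs = key("A", "KAB", "B"), key("B", "KBS", "S")
    to_B = ("enc", ("cat", "A", "Nb", k_ab, k_bs), "Kbs")   # MS4, the part for B
    to_A = ("enc", ("cat", "Na", "B", k_ab), "Kas")         # MS5, S's ticket forwarded by B
    return analyse(k_ab, k_bs, to_B, to_A, fresh_nb), k_ab, k_bs

def goals_met(facts, k_ab, k_bs):
    """Final beliefs on the keys: B ≡ KEY, B ≡ S ≡ KEY, B ≡ Kab, A ≡ Kab, A ≡ S ≡ Kab."""
    goals = (("bel", "B", k_bs), ("bel", "B", ("bel", "S", k_bs)), ("bel", "B", k_ab),
             ("bel", "A", k_ab), ("bel", "A", ("bel", "S", k_ab)))
    return all(g in facts for g in goals)

def said_not_believed(facts, k_bs):
    """Without freshness B only reaches S ∼ KEY (M1, B3); N1 and J1 never fire."""
    return ("bel", "B", ("said", "S", k_bs)) in facts and ("bel", "B", k_bs) not in facts

if __name__ == "__main__":
    for run in (protocol_1, protocol_2):
        print(run.__name__, "goals met:", goals_met(*run()),
              "| without B believing Nb fresh:", goals_met(*run(False)))
```

The checker is deliberately minimal: it treats the key formula as symmetric (so \(A \overset{K_{ab}}{\longleftrightarrow} B\) and \(B \overset{K_{ab}}{\longleftrightarrow} A\) are the same fact), and it reaches a fixed point because every rule either decomposes an existing formula or, for F1, only builds concatenations that already occur in the messages. The same idealized tickets, minus the freshness assumption on Nb, are exactly the situation a replayed Message 3 would put B in.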
4.2 Security properties analysis
Firstly, the proposed protocols have the following properties.
Mutual authentication: By our protocols, S can authenticate A and B respectively from the authentication request with the random number Na and Nb. Also, A and B authenticate each other identity through K _{ ab } and Nb. The protocols have mutual authentication property to make the maninthemiddle attacks necessarily unsuccessful.
Perfect forward secrecy: Our protocols possess forward secrecy: an agreed key is not compromised even if other agreed keys derived from the same long-term keying material in a subsequent run are compromised. In the proposed protocols, the session keys K_ab and KEY are randomly selected, so they are independent across protocol executions. Therefore, the compromised keys K_as and K_bs cannot reveal any previous session key.
Then, we analyze the proposed protocols against the following kinds of attacks.
Trivial substitution and replay attack: In a replay attack, an adversary first intercepts some data during a run of the key exchange protocol and later replays the intercepted data to a receiver in a future run. The replay attack does not succeed against the proposed protocols because the freshness of the messages transmitted between participants is guaranteed by the random nonces Na and Nb, and only A, B, and S can use the pre-shared keys to encrypt those nonces. Moreover, the proposed protocols do not need timestamps to prevent replay, which would require precise clock synchronization.
Man-in-the-middle attack: In a man-in-the-middle attack, an attacker intercepts, replays, substitutes, or modifies information that is significant to the communicating parties. Since all critical messages in the proposed protocols are encrypted to prevent eavesdropping, an attacker is hardly able to modify the messages exchanged between entities. However, if an attacker I eavesdrops on the channel between A and B, he can replace the authentication request {Na, A} with {Ni, I}. The replaced {Ni, I} is forwarded to S together with {Nb, B}. The attacker is successfully authenticated by S if he is really a legitimate user of the system. Even so, the man-in-the-middle attack still cannot succeed, because the attacker cannot generate a correct \(\{Ni\}_{K_{\textit {ab}}}\) in response to {Ni, I}. Therefore, we conclude that a man-in-the-middle attack cannot succeed against the proposed protocols.
Fake base station attack: In a fake base station attack, a fake node pretends to be a participant of the protocol in order to obtain secret information. Because the pre-shared keys are known only to A, B, and S in the new protocols, information encrypted with the pre-shared keys K_as and K_bs cannot be decrypted by illegitimate entities. A fake entity does not know the pre-shared keys and therefore cannot obtain the resulting session key. If the entities decrypt the messages correctly and obtain the right contents, we can be sure that the identities of the nodes are legitimate, and the authentication is accomplished.
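The replay and fake-node arguments above rest on two receiver-side checks: each node compares the nonce it chose with the nonce returned inside the encrypted reply, and only holders of K_as or K_bs can produce a reply that decrypts correctly. The following Python program is an added illustration of those checks, not the authors' implementation. It assumes a message flow for protocol I reconstructed from the message-size formula in Section 5.3 (A sends A, Na; B sends E_bs{A, B, Na, Nb} to S; S answers with E_as{B, Na, K_ab} and E_bs{A, Nb, K_ab, KEY}; B forwards the first part with E_ab{Na, Nb}; A confirms with E_ab{Nb}), and it uses an encrypt-then-MAC stand-in built from HMAC-SHA256 in place of AES-128 because the Python standard library has no AES. Node identifiers, nonces and keys are constructed sample values.

```python
"""Protocol I walk-through with B's and A's acceptance checks (added illustration).
Assumed message flow, reconstructed from the size formula in Section 5.3; E_k{...}
is an HMAC-SHA256 based encrypt-then-MAC stand-in for the paper's AES-128."""
import hashlib, hmac, json, os

def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, fields):
    """E_key{fields}: random IV, keystream XOR, MAC over IV||ciphertext."""
    pt = json.dumps(fields, sort_keys=True).encode()
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; None when the MAC fails (wrong key or tampering)."""
    iv, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

class Server:
    """S: holds the pre-shared keys and issues a fresh K_ab and KEY per run."""
    def __init__(self, keys):
        self.keys = keys                      # {"A": K_as, "B": K_bs}

    def handle(self, b_id, msg2):
        fields = unseal(self.keys.get(b_id, b""), msg2)
        if fields is None or fields["B"] != b_id or fields["A"] not in self.keys:
            return None
        k_ab, key = os.urandom(16).hex(), os.urandom(16).hex()
        return (seal(self.keys[fields["A"]], {"B": b_id, "Na": fields["Na"], "Kab": k_ab}),
                seal(self.keys[b_id], {"A": fields["A"], "Nb": fields["Nb"], "Kab": k_ab, "KEY": key}))

def run_protocol(server, k_as, k_bs, tamper=lambda reply: reply):
    """One run between A (K_as) and B (K_bs). `tamper` lets an adversary on the S-B link
    replace S's reply. Returns both copies of K_ab, or None if a node rejects."""
    na, nb = os.urandom(8).hex(), os.urandom(8).hex()        # constructed nonces
    # 1. A -> B : A, Na          2. B -> S : B, E_bs{A, B, Na, Nb}
    reply = tamper(server.handle("B", seal(k_bs, {"A": "A", "B": "B", "Na": na, "Nb": nb})))
    if reply is None:
        return None
    # 3. S -> B : E_as{B, Na, K_ab}, E_bs{A, Nb, K_ab, KEY}
    for_a, for_b = reply
    fb = unseal(k_bs, for_b)
    if fb is None or fb["A"] != "A" or fb["Nb"] != nb:       # B: bad MAC, wrong peer or stale Nb
        return None
    k_ab_b = bytes.fromhex(fb["Kab"])
    # 4. B -> A : E_as{B, Na, K_ab}, E_ab{Na, Nb}
    fa = unseal(k_as, for_a)
    if fa is None or fa["B"] != "B" or fa["Na"] != na:       # A: stale Na means a replay
        return None
    k_ab_a = bytes.fromhex(fa["Kab"])
    conf = unseal(k_ab_a, seal(k_ab_b, {"Na": na, "Nb": nb}))
    if conf is None or conf["Na"] != na:
        return None
    # 5. A -> B : E_ab{Nb}  (key confirmation)
    fin = unseal(k_ab_b, seal(k_ab_a, {"Nb": nb}))
    if fin is None or fin["Nb"] != nb:
        return None
    return k_ab_a, k_ab_b

def honest_run_agrees():
    k_as, k_bs = os.urandom(16), os.urandom(16)
    out = run_protocol(Server({"A": k_as, "B": k_bs}), k_as, k_bs)
    return out is not None and out[0] == out[1]

def replay_is_rejected():
    """S's reply recorded in run 1 and replayed in run 2 fails B's Nb check."""
    k_as, k_bs = os.urandom(16), os.urandom(16)
    s, recorded = Server({"A": k_as, "B": k_bs}), []
    run_protocol(s, k_as, k_bs, tamper=lambda r: recorded.append(r) or r)
    return run_protocol(s, k_as, k_bs, tamper=lambda r: recorded[0]) is None

def fake_server_is_rejected():
    """A node without K_as/K_bs cannot produce a message 3 that B or A accepts."""
    k_as, k_bs = os.urandom(16), os.urandom(16)
    fake = Server({"A": os.urandom(16), "B": os.urandom(16)})
    return run_protocol(fake, k_as, k_bs) is None

if __name__ == "__main__":
    print("honest run agrees:", honest_run_agrees())
    print("replayed reply rejected:", replay_is_rejected())
    print("fake server rejected:", fake_server_is_rejected())
```

The two checks that matter for the attacks discussed in this section are the `fb["Nb"] != nb` and `fa["Na"] != na` comparisons: a replayed reply carries the nonce of an old run and is dropped before any key is accepted, and a reply from a node without the pre-shared key fails the MAC before the nonce is even inspected.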
5 The performance analysis of the protocols
In this paper, we propose two efficient key exchange protocols, for normal conditions and for special conditions, respectively. From the performance perspective, we are mainly concerned with the computation time and energy consumption of our protocols. To obtain quantitative results, we conduct simulations and compare our protocols with several typical protocols. First, we give a detailed analysis of the computation time, which is vital to the efficiency of the protocols. Then, we conclude with a discussion of the energy consumed by computation.
5.1 Computation time
In this section, we analyze and test the computation time associated with the efficiency of protocols.
Simulation environment setup: In this part, we set up a simulation hardware environment to measure the computation time of the selected schemes. The simulation platform is a 32-bit Cortex-M3 microcontroller with a 72 MHz ARM MCU and 512 KB of memory. For each protocol, AES is selected as the secret key encryption scheme and SHA-256 as the hash function. A random number is generated with three AES-128 operations and two XOR operations. The simulations are run several times to average out random variation.
Computational time
Operations  Time (ms)
Secret key encrypt (AES-128)  0.919
Secret key decrypt (AES-128)  1.074
Random number  2.781
Hash  0.054
Modular  5.542
From the simulations, we find that modular computations are still costly. Clearly, a well-designed authenticated key exchange protocol should adopt cryptographic operations with low computation cost in order to achieve better performance and efficiency. Compared with the other schemes, the proposed protocols show a relatively short computation time among all six schemes. In the other four schemes, the computation at the relay node is time-consuming and would shorten the lifetime of the relay nodes, which is unsuitable for the WBAN environment. This feature therefore makes our protocols more effective, and based on these analyses our schemes show better performance in the WBAN scenario.
5.2 Energy consumption
Since the energy consumed by computation is proportional to the computation time, we can draw the same conclusions as in Section 5.1.
5.3 Memory requirement of the protocols

The proposed protocol I: the total message size of the scheme is equal to A+Na+B+E_bs{A+B+Na+Nb}+E_as{B+Na+K_ab}+E_bs{A+Nb+K_ab+KEY}+E_as{B+Na+K_ab}+E_ab{Na+Nb}+E_ab{Nb}. Here each term denotes the size in bytes of the corresponding element, and E_c(∗) represents the AES encryption of the contents inside the brackets under key c. The total message size of protocol I is 274 bytes.
Table 4 ROM requirement for keys
Item  ROM (byte)
Identity (A, B)  2
Random number (Na, Nb)  16
Pre-shared key (K_as, K_bs)  16
Session key (KEY, K_ab, K_AB, K_BS)  16

The proposed protocol II: the total message size of the scheme is equal to B+Nb+A+Nb+Na+E_as{A+B+Na}+B+E_bs{E_as{A+Na+B}+Nb+A}+E_bs{A+Nb+K_AB+K_BS}+E_as{Na+B+K_AB}+E_as{Na+B+K_AB}+E_AB{Nb}+E_AB{Nb+1}. The total message size is 422 bytes.
During authentication and session key generation in the authenticated key exchange protocols, the communication traffic is constant, that is, the message lengths are fixed. In protocol I and protocol II, the maximum communication traffic is no more than 0.5 KB. The traffic of the two protocols is very small, which makes them more efficient.
6 Conclusions
In this paper, we propose two authenticated key exchange protocols that are suitable for WBANs. The two schemes are proved secure in the BAN logic model, and their performance analysis is also given. The analysis results show that the proposed protocols achieve the expected goals and possess several advantages: they provide favorable security and are capable of resisting various common attacks to guarantee communication security; the participants accomplish authentication and generate session keys in five or six steps without cumbersome cryptographic operations; and, whereas most security protocols rely on timestamps to guarantee message freshness, which forces the participants to maintain clock synchronization that is inconvenient and costly, the proposed protocols use random numbers instead of timestamps, reducing the complexity of the network as well as the cost. The performance analysis shows that the protocols have superior running time, lower memory cost, and so forth. Designing more and better protocols for WBANs is the next target of further research.
Declarations
Acknowledgements
This work is supported by the National Natural Science Foundation of China (No. 61100232), National Science and Technology Major Project of the Ministry of Science and Technology of China (No. 2013ZX03005007), the Fundamental Research Funds for the Central Universities (No. K5051301012), the 111 Project (B08038).
Copyright
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.