Efficient authenticated key exchange protocols for wireless body area networks

Secure protocol is a vital guarantee in all kinds of communication network environment. Designing on authenticated key exchange protocols is a hotspot in the field of information security at present, and the related theories have been increasingly mature. However, there is still scarcely any appropriate security protocol to guarantee the communication security of wireless body area networks (WBANs). In this paper, according to the standards on WBAN, we define a layered network model in accordance with the definition of two-hop star network topology firstly. In line with this model, we put forward two new authenticated key exchange protocols based on symmetric cryptosystem, which are suitable for WBAN application scenario. The proposed protocols support the selective authentication between nodes in WBAN. Simultaneously, two pairs of session key are generated efficiently and succinctly in each certification process. Finally, after security analyzing and performance evaluating demonstrate that the proposed key agreement protocols are proved to meet desired security properties with light computation and communication overhead. The proposed protocols provide a primitive to develop efficient and secure WBAN systems.


Introduction
Authenticated key exchange protocols are important and have been widely applied in network communication. By a pre-registration, two communication parties share a secret symmetric key with a trusted server correspondingly. When the two participants try to exchange any information with authentication property confidentially in an insecure environment, they must be in agreement on a new secret session key by the help of a server. This kind of key exchange method is called three-party authenticated key exchange (3PAKE), and the 3PAKE protocols typically are employed for mutual authentication and secure communication in various applications.
A good design of 3PAKE protocols should meet various security requirements of different applications, which are described as follows.
• Mutual authentication: The participants of protocols should be authenticated by the server and also they must be authenticated each other by themselves.
In recent years, many three-party authenticated key exchange protocols have been proposed [1][2][3][4][5][6][7][8][9][10] in recent years. Yeh et al. [4] proposed two 3PAKE protocols for secure communication over a public network. One was a plaintext-equivalent authentication protocol and the other was a verifier-based authentication protocol. Lee et al. [8] proposed an improved encrypted key exchange protocol developed by Yeh's scheme. They claimed that the proposed protocols had the same computation complexity as Yeh's protocol. In [2] and [6], the server's public keys were both needed in their schemes. Lu and Cao [5] proposed a new simple three-party password-based authenticated key exchange protocol (S-3PAKE) which did not require any server's public key. Guo et al. [11] found that S-3PAKE in [5] was vulnerable to a kind of man-in-themiddle attack that exploited an authentication flaw in the protocol and is subject to the undetectable online dictionary attack. Then, they have provided an improved version. Kim and Choi [12] proposed another improved version of S-3PAKE against the online password guessing attack. However, both of the two improved versions in [11] and [12] had more computation cost than the original S-3PAKE protocol though they are more secure.
With efficiency and security in consideration, the number of protocol execution steps and the complexity of cryptographic operations have been used to measure the performance of the existing 3PAKE schemes. Different from the above existing 3PAKE protocols with less consideration of computation cost, Huang [7] proposed a 3PAKE protocol in five steps without improving the server's public key. In [1][2][3], the authors presented several symmetric key-based authenticated key exchange protocols, respectively. In order to further improve the efficiency of 3PAKE protocols, in this paper, we propose two new efficient three-party authenticated key exchange protocols with one-time key for WBANs especially, which achieve more security properties as Huang's scheme claimed.
WBAN is the embranchment of wireless sensor network, which can benefit to monitor and improve health conditions of people, surveillance of old age, and handicapped people [13]. It can further improve quality of life by monitoring and examining the vital signs (e.g., temperature, blood pressure, etc.) of healthy people to avoid future health problems. The study on wireless body area network is in a fledging period at present, meanwhile IEEE raised 802.15.6 standard for wireless body area network in 2012, which regulates the technical requirements in each layers of WBAN. WBANs include various types of medical and non-medical sensors equipped in and on human bodies to monitor different biological information of people. All BAN nodes send monitored data to a BAN controller. In WBANs, each BN with biosensors must be operated with extremely stringent constrains, especially implanted BAN nodes. So, simplicity is an important factor in devising a new protocol for WBANs. Design considerations for efficient key exchange protocols for WBANs are as follows: • The proposed key agreement protocol should not require lots of energy and memory because sensor nodes are already resource constraints. • It must suit the topology structure of wireless body area network. • Communication messages should be of low redundancy rate and minimum message exchange between the nodes.
Possible attacks in wireless channel (such as replaying attack, eavesdropping attack, denial of service attack, Byzantine attack, etc.) have raised concerns of users and medical service providers. The detail security requirements of WBANs are introduced in [14] that is not altogether different from general WSNs.
Star topology is largely used in the WBANs, which is simple and easy to control. In this topology, it is possible to partition the sensor nodes according to their location: on the head; on the torso; and on the limbs [15]. However, it will impose higher energy costs for communications involving nodes that are distant from the BAN Network Controller. For these nodes, we could consider using relay nodes. Till date, there are very few security protocols [16][17][18] designed for this kind of network topology in WBANs.
In this paper, the main contributions of our work can be summarized as follows: • We propose two novel three-party authenticated key exchange protocols between controller node and sensor nodes in different situations. Due to the calculation ability and the storage capacity of sensor nodes, new protocols are specially based on symmetric cryptography. • The BAN logic formal verification tool has been employed in aid design of 3PAKE protocol for authentication and security verification. • The quantified performance analysis on the proposed 3PAKE protocols is conducted.
The rest of this paper is structured as follows. Section 2 briefly introduces the network model of WBANs. In Section 3, two three-party key exchanged protocols are proposed in different application scenarios, namely normal situation and critical or special situation. Section 4 presents the formal demonstration by BAN logic and security analysis of the new protocols. The performance comparisons between proposed protocols and others are conducted in Section 5. Finally, conclusion is drawn in Section 6.

Network model of the wireless body area network
WBAN is a special branch of the wireless sensor network. It is a human body-centered communication network [19], consisting of body-related elements, including devices such as sensors distributed within and deployed around the human body. Through WBAN, people can transfer data of intracorporal sensors to the terminal equipments taken along, implement real-time health monitoring and auxiliary diagnosis of disease further for the patients [20], and meanwhile realize the network interconnection within the scope of human and so forth. The 802.15.6 standard on WBAN gives out the topology model of such net, the two-hop star topology, composed by a hub node and several descendants, the number of which ranges from several to dozens. Here, except the hub, we differentiate the nodes as primary node and secondary node logically while the nodes have the same attribute. The affiliation of the nodes is shown in Fig. 1. The link hub-S 1 -S 11 means the two-hop connection between the hub and secondary node S 11 , and hub-S 2 -S 21 means the two-hop connection between the hub and secondary node S 21 .
Considering the net as a two-tier architecture, the control node (hub) is linked together with the primary sensor node S 1 , S 2 · · · S n logically so as to transmit data. Simultaneously, a portion of primary nodes S i are connected with the corresponding secondary nodes S i1 in the second layer. Here, actually, the primary node plays the rule of relay node. In the initial condition, authentication process of each node should be conducted at the first place, before the session key is generated. It requires the adoption of authentication and key exchange protocol.

New authenticated key exchange protocols for wireless body area network
In this section, we give the description of two proposed protocols using two-hop star topology. The protocols are explained in two different application scenarios. For the sake of simplicity, we make S denote the control node and B, C, D represent the primary nodes respectively, with A representing a secondary node. In the initial state, the control node S keeps the pre-shared key K bs with primary node B, and K cs with C, also K ds with D, S shares the pre-shared key K as with secondary nodes A identically.

Formalizing description of protocol I
In normal cases, the normal nodes periodically collect data from sensor nodes in WBANs and then send these data to the hub. If secondary node is near enough to the hub, it can establish connection with the hub directly. If not, it has to find a primary node as a relay to complete the connection. Protocol I begins with a message broadcasted by a secondary node A. After receiving the message from A, the adjacent node B, C, D generates encrypted message respectively according to the received message, then send it to the control node S. Subsequently, S determines which primary node is appropriate to be connected with node A. Assuming that B is the most appropriate one, the protocol will accomplish the authentication between S and A, S and B, as well as A and B, respectively, and generate a session key named KEY between S and B, session key K ab between A and B correspondingly. At the same time, S replies to C, D to inform about the connection failure. Authentication flow diagram is shown in Fig. 2.
The formalizing description of protocol I: The analysis of the protocol I: (1) The secondary node A, which is supposed to access to the network for authentication, broadcasts Message 1 including its own identifier A and generates a random number Na. After receiving the broadcasted message, B, C, D sends Message 2 to S. (2) B sends a message encrypted with the pre-shared key K bs to S, which contains identifier A, random Na, identifier B, and random number Nb generated by node B. Node C, D also sends the same type of messages. (3) After receiving the request messages sent by primary nodes, S decrypts the messages by pre-shared key. Noticing that it is secondary node A that wants to be authenticated to join the network, S determines the most suitable primary node to be connected with A and sends Message 3 to the right node B as a reply, meanwhile S sends Message 3' to C, D. Message 3 involves {B, Na, K ab } encrypted with K as and {A, Nb, K ab , KEY } encrypted with K bs . Among them, Fig. 1 The structure of two-hop star topology of wireless body area network K ab is the session key for A and B generated by S, and KEY is the session key between B and S generated by S. (4) After receiving Message 3, B decrypts the message with K bs and gets the session KEY and K ab then encrypts the random number Na, Nb with K ab , together with {B, Na, K ab } K as and forwards them to node A. At the same time, node C, D receives the replied messages from S and knows that it is unable to connect with A. (5) After receiving the previous message, A decrypts message {B, Na, K ab } K as with K as firstly to obtain the session key K ab , then decrypts message {Na, Nb} K ab with K ab to get two random numbers Na and Nb, and finally verifies whether they are same. If so, A sends Nb encrypted with K ab to B, otherwise the authentication fails. (6) After receiving the message from node A, node B tests whether the assumed Nb is identical with the original one, if so it shows that node A has received the correct session key, then end the protocol.

Formalizing description of protocol II
In some special cases, the primary node and the secondary node must work together to analyze the data collected from the human body, for example, measuring the blood circulation system. The primary node measures blood pressure, while the secondary node measures blood oxygen. Each primary node measuring blood pressure is connected to a secondary node measuring blood oxygen. That is to say, whenever a primary node broadcasts requirements, there must be a synergistic secondary node in response. The protocol II is proposed for this kind of special application cases. The primary node B broadcasts a message first, and then the corresponding coordination secondary node A generates an encrypted message and sends it to the primary node B after receiving the broadcast message. On receiving message from node A, node B attaches its own information and encrypts all of them, then sends them to the control node S. S decrypts and certificates the received message. If the message is proved correctly, S sends the feedback information which contains the session keys to node B, such as K AB between node A and node B and K BS between node S and node B. Node B sends the message which includes K AB to A, and A gives a reply to node B after receiving and confirming it correctly. Authentication flow chart is shown in Fig. 3.
The formalizing description of protocol II: The analysis of the protocol II: (1) The primary node B broadcasts its own identifier B and generates a random number Nb. (2) The secondary node A which cooperates with node B sends a message, which contains plain text identifier A, random Na, Nb, identifier B, and identifier A, identifier B, random Na encrypted with the pre-shared key K as . (3) After receiving the messages sent by secondary nodes A, B encrypts the encrypted message {A, B, Na} K as and identifier A, random Nb with pre-shared key K bs , along with plain text identifier B, and sends them to the control node S. (4) After receiving Message 3, S decrypts the message and verifies it. If correct, S generates the session key K BS between S and B, and session key K AB , between A and B. S uses K bs to encrypt A, Nb, K AB , and K BS and uses K as to encrypt B, Na and K AB , then send them to node B. (5) After receiving the previous message and decrypting the first part, node B uses K bs to get session key K BS Fig. 3 The flow chart of the certification process of protocol II and K AB , uses K AB to encrypt Nb, and sends node A the message {Na, B, K AB } K as . (6) After receiving the message from node B, A decrypts the front part of the message and uses K as to get K AB , random number and identifier, then verifies if the characteristic is right. If so, node A decrypts the second part and uses the new received session key K AB to get Nb. If the received Nb is the same with original one generated by node B, A sends Nb + 1 encrypted with K AB to node B. (7) After receiving the message, node B decrypts it to get Nb + 1, then has Nb + 1 minus one, and checks if it is the same with the random Nb generated in the first step. If so, the protocol performs successfully, otherwise the authentication fails.
Primary and secondary nodes are synergistic, that is to say, the primary node sends messages to the control node S while the secondary node sends messages by virtue of primary nodes at the same time. After the protocol completes initialization and certification, the primary node B will send Message 2 to control node S, and secondary node A will send Message 1 to S. Simultaneously, node A encrypts Message 1 with session key K AB and sends the original message to node B. B decrypts Message 1 with K AB concatenate Message 2 and encrypts them with K BS then sends the original message to S. Finally, S decrypts messages with K BS and obtains Message 1 and Message 2.

Security analysis
Security analysis is an important way of detecting possible security flaws in security protocols. In this section, we give both the formalization analysis by BAN logic and non-formalization analysis of the proposed protocols.

Formal analysis
The two kinds of authenticated key exchange protocols are testified by the celebrated BAN logic in this subsection. The authentication logic is one of the most commonly used analysis tools of cryptographic protocols. BAN logic [21,22] has not only revealed lots of flaws of famous protocols but also found the redundancy of many protocols. In BAN logic, messages are being idealized as formulas in the first place. After that, the initial state assumptions are defined as the case may be. Then, by making use of the known conditions and the logic regulations, it is reasonable to judge and to ratiocinate whether the protocols meet the goals or not.

Logical symbol
Below are logical symbols of BAN logic used in this paper: 1. P, Q: subjects, those are the principles participant in the protocol 2. X: message 3. K: secret key 4. {X} K : message X is encrypted with K 5. P| ≡Q: P believes Q 6. P X: P has received message X 7. P| ∼ X: P said X 8. Q⇒X: Q has the jurisdiction to X 9. (X): X is fresh 10. P K ←→Q: K is the common pre-share key of P and Q

Inference rule
BAN logic contains message-meaning rules, nonceverification rule, jurisdiction rules, and so forth. The messages above the horizontal line are known conditions while below line are the results deduced from the known conditions.
1. Message-meaning rules: P shares the secret key K with Q. If P receives a message X encrypted with K, then P believes that Q has sent X.

M1
: Nonce-verification rule: if P believes that message X is fresh and believes that Q has sent X, then P believes that Q believes X.

N1
: 3. Jurisdiction rules: if P believes Q has sent message X, and P believes Q believes X, then P believes X.

J1
: Belief-joint rules: if P believes X and Y , then P believes messages of a cascade of X and Y ; if P believes that Q believes messages of a cascade of X and Y , then P believes Q believes X or Y ; if P believes that Q has said X and Y , then P believes Q has said X or Y ; if P believes the message of a cascade of X and Y , then P believes X or Y .

B1
: Freshness-joint rule: if P believes that X is fresh, P believes the entire message that cascade with X is fresh.

F1
: 6. Reception rules: if P receives messages of a cascade of X and Y , we consider P receives X or Y ; if P receives the connection of formula of X and Y , we consider P receives X or Y ; P shares secret key K with Q. If P receives message X encrypted with K, we can infer that P receives X.

R1
: Additional rules: secret key K is fresh. If P receives message X encrypted with K and P believes P shares secret key K with Q, we can infer that P believes Q has sent message X, and P believes Q believes P shares secret key K with Q.

The deduction of protocol I
(1) Idealization The idealization of messages1 is omitted since it does not contribute to the logical properties of the protocol.

(2) Initial state assumptions
The initial state assumptions of S are: The initial state assumptions of B are: The initial state assumptions of A are:

←→S
From the above derivation, we can draw the following conclusions: B has the KEY and believes that it is shared with S; B has the K ab and believes that it is shared with A; A has the K ab and believes that it is shared with B; S and B realize two-way authentication; B and A realize two-way authentication.

(2) Initial state assumptions
The initial state assumptions of S are: The initial state assumptions of B are: The initial state assumptions of A are:

(4) Final faith
After the protocol runs successfully, it should achieve the following certification targets.
-S and B realize two-way authentication S| ≡ B| ∼ X B B| ≡ S| ∼ X S (X S and X B are the messages generated by S and B) -B and A realize two-way authentication B| ≡ A| ∼ X A A| ≡ B| ∼ X B (X A and X B are the messages generated by A and B) -Using two-way authentication to negotiate shared secret key

←→S
From the above derivation, we can draw the following conclusions: B has the K BS and believes that it is shared with S; B has the K AB and believes that it is shared with A; A has the K AB and believes that it is shared with B; S and B realize two-way authentication; B and A realize two-way authentication.

Security properties analysis
Firstly, the proposed protocols have the following properties.
Mutual authentication: By our protocols, S can authenticate A and B respectively from the authentication request with the random number Na and Nb. Also, A and B authenticate each other identity through K ab and Nb. The protocols have mutual authentication property to make the man-in-the-middle attacks necessarily unsuccessful.
Perfect forward secrecy: Our protocols possess forward secrecy. An agreed key will not be compromised even if the other agreed keys derived from the same long-term keying material in a subsequent run are compromised. By the proposed protocols, the session key K ab and KEY are randomly selected, so they are independent among each protocol execution. Therefore, the compromised keys K as and K bs cannot reveal any previous session keys.
Then, we analyze the proposed protocols under the following kinds of attacks.
Trivial substitution and replay attack: Replaying attack means that an adversary first intercepts some communication data in the currently running of key exchange protocol run. Then, he replays the intercepted data with receiver in a future protocol running. The replay attack does not succeed in the proposed protocols because the freshness of messages transmitted between participants are guaranteed by the random nonces Na and Nb. Only A, B, and S can use the pre-shared key to encrypt the random nonces. Moreover, the proposed protocols do not require the time-stamp information to prevent replay attack which requires extremely imperative precise clock synchronization.
Man-in-the-middle attack: A man-in-the-middle attack means that an attacker can intercept, replay, substitute, or modify the information that is significant to the communication parties. Since all critical messages in the proposed protocols are encrypted to prevent eavesdropping, it is rarely able to modify the messages exchanged between entities. However, if an attacker I eavesdrops the communication channel between A and B, he can replace the authentication request {Na, A} with {Ni, I}. The replaced {Ni, I} will be forward to the S together with {Nb, B}. The attacker can be successfully authenticated by S if he is really a legitimate user in the system. However, the manin-the-middle attack can still not be successful because the attacker cannot generate a correct {Ni} K ab to respond to the {Ni, I}. Therefore, we conclude that a man-in-themiddle attack could not succeed against the proposed protocols.
Fake base station attack: False base station attack is that a fake node pretends to be a participant node in the protocol, to grasp the secret information. For pre-shared key is only known between A, B, and S in the new protocols, the transmitted information encrypted by the pre-shared secret key K as and K bs will not be decrypted by illegal entities. The fake entities do not know the pre-shared key, thereby it cannot get the resulting session key eventually. If the entities decrypt the messages correctly and obtain the right contents, we can make sure that the identities of the nodes are legal. Then, the authentication is accomplished.

The performance analysis of the protocols
In this paper, we propose two efficient key exchange protocols under normal conditions and special conditions, respectively. From the performance perspective, we mainly concern the computational time and energy consumption of our protocols. To detail the quantitative result, we conduct simulations and compare our protocols with several typical protocols. Firstly, we make detail analysis of the computation time which is vital to the efficiency of the protocols. Then, we conclude a discussion of energy consumption on computation.

Computation time
In this section, we analyze and test the computation time associated with the efficiency of protocols.
Simulation environment setup: In this part, we setup a simulation hardware environment to measure the computation time of the selected schemes. The simulation environment is a 32-bit Cortex-M3 microcontroller with 72MHz ARM MCU and 512 KB memory. For each protocol, AES is selected as the secret key encryption scheme and SHA256 for hash function. The random number is generated with three times AES-128 cryptographic algorithm and two times XOR operations. The simulations are run several times to eliminate the randomness.
Simulation results: Noting that the computation overhead of these schemes mainly results from the cryptographic operations, thus the computation time consumed on the cryptographic operations can be used to approximate the efficiency of the schemes for the sake of simplicity. Table 1 shows the operating time of each algorithm. Given the cryptographic operations and their corresponding consuming time, we can calculate the computation time of each protocol as shown in Table 2. The corresponding figure is shown in Fig. 4.
From the simulations, we can find that the modular computations still cost much. It is clear that a good design of authenticated key exchange protocols should adopt suitable cryptographic operations with less computation in order to achieve better performance and efficiency. By comparing with other schemes, the proposed protocols show a relatively short time among all six schemes. In other four schemes, the computation time of relay node are time-consuming and will shorten the lifetime of the relay nodes which are not suited for WBAN environment. Therefore, this feature makes our protocols more effective. Based on these analyses, our schemes show a better performance in WBAN scenario.

Energy consumption
In this part, the energy consumption consumed by cryptographic operations is used to evaluate the schemes. This time, we use a low-processor and 64 MB memory running Windows Mobile 5.0 for packet pc. According to PXA270 [23], the typical power consumption of PXA270 in active is 570 mW. Therefore, using the computation time in Table 3, we can calculate the corresponding energy consumption. For example, if it takes 0.919 ms to complete a AES-128, the energy consumption is approximately 0.919 * 570/1000 = 0.523 mJ. Similarly, based on Table 2, the energy consumption of all schemes is calculated as shown in Table 3. The corresponding figures are shown in Fig. 5.  Due to the computation energy consumption being proportional to the computational time, we can draw the same conclusions as the ones in Section 5.1.

Memory requirement of the protocols
In the protocols, a 2-byte-long node identifier is used to identify each node in the network, which starts from 0001 and increases on a sequential basis. In Table 4, we can find that the length of the random numbers generated by the nodes is 16 bytes, while pre-shared key K as , K bs and session key KEY , K ab , K AB and K BS are all 16 bytes long. In the running process of the protocols, each node only needs to store the node identifier and the relevant random numbers, while the control node needs to generate and store the session keys additionally. The overall memory cost is no more than 1 KB. The ROM requirement of ordinary nodes including its identifier and pre-shared key is no more than 0.145 KB, and the memory requirement of RAM including random number and session key is no more than 0.25 KB. The ROM requirement of the control node including the pre-shared keys is at most 0.125 KB, and the RAM requirement including two pairs of the session key is no more than 0.25 KB. In summary, the overall  In the implementation procedure of authentication and session key generation of the authenticated key exchange protocols, the communication traffic is constant. That is to say, the length of messages is consistent. In protocol I  Pre-shared key (K as , K bs ) 16 Session key (KEY, K ab , K AB , K BS ) 16 and protocol II, the maximum communication traffic is no more than 0.5 KB. Communication traffic of the two protocols is extremely small, so the efficiency is higher.

Conclusions
In this paper, we propose two authenticated key exchange protocols that are suitable for WBANs. The two schemes are proved to be secure in BAN logic model. The performance analysis of them are also given. The analysis results show that the proposed protocols achieve the expectative goals and possess several advantages: they provide favorable security performance and are capable of resisting sundry common attacks to guarantee communication security; the participants accomplish authentication and generate session key by five or six steps without tanglesome cryptographic operation; on account of majority security protocols utilizing timestamp to guarantee the freshness of messages, the participants must keep clock synchronization which is rather untoward and costly. However, the proposed protocols adopt random number instead of timestamp, reducing the complexity of the network as well as decreasing the cost. The performance analysis shows that the protocols have superior running time performance, less memory costs, and so forth. How to design more and better protocols for WBANs is the next target of further research.