key: cord-0846127-curt48cx
authors: Mohit, Prerna
title: An efficient mutual authentication and privacy prevention scheme for e-healthcare monitoring
date: 2021-12-31
journal: Journal of Information Security and Applications
DOI: 10.1016/j.jisa.2021.102992
sha: a76fa7f4a622e1c691afda9770f62e15322b40c7
doc_id: 846127
cord_uid: curt48cx

The progressive development in online healthcare monitoring may facilitate better service for recovered patients from some pandemic diseases like the novel Covid-19 and even in well-known diseases such as cancer, heart attack, and many more. This paper brings a mutual authentication protocol for the e-healthcare monitoring system using the telecare medical information system with body sensors. This scheme comes with a secure platform for communication by using three phases: patient data upload phase, treatment phase, and report delivery phase. The patient’s medical information is susceptible and must be protected from any modification. The two security issues (secure communication and privacy of patient information) are essential for the transmission over the public channel. The proposed protocol uses mobile characteristics that allow the recovered patients to use medical facilities effectively. The well-known traditional informal security analysis like the Man-in-the-middle attack, patient anonymity, doctor anonymity, and many more are validated to judge the security aspect of the proposed protocol. In addition, the widely accepted formal security analysis (both Burrows–Abadi–Needham (BAN) logic and Real-or-Random Model (ROR)) are investigated for the session-key security. Finally, the proposed e-healthcare monitoring protocol provides an efficient characteristic in terms of communication, computation, and storage cost compared to existing literature.
In the current digital world, health monitoring has become a challenging task for pandemic diseases such as the current COVID-19, influenza, swine flu (H1N1 virus), Ebola, and many more in the last few decades. Providing medical facilities in remote areas through the telecare medical information system (TMIS) over the internet sharply reduces patient travel time and medical expenditure. With the advances in TMIS, various healthcare applications in the domains of Cloud Environment [1] [2] [3] [4], Internet of Things platform [5] [6] [7], Wearable Devices [8, 9], Wireless Body Area Network (WBAN) [10, 11], and Wireless Medical Sensor Network [12, 13] are extensively covered in the literature. Among the various applications, the cloud environment-based TMIS has received significant interest in the e-medical system. The communication (direct or indirect) between patient and doctor is made through a cloud computing environment acting as a public cloud. It may have some security issues due to third party involvement [14, 15]. To overcome this problem, we have designed an advanced mutual authentication and privacy prevention technique using the private cloud for e-healthcare monitoring of patients recovered from any particular disease. The proposed system has less complexity than other ones and uses only three phases along with registration: the patient data upload phase, treatment phase, and report delivery phase. The operational functionality of the e-healthcare monitoring utilizes fundamental cryptography modules like concatenation, XOR operation, hash function, and symmetric encryption for the protection of message and session key. To provide confidentiality along with authentication, a digital signature mechanism is used before sending the encrypted message/report of the patient.

E-mail address: prernamohit@outlook.com.
Continuous observation of the patient's biological changes and corresponding physiological data are examined by the doctor/medical staff for a few or more years. Hence, recovered patients are properly monitored by the health professionals. The proposed scheme uses a mobile device, body sensor, and healthcare private cloud through which patients and doctors can securely communicate with each other at real-time intervals via the internet without the physical appearance of the patient in hospital. Thus, the recovered patient may easily access the medical facility through TMIS. Moreover, security in message exchange and other entities is considered a critical concern in this proposed scheme. These issues for communications over a public channel can be smoothly handled by using a secure mutual authentication and key agreement scheme for data integrity, confidentiality, and availability for the TMIS.

Security and privacy are the two major issues in most applications such as Big data [16, 17], healthcare [8, 18], WSN [19, 20], cloud [21, 22], vehicular communication [23, 24] and many more where information follows an unreliable channel. An authentication protocol plays an important role in these applications. Several user authentication schemes are available in the scientific literature for different environments and applications. Among them, improving healthcare applications has become a trend, upgrading the current health care solution with a new authentication protocol for monitoring recovered patients after treatment from severe disease. To develop a new healthcare monitoring system, the author has proposed a scheme with the following contributions:

• Mutual authentication is achieved between patient and healthcare in which healthcare and doctor have to strengthen the security for transmitting or receiving information.
• Patient anonymity is also supported during data transmission by hiding the real identity of the patient.
• The protocol resists strong security attacks like security against patient anonymity, non-repudiation, and confidentiality of data.
• The authentication workability of the proposed scheme is validated with the help of BAN logic and ROR model that yields mutual authentication and session key agreement securely.
• A comparative analysis of our proposed protocol with other existing protocols is depicted with minimum communication and computation overheads.

The rest of this article is organized as follows: Section 2 reviews a complete survey of recent related work. Section 3 outlines the system models in terms of network and cryptographic models. Section 4 presents a detailed description of the proposed protocol. Both informal and formal security analysis are discussed in Section 5 and Section 6 respectively. Section 7 presents the performance analysis of the proposed scheme and its comparison with the existing protocols. Finally, this paper ends with concluding remarks in Section 8.

A wide array of research has been performed in the field of healthcare [25] [26] [27] [28] [29] [30] [31] [32] [33]. An interesting authentication scheme proposed by [25] facilitates medical service to the patient using smart card and password based authentication for TMIS. The pre-computing phase is used to avoid the time-consumption expenses with the rapid development of technologies. In 2012, [26] demonstrated an improvement over the scheme of [25] in terms of impersonation, insider, and stolen smart card attack. In the same year, [27] found that both schemes [25, 26] failed against some common attacks and improved these schemes into a single protocol. However, [28] showed the pitfalls of the [27] protocol and resolved technical flaws like online password guessing attack, the inefficacy of the password change phase, traceability of user's stolen smart card, and denial-of-service.
[29] proposed an ECC-based user authentication and key agreement protocol using smart card for TMIS to fix the drawbacks of [30] regarding server impersonation attack, smart card theft attack and session key disclosure attack. Then, [31] proposed an improvement of [29] in terms of privileged-insider, user impersonation, and strong replay attacks. In 2016, [34] proposed a lightweight authentication scheme for wearable devices to combine with sensor networks as a wireless body area network. [32] found that the scheme is vulnerable to impersonation attack, denial-of-service attack, and stolen-verifier attack and proposed a new scheme. However, [33] identified that the [32] authentication scheme has some security weaknesses such as perfect forward secrecy, lack of no key control, and clock synchronization. In addition, [33] also suggested a new protocol to remove the above-mentioned drawbacks of [32].

The literature reports numerous protocols with significant concern for the security of user identity when it is openly transmitted over an insecure channel [35] [36] [37] [38] [39]. Thus, it is essential in healthcare applications to preserve the anonymity of patients from attackers. Hence, [40] have reported an elliptic-curve-cryptosystem (ECC) based authentication scheme to ensure user anonymity. [41] also proposed a biometrics-based authentication scheme for a multi-server environment to provide user anonymity. [42] proposed a certificateless pairing-free authentication scheme for wireless body area network, which also supports patient anonymity. [33] presented an elliptic curve cryptography based authentication protocol to preserve user anonymity.

Moreover, in recent years numerous medical-based authentication protocols have appeared in the literature where the treatment of patients is done online through TMIS [1] [2] [3] [4] [43] [44] [45] [46] [47].
In 2014, [43] proposed a medical data exchange protocol based on a cloud environment, incorporating the importance of confidentiality and authentication of patients. Initially, they suggested their scheme is free from traditional attacks and uses symmetric/asymmetric encryption, digital signature, and pairing-based technology. In the same year, [44] proposed an advanced scheme over the first one with an emergency condition. In 2016, [45] pointed out that both protocols [43, 44] have drawbacks in the form of common security problems like patient anonymity and identification of real telemedicine. To discard the common security faults of [44], [45] demonstrated an improvement in the [44] scheme and claimed that the protocol does not provide anonymity, unlinkability, and message authentication. To overcome the issue of [45], a standard healthcare authentication protocol has been developed by [46] for the healthcare system. This scheme enables a design free from patient anonymity and mobile device verifier attacks. Furthermore, [1] developed an improved authentication protocol over [46]. Then, [2] proposed an authentication protocol for the same domain using ECC encryption for TMIS, to overcome the security weaknesses of the [1] scheme such as patient anonymity attack, impersonation attack, message authentication, session key security, and patient unlinkability. In the same year, [3] also proposed an authentication protocol for cloud-based e-healthcare monitoring of patients, but the system is vulnerable to patient unlinkability, impersonation attack, and data non-repudiation. Then, [47] proposed an authentication protocol for smart devices using ECC by combining a public and private cloud for the healthcare application; unfortunately, it does not resist clock synchronization problems. In the same year, [4] proposed a cloud-based secure framework for a smart medical system using ECC cryptography.
[48] proposed an improved anonymous authentication protocol for wearable health monitoring systems, and [12] proposed a secure and lightweight healthcare authentication scheme for a patient using wireless body area networks. A brief comparative summary of the relevant healthcare-based protocols is given in Table 1 with their description and drawback.

As per the above intensive literature survey, most of the schemes proposed for healthcare use the public cloud, employing a patient's mobile for communication of data to healthcare/cloud using a body sensor. Some articles are subject to various known attacks such as patient/user anonymity, patient unlinkability, and impersonation attacks. Hence, the author has proposed a private-cloud-based protocol for the monitoring of recovered patients. The heart of the proposed e-healthcare monitoring protocol is three phases with registration, which makes the protocol lightweight. The functional behavior along with the security analysis is well established and verified with formal and informal security.

This section includes an overview of the network, attack, and cryptographic model for the proposed protocol. The useful symbols and notations are tabulated in Table 2.

Table 1 Brief summary of cloud related authentication scheme for e-healthcare.

| Scheme | Description | Drawback |
|---|---|---|
| Chen et al. [43] | A secure medical data exchange protocol for electronic medical records based on cloud environment using Bilinear pairing. | Vulnerable to impersonation attack, patient anonymity, and known-key security attack. |
| Chen et al. [44] | A privacy authentication scheme based on cloud environment for the medical system with bilinear pairing, elliptic curve cryptography. | Design issues in message authentication and patient anonymity. Also limited to support real telemedicine and interactive medical facilities. |
| Chiou et al. [45] | Medical information sharing scheme implemented in the android system with one-way cryptographic hash function. | Failed to provide stolen mobile device attack, patient anonymity, patient unlinkability, and doctor unlinkability. |
| Mohit et al. [46] | A lightweight authentication protocol for TMIS in the cloud environment based on one-way cryptographic hash function. | It does not provide patient unlinkability, impersonation attack, and patient anonymity. |
| Li et al. [1] | A cloud-assisted authentication and privacy preservation scheme for TMIS with one-way cryptographic hash function. | Unable to provide impersonation attack, message authentication, patient anonymity, and session-key security. |
| Kumar et al. [2] | The protocol is an improvement of [1] protocol using elliptic curve cryptography. | Does not resist clock synchronization problem. |
| Chandrakar et al. [3] | E-healthcare monitoring system based on public cloud environment with seven phases, using one-way cryptographic hash function. | Vulnerable to patient unlinkability, impersonation attack, data non-repudiation. |
| Chen et al. [47] | Secure electronic medical record (EMR) authentication protocol with elliptic curve cryptography. | Does not resist clock synchronization problem. |
| Kumari et al. [4] | ECC based smart medical system in cloud environment with six phases using elliptic curve cryptography. | Does not resist clock synchronization problem. |
| Proposed | An efficient and lightweight e-healthcare monitoring system with three phases for the complete security of the patient. Using one-way cryptographic hash function. | Communication cost is slightly greater than [46]. |
The proposed architecture involves five entities for proper communication, namely (1) Patient: A user/person that needs medical service, (2) Doctor: A person who provides medical consultation, (3) Healthcare: The organization/place where the patient gets treatment, (4) Private cloud of healthcare: The place where healthcare stores the data of the patient, and (5) Body Sensor: A device that collects data from the body of the patient. The complete architecture is shown in Fig. 1 with their phase execution. A brief explanation of the network model is given below:

• The recovered patient goes out of healthcare after successful treatment by his/her medical staff such as doctors, nurses, etc. The patient has a file that contains a description of the disease with a unique number that will be shared between healthcare and patient only (say ). This file also carries the identity of healthcare and doctor ( , ) with whom treatment is going on. In addition, healthcare provides the patient's identity ( ) with the pseudo-random identity of patient (NID) to doctors, which also informs the doctor about the patient.
• There are two types of patients: one with embedded body sensors on the patient's body and another without any sensor. The patient without body sensors has to come to healthcare for regular check-ups.
• Patients with body sensors embedded in their body have to collect the health report of the patients and transfer it to a patient mobile device (securely) on a regular basis. A medical report ( ) viz. ECG, Blood pressure, EMG, Body Temperature, EEG, and a few more can be generated for the patient using body sensors. The sample of the patient's report is shown in Table 3.
• After that, the recovered patient (with sensor) uploads a newly generated report by body sensor to the healthcare.
• Patients without body sensors have to physically appear to healthcare for routine check-ups. Hence, monitoring such patients might be performed in online mode. But, the patient has to provide the current report (maybe from some diagnostic center) to healthcare.
• Healthcare saves the information in its private cloud and sends the old and new report of the patient to the respective doctor whom the patient wants to consult.
• The doctor prescribes treatment by looking into the report, uploading the new report with its digital signature, and sending it to the healthcare.
• Then, healthcare sends the final report to the patient, which contains the patient's treatment by the doctor, and further saves the data in its private cloud for future use.

Note: The involvement of three parties (patient, doctor, and healthcare) forms the core of the proposed authentication scheme for e-healthcare monitoring. Healthcare plays a significant role in authenticating the patient with the concerned doctor. After successful authentication, the patient sends medical data to healthcare. Then, the healthcare sends the updated patient data to the concerned doctor, where the doctor verifies the authenticity of healthcare, and after successful verification, the doctor performs the treatment. Finally, the doctor sends the updated report of the patient to the healthcare, where healthcare again verifies the doctor. Hence, patients, healthcare, and doctors are the three main entities involved in the proposed (three-party) scheme.

The attack model for the proposed system involves the widely recognized Dolev and Yao threat model [49]. This model permits two end-users to communicate over an insecure channel, where the adversary can intercept the spoken message (Passive attack). In addition, the adversary has access to manage the transmitted message. The accessibility of these messages during the communication by the adversary may take the form of reading, modifying, deleting, inserting, and a few more (Active attack).
Hence, both active and passive attacks among the communicating parties (example: Patient, healthcare, and doctor) in the proposed authentication protocol associate untrustworthy nodes.

A brief introduction of the cryptography models such as one-way hash function and encryption technology is given in this section.

A hash function maps a string of arbitrary length to a fixed-length string called the message digest. It can be characterized as: ∶ → , where = {0, 1} * , and = {0, 1} . The ( , ) are binary strings of arbitrary length and fixed length ( ) respectively. It is used in many cryptographic applications such as digital signature, random sequence generators in key agreement, and many more.

The symmetric encryption technique uses one key for the encryption/decryption operation, whereas asymmetric encryption involves a public key for encryption and a private key for decryption. These two keys are mathematically connected based on some challenging problems. Symmetric encryption is faster and less complex compared to the asymmetric technique [50]. Hence, the proposed design follows the symmetric encryption technique.

The proposed protocol brings mutual authentication with a session key for e-healthcare monitoring employing TMIS, where the patient can get medical treatment online without physical appearance in the healthcare. In this section, a complete description of the associated phases explains the workability of the e-monitoring system. The careful treatment after the registration phase is monitored by the body sensor along with the following three phases as below:

• Patient Data Upload Phase (PDUP): Communication between patient and healthcare.

The involvement of Patient-Healthcare-Doctor makes the protocol a three-party scheme. Fig. 2 shows a brief description of message payloads in terms of patient data ( ), healthcare data ( ), and treatment data ( ).
The data collected by the mobile device is the updated report of the patient obtained by the body sensor. This data belongs to the sample of patient data. This may be used to specify a particular disease from which the patient ( ) is suffering. First, the body sensor forwards this data to healthcare as with patient identity in PDUP. Then, healthcare sends the old patient data stored in private cloud with received data to the doctor as healthcare data ( ). Here, the doctor performs treatment based on the , , and generates a new report as doctor's/treated data . Hence, treatment phase data contains ( , , , ). After the treatment phase, this data needs to be sent back to the patient by healthcare.

The patient and doctor must register themselves with the healthcare before performing the e-healthcare monitoring process.

The recovered patients have to register themselves with healthcare. The process of patient registration is shown in Fig. 3 and the following steps are involved:

Step 1. Patient inputs his/her identity ( ), pseudo-random identity (NID), imprints biometrics ( ) such as fingerprint, iris, and calculates the one-way hash function using the secret key given by healthcare during the release of the patient as = ( ). Then, it generates a function (.) called fuzzy extractor [51] as ( ) = ( , ), = ( ∥ ). Finally, the patient sends ⟨ , , ⟩ to healthcare via a secure channel.

Step 2. The healthcare receives the patient message and computes ′ = ( ). If healthcare finds ′ ? = ; it stores the received values in its private cloud. After that, it chooses a random number q and computes = ⊕ , = ⊕ ( ). Moreover, healthcare sends its identity with , to the patient via a secure channel.

Step 3. Then, the patient computes the value of = ⊕ . Finally, the value of , , are stored in the Patient's mobile device.

The doctor has to register himself with the healthcare to perform the online treatment of the patient. The process of doctor registration is shown in Fig. 4, which involves two steps:

Step 1. Doctor inputs its identity , computes where is a random number, and sends ⟨ , ⟩ to the healthcare via a secure channel.

Step 2. After receiving ⟨ , ⟩ the healthcare inputs its identity and computes = ( ∥ ), = ⊕ , where is a random number and sends ⟨ , ⟩ to doctor via a secure channel.

Step 3. On receiving the message ⟨ , ⟩, the doctor computes values of as ( ∥ ) and = ⊕ .

In PDUP, the body sensor embedded in the patient's body has to collect the data and send it to the patient mobile device. The process of PDUP is described in Fig. 5 and consists of the following steps:

Step 1. The healthcare initializes the process by asking the patient to send the updated patient report ( ).

Step 2. The patient gets health information ( ) from the body sensor via mobile phone. So, the patient inputs his/her identity ( ), imprints biometrics ( ) into the terminal and calculates = . Then, the patient generates a random number , calculates , and sends message 1 = ⟨ 0 ⟩ to healthcare via an insecure channel.

Step 3. After receiving 1 , healthcare decrypts ′ [ 0 ] = { 0 , 1 , 2 } using the key , computes it does not hold: terminate session otherwise healthcare authorize the patient. Then, healthcare generate a random number and computes 3 ] and sends 2 = ⟨ 1 ⟩ to patient.

Step 4. Upon receiving the message 2 . Then, the patient checks whether ) and sends 3 = ⟨ 2 , 2 ⟩ to healthcare via public channel.

Step 5. On receiving messages 3 , healthcare computes

The healthcare initiates the process by sending data to the doctor of the respective patient. A complete TP analysis is shown in Fig. 6 and the execution steps are as follows:

Step 1. Healthcare inputs its identity , , and generates a random number 1 . Then, healthcare computes , encrypts the report of patient = 2 ( ), and generates the signature corresponding to using the private key as ) and sends 4 = ⟨ 3 , 3 ⟩ to doctor via a public channel.

Step 2. Upon receiving these messages, the doctor decrypts the received ciphertext as = .

Step 4. After successful verification of healthcare signature, the doctor makes a medical diagnosis based on the reports with , that generates medical records = ( , ) and encrypts ( , , ) using the key ′ as = ′ ( , ,

After successful treatment by the doctor, healthcare delivers the updated report to the patient. The execution of the RDP phase is visualized by Fig. 7, and details of the steps are as below:

Step 1. The healthcare computes 5 = ( ′ ∥ ∥ ), encrypts the final report of the patient with the session key of patient and healthcare as 5 = ′ [ , , 5 ] and sends message 6 = ⟨ 5 , 5 ⟩ to patient via public channel.

Step 2. On receiving message 6 , the patient decrypts the ciphertext 5 as

Step 3. Finally, after receiving message 7 , the healthcare first decrypts the ciphertext 7 as [ 7 ] = { 6 , 6 }, computes ′ 6 = ( ∥ 6 ) and verifies whether ′ 6 ? = 6 holds or not. If it does, the healthcare stores 6 otherwise terminate.

This section describes the security issues and their implementation aspects in our proposed protocol. We consider an adversary ( ) with the capacity to modify and eavesdrop on the communicating message over the public channel. A brief overview of the protection against some common threats, viz. Man-in-the-middle attack, anonymity, unlinkability, impersonation attack, session-key security, and known-key security, is compared in Table 4. The sign ( √ ) represents the presence of a particular feature, and ( ) designates the absence of the features.

In MITMA, the attacker intercepts transmitted messages and tries to collect information from the public channel. This attempt will be unsuccessful due to the protection of public messages by symmetric-key encryption or a one-way hash function. The received messages are also validated by the other communicating parties.
For instance, if during PDUP an attacker intercepts message 3 = ⟨ 2 , 2 ⟩, he/she will not be able to compute the values of 2 ∕ 2 , as 2 is encrypted by the key only known to patient and healthcare, and 2 is protected by the use of an irreversible one-way hash function.

For healthcare applications, it is essential to protect the real identity of the patient. During the PDUP, the identity of a patient is hidden in the session key between patient and healthcare ( ). However, the session key is hashed with other parameters to compute and send 2 over a public channel. If an adversary intercepts the message 2 , he/she will be unable to identify the patient. Hence, PA is not possible in this scheme.

The doctor's identity plays a vital role in this protocol. During the treatment phase, the doctor's identity is kept hidden by using the session key between doctor and healthcare ( ). To preserve DA, the communicating entities doctor and healthcare share 4 over a public channel, where 4 is the hash of with other parameters. If the adversary attacks the message 4 , he/she will not obtain the doctor's identity. Therefore, the protocol is protected by DA.

During PDUP, the data transferred between patient and healthcare over an insecure channel ( 1 , 2 , 3 ) are truly random in nature and session-dependent. Every field in 1 3

One of the potential attacks is IA, in which an adversary interrupts in between the communicating entity. The adversary can trap the transmitted messages via the public channel. After getting the transmitted message, the adversary can alter the message and retransmit the modified message. Moreover, the modified message has to pass the verification process performed by the other party, which is impossible in the proposed protocol. A brief detail is described in terms of PDUP and follows the same concept for different phases as:

• An adversary tries to impersonate legal healthcare and eavesdrops on the transmitted message 2 = ⟨ 1 ⟩ and tries to compute = ( ∥ ). The adversary cannot calculate , which is the hash of parameters , . is the unique identity of the patient, and is random numbers generated by the patient. Further, the adversary cannot compute ′ = ( ) because healthcare and patient share in the offline phase. Thus, any adversary cannot impersonate valid healthcare.
• If the adversary tries to impersonate a legal patient by using a different identity or guessing the . It results in computing the value of 1 = ⟨ 0 ⟩ and tries to compute , 0 = ( ∥ ∥ ). The adversary cannot compute 0 , which is hash of parameters , , . The is the unique identity of the patient , is random numbers generated by the patient.
• If the adversary tries to impersonate a patient by computing the message 3 as ⟨ 2 , 2 ⟩. The computation of 2 involves the five other parameters: (1) Session key between P and HC: , (2) Ciphertext of the patient: , (3) Signature of the patient: , (4) 1 hash of with random number , q, and (5) Random number generated by patient .

Note: The high entropy property may cause an unsuccessful prediction of the above set of parameters at a particular time. Hence, the incorrect value of any parameter leads to a false value of 2 . Thus, the adversary cannot impersonate a legal patient.

A unique session key is generated in each session. But the disclosure of any one session key should not compromise another session key. The patient, healthcare, and doctor must have random numbers to generate their session key. The session key of patient and healthcare is = ( ∥ ∥ ∥ ∥ 1 ). To compute it, two random numbers , are used. Similarly, the session key of healthcare and doctor ( = ( ∥ ∥ 1 ∥ )) uses random number 1 , . So, if the adversary has the previous session key, he/she cannot generate the session key for the current session. Thus, our protocol is protected against KKS.

The SKS is one of the fundamental security aspects. The availability of the session key is limited to legitimate parties. In this protocol, two session keys are computed between (1) the Patient and Healthcare and (2) the Doctor and Healthcare. All of these session keys are well secured by using the following steps:

• Hence, the session key can only be generated by a legitimate party.

Forward secrecy provides strong security for session keys if the long-term key gets compromised in the proposed scheme and an attacker captures the messages 1 = ⟨ 0 ⟩, 2 = ⟨ 2 ⟩, 3 = ⟨ 2 , 2 ⟩ during PDUP. Then, the adversary can get the values as 0 , 1 , 2 , 1 , , 3 4 , . So, the attacker will be unable to find the value of , , and 1 , the necessary parameters for the calculation of the session key between healthcare and doctor. Hence, the proposed protocol comes with forward secrecy.

Message authentication is a mechanism used to verify the integrity of the message. Here, we have described the MA in each phase as: Hence, our scheme protects MA in each phase.

Confidentiality offers protection of transmitted data from the adversary during transmission. A clear description for the above claim can be explained as below:

• During PDUP, the patient's report = ( ) will be encrypted with to obtain = ( ). Afterward, is encrypted using key 1 to get 1 and 1 is sent to the healthcare server.
• In TP, the healthcare report as encrypted data with 2 to obtain = 2 ( ). However, is further encrypted using key to evaluate 3 and finally sent to the doctor.
• In TP, the doctor report is encrypted data with to obtain = ( , ). Again is further encrypted using key 3 to get 4 for healthcare.
• In RDP, the is used to encrypt 6 = ( , ).

Hence, if the adversary tries to accumulate information during communication, he/she gets encrypted data. But one cannot decrypt the message without the key. Thus, our scheme supports confidentiality.

"Non-repudiation" refers to the ability of the sender/receiver to ensure that a communicating party cannot deny the authenticity of their signature on a document.
• During PDUP, the patient makes a digital signature on a message = ( = ( ).

Therefore, our protocol protects DNR.

Note: The number of stages in the proposed protocol is only three, which is fewer than in the existing protocols. Besides, public cloud attack resistance (PCAR) is also available in our protocol.

To judge the security of the session key, formal security analyses in terms of BAN logic and the ROR model are presented for the proposed scheme. The details of BAN logic and the ROR model are described in Sections 6.1 and 6.2, respectively.

The first section of the formal security analysis describes the well-known Burrows-Abadi-Needham (BAN) logic [52]. The BAN logic investigation enables us to validate the proposed authentication protocol that establishes secure communication between the (1) patient and healthcare, (2)

To verify the proposed protocol, the following eight goals (GL) must be satisfied under BAN logic:

GL 1: |≡ ⟷ The patient (P) believes that there is a session key ( ) established between patient (P) and healthcare (HC).

|≡ ⟷ HC believes that there is a session key ( ) established between HC & D.

|≡ |≡ ⟷ HC & D believe that there is a session key ( ) established between them.

Initially, the proposed protocol is transformed into an idealized form with four distinct messages ( ) as:

Then, the following assumptions ( ) on the initial state are exercised to analyze the proposed scheme:

) have not previously been sent in any message.

The patient authentication of the healthcare can be derived from the assumptions with the following BAN logic:

1 sent by healthcare to patient: 1 : → ∶ ⟨ 1 , , , ⟩

From the seeing rule, Assertion 1 can be derived as:

The Patient believes that , is fresh (according to assumption 1 ) and it is another necessary parameter of the session key ( ).

As per assumption 1 and Session keys postulate ( ) which is applied on Assertion 3.
Then it gives:

Then, we apply assumption 2 , Nonce-verification postulate ( ) on Assertion 5, it gives:

The healthcare authentication of the patient can be shown by the following assumptions and postulates.

The Healthcare HC believes that is fresh (according to assumption 2 ), which is a necessary parameter of the session key .

As per 2 and applied on Assertion 9. It becomes:

As per 2 and on Assertion 11 that gives:

The doctor authentication of the healthcare can be shown by the following assumptions and postulates.

3 :

The above discussion based on BAN logic justifies mutual authentication and session key establishment in our proposed protocol.

In addition to BAN logic, this subsection presents formal security for the session key using the well-known Real-Or-Random (ROR) model [53]. To make the protocol free from active and passive adversaries, the ROR model gives a significant contribution towards the validation of key assignments. Some different queries for the test purpose of the real attacks are taken into account as per Table 5. In the ROR model, we have assumed that any two participants in a network can communicate over an insecure channel. Under these criteria, an adversary ( ) has control over all communicated messages. Besides,  may also intercept with  and the th instance of an executing participant. The PDUP of the proposed protocol includes two participants  ,  ℎ , that indicates the instances p and h of and respectively. The verification of the proposed e-monitoring healthcare system can be validated by Theorem 1.

, , |#| and || represent the number of hash queries, send queries, number of bits, range of hash function, size of password dictionary  respectively. Then, the advantage of the adversary in cracking the e-monitoring protocol (HP) to establish the session key, as a function of the relevant parameters, is approximated as:

Proof. The formal authentication proof of the proposed protocol follows similar proceedings as [9, 54], and a few more.
For verification purposes, four games ( ) are introduced, in which the way the adversary ( ) can win a game is described:

Moreover, a benefit in the is represented as:

• 0 : In this initial phase of the game, the bit '' '' is selected and the real attack by the adversary against can be modeled as:

• 1 : This game involves an eavesdropping attack in which the adversary can intercept the communicated messages 2 = ⟨ 1 ⟩ and 3 = ⟨ 2 , 2 ⟩ during PDUP. Then, the adversary requires a test query at the end of the game. The test query output informs whether the adversary receives the true session key between patient and healthcare or a random value. If the adversary wants to compute the session key, it needs to know the secret values , , , , 1 , as the session key is computed as = ( ∥ ∥ ∥ ∥ 1 ). But the adversary cannot evaluate the session key without the aforementioned secrets. Hence, eavesdropping is not possible in 1 , which has the same probability as 0 :

• 2 : An active attack incorporating send and # queries is simulated in this game. In our proposed protocol, the communicated messages ( 2 , 3 ) are protected through the hash function. If the adversary tries to compute the session key ( ) between and , the adversary is unsuccessful due to the collision-resistant property of the hash function. Finally, the birthday paradox for the two identical games ( 1 and 2 ) results in the following inequality:

• 3 : In this game, the adversary attempts to guess the identity of the patient ( ). Also, the adversary tries to use this information for the derivation of the session key between P and HC. Suppose the adversary has intercepted the messages ( 2 , 3 ); then it either gets the encrypted data or the hash value of some parameters like random number , , . Guessing the identity of the patient by ( ) requires some secret credentials to decrypt it. Hence, the proposed system allows only a limited number of wrong identity inputs, which yields:

After executing all four games, the adversary can only predict the correct bit to win the game after the test. That concludes:

Now, by simplifying Eq.
(2), (3), (6) provide the following set of equations:

Again, applying the triangular inequality yields:

Now, Eqs. (7) and (8) give the following expression:

 can also access the session key between ( ) and its partner.
In this query, an active attack by  can send a message to any instance  and receive the answer for  .
Test ( )  asks  for the session key but  gives probabilistic outcome.
Cryptographic hash function is accessible by all the participants and 

Finally, multiplying Eq. (9) by factor 2 results:

The final expression validates Theorem 1. □

This section presents a comparative study of the communication, storage and computation cost of the proposed healthcare monitoring protocol with other schemes [1-4, 43-47]. The involvement/availability of communication and computation cost in the respective protocols is evaluated for different phases such as the healthcare update phase (HUP), patient data upload phase (PDUP), treatment phase (TP), report delivery phase (RDP), and emergency phase (EP). For a fair comparison, the communication overheads of existing protocols are evaluated based on the literature [1-3]. The bit sizes of different entities are considered as: identity 48 bits, time-stamp 48 bits, generated random number 48 bits, symmetric encryption/decryption operation 128 bits, cryptographic hash function 160 bits, executing/verifying a signature 512 bits. Table 6 gives a brief comparison of communication costs. It is found that among all the presented healthcare protocols, the proposed protocol has the lowest communication cost. The number of communicated messages is only seven, transmitted among the three parties (patient, healthcare, doctor):

1. transmitted between patient and healthcare: { 0 }, { 1 }, { 2 , 2 },
2. transmitted between healthcare and doctor: { 3 , 3 }, { 4 , 4 } and
3. transferred between the patient and healthcare: { 5 , 5 }, { 7 , 6 }.
Therefore, the total communication cost of our protocol is: (128 + 128 + 160 + 128) + (160 + 128 + 128 + 160) + (128 + 160 + 128 + 160) = 1696 bits. In addition, Table 6 also shows storage cost offers a marginally better storage cost than the [1, 45, 46], [2-4, 47]. But the overall cost (communication and storage cost) in the proposed design is less than that of the existing literature. Besides, a comparative statement of communication expenditure for related schemes in terms of percentage is shown in Fig. 8. From Table 6 and Fig. 8, it is obvious that the communication cost of our protocol is much lower than that of the other methods [1-4, 43-47].

The other functionality feature, the computation cost of the proposed protocol compared with existing schemes, is also evaluated. To measure the performance of all protocols, a common platform of a mobile phone, Android 4.4.4KTU84P (1.8 GHz processor and 2 GB RAM), and a Windows 7 computer with a configuration of Intel Core Quad CPU (Q8300@2.50 GHz and 2 GB RAM) is used as per the literature [45]. It is found that the bit-wise XOR operation takes very little time in comparison to addition (+) and subtraction (-). Hence, the complexity of XOR and concatenation is considered as Big-O(1) or constant time. In addition, other cryptographic operations such as hash function, symmetric encryption, and signature involve multiple steps to generate the output bits [55, 56]. Hence, bit-wise XOR and concatenation operations are neglected in this proposed protocol. A complete comparison of computation cost is shown in Table 7, in which the different execution times in each phase are illustrated. The descriptions of the different execution times are given below [45]:

In the proposed protocol, the computation cost of messages is 6 + 21 + 36 = 2.1909 s which is transmitted between the patient, healthcare and doctor.
However, the related schemes [43], [44], [45], [1], [2], [3], [47], [4] require 4.7091, 4.379, 2.7705, 2.419, 2.5405, 3.503, 8.3144, 2.3401 s, respectively. Moreover, the proposed protocol utilizes slightly more computation overhead than [46]. In addition, a detailed comparison in terms of percentage increase of computation cost with the proposed scheme is shown in Fig. 9 and given below:

• The total execution time of Chen et al. [43] computation cost is 4.7091 s, which is nearly 114.93% greater than our computation cost.
• The total execution time of Chen et al. [44] computation cost is 4.379 s, which is nearly 99.87% greater than our computation cost.
• The total execution time of Chiou et al. [45] computation cost is 2.7705 s, which is nearly 26.45% greater than our computation cost.
• The total execution time of Mohit et al. [46] computation cost is 2.086 s, which is nearly 5% less than our computation cost.
• The total execution time of Li et al. [1] computation cost is 2.419 s, which is nearly 10.41% greater than our computation cost.
• The total execution time of Kumar et al. [2] computation cost is 2.5405 s, which is nearly 15.95% greater than our computation cost.
• The total execution time of Chandrakar et al. [3] computation cost is 3.503 s, which is nearly 59.88% greater than our computation cost.
• The total execution time of Chen et al. [47] computation cost is 8.3144 s, which is nearly 279.49% greater than our computation cost.
• The total execution time of Kumari et al. [4] computation cost is 2.3401 s, which is nearly 6.809% greater than our computation cost.

From Table 7 and Fig. 9, it is obvious that the computation cost of our protocol is much lower than that of the other methods [1-4, 43-45, 47] but slightly greater than that of [46], which, however, does not satisfy patient anonymity and impersonation attack resistance.
Therefore, the proposed e-healthcare monitoring scheme is an efficient protocol in terms of computation and communication functionality features.

This research article presents a secure and compact authentication protocol for e-healthcare monitoring with private cloud services. To achieve this purpose, we have developed a new three-phase scheme, specifically Patient Data Upload Phase (PDUP), Treatment Phase (TP), and Report Delivery Phase (RDP), in addition to the registration phase for e-healthcare monitoring of recovered patients. The proposed scheme is well tested for various security aspects that comprise both informal security analysis "Man-in-the-middle attack, patient anonymity, doctor anonymity, patient unlinkability, impersonation attack, known key security, session key security, message authentication, data confidentiality, data non-repudiation" and formal security analysis "BAN logic and ROR model". In addition, the performance effectiveness of the proposed protocol is also evaluated in terms of computation, communication, and storage cost, with a fair comparison against existing scientific literature. A comparative study of the proposed scheme with others shows that it offers efficient functionality features and is a lightweight authentication scheme. Finally, this type of development in e-healthcare monitoring through TMIS may provide a step forward towards more humane, effective, and privacy-friendly treatment for recovered patients with any severe disease.

Prerna Mohit: Conception and design of study, Writing - original draft.
[1] Cloud-assisted mutual authentication and privacy preservation protocol for telecare medical information systems
[2] A secure elliptic curve cryptography based mutual authentication protocol for cloud-assisted TMIS
[3] Cloud-based authenticated protocol for healthcare monitoring system
[4] Cloud-based secure and efficient framework for smart medical system using ECC
[5] An efficient two-factor authentication scheme with key agreement for IoT based E-health care application using smart card
[6] A distributed key authentication and OKM-ANFIS scheme based breast cancer prediction system in the IoT environment
[7] A secure three factor based authentication scheme for health care systems using IoT enabled devices
[8] Efficient end-to-end authentication protocol for wearable health monitoring systems
[9] Cloud centric authentication for wearable healthcare monitoring system
[10] An enhanced three factor based authentication protocol using wireless medical sensor networks for healthcare monitoring
[11] An improved authentication protocol for wireless body sensor networks applied in healthcare applications
[12] A provably secure and lightweight patient-healthcare authentication protocol in Wireless Body Area networks
[13] A secure three-factor user authentication protocol with forward secrecy for wireless medical sensor network systems
[14] On developing dynamic and efficient cryptosystem for safeguarding healthcare data in public clouds
[15] Can public-cloud security meet its unique challenges?
[16] Paradigm of IoT big data analytics in healthcare industry: a review of scientific literature and mapping of research trends
[17] Secure authentication in cloud big data with hierarchical attribute authorization structure
[18] Digital healthcare technology adoption by elderly people: A capability approach model
[19] Emap: An efficient mutual-authentication protocol for low-cost rfid tags
[20] A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks
[21] An empirical study of factors influencing cloud adoption among private sector organisations
[22] A lightweight hierarchical authentication scheme for internet of things
[23] Design of authentication protocol for wireless sensor network-based smart vehicular system
[24] RSEAP: RFID based secure and efficient authentication protocol for vehicular cloud computing
[25] A secure authentication scheme for telecare medicine information systems
[26] A more secure authentication scheme for telecare medicine information systems
[27] An improved authentication scheme for telecare medicine information systems
[28] An authentication scheme for secure access to healthcare services
[29] A secure three-factor user authentication and key agreement protocol for tmis with user anonymity
[30] Cryptanalysis and improvement of Yan et al.'s biometric-based authentication scheme for telecare medicine information systems
[31] Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS
[32] An enhanced 1-round authentication protocol for wireless body area networks with user anonymity
[33] An elliptic curve cryptography based enhanced anonymous authentication protocol for wearable health monitoring systems
[34] 1-RAAP: An efficient 1-round anonymous authentication protocol for wireless body area networks
[35] A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC
[36] Three-factor-based confidentiality-preserving remote user authentication scheme in multi-server environment
[37] Secure and efficient two-factor user authentication scheme with user anonymity for network based e-health care applications
[38] Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks
[39] A robust and anonymous patient monitoring system using wireless medical sensor networks
[40] Secure-anonymous user authentication scheme for e-healthcare application using wireless medical sensor networks
[41] Anonymous biometrics-based authentication with key agreement scheme for multi-server environment using ECC
[42] Certificateless pairing-free authentication scheme for wireless body area network in healthcare management system
[43] A secure medical data exchange protocol based on cloud environment
[44] A privacy authentication scheme based on cloud for medical environment
[45] Improvement of a privacy authentication scheme based on cloud for medical environment
[46] A standard mutual authentication protocol for cloud computing based health care system
[47] A secure electronic medical record authorization system for smart device application in cloud computing environments
[48] An improved anonymous authentication protocol for wearable health monitoring systems
[49] On the security of public key protocols
[50] Introduction to modern cryptography
[51] Fuzzy extractors: How to generate strong keys from biometrics and other noisy data
[52] A logic of authentication
[53] Password-based authenticated key exchange in the three-party setting
[54] Provably secure ECC-based device access control and key agreement protocol for IoT environment
[55] Instruction latencies and throughput for AMD and Intel x86 Processors
[56] A secure authentication protocol for multi-server-based e-healthcare using a fuzzy commitment scheme

Chen et al. [43] 816 816 944 N/A N/A 2576 768 3,344
Chen et al. [44] 1936 2064 2192 N/A 1760 7952 1280 9,232
Chiou et al. [45] 704