Security Analysis of a User Authentication Scheme for IoT-Based Healthcare

Shengbao Wang; Xin Zhou; Kang Wen; Bosen Weng; Peng Zeng

doi:10.1109/JIOT.2022.3228921

Security Analysis of a User Authentication Scheme for IoT-Based Healthcare

Shengbao Wang, Xin Zhou, Kang Wen, Bosen Weng, Peng Zeng

Software Engineering Institute

Hangzhou Normal University

Research output: Contribution to journal › Article › peer-review

20 Scopus citations

Abstract

Very recently, Masud et al. (2022) proposed a lightweight and anonymity-preserving user authentication scheme to establish secure communication between the doctor, the gateway, and sensor nodes in IoT-based healthcare, aiming to ensure the privacy of the patients' physiological data. In this article, however, we carefully revisit their scheme and first point out that the scheme is not practically implementable in its current form, and second we show that it is vulnerable to session key disclosure attacks, off-line password guessing attacks, and traceability attacks, under the assumption that the attacker can gain access to the sensor nodes and the doctor's device. We also propose fixes for each of these issues or vulnerabilities.

Original language	English
Pages (from-to)	6527-6530
Number of pages	4
Journal	IEEE Internet of Things Journal
Volume	10
Issue number	7
DOIs	https://doi.org/10.1109/JIOT.2022.3228921
State	Published - 1 Apr 2023

Keywords

Healthcare
Internet of Things (IoT)
session key disclosure attack
traceability attack
wireless medical sensor networks (WMSNs)

Access to Document

10.1109/JIOT.2022.3228921

Cite this

@article{bc82883b068f4d55878586efee3ba4ed,

title = "Security Analysis of a User Authentication Scheme for IoT-Based Healthcare",

abstract = "Very recently, Masud et al. (2022) proposed a lightweight and anonymity-preserving user authentication scheme to establish secure communication between the doctor, the gateway, and sensor nodes in IoT-based healthcare, aiming to ensure the privacy of the patients' physiological data. In this article, however, we carefully revisit their scheme and first point out that the scheme is not practically implementable in its current form, and second we show that it is vulnerable to session key disclosure attacks, off-line password guessing attacks, and traceability attacks, under the assumption that the attacker can gain access to the sensor nodes and the doctor's device. We also propose fixes for each of these issues or vulnerabilities.",

keywords = "Healthcare, Internet of Things (IoT), session key disclosure attack, traceability attack, wireless medical sensor networks (WMSNs)",

author = "Shengbao Wang and Xin Zhou and Kang Wen and Bosen Weng and Peng Zeng",

note = "Publisher Copyright: {\textcopyright} 2014 IEEE.",

year = "2023",

month = apr,

day = "1",

doi = "10.1109/JIOT.2022.3228921",

language = "英语",

volume = "10",

pages = "6527--6530",

journal = "IEEE Internet of Things Journal",

issn = "2327-4662",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "7",

}

TY - JOUR

T1 - Security Analysis of a User Authentication Scheme for IoT-Based Healthcare

AU - Wang, Shengbao

AU - Zhou, Xin

AU - Wen, Kang

AU - Weng, Bosen

AU - Zeng, Peng

PY - 2023/4/1

Y1 - 2023/4/1

N2 - Very recently, Masud et al. (2022) proposed a lightweight and anonymity-preserving user authentication scheme to establish secure communication between the doctor, the gateway, and sensor nodes in IoT-based healthcare, aiming to ensure the privacy of the patients' physiological data. In this article, however, we carefully revisit their scheme and first point out that the scheme is not practically implementable in its current form, and second we show that it is vulnerable to session key disclosure attacks, off-line password guessing attacks, and traceability attacks, under the assumption that the attacker can gain access to the sensor nodes and the doctor's device. We also propose fixes for each of these issues or vulnerabilities.

AB - Very recently, Masud et al. (2022) proposed a lightweight and anonymity-preserving user authentication scheme to establish secure communication between the doctor, the gateway, and sensor nodes in IoT-based healthcare, aiming to ensure the privacy of the patients' physiological data. In this article, however, we carefully revisit their scheme and first point out that the scheme is not practically implementable in its current form, and second we show that it is vulnerable to session key disclosure attacks, off-line password guessing attacks, and traceability attacks, under the assumption that the attacker can gain access to the sensor nodes and the doctor's device. We also propose fixes for each of these issues or vulnerabilities.

KW - Healthcare

KW - Internet of Things (IoT)

KW - session key disclosure attack

KW - traceability attack

KW - wireless medical sensor networks (WMSNs)

UR - https://www.scopus.com/pages/publications/85144761857

U2 - 10.1109/JIOT.2022.3228921

DO - 10.1109/JIOT.2022.3228921

M3 - 文章

AN - SCOPUS:85144761857

SN - 2327-4662

VL - 10

SP - 6527

EP - 6530

JO - IEEE Internet of Things Journal

JF - IEEE Internet of Things Journal

IS - 7

ER -

Security Analysis of a User Authentication Scheme for IoT-Based Healthcare

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this