SHAPARAK: Scalable healthcare authentication protocol with attack-resilience and anonymous key-agreement

Security in wearable sensor networks and telecare medical information systems (TMIS) has turned to an issue of scholarly interest in recent years. Adequate security to agree on a temporary session key is essential for establishing a secure connection on various layers of the protocol stack in the Internet of Things (IoT) environments. Recently, Gupta et al. proposed a lightweight authentication and key agreement scheme for wearable sensing devices. Our analysis of Gupta et al.'s scheme revealed that it is insecure against privileged-insider attack, compromise sensing device, and desynchronization attacks in wearable sensor registration and login and authentication phases. In this paper, a Scalable Healthcare Authentication Protocol with Attack-Resilience and Anonymous Key-agreement, SHAPARAK, is proposed to overcome security flaws of existing schemes. The proposed protocol offers more scalability as it uses a public channel in the process of registration of each wearable sensing device. It also contains the password and biometrics changing phase without involvement of the trusted server. The security analysis of the proposed scheme is evaluated using the GNY logic, AVISPA tool, random oracle model, and informal security analysis. It is also shown that the proposed protocol is cost-efficient in terms of computation and communication overheads, compared to the existing schemes.