JIS  Vol.8 No.1 , January 2017
Authenticated Privacy Preserving Pairing-Based Scheme for Remote Health Monitoring Systems
ABSTRACT
The digitization of patient health information has brought many benefits and challenges for both patients and physicians. However, security and privacy preservation have remained important challenges for remote health monitoring systems. Since a patient’s health information is sensitive and the communication channel (i.e. the Internet) is insecure, it is important to protect this information against unauthorized entities. Failure to do so will not only lead to compromise of a patient’s privacy, but will also put his/her life at risk. How to provide for confidentiality, patient anonymity and un-traceability, access control to a patient’s health information and even key exchange between a patient and her physician are critical issues that need to be addressed if a wider adoption of remote health monitoring systems is to be realized. This paper proposes an authenticated privacy preserving pairing-based scheme for remote health monitoring systems. The scheme is based on the concepts of bilinear pairing, identity-based cryptography and the non-interactive identity-based key agreement protocol. The scheme also incorporates an efficient batch signature verification scheme to reduce computation cost during multiple simultaneous signature verifications.

1. Introduction

The traditional healthcare systems are plagued by many problems and challenges. These include diagnoses being written illegibly on paper, physicians not being able to easily access patient health information (PHI), and limitations on time, space, and personnel for monitoring patients. Similarly, the current health care systems, structured and optimized for reacting to crisis and managing illness, are facing new challenges: a rapidly growing population of elderly and rising healthcare spending [1] [2]. As more and more people reach old age, the risk of developing certain chronic and debilitating diseases is significantly higher [3] [4]. Furthermore, if aged populations prefer to live alone, they require long-term monitoring for a better independent life [5]. Clearly, innovative strategies are needed to tackle the existing problems and to cater to the healthcare needs of an aging population, in addition to sustaining the trend towards an independent lifestyle focusing on personalized non-hospital based care [6]. With recent advancements in telecommunication technology, however, opportunities exist to improve the current state of the healthcare systems to minimize some of these problems and provide more personalized service [7] [8].

The recent technological advances in sensors, low-power integrated circuits, and wireless communications have enabled the design of low-cost, miniature, lightweight, and intelligent physiological sensor nodes. These sensors, capable of sensing, processing, and communicating one or more vital signs, can be seamlessly integrated into wireless personal or body area networks (WPANs or WBANs) for health monitoring [9]. A WBAN contains a number of portable, miniaturized, and autonomous sensor nodes (in-body and/or on-body nodes) that monitor patients under natural physiological states without constraining their normal activities. The gateway (e.g. PC or mobile phone) of the WBAN is responsible for data collection, processing and overall WBAN management. These networks promise to revolutionize healthcare by allowing inexpensive, non-invasive continuous health monitoring with almost real-time updates of medical records via the Internet. Remote health monitoring systems typically collect patient readings and then transmit them to a remote server for storage and later examination by healthcare professionals. However, the different usage scenarios of remote health monitoring systems, ranging from pre-hospital, in-hospital, ambulatory and in-home monitoring, have resulted in diverse security and privacy concerns [10] [11]. Also, due to the sensitive nature of some of the remotely collected electronic PHI, combined with the insecure nature of the communication channels, there is a need to prevent unauthorized access to and use of the PHI by both active and passive adversaries. Failure to do so will not only put a patient’s privacy in jeopardy, but will also put her life at risk. Hence there is a need for new schemes to protect against privacy violation in remote health monitoring environments.

Many security protocols to enhance privacy and security in remote health monitoring systems have been put forward by researchers. Huang et al. [12] proposed an identity-based authentication and context privacy preservation scheme for wireless health monitoring systems. They adopted identity-based encryption to protect the confidentiality of PHI. However, Huang et al.’s scheme does not achieve patient identity privacy and is also prone to password guessing attacks on the physician’s side [13]. Layouni et al. [14] proposed a privacy protection protocol for remote monitoring of medical care. They applied symmetric encryption and the RSA algorithm to complete the encryption and authentication for PHI. Hasque et al. [15] proposed a secure u-healthcare sensor network using a public key based scheme. In their scheme, they adopted asymmetric encryption for confidentiality protection. Yang et al. [16] presented a password-based authentication scheme for healthcare delivery systems. The rationale behind their scheme is to allow patients to authenticate to healthcare providers using long-term short passwords. Sadly, password-based authentication systems are vulnerable to dictionary attacks. The U.S. government has also established stringent regulations to ensure that the security and privacy of PHI is properly protected [17]. Clearly, the issues of patient identity and data privacy have not been fully explored in the existing literature.

In this paper an authenticated privacy preserving pairing-based scheme for wireless health monitoring systems is proposed. The proposed scheme consists of three parties (see Figure 1 below), namely the gateway of the patient WBAN, the Electronic Health Record (EHR) database in the Health Monitoring Server (HMS) and the physician. In the proposed scheme, all communications between the gateway and EHR, EHR and physician, and physician and gateway are carried out over an insecure channel (i.e. the Internet). The HMS plays the role of the registration server and system parameter generator (or trusted authority) while the EHR acts as the authentication server. Identity-based cryptography (IBC) encryption is adopted to ensure the secure transmission, receiving, storing and access of PHI. This ensures integrity of PHI, which in turn is crucial for accurate diagnoses of a patient by her respective physician. The scheme allows the patient and her physician to establish a secure communication channel via an established session key shared only between the two parties. This is possible because of the concept of non-interactive identity-based key agreement adopted. The analysis will show that the scheme provides confidentiality of a patient’s health information, explicit mutual authentication between the patient and her physician, patient anonymity and un-traceability, patient revocation, session key secrecy and resistance against replay attacks.

Figure 1. System environment.

The rest of the paper is organized as follows: in Section 2, we describe some of the preliminary work and notations that are used throughout this paper. In Section 3, a discussion of the proposed scheme including system initialization, registration of parties and health information transfer is presented. Section 4 presents an analysis that proves that our scheme is efficient and that it achieves many desirable security and privacy preserving properties. Section 5 shows that the proposed scheme has a better performance than Huang et al. and Layouni et al.’s schemes by providing a comparison among the three. Finally, a conclusion is presented in Section 6.

2. Preliminaries

This section briefly reviews bilinear pairings, the Bilinear Diffie-Hellman problem and the original non-interactive identity-based key agreement protocol. Further, the threat model and notations used throughout the remainder of the paper are introduced.

2.1. Notations

Table 1 below presents the notations used throughout the remainder of the paper.

Table 1. Notations.

2.2. Bilinearity

Let $G_1$ be an additive group of prime order $q$ and $G_2$ be a multiplicative cyclic group of the same order. In reality, $G_1$ is a subgroup of points on an elliptic curve over $Z_q$ and $G_2$ is a subgroup of the multiplicative group of a finite field $Z_{q^k}$ for some $k \in Z_q$. Let $P$ denote a generator of $G_1$. Then there exists an efficiently computable bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ which has the following properties [18]:

• Bilinearity: Given $P$ and $Q$ in $G_1$ and $a, b \in_R Z_q$, we have $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.

• Non-degeneracy: $\hat{e}(P, P) \neq 1_{G_2}$.

• Computability: There exists an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

2.3. The Bilinear Diffie-Hellman Assumption

The Bilinear Diffie-Hellman (BDH) problem is to compute $\hat{e}(P, P)^{abc} \in G_2$ given $P \in G_1$ and elements $aP, bP, cP \in G_1$ for $a, b, c \in_R Z_q$. Solving this problem is assumed to be hard on $\{G_1, G_2, \hat{e}\}$.

2.4. Computational Diffie-Hellman Problem

The Computational Diffie-Hellman (CDH) problem is: given $(P, aP, bP)$ for any $a, b \in Z_q$ and $P \in G_1$, compute $abP$. Computing $abP$ is assumed to be hard.

2.5. Non-Interactive Identity-Based Key Agreement

For the non-interactive identity-based key agreement protocol, the central authority first generates two cyclic groups $G_1$ and $G_2$ and the bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ to set up the parameters for an identity-based public key system. The central authority also chooses a cryptographic collision-free hash function $H(\cdot): \{0,1\}^* \to G_1$. It then chooses a secret key $s \in_R Z_q$ and computes the corresponding public key $P_{pub} = sP$, where $P$ is a generator of $G_1$. Lastly it publishes the public parameters $\{G_1, G_2, \hat{e}, P, P_{pub}, H(\cdot)\}$. For a registered party $i$, the central authority computes a private key $d_i = sH(id_i)$ and sends it via a secure channel [19] [20].

With such a setup, any two clients of the same central authority can compute a shared key using only the identity of the other participant and their own private key. For two clients with identities $id_1$ and $id_2$, the shared key is given by $SK = \hat{e}(H(id_1), H(id_2))^s$, which party $id_1$ computes as $SK_{12} = \hat{e}(d_1, H(id_2))$ and party $id_2$ computes as $SK_{21} = \hat{e}(d_2, H(id_1))$.

Clearly, $SK_{12} = SK_{21} = SK$.

3. Proposed Authenticated Privacy Preserving Scheme

In this section the proposed authenticated privacy preserving pairing-based scheme for remote health monitoring systems is presented. The existence of a properly set up and functioning patient WBAN, with the gateway of the WBAN responsible for collecting data from the biosensors and analyzing it, is presumed. Based on the analysis, the gateway (equipped with a wireless Ethernet adapter so as to communicate with a standard wireless router/switch) sends a summary report about the patient’s condition to the health monitoring server periodically. However, in case the analysis indicates a sudden health deterioration, or a condition that requires immediate attention, it is required that the gateway automatically trigger an emergency signal and send an immediate notification to the health monitoring server so that the necessary action can be taken immediately to help the patient. The scheme consists of three parties, namely the gateway of a patient’s WBAN, the EHR database in HMS and the physician. Note: from here on, we refer to the gateway of a patient’s WBAN simply as the patient for convenience. In the proposed scheme, the HMS plays the role of the registration server and system parameter generator (or trusted authority) while the EHR acts as the authentication server. IBC-encryption is adopted to ensure the secure transmission, receiving, storing and access of PHI. This ensures integrity of PHI, which in turn is crucial for accurate diagnoses of a patient by her respective physician. To achieve patient anonymity and un-traceability, a privacy preserving technique based on pseudonyms is adopted. These pseudonyms are issued to the patient via a smartcard by the trusted authority upon successful registration.

To aid authentication of patients and physicians by EHR, both patients and physicians are required to attach to each message sent to EHR a signature which can be successfully validated by EHR. To reduce computation overhead for EHR during the signature validation process, an efficient batch signature verification scheme in which the EHR can simultaneously verify multiple received signatures is adopted [21]. The proposed scheme allows the patient and her physician to establish a secure communication channel via an established session key shared only between the two parties. This is possible because of the concept of non-interactive identity-based key agreement which has been adopted. The scheme also allows revocation of patients. This means that in cases of death, expiry of the service subscription period or upon request by the patient, the trusted authority can easily terminate service provision to the particular patient. The scheme consists of three main phases: system initialization, registration and health information exchange among patient, EHR and physician. We first discuss the threat model, then summarize the notations, and then discuss the phases of our scheme.

3.1. Privacy Preserving Properties of the Scheme

There are many threats to a patient’s privacy and security in remote health monitoring systems. Some of these threats include: data breach by insiders (i.e. authorized EHR users or staff of the EHR organization), insider curiosity, accidental disclosure and unauthorized intrusion of the network system by outsiders (i.e. third parties who act without authorization, e.g. hackers) [22]. The aim of the proposed scheme is to enhance patient data and identity privacy against both insiders and outsiders. Below is a brief discussion of some of the security and privacy properties of the scheme and why they are important to a patient’s data security and identity privacy in remote health monitoring systems.

3.1.1. Confidentiality

In remote health monitoring systems, the disclosure of PHI to unauthorized persons is a serious security and privacy threat. This is because some PHI can be sensitive. Hence, once accessed, such data can be subjected to different kinds of misuse, such as fraudulent insurance claims by adversaries. In the recent past there have been incidents where PHI was disclosed to external parties [23] [24].

3.1.2. Anonymity and Untraceability

Among common privacy requirements, identity and location privacy, i.e. preventing unauthorized parties from learning one’s identity and current or past locations, are of paramount importance [25] [26] [27]. The recent expansion of electronic and mobile healthcare systems has resulted in an increased demand for patient anonymity. This is because adversaries are now more capable of breaching network systems and achieving unauthorized access to PHI. For example, hackers may intrude into a hospital’s network to access PHI or render the system inoperable. Hence patient anonymity and un-traceability would prove vital in such scenarios.

3.2. System Initialization

Similar to other identity-based schemes, the proposed one also requires a private key generator (PKG). In the proposed scheme HMS acts as the PKG. To initialize the system, HMS runs the following steps. Let $G_1$ be an additive cyclic group of prime order $q$, and $G_2$ be a multiplicative cyclic group of the same order. Let $\hat{e}: G_1 \times G_1 \to G_2$ be a bilinear map and $P$ be an arbitrary generator of $G_1$. HMS then chooses a random number $s \in_R Z_q$ as the master secret key and computes the public key $P_{pub} = sP$. It also chooses two secure collision-free cryptographic hash functions $H_1(\cdot): \{0,1\}^* \to G_1$ and $H_2(\cdot): \{0,1\}^* \to Z_q$. It further computes the public key $Q_{EHR} = H_1(id_{EHR})$ and corresponding private key $d_{EHR} = sH_1(id_{EHR})$ for EHR. The key pair $\{Q_{EHR}, d_{EHR}\}$ is then sent to EHR via a secure channel (e.g. Transport Layer Security Protocol). HMS then publishes the public system parameters as $\{G_1, G_2, \hat{e}, q, P, P_{pub}, H_1(\cdot), H_2(\cdot)\}$ and keeps the master secret key $s$ secret.

3.3. Registration

In this section, the registration process of involved parties in the system is discussed. All registrations are carried out by the HMS via a secure channel (see Figure 2).

3.3.1. Physician Registration

To register, Dl (doctor/nurse) submits her identity $id_{D_l}$ (e.g. an email address or social security number) to HMS. HMS first validates the submitted identity and, if validation is successful, it then computes the public key $Q_{D_l} = H_1(id_{D_l})$ and corresponding private key $d_{D_l} = sH_1(id_{D_l})$ for Dl. The HMS then sends $\{Q_{D_l}, d_{D_l}\}$ to Dl via a secure channel.

Figure 2. Registration process.

3.3.2. Patient Registration

Let PTi be a patient seeking medical help from Dl. To register, PTi submits her real-ID $id_{PT_i}$ to HMS. HMS first validates the submitted identity. If the validation is successful, HMS then chooses a family of $n$ un-linkable pseudo-IDs for PTi given by:

$$PID_{PT_i} = \{pid_0, \ldots, pid_j, pid_{j+1}, \ldots, pid_{n-1}\}. \quad (1)$$

For each pseudo-ID $pid_j$ in $PID_{PT_i}$, HMS computes the public key $Q_j = H_1(pid_j)$ and the corresponding private key $d_j = sH_1(pid_j)$, such that the families of public and private keys are:

$$PUB_{PT_i} = \{Q_0, \ldots, Q_{j-1}, Q_j, Q_{j+1}, \ldots, Q_{n-1\}}. \quad (2)$$

$$PRI_{PT_i} = \{d_0, \ldots, d_{j-1}, d_j, d_{j+1}, \ldots, d_{n-1}\}. \quad (3)$$

Once PTi completes the registration procedures, the HMS issues her with a smartcard. The smartcard is personalized with parameters (i.e. $PID_{PT_i}$, $PUB_{PT_i}$, $PRI_{PT_i}$, $id_{D_l}$, $id_{EHR}$) which PTi can later use to register her gateway to the HMS. Upon arrival at home, PTi passes the information in the smartcard over to the gateway. Since some of the information is sensitive, an assumption is made that, once the gateway gets the parameters, it erases the information from the memory of the smartcard to avoid the security implications that may result in case the smartcard ends up in the hands of an adversary.

With these pseudo-IDs, PTi can constantly change her pseudo-IDs to achieve anonymity and un-traceability during communication process over the remote health monitoring system. The HMS also sends PIDPTi to appropriate Dl and EHR respectively.

To allow for revocation, the HMS adds an ExpiryDate into $pid_j$ for $0 \le j \le n-1$, such that each of the public keys $Q_j = H_1(pid_j)$ is valid only before the specified expiry time $t_j$. After the specified time, the corresponding private key $d_j = sH_1(pid_j)$ is revoked automatically. Let $\{t_0, t_1, \ldots, t_{j-1}, t_j, t_{j+1}, \ldots, t_{n-1}\}$ be the set of life spans for each of the $pid_j$ for $0 \le j \le n-1$, such that $t_j = t_{j-1} + \Delta t$, where $\Delta t$ is a constant value for all pseudo-IDs, meaning that the length of the life span for each of the private keys is the same. Further, suppose that PTi can only use the pseudo-IDs $pid_j$, $0 \le j \le n-1$, sequentially (i.e. $pid_{j+1}$ can only be used after $pid_j$ has expired). This allows Dl to request specific patient health data from EHR. This is possible because Dl is also issued with PTi’s pseudo-IDs, making it easy for him/her to know which of the pseudo-IDs has expired and which one is the current $pid_j$ in the sequence of PTi’s pseudo-IDs.

Note: according to [14], a system is said to preserve pseudonymity if data records sent by the patient to the health monitoring server are linkable to each other but not to the patient’s real-ID. In the proposed scheme a patient’s pseudo-IDs are assumed to be un-linkable. In this case the assumption is that the system uses other mechanisms for achieving pseudonymity and not a patient’s pseudo-IDs. But since there may be a need to reveal a patient’s real-ID via judicial procedure in cases of apparent abuse of conditions of service, the proposed scheme assumes that only HMS (trusted authority) should know the relationship between the pseudo-IDs and the real-ID of the patient. As such the scheme can provide conditional privacy for the patient.

3.4. Health Information Transfer

Below the following are discussed: 1) patient health information transfer to EHR, 2) patient authentication, health information receiving and storing by the EHR and 3) patient health information request and recovery by the physician (see Figure 3).

Figure 3. Message exchange among patient, EHR and physician.

3.4.1. Patient Health Information Transfer to EHR

To send health information to EHR, PTi carries out the following steps:

• Picks an unused valid pseudo-ID $pid_j$ and the corresponding private key $d_j$.

• Using this private key, PTi computes a session key $SK_{PT_i-D_l} = \hat{e}(d_j, H_1(id_{D_l})) = \hat{e}(Q_j, Q_{D_l})^s$. This key will be used to encrypt the health information and establish a secure channel with Dl.

• Using $SK_{PT_i-D_l}$, PTi performs IBC-encryption on the health data as $C_1 = E_{SK_{PT_i}}(M \| T^{new}_{PT_i})$, where $M$ is the PHI and $T^{new}_{PT_i}$ is the current timestamp. $T^{new}_{PT_i}$ is added to counter replay attacks. PTi then computes the signature $\sigma_{PT_i} = H_2(C_1 \| pid_j)\, d_j$ on $C_1$.

• Finally PTi sends the message $\{T^{new}_{PT_i}, pid_j, C_1, \sigma_{PT_i}, id_{D_l}\}$ to EHR.

3.4.2. Patient Authentication, Health Information Receiving and Storage by EHR

When EHR receives the message $\{T^{new}_{PT_i}, pid_j, C_1, \sigma_{PT_i}, id_{D_l}\}$ from PTi, it carries out the following authentication steps:

• Checks if the timestamp $T^{new}_{PT_i}$ satisfies the inequality $T^{last}_{PT_i}$ $T^{new}_{PT_i}$ $\Delta T$, where $T^{last}_{PT_i}$ is the last time of message receipt by EHR and $\Delta T$ is the fixed time interval between successive health information collections. This helps to counter replay attack attempts. If successful, it proceeds to examine the ExpiryDate included in $pid_j$ to verify the service expiration time.

• Using the public parameters and received values, EHR checks the validity of the signature by checking $\hat{e}(\sigma_{PT_i}, P) = \hat{e}(H_2(C_1 \| pid_j)\, H_1(pid_j), P_{pub})$. The equation is valid because:

$$\begin{aligned}
\hat{e}(\sigma_{PT_i}, P) &= \hat{e}(H_2(C_1 \| pid_j)\, d_j, P) \\
&= \hat{e}(H_2(C_1 \| pid_j)\, sH_1(pid_j), P) \\
&= \hat{e}(H_2(C_1 \| pid_j)\, H_1(pid_j), sP) \\
&= \hat{e}(H_2(C_1 \| pid_j)\, H_1(pid_j), P_{pub}).
\end{aligned}$$

Once the above steps are satisfied, EHR accepts the message as authentic and stores the necessary message components (see Table 2). EHR can then either notify the respective Dl of the received PHI or may wait for a message request from Dl.

3.4.3. Health Information Access by Physician

To access a patient’s health information, Dl first gets herself authenticated to EHR by carrying out the following steps:

Table 2. Patient health information storing by EHR.

• Using EHR’s public key, Dl carries out IBC-encryption as $C_2 = E_{Q_{EHR}}(T_{D_l}, id_{D_l}, pid_j)$ and computes the signature $\sigma_{D_l} = H_2(C_2 \| id_{D_l})\, d_{D_l}$. Since Dl is aware that each of the patient’s pseudo-IDs has an expiry date and that they are used sequentially, when choosing $pid_j$, Dl chooses the one that is valid and current. Hence Dl can request specific patient health information from EHR depending on the specified $pid_j$.

• Dl then sends $\{T_{D_l}, C_2, \sigma_{D_l}, id_{D_l}, pid_j\}$ as a request for a patient’s health information.

• Once EHR receives the message $\{T_{D_l}, C_2, \sigma_{D_l}, id_{D_l}, pid_j\}$ from Dl, it carries out the following steps to authenticate the request before responding.

• Checks if the timestamp $T_{D_l}$ satisfies the inequality $T - T_{D_l} \le \Delta T$, where $T$ is the time of arrival of the request and $\Delta T$ is the fixed tolerated transmission delay. This can also help in countering replay attacks.

• Applies IBC-decryption as $\{T_{D_l}, id_{D_l}, pid_j\} = D_{d_{EHR}}(C_2)$. Using $id_{D_l}$ and the public parameters, EHR validates the received signature by checking $\hat{e}(\sigma_{D_l}, P) = \hat{e}(H_2(C_2 \| id_{D_l})\, H_1(id_{D_l}), P_{pub})$. Here:

$$\begin{aligned}
\hat{e}(\sigma_{D_l}, P) &= \hat{e}(H_2(C_2 \| id_{D_l})\, d_{D_l}, P) \\
&= \hat{e}(H_2(C_2 \| id_{D_l})\, sH_1(id_{D_l}), P) \\
&= \hat{e}(H_2(C_2 \| id_{D_l})\, H_1(id_{D_l}), sP) \\
&= \hat{e}(H_2(C_2 \| id_{D_l})\, H_1(id_{D_l}), P_{pub}).
\end{aligned}$$

• Once the above steps are satisfied, EHR believes that the request is authentic and forwards the message $\{pid_j, C_1, id_{D_l}\}$ to Dl.

To recover $M$, Dl first computes $SK_{D_l-PT_i} = \hat{e}(d_{D_l}, H_1(pid_j)) = \hat{e}(Q_{D_l}, Q_j)^s$ and uses it to perform IBC-decryption on $C_1$ as

$$\{M \| T^{new}_{PT_i}\} = D_{SK_{D_l-PT_i}}(C_1).$$

Note: $SK_{D_l-PT_i} = SK_{PT_i-D_l}$. This is because:

$$\begin{aligned}
SK_{D_l-PT_i} &= \hat{e}(d_{D_l}, H_1(pid_j)) \\
&= \hat{e}(sH_1(id_{D_l}), H_1(pid_j)) \\
&= \hat{e}(H_1(id_{D_l}), H_1(pid_j))^s \\
&= \hat{e}(H_1(id_{D_l}), sH_1(pid_j)) \\
&= \hat{e}(H_1(id_{D_l}), d_j) = SK_{PT_i-D_l}.
\end{aligned}$$

Hence Dl can now analyze $M$ and give necessary and timely medical advice. By checking $T^{new}_{PT_i}$, Dl is able to tell when the information was sent by PTi. This can help her to estimate the patient’s health condition since the time the data was collected by the biomedical devices. To send medical advice $M_{Advice}$ to PTi in response to the received health information $M$, Dl computes $\text{Auth} = H_2(SK_{D_l-PT_i} \| pid_j \| id_{D_l})$ and encrypts $M_{Advice}$ using $SK_{D_l-PT_i}$ as $C_3 = E_{SK_{D_l-PT_i}}(M_{Advice} \| T_{D_l})$. Dl then sends $\{T_{D_l}, \text{Auth}, C_3\}$ to PTi.

Upon receiving $\{T_{D_l}, \text{Auth}, C_3\}$ from Dl, PTi first validates the timestamp to counter replay attacks. If validation is successful, PTi proceeds to compute the verification code $\text{Veri} = H_2(SK_{D_l-PT_i} \| pid_j \| id_{D_l})$ and checks whether $\text{Veri} \stackrel{?}{=} \text{Auth}$. If the equation holds, PTi believes that the message is from the legitimate Dl and that he/she has established a secure channel. This protects the patient from bogus medical advice which could be life threatening for him/her. PTi can now decrypt $C_3$ using $SK_{PT_i-D_l}$ as $\{M_{Advice} \| T_{D_l}\} = D_{SK_{PT_i-D_l}}(C_3)$ and act upon the medical advice.

The protocol above achieves explicit mutual authentication between PTi and Dl. It also allows anonymous authentication for the PTi. Furthermore, PTi and Dl successfully establish a shared symmetric key SKPTi−Dl that is used for the subsequent communication session.

4. Analysis

This section analyses desirable properties of the proposed scheme including security and privacy preserving properties. Note that other properties including patient revocation and replay attack have been analyzed in Section 4.

4.1. Batch Authentication

In the proposed scheme, the EHR verifies an appended signature to a message to ensure the authenticity of PTi and Dl.

This means that for $n$ distinct patients $PT_1, PT_2, \ldots, PT_n$, the EHR receives the signatures $\sigma_{PT_1}, \sigma_{PT_2}, \ldots, \sigma_{PT_n}$. All the signatures are valid if:

$$\hat{e}\Big(\sum_{i=1}^{n} \sigma_{PT_i}, P\Big) = \hat{e}\Big(\sum_{i=1}^{n} H_2(C_i \| pid_i)\, H_1(pid_i), P_{pub}\Big),$$

where $pid_i$ is just the $j$th pseudo-ID for patient $i$. This batch verification equation holds since

$$\begin{aligned}
\hat{e}\Big(\sum_{i=1}^{n} \sigma_{PT_i}, P\Big) &= \hat{e}\Big(\sum_{i=1}^{n} H_2(C_i \| pid_i)\, d_j, P\Big) \\
&= \hat{e}\Big(\sum_{i=1}^{n} H_2(C_i \| pid_i)\, sH_1(pid_i), P\Big) \\
&= \hat{e}\Big(\sum_{i=1}^{n} H_2(C_i \| pid_i)\, H_1(pid_i), sP\Big) \\
&= \hat{e}\Big(\sum_{i=1}^{n} H_2(C_i \| pid_i)\, H_1(pid_i), P_{pub}\Big).
\end{aligned}$$

Note: the same batch verification method applies in situations where EHR receives signatures $\sigma_{D_1}, \sigma_{D_2}, \ldots, \sigma_{D_n}$ from $n$ distinct physicians. In this case, all the signatures are valid if:

$$\hat{e}\Big(\sum_{l=1}^{n} \sigma_{D_l}, P\Big) = \hat{e}\Big(\sum_{l=1}^{n} H_2(C_l \| id_l)\, H_1(id_l), P_{pub}\Big),$$

where idl is the identity for physician l.
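The algebra of the key agreement in Sections 2.5 and 3.4, the signature check in Section 3.4.2 and the batch equation above can be run end to end. The following is an added example, not code from the paper, using a deliberately insecure toy pairing in which a $G_1$ point is stored as its scalar, so it confirms the equations but provides no security; it also goes slightly beyond the text by falling back to per-message verification when the batch check fails. Assumptions: the identities, pseudo-ID strings, ciphertext bytes, the fixed master secret and all function names are constructed for illustration.

```python
import hashlib

# Toy symmetric pairing, INSECURE by construction: a G1 point xP is stored as
# the scalar x (P = 1), so discrete logs in G1 are visible. G2 is the order-q
# subgroup of Z_p^* with p = 2q + 1, and e(xP, yP) = g^(xy) mod p.

def is_prime(n):
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 2**64
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:                      # deterministic Miller-Rabin rounds
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_pair(start):              # smallest prime q >= start with 2q+1 prime
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1

Q, P_MOD = safe_prime_pair(1 << 61)      # group order q and field prime p
G = 4                                    # a square mod p, hence of order q
P = 1                                    # generator of G1

def pair(x, y):
    """Bilinear map e(xP, yP) = g^(xy)."""
    return pow(G, (x * y) % Q, P_MOD)

def hash_to_scalar(tag, data):
    digest = hashlib.sha256(tag + data).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)    # in [1, q-1]

def H1(identity):                        # {0,1}* -> G1
    return hash_to_scalar(b"H1|", identity.encode())

def H2(data):                            # {0,1}* -> Z_q
    return hash_to_scalar(b"H2|", data)

# HMS side: master secret s (fixed here so the run is repeatable) and P_pub.
S = hash_to_scalar(b"master|", b"constructed demo secret")
P_PUB = (S * P) % Q

def extract(identity):
    """Private key d = s * H1(id), issued by HMS at registration."""
    return (S * H1(identity)) % Q

def session_key(own_private, peer_identity):
    """Non-interactive key agreement: SK = e(d_own, H1(id_peer))."""
    return pair(own_private, H1(peer_identity))

def sign(private, ciphertext, identity):
    """sigma = H2(C || id) * d."""
    return (H2(ciphertext + identity.encode()) * private) % Q

def hashed_point(ciphertext, identity):
    return (H2(ciphertext + identity.encode()) * H1(identity)) % Q

def verify(sig, ciphertext, identity):
    """e(sigma, P) == e(H2(C || id) * H1(id), P_pub)."""
    return pair(sig, P) == pair(hashed_point(ciphertext, identity), P_PUB)

def batch_verify(msgs):
    """msgs = [(sigma, C, id), ...]; two pairings regardless of len(msgs)."""
    sig_sum = sum(sig for sig, _, _ in msgs) % Q
    point_sum = sum(hashed_point(c, i) for _, c, i in msgs) % Q
    return pair(sig_sum, P) == pair(point_sum, P_PUB)

def rejected(msgs):
    """When the batch fails, check one by one to find the bad senders."""
    if batch_verify(msgs):
        return []
    return [i for sig, c, i in msgs if not verify(sig, c, i)]

def demo():
    """Constructed identities and ciphertext bytes; returns the three checks."""
    doctor, pids = "dr.l@hospital.example", ["pid-a-0", "pid-b-0", "pid-c-0"]
    c1s = [b"opaque C1 from " + p.encode() for p in pids]
    msgs = [(sign(extract(p), c, p), c, p) for p, c in zip(pids, c1s)]
    tampered = [msgs[0], (msgs[1][0], msgs[1][1] + b"\x00", pids[1]), msgs[2]]
    sk_patient = session_key(extract(pids[0]), doctor)
    sk_doctor = session_key(extract(doctor), pids[0])
    return sk_patient == sk_doctor, batch_verify(msgs), rejected(tampered)

if __name__ == "__main__":
    print(demo())
```

In this representation $P_{pub}$ is stored as the scalar $s$ itself, which is exactly why the model is only suitable for checking the equations; a real deployment needs an actual pairing-friendly curve.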

4.2. Patient Service Subscription Validation

To check service subscription validation for PTi, the EHR checks the signature $\sigma_{PT_i} = H_2(C_i \| pid_i)\, d_j$ appended to the message. The signature $\sigma_{PT_i} = H_2(C_i \| pid_i)\, d_j$ is a pseudo-ID-based signature. Without the private key $d_j = sH_1(pid_j)$, it is infeasible for third parties to forge a valid signature. This is because, based on the hardness of the CDH problem in $G_1$, it is difficult for someone to derive the private key $sH_1(pid_j)$ given $pid_j$, $P$ and $P_{pub}$. Hence the pseudo-ID-based signature is unforgeable and a patient’s service subscription validation can be achieved.

4.3. Mutual Authentication

The patient and her physician achieve explicit mutual authentication. This is so because, when sending medical advice $M_{Advice}$, the physician Dl computes $\text{Auth} = H_2(SK_{D_l-PT_i} \| pid_j \| id_{D_l})$ and sends it to PTi together with the encrypted medical advice $C_3$ and timestamp $T_{D_l}$ as part of the message $\{T_{D_l}, \text{Auth}, C_3\}$. The security of $\text{Auth}$ depends on $SK_{D_l-PT_i} = \hat{e}(d_{D_l}, H_1(pid_j))$. Based on the BDH problem on $\{G_1, G_2, \hat{e}\}$, it is infeasible for an adversary to derive $SK_{D_l-PT_i}$ given $id_{D_l}$, $pid_j$, $P$ and $P_{pub}$. Furthermore, based on the non-interactive identity-based key agreement, only Dl, whose private key is $d_{D_l}$, and PTi, who has the private key corresponding to $H_1(pid_j)$, can share this key. Once PTi receives $\text{Auth}$, he/she can then check whether $\text{Veri} = H_2(SK_{PT_i-D_l} \| pid_j \| id_{D_l}) = \text{Auth}$ holds. Note: $\text{Veri} = \text{Auth}$ since $SK_{D_l-PT_i} = SK_{PT_i-D_l}$. If the equation holds, then the patient can authenticate the message and trust that it is from the right source; otherwise he/she rejects the message.

4.4. Confidentiality

Confidentiality of PHI entails ensuring that patient health information is not made available or disclosed to unauthorized parties, including EHR itself. The proposed scheme achieves confidentiality against both insider and outsider adversaries. This is because $M$ is stored in EHR encrypted with $SK_{PT_i-D_l}$ as $C_1 = E_{SK_{PT_i}}(M \| T^{new}_{PT_i})$ and, based on the BDH problem on $\{G_1, G_2, \hat{e}\}$, it is infeasible for anyone except the legitimate Dl to derive $SK_{PT_i-D_l}$. The BDH problem on $\{G_1, G_2, \hat{e}\}$ is: compute $\hat{e}(P, P)^{abc} \in G_2$ with known $aP$, $bP$, $cP$ for $a, b, c \in_R Z_q$, where $P$ is a generator of $G_1$ and $\hat{e}$ is the bilinear map. In our scheme, if an adversary is to succeed in decrypting $C_1$, he/she must compute

$$SK_{PT_i-D_l} = \hat{e}(d_j, H_1(id_{D_l})) = \hat{e}(sH_1(pid_j), H_1(id_{D_l}))$$

given $id_{D_l}$, $pid_j$, $P$ and $P_{pub}$. This is the same as solving the BDH problem. Hence our scheme satisfies the confidentiality property of PHI.

4.5. Patient Anonymity and Untraceability

In the proposed scheme, each PTi upon successful registration receives a family of $n$ un-linkable pseudo-IDs given by

$$PID_{PT_i} = \{pid_0, pid_1, \ldots, pid_{j-1}, pid_j, pid_{j+1}, \ldots, pid_{n-1}\}$$

and corresponding private keys $PRI_{PT_i} = \{d_0, d_1, \ldots, d_{j-1}, d_j, d_{j+1}, \ldots, d_{n-1}\}$. Instead of using her real-ID for authentication and message transfer, the patient uses these issued pseudo-IDs. This ensures patient identity privacy protection since the pseudo-IDs reveal nothing about the patient’s real-ID to other parties. Since there is no linkage between the pseudo-IDs, our scheme can also achieve untraceability.

4.6. Session Key Secrecy

As shown above, computing the session key $SK_{PT_i-D_l}$ by an adversary means solving the BDH problem in $\{G_1, G_2, \hat{e}\}$. But under the random oracle model, solving BDH is infeasible in $\{G_1, G_2, \hat{e}\}$. Hence the session key between PTi and Dl is secure and cannot be computed by third parties.

5. Comparison

Table 3 below presents a comparison of the proposed scheme against Huang et al.’s identity-based authentication and context privacy preservation scheme and Layouni et al.’s privacy-preserving telemonitoring for ehealth scheme.

6. Conclusion

This paper has proposed a privacy preserving pairing-based authentication and key establishment scheme for wireless health monitoring systems. The proposed scheme is based on bilinear pairing, IBC and a non-interactive key agreement scheme using bilinearity. In the scheme, patients are only pseudonymously identified, hence protecting the patients from negative effects of identity theft such as fraudulent insurance claims by adversaries. However, the scheme achieves conditional privacy: the central authority (the health monitoring server) knows the patients’ real identity, hence in case of apparent abuse this real identity can be revealed via judicial procedure. The security and privacy preservation analysis has shown that the scheme also achieves confidentiality of PHI and session key secrecy, while the performance comparison has shown that our scheme achieves more privacy preserving properties than Huang et al. and Layouni et al.’s schemes.

Table 3. Performance comparison between proposed scheme against schemes in [13] and [15].

Cite this paper
Mtonga, K. , Yoon, E. and Kim, H. (2017) Authenticated Privacy Preserving Pairing-Based Scheme for Remote Health Monitoring Systems. Journal of Information Security, 8, 75-90. doi: 10.4236/jis.2017.81006.
References
[1]   An Aging World, 2013. http://www.census.gov/prod/2009pubs/p95-09-1.pdf

[2]   Borger, C., Smith, S., Truffer, C., Keehan, S., Sisko, A., Posal, J. and Clement, M.K. (2006) Health Spending Projections through 2015: Changes on the Horizon. Health Affairs Web Exclusive, 25, W61-W73.

[3]   Kumar, P. and Lee, H.J. (2012) Security Issues in Healthcare Applications Using Wireless Medical Sensor Networks: A Survey. Sensors, 12, 55-91. https://doi.org/10.3390/s120100055

[4]   Aging Heart and Arteries (2013) A Scientific Quest. http://www.nia.nih.gov/health/publication/aging-hearts-and-arteries-scientific-quest

[5]   Gaddam, A., Mukhopadhyay, S.C. and Gupta, G.S. (2011) Elder Care Based on Cognitive Sensor Network. IEEE Sensors Journal, 11, 574-581. https://doi.org/10.1109/JSEN.2010.2051425

[6]   Tablado, A., Illarramendi, A., Bermudez, J. and Goni, A. (2003) Intelligent Monitoring of Elderly People. In: Proceedings of the 4th Annual IEEE EMBS Special Topic Conference on Information Technology Applications in Biomedicine, 24-26 April 2003. https://doi.org/10.1109/itab.2003.1222447

[7]   Mtonga, K., Paul, A. and Rho, S. (2014) Time-and-Id-Based Proxy Re-Encryption Scheme. Journal of Applied Mathematics, 2014, Article ID: 329198. https://doi.org/10.1155/2014/329198

[8]   Mtonga, K., Yoon, E.J. and Kim, H. (2014) A Pairing Based Authentication and Key Establishment Scheme for Remote Monitoring Systems. e-Infrastructure and eServices for Developing Countries, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 135, 79-89. https://doi.org/10.1007/978-3-319-08368-1_9

[9]   Ko, J., Lu, C., Srivastava, M.B., Terzis, A. and Welsh, M. (2009) Wireless Sensor Networks for Healthcare. Proceedings of the IEEE, 98, 1947-1960. https://doi.org/10.1109/JPROC.2010.2065210

[10]   Varshney, U. (2003) Pervasive Healthcare. IEEE Computer, 36, 138-140. https://doi.org/10.1109/mc.2003.1250897

[11]   Ng, H.S., Sim, M.L. and Tan, C.M. (2006) Security Issues of Wireless Sensor Networks in Healthcare Applications. BT Technology Journal, 24, 138-144. https://doi.org/10.1007/s10550-006-0051-8

[12]   Huang, Q., Yang, X. and Li, S. (2011) Identity Authentication and Context Privacy Preservation in Wireless Health Monitoring System. International Journal of Computer Network and Information Security, 3, 53-60. https://doi.org/10.5815/ijcnis.2011.04.08

[13]   Gong, L., Lomas, T.M.A., Needham, R.M. and Saltzer, J.H. (1993) Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE Journal on Selected Areas in Communications, 11, 648-656. https://doi.org/10.1109/49.223865

[14]   Layouni, M., Verslype, K. and Sandikkaya, M.T. (2009) Privacy-Preserving Telemonitoring for eHealth. Data and Applications Security. IFIP Annual Conference on Data and Applications Security and Privacy, Montreal, 12-15 July 2009, 95-110.

[15]   Hasque, M.M., Pathan, A.K. and Hong, C.S. (2008) Securing U-Healthcare Sensor Networks Using Public Key Based Scheme. 10th International Conference on Advanced Communication Technology, Gangwon-Do, 17-20 February 2008, 1108-1111.

[16]   Yang, Y., Deng, R.H. and Bao, F. (2006) Fortifying Password Authentication in Integrated Healthcare Delivery Systems. Proceedings of the ACM Symposium on Information, Computer and Communications Security, Taipei, 21-24 March 2006, 255-265.

[17]   Health Insurance Portability Accountability Act (HIPAA).

[18]   Boneh, D. and Franklin, M. (2001) Identity-Based Encryption from the Weil Pairing. Proceedings of Crypto 2001, Santa Barbara, 19-23 August 2001, 213-229.

[19]   Sakai, R. and Kasahara, M. (2000) Cryptosystems Based on Pairings. Proceedings of the 2000 Symposium on Cryptography and Information Security, Okinawa, January 2000.

[20]   Dupont, R. and Enge, A. (2006) Provably Secure Non-Interactive Key Distribution Based on Pairings. Discrete Applied Mathematics, 154, 270-276. https://doi.org/10.1016/j.dam.2005.03.024

[21]   He, D., Chen, C., Chan, S. and Bu, J. (2002) Secure and Efficient Handover Authentication Based on Bilinear Pairing Functions. IEEE Transactions on Wireless Communications, 11, 48-53. https://doi.org/10.1109/TWC.2011.110811.111240

[22]   National Research Council (NRC) for the Record (1997) Protecting Electric Health Information. National Academy Press, Washington DC.

[23]   Dixon, P. (2006) Medical Identity Theft: The Information Crime That Can Kill You. The World Privacy Forum.

[24]   Alan, W.M. (2006) Buying Prescription Drugs on the Internet: Promises and Pitfalls. Cleveland Clinic Journal of Medicine, 73, 282-288. https://doi.org/10.3949/ccjm.73.3.282

[25]   Liang, X., Chan, L., Lu, R., Lin, X. and Shen, X. (2011) PEC: A Privacy-Preserving Emergency Call Scheme for Mobile Healthcare Social Networks. IEEE/KICS Journal Communications and Networks, 13, 102-112. https://doi.org/10.1109/JCN.2011.6157409

[26]   Freudiger, J., Manshaei, M., Hubaux, J.P. and Parkes, D. (2009) On Noncooperative Location Privacy: A Game-Theoretic Analysis. Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, 9-13 November 2009, 324-337.

[27]   Lu, R., Lin, X., Luan, H., Liang, X. and Shen, X. (2012) Pseudonym Changing at Social Spots: An Effective Strategy for Location Privacy in Vanets. IEEE Transactions on Vehicular Technology, 61, 86-96. https://doi.org/10.1109/TVT.2011.2162864

 
 