Preserving Patient's Anonymity for Mobile Healthcare ... - SAGE Journals

Research Article

Preserving Patient’s Anonymity for Mobile Healthcare System in IoT Environment

Seungsoo Baek (1), Seung-Hyun Seo (2), and Seungjoo Kim (1)

(1) Center for Information Security and Technologies (CIST), Korea University Anam Campus, Anam-dong 5(o)-ga, Seongbuk-gu, Seoul, Republic of Korea
(2) Department of Mathematics, Korea University Sejong Campus, Sejong-ro, Sejong City, Republic of Korea

International Journal of Distributed Sensor Networks. Correspondence should be addressed to Seungjoo Kim; [email protected]

Received 4 March 2016; Accepted 8 May 2016. Academic Editor: Fan Wu

Copyright © 2016 Seungsoo Baek et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Emerging IoT (Internet of Things) technologies provide many benefits to the improvement of healthcare service. The successful deployment of IoT depends on ensuring security and privacy that need to adapt to their processing capabilities. IoT is vulnerable to attacks since communications are mostly wireless. So far, most researchers have only focused on security or privacy issues related to wireless communication in the IoT environment without considering all the communication vulnerabilities. However, since most biometric data from sensors travel over the cellular network, we are required to study a privacy-enhanced scheme that covers all the secure communications. Therefore, we propose a novel privacy-enhanced mobile healthcare system in the IoT environment. Our proposed scheme provides anonymous communication between a patient and a doctor in a wireless cellular network, satisfying the security requirements and guaranteeing its efficiency.

1. Introduction

The recent surging interest in IoT (Internet of Things) is based on the perception that IoT will become a new trend setter in the postmobile computing era. IoT will begin connecting human beings and electronic devices in the initial stage and this will eventually expand to human-material fusion which will become a main driving force in making human lives more comfortable. Ultimately, IoT’s aim is to achieve a truly ubiquitous society. The application of IoT is vast, from home networking to smart healthcare, which will bring significant benefits to our society; we as a society are fortunate enough to make an early investment decision in this area. In particular, with the growth of IoT technology, it has a similarly beneficial effect on traditional healthcare practices. For example, it provides not only medication for illness but also health management. Nowadays, the provision of health services using digital technology has been termed “mobile healthcare.” Mobile healthcare is defined as the practice of medicine and public health supported by mobile devices. Mobile healthcare has been recognized as one of the fastest growing industries, with growth rates of 10% annually. Moreover, the provision of mobile healthcare service has been adopted by many countries, such as the USA, Canada, the UK, Korea, and the EU. The major reasons for the rapid growth of mobile healthcare are as follows. First, the number of smartphone users has increased dramatically. Secondly, medical expenses for large ageing populations and chronic disease patients have been growing gradually. In particular, the periodical medical visits for people with chronic diseases cost a lot of money, therefore imposing a financial burden on patients. Nevertheless, mobile healthcare services contain potential security and privacy problems, even though they are convenient and have economic benefits. Generally, it could be possible for patients to reveal a physical or psychological secret to medical staff. Therefore, the patients’ health information should be used for treatment only by designated medical staff because of its sensitivity. However, what if a patient’s private information is leaked to the public or to unauthorized people? For example, a patient could be embarrassed if the fact that he goes to a special clinic which cares for mental illness, urinary disease, or sexual counseling is leaked. Thus, the sensitive medical record must be protected from unauthorized access or modification.

Of course, many countries know the importance and make efforts to protect patients’ information. In 2015, a European data protection supervisor mentioned that healthcare data should be regarded as basically sensitive private data and healthcare service providers must have the concept of “privacy by default, privacy by design” when they develop a healthcare system. In the US, use and disclosure of PHI (Protected Health Information) should be in accordance with the requirements of HIPAA (Health Insurance Portability and Accountability Act). HIPAA requires that maintaining the confidentiality of health data is not an option, but an obligation. However, healthcare data is still being leaked. According to the Identity Theft Resource Center (ITRC) report, healthcare data breaches were the second largest portion of data breaches across industry sectors in 2014. In 2015, social security numbers and personal medical information in Anthem, which is the second largest health insurer in the US, were hacked and stolen by hackers. To make matters worse, Reuters [1] reported that a medical record is worth 10 times more to hackers than credit card information. Of course, many researchers have studied security and privacy problems in mobile healthcare services. Burmester et al. [2] proposed a symmetric encryption scheme using RFID to solve security and privacy problems. Zhang et al. [3] stated ID-based encryption schemes for healthcare services. Tan et al. [4] addressed a secure healthcare protocol using the IBE-Lite scheme that is more efficient than [3]. Huang et al. [5] pointed out Tan et al.’s [4] weaknesses about security and privacy breaches between smartphone and health cloud storage. However, these secure and privacy-preserving schemes overlook important facts. Their assumption on the environment of network communication uses the Internet which is provided by an ISP (Internet Service Provider). In order to use the network, the devices should be identified and authenticated by the ISP. In cases where there exists a malicious cellular network operator or an adversarial cloud provider, the security and privacy breach problems become more critical. In particular, both of them can handle all communications and monitor a specific patient’s biometric data in their respective network. They could be aware of who is communicating with whom, how often a person transmits his or her biodata, and the amount of the data exchanged between them. To make matters worse, all this information can be easily inferred for end-to-end communication, if a cellular network operator and a cloud provider collude with each other. They might threaten the privacy of all users in the mobile healthcare system.

In this paper, we propose a novel secure and privacy-preserving mobile healthcare scheme using biosensors in a wireless cellular network environment (Figure 3). First of all, we clarify the security requirements including patient’s anonymity in mobile healthcare systems. Next, we point out the weaknesses of previous work in [5]. Then, we propose the solution with the security requirements to overcome the weaknesses. The proposed scheme provides a secure communication and also allows smartphone users to communicate in an anonymous way. To the best of our knowledge, our paper is the first work that considers the anonymity of a patient and his or her biodata in a wireless cellular network. Our contributions are mainly summarized as follows.

(i) Our work is the first attempt for mobile healthcare systems considering the wireless cellular network environment. Our proposed scheme provides an anonymous channel over the wireless cellular network by using multihop Wi-Fi local communications that hide the source or destination.
(ii) We draw the security requirements for mobile healthcare systems and point out the weaknesses of Huang’s scheme [5].
(iii) Our scheme satisfies fundamental security issues such as an eavesdropping attack and a matching attack.

The remainder of this paper is organized as follows. Section 2 presents preliminaries such as network architecture, notations, and security requirements for mobile healthcare services. Section 3 reviews previous privacy-preserving mobile healthcare services and discusses their weaknesses. Section 4 proposes a new secure and privacy-enhanced scheme. Section 5 presents the security and performance analysis of our protocol and Section 6 concludes this paper.

2. Preliminaries

2.1. The Overview of Mobile Healthcare Service in the IoT Environment. Mobile healthcare is defined as the practice of medicine and public health supported by mobile devices as shown in Figure 1. More specifically, the system includes all the medical practices such as prevention, situation understanding, prognosis, and prescriptions for patients. The network architecture of mobile healthcare service in the IoT environment mainly consists of 4 main entities: patients’ biosensors, a sink node, the HSP (Healthcare Service Platform) including cloud storage, and medical staff’s devices. Biosensors are attached to a patient’s body and send their readings to a sink node. They are usually low-powered and too tiny to transmit the data to a healthcare cloud storage directly. To overcome this limitation, a sink node, such as a smartphone, is usually used to extend the range of communication. The sink node stores the biodata from the sensors and forwards them to a healthcare service platform. This includes a cloud storage because the storage capacity of the smartphone is not enough to store all of the patient’s biodata. The healthcare service platform keeps a record of the patients’ biodata. Then, a physician on the medical staff retrieves the patients’ biodata, monitors it, and can prescribe a treatment for the patient.

Figure 1: The network architecture of mobile healthcare service. (Image not reproduced; recovered labels: ⟨Sensors⟩ such as a smart band, heart rate and EEG sensors; ⟨Sink node⟩ (transmitter device); ⟨Cellular network domain (ISP)⟩; ⟨Cloud storage domain⟩; ⟨Medical staff⟩; ⟨Emergency call⟩.)

Figure 2: Huang’s mobile healthcare system [5]. (Image not reproduced; the protocol flow recovered from the figure labels is as follows.)
(1) KDC sends $S_A, Y_A, K$ to patient A, who stores $\langle S_A, Y_A, K \rangle$.
(2) Sensor: sensing $b_A^k$.
(3) Patient A calculates $y_A^{str_k} = \sum_{i=1}^{n} h_i(s \,|\, str_k)\, y_A^i$ and $Aid_k = \sum_{i=1}^{n} h_i(s \,|\, str_k)\, s_A^i$, and encrypts $c_A^k = Enc(y_A^{str_k}, b_A^k \,|\, r)$.
(4) Patient A generates $MAC = h(K_j \,|\, c_A^k \,|\, Aid_k \,|\, T)$, forms $m = \langle MAC, j, c_A^k, T \rangle$, and sends $\langle MAC, j, c_A^k, Aid_k, T \rangle$ through the ISP and PDN (Internet) to the clone.
(5) The clone verifies $MAC' = h(K_j \,|\, c_A^k \,|\, Aid_k \,|\, T)$ and stores $\langle Aid_k, c_A^k \rangle$.
(6) The doctor requests $str^*$ from KDC; KDC calculates $x_A^{str^*} = \sum_{i=1}^{n} h_i(s \,|\, str^*)\, x_A^i$ and $Aid^* = \sum_{i=1}^{n} h_i(s \,|\, str_k)\, s_A^i$ and replies $\langle Aid^*, x_A^{str^*} \rangle$.
(7) The doctor sends $Aid^*$ to the clone, which retrieves $c_A^*$; the doctor decrypts $Dec(x_A^{str^*}, c_A^*)$.

2.2. Notations. We use the notations in Notations to analyze the scheme in [5] and describe our proposed scheme.

2.3. An ElGamal with Elliptic Curve Cryptography and Its Example. Elliptic curve cryptography (ECC) is an approach to public key cryptography based on the algebraic structure of elliptic curves over finite fields. It is well known for fitting in mobile or remote environments, because ECC can offer the same level of security as RSA while using much smaller key sizes. For example, a 256-bit ECC public key provides comparable security to a 3072-bit RSA public key [6]. In this paper, we and [5] use ECC over the finite field GF(p), where $q = p^n$ and p is a large prime. To set up an elliptic curve cryptosystem, we choose integers e, d ∈ GF(p)

where e is the public key and d is the private key, with e = d · P and P the base point of the elliptic curve E. An instance of the EC-ElGamal (Elliptic Curve Analog of ElGamal) cryptosystem is shown in Table 1.

Table 1: An example of elliptic curve cryptosystem.

| Section | Descriptions |
|---|---|
| Public key | p, q, y = x · P |
| Private key | x |
| Encryption Enc(e, M) | C = {C1, C2} = {r · P, r · e + M} |
| Decryption Dec(d, C) | M = C2 − d · C1 |

Figure 3: Our proposed scheme for secure and privacy-preserving mobile healthcare system. (Image not reproduced; recovered labels: ⟨Patient’s friendly group⟩ of α-devices $d_A, d_1, d_2, \dots, d_i$; ⟨Cellular network domain (ISP)⟩; ⟨Cloud storage domain⟩ with cloud proxy pr, α-clones $c_A, c_i$ and β-clones $c_j, c_B$; ⟨Doctor’s friendly group⟩ of β-devices $d_j, d_B$; message steps (1) M through (9), ending with (10) $Enc\{PU_{c_B}, m\}$.)

2.4. Security Requirements for Mobile Healthcare Systems. Although a mobile healthcare system is convenient and efficient for managing medical records and monitoring statuses, it has various vulnerabilities such as personal medical data leakage and unauthorized data modification. Therefore, it is strongly urged that we consider providing security for all communication channels involved with mobile healthcare services. First of all, we need to identify potential adversaries to mobile healthcare services when using wireless cellular networks, as shown in Table 2.

Table 2: Potential adversaries in mobile healthcare service.

| Adversaries | Description |
|---|---|
| Malicious device | This adversary can access the patient’s smartphone illegally within the near network area and eavesdrop on his personal medical information |
| Malicious cellular network operator | A cellular network operator can observe all communication between cellular users and cloud clones. In particular, he can gather targeted network traffic and identify the user or the user’s location |
| Malicious cloud provider | A cloud storage or clone is not secure because a malicious cloud provider can find out the user’s identity and eavesdrop on all communication between users and their clones |

Next, we need to characterize the security requirements of mobile healthcare systems necessary to secure users from a variety of different attacks such as eavesdropping, replay, collusion, and impersonation attacks, including the privacy-preserving issue.

(i) Resistance to Eavesdropping Attack. This attack is a typical passive attack, which listens to the communication of mobile healthcare systems without authorization. The attack damages the confidentiality of biometric data and anonymity. Thus, encryption of transmitted data is essential.
(ii) Resistance to Matching Attack. The attacker can know other people’s public keys and encrypt a plain text with the public keys. Then, the attacker can compare cipher texts made by him with real cipher texts eavesdropped from a communication channel. Thus, patterns of cipher text should be changed in every session.
(iii) Resistance to Replay Attack. The attacker can use previous network packets and maliciously repeat them. Thus, the same pattern of data in communication should be avoided.
(iv) Resistance to Impersonation Attack. The attacker can use a fake identity to gain unauthorized access to the cloud storage or clone. Therefore, all public or secret keys in mobile healthcare systems should be provided by a trustworthy organization.
(v) Resistance to Collusion Attack. Several attackers or malicious entities can conspire together to damage the user’s anonymity or decrypt cipher texts during communication. Therefore, these attacks should be blocked from occurring during multiple-message communication.
(vi) Provision of Unlinkability. Unlinkability is defined in [7] as ensuring that a user may use services or resources as often as they wish without worry about their research being trackable over multiple uses; in other words, the adversaries to mobile healthcare systems are not able to gather a user’s biometric data via the primary user. Steinbrecher and Köpsell [8] formulated the degree of unlinkability by using the concept of an equivalence relation $\sim_{r(A)}$, a notation which signifies “is related” within a set A. They define the degree of $(i_1, \dots, i_k)$-unlinkability $d(i_1, \dots, i_k)$ describing the unlinkability of k items $a_{i_1}, \dots, a_{i_k} \in A$. Obviously, it holds that $0 \le d(i_1, \dots, i_k) \le 1$, and the maximum of unlinkability is reached if
$$d(i_1, \dots, i_k) = 1 \;\Leftrightarrow\; \forall j \in |I_k| : P\big((\sim_{r_j(A)} \,|\, \{a_{i_1}, \dots, a_{i_k}\}) = (\sim_{r(A)})\big) = 1/|I_k|,$$
where $|I_k|$ means an index set enumerating all possible equivalence relations on $\{a_{i_1}, \dots, a_{i_k}\}$. In other words, the worst case for the adversaries is that all possible relations among items have the probability 1/|items|.
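The EC-ElGamal instance of Table 1 worked through on a toy curve, as an added example that is not the paper’s prototype code: keys e = d · P, Enc(e, M) = {r · P, r · e + M}, Dec(d, C) = C2 − d · C1, plus a check of the matching-attack point from Section 2.4 (ii), namely that two encryptions of the same M differ because r is fresh per session. The curve y² = x³ + 2x + 2 over GF(17) with base point (5, 1) of order 19, the scalars, and the message point are constructed toy values, far too small for real use.

```python
# Added example (not from the paper): toy EC-ElGamal following Table 1,
# Enc(e, M) = {r*P, r*e + M} and Dec(d, C) = C2 - d*C1.
# Curve, base point and scalars are constructed toy values for illustration.
import secrets

P_MOD = 17                 # field prime p (toy size)
A_COEF, B_COEF = 2, 2      # curve E: y^2 = x^3 + 2x + 2 over GF(17)
BASE_POINT = (5, 1)        # base point P on E; the group it generates has 19 points
ORDER = 19                 # order of BASE_POINT (prime)
INF = None                 # point at infinity (group identity)


def on_curve(pt):
    """True if pt is the identity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def ec_add(p1, p2):
    """Group law on E in affine coordinates (chord-and-tangent rule)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                        # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_neg(pt):
    """Additive inverse of a point."""
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)


def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def keygen(d):
    """Private key d, public key e = d*P as in Table 1."""
    return d, ec_mul(d, BASE_POINT)


def encrypt(e, msg_point, r=None):
    """Enc(e, M) = {C1, C2} = {r*P, r*e + M}; r must be fresh for every session."""
    if r is None:
        r = secrets.randbelow(ORDER - 1) + 1   # r in [1, ORDER-1]
    c1 = ec_mul(r, BASE_POINT)
    c2 = ec_add(ec_mul(r, e), msg_point)
    return (c1, c2)


def decrypt(d, cipher):
    """Dec(d, C) = C2 - d*C1 recovers the message point M."""
    c1, c2 = cipher
    return ec_add(c2, ec_neg(ec_mul(d, c1)))


def matching_attack_guess_hits(e, guess_point, observed_cipher, r_guess):
    """Section 2.4 (ii): an eavesdropper encrypts a guessed plaintext under
    the public key and compares it with an observed ciphertext. The comparison
    can only succeed if the sender used the same r, which fresh per-session
    randomness prevents; a fixed r would make this comparison reliable."""
    return encrypt(e, guess_point, r_guess) == observed_cipher


if __name__ == "__main__":
    d, e = keygen(13)
    m = ec_mul(5, BASE_POINT)     # message embedded as a curve point
    c = encrypt(e, m)             # random r, so the ciphertext varies per run
    assert decrypt(d, c) == m
    print("public key:", e, "round trip ok, attacker hit with r=7:",
          matching_attack_guess_hits(e, m, c, 7))
```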

3. Review of Huang’s Mobile Healthcare System [5] and Its Weaknesses

Huang et al. [5] overcame the weaknesses surrounding damage of privacy in [4]. Huang et al. [5] assumed that the KDC (Key Distribution Center) is trustworthy, and that cloud storage permits only authorized users to access and use stored data. To solve the low-power limitation of WBAN, [4] used the ElGamal cryptosystem with elliptic curves for their mobile healthcare scheme. Furthermore, they assumed that a smartphone is tamper-resistant. Excluding the above constraints, all the entities and communications are not secure. Figure 2 presents the communication protocols in [5]. However, we have found [5]’s weaknesses with the several attack points listed below.

(i) No Consideration about Malicious Network Entities. Reference [5] did not consider that a cellular network operator is able to monitor all the communications passing through the cellular network. Therefore, the malicious operator can observe a source address and destination address via healthcare cloud storage. In addition, the attacker can guess what periodical data is related to the sender’s health data. If a cloud storage provider colludes with a cellular network operator, a patient’s biometric data could be leaked. Of course, the cloud storage provider cannot know the precise user from $\langle Aid_k, c_x^k \rangle$. However, they can ask a cellular network operator to identify a user’s real identity through an alias. Therefore, a patient’s privacy might be breached.

(ii) Weaknesses against Eavesdropping Attack and Collusion Attack. First, a doctor sends unencrypted querying data to KDC without any malicious intent. Then, a malicious cellular network operator is able to extract $Aid_k$ from $\langle MAC, j, c_A^k, Aid_k, T \rangle$ and tell the $Aid_k$ to a malicious cloud provider. After time passes, the malicious cellular network operator observes a doctor’s request $str^* = \langle ID \,|\, date \,|\, time \,|\, type \rangle$ and the response of KDC, $Aid^*$ and $x_A^{str^*}$. Then, the attacker compares the stored $Aid_k$ with $Aid^*$. If the attacker finds the matching $Aid^*$, they can get $x_A^{str^*}$ easily. Lastly, they share $x_A^{str^*}$ with the malicious cloud provider. Finally, they are able to decrypt $b_A^k$ from $c_A^k$.

(iii) No Given Guarantee of Unlinkability. Huang’s scheme has the weakness of unlinkability by collusion attack.

4. Our Proposed Scheme for Mobile Healthcare System

4.1. Motivation. The objective of our proposed scheme is to preserve a patient’s anonymity by hiding his source address in the network environment. We are inspired by the Tor network, which is well known for concealing routes in the network. The major characteristic of a Tor network circuit is to use the onion ring structure consisting of multilayered cryptographic routers. When more routers participating in the Tor network exist, the attacker with high-tech capability finds the source and destination address [9]. In other words, the encapsulated packets move to the next hop by decrypting the cryptographic ring of each router in the circuit. Therefore, a router cannot know the information but only recognizes the next router. Consequently, the Tor circuit provides an untraceable route. Similarly, Ardagna et al. [10] present an anonymous communication model over cellular network environments. We apply the communication model in [10] to our scheme using the cryptographic scheme in [5] to overcome the weaknesses in Section 3.

4.2. Anonymity Model. von Ahn et al. [11] state that in the k-anonymity message transmission model a transmitter picked from the transmitter’s group sends a message to a receiver, who is also chosen from the receiver’s group. The attacker cannot determine the original source transmitter or the destination receiver among the k members of the groups. This model is known to be robust against selective nonparticipants. Ardagna et al. [10] extend the concept of [11] for assuring end-to-end anonymity in wireless cellular networks. They address (α, β)-anonymity whose aim is to link the original source sender to the actual destination receiver. The definition is shown in Definition 1. In this paper, we achieve (α, β)-anonymity with α devices in a patient’s friend group and β devices in a doctor’s friend group.

Definition 1. (α, β)-anonymity is kept if the attacker cannot associate a device s among the α devices of a transmitter’s group with a device r among the β devices of a receiver’s group.

4.3. Our Scheme for Secure and Anonymous Mobile Healthcare System

4.3.1. Registration Process. This step concerns the initialization process of a system similar to [5]’s scheme. First, a patient A registers their identity with the KDC (Key Distribution Center). KDC generates a pair of public and private keys for them. For successful registration, KDC derives the master public key $Y_A = \{y_A^1, \dots, y_A^n\}$ and the master private key $X_A = \{x_A^1, \dots, x_A^n\}$. And it generates a secret $S_A = \{s_A^1, \dots, s_A^n\}$ for a patient A, where $y_A^i, x_A^i, s_A^i \in GF(q)$ and $y_A^i = x_A^i \cdot P$ ($1 \le i \le n$). And, it sends a key ring $K = \{K_1, \dots, K_m\}$ to patient A’s smartphone.

4.3.2. Gathering Patient’s Biometric Data and Sender’s Communication. We adopt (α, β)-anonymity to keep the anonymity of patient A’s identification. First, body-sensors gather patient A’s biometric data and encrypt the data. Then, they send the encrypted data to patient A’s smartphone $P_A$. The smartphone $P_A$ generates a message m like [5]. Next, $P_A$ searches for its trustworthy friends’ phones by sending “probe requests” to Wi-Fi networks periodically. The phones of A’s friends should have been registered in the healthcare cloud clone and are currently available to forward patient A’s data within the proximity Wi-Fi network. Then, $P_A$ checks for at least α − 1 phones to keep the sender’s α-anonymity from a malicious cellular network operator. Then, $P_A$ chooses a device $d_i$ in the α sender’s group and assembles a message M as follows. (i) It encrypts $c_i$, which is a clone of $d_i$, with the public key of the cloud proxy $PU_{pr}$. (ii) It encrypts the first destination clone $c_A$, which is a clone of patient A’s smartphone $P_A$, and a parameter α with the public key $PU_{c_i}$. (iii) It encrypts patient A’s biodata and the parameter β for clone communication. It also encrypts doctor B’s clone $c_B$ with the public key of clone $c_A$, $PU_{c_A}$. The message M is the following equation:

$$M = \{Enc(PU_{pr}, c_i),\ Enc(PU_{c_i}, \langle c_A, \alpha \rangle),\ Enc(PU_{c_A}, \langle c_B, \beta, m \rangle)\}. \quad (1)$$

Patient A’s smartphone sends the message M to devices chosen with probability 1/α, and each device consecutively forwards M to other chosen devices until $d_i$ is found. Finally $d_i$ also forwards M to a cloud proxy pr in HSP. Next, pr decrypts $Enc(PU_{pr}, c_i)$ of M and checks the next destination $c_i$. Then, pr sends the rest of message M, which is $\mathring{M}$ as (2), to $c_i$:

$$\mathring{M} = \{Enc(PU_{c_i}, \langle c_A, \alpha \rangle),\ Enc(PU_{c_A}, \langle c_D, \beta, m \rangle)\}. \quad (2)$$

The clone $c_i$ decrypts $Enc(PU_{c_i}, \langle c_A, \alpha \rangle)$ of $\mathring{M}$. Then, $c_i$ chooses α clones and broadcasts $\ddot{M}$ as (3) to the other α − 1 clones including $c_A$ to hide the precise destination from the malicious cloud providers. Finally, only $c_A$ can decrypt $\ddot{M}$ as (3) and store m. Figure 4 shows gathering a patient’s biometric data and a sender’s communication:

$$\ddot{M} = Enc(PU_{c_A}, \langle c_D, \beta, m \rangle). \quad (3)$$

4.3.3. Clones Communication. In this step, $c_A$ sends the biodata m to the doctor’s cloud clone $c_D$. Figure 5 shows the clone communication in HSP. First, $c_A$ searches β cloud clones associated with a doctor’s clone $c_D$ to achieve β-anonymity, because wireless cellular network operators have to choose the real source clone with the probability of 1/β. Then, $c_A$ selects a random doctor’s friend’s clone $c_j$ that will receive the transmitter’s message first among the β receiver’s clones to confuse the malicious cloud provider with ambiguity of the destination. Then, $c_A$ assembles a new message $\tilde{M}$ as (4) to send it to $c_i$. If so, it would be hard for a malicious cloud provider to recognize the real final destination of the messages. $\tilde{M}$ is encrypted with the public key of $c_i$ to conceal the next destination clone $c_j$, the final destination $c_D$, and the patient data m:

$$\tilde{M} = \{Enc(PU_{c_i}, \langle c_j,\ Enc(PU_{c_j}, \langle c_D, \beta \rangle),\ Enc(PU_{c_B}, m) \rangle)\}. \quad (4)$$

$c_A$ sends $\tilde{M}$ to his friend $c_i$ and $c_i$ checks the next hop $c_j$ from the decrypted $\tilde{M}$. Then, $c_i$ forwards M as (5), the rest of $\tilde{M}$, to $c_j$:

$$M = \{Enc(PU_{c_j}, \langle c_D, \beta \rangle),\ Enc(PU_{c_B}, m)\}. \quad (5)$$

Then, $c_j$ finds the parameter β and the destination $c_D$. Next, it broadcasts the message M as in

$$M = Enc(PU_{c_B}, m). \quad (6)$$

4.3.4. Receiver’s Communication. In this step, the doctor’s clone $c_D$ forwards m to a doctor’s smartphone $d_B$ by using the friend’s clone $c_j$. First, $c_D$ searches $c_j$ devices in the proximity of the doctor’s smartphone $d_B$. $c_D$ sends the newly assembled message $\hat{\hat{M}}$ as (7) to $c_j$:

$$\hat{\hat{M}} = Enc(PU_{c_j}, \langle d_j,\ Enc(PU_{d_j}, Enc(PU_{d_B}, m)) \rangle). \quad (7)$$

$c_j$ checks the destination of his device and transmits $\hat{M}$ as (8), the rest of message $\hat{\hat{M}}$, to the cloud proxy pr. pr forwards $\hat{M}$ to phone $d_j$ over the cellular network. However, a malicious cellular network operator cannot recognize the precise destination $d_B$ in $\hat{M}$. After receiving the message, $d_j$ decrypts the message and broadcasts $Enc(PU_{d_B}, m)$ to all devices in the proximity of the doctor’s smartphone. Finally, only the doctor’s smartphone can decrypt the message and get m. Next, the doctor’s smartphone verifies the MAC to confirm the integrity of the message:

$$\hat{M} = \langle d_j,\ Enc(PU_{d_j}, Enc(PU_{d_B}, m)) \rangle. \quad (8)$$

Figure 4: Gathering patient’s biometric data and sender’s communication. (Image not reproduced; recovered labels: KDC sends $S_A, Y_A, K$ and patient A stores $\langle S_A, Y_A, K \rangle$; the sensor senses $b_A^k$; patient A calculates $y_A^{str_k} = \sum_{i=1}^{n} h_i(s \,|\, str_k)\, y_A^i$, encrypts $c_A^k = Enc(y_A^{str_k}, b_A^k \,|\, r)$, generates $MAC = h(K_k \,|\, c_A^k \,|\, T)$ and $m = \langle MAC, j, c_A^k, T \rangle$, and assembles $M = \{Enc(PU_{pr}, c_i), Enc(PU_{c_i}, \langle c_A, \alpha \rangle), Enc(PU_{c_A}, \langle c_D, \beta, m \rangle)\}$; M passes through the α-devices $d_1, d_2, \dots, d_i$, the ISP and the cloud proxy to clone $c_i$, which broadcasts $\ddot{M}$ to the α-clones ($c_A$, $c_*$); only $c_A$ decrypts $\ddot{M}$.)

Figure 5: Clones communication. (Image not reproduced; recovered labels: clone $c_A$ sends $\tilde{M} = \{Enc(PU_{c_i}, \langle c_j, Enc(PU_{c_j}, \langle c_D, \beta \rangle), Enc(PU_{c_B}, m) \rangle)\}$ to clone $c_i$; $c_i$ forwards $M = \{Enc(PU_{c_j}, \langle c_D, \beta \rangle), Enc(PU_{c_B}, m)\}$ to clone $c_j$; $c_j$ broadcasts $M = Enc(PU_{c_B}, m)$ to the β-clones ($c_*$, $c_B$); only $c_B$ decrypts M.)

4.3.5. Decryption of Patient’s Biodata. The doctor asks KDC for the information $str_k$ in order to decrypt the message $c_A^k$. At this time, the doctor searches his friend’s devices $d_j$ randomly to forward the request as in the above transmitter’s communication. Then, the doctor’s smartphone sends a message $Enc(PU_{d_j}, \langle KDC, Enc(PU_{KDC}, B \,|\, str_k) \rangle)$ to a nearby random device and the device forwards it until $d_j$ is found. Finally, $d_j$ transmits the above message to KDC. KDC computes the master key $x_A^{str_k} = \sum_{i=1}^{n} h_i(s \,|\, str_k)\, x_A^i$ and encrypts it with the doctor’s public key $PU_B$. Then, KDC sends the response cipher text as (9) to the device $d_j$. Then, the device $d_j$ broadcasts the message $Enc(PU_{d_B}, x_A^{str_k})$ to nearby devices including the doctor’s smartphone. Only the doctor’s smartphone can obtain the master key of $c_A^k$. Then, it decrypts $c_A^k$ and gains $b_A^k$ as in (10). Figure 6 presents the receiver’s communication and decryption of patient’s biodata:

$$Enc(PU_{d_j}, Enc(PU_{d_B}, x_A^{str_k})), \quad (9)$$
$$Dec(x_A^{str_k}, c_A^k) = b_A^k \,|\, r. \quad (10)$$

Figure 6: Receiver’s communication and decryption of patient’s biodata. (Image not reproduced; recovered labels: in the ⟨Cloud storage domain⟩, clone $c_B$ sends $\hat{\hat{M}} = Enc(PU_{c_j}, \langle d_j, Enc(PU_{d_j}, Enc(PU_{d_B}, m)) \rangle)$ to clone $c_j$, which passes $\hat{M} = \langle d_j, Enc(PU_{d_j}, Enc(PU_{d_B}, m)) \rangle$ through the cloud proxy and the ISP to phone $d_j$; $d_j$ broadcasts $Enc(PU_{d_B}, m)$ and only phone $d_B$ decrypts it; phone $d_B$ sends $Enc(PU_{d_j}, \langle KDC, Enc(PU_{KDC}, B \,|\, str_k) \rangle)$ via phones $d_1, d_2, \dots, d_i$ so that $d_j$ relays $Enc(PU_{KDC}, B \,|\, str_k)$ to KDC; KDC returns $Enc(PU_{d_m}, Enc(PU_{d_B}, x_A^{str_k}))$, $d_j$ broadcasts $Enc(PU_{d_B}, x_A^{str_k})$, and $d_B$ decrypts $Dec(x_A^{str_k}, c_A^k) = b_A^k$.)

Table 3: The initial assumption and expected goal for our proposed scheme.

| Resistance to/provision | Ours | [4] | [5] |
|---|---|---|---|
| Eavesdropping attack | ○ | △ | △ |
| Matching attack | ○ | ○ | ○ |
| Replay attack | ○ | ○ | ○ |
| Collusion attack | ○ | ○ | ○ |
| Provision of unlinkability | ○ | × | × |

5. Security Analysis

This section discusses how our proposed scheme satisfies the security requirements in Section 2, comparing with [4] and [5]. Table 3 presents the summary of the comparison.

5.1. Resistance to Collusion Attack and Provision of Unlinkability. Our protocol satisfies sender unlinkability if, for any two actions, the adversary cannot determine whether these actions are executed by the same user. To protect from a malicious cloud provider, our proposed scheme also uses an alias for the patient’s biometric data when the data is stored in a cloud clone. Accordingly, the malicious cloud provider cannot precisely link the identification of stored data from the used aliases. In addition, we apply anonymous communications similar to the onion routers of the Tor network [9], as stated in Section 4. The patient selects random devices in order to hide the original source from a cellular network operator. In order to identify the real source or destination, the malicious cellular network operator has to guess a certain user with probability 1/α (or 1/β). If α (or β) is large enough, it is harder for the cellular network operator to guess the identifications. Thus, we can achieve (α, β)-anonymity. Also, the patient’s biometric data is not transmitted to his own cloud clone directly. Instead, their friend’s clone broadcasts the encrypted message to other clones. Thus, it is impossible for the cloud provider and the cellular network operator to collude because neither can link the original source with the destination. In conclusion, our enhanced privacy-preserving mobile healthcare system overcomes the weaknesses of [4, 5].

5.2. Resistance to Eavesdropping Attack. One of the main weaknesses in [4, 5] is not being resistant against eavesdropping attacks. Of course, there exist cryptographic protocols in [4, 5], such as IBE-Lite. However, unencrypted KDC requests from a doctor in [4, 5] can reveal the patient’s identification in $str_k$ to a cellular network operator. To make matters worse, the cellular network operator can observe the response $x_A^{str_k}$. However, we encrypt every message and get a master key

5.4. Resistance to Impersonation Attack. All entities in our proposed scheme are provided with cryptographic keys by a trustworthy organization, KDC. Also, all processes of identification in communication use the entities’ own keys. Therefore, our mobile healthcare system is secure.

To verify the validity of our proposed scheme, we implemented the prototype with Java 2 Standard Edition (J2SE Ver 1.7) platforms to support HTTP connections between smartphones and a cloud server. We used the Nexus 5 emulator in Android Studio in lieu of smartphones. In addition, we used a laptop as a testbed of the cloud service which has a 2.2 GHz Intel Core-i5 CPU and 8 GB RAM. For simulating the elliptic curve public key cryptography, we used the JECC (Java Elliptic Curve Cryptography) package and arbitrary data packets which are similar to [5]’s data set. We then set up the testbeds for analyzing performance. First, we checked the encryption and decryption overhead of the whole process in the ElGamal cryptosystem with elliptic curves. Figure 7 shows the comparison between our proposed scheme and [5]’s when α and β each have 20 phones. The transaction time for health monitoring is the amount of gathered biometric information that is sent to the destination at once. We can see that the time between [5] and ours is not much different and our scheme does not impose a temporal burden on the system even though our scheme uses the friends’ phones for anonymous communication. Second, we checked the communication overhead with various α senders and β receivers. We chose the maximum number of senders and receivers to be 36 and compared all possible α sets and β sets. In Figure 8, we can see that the number of senders and receivers is not a big factor affecting the communication overhead.

Figure 7: Comparison between ours and [5]. (Image not reproduced; recovered labels: x-axis “The number of patient’s biodata sets (a datum = approximately 20 bytes)” with ticks from 15 to 180; y-axis from 0 to 2500; series include Huang et al. [5].)

Figure 8: Communication overhead with various α senders and β receivers. (Image not reproduced; recovered labels: x-axis “α number of senders : β number of receivers” with ratios 1:1, 1:9, 1:18, 1:36, 3:9, 9:1, 9:3, 9:9, 18:1, 18:36, 36:1, 36:18, 36:36; y-axis from 0 to 4500; series ECC (112 bits), ECC (160 bits), ECC (256 bits).)

7. Conclusion

We have proposed a novel and secure privacy-enhanced mobile healthcare scheme that is robust over the wireless cellular network. To the best of our knowledge, this is the first attempt for a mobile healthcare system to monitor over a cellular network. Our proposed scheme considers real network environments such as the ISP (Internet Service Provider) cellular network and it provides unlinkability between the patient’s alias and their real identification in all communication and also satisfies the security requirements for mobile healthcare systems. In addition, we show fairness in communication traffic and its efficiency, even though the system uses cryptographic encapsulation processes and forwards messages by using phones. However, the main limitation of our scheme is that several smartphones should exist for the anonymous communication. As a future extension of our proposed scheme, we will study anonymous network based mobile healthcare schemes considering all participants’ interests including insurance.

10

Ours

Transmission time (ms)

6. Performance Analysis

1

3:3

5.3. Resistance to Replay Attack and Matching Attack. Our proposed scheme, similar to [4, 5], provides a cryptographic scheme by using random numbers to protect against replay attacks and matching attacks. In this way, the attacker cannot guess the cipher text pattern and cannot reuse it. The attacker can use previous network packets and maliciously repeat them. Thus, the same pattern of information in communication is avoided.

3000

Transmission time (ms)

message in all of the communication steps to protect from eavesdropping attacks from any adversaries.

9

Notations

$P$: A base point of the elliptic curve $E$
$q$: Order of $P$, a large prime
$p$: $\mathrm{GF}(p)$, a finite field in ECC
$h()$: A one-way hash function $h : \{0,1\}^{*} \to \{0,1\}^{n}$
$X_A$: Patient $A$’s master private key, $X_A = \{x_A^{1}, x_A^{2}, \ldots, x_A^{n}\}$
$Y_A$: Patient $A$’s master public key, $Y_A = \{y_A^{1}, y_A^{2}, \ldots, y_A^{n}\}$
$S_A$: Patient $A$’s secret set, $S_A = \{s_A^{1}, s_A^{2}, \ldots, s_A^{n}\}$
$\mathrm{str}_k$: A string used to derive keys and aliases in the $k$th session, $\mathrm{str}_k = \langle \mathrm{ID} \mid \mathrm{date} \mid \mathrm{time} \mid \mathrm{type} \rangle$
$x_A^{\mathrm{str}_k}$: A decryption key of patient $A$ derived from $\mathrm{str}_k$
$y_A^{\mathrm{str}_k}$: An encryption key of patient $A$ derived from $\mathrm{str}_k$
$r$: Random number
$b_A^{k}$: Biodata of patient $A$ in the $k$th session
$K$: A key ring for MAC generation, $K = \{k_1, k_2, \ldots, k_m\}$
$A_{\mathrm{id}}^{k}$: An alias of patient $A$ in the $k$th session
$c_A^{k}$: Encrypted biodata of patient $A$ in the $k$th session
$S$: The concatenation of $S_A$, $S = s_A^{1} \mid s_A^{2} \mid \cdots \mid s_A^{n}$
$\mathrm{Enc}(K, P)$: ECC encryption algorithm with a key $K$ and a plaintext $P$
$\mathrm{Dec}(K, C)$: ECC decryption algorithm with a key $K$ and a ciphertext $C$
$d_A$: User $A$’s device (e.g., smartphone)
$c_A$: User $A$’s cloud clone
$\mathrm{PU}_A$: A public key of $A$
$\mathrm{PR}_A$: A private key of $A$.
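The replay and matching-attack protection of Section 5.3, written out with the notations above (str_k, r, b_A^k, c_A^k, the MAC key ring K and the alias A_id^k) as an added Python example; it is not the paper's prototype and not the authors' code. The alias and session-key derivations, the SHA-256 counter keystream standing in for the scheme's ECC Enc/Dec, and the receiving clone knowing the session's str_k (it shares the patient's secret) are all assumptions made here; the sample secret, key ring and biodata are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed long-term material for patient A (assumed values, not from the paper).
SECRET_A = b"patient-A-secret-set-S_A"          # stands in for the secret set S_A
KEY_RING = [b"k1-" * 5, b"k2-" * 5, b"k3-" * 5]  # MAC key ring K = {k_1, ..., k_m}

def h(*parts):
    """One-way hash h: {0,1}* -> {0,1}^256 over the '|'-joined parts."""
    return hashlib.sha256(b"|".join(parts)).digest()

def alias(secret, str_k):
    """Per-session alias A_id^k; assumed derivation h(secret | str_k), so the raw ID never travels."""
    return h(secret, str_k)[:8]

def keystream_xor(key, data):
    """Toy stand-in for the scheme's ECC Enc/Dec: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = h(key, start.to_bytes(4, "big"))
        out.extend(x ^ y for x, y in zip(data[start:start + 32], block))
    return bytes(out)

def mac_key(r):
    """Pick k_i from the key ring K; both sides derive the index i from the transmitted r."""
    return KEY_RING[int.from_bytes(r, "big") % len(KEY_RING)]

def send(secret, str_k, biodata, r=None):
    """Patient side: a fresh r per session makes c_A^k unrepeatable even when b_A^k repeats."""
    r = r if r is not None else secrets.token_bytes(16)
    c = keystream_xor(h(secret, str_k, r), biodata)   # session key stands in for y_A^{str_k}
    a = alias(secret, str_k)
    tag = hmac.new(mac_key(r), a + r + c, hashlib.sha256).digest()
    return {"alias": a, "r": r, "c": c, "tag": tag}

class CloudClone:
    """Receiver side: verifies the MAC, then refuses any (alias, r) pair it has seen before."""
    def __init__(self, secret):
        self.secret = secret
        self.seen = set()

    def receive(self, msg, str_k):
        expected = hmac.new(mac_key(msg["r"]), msg["alias"] + msg["r"] + msg["c"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return None                                # forged or modified packet
        if (msg["alias"], msg["r"]) in self.seen:
            return None                                # replayed packet
        self.seen.add((msg["alias"], msg["r"]))
        return keystream_xor(h(self.secret, str_k, msg["r"]), msg["c"])  # key stands in for x_A^{str_k}
```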

Competing Interests The authors declare that they have no competing interests.

Acknowledgments This work was supported by Institute for Information & Communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (R0101-16-0195, Development of EAL 4 level military fusion security solution for protecting against unauthorized accesses and ensuring a trusted execution environment in mobile devices).

References

[1] C. Humer and J. Finkle, “Your medical record is worth more to hackers than your credit card,” http://www.reuters.com/article/2014/09/24/us-cybersecurityhospitals-idUSKCN0HJ21I20140924.
[2] M. Burmester, T. Van Le, B. De Medeiros, and G. Tsudik, “Universally composable RFID identification and authentication protocols,” ACM Transactions on Information and System Security, vol. 12, no. 4, article 21, 2009.
[3] Y. Zhang, W. Liu, W. Lou, and Y. Fang, “Location-based compromise-tolerant security mechanisms for wireless sensor networks,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 247–260, 2006.
[4] C. C. Tan, H. Wang, S. Zhong, and Q. Li, “IBE-lite: a lightweight identity-based cryptography for body sensor networks,” IEEE Transactions on Information Technology in Biomedicine, vol. 13, no. 6, pp. 926–932, 2009.
[5] C. Huang, H. Lee, and D. H. Lee, “A privacy-strengthened scheme for E-healthcare monitoring system,” Journal of Medical Systems, vol. 36, no. 5, pp. 2959–2971, 2012.
[6] U.S. National Security Agency, “Fact Sheet NSA Suite B Cryptography,” https://www.nsa.gov/what-we-do/information-assurance/.
[7] NIST, Common Criteria for Information Technology Security Evaluation Version 3.1, revision 4, 2012.
[8] S. Steinbrecher and S. Köpsell, “Modelling unlinkability,” in Privacy Enhancing Technologies, R. Dingledine, Ed., vol. 2760 of Lecture Notes in Computer Science, pp. 32–47, Springer, Berlin, Germany, 2003.
[9] R. Dingledine, N. Mathewson, and P. Syverson, Tor: The Second Generation Onion Router, Naval Research Lab, Washington, DC, USA, 2004.
[10] C. A. Ardagna, M. Conti, M. Leone, and J. Stefa, “Preserving smartphone users’ anonymity in cloudy days,” in Proceedings of the IEEE 2013 22nd International Conference on Computer Communication and Networks (ICCCN ’13), pp. 1–5, Nassau, Bahamas, August 2013.
[11] L. von Ahn, A. Bortz, and N. J. Hopper, “K-anonymous message transmission,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS ’03), pp. 122–130, ACM, October 2003.