Abstract Wireless body area networks (WBANs) are expected access these data [7]. Therefore, it is important to design an
to act as an important role in monitoring the health information efficient access control scheme that is capable of authorizing,
and creating a highly reliable ubiquitous healthcare system. Since authenticating and revoking a user to access the WBANs.
the data collected by the WBANs are used to diagnose and
treat, only authorized users can access these data. Therefore, Without this access control, the health data may be abused,
it is important to design an access control scheme that can which may result in a catastrophic consequence. However, it is
authorize, authenticate, and revoke a user to access the WBANs. not an easy thing to design an efficient access control scheme
In this paper, we first give an efficient certificateless signcryption for the WBANs because the resource of the sensor nodes is
scheme and then design an access control scheme for the WBANs very limited.
using the given signcryption. Our scheme achieves confidentiality,
integrity, authentication, non-repudiation, public verifiability,
A. Related Work
and ciphertext authenticity. Compared with existing three access
control schemes using signcryption, our scheme has the least Security issues in the WBANs must be solved before
computational cost and energy consumption for the controller. real development [7]. Some secure schemes for the WBANs
In addition, our scheme has neither key escrow nor public key have been proposed for different security goals. In 2013,
certificates, since it is based on certificateless cryptography.
Hu et al. [8] discussed how to protect the communication
Index Terms Wireless body area networks, security, access between external users and the WBANs. Their solution is
control, signcryption, certificateless cryptography. attribute-based encryption (ABE) [9]. However, the ABE may
not be a good choice since it requires some costly crypto-
I. I NTRODUCTION graphic operations. These costly operations are a heavy burden
for resource-limited sensor nodes [7]. Lu et al. [10] proposed a
W ITH the rapid progress in wireless communi-
cation and medical sensors, wireless body area
networks (WBANs) [1], [2] are under rapid research and
privacy preserving opportunistic method for the WBANs. This
method can obtain reliable data process and transmission with
development. A typical WBAN is composed of a number minimal privacy disclosure. Zhao et al. [11] discussed the key
of implantable [3], [4] or wearable sensor nodes and a management problem of the WBANs. In order to reduce the
controller [5]. The sensor nodes are responsible for mon- energy consumption, they used energy-based multihop-route-
itoring a patients vital signs (e.g. electrocardiogram, heart choice method and biometrics synchronization mechanism.
rate, breathing rate and blood pressure) and environmental He et al. [12] discussed how to provide a secure commu-
parameter (e.g. temperature, humidity and light). The sensor nication channel in the WBANs. They used the lightweight
nodes communicate with the controller and the controller one-way hash chain to establish session keys. Tan et al. [13]
acts as a gateway that sends the collected health data to the designed an efficient identity-based encryption (IBE) scheme
healthcare staffs and network servers. The WBANs increase named IBE-Lite for the WBANs. Compared with the tradi-
the efficiency of healthcare since a patient is no longer required tional public key infrastructure (PKI) that employs a digital
to visit the hospital frequently. The clinical diagnosis and certificate to bind an identity and an public key, the identity-
some emergency medical response can also be realized by based cryptography (IBC) [14] does not require digital cer-
the WBANs. Therefore, the WBANs act as an important role in tificates. A users public key is computed from its identity
creating a highly reliable ubiquitous healthcare system. A good information, such as identification numbers, e-mail addresses
survey about the current state-of-art of WBANs is given by and IP addresses. The users private key is produced by
Movassaghi et al. [6]. a trusted third party named private key generator (PKG).
Since collected data by the WBANs act as a vital role in Authenticity of a public key is explicitly achieved without
the medical diagnosis and treatment, only authorized users can an attached certificate. Therefore, the IBC eliminates certifi-
cate management trouble of the traditional PKI, including
Manuscript received February 18, 2016; revised April 8, 2016; accepted generation, distribution, storage, verification and revocation.
April 11, 2016. Date of publication April 15, 2016; date of current version
June 2, 2016. This work was supported in part by the Fundamental Research Although the lightweight IBC is very suitable for resource-
Funds for the Central Universities under Grant ZYGX2013J069 and in part constrained WBANs, it has key escrow problem since the PKG
by the National Natural Science Foundation of China under Grant 61073176, learns all users private keys. That is, the PKG is capable
Grant 61272525, Grant 61302161, and Grant 61462048. The associate editor
coordinating the review of this paper and approving it for publication was of decrypting a ciphertext in an IBE scheme and forging a
Prof. M. R. Yuce. signature for a message in an identity-based signature (IBS)
The authors are with the School of Computer Science and Engineering, scheme. Therefore, the IBC only fits small networks, such
University of Electronic Science and Technology of China, Chengdu 611731,
China (e-mail: fagenli@uestc.edu.cn; 735838075@qq.com). as the WBANs, and does not fit large-scale networks, such
Digital Object Identifier 10.1109/JSEN.2016.2554625 as the Internet. However, the goal of the access control
1558-1748 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted,
but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
5390 IEEE SENSORS JOURNAL, VOL. 16, NO. 13, JULY 1, 2016
important advantage of the CLC than the IBC. When a user H4 : (G 2 {0, 1} )3 Zp . Here n is the number of
hopes to access the monitoring data of the WBAN, it first bits of a message to be sent. The KGC randomly selects a
sends a query message to the WBAN. Then controller checks master secret key s Zp and computes the corresponding
if the user has been authorized to access the WBAN. If yes, public key Ppub = s P. The KGC publishes the system
the controller sends collected data to the user in a secure way. parameters {G 1 , G 2 , p, e, n, P, Ppub , g, H1, H2 , H3 , H4} and
Otherwise, the controller refuses the query request. keeps s secret. Here g = e(P, P) is a generator of G 2 .
Set-Secret-Value: A user with identity I DU chooses
B. Security Requirements a random xU Zp as the secret value.
The communication between the user and the controller Set-Public-Value: Given a secret value xU , this algorithm
should satisfy at least four security properties, i.e. confiden- returns the public value yU = g xU .
tiality, authentication, integrity and non-repudiation. Confiden- Partial-Private-Key-Extract: A user submits its identity
tiality keeps query messages secret from the others except the I DU and public value yU to the KGC. The KGC computes
user and the controller. Authentication ensures that only the the partial private key
authorized user can access the WBAN. Integrity ensures that 1
DU = P
a query message from the user has not been altered by some H2 (yU , I DU ) + s
unauthorized entities. Non-repudiation prevents the denial of and sends DU to the user.
previous queries submitted by the user. That is, if the user Set-Private-Key: Given a partial private key DU and a
has submitted a query message to the WBAN, it can not deny secret value xU , this algorithm returns a full private key
its action. In addition, we also hope that this communication SU = (xU , DU ).
satisfies public verifiability and ciphertext authenticity. The Set-Public-Key: Given a full private key SU = (xU , DU )
public verifiability means that a third party can verify the and a public value yU , the user does the following steps:
validity of a ciphertext without knowing the controllers private
1) Choose Zp randomly.
key. The ciphertext authenticity means that a third party can
2) Compute rU = g
verify the validity of a ciphertext without decrypting it.
3) Compute h U = H1(rU , yU , I DU ).
4) Compute TU = ( xU h U )DU .
C. Bilinear Pairings
5) Output a full public key (yU , h U , TU ).
Let G 1 and G 2 be two cyclic groups that have the same
Public-Key-Validate: Given a full public key (yU , h U , TU ),
prime order p. G 1 is an additive group and G 2 is a multiplica- p
a verifier checks that yU has order p (i.e. yU = 1 but yU = 1)
tive group. Let P be a generator of G 1 . A bilinear pairing is
and follows the steps below:
a map e : G 1 G 1 G 2 with the following properties: h
1) Compute rU = e(H2(yU , I DU )P + Ppub , TU )yUU
1) Bilinearity: e(a P, b Q) = e(P, Q)ab for all P, Q G 1 ,
2) Compute h U = H1(rU , yU , I DU ).
a, b Zp . 3) Accept the public key if and only if h U =h .
U
2) Non-degeneracy: There are P, Q G 1 such that
Signcrypt: Given a message m, a senders secret value x A ,
e(P, Q) = 1. Here 1 is the identity element of G 2 .
identity I D A and public value y A , and a receivers identity
3) Computability: e(P, Q) can be efficiently computed for
I D B and public value y B , this algorithm works as follows.
all P, Q G 1 .
1) Choose Zp randomly.
The modified Weil pairing and Tate pairing supply admissible
maps of this type. Please refer to [14] for details. 2) Compute r = y B .
3) Compute c = m H3(r ).
4) Compute h = H4 (r, m, y A , I D A , y B , I D B ).
III. A C ERTIFICATELESS S IGNCRYPTION S CHEME
5) Compute z = /(h + x A ) mod p
In 2008, Barreto et al. [22] proposed an efficient certificate- 6) Output a ciphertext = (c, h, z).
less signcryption scheme (hereafter called BDCPS). However, Unsigncrypt: Given a ciphertext = (c, h, z), a senders
this scheme can not be directly used to design an access control identity I D A and public value y A , and a receivers secret value
scheme for the WBANs because it can not provide public x B , identity I D B and public value y B , this algorithm works
verifiability and ciphertext authenticity. In this section, we first as follows.
review BDCPS and then point out its weakness. Finally, we
1) Compute r = y Ax B z y hz
B .
give a modified scheme that is suitable for the design of an
2) Compute m = c H3(r ).
access control scheme for the WBANs.
3) Compute h = H4(r, m, y A , I D A , y B , I D B ).
4) Accept the message if and only if h = h, return the
A. The BDCPS Scheme false symbol otherwise.
The BDCPS consists of the following nine algorithms. The main characteristic of BDCPS is that BLMQ identity-
Setup: Given a security parameter k, the KGC chooses based signature [23], Schnorr signature [24], and Zheng
an additive group G 1 and a multiplicative G 2 of the same signcryption [19] are integrated into a certificateless sign-
prime order p, a generator P of G 1 , a bilinear map e : cryption. In fact, in Signcrypt and Unsigncrypt algorithms,
G 1 G 1 G 2 , and four hash functions H1 : G 22 {0, 1} BDCPS is similar to Zheng signcryption scheme except the
Zp , H2 : G 2 {0, 1} Zp , H3 : G 2 {0, 1}n and h value. In BDCPS, the identities and public values of both
5392 IEEE SENSORS JOURNAL, VOL. 16, NO. 13, JULY 1, 2016
the sender and the receiver are included in H4. This change
can thwart the key replacement denial-of-decryption attack.
In addition, Set-Public-Key and Public-Key-Validate bind the
identity I DU and public value yU . A user can generate a full
public key (yU , h U , TU ) only if it know the corresponding full
private key SU = (xU , DU ). The BDCPS has been proved to
satisfy confidentiality (i.e. indistinguishability against adap-
tive chosen ciphertext attack (IND-CCA2)) and unforgeability
(i.e. existential unforgeability against adaptive chosen mes-
sages attack (EUF-CMA)) in [22].
TABLE I
C OMPARISON OF P ERFORMANCE
C. Authentication and Authorization Phase is 2016-12-31, the user only can access the WBAN before
When the user with identity I D A wants to access the December 31, 2016. That is, the full private key and full
monitoring data of the WBAN, it first produces a query mes- public key of the user automatically become illegal after
sage m and runs Signcrypt algorithm to generate a ciphertext December 31, 2016. If we need to revoke the users access
= (c, h, z). To resist the replay attack, we may concatenate privilege before the expiration date due to some reasons, the
the query message and a timestamp to form a new signcrypted SP can submit the revoked identity to the controller. The
message. Then the user sends the controller the ciphertext , controller keeps a list of revoked identities to identify
its identity I D A and full public key (y A , h A , T A ). When the validity of users.
getting the query request from the user, the controller first
runs Public-Key-Validate algorithm to check the validity of V. A NALYSIS OF THE ACCESS C ONTROL S CHEME
the received public key (y A , h A , T A ). If the public key is not In this section, we analyze the performance and security
valid, the controller immediately rejects the query request. properties of our access control scheme. First, we compare
Otherwise, the controller further computes t = y zA g hz and the main computational cost and communication cost of our
h = H4 (t, c, y A , I D A , y B , I D B ) and checks if h = h scheme with those of CK [17], HZLCL [20] and MXH [21]
holds. If not, it rejects the query request. Otherwise, the in Table I. The four schemes use different methods to design
user is authorized to access the data of the WBAN. In this the access control schemes. CK uses the IBSC, HZLCL uses
case, the controller computes r = t x B and recovers the FABSC, MXH uses PKI-based signcryption and our scheme
message m = c H3(r ). Then the controller can encrypt uses CLSC. We use the symbol P to denote a pairing operation,
the collected health data employing a symmetric cipher (such the symbol M to denote a point multiplication operation in G 1
as AES [27]) with the session key H3(r ) according to the and the symbol E to denote an exponentiation operation in G 2 .
query requirement m. This session key has been established The other operations are ignored since the three operations
between the controller and the user. Because the session key consume the most running time of the whole algorithm. Let
is only known by the controller and the user, we can achieve |x| be the number of bits of x. Since MXH is based on the
the confidentiality for future communication between them. traditional PKI system, we must verify the public key certifi-
In this access process, confidentiality, integrity, authentication cate before using a public key. Here we assume that the public
and non-repudiation are simultaneously achieved. In addition, key certificates are signed using ECDSA (elliptic curve digital
an important advantage of our scheme is to achieves the public signature algorithm) [28]. The ECDSA requires one point
verifiability and ciphertext authenticity. By using this modified multiplication operation in signing a message and two point
BDCPS scheme, full non-repudiation can be easily obtained. multiplication operations in verifying a signature. Therefore, in
In addition, any third party can verify the validity of the MXH, the controller needs two point multiplication operations
ciphertext without knowing the controllers private key and to verify a users public key certificate. From Table I, we know
the message m. Finally, the controller can throw away some that our scheme has less computational cost than the other
invalid ciphertexts without decryption. That is, the controller three schemes for both the user and the controller. For the
does not perform the fourth step of Unsigncrypt, which saves communication cost of the controller, MXH needs to receive
computational cost and energy consumption. If required, the the users certificate Cer t to verify its validity.
anonymity also can be gained by scrambling the users identity We give a quantitative evaluation for CK [17], HZLCL [20],
I D A and full public key (y A , h A , T A ) together with the MXH [21] and our scheme. Here we only consider the cost
message at the third step of Signcrypt algorithm. That is, of controller part since its resource is limited. For MXH,
we compute c = (I D A ||y A ||h A ||T A ||m) H3 (r ) instead of we adopt the experiment result in [29] on MICA2 which
c = m H3(r ). Of course, we should alter the output length is equipped with an ATmega128 8-bit processor clocked at
of H3 to adapt the length of the encrypted message. Such 7.3728 MHz, 128 KB ROM and 4 KB RAM. From [29],
modification do not affect the security and efficiency of our we learn that a point multiplication operation costs 0.81 s
scheme. using an elliptic curve with 160 bits p which represents 80-bit
security level. For the other three scheme, we adopt the
D. Revocation result in [30] on the same processor ATmega128. A pairing
The access privilege is revoked automatically by the expi- operation costs 1.9 s and an exponentiation operation in G 2
ration date E D. For example, if the expiration date E D costs 0.9 s using a supersingular curve y 2 + y = x 3 + x
5394 IEEE SENSORS JOURNAL, VOL. 16, NO. 13, JULY 1, 2016
TABLE II
C OMPARISON OF S ECURITY
[23] P. S. L. M. Barreto, B. Libert, N. McCullagh, and J.-J. Quisquater, [33] K. A. Shim, S2 DRP: Secure implementations of distributed reprogram-
Efficient and provably-secure identity-based signatures and signcryp- ming protocol for wireless sensor networks, Ad Hoc Netw., vol. 19,
tion from bilinear maps, in Advances in Cryptology (Lecture Notes in pp. 18, Aug. 2014.
Computer Science), vol. 3788. New York, NY, USA: Springer-Verlag, [34] K. Ren, W. Lou, K. Zeng, and P. J. Moran, On broadcast authentication
2005, pp. 515532. in wireless sensor networks, IEEE Trans. Wireless Commun., vol. 6,
[24] C. P. Schnorr, Efficient signature generation by smart cards, no. 11, pp. 41364144, Nov. 2007.
J. Cryptol., vol. 4, no. 3, pp. 161174, 1991.
[25] S. S. M. Chow, S. M. Yiu, L. C. K. Hui, and K. P. Chow, Efficient
forward and provably secure ID-based signcryption scheme with public Fagen Li (M14) received the Ph.D. degree in
verifiability and public ciphertext authenticity, in Information Security cryptography from Xidian University, Xian, China,
and Cryptology (Lecture Notes in Computer Science), vol. 2971. New in 2007. He was a Post-Doctoral Fellow with Future
York, NY, USA: Springer-Verlag, 2004, pp. 352369. University-Hakodate, Hokkaido, Japan, from 2008
[26] C. Gamage, J. Leiwo, and Y. Zheng, Encrypted message authentication to 2009, which is supported by the Japan Society
by firewalls, in Public Key Cryptography (Lecture Notes in Computer for the Promotion of Science. He was a Research
Science), vol. 1560. New York, NY, USA: Springer-Verlag, 1999, Fellow with the Institute of Mathematics for Indus-
pp. 6981. try, Kyushu University, Fukuoka, Japan, from 2010
[27] J. Daemen and V. Rijmen, The Design of Rijndael: AESThe Advanced to 2012. He is currently an Associate Professor with
Encryption Standard. Springer, 2002. the School of Computer Science and Engineering,
[28] D. Johnson, A. Menezes, and S. Vanstone, The elliptic curve digi- University of Electronic Science and Technology of
tal signature algorithm (ECDSA), Int. J. Inf. Secur., vol. 1, no. 1, China, Chengdu, China. He has authored more than 70 papers in international
pp. 3663, Aug. 2001. journals and conferences. His recent research interests include cryptography
[29] N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, Comparing and network security.
elliptic curve cryptography and RSA on 8-bit CPUs, in Cryptographic
Hardware and Embedded Systems (Lecture Notes in Computer Science), Jiaojiao Hong received the B.S. degree from Anhui
vol. 3156. New York, NY, USA: Springer-Verlag, 2004, pp. 119132. University, Hefei, China, in 2014. She is cur-
[30] K.-A. Shim, Y.-R. Lee, and C.-M. Park, EIBAS: An efficient identity- rently pursuing the masters degree with the School
based broadcast authentication scheme in wireless sensor networks, Ad of Computer Science and Engineering, University
Hoc Netw., vol. 11, no. 1, pp. 182189, Jan. 2013. of Electronic Science and Technology of China,
[31] X. Cao, W. Kou, L. Dang, and B. Zhao, IMBAS: Identity-based multi- Chengdu, China. Her research interests include cryp-
user broadcast authentication in wireless sensor networks, Comput. tography and information security.
Commun., vol. 31, no. 4, pp. 659667, Mar. 2008.
[32] F. Li, Z. Zheng, and C. Jin, Secure and efficient data transmission in
the Internet of Things, Telecommun. Syst., vol. 62, no. 1, pp. 111122,
2016.