Secure and Anonymous Three-Factor Authentication Scheme for Remote Healthcare Systems

Wireless medical sensor networks (WMSNs) play a significant role in increasing the availability of remote healthcare systems. The vital and physiological data of the patient can be collected using the WMSN via sensor nodes that are placed on his/her body and then transmitted remotely to a healthcare professional for proper diagnosis. The protection of the patient’s privacy and their data from unauthorized access is a major concern in such systems. Therefore, an authentication scheme with a high level of security is one of the most effective mechanisms by which to address these security concerns. Many authentication schemes for remote patient monitoring have been proposed recently. However, the majority of these schemes are extremely vulnerable to attacks and are unsuitable for practical use. This paper proposes a secure three-factor authentication scheme for a patient-monitoring healthcare system that operates remotely using a WMSN. The proposed authentication scheme is formally verified using the Burrows, Abadi and Needham’s (BAN) logic model and an automatic cryptographic protocol verifier (ProVerif) tool. We show that our authentication scheme can prevent relevant types of security breaches in a practical context according to the discussed possible attack scenarios. Comparisons of the security and performance are carried out with recently proposed authentication schemes. The results of the analysis show that the proposed authentication scheme is secure and practical for use, with reasonable storage space, computation, and communication efficiency.


Introduction
Wireless medical sensor networks (WMSNs) represent an important trend that has emerged recently to enhance the quality of healthcare services. The vital signs (e.g., blood pressure, blood sugar, etc.) can be obtained via sensor nodes placed on the patient's body, and they are transmitted via the WMSN to the monitoring device of a healthcare professional, enabling them to keep track of the patient's health [1]. In general, remote healthcare systems using WMSNs can not only monitor the health of patients in real time but also save time and money. In the same context, such healthcare systems increase the productivity of medical professionals, enable a reduction in healthcare locations, compensate for the lack of healthcare in remote locations, and provide immediate and continuous health advice to communities, particularly in an emergency-their benefits have been demonstrated during the current COVID-19 pandemic [2,3].
The main elements of the healthcare system, as shown in Fig. 1, are healthcare professionals, medical sensors, and a gateway node (GWN). The medical sensors are placed on the patient's body to collect the patient's physiological data and relay them to the GWN over the WMSN with minimal computational resources. The GWN is a trusted node which represents the provider of the healthcare service and has adequate computational resources to serve as a link between sensors and healthcare professionals [4][5][6].
The essential challenges in the implementation and use of a WMSN are associated with the patient's privacy and the credibility of the received medical instructions [3]. Due to the open nature of wireless networks, unauthorized parties can access, modify, and forward the transmitted messages to deliver incorrect instructions or advice to patients [7,8]. It is particularly dangerous if the unauthorized party is able to instruct the patient to disable the wearable sensor devices, such as heart pumps [9]. Moreover, unauthorized access to the sensitive data that have been collected by the sensor nodes can lead to a loss of employment or government health benefits for the patient, as well as inaccurate or fabricated medical records [3]. Furthermore, other types of attacks can be carried out due to the limited capabilities of the sensor nodes, such as smartcard loss, removing the anonymity of the healthcare professionals or patients, and man-in-the-middle, impersonation, insider, desynchronization, and replay attacks [3][4][10][11][12][13][14][15]. Therefore, the primary concern when implementing a healthcare system is ensuring the confidentiality, availability, and integrity of the services in order to protect the patients' privacy and the data that are transmitted between the different elements of the system [16,17]. Thus, an authentication scheme is considered the most effective method to achieve a high level of security in such systems.
Several authentication schemes have been proposed to provide a high level of security for healthcare systems using WMSNs. In 2015, He et al. [18] proposed a new two-factor authentication scheme for healthcare systems using WMSNs. They claimed that their scheme was secure against well-known attacks. However, Wu et al. [19] found that this scheme was vulnerable to different types of attacks, such as off-line estimation, user impersonation, and sensor node capture attacks. In 2017, an improved anonymous two-factor authentication protocol for healthcare applications with WMSNs was presented by Wu et al. [19], and they claimed that their improved authentication scheme was secure. Later, Srinivas et al. [20] indicated that the scheme proposed in [19] was vulnerable to smartcard theft and insider and user impersonation attacks. In 2018, a new two-factor authentication scheme for WMSNs was proposed by Amin et al. [21]. They claimed that their protocol could protect against existing well-known attacks. In 2019, Shuai et al. [9] noted that the authentication schemes proposed by Wu et al. [19] and Ali et al. [22] could not protect against a desynchronization attack or achieve a perfect forward secrecy feature. Therefore, they suggested a three-factor authentication scheme for remote patient observation using Figure 1: The healthcare monitoring architecture using WMSN sensor wireless networks. They claimed that their suggested scheme was lightweight and secure and could resolve the above-mentioned security concerns. In 2020, Fotouhi et al. [23] demonstrated that the authentication scheme that was proposed by Srinivas et al. [20] was unable to prevent an offline estimation attack, unable to achieve sensor anonymity with untraceability, and failed to provide forward secrecy services. Moreover, they also reported that the authentication schemes that were proposed in [19] and [21] were unable to ensure sensor anonymity, untraceability, or provide perfect forward secrecy services. Thus, they proposed a lightweight, secure two-factor authentication scheme for healthcare monitoring systems in order to prevent the mentioned attacks. In 2021, Nashwan [3] noted that the authentication schemes that were proposed by Fotouhi et al. [23] and Shuai et al. [9] could not support full mutual authentication or sensor node anonymity services, nor could it protect against a sensor node impersonation attack. Nashwan [3] proposed an authentication scheme for healthcare IoT systems using WMSNs to resolve the mentioned security concerns and to support a high level of security in such systems.
As mentioned previously, the authentication scheme is an essential strategy in preventing the current well-known attacks in remote healthcare systems. In this paper, we have designed a secure three-factor authentication scheme for healthcare systems using a WMSN to ensure a high level of security with reasonable computational and communication efficiency. The mutual authentication between the elements of the system has been verified using Burrows, Abadi and Needham's (BAN) logic mode. In addition, we have proven that the proposed authentication scheme is safe against various popular attacks using an automatic cryptographic protocol verifier (ProVerif) tool. The success of the proposed authentication scheme has been discussed in the context of different attack scenarios based on a comparison with other recently proposed authentication schemes. The results of the comparison illustrate that our authentication scheme is practical to use, with credible computation and communication efficiency.
The rest of this paper is presented as follows: our authentication scheme is presented in Section 2. The first part of section 3 discusses the formal verification of the proposed authentication scheme using BAN logic and the ProVerif tool. An informal security analysis of the proposed authentication scheme is performed in the second part of section 3. Section 4 presents the performance evaluation in terms of the computation, communication, and storage costs. Finally, we present our conclusions in Section 5.

Proposed Authentication Scheme
This section presents our proposed authentication scheme, which is a secure three-factor authentication scheme. The proposed authentication scheme includes four stages, namely healthcare professional registration, medical sensor node registration, login authentication and key agreement, and the password update stages. Moreover, there are three types of elements in our authentication scheme, namely the healthcare professional (Ui), GWN, and medical sensor node (SNj). In addition, the proposed authentication scheme is based on a symmetric cryptographic technique and a collection of one-way hash functions to achieve the desired security services. Furthermore, the fuzzy extractor function is used to randomly convert the biometric data of the healthcare professional into string values. The definition of the abbreviations that have been used in relation to the proposed authentication scheme throughout the next sections is listed in Tab. 1.

Healthcare Professional Registration Stage
The healthcare professional registration stage is depicted in Fig. 2. During this stage, the healthcare professional (Ui) becomes a legal user by completing the following steps with the service provider (GWN).
Step 1: The Ui selects his/her own identity (IDi) and password (PWi) and imprints his/her personal biometrics (BIOi) using an extraction generation function as < Fi, and Pi > = Gen (BIOi). After this, Ui calculates the BPWi = h1 (Fi), Vi = h3 (IDi ‖ PWi ‖ BPWi) and sends the M1: {IDi and Vi} to GWN as a registration request message using a reliable communication channel.
Step 2: After receiving M1: {IDi, and Vi} from the Ui, GWN checks whether the (IDi) has already been registered. If true, the GWN sends a denial notification message and requests that the Ui select another IDi. Otherwise, the GWN initiates sequence numbers as SSi0 = SSi1 = 0, computes SNi = h1 (SSi0), generates a pseudo-identity TIDi = h2 (IDi ‖ SNi), and initiates temporally identity TIDi* = ф. Moreover, it computes the KGWN−U = h2 (IDi ‖ XGWN), Di = KGWN−U ⊕ Vi, and Ci = h3 (IDi ‖ Vi ‖ KGWN−U), wherein the XGWN represents the GWN's secret key. After this, the GWN stores the Di, h1 (Ci), and SSi1 within a new smartcard (SC), transmits the SC to the Ui in a safe manner, and stores the values of the IDi, SSi0, TIDi, and TIDi* in the database of the healthcare service.
Step 3: Upon receiving the SC from GWN, the Ui completes the registration process by storing the Rep (.) and Pi.  Fig. 3 shows the sensor node registration stage. When a new sensor node (SNj) is activated to read the patient's physiological data and receive medical instructions from the Ui, the identification data of SNj should be registered in the GWN according to the following steps:

Sensor Node Registration Stage
Step 1: SNj sends a registration request message to GWN as M1: {IDSNj} over a reliable communication channel; the identity of SNj (IDSNj) was assigned to the sensor when it was developed.
Step 2: After receiving the registration request from SNj, the GWN generates an authentication session number SNj0 = (r1) randomly, sets the sensor sequence numbers as SSj0 = SSj1 = 0, inserts the SNj node's data into the sensor node database as [IDSNj, SSj0, and SNj0], and sends a response registration message M2: {SSj1 and SNj0} to SNj securely.
Step 3: Upon receiving M2 from GWN, the SNj stores the SSj1 and SNj0 parameters in its memory.

Login Authentication and Key Agreement Stage
Figs. 4a-4b shows the login and authentication and key agreement stage. During this stage, the Ui, GWN, and SNj can achieve mutual authentication and exchange the shared key between them. Therefore, after completing this stage, the SNj will enable the Ui to obtain the patient's vital signs through the GWN. The execution steps can be summarized as follows:  Then, the SC checks if the value of computed h1 (Ci*) matches with h1 (Ci) that was embedded in the smartcard by GWN. If not, then it will reject the login authentication request. Otherwise, the SC will consider the IDi, PWi, and BIOi* as valid values and the Ui as a legal user.
Step 2: After arriving (M1) from the Ui, the GWN fetches the Ui's record from the database of the healthcare service using the received value of the TIDi. Then, we have one of the following cases: , and verifies whether Vi1* matches Vi1. If not, the authentication session will be rejected by the GWN. Otherwise, the GWN will consider the Ui as a legal healthcare professional.
If not, then both the M1 and the authentication session will be rejected by GWN. Otherwise, GWN computes SSi0 = SSi0-1, computes Vi1*= h3 (TIDi ‖ r2 ‖ SSi1), and verifies whether Vi1* matches Vi1. If not, the authentication session will be rejected by GWN. Otherwise, the GWN will consider the Ui as a legal healthcare professional.
Case 3: If TIDi does not exist, the GWN will consider the Ui as a legal healthcare professional and terminate the authentication session.
Step 3: Upon arriving (M2) from GWN, the SNj computes ΔSSj = (SSj0 − SSj1) value and checks whether 1 ≤ ΔSSj ≤ μ0, wherein μ0 is determined according to the requirements of the system. If not, then both the M2 and the authentication session will be rejected by SNj. Otherwise, the SNj initiates SNj1 = SNj0, and it repeats the updating of the values of SNj1 = h2 (SNj1 ‖ IDSNj) and SSj1 = SSj1 + 1 for ΔSSj times until the SSj0 − SSj1 = 0.
Step 4: Upon arriving (M3) from SNj, GWN checks if TIDj is within the database of sensor nodes. If not, then GWN refuses M3 and aborts the authentication session. Otherwise, GWN computes Vj1* = h5 (ST ‖ IDSNj ‖ SJj ‖ SNj0 ‖ TIDj) and then verifies whether Vj1* matches Vj1. If not, then GWN refuses the M3 and aborts the authentication session. Otherwise, the GWN will consider the SNj as a legitimate sensor node.

Password Change Stage
The password change during the healthcare professional stage can be accomplished between Ui and SC and is not subject to GWN's consent. Fig. 5 shows the main processes of this stage, which can be summarized as follows: Step 1: Ui enters the IDi and old PWi and imprints the BIOi.
Step 3: Ui inserts a new password PWi new .

Security Analysis
This section verifies the security features of the proposed authentication scheme. First, a formal security analysis validates that our authentication scheme can support mutual authentication and secure authentication session features using the BAN logic model and Proverif tool. Second, an informal security analysis demonstrates that our authentication scheme provides suitable security features and can protect against related types of attacks, taking into account all possible attack scenarios. Finally, the last part of the analysis compares the security features of our authentication scheme with recently proposed, related authentication schemes.

Formal Security Analysis
The registration and password change stages are either not used frequently or are performed through a secure communication channel. Therefore, this part focuses on the soundness of the login authentication and key agreement stage.

Validation Using BAN Logic Model
The BAN logic model will be used to ensure that the authentication messages exchanged during the authentication and key agreement stage between the healthcare professional node (Ui), medical sensor node (SNj), and GWN are reliable, original, and up-to-date [9,22,24]. The notation, rules of the model, lists of our authentication goals, idealization of the exchange messages, and assumptions that are used in the verification process are illustrated in Tabs. 2-6, respectively.
The authentication and key agreement stage uses freshness authentication parameters to achieve mutual authentication. The KGWN-U is a cipher key that is used to cipher authentication messages between the Ui and GWN symmetrically. The SJj is an agreed secret key between all communication nodes. It comprises a Shared key F|≡ X F can consider X is true. F/ X F sees X. F|∼ X F says X, then F can send a message containing X. F0 X F jurisdiction over X.
A secret X is known only for F and Q. SK A session key.
set of sequential numbers, pseudonym identity, and random numbers such as (SSi0, SSi1, SSj0, and SSj1), (TIDi, and TIDj), (r2, and r3), respectively.   In order to validate the authentication process of the authentication and key agreement stage, we need to prove that our goals are fulfilled according to the following points:   According to (1), (2), (3), and (4), our goals are proven using the BAN logic model. Thus, the proposed authentication scheme can support mutual authentication among the Ui, SNj, and GWN elements during the authentication and key agreement stage.

Validation Using ProVerif Tool
This section validates the proposed authentication scheme using one of the most commonly used verification tools that has been developed for the automated verification of the security features of authentication schemes, called the ProVerif tool [19,25]. We have verified our proposed scheme in terms of the security of the established session key and mutual authentication, wherein this tool supposes that an adversary can block, delete, modify, and forward the exchanged messages between communication nodes. Therefore, if the results of the verification procedures are true, then the authentication scheme can resist all well-known attacks and the authentication parameters are exchanged securely. If not, the traces of existing attacks are presented.
In order to execute the verification procedures, we have provided a group of premises that are used in our verification program code, as illustrated in Fig. 6. The pubchHPGWN and pubchGWNHP are public communication channels used by the healthcare professional and the GWN to exchange the challenge and response messages between them. Moreover, the pubchGWNSN and pubchSNGWN are public communication channels used by the GWN and the sensor node to exchange the challenge and response messages between them (lines 1-2). Furthermore, we prototyped three sets of data: the type key for the secret keys, type coins to set the generated random numbers, and type host to define the healthcare professional, sensor node, and GWN as the participants in our scheme (line 7). Next, tables including the registration data of the participants were generated (lines 14-15). Then, we declared four free names, secret1, secret2, secret3, and secret4, to verify the secrecy of the session key (SJj) that will be established (line 16). Next, we defined eight authentication events that determine the start and end of the authentication processes to check the effectivity of mutual authentication between participants (lines 17-24). Finally, we declared eight queries to verify whether our authentication scheme could satisfy the session key secrecy and mutual authentication (lines 25-32). Fig. 7 shows the code of the basic functions that are used to execute the main steps of the authentication stages. The h, xor, concate2, concate3, concat4, and concat5 represent the hash function, exclusive-or operation, and different levels of concatenation functions, respectively (lines 33-39). Besides this, the encrypt and decrypt symbols for encryption and decryption functions were used (lines 40-41). Finally, we defined a group of data type converter functions (lines 42-45).
The steps of the authentication and key agreement stage are performed as the simultaneous execution of three different processes in order to execute the role of each participant. Fig. 8 illustrates the code statements to simulate role of the healthcare professional, called the processHP process. The first section of the code statements represents Step 1 in the healthcare professional side (lines 50-60).
Step 5 is represented in the second section of code statements (lines 61-64). The (StartGWNHPparam) event of GWN is set at line 48 and the (endHPGWNparam) event of the healthcare professional is set at line 65. Finally, the verification query code to check the secrecy of the session key (SJj) through the pubchHPGWN public channel is set at line 66.       11 illustrates the code statement of the main process that executes the processes of the participants simultaneously. The code statements (lines 114 -122) represent the registration stages of the healthcare professional and sensor node, wherein the authentication data are initiated. In addition, the code statements to launch an unbounded number of authentication sessions between the processes are represented (lines 123 -127). Fig. 12. shows the results of the verification queries. The first four results demonstrate that the authentication events are executed in a stable order. Thus, our proposed scheme can satisfy mutual authentication among the heath professional (HPnode), GWN (GWN), and sensor node (SNnode). The second four results illustrate that the attacker cannot trace secret1, secret2, secret3, and secret4 (free names). Thus, our proposed scheme can preserve the secrecy of the session key (SJj).

Security Services Achievement
This section presents an informal discussion of the ability of the proposed authentication scheme to achieve a suitable set of security services, which comprise authentication key agreement, mutual authentication, anonymity and untraceability, and perfect forward secrecy.

The Proposed Authentication Scheme Supports the Authentication Key Agreement.
Proof. During the execution of the authentication and key agreement stage, the GWN randomly generates (SJj) as a shared secret key to accomplish mutual authentication with SNj and Ui, wherein the SJj key is updated for each authentication session between them. Thus, our authentication scheme can generate a session shared key between the authentication elements.  Therefore, the proposed authentication scheme is able to support mutual authentication services among the Ui, SNj, and GWN.

The Proposed Authentication Scheme Supports Anonymity and Untraceability Service.
Proof. To maintain Ui and SNj's anonymity and untraceability in our authentication scheme, the authentication messages exchanged during the authentication and key agreement stage do not contain the real identities of the Ui (IDi) and the SNj (IDSNj). Instead, our authentication scheme uses pseudonym identities (TIDi) and (TIDj) that are generated by one-way hash functions after completing each authentication session. Thus, it is almost impossible for an unauthorized party to obtain the real identity of either the Ui or the SNj from the messages exchanged between the authentication nodes. Thus, our authentication scheme can support the anonymity and untraceability of the service.

The Proposed Authentication Scheme Supports Perfect Forward Secrecy Service.
Proof. In our proposed authentication scheme, if an unauthorized party acquires the long-term keys of the authentication nodes, which are SNj0 and KGWN-U, it still cannot obtain the session key (SJj) that is generated by the GWN randomly. The reason for this is that, after executing the authentication and key agreement stage successfully, the keys, SNj0 and KGWN-U, will be changed by one-way hash functions. Thus, our authentication scheme is able to provide a perfect forward secrecy service.

Attacks Resistance Analysis
An attacker can collect, decrypt, replace, track, imitate, and resend the authentication messages as they are transmitted over unsecured communication channels. In this section, we demonstrate that our authentication scheme can resist different types of known attacks in such an environment.

The Proposed Scheme Resists Desynchronization Attack.
Proof. The proposed authentication scheme uses different authentication parameters that can retain the synchronization between the authentication nodes, such as the pseudonym identities (TIDi and TIDj), sequential numbers (SSi0, SSi1, SSj0, and SSj1), and hash values (SNi, SNj0, and SNj1). Hence, the proposed scheme employs additional methods to preserve the consistency and synchronization of such values and prevent a desynchronization attack. To demonstrate how our authentication scheme achieves this, we take into account the following possible attack scenarios: Scenario 1: Assume that an attacker has interrupted the (M1) message. In this case, the attacker cannot to disrupt the synchronization among the GWN and Ui permanently. This attack suspends the authentication process temporarily, before the Ui and GWN have updated the values of the SSi1 and SSi0. Thus, this scenario will have no effect on the synchronization during the subsequent authentication session.

Scenario 2:
Assume that an attacker has interrupted the (M2) message. In such a case, the attacker cannot disrupt the synchronization between the SNj and GWN permanently. During the subsequent authentication session, the values of SNj1 and SSj1 will be updated by the SNj ΔSSj times as SNj1 = h2 (SNj1 ‖ IDSNj) and SSj1 = SSj1 + 1, respectively. As a result, the SNj will compute the TIDj value, which can synchronize the value of TIDj that is stored in the GWN. Thus, this case cannot cause an asynchronous state among the GWN and SNj permanently, and it will have no effect on the subsequent authentication session.
Scenario 3: Assume that an attacker has interrupted the (M3) message. In such a case, the attacker cannot disrupt the synchronization between the SNj and GWN permanently. The result of this scenario is equivalent to scenario 2. Thus, this scenario will not be taken into account.

Scenario 4:
Assume that an attacker has interrupted the (M4) message. In such a case, the attacker cannot disrupt the synchronization between the Ui and GWN permanently. In the upcoming authentication session, the TIDi value in the GWN will be updated, while the TIDi value in the Ui will not update. Fortunately, the previous value of TIDi is stored through the TIDi* value in the GWN, i.e., TIDi = TIDi*. Thus, when the next session is initiated by the Ui using the unchanged TIDi, the GWN is able to recognize the Ui and complete the subsequent authentication. Thus, this scenario cannot cause an asynchronous state between the GWN and Ui permanently, and it will have no effect on the subsequent authentication session.
Therefore, according to the above-discussed scenarios, our authentication scheme can protect against a desynchronization attack. Table Attack.

The Proposed Scheme Resists Stolen Password
Proof. In the proposed authentication scheme, the service provider (GWN) does not contain any details about the Ui's password or biometrics data. Thus, our authentication scheme is already able to resist a stolen verified table attack.

The Proposed Scheme Resists Incorrect Password Login Attack.
Proof. A detection mechanism is maintained in our authentication scheme to prevent an incorrect password login attack during the first steps of the authentication and key agreement stage without excessive computation when the SC obtains any incorrect login authentication data. The value of the h1 (Ci) stored in the smartcard is used to check the user's legitimacy. If the user inputs an incorrect password and biometric, then the computed h1 (Ci*) value is not equal to the stored value of h1 (Ci). Therefore, the SC will reject the login request. As a result, the proposed authentication scheme resists an incorrect password login attack.

The Proposed Scheme Resists Smartcard Attack.
Proof. The proposed authentication scheme uses three authentication factors (i.e., identity, password, and biometric). Even if an attacker is able to steal hidden information from a smartcard, he or she will be unable to log in. The explanation for this is that the attacker also needs to know the authorized user's identity IDi and biometric information Bi in order to create a login message.
The Proposed Scheme Resists Man-in-the-Middle Attack.
Proof. In our authentication scheme, the challenge and response messages that are exchanged among the elements of the system are protected by the SNi, SNj0, SNj, and K GWN−U . Thus, an unauthorized party cannot create valid authentication messages without these values. Thus, our authentication scheme can resist a man-in-the-middle attack.
The Proposed Scheme Resists Insider Privileged Attack.
Proof. Our authentication scheme does not allow inside workers to carry out privileged insider attacks. When the healthcare professional registration stage is executed, the PWi and BIOi values of the Ui are transmitted as hidden values through the hash value that is represented as Vi = h3 (IDi ‖ PWi ‖ BPWi). The one-way property of the hash function prevents the insider from disclosing the real value. As a result, the proposed authentication scheme can resist a privileged insider attack.

The Proposed Scheme Resists Impersonation Attack.
Proof. To ensure that our authentication scheme can protect against an impersonation attack, we consider the following possible attack scenarios: Scenario 1: To impersonate the Ui entity during authentication, assume that an attacker has intercepted the login request message M1: {TIDi, CTi1, and Vi1} that was sent to the GWN node, where TIDi = h2 (IDi ‖ SNi), SNi = h1 (SSi1), CTi1= E KGWN−U (r2 ‖ IDSNj ‖ SSi1), and vi1= h (TIDi ‖ r2 ‖ SSi1). The encrypted value (CTi1) is not available, since the attack cannot know the secret key (KGWN−U) or the actual (SNi) value. As a result, the attacker would be unable to impersonate Ui by computing (Vi1) with completely separate (r2) and (SSi1) values.

Scenario 2:
To impersonate the GWN node during authentication, assume that an attacker has intercepted the authentication request message M2: {CTj0, Vj0, and SSj0} that has been sent to SNj. Since the attacker cannot know the hidden keys or the value of (CTj0), the encrypted value of (CTj0) is infeasible. As a consequence, the attacker cannot impersonate the GWN by computing (Vj0) using separate (SJj), (SNj0), and (SSj0).

Scenario 3:
To impersonate the SNj node during authentication, assume that an attacker has intercepted the authentication response message M3: {TIDj, and Vj1} that has been sent to the GWN. Since the attacker does not know the SJj, SNj0, and SSj0, they are unable to compute Vj1 and TIDj. As a consequence, the attacker cannot impersonate the SNj by computing (Vj1) using separate (SJj), (SNj0), and (SSj0).
Therefore, according to the above-discussed scenarios, our authentication scheme can protect against an impersonation attack.

The Proposed Scheme Resists Replay Attack.
Proof. To ensure that our authentication scheme can resist a replay attack, we consider the following possible attack scenarios: Scenario 1: Consider that an attacker resends the previous intercepted M1: {TIDi, CTi0, and Vi1} to the service provider (GWN) without any alterations, wherein TIDi = h2 (IDi ‖ SNi), SNi = h1 (SSi1), CTi0 = E KGWN−U (r2 ‖ IDSNj ‖ SSi1), and Vi1= h1 (TIDi ‖ r2 ‖ SSi1). As a result, the GWN will decrypt the CTi0 and then verify SSi1, which represents the serial number of the present authentication session, which is modified as (SSi1 = SSi1 + 1) during each successful authentication session. Since the SSi0 would have been checked in the previous authentication session, the GWN would refuse the login authentication request.
Both authentication messages (i.e., M1 and M2) use the serial numbers, which are changed after each subsequent authentication session. Thus, our authentication scheme can prevent a replay attack during authentication in all the mentioned attack scenarios.

Security Comparisons
In this section, we compare our authentication scheme with other recently proposed authentication schemes [9,21,22,23].
The comparison results in Tab. 7 show that our authentication scheme can satisfy all the security features, while the other schemes presented in [9,21,22,23] did not provide security features such as fully mutual authentication among the elements of the system or medical sensor node anonymity. Moreover, the perfect forward secrecy service was not satisfied in [21] and [22]. Furthermore, our authentication scheme can resist all well-known attacks, while the authentication schemes presented in [21] and [22] cannot resist a desynchronization attack. The authentication scheme in [21] cannot resist healthcare professional impersonation, insider, and stolen password verifier table attacks. Moreover, our authentication scheme is the only one that can resist a man-in-the-middle attack. Therefore, our authentication scheme can achieve a high level of security compared to other recently proposed authentication schemes.

Performance Analysis
This section assesses the efficiency of our authentication scheme and compares its costs in terms of the storage space used, communication size, and run time of computation with the authentication schemes recently proposed in [9,21,22,23]. The computation and communication costs are calculated for the login authentication and key agreement stage, whereas the costs of the storage space used are calculated for the healthcare professional registration and sensor node registration stages, whether for healthcare professionals or sensor nodes.
In order to perform fairly accurate comparisons, we assume the following: the size of sequential numbers, security codes, random numbers, passwords, and identities are set to be 128 bits; the output of the used hash functions is equal to 160 bits, and the input/output of the encryption/decryption functions are multiples of 128 bits. Moreover, we assume that the running times of the fuzzy extractor generating function, SHA-1 hash function, and AES cryptographic function are (T fe = 0.0171s), (T h = 0.00032s), and (T E/D = 0.0056s), respectively, as in [3,10,[26][27][28][29].

Storage Space Cost Analysis
The cost optimization of the used storage space in the healthcare professional/smartcards and the medical sensor nodes is one of the major issues in such systems. The size of the hash functions that are embedded in the smartcards is not taken into account in order to simplify the analysis. The storage space costs of smartcards and sensor nodes in our authentication scheme and the authentication schemes proposed in [9,[21][22][23] are shown in Tab. 8.
In our authentication scheme, the storage space cost of the healthcare professional's smartcard to store the (Rep (.), Pi, Di, h1(Ci), and SSi1) is (64 + 128 + 160 + 160 + 128) = 640 bits, while that cost of storing the (SSj1 and SNj0) in the sensor node is (128 + 160) = 288 bits. Tab. 8 shows that our authentication scheme requires the least storage space for the healthcare professional's smartcard. Furthermore, the storage space that is needed for the sensor node in our authentication scheme is greater than that of the authentication scheme proposed in [9] but less than in other authentication schemes.

Communication Cost Analysis
The communication costs can be calculated according to the total size of the transmitted authentication messages among elements of the system during the login authentication and key agreement stage. The total communication costs of our authentication scheme and the authentication schemes proposed in [9,21,22,23] are shown in Tab. 9.

Computation Cost Analysis
In this section, the computation costs are compared among our authentication scheme and the authentication schemes proposed in [9,[21][22][23]. The overall time required to execute the cryptographic functions in each element of the system is computed. The total computation costs for our authentication scheme and other authentication schemes proposed in [9,[21][22][23] are shown in Tab. 10.
The results show that our authentication scheme carried lower costs of computation than the authentication scheme proposed in [22]; in both of them, hash and encryption/decryption functions are used simultaneously. Meanwhile, the computation costs of our authentication scheme are higher than those of other authentication schemes that only use one-way hash functions during the authentication process.

Conclusion
A secure and anonymous three-factor authentication scheme for healthcare systems is proposed in this paper based on a WMSN to solve the present security issues in such systems. The proposed authentication scheme offers promising security services, such as fully mutual authentication, perfect forward service, anonymity, and untraceability. To verify the security level of our authentication scheme, the BAN logic model and ProVerif tool were used, and its resistance to attacks is discussed considering all possible attack scenarios. Thus, the proposed authentication scheme can protect against desynchronization, impersonation, smartcard loss, replay, man-in-the-middle, insider, and password table attacks. Furthermore, the performance cost analysis shows that our authentication scheme is practical to use, with reasonable costs in terms of the storage space, computation, and communication. Finally, our authentication scheme can be used by healthcare professionals in healthcare systems to track and diagnose the medical status of patients safely and remotely.
Funding Statement: The authors would like to thank the Deanship of Graduate Studies at Jouf University for funding and supporting this research through the initiative of DGS, Graduate Students Research Support (GSR) at Jouf University, Saudi Arabia.

Conflicts of Interest:
The authors declare that they have no conflicts of interest to report regarding the present research.