Survey on Security in Intra-Body Area Network Communication

Survey on Security in Intra-Body Area Network Communication Marko Kompara and Marko Hölbl University of Maribor, Faculty of Electrical Engineering and Computer Science Maribor, Slovenia {marko.kompara, marko.holbl}@um.si Published paper: https://doi.org/10.1016/j.adhoc.2017.11.006 Abstract. With the advances in microelectronics, embedded computing, and wireless communications, the interest in Body Sensor Networks has risen sharply and has enabled the development and implementation of such networks. A Body Sensor Network is constructed from sensor nodes distributed in and on the user’s body. The nodes form a wireless network that collects physiological data and forwards it on. This sort of network has wide application prospects in the future of healthcare. The collected data is highly private and must, therefore, be protected adequately. The security mechanisms usually deployed depend heavily on the key agreement scheme. Because of the reliability requirements, energy efficiency, and hardware constraints, building a key agreement scheme for a Body Sensor Network can be quite a challenge. This paper presents a state-of-the-art overview of security in Body Sensor Networks, focusing on proposed key agreement schemes, ways they are built in, and the methods used to evaluate their security and performance. Results show that the community is very much split between the traditional key agreement schemes and schemes that take advantage of physiological or other signals to exchange a key. Security analysis is rarely performed with formal methods; instead, descriptive analysis is commonplace. There are no standards or guidelines on measuring a scheme`s efficiency. The authors therefore used different methods and, consequently, schemes can be difficult to compare. Keywords: Survey, Body Area Network, Body Sensor Network, Key Agreement, Security evaluation, Performance evaluation

1. Introduction A Body Area Network (BAN) or a Body Sensor Network (BSN) is defined in IEEE 802.15 as a communication standard designed for low power devices and operation on, in or around the (human) body and employed for the benefit of the user [1]. A BSN is a special type of Wireless Sensor Network (WSN), consisting of numerus biosensor nodes, often called Implantable Medical Devices (IMDs). The sensors measure different physiological signals of the human body. Because such data is very sensitive (personal information) it could be exploited and, therefore it is also a legal requirement to protect such data - the authenticity, security, data confidentiality and patient's privacy are of utmost importance. A BSN was first proposed in 1996 by Zimmerman [2], as a specific use of a personal area network [3]. Considering the recent rise in the world population size, the expanding share of older people [4], and the increase of chronic diseases [5], BSNs are doubtlessly a part of our future, as a means to better and

more affordable healthcare. The second use for a BSN that is also often mentioned in the literature is the monitoring of soldiers on a battlefield. BSNs are also often referred to as: Body Area Network (BAN), Wireless BAN (WBAN), Wireless BSN (WBSN), Body Area Sensor Network (BASN) [6], Wireless Body Area Sensor Network (WBASN) [7], Body Area Network for Telemedicine (BANT) [8], Wearable Health-Monitoring Systems (WHMS) [9] and Wireless Medical Sensor Network (WMSN) [10]. A WMSN can also focus on the communication between the user and the medical facilities and/or personnel [11], similarly to the Telecare Medicine Information System (TMIS) [12]. In general, when talking about BAN type networks in the field of medicine it is more fitting to use BSN, as it describes a network of (bio)sensors [6] more closely; we did, however, notice that the older named – BAN is still more often used in research. In this paper, both BAN and BSN will be used, as the vast majority of the authors use these two terms. Further confusion comes from the fact that BANs are a subcategory of WSN and are, therefore, often addressed as such (e.g. [11] and [13]). Different names can be used to emphasize different network properties. Unfortunately, the definition or range of the BAN is not uniform across the field either. For some (e.g. [14]), a BAN is a network of sensors and a master node (also called a BAN controller, personal server or gateway), while data storage, data consumers etc., are not a part of it. Others (e.g. [15]) include those components into the BAN. The authors of [7] have divided BAN into three layers. Intra-BAN comprises of nodes that are located physically on the user`s body and a personal server (e.g. a smartphone or a PDA), which collects data from the nodes and sends it to a hospital. A personal server is a considerably more powerful device and has more storage and energy at its disposal than a sensor node. An Inter-BAN layer adds an access point, over which the personal server connects to other (Body Area) Networks. This allows for multiple BANs to connect and route data over them to the remote medical center. Beyond-BAN further includes wireless area networks or metropolitan area networks that transfer the gathered data to the medical care center. The three-layer structured BAN is shown in Fig. 1. Alternatively, the authors of [16] distinguished between intra-body and extra-body communication. Intra-body is comparable to intra-BAN, while extra-body communication contains inter-BAN and beyond-BAN.

Fig. 1: Structure of a BAN [17].

Biosensor nodes are divided into wearable and implanted nodes. Wearable nodes are generally larger and can, therefore, have bigger batteries and storage, and more computational resources [18]. Common examples of wearable nodes are [19]: Temperature monitor, respiration monitor, heart rate monitor, pulse oximeter SpO2, blood pressure monitor, pH monitor, glucose sensor etc. On the other hand, implantable medical devices are more typically [19]: Cardiac arrhythmia monitor/recorder, brain liquid pressure sensor, endoscope capsule, etc. Body Area Networks are a prominent research area and have been for some time. For that reason, many overview and survey papers have collected the research on different aspects in the field. They include: [7], [9], [16], [18], [20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31], [32], [33], [34], [35], [36], and [37]. The survey presented in [38] is, conceptually, the most similar to ours. In it, the authors are reviewing the research done on key agreements for the field of BSN, while previous reviews focused on other aspects in BAN (e.g. technologies, hardware, software, problems and challenges in BAN, interferences, quality of service, etc.). This paper’s contributions are a comprehensive list of security requirements and attacks on the key agreement schemes in BSN, the classification of existing schemes based on their design, an overview of the introduced schemes, a compiled list of schemes’ security properties, and an overview of methods used for security and performance evaluations. In this paper, we focus on security challenges when designing security schemes for BSNs, list the existing solutions, and look at how security and performance are evaluated in BSN schemes. We limit this paper to wireless communication and consider other channels (e.g. intrabody communications [39] or vibration channel [40]) out of scope. We also exclude key agreement schemes that considerably limit where and how BSN can be used. For example, this excludes schemes designed to be used at a fixed location (terminal) [41], schemes that use sensors to measure gestures (it is impossible for chest implants to measure gestures) [42], or schemes that can be only used with chargeable devices [43]. We concentrate on key agreement schemes in intra-BAN communication and exclude extra-body communications. Nevertheless it is relevant to know that there are certain challenges to address when transitioning from a wireless BAN to a wireless local area network (personal server is generally the bridge between the networks) [44][45]. After the introduction, section 2 describes problems that must be overcome and restrictions that must be understood to secure BSNs. Next, we present a general overview and requirements for key agreements in BSNs. We used the classification model from [38] with an alteration to split the schemes found in this survey into four groups, based on the derivation of the keys. The rest of Section 3 describes the four different classes of key agreements in BSNs. Section 4 discusses security requirements and attacks in BAN. First, we investigate the possible attacks a secure BAN should be resistant to and state the security requirements. The last part of this paper is dedicated to the techniques authors use to evaluate their schemes. We investigate the security and performance analyses of the schemes in Sections 5 and 6, respectively. Different methods of assessment for both aspects are described, together with their frequency of use. At the end of each chapter we discuss the results for the particular type of analysis and try to derive the best methods and the general faults with the process of evaluating key agreement schemes for BANs.

2. BSN security challenges The foundation of every secure system is an adept key negotiation scheme. Much research and many such schemes have been explored for use in WSNs. Unfortunately, those solutions are not suitable for BANs. The reasons for this are:

  

 



The scale of key negotiation [18]: Because WSNs have many more nodes, they use key pools or key chains to establish keys amongst the nodes. Such techniques are not suitable for BANs, which contain at most a few dozen nodes. Different categories of measured data [18]: Because WSNs gather data from the surrounding environment (and even though some of it has a high enough entropy) this data is not always available to be used in key negotiations. The security of keys [18]: WSN nodes are deployed mostly in an open environment, easily accessible for the adversary and have little physical protection (to cut the cost of the numerous nodes). BANs, on the other hand, are deployed on a human body, where it is much harder for an adversary to capture a node. The difference in energy [18]: BAN nodes are even smaller in size and more resource constrained than WSN nodes. For that reason, key agreement schemes for BANs have to be lightweight and must consume even less energy than schemes designed for WSNs. Dispersion of nodes [46]: BAN nodes are deployed much closer together than in WSNs, where they are, typically, scattered in large areas. This means it is not hard for all BAN nodes to be in communicational range, while this does not hold true for WSNs. This is why BANs are often connected in a star topology [47]. Physical access to nodes [46]: Although physical removal or replacement of nodes is not desirable (especially in the case of imbedded nodes), it is possible. WSNs, on the other hand, are often inaccessible and, therefore, it is impossible to remove compromised nodes physically.

Most challenges and constraints in BANs are general and are inherited from WSNs:  

   

 

Interference [48]: It is very important in a BAN that the network does not have interferences, otherwise a person’s health could be put in danger. This also includes BANs on different users interfering with each other [16]. Bio-compatibility, portability and heat generation [48][49]: Sensors implanted into a person’s body are very limited in the terms of size, shape, and the materials they are made from. They have to be made from materials not harmful to the body. It is also important for sensors not to generate too much heat, which could cause damage and discomfort to the wearer or create a suitable environment for bacteria. Power efficiency [48]: Due to their size and location the power supply of BAN sensors is very limited. It is therefore very important to be as efficient with the power consumption as possible. Limited memory [49]: The memory required for cryptographic computations and for the storage of keying material is severely limited due to the sensors’ size and energy restrictions. Low computational capability [49]: As a result of power and memory limitations the computational strength is also very restricted. Low communication rate [49]: The most energy consuming activity is the communication operation. It is, therefore, in the interest of energy efficiency, that communications be optimized, minimized and, where possible, eliminated completely. If possible, communicating should be replaced with computation and sensing (e.g. data compression and key generation based on physiological values). It was shown that a transmission of a bit can be a thousand times more energy consuming than a 32-bit computation [50]. Robustness and Fault Tolerance [48]: Especially for implanted sensors, the robustness and fault tolerance are very important. It would be unacceptable if sensors had to be surgically replaced or adjusted often. Error Rate [48]: While some error rate is allowed in WSNs, it is prohibited in BANs. Delay or loss of important medical data could be very dangerous.

3. Key Agreement in BSNs Because the data in BSNs is transmitted over the air, the communications have to be secured, to prevent eavesdropping and distortion of personal data. To achieve this, a cryptographic scheme has to be employed, and those require secret keys. For that reason, it is important to have a secure way for key agreement and distribution of them among the nodes in the network. Sensors in BANs have limited processing power, memory and energy reserves. It is, therefore, important for the key agreement scheme to be lightweight, energy efficient, and consume little memory. We divide the key agreement schemes into four classes:  Traditional key agreement schemes  Physiological value-based key agreement schemes  Hybrid key agreement schemes  Secret key generation schemes Non-physiological value-based schemes are the traditional type of key agreement schemes and are generally based on public-key cryptography or some sort of pre-deployment of keying material. This requires more storage space, but reduces the required processing effort. The second class of key agreement schemes are physiological value-based key agreement schemes. They use human vital signs to generate secret keys. The sender and the receiver can generate the same key, because they are on the same body and are, therefore, measuring highly correlated values. This removes the need for predeployment and explicit key distribution, and it saves on the memory usage. The third class of schemes are the hybrid schemes, which incorporate both of the previous approaches to key agreement. For the key generation and agreement, they most often use pre-deployment of keying materials and physiological values from the human body. Paper [38] categorized the key agreements schemes in BSNs into three groups: physiological-valuebased, non-physiological-value-based, and hybrid schemes. We choose to split up the nonphysiological-value-based group into the traditional key agreement and secret key generation, because we regard the two to be fundamentally different. Secret key generation is far more similar to the physiological value-based key agreement than it is to the traditional approach. They both use signals that are limited to the close proximity of the user while the traditional schemes do not involve any input from the physical world. Nevertheless there are implementation and characteristic differences between secret key generation and physiological value-based key agreement which drove us to separate them. Secret key generation is generally based on the characteristics of the communication channel and acceleration data from the user. These signals are typically used for independent generation of a key, while physiological signals are usually used to facilitate the exchange of a key. Each class and classification of all the schemes we have detected in literature will be introduced further on in this paper. Establishing a key or keys amongst communicating parties is, generally, the first thing and the most essential one for establishing data confidentiality, authenticity, and integrity. Key distribution is a process in which two or more parties obtain the same secret. The simplest instance of this is key transport, where one party creates or, in some other way, obtains the key, and transports it securely to the other parties in communication. Key agreement is more complex, as all parties contribute to the final secret and none of them can predetermine it. The term is, however, sometimes used to refer to key distribution. Key management, in addition to key generation and exchange, also includes storage, use, and replacement of keys. The most obvious choice in providing security in BANs is the symmetric encryption, due to its small storage and computational requirements [51]. That is why symmetric algorithms are generally

preferred over the asymmetric ones. However, being that symmetric algorithms use the same key for encryption and decryption, the involved parties must possess the same key before they can communicate successfully and securely. This, in turn, represents a problem, because of how vulnerable key distribution over wireless channels is to the man-in-the-middle (MITM) attack. Man-in-the-middle attack is possible with symmetric and asymmetric encryption. Asymmetric encryption is usually used with an external or internal certificate authority to negate this attack (public key infrastructure - PKI). Unfortunately, the BSN limitations make PKI unsuitable for adoption in such constrained environments. To prevent the possibility of such an attack, many different key establishment schemes, made for the use in BSNs, have been proposed. A list of schemes with resistance against the MITM attack can be found in Table 1 in Section 5.1 (other schemes are possibly resistant, but the property is not mentioned in their respected paper). Key agreement schemes based on physiological values and secret key generation are less likely to have a descriptive security evaluation made and are therefore rare in the Table 1. For this reason here are a more examples of schemes with MITM resistance that are based on physiological values and secret key generation: [52], [53], [54], and [55]. Most of the research is divided distinctly by the part of the network they are trying to secure. First is the research, where the goal is to protect the communications between the major entities in the network. Those are generally:  the user (personal server),  data consumers (medical professionals),  data storage,  and other (e.g. key generation center) Other research focuses on the security in the intra-BAN – communication between sensors and the master node. In this paper, we focus on the key agreement schemes for intra-BAN, because it is this section of BANs that is specific to them, while inter-BAN and beyond-BAN can be secured using more traditional methods. That is to say that beyond-BAN does not provide for such a restricted and specialized environment as the intra-BAN does. Beyond-BAN is the focal point of much research, but primarily because of the complicated access rights that have to exist within it. Nevertheless, we do mention some key agreement schemes that were developed for BSNs and contain beyond-BAN security; however, all of them also include the protection for intra-BAN.

3.1. Key Agreement Scheme requirements in BSNs For a key agreement scheme to be suitable for use in BSNs it has to comply with some requirements [16][38][56]:  



Node authentication: Is a system where nodes authenticate each other. This prevents a single point of failure (since multiple nodes can authenticate a node) and improves the authentication. Resilience: Describes the key management’s capability to resist a capture of a node. It is resilient if a compromised node does not endanger the whole network. Generally, schemes with pre-deployed keys have bad resilience, because the process of changing the pre-deployed key (especially on an imbedded device) is difficult if at all possible. Pre-deployed group keys are even worse than pairwise keys, because one stolen key affects multiple users. Scalability: Refers to the ability of the key agreement scheme to deal with the introduction of new nodes into the network and leaving of the old ones. In other words, new nodes should be able to join a network and nodes already a part of the networks should be able to leave it, without compromising its security. This is a problem in schemes with pre-deployed secrets, because a new secret has to be pre-deployed by a trusted party. Scalability is especially important in BAN, where the human body is often in motion, which changes the network topology. Schemes with the ability to plug-n-play have generally good scalability.

    

Processing efficiency: The processing power required for the generation and agreement of keys should be minimal. This means computationally expensive operations are not desired [57]. Communication efficiency: Data sending is a very energy consuming operation. It is, therefore, very important to keep down the number of bits, as well as the number of overall messages communicated over the network during the key agreement. Storage efficiency: The amount of memory necessary to store all the data required in the processes of key generation and key agreement should be kept to a minimum, as BSN sensors do not have much of it. Energy efficiency: The overall energy consumed in the process of key agreement should be kept as low as possible, to prolong the device`s lifetime. Plug-n-play: The ability of a key agreement scheme to generate and agree on a key automatically, without human or other third party involvement. This is the biggest advantage of physiological value based schemes [38], because they do not require pre-deployment of secrets and are capable of generating keys automatically and authentication based on the physiological signals.

3.2. Traditional Key Agreement Schemes Traditional key agreement schemes are most often implemented with pre-deployment of keying material. The main advantage of pre-deployment over the dynamic key generation (like in physiological value-based schemes) is escaping the processing overhead that comes with key generation process [56]. The disadvantages, on the other hand, are the required storage space and generally bad adjustability to the changes in the network. The name traditional is due to the fact that these scheme are the oldest and most often used form of key agreement. Security Protocols for Sensor Networks (SPINS) [58] is a set of schemes designed to secure sensor networks. Unfortunately, SPINS and many similar schemes were created for general sensor networks and are, for the reasons discussed before, not applicable in BANs [59]. The following is a brief presentation of key agreement schemes designed for BANs that we have identified in the literature. A key management service, based on a Deterministic Pair-wise Key Pre-distribution Scheme (DPKPS) [60] is described in [61]. This scheme was created very early on and was meant for use in hospitals, where secure pre-deployment of keying material, used to generate pairwise keys later, was easily achievable. A key management scheme, FoSBaS, was introduced in [62], and is based on the Chinese Remainder Theorem. MαSKE was introduced in [63] and is a Multidimensional α-Secure Key Establishment. It is based on polynomial α-secure systems. The shared α-secure keying material is used to secure the communication, as well as provide a cryptographically enforced access control. The authors of the scheme LEXCOMM [64] proposed a very simple key management scheme, where every sensor has its own initial key. The keys are initialized before the deployment and are only used when a network starts for the first time or the network is rebooted. Otherwise, derived temporary keys are used. CICADA-S [65] is the secure version of the CICADA scheme (Cascading Information retrieval by Controlling Access with Distributed slot Assignment) [66], which is a cross-layer scheme that handles both access and the data routing. CICADA-S adds key managements and secure communication. The scheme starts with an initialization of a secret key, generally by using a private and authentic out-of-band channel. The authors of [47] introduced a security scheme for BANs that would encrypt communications from sensors to a personal server (intra-BAN), then all the way to the servers holding the gathered data (beyond-BAN). The scheme uses symmetric encryption and pre-deployed keys to authenticate sensor nodes and establish a temporary key for the actual data encryption.

In [67] the researchers have arranged the BAN into a tree-like structure. The top node is the central control node, followed by intermediate nodes and, finally, the sensor nodes. Nodes can only receive and send data to specific nodes. Symmetric encryption and decryption is performed for each level. The Efficient-Strong Authentication Protocol (E-SAP) was introduced in [10]. It was created to secure the communications from the sensors to the medical professionals. Medical professionals who wish to access the sensor readings, have first to register and receive a smart card at the Hospital Registration Centre. Users also have to register there first, before sensors can be used. It is during registration that the devices also receive their secret keys, on the basis of which all the following communications are encrypted. The authors of [11] exposed some of the E-SAPs vulnerabilities and proposed their own scheme, addressing the found flaws. This scheme was, in turn, reviewed in [68] where it was again shown to possess certain defects. The authors again proposed their own improved version. The scheme introduced in [69] uses a Group Device Pairing (GDP) key agreement scheme, where each device authenticates itself to every other device and the user verifies their legitimacy visually. Another GDP scheme is introduced in [14]. They both use light signals for the initial exchange. The authors of [14] also introduced a pairwise device pairing scheme, designed to exchange secret symmetric keys between a personal server and another node. Light channel for sensor Initialization and Radio channel for Authentication (LIRA) [70] is a multi-channel key deployment scheme. It uses a visible light channel to transmit secret keys to the nodes. These keys can then be verified and used to encrypt further communications. Light signals are very good for this, because they are easy to block and, therefore, attackers cannot intercept them. This does, however, require the sensors to be equipped with light detectors. The authors of [71] introduced HIGDCP, combining the ECC with human interactive security - security where a human establishes the trust of a communication channel. The user interacts with the sensors trough lights and a button on a sensor. In [72] the authors created a scheme they call hybrid. They call it that, because it uses asymmetric cryptography to secure the beyond-BAN communications and symmetric encryption for the intra-BAN. It contains zero security features that are based on physiological signals and is, therefore, firmly classified as a non-physiological value-based scheme. Asymmetric cryptosystems (Public Key Cryptography - PKC) are, at a first glance, not appropriate for a resource constrained environment such as BANs. However, research has shown the elliptic curve to be much more efficient in memory and processing power consumption than traditional asymmetric encryption (i.e. RSA [73]) [6][74]. Nevertheless, schemes using RSA for BANs were introduced in [75] and [76]. A scheme introduced in [77] includes a packet scheduling scheme and key distribution based on asymmetric cryptography. The scheme described in [13] includes a key agreement scheme that is based on PKC as well. In it, nodes have to register with the base station before they can start sending data. The registration message contains the public key, identification value and registration message. The three values are encrypted with the base station`s public key. Upon receiving the message, the base station checks if the received public key is registered, by comparing it with the one saved in the database. If the key is registered in the database, the base station returns a random number, encrypted by the nodes of the public key. Only if the node is authentic (holds the private key pair) can it decrypt the number and return an encrypted and incremented value of it. Afterwards, a session key is exchanged using the previous public keys. Asymmetric encryption requires more computational and storage resources than symmetric encryption [78]. In addition, depending on the scheme, it also requires a trusted third party to vouch for the authenticity of the parties involved. From these two reasons, it is easy to see why asymmetric encryption is not suitable to be used in BANs, which are severely limited in their resources and where,

for energy consumption reasons, the number of communications is kept at the minimum. However, asymmetric encryption has got a foothold in the more restrained environments with the Elliptic Curve Cryptography (ECC). ECC is a cryptographic primitive based on the theory of elliptic curves. ECC has similar security as RSA and ElGamal [79] cryptosystems, but with much smaller keys [80]. ECC was shown to have some advantages before other means of encryption, even in constrained environments like BANs [81][82]. The researchers in [83] have used ECC, together with pre-deployment of relevant private and public keys, to establish a session key for symmetric encryption of the subsequent messages. This is very much like the key agreement in the SNAP scheme [84]; however, a fingerprint is used here to authenticate each node with the personal server. Another research using ECC is presented in [78]. In this scheme an ID-based Elliptic Curve DiffieHellman key exchange protocol is used. The paper [85] introduces the Elliptic Curve Diffie Hellman version of Symmetric Hash commitment before knowledge protocol. Like the previous scheme, it uses ECC and the Diffie Hellman key exchange principle and joins it with symmetric hash commitment before knowledge protocol. Similarly to before, [86] uses ECC, this time together with Identity-Based Encryption (IBE). It uses the Boneh-Franklin IBE algorithm to establish keys in the nodes. Similarly to some schemes in traditional key agreement schemes, IBE-Lite [87][88] uses ECC together with Identity-Based Encryption (IBE). With some prerequisites, it allows a public key to be generated from a unique arbitrary information about the identity of the owner. IBE-Lite saves the encrypted data on a storage server, while a separate certificate authority is responsible for generation and distribution of decryption keys to the authorized healthcare providers. The authors of [80] developed the idea of IBE-Lite further. A whole suite of authentication and key agreement schemes adopted into an IEEE Standard [89] on BANs is described in [90]. All schemes in the suite use ECC for the agreement of the key that will be used in the following communications. The first is an unauthenticated key agreement scheme and serves as the basic scheme. The first authenticated scheme is the hidden public key transfer protocol. Here, the secret key is transferred into a separate and protected channel. The password-authenticated key agreement protocol changes the base protocol by sending the public key in a password-scrambled form, which the receiver retrieves with the knowledge of the password. The fourth scheme is the display authentication protocol. In it, the nonce value is not revealed in the first message, but the last. The first message includes a witness value that contains a hidden nonce. By sending the nonce in the last message the receiver can check it against the witness value and be assured the value was not altered throughout the exchange. K-H. Yeh [91] introduced a new secure system for the BSN, designed to be use in hospital environments. The local server and the BSN server are authenticated with the help of a trusted third party and ECC. Afterwards the two entities agree on a key that is later used by the local server to key hash messages coming from sensors and check messages coming from the BSN server. The authentication of the sensors to the BSN server and the consequent encryption of data between the devices is based on a pre-distributed secret. The local server, which is in this case under the control of medical staff, only serves as an intermediary between the BSN server and sensors that is not able to read the contents of the messages. Paper [92] suggested a different way to exchange a key between a sensor node and a remote BSN server that collects the data. Sensors come with a pre-deployed list of third parties and keys for safe communication with each of them. After establishing a connection with the remote server, the node prompts the third parties to aid in the key exchange. Willing third parties are then sent portions of the

key generated by the sensor node. Third parties authenticate themselves to the BSN server with the help of a certification authority, and use asymmetric cryptography to forward the data received from the sensor node. The server collects the key fragments from the different third parties and is then able to reconstruct the original key that was generated by the sensor node. This way the consuming cryptographic tasks are delegated from the restraint sensors to third parties. The authors of [93] and, later, [94], introduced a new key management protocol, designed to exchange keys between the user`s personal server and sensors on their body, as well as the personal server and the device medical professionals use to access the sensors’ readings. The key generation center is the only truly trustworthy participant in the protocol and it generates and distributes the necessary public keys for the ECC that is used to exchange symmetric keys. Authentication, on the other hand, is achieved with hash chains. In [95] the private and public keys are preloaded for the ECC. With them, session symmetric keys are exchanged and nodes are arranged into clusters, where the nodes with the highest energy levels become the cluster heads. Cluster key agreement was also developed in [96]. It is based on the Exclusive Based System and it produces a key matrix of distributed keys, which guarantees at least one key is unknown to a compromised node. TinyZKP [97] is a zero-knowledge proof based scheme. With it the personal server is able to authenticate and exchange a secret key with a sensor in the network, without the sensor revealing any information about itself. As the name for the three-party authenticated key exchange implies, it facilitates a secure distribution of a key between three parties. The paper [98], proposed such a scheme for a two tier BSN architecture, where keys are exchanged between a personal server, primary node, and secondary node. The primary node, besides being a sensor, also plays the role of a relay node for the secondary node that is further from the personal server, where a direct connection could present a problem. In the pre-deployment phase, all nodes get a paired secret key with the personal server. The researchers introduced two different schemes to be used in appropriate circumstances. The first is the more generic way, where the secondary node establishes contact with the primary node which, in turn, contacts the personal server, and all three parties authenticate and exchange temporary secret keys. The second scheme is more appropriate for situations where the two nodes gather complementary data (for example: Blood pressure and blood oxygen). In this case, it is the primary node that starts off the authentication and key exchange. The authors of [99] created a new secure scheme for a two-tier star topology, where they give special attention to the anonymity of the sensors and, consequently, the user. The scheme starts with a predeployment phase, where the System Administrator, over a secure channel, initializes parameters for the sensor nodes and personal server. One of those parameters is a temporary identity that each node gets. The personal server, on the other hand, gets a check parameter for every node in the network. With it, the personal server can authenticate the sensor. The temporary identity is changed in every authentication and key agreement phase, which prevents any eavesdroppers from linking two different requests for key agreement to the same sensor node.

3.3. Physiological Value Based Key Agreement Schemes Because BANs have many restrictions, the security schemes must be very energy efficient. It is for this reason that physiological signals have been introduced into the security schemes. In key negotiations based on physiological signals, two or more sensors measure (independently) the same physiological signal. This signal is then manipulated to get the common key. This saves on the number of

transmissions, as the common key can be established in a single communication. This helps with the energy efficiency, as transmission is the most energy-intensive operation. This way of key establishment in comparison to key pool and key chain techniques also saves on the storage space [18]. Symmetric cryptography is not perfect and it is faced with issues of key disclosure and is especially weak against physical compromise. The key management is also a burden on the devices. Nevertheless, symmetric cryptosystems have proven to be very secure [100]; however, many researchers believe that introduction of biometrics is the way forward. A survey of key agreement protocols based on physiological signals was presented in [18]. Because physiological values can only be measured on the user’s body, the key agreement based on the physiological signals is generally used only to provide security in intra-BAN [7]. Some of the physiological signals that could be used for securing BANs are: Blood Pressure (BP), Electrocardiogram (ECG or EKG) (e.g. [52], [101], [102], [103], [104], [105], [106], [107], [108], [109], [110], [111], [112], [113], [114], [115], [116] and [117]), photoplethysmogram (PPG) (e.g. [52], [112], [118], and [119]), Blood Oxygen level (SpO2), blood platelets etc.. Clearly, the two most often researched ones are ECG and PPG; however, most often these two signals are just an example of what a scheme could be used with. Frequently, a scheme can use an arbitrary physiological signal. The initial idea to use the physiological signals was presented in [49]. This idea was expanded upon with the use of interpulse interval (IPI), presented in [6]. IPI is the time between successive nerve impulses and is especially convenient to use with ECG and PPG signals. First, we briefly explain how physiological value-based security works. The communicating nodes measure the agreed upon physiological signal and encode it into a binary string. The sender then creates an arbitrary key and, with it, secures the data it wants to send. Afterwards, the sender hides the key with the binary data it got from measuring the physiological signal. Both values (secured data and hidden key) are transmitted to the receiver. The receiver retrieves the key with the help of the physiological signal it has itself measured. With this key, it can then use the data received. All the following communication between the two nodes is performed using the selected key, without the need to measure the physiological signals again (with some exceptions, e.g. network reconfiguration). Some researchers forgo key exchange completely in their research and use only physiological data to provide confidentiality [120]. A very early key distribution scheme for BANs introduced in [121], follows these very steps discernibly. Security based on physiological signals brings many advantages [120]:     

It can eliminate the pre-deployment of keys in BANs, because they are generated from physiological signals. An independent key distribution phase is also no longer necessary after the network is set up, because the keys are distributed together with data. It improves the space efficiency, because one measurement can secure all types of communications. It allows for dynamic changes in a network`s structure (nodes can be added, moved or removed), without the need to change any keys, because all constructed keys are different. It brings BAN security closer to the plug-n-play style of working, as the sensor is capable of communicating securely with any other node in the BAN right after its deployment.

Challenges in key negotiations for BANs when using physiological based signals include:

 



   

Low-energy design [18]: This is especially true for the implanted nodes, which are physically smaller, need to work for a long time, and cannot have their batteries replaced easily. Interference: When two users are close enough to each other, the BANs could start thinking mistakenly that the different sensors belong to the same body, consequently exchanging the security key and starting reporting the data from another user [18]. Other wireless technologies could, potentially, also disrupt the BAN`s communications [48]. Synchronous measurement of high-entropy physiological signals [18]: When using physiological signals to help negotiate a key, the data must have high enough entropy and the signals measured on the two different sensor nodes must be similar enough. Unfortunately, high entropy means high randomness, which makes it harder to get similar values on separate biosensor nodes. Identifying high-entropy physiological signals [18]: The science has not yet quite determined which physiological signals have high-enough entropy. Security of physiological signals [18]: For the security of such schemes, it is imperative that an adversary is not able to measure the physiological signal himself/herself. If an adversary gets such data, he/she can acquire the secret key easily. Efficient generation of keys [18]: The measurement of physiological signals must be fast enough to process and transmit the medical data while they are still relevant. Removal of noise [18]: Multiple independent sensors measuring the same signal are bound not to be exactly the same because, at the very least, they are positioned on different locations on the body. It is, therefore, very important to be able to remove the noise and match the measurements made at the same time on the same user.

The authors of a survey on key negotiation protocols based on physiological signals in BANs [18], divided physiological value based key agreement schemes in two general families: Protocols with predistributed secrets and protocols without pre-distributed secrets. Other authors have classified physiological value based protocols with pre-deployment as hybrid solutions, because they borrow from the traditional and physiological based schemes [38]. Schemes without pre-distributed secrets, on the other hand, need nothing more than some sort of physiological signals to exchange the keys. In this paper, schemes with pre-distribution and the use of physiological values in their key agreement schemes are coalesced and introduced in the Section 3.5. The authors of [38] divided physiological value based protocols into fuzzy and non-fuzzy groups. The paper [18] further classifies fuzzy protocols without pre-distributed secrets into the following categories: Protocols with fuzzy vault (e.g. PPG-based Key Agreement (PKA) [118], [119], OrderedPhysiological-Feature-based Key Agreement (OPFKA) [113], BDK [122],ESKE [103], [104] and [112]), protocols with fuzzy vault and encoded features (e.g. Physiological Signal Based Key Agreement (PSKA) [52], [123] and Physiological Feature based Key Agreement (PFKA) [115]), protocols with fuzzy vault and encoded key materials (e.g. [124]), fuzzy vault with a cubic spline curve (e.g. [125] and SKEP [114], although SKEP is, in this paper, considered a hybrid agreement scheme because it does not only use a fuzzy vault with a cubic spline curve). Here is the complete list of fuzzy physiological value based key agreement schemes, without pre-distribution that we came across during the survey: [105], [126], [8], [127], ECG-IJS [108], [106], [107], [128], ECG Linear Prediction key Agreement (ELPA) [109], and [110]. From this it is clear that the majority of physiological value-based key agreement schemes are centered on fuzzy vaults. Fuzzy vault was first introduced in [129]. The process of locking and unlocking a fuzzy vault is shown in Fig. 2. A polynomial function has to be selected for a fuzzy vault to lock a secret (𝐾). The secret is imbedded into the polynomial function so that its coefficients hold the value of the secret. Next, a value is required to lock the vault under. In our case, these are the Physiological Values (𝑃𝑉); however, it could be any information known to both parties exchanging the secret. These values

represent the x-coordinates (𝑏1 , 𝑏2 …) in Fig. 2 and are inputted into the previously constructed polynomial function to get the y-coordinates of the points in the graph. Other points to be included are the chaff points. Chaff points are selected randomly and serve to secure the previously created points. The result is called a fuzzy vault. The fuzzy vault, together with a hash value of the secret (𝐻(𝐾)), can then be transmitted to the other entity. To unlock the vault, the receiver has first to gather Physiological Values of its own (𝑃𝑉′). Because these values (𝑏1 ′, 𝑏2 ′ …) should have much in common with the values the sender has collected (𝑏1 , 𝑏2 …), the receiver can find the appropriate points in the vault and reconstruct the polynomial function. From it, the receiver can assemble the secret and check it by comparing its hashed value (𝐻(𝐾′)) to the received hash value of the original secret.

Fig. 2: Key distribution solution based on fuzzy vault scheme [112].

The same authors as before [18] have also split the non-fuzzy protocols into protocols with multiple commitments (e.g. [130]), protocols with matrices` comparison (e.g. EKG-based Key Agreement (EKA) [116] and [131]), and protocols with Reed–Solomon decoding (e.g. [132]). Based on our survey of existing schemes, the non-fuzzy solutions are not as common as the ones based on fuzzy constructs. Here is the complete list of the non-fuzzy protocols we could find: [51], [101], [111], Physiological Value-based Security (PVS) and Distributed Cluster Formation using Physiological Value-based Security (DCF-PVS) [120], [133], [117], and [134].

3.4. Secret Key Generation Schemes Shared secret key generation schemes allow two legitimate devices to establish a symmetric cryptographic key by exploiting user specific signals. Key agreement based on the physiological values requires all of the nodes in the communication to measure the same physiological signal. This causes additional hardware requirements (sensors have to measure the signals they were designed to measure and the signals that are used for the key agreement process) and deployment is constricted to the positions where the specific physiological signal can be measured (sensors have to be, at the very least, in contact with the skin). These requirements limit the usefulness of physiological value based schemes. Methods presented in this chapter do not limit the positioning of the sensors and use signals that are easily available to all sensors. Secret key generation schemes from this chapter and schemes based on physiological signals use signals that are specific to a very limited environment (i.e. the user), however the utilization of said signals to establish a pair of keys on multiple devices is different. Because of the changing state of the human body, the probability of extracting identical physiological signal features on different parts of the body is small [52]. That is why the physiological value based key agreement schemes generally use the signals to safely transfer the symmetric key. On the other hand, the schemes in this chapter use signals that have more consistent measurements on different devices and can therefore be used to generate the secret key independently on the nodes wishing to securely communicate. The two types of schemes however, have similar properties – scalable, with low memory requirements, that is offset by higher processing demands. There are two common sources of signals that are used in secret key generation. First is based on the wireless link characteristics, while the second is based on the common physical environment in which the devices agreeing on a key are located. It was shown that two devices in communication, can use the symmetrical properties of the wireless channel between them to directly generate secret keys. The property used most often is Received Signal Strength Indicator (RSSI), which measures the power present in a received radio signal. The RSSI can be measured by every device [135] and the measurements are difficult for eavesdroppers to reproduce, because the values are very susceptible to positioning and movement of the devices [136]. In [137] the researchers have shown that the exchanges needed to generate a key can be quite time consuming. They abandoned the idea of unconditional security and suggested that random channel measurements could be used to generate symmetric keys, which would change after a period of time. This idea was well received and today secret key generation schemes are typically constructed from four steps [138]. First step is the sampling phase, where the two nodes each measure the characteristic of the channel. This is achieved by the two nodes exchanging probe packets to estimate the mutual channel state. The second step is quantization, which transforms the measured data into a key. In the reconciliation phase, the small differences between the generated keys on the two devices, created by the noise in the channel, are discarded or corrected. Finally, the matching keys are strengthened to avoid possible correlated values in the key or to nullify any insight an eavesdropper might have gained during the reconciliation phase. The first secret key generation scheme designed for BSN we could find was [138]. In the paper authors show that it is possible to use the physical layer characteristics to produce keys in BSN and confirm that movement causes fluctuations in the RSSI measurements resulting in a faster key generation rate. Authors continue their research in [139] where they confirm their previous findings, test the usability of the key agreement scheme for devices on various body locations and improve the scheme by lowering the mismatch rate between the two nodes. In their third paper [136] they show that the biggest contribution to bit mismatch is the time difference between the signal readings. They also

suggest limiting the bit generation to high motion periods to further reduce the mismatch of the generated bits. Authors of [140] propose using existing packets that travel between the two nodes to measure the RSSI values. Furthermore, the scheme does not use the RSSI measurements, but instead collects the difference between consecutive measured RRSI values. After a predetermined number of differences have been collected and if their absolute added value is above a predetermined limit, a bit of the key can be calculated from it. If the absolute value is not big enough the accumulated values are discarded, because there was not enough variation in the collected measurements. The process is then repeated for the full length of the sought after key. The proposed method does not authenticate the device, which is left to be established separately. Schemes ASK-BAN (Authenticated Secret Key) [141] and its extension MASK-BAN (Movement-Aided Authenticated Secret Key) [57] are also based on wireless physical layer characteristics. Like the previous schemes, this pair of schemes use the RSSI to build the necessary secret keys, however they also use the same values to authenticate the devices in the same network (on the same body). In [142] compressed sensing encryption scheme was proposed for BSNs. The scheme also employs a wireless physical layer security to extract a shared secret from the RSSI values. Scheme SeAK [143] introduced the idea of using dual antennas into BSNs. By using two antennas that are spatially separate on (at least) one device (typically the personal server) the sampling can be randomly performed from either one, resulting in higher diversity. The result is harder for eavesdroppers to predict and it improves the key generation rate, especially when the user is not in motion. This is also very important for the usability of the method in scenarios where the user is unable to move. SeAK scheme also includes authentication of devices, while the next schemes using dual antennas - DLINK and iARC do not. DLINK [144] uses a new bit extraction method, allowing for a much smaller correlation between successive measurements and higher bit generation rate when compared to a preexisting scheme [145]. This scheme and iARC scheme [135][146][147] use frequency hopping. Both schemes also require for the nodes generating the key to be in a line of sight. iARC is striving to perform key generation which is mobility independent, by introducing artificial randomness (with the dual antennas and dynamic frequency hopping) into the channel. Paper [148] introduces a secret key generation based on the RSSI readings that works through a trusted relay node allowing for the two nodes agreeing on a key to not be within communicating range. This is achieved by the first node predicting the channel link characteristics between the relay and the other node and then based on the measurements from communicating with the relay, estimating the wireless characteristics to the second node in the key agreement. The resulting scheme allows for generation of keys with good entropy even when one or two of the three nodes are stationary. Not all schemes based on wireless link characteristics, however are used to generate secret keys. Paper [53] introduces a scheme that works like a typical physiological signal based schemes does. The two nodes that wish to communicate gather RSSI measurements, which the sender then uses to construct a fuzzy vault with a hidden key that was randomly generated. Like in the case of physiological value based schemes, the receiver can then, from the highly correlated RSSI values that it has gathered, extract the key from the vault. As we have mentioned before the second group of schemes in this chapter are the schemes that generate keys based on a common physical environment. The objective is to expose devices to the same common physical environmental conditions, measure those conditions and then construct a key or facilitate its exchange based on the measurements. The conditions have to be specific to the user, so the measurements can tie the devices on the same body together. With this, the devices can be

authenticated and the signals can be used to generate secret keys [149]. The research in this area has focused on acceleration signals that are produced on a body (sensors that are not on the body cannot measure them). For the devices to use a key agreement scheme that is based on acceleration signals the nodes have to have an accelerometer built in which does represent an additional cost compared to schemes based on the characteristics of the wireless channel. Some of the schemes based on the characteristics of the wireless channel are designed with the immobility of its users in mind, while such considerations are not possible in schemes where the keying materials are collected from the acceleration of a human body. Positioning of nodes can also present a challenge. Notably the spatial alignment of the three dimensions that are measured and the difference in acceleration of different body parts (e.g. because of the arm swing the sensor on a wrist will have different acceleration signals than a sensor on the chest). The first schemes using acceleration signals to generate secret keys were limited to account for these challenges. Paper [150] presents a scheme where two nodes would each generate a key from the acceleration data that was produced while the user shook them. The devices experience the same acceleration over time and from the collected data they can independently generate the same secret key. Authors of [151] propose a method that once again requires the user to shake the pairing devices. They introduce a device authentication scheme, as well as a ShaCK (shaking to construct a key) – a scheme which uses accelerometer data to extract features from the signal and construct a key from them. Both of these schemes require the user to explicitly shake them in his hand, limiting the two schemes to be only used with wearable devices that could be taken into a hand and shaken. The similarity between the key agreement schemes based on wireless link characteristics and those based on the common physical environment is also shown in the use of the same sequence of steps to generate a secret key. Like before the generation follows the four phases: sampling, quantization, reconciliation and strengthening phase. Schemes [54], [55], [152], and [153] all follow this construction. Paper [152] introduced a secret key generation scheme that is based on the ambient audio signals. The authors of [153] took this scheme and adopted it for the use with acceleration signals collected from body movements. Reed-Solomon correcting code is used in the reconciliation phase to correct the discrepancies in the generated key between the nodes. Measuring acceleration on different body locations can be a problem, because the measured values are an acceleration product of various body parts. All of the sensors measure acceleration of a user’s gait - an individual’s unique walking pattern. The sensors located on the body trunk predominately measure only the gait, while the wrist sensors, for example, also measure the arm swing. For the two sensors to be able to generate the same secret key, the acceleration of the arm swing must be removed from the measurements of the wrist sensor. Authors of [54] and [55] use the independent component analysis to distinguish the signals of various body parts from the measured collective acceleration signal and then use the gait signal to generate the secret key for any on-body communicating devices. The problem of synchronizing the measuring interval is solved by using a heel strike as a starting point for the data collection and the problem of spatial alignment of the measured dimensions is negated by transforming the data into a format independent of orientation and location. Paper [55] improves the scheme introduced in [54] by changing the binary quantization to a multilevel quantization, allowing for faster bit generation at the price of lower bit agreement rate. In the same way physiological signals and wireless link characteristics could be used with a fuzzy vault to exchange a key, acceleration signals can be used as well. The scheme presented in [154] uses acceleration data to construct a key, which is split into multiple blocks that are implemented as a the coefficients of the polynomial function. The vertical acceleration data, transformed with the quantization method from [144], is then used to lock the vault together with chaff points. Because the

devices are on the same body, the receiver can construct values from its own vertical acceleration data that are similar enough to the original data to unlock the vault and get the key that will afterwards be used for encrypting the communication.

3.5. Hybrid Key Agreement Schemes Hybrid key agreements are a mix between two types of schemes. Generally, this means the use of physiological values is coupled with pre-deployment of the keying material to create an overall more secure key exchange. With physiological value-based key agreements, it is often presumed an attacker will not have the possibility to obtain the physiological values from the user, because it is hard to implant a device in or on a user without him or her noticing it. However, if an attacker could somehow manage it, then the pre-deployed secrets would still protect the security of the exchange. Combining different techniques can also bring other benefits. The authors of [17] have created a hybrid scheme for securing communications even in beyond-BAN, by using Physically Unclonable Functions (PUF) with physiological signals. Where schemes with pre-distributed secrets are used, the communicating devices need secret material in addition to the high-entropy physiological signals in order to exchange security keys. Some hybrid schemes with pre-distributed secrets were collected in [18] and classified as protocols with pure fuzzy commitment (e.g. [49]), protocols with physiological certificate (e.g. [155]), protocols with multipoint key negotiation (e.g. [102]), and protocols with pre-distributed keys (e.g. [156]). Authors of [49] uses fuzzy commitment scheme with pre-distributed error-correcting code. The idea was refined in [102], where the session key is not transmitted but is derived independently on all devices, while the exchanged messages are only used to check and if necessary correct the key. The paper [157] introduces another hybrid key agreement scheme. The process for key exchange is very similar to the Diffie-Hellman protocol; however, the new scheme obtains the necessary random values from physiological signals. The Secret Key Exchange Protocol (SKEP) [114] uses a pre-deployed key to transmit the gathered and transformed physiological values securely to the base station. The two nodes afterwards agree on a session key, based on the sent values. Protocol BARI was presented in [46]; however, the initial idea for the scheme was introduced in [158]. BARI is another key management protocol, designed to secure communications from sensor nodes, through the personal server and all the way to the Medical Centre. BARI uses physiological values to generate keys, as biometrical data has sufficient randomness to it. BARI+ [159] is an improvement, where the authors have added a key refreshment schedule. The authors of [160] created a hybrid key agreement scheme. They used feature vectors to secure the communication in intra-body and pre-lading of keys for additional security. In [161] key predeployment was used to protect the exchange of the key created from the IPI values of the physiological signals. SEKEBAN (Secure and Efficient Key Exchange for wireless Body Area Network) [162] creates the session key based on the physiological signals. After the signal is measured, IPI vales are extracted and then morphed to create the final key. Morphing is necessary to obscure any personal information the key might otherwise contain about the user. Nodes in the key agreement proposed in [163] derived their session keys in the same manner; however, afterwards they use a pre-deployed public key from the base station and ECC to transmit the key safely. The base station checks the authenticity of the sender by extracting the key, generating one of its own from the template reference of the physiological signal, and comparing the two.

IMDGuard [164] was created with the idea of giving the user complete control over who accesses their information, until an emergency occurs, at which point the IMDGuard is turned off. The communication between the nodes and the Guardian (more powerful wearable device – a.k.a. personal server) is secured with symmetrical encryption. The data for key generation is extracted independently from ECG signals by the sensor and the personal server. This means there is no need for pre-deployment of keying materials and replacing either of the devices is relatively simple. Connection from the Guardian to the medical facilities is protected with ECC. After the Guardian authenticates the sensor and the medical facility it will assign a temporary symmetric key to both parties, with which they will secure the subsequent communications. Heart-to-Heart [165] is very similar to IMDGuard. It gathers physiological values from ECG signals and is designed for use in emergencies. The personal server and the sensor are simultaneously connected to the body and gather the ECG data and transform them into a key, which is used for the protection of communications between the devices, independently. The authors of [166] proposed a key agreement based on Biometric Encryption. It works by first collecting biometric data, sending them through a wavelet transformation, hashing them together with a pre-deployed value, applying a Reed-Solomon code to them and, finally, merging the new data with a generated cryptographic key. The created Bioscrypt is sent to the BAN controller. During the transport the key is secure, because it is hard to extract it computationally without knowing the used physiological data. The receiver collects physiological data and processes it in the same way as the sensor node. With it the controller can extract the session key from the received data. The Scheme proposed in [15] uses pre-deployed keys for the situation where the personal server has been compromised. The key used to encrypt the communication is, on the other hand, derived from the physiological values transformed by the wavelet function. This scheme also supports key exchange for inter-BAN. In [167] a scheme was proposed where a bivariate polynomial share is pre-deployed. It is used for key exchange, while physiological values are, later, used to update the key, by xor-ing the hash value of physiological data to the previous key.

4. Security of key agreement schemes in BSN BANs have a massive potential to be used in different fields, not only medical. However, because they deal with sensitive personal information, they have to be protected adequately before they can be deployed en masse. Each individual should have an assured security and privacy of their personal data. Because this is such an important aspect of BANs, the rest of this paper is devoted to the security of BSNs. Another reason for the importance of data security in BANs is the accessibility of the medical data. After a patient’s data has been stored in a database, different people might want to access it; not all of them, however, have the right to the same data. For example, Health Insurance people could access the patient`s address and Health Insurance number but, unlike the patient`s doctors, they should not be able to access their medical data (i.e. blood pressure, pulse rate, etc.) [168]. The problem of authorizing different users for different data is called fine-grained access control [169]. This issue is not discussed in this paper.

4.1. Attacks on BSNs Attacks and threats in BANs are classified into passive and active attacks. A passive information gathering or eavesdropping attack [19][38] is the simpler and generally less harmful attack of the two

[170]. A passive attack does not change the transmitted data while, on the other hand, an active attack changes the intercepted communications [170]. Here are some of the most common attacks on BSNs: 1. Eavesdropping attack [80]: Because BAN communication is transmitted over air, it is easy for an adversary to listen in on the exchanged data. The goal is to learn the content of the communication or to discover important information by collecting a large amount of data. It is very important to prevent this, as medical information is highly personal and also legally protected. To prevent eavesdropping an encryption must be used and the keys used in it must be changed regularly. An eavesdropping attack is the only passive attack in this list. 2. Message corruption [19][38]: Is an escalation of the eavesdropping attack, where the adversary not only eavesdrops on the communication, but deletes or modifies the information transmitted. The same countermeasures are required as with the passive information gathering. This is especially dangerous in health care where data used is vital to the users’ wellbeing. 3. Impersonation attack [19]: Allows an eavesdropping attacker to introduce itself as an authorized member of a network. The attacker obtains private identity information and uses it to impersonate a legitimate node in the network. A successful attacker would gain the same rights as the valid nodes. Authentication should be used to protect from such an attack. 4. Replay attack [38][103]: An attacker captures a send message and resends it at a later time. Without proper countermeasures the message appears to the receiver as a valid message. The attacker can, in this way, achieve some malicious intent and, because the receiver actually processes the message, with enough messages the attacker can deplete the sensor`s energy supply. The communications should, therefore, be secured in a way that prevents old valid messages from being sent again, successfully, at a later time. To achieve this, authentication and message freshness are required. This is most often achieved with the use of timestamps or nonces. 5. Man In The Middle (MITM) attack [103]: The attacker is able to intercept and relay messages between two parties who presume they are communicating directly with each other. It is a very powerful attack, because it allows the attacker to eavesdrop on and manipulate the transmitted information in real-time. A relay attack is a type of MITM attack, where the attacker initiates the exchange with two parties [51]. 6. On-line guessing attack and off-line guessing attack [103]: Are applicable to systems requiring passwords. In an on-line guessing attack, the attacker tries logging on to the server, using the possible passwords. With the off-line guessing attack, however, the attacker tests the passwords without contacting the server. That is achieved by first collecting all the data necessary for executing the password obscuring protocol. The attacker then tests the passwords without contacting the server, by using the recorded protocol. An off-line guessing attack is not limited to the rules of the server (e.g. limited number of tries) and is, therefore, much faster and harder to defend against. Because the defense against on-line attacks is generally a set of rules or limitations in the process of checking a password, the protection is not dependent on the security scheme, but the server’s system. In the rest of the paper we will, therefore, combine the two attacks in a guessing attack; however, the readers should be aware that the authors, when talking about guessing attacks or discussing the security of their schemes are, in a large majority of the cases, referring to an off-line guessing attack. 7. Denial of Service (DoS) [38][72]: DoS is an attack aiming to disrupt the availability of a machine or network resources. It is performed by flooding the target with fake communications until the target is no longer able to process them all. Apart from the performance, such an attack can affect the energy consumption of nodes. Defending against this attack is very difficult and it consists mainly of trying to identify legitimate messages and ignore the rest. It is especially difficult in BANs, where the resources are already, by default, very limited. A great many of the

8.

9.

10.

11.

12.

13.

14. 15.

16.

17.

security schemes for BSNs are not designed to prevent a DoS attack or are considered out of scope (e.g. [57]). Node-compromising attack [38][80][88] and clone attack [97]: Because it is infeasible to make the sensors resistant to tampering, the designers of security schemes should keep in mind that an attacker can extract all the data from a compromised node (including secret keys) and use it to gain unauthorized access to the network. All nodes are under human observation and are, therefore, very difficult for an attacker to compromise physically. It is, nevertheless, important to be able to revoke keys and to refresh them regularly so the attacker cannot resolve previously encrypted data. This also ties in with the forward and backward secrecy, as well as access to the physiological data itself. Clone attack is similar, as it also uses the data from a compromised node. The attacker will copy the retrieved information to a clone node in an effort to have the node under his control join the network. Tracking attack [88]: Here, an attacker can eavesdrop freely on the communications. If the attacker can determine which messages are coming from the same BSN (are transmitted from the same person), the attack is considered successful. Reflection attack [51]: Is an attack on a challenge-response authentication system. It is viable against systems that use the same challenge-response protocol to authenticate both parties. An attacker can respond to a challenge correctly, by sending the same challenge to the other party. This way, the original challenger will provide the response to its own challenge. Matching attack [88]: The attacker creates a large number of public keys. With them, the attacker encrypts all possible values of the message content and checks the created values for any matches with the encrypted message. This attack is possible when the values in the protected messages are limited. Collusion attack [171]: Is an attack where the attacker obtains keying materials for different nodes and, from that data, is able to calculate a key for an unrelated node in the network. The necessary starting material can be collected either by colluding users or an attacker with access to multiple compromised nodes. Key-compromise impersonation attack [172]: The attack is successful if, after an adversary gets the private key, he or she can impersonate other entities to the party whose key was obtained. Forge base station attack [97]: The attacker impersonates the personal server in order to collect data from a legal sensor node. Sinkhole attack and selective forwarding [173]: The attacker tries to lure as much traffic as possible through a node that it is under the attacker’s control. In selective forwarding the compromised node can, purposefully, not forward some or all of the received messages and simply drop them, ensuring they never reach their destination. The Sybil attack [174]: It is common for systems to employ redundancies to resist different threats. In a Sybil attack a single malicious entity presents itself with multiple identities. In this way, it undermines the redundancy by gaining disproportionately large influence in the system. An example of a resistance based on redundancy is a system where trust of an entity is established by a collective assurance from other entities. With a Sybil attack, an entity can create many identities and vouch for itself multiple times until the system accepts it as a trusted entity. The Sybil attack is a typical example of packet injection. Hello flood attack [173]: In some schemes, nodes inform their neighbors about their existence by broadcasting a hello message. The receiving node can assume that the sender is close enough to be in its radio range. An attacker can exploit this, by transmitting with larger power and deceiving a node into thinking they are neighbors. The attacker could then make itself look like a good route to the personal server, which would cause many nodes to send their communications trough the attacker’s device. The sent packets would be lost as they would never reach the distant device. The attack can be successful by simply replaying packets from legitimate nodes.

18. Wormhole attack [175]: The attacker receives packets in a specific location in the network. These packets are then tunneled to a different point in the network, where they are replayed into the network. This puts the attacker in a very good position to launch other attacks. Wormhole attack, sinkhole attack, selective forwarding, Hello flood attack and Sybil attack are all types of routing attacks. These attacks are not very potent in BSNs, because the nodes are so close together multi-hop communications are very rare and, therefore, hard for routing attacks to exploit [46].

4.2. Security requirements Successful and secure key distribution can establish most of the security requirements mentioned in this Chapter. For BANs to be secure, they have to meet the following requirements: 1. Data confidentiality [49]: Because the data transmitted is personal health information, it is in every user’s best interest to prevent unauthorized entities access to it. Confidentiality is, even in transmission, when the information is most vulnerable, achieved with encryption. 2. Node authenticity [49]: Describes the recipients’ ability to verify and trust that the received message has indeed come from the claimed sender. Without this ability malicious entities could easily impersonate authorized ones to gain access to the network. 3. Data integrity [49]: It is possible for data to be modified, while being transmitted, without breaking its confidentiality or authenticity. This can bring similar consequences as successful impersonation of authorized entities. Data integrity describes the ability to prevent data from being changed during the communications, or just to be able to detect if any such changes have occurred. 4. Mutual authentication [98]: The two parties participating in the communication authenticate each other. Mutual authentication is the main tool to prevent a Man-In-The-Middle attack. 5. Unforgeability [176]: Ensures that gateways cannot be faked. Schemes with unforgeability are resistant to forged base station attack. 6. Unlinkability [103]: Even if the network communication is encrypted and the code is not broken, an attacker should not be able to link different messages to the source user. This property is connected to the tracking attacks. 7. Forward secrecy and backward secrecy [83]: Nodes joining a network after a certain time must not be able to decipher messages sent before they joined. This is backward secrecy, while forward secrecy ensures nodes that have left the network cannot access messages sent after their departure. 8. Scalability [83]: While not necessarily a security parameter, a security scheme should still support the growth of the network after its deployment. Inadequate scalability could cause security flaws when adding a node. 9. Freshness [10]: The ability of the system to distinguish between new and old messages. Schemes with this property will not be susceptible to replay attacks, because replayed messages will be detected. 10. Resilience to the attacks: They have to be resilient to the attacks mentioned in section 4.1 Attacks on BSNs (off-line guessing attack, DoS attack, node-compromising attack, clone attack, tracking attack, reflection attack, matching attack, sinkhole attack, selective forwarding, Sybil attack, hello flood attack and wormhole attack).

5. Overview of security and its evaluation methods In this Chapter, we will review the security of proposed schemes for securing BSN communications and the different ways in which authors choose to show their schemes’ security strength and soundness.

5.1. Descriptive evaluation of security The majority of authors choose to use informal and very descriptive forms of analyzing the security of their schemes. This means no standard procedures are used to gauge or prove the proposed schemes’ security. Authors create scenarios to showcase the schemes’ security or just describe the particular parts of the scheme and how they ensure the schemes’ security and resilience to different attacks. In the following Table (Table 1) you can find a list of all the BAN security schemes we had come across in the process of creating this paper that use this method. The schemes are denoted by the reference to the paper describing them. Next is the classification column, which shows the type of scheme (T = Traditional, P = Physiological-based, H = Hybrid key agreement scheme, and G = Secret Key generation). Following are the requirements for a secure scheme and attacks secure schemes should be resistant to. We marked the cross-sections with a “Y” if the requirement was discussed in the security analysis of a specific paper (generally this means that the scheme possesses the property or is resistant to the given attack). Empty fields do not show scheme’s vulnerabilities, merely that specific feature or attack is not mentioned in the security analysis of the scheme. The Table is also limited to the attacks we have encountered in multiple papers included in this paper and were not produced by the same authors. The eavesdropping attack was also omitted from the Table, as resistance to it is the bare minimum every security scheme should ensure. Other rare examples of attacks found in security analysis include: Reflection attack [51], Relay attack [51], Jamming/Link corruption attack [67][99], Ephemeral secret key leakage attack [99], Gateway secret guessing attack [10], Known-key security [11], and KeyCompromise Impersonation attack [93][94]. Additionally, papers [120], [155] and [159] looked at the HELLO Flood attack and proposed schemes resistant to it. Other routing attacks (selective forwarding, sinkhole attack, Sybil attack, and wormhole attack) were taken into consideration in [92], [120], and [133], resulting in a scheme resistant to all or at least some of them. Selective forwarding attack was also discussed in [101]. Security property we have not mentioned before are the multiple, cancellable and revocable keys. We have not mentioned it before, because it is specific to biometric encryption. With biometric encryption, different Bioscrypts are created from the same biometrics, but different keys. This means that a compromised Bioscrypt can easily be replaced by generating a new one from the same physiological values. This property is a part of security analyses in [114] and [166].

Y

Y Y Y Y

Y Y

Impersonation attack

Unforgeability

Resistance to node-compromising att.

Resistance to DoS

Scalability

Forward secrecy / backward secrecy

Y Y

Unlinkability or tracking attack

Guessing attack

Replay attack or freshness

Y Y

Clone attack

Y Y

Y Y Y

Collusion attack

Y

Y

MITM attack or Mutual Authentication

Y

Matching attack

Data integrity

T T T T T

Node authenticity

Classification

[10] [11] [13] [14] [60]

Data confidentiality

Scheme

Table 1: List of schemes included in this survey and their security characteristics.

Y

Y

Y Y

[62] [63] [65] [68] [69] [72] [75] [76] [78] [80] [83] [84] [87] [88] [90] [91] [92] [93] [94] [95] [97] [98] [99] [51] [101] [103] [108] [109] [115] [117] [120] [15] [46] [114] [156] [159] [160] [162] [163] [165] [166] [141] [57]

T T T T T T T T T T T T T T T T T T T T T P P P P P P P P H H H H H H H H H H G

Y Y

Y

Y

Y

Y Y

Y/

Y

Y Y Y Y Y Y Y

Y Y Y Y

Y Y Y Y Y

Y

Y Y

Y/

Y Y

Y

Y

Y

Y Y

Y Y

Y Y Y Y

Y

Y Y

Y Y

Y Y

Y

Y Y

Y

Y

Y

Y Y

Y Y

Y Y Y Y Y Y Y Y Y Y Y

Y Y Y Y Y

Y Y Y Y Y Y Y

Y

Y Y Y Y Y Y

Y Y

Y Y

Y/

Y Y Y Y

Y

Y Y Y Y

Y Y Y Y Y

Y Y

Y Y Y Y Y Y

Y Y

Y

Y Y

Y

Y Y

Y/ Y

Y Y

Y

Y

Y/ Y

Y Y Y Y Y Y

Y

Y

Y

Y

Y Y

Y

Y

Y

Y

Y

Y

Y

Y Y/

Y Y Y

Y

Y

Y

Y

Y

Y Y

Y – The scheme is (at least partially) resistant to a particular attack or has that property. Blank cell – The information about a scheme`s resilience or property is not specified or it does not have it. T, P, H, and G – Types of key agreement schemes. Y/ – Scheme has forward secrecy but the information for backward secrecy is missing or it does not have it.

5.2. Formal evaluation of security BAN logic is an analysis model, designed for formal verification of authentication and key distribution schemes [10]. It was introduced in [177] and is named after its inventors Burrows, Abadi and Needham. BAN logic can provide good proof of a scheme’s correctness, but is based on the assumptions made. It is also mainly only suitable for traditionally built schemes [14]. The model cannot be used to prove a scheme is flawed. The BAN logic proof that a scheme works and is secure does not guarantee a scheme without possible flaws or security deficiencies. The model also deals with ideal circumstances, which are very rare in the real world. BAN logic has its own syntax for the terms, statements that can be made, and the rules that are created from the first two. Even though it is a semi-formal model for verification of key distribution protocols, hardly any papers use it to prove the validity of their schemes. We have noticed BAN logic in only five papers: [10], [11], [91], [98] and [99]. An alternative is SVO logic [178], which came about as a unification of the preceding models, including BAN logic, and is used in [166].

5.3. AVISPA AVISPA [179] is a tool for Automated Validation of Internet Security Protocols and Applications. It provides modular and expressive formal language for defining the protocols and their properties. It also provides a wide selection of automatic analysis techniques to test the defined scheme with. AVISPA has a graphical interface that allows the user to define their scheme and select the testing methods, together with their parameters. We have found that, like BAN logic, AVISPA is seldom used to validate schemes for BSN. We have found only three examples: [92], [114], and [115].

5.4. Security evaluation for physiological Values When it comes to the schemes containing a fuzzy vault (a big portion of physiological value-based schemes) their security analysis is different. They focus their analysis on the properties of schemes that make the distribution of secrets more secure. Security issues in schemes with key agreements based on fuzzy vault are a result of sending the vault over an open network. An attacker can record this message and try to reconstruct the hidden key within it. Security analyses in [52], [112] and [118] researched the impact the number of chaff points and degree of the polynomial function have on vault security. Papers [109], [113], and [132] have also cited vault size as the most important attribute for the strength of security, while [122] showed how different vault sizes affect different schemes. Additionally, the choice of features extracted from physiological signals and selection of chaff points is important for fuzzy vault security [124]. The authors of [125] have researched increased security with bigger key sizes which derives, in this case, from cubic spline (alternative to polynomial function). The researchers in [122] gave formal security proof of resilience against chosen plaintext attack. Physiological value-based key agreement protocols are also vulnerable to specific attacks, such as compromise of the physiological value or remote monitoring of physiological signals [120]. Remote monitoring of PPG with the help of a camera is touched upon in [165]. Researchers in [6], [164] and [165] use the statistical tests to show that the collected physiological signals produced statistically random values.

5.5. Security evaluation for secret key generation schemes The most commonly used metric for the security evaluation in secret key generation schemes is the entropy estimation. Entropy is the measure of uncertainty or randomness in the bit string generated from the measured signals. Higher entropy means more randomness to the generated bit string or in other words less dependencies between the bits. Basically all of the papers use the NIST test suite [180] to estimate the entropy. The following papers include the entropy estimation for the proposed schemes: [53], [54], [55], [135], [136], [137], [140], [143], [144], [145], [146], [147], [148], [150], and [151]. In schemes based on wireless link characteristics beam-forming attacks is also discussed

[57][141][143], while with acceleration sensors an impersonation attack (where an attacker mimics the user’s walking pattern) is given some attention [54][55]. The schemes using these signals with a fuzzy vault have their security based on vault size (as was discussed in the previous section) [53][154].

5.6. Other methods for security evaluation The following papers also contain sections dedicated to security analysis; however, they are severely limited or describe aspects of security not relevant to a general overview: [60], [70], [71], [77], [96], [116], [130], [127], [131], [155], [156], [157], [161], [142], and [168].

5.7. Discussion on security evaluations Most of the papers proposing different key agreements in BANs contain security analysis at the end. The most common is for the authors to do a non-formal analysis. This means no standard procedures are used to gauge or prove the proposed scheme`s security. The authors create scenarios to showcase the scheme`s security, or just describe the particular parts of the scheme and how they ensure the scheme`s security. We have created the Table 1 to collect characteristics of different schemes and we have noticed that such analyses are often not complete or thorough enough. Authors often describe only the most basic of requirements, or they mention only the characteristics that they perceive as the scheme’s biggest assets. This is especially annoying, because authors almost never mention attacks that schemes are susceptible to, leaving behind doubt whether the scheme is vulnerable to an attack or the authors just did not mention its resistance in the paper. This can be noticed in Table 1, as dispersion of scheme characteristics and the fact that some schemes are resistant to advanced attacks, while the very basic properties of security schemes are not even mentioned. To prove our point, we took a look at two schemes that were introduced with a descriptive security analysis. The first is a traditional scheme, called CICADA-S [65]. From Table 1 it is visible that the authors have linked six of the security characteristics to their schemes. They could, however include a few more. First of all - authenticity, because both the nodes and gateway receive their key from the server over a secure channel. Second is resistance to Man-In-The-Middle attacks. The communication between sensor node and a gateway is always encrypted and, consequently, an MITM attack is not possible. A gateway node in this scheme cannot be forged as the forgery would not have a secure connection to the server and could, therefore, not decipher messages from sensor nodes. The authors mentioned the scheme having forward secrecy but, with regular key updates, backward secrecy is established as well. The last property the CICADA-S has that was not mentioned in the introductory paper is its good scalability, because adding or removing nodes from the network would not threaten the overall security. Together, that is five properties that the authors have left out in their security analysis of the scheme. Additionally, it is also evident that the scheme does not offer adequate protection from clone attacks or node compromise. The second scheme we examined is a physiological value-based PFKA [115]. The authors associated the scheme with six characteristics from our Table; we, however, attributed seven more characteristics to it. Messages sent are not linkable and the sensor nodes cannot be cloned, because cloned nodes would not have access to the physiological values. The same is true if an attacker would compromise a node by removing it from the body or forging a gateway. Node compromise is generally considered very unlikely, as it is difficult to achieve this without the owner`s notice. Because PFKA uses time variable physiological values, it achieves forward and backward secrecy. Joining or leaving of nodes from the network does not impact other nodes at all, so the scheme allows for scaling. When examining these schemes, it is important to mention that we glossed over the matching, guessing and DoS attacks as the resistance to these attacks is hard to gauge without more specifics.

Secret key generation scheme and especially the schemes using the acceleration signals often assume the legitimacy of the on-body devices [54]. The same assumption is made for physiological signal based schemes, however we would argue that there is a big difference between the two. For the sensors to be able to measure physiological signals they have to be placed in direct contact with the user (at least skin contact), which should be relatively easy for a user to notice. On the other hand, acceleration sensors can be placed anywhere. Together with the development of sensors and their reduced size, we believe it is possible for an attacker to plant a sensor on a user without him noticing (e.g. slipping one into their pocket). This sensor could then gather acceleration signals and help reveal keys generated amongst legitimate nodes. Another possible security shortcoming of using acceleration signals could be deriving the values from a video recording of a user. This threat was pointed out, but the applicability or its severity was not studied [54]. The descriptive method of security analysis is not perfect, but it is good to have it, as it is the easiest for a person to understand. This is why such methods should be reinforced with other formal or semiformal models for security analysis (e.g. BAN or SVO logic) or other tools for validation of security schemes (e.g. AVISPA). However, it is evident from our survey that such methods are used very rarely (not even 8% of the collected papers have one), and not a standard test of schemes` security at all. The descriptive analysis method is used fairly often in traditional and hybrid schemes, while it is not as common in papers with physiological value-based and secret key generation schemes. In fact, 72% and 56% of all papers containing traditional and hybrid schemes respectively, have a descriptive security analysis. It is used more rarely in the other two types of schemes, nevertheless papers introducing physiological based and secret key generating schemes include security analysis (not necessarily the descriptive kind) in 63% and 78% of all cases, respectively. Overall descriptive security analysis is used in more than two fifths of papers in this survey. Altogether this paper included 115 works where a key agreement scheme for the use in BSN was discussed, of which almost 77% contained some sort of security analysis.

6. Overview of performance evaluation methods BSNs` main differences from other networks are their severe hardware limitations. For this reason, all the operations in BANs are expected to use as little memory and computational power as possible and communicate the smallest amount of data with the smallest number of messages to achieve the smallest overall energy consumption. Because the limitations are so rigorous, authors very often include performance analysis in their papers, to show how efficient their scheme is. The analysis is often divided into memory, computational, communicational, and energy cost.

6.1. Memory requirements Authors most often measure memory requirements for their schemes in bits or bytes: [53], [60], [61], [62], [63], [75], [83], [84], [87], [96], [97], [98], [99], [118], [130], [156], [164], [165], and [167]. When considering any of the performance aspects, comparison to already existing schemes is an easy way to show the new scheme’s compliance to the limitations. In the case of memory usage, this can be achieved by comparing required space, as was done in [60], [95], [97], [110], [113], and [122]. Sometime authors express the scheme’s memory cost with a formula, containing all the constructs (e. g. pairwise keys, public and private keys, nonces, number of nodes in the network…) that will be saved to the memory: [14], [15], [60], [99], [108], [122], [159], and [166]. In this way, the final required memory can be calculated once the size of the keys, the size of the network, etc. have been established. Some authors judge storage efficiency by the number of keys to be stored: [15], [120], and [133].

6.2. Computational cost The next important performance indicator is computational cost. It is important for schemes to be as computationally efficient as possible, because sensor nodes do not pose much processing power and because more computing uses up more of the very much limited energy supply. The most common method to analyze computation cost is by measuring the amount of time it takes for the necessary operations to finish processing: [47], [63], [64], [69], [84], [91], [96], [112], [164], and [168]. To give some extra meaning to the measured time, the times are often compared to those of other schemes: [14], [62], [75], [76], [83], [95], [97], [98], [99], [122], [160], and [167]. When comparing with other schemes different ways of analyzing the computational cost emerge. One of the more common methods is by counting the number of different operations (e.g. hash, encryption, secret generation, etc.) that need to be performed and, commonly, comparing the results to those of other schemes: [10], [11], [14], [68], [72], [76], [90], [91], [93], [94], [99], [108], [113], [118], [120], [130], and [166]. In [80], [107], [117], [131], [133], and [160] the authors have expressed the computational cost with computational time complexity, often comparing them to other schemes. Computational cost has also been measured by the number of keys that have to be generated in the scheme [158], and by describing the scheme’s operations and how they are less computationally intensive than in other schemes [109]. The authors of [47], [53], [60], and [61] showed the computational cost with the number of CPU cycles their scheme requires to generate or encrypt a key. Paper [92] estimates the computational cost by the size of messages to encrypt. The last metric to measure the computational cost is the time required to generate the required keys. This method was used in [61], [87], [88], and [165].

6.3. Communication cost Measuring of communication cost is very important, because it is the most energy consuming operation of them all. The most common ways of determining the communication cost are by the size of the sent data, as done in [47], [60], [62], [65], [83], [92], [97], [98], [99], [109], [113], [120], [132], and [162] or by the number of messages that are sent, as performed in [10], [80], [93], [94], [97], and [158]. Like before, the authors like to put their results in perspective by comparing them to other schemes. Comparison by the communicated amount of bits was done in [14], [75], [95], [97], [115], [120], and [130], while comparison on the basis of message number was presented in [15], [71], [97], [133], [158], and [159]. Alternative estimation methods are communication complexity [133], description [101][122], and energy cost associated with the scheme’s communications [92][163].

6.4. Energy consumption The last frequent performance indicator is energy consumption. A vast majority of papers measured it in Joules (J): [14], [15], [46], [47], [57], [62], [64], [69], [71], [85], [92], [97], [98], [99], [101], [108], [113], [115], [120], [132], [133], [156], [159], [162], [163], and [167]. It is important to note that some of these measurements were gathered from experimental implementations, while other papers derived their results based on previous research and without actually building the scheme and measuring its consumption (e.g. [92] and [163]). Exceptionally, energy consumption was measured by how much energy is spent on every bit of information produced [86] or in ampere-hours (Ah) [61]. As we have mentioned, some authors have implemented their schemes. In this way, they can measure easily not only the energy consumption, but computation time, which, as we have shown before, is the most often used method to assess the computation costs. Different authors used different devices or simulators to implement them on, so the measurements are very much dependent on the hardware used. Consequently, the results cannot be compared without certain considerations. Here are a few examples of different devices that surveyed schemes were implemented on or processed with: MicaZ [14][60][61][97][167], Mica2 [102][155], Arduino Uno [70], Raspberry PI 2 [91], Waspmote [76],

Chipcon CC2420 [108], Tmote-Sky [14][69][84][87][88], AquisGrain 2 [63], TelosB [57][64][164][167], Sun SPOT[62], MSP430 [47], Cortex-M3[98][99][165], PXA270 [98], and SHIMMER [96].

6.5. Performance analysis for Physiological Values Like with the security analysis, schemes containing physiological-based values also have some specifics when it comes to performance analysis. In these schemes, more importance is given to the keys generated from physiological signals. Such schemes often discuss randomness, distinctiveness, temporal variance and latency of generated keys. The randomness of keys is determined by calculating the entropy of the keys and, basically, represents the probability of a certain key being generated [15]. Optimally, all keys have the same probability, and there is no pattern to them [131]. Distinctiveness is important, because it determines if physiological signals and, consequently, constructed secrets are distinguished enough to differentiate between people [103]. This prevents keys generated on different people to match and guarantees ultimately that only sensors in the same network will be able to authenticate successfully [52]. Temporal variance or repetition of keys is important to ensure that repeated measurements of physiological signals do not lead to repeated keys [116]. This also provides assurance that compromised physiological values cannot help in reconstructing previous or subsequent physiological values and, consequently, secret keys [120]. Latency talks about the necessary duration of collecting physiological signals to be able to create a secure key from the collected values. Lower latency is naturally preferred. Following is the list of all the papers that analyzed at least some of these properties: [15], [52], [102], [103], [112], [116], [117], [118], [120], [122], [131], [133], [160], [161], [164], and [166]. Majority of papers list these properties as performance metrics; however, they also show the security of the schemes and could therefore be listed under security as well (similarly to entropy estimation in the case of key generation schemes). The last performance metric that is also used frequently in schemes that are based on physiological value signals are False Acceptance Rate (FAR) and False Rejection Rate (FRR). FAR and FRR are used to measure the authentication accuracy. Both metrics therefore show distinctiveness. FAR represents the frequency with which a valid user is denied access (nodes on the same body fail to match a key), while FRR is the frequency with which a non-genuine user is granted access (two nodes in different BANs establish a secret). Multiple papers have shown that an increase in the number of collected features from physiological signals increases FAR and decreases FRR [105]. Researchers show that decrease in FAR results in an increase in FRR, i.e., they are inversely related. Half Total Error Rate (HTER) is a metric combining the FAR and FRR. The lower the HTER value gets, the better the average FAR and FRR [103]. Here is the list of papers containing analysis of FAR and FRR: [6], [51], [52], [57], [101], [102], [103], [105], [107], [108], [109], [110], [112], [113], [118], [121], [122], [123], [125], [126], [128], [132], [134], [162], and [166].

6.6. Performance analysis for secret key generation schemes Performance of secret key generation schemes are mainly expressed with two metrics. Key agreement is a measure of the proportion of matched bits in devices generating the key. If the constructed key is identical on all of the devices exchanging a key, then the key agreement is 100%. In other words, this metric estimates the possibility of the devices successfully agreeing on a key. Key agreement for eavesdroppers should be near 50% (the same as randomly generating bits). The second metric for evaluating the performance of key generation schemes is the secret bit rate. Secret bit rate tells how many bits of the key are extracted from a signal in a given time unit. This rate is affected by sampling rate, the quantization method, its parameters and the variability of the channel (e.g. schemes based on RSSI and acceleration data have higher secret bit rate when the host is in motion). The goal are schemes with high key agreement and high secret bit rate, however these goals conflict. Higher sampling rate measures less signal variation, which leads to lower key agreement and also lower

entropy. The opposite is true for lower sampling rate. The following papers contain a performance evaluation for the key agreement and/or secret bit rate: [53], [54], [55], [57], [135], [136], [137], [138], [139], [140], [141], [142], [143], [144], [145], [146], [147], [148], [150], [151], [152], [153], and [154]. It is also worth noting that in majority of the cases the measurements are taken from experiments that the authors of the papers performed. The results might therefore be dependent on the circumstances of the experiment (e.g. placement of the devices, type of motion user might have performed, etc.) and the comparison between schemes or repeatability of those results might be skewed by those factors.

6.7. Discussion on performance evaluation methods The best way to measure performance is by means that are not dependent on external factors. When measuring memory cost, the memory space a scheme requires is the most favored metric. We would argue that this is a good metric; however, some elements in a scheme can be changed (i.e. encryption function) and, consequently, key sizes, nonces etc. can change as well. That is why it is a good idea to include the formula for required memory calculation constructed from the basic elements of the algorithm (all the data that has to be saved). When measuring computational cost, time and number of operations required in the process were the two most favored metrics. Unfortunately, neither of them is perfect. Time measurements are very much dependent on the performance of the device the scheme is implemented on. When comparing scheme, the number of operations is the better option, because it makes the comparability (between schemes) less dependent on other factors. However, when comparing implementation of specific schemes, the same algorithms must be used in all compared schemes as in the other case, the different algorithms (e.g. encryption algorithms, hash functions, etc.) can have different computational complexity (e.g. AES or Twofish), making the comparison between the two meaningless. For communication cost analysis the size of transmitted data and number of messages are the two most commonly used metrics. Both of these two metrics are important, but they are also independent. The size of transmitted data is clearly a good indicator as more energy is required to send more data but, at the same time, multiple smaller messages are far more expensive than a single big message, because they have much more overhead. For this reason, perhaps the best idea is always to include both metrics. Unfortunately, as is seen from the survey, authors rarely do. The last important performance indicator is energy cost. Here, the large majority of authors measure the consumption in joules. Because most of the schemes are implemented on different devices or the consumption is estimated on prior work, the results are not easily comparable. Perhaps a research could be conducted into energy consumption of different popular devices for BAN. Results could help compare schemes implemented on different devices. Out of the 115 papers reviewed in this survey more than 56% included analysis of at least one of these four main performance indicators, while 87% of them contained some sort of performance analysis. The 86% is bigger than the 77% of the articles containing the security analysis. This could indicate that, between the two defining characteristics and main obstacles of BSNs (i.e. resource limitations and the sensitive data being transmitted), researchers devote more of their attention to the efficiency of the schemes than they do to the security.

7. Conclusion This paper presents a survey for the field of key agreement and security in Body Sensor Networks. After the initial introduction of Body Area Networks and the circumstances that make them interesting for research and challenging for establishing a secure connection within, we looked at key agreements in BSNs. Here, the importance and requirements are discussed for a successful assignment of keys. Next, we divided the schemes into four classes, based on the methods used in the process of constructing the key agreement schemes. Each class was examined further and described. Afterwards we examined the security in Body Area Networks. A list of possible attacks and the requirements of

the schemes was constructed. Afterwards we performed an overview of methods used by authors to showcase their schemes` security and performance aspects. The overview showed that the majority of authors chose to use the descriptive analysis to demonstrate the security of their schemes, while the more uniform methods, such as formal models or validation tools, were used rarely. Furthermore, when using the descriptive analysis, the examination was often geared towards the properties that improved the scheme compared to some previous scheme, set the scheme apart from other schemes, or were just deemed more important than other properties. As a result, the descriptive analyses are often incomplete. Performance evaluations suffered from a similar problem. Because there are no guidelines, the performance evaluations for different schemes were measured in different ways. As a consequence, schemes can be hard to compare, if the same properties and methods are not used in the evaluation process. Acknowledgments The authors acknowledge the financial support from the Slovenian Research Agency (research core funding No. P2-0057).

References [1]

“IEEE 802.15 WPAN, Task Group 6, Body Area Networks.” [Online]. Available: http://www.ieee802.org/15/pub/TG6.html. [Accessed: 03-Feb-2017].

[2]

T. G. Zimmerman, “Personal Area Networks: Near-field intrabody communication,” IBM Syst. J., vol. 35, no. 3.4, pp. 609–617, Sep. 1996.

[3]

V. Jones et al., “Mobihealth: Mobile Health Services Based on Body Area Networks,” in MHealth, Boston, MA: Springer US, 2006, pp. 219–236.

[4]

UN, “World Population Prospects: The 2015 Revision,” Population Division of the Department of Economic and Social Affairs of the United Nations Secretariat, 2015. [Online]. Available: https://esa.un.org/unpd/wpp/.

[5]

World Health Organization, “Global status report on noncommunicable diseases 2010,” 2011.

[6]

C. C. Y. Poon, “A novel biometrics method to secure wireless body area sensor networks for telemedicine and m-health,” IEEE Commun. Mag., vol. 44, no. 4, pp. 73–81, Apr. 2006.

[7]

M. Chen, S. Gonzalez, A. Vasilakos, H. Cao, and V. C. M. Leung, “Body Area Networks: A Survey,” Mob. Networks Appl., vol. 16, no. 2, pp. 171–193, 2011.

[8]

Shu-Di Bao, Lian-Feng Shen, and Yuan-Ting Zhang, “A novel key distribution of body area networks for telemedicine,” in IEEE International Workshop on Biomedical Circuits and Systems, 2004., 2004, pp. 37–40.

[9]

A. Pantelopoulos and N. G. Bourbakis, “A Survey on Wearable Sensor-Based Systems for Health Monitoring and Prognosis,” IEEE Trans. Syst. Man, Cybern. Part C (Applications Rev., vol. 40, no. 1, pp. 1–12, Jan. 2010.

[10]

P. Kumar, S. G. Lee, and H. J. Lee, “E-SAP: Efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks,” Sensors, vol. 12, no. 2, pp. 1625–1647, 2012.

[11]

D. He, N. Kumar, J. Chen, C. C. Lee, N. Chilamkurti, and S. S. Yeo, “Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks,” Multimed. Syst., vol. 21, no. 1, pp. 49–60, 2013.

[12]

X. Li, Z. Zheng, and X. Zhang, “A Secure Authentication and Key Agreement Protocol for Telecare Medicine Information System,” in 2015 9th International Conference on Next Generation Mobile Applications, Services and Technologies, 2015, pp. 275–281.

[13]

M. R. Kanjee, K. Divi, and H. Liu, “A Two-Tiered Authentication and Encryption Scheme in Secure Healthcare Sensor Networks,” in 2010 7th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), 2010, pp. 1– 3.

[14]

M. Li, S. Yu, J. D. Guttman, W. Lou, and K. Ren, “Secure ad hoc trust initialization and key management in wireless body area networks,” ACM Trans. Sens. Networks, vol. 9, no. 2, pp. 1–35, 2013.

[15]

S. Irum, A. Ali, F. A. Khan, and H. Abbas, “A hybrid security mechanism for intra-wban and inter-WBAN communications,” Int. J. Distrib. Sens. Networks, vol. 2013, 2013.

[16]

B. Latré, B. Braem, I. Moerman, C. Blondia, and P. Demeester, “A survey on wireless body area networks,” Wirel. Networks, vol. 17, no. 1, pp. 1–18, 2011.

[17]

B. Ovilla-Martinez, A. Diaz-Perez, and J. J. Garza-Saldana, “Key establishment protocol for a patient monitoring system based on PUF and PKG,” 2013 10th Int. Conf. Expo Emerg. Technol. a Smarter World, pp. 1–6, 2013.

[18]

H. Zhao, R. Xu, M. Shu, and J. Hu, “Physiological-signal-based key negotiation protocols for body sensor networks: A survey,” Simul. Model. Pract. Theory, vol. 0, pp. 1–13, 2016.

[19]

M. Al Ameen, J. Liu, and K. Kwak, “Security and Privacy Issues in Wireless Sensor Networks for Healthcare Applications,” J. Med. Syst., vol. 36, no. 1, pp. 93–101, 2012.

[20]

G. V Crosby, T. Ghosh, R. Murimi, and C. a Chin, “Wireless Body Area Networks for Healthcare : A Survey,” Int. J. Ad hoc, Sens. Ubiquitous Comput., vol. 3, no. 3, 2012.

[21]

S. N. Ramli and R. Ahmad, “Surveying the Wireless Body Area Network in the realm of wireless communication,” 2011 7th Int. Conf. Inf. Assur. Secur., pp. 58–61, 2011.

[22]

D. B. Smith, D. Miniutti, T. A. Lamahewa, and L. W. Hanlen, “Propagation models for bodyarea networks: A survey and new outlook,” IEEE Antennas and Propagation Magazine. 2013.

[23]

R. Cavallari, F. Martelli, R. Rosini, C. Buratti, and R. Verdone, “A Survey on Wireless Body Area Networks: Technologies and Design Challenges,” IEEE Commun. Surv. Tutorials, vol. PP, no. 99, pp. 1–23, 2014.

[24]

T. Hayajneh, G. Almashaqbeh, S. Ullah, and A. V. Vasilakos, “A survey of wireless technologies coexistence in WBAN: analysis and open research issues,” Wirel. Networks, vol. 20, no. 8, pp. 2165–2199, 2014.

[25]

M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, “SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks,” in 2014 IEEE Symposium on Security and Privacy, 2014, pp. 524–539.

[26]

B. Malik and V. R. Singh, “A survey of research in WBAN for biomedical and scientific applications,” Health Technol. (Berl)., vol. 3, no. 3, pp. 227–235, Sep. 2013.

[27]

S. Movassaghi, M. Abolhasan, J. Lipman, D. Smith, and A. Jamalipour, “Wireless Body Area Networks: A Survey,” IEEE Commun. Surv. Tutorials Commun. Surv. Tutorials, vol. 16, no. 3, pp. 1658–1686, 2014.

[28]

V. Mainanwal, M. Gupta, and S. Kumar Upadhayay, “A Survey on Wireless Body Area

Network : Security Technology and its Design Methodology issue,” 2nd Int. Conf. Innov. Information,Embedded Commun. Syst. (ICIIECS)2015, no. I, pp. 1–5, 2015. [29]

H. Alemdar and C. Ersoy, “Wireless sensor networks for healthcare: A survey,” Comput. Networks, vol. 54, no. 15, pp. 2688–2710, 2010.

[30]

S. Al-Janabi, I. Al-Shourbaji, M. Shojafar, and S. Shamshirband, “Survey of main challenges (security and privacy) in wireless body area networks for healthcare applications,” Egypt. Informatics J., 2016.

[31]

S. Ullah et al., “A Comprehensive Survey of Wireless Body Area Networks,” J. Med. Syst., vol. 36, no. 3, pp. 1065–1094, 2012.

[32]

R. Negra, I. Jemili, and A. Belghith, “Wireless Body Area Networks: Applications and Technologies,” Procedia Comput. Sci., vol. 83, pp. 1274–1281, 2016.

[33]

R. G.K. and K. Baskaran, “A Survey on Futuristic Health Care System: WBANs,” Procedia Eng., vol. 30, no. 2011, pp. 889–896, 2012.

[34]

S. Wang, R. Bie, F. Zhao, N. Zhang, X. Cheng, and H.-A. Choi, “Security in wearable communications,” IEEE Netw., vol. 30, no. 5, pp. 61–67, Sep. 2016.

[35]

I. Ha, “Technologies and Research Trends in Wireless Body Area Networks for Healthcare: A Systematic Literature Review,” Int. J. Distrib. Sens. Networks, vol. 2015, no. 6, pp. 1–14, 2015.

[36]

B.-S. Kim, K. Kim, and K.-I. Kim, “A Survey on Mobility Support in Wireless Body Area Networks,” Sensors, vol. 17, no. 4, p. 797, Apr. 2017.

[37]

A. Mosenia, S. Sur-Kolay, A. Raghunathan, and N. Jha, “Wearable Medical Sensor-based System Design: A Survey,” IEEE Trans. Multi-Scale Comput. Syst., pp. 1–1, 2017.

[38]

A. Ali and F. A. Khan, “Key Agreement Schemes in Wireless Body Area Networks: Taxonomy and State-of-the-Art,” J. Med. Syst., vol. 39, no. 10, p. 115, 2015.

[39]

M. Seyedi, B. Kibret, D. T. H. Lai, and M. Faulkner, “A survey on intrabody communications for body area network applications,” IEEE Trans. Biomed. Eng., vol. 60, no. 8, pp. 2067–2079, 2013.

[40]

Y. Kim, W. S. Lee, V. Raghunathan, N. K. Jha, and A. Raghunathan, “Vibration-based secure side channel for medical devices,” in Proceedings of the 52nd Annual Design Automation Conference on - DAC ’15, 2015, pp. 1–6.

[41]

L. Yang, W. Wang, and Q. Zhang, “Secret from Muscle: Enabling Secure Pairing with Electromyography,” in Proceedings of the 14th ACM Conference on Embedded Network Sensor Systems CD-ROM - SenSys ’16, 2016, pp. 28–41.

[42]

I. Ahmed et al., “Checksum Gestures: Continuous Gestures as an Out-of-Band Channel for Secure Pairing,” in Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing - UbiComp ’15, 2015, pp. 391–401.

[43]

R. Snader, R. Kravets, and A. F. Harris, “CryptoCoP: Lightweight, Energy-efficient Encryption and Privacy for Wearable Devices,” in Proceedings of the 2016 Workshop on Wearable Systems and Applications - WearSys ’16, 2016, pp. 7–12.

[44]

S. Rashwand and J. Misic, “Two-tier WBAN/WLAN healthcare networks; priority considerations,” in 2012 IEEE Global Communications Conference (GLOBECOM), 2012, pp. 5398–5403.

[45]

B.-M. Cho, K.-J. Park, and E.-C. Park, “Contention window adaptation for coexistence of WBAN

and WLAN in medical environments,” in 2014 International Conference on Information and Communication Technology Convergence (ICTC), 2014, pp. 945–946. [46]

S. M. K.-R. Raazi, H. Lee, S. Lee, and Y.-K. Lee, “BARI: A Distributed Key Management Approach for Wireless Body Area Networks,” 2009 Int. Conf. Comput. Intell. Secur., pp. 324–329, 2009.

[47]

G. Selimis et al., “A lightweight security scheme for wireless body area networks: Design, energy evaluation and proposed microprocessor design,” J. Med. Syst., vol. 35, no. 5, pp. 1289–1298, 2011.

[48]

M. Guennoun, M. Zandi, and K. El-Khatib, “On the Use of Biometrics to Secure Wireless Biosensor Networks,” 2008 3rd Int. Conf. Inf. Commun. Technol. From Theory to Appl., pp. 1– 5, 2008.

[49]

S. Cherukuri, K. K. Venkatasubramanian, and S. K. S. Gupta, “Biosec: a biometric based approach for securing communication in wireless networks of biosensors implanted in the human body,” in 2003 International Conference on Parallel Processing Workshops, 2003. Proceedings., 2003, pp. 432–439.

[50]

K. C. Barr and K. Asanović, “Energy-aware lossless data compression,” ACM Trans. Comput. Syst., vol. 24, no. 3, pp. 250–291, Aug. 2006.

[51]

S. Bao, C. Y. Poon Carmen, L. Shen, and Y. Zhang, “Authenticated symmetric-key establishment for medical body sensor networks,” J. Electron., vol. 24, no. 3, pp. 421–427, 2007.

[52]

K. K. Venkatasubramanian, A. Banerjee, S. K. S. Gupta, and S. Member, “PSKA: Usable and Secure Key Agreement Scheme for Body Area Networks,” IEEE Trans. Inf. Technol. Biomed., vol. 14, no. 1, pp. 60–68, 2010.

[53]

Y. Wu, Y. Sun, L. Zhan, and Y. Ji, “Low mismatch key agreement based on wavelet-transform trend and fuzzy vault in body area network,” Int. J. Distrib. Sens. Networks, 2013.

[54]

W. Xu, G. Revadigar, C. Luo, N. Bergmann, and W. Hu, “Walkie-Talkie: Motion-Assisted Automatic Key Generation for Secure On-Body Device Communication,” in 2016 15th ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN), 2016, pp. 1–12.

[55]

W. Xu, C. Javali, G. Revadigar, C. Luo, N. Bergmann, and W. Hu, “Gait-Key: A Gait-Based Shared Secret Key Generation Protocol for Wearable Devices,” ACM Trans. Sens. Networks, vol. 13, no. 1, pp. 1–27, Jan. 2017.

[56]

M. a. Simplício, P. S. L. M. Barreto, C. B. Margi, and T. C. M. B. Carvalho, “A survey on key management mechanisms for distributed Wireless Sensor Networks,” Comput. Networks, vol. 54, no. 15, pp. 2591–2612, 2010.

[57]

L. Shi, J. Yuan, S. Yu, and M. Li, “MASK-BAN: Movement-Aided Authenticated Secret Key Extraction Utilizing Channel Characteristics in Body Area Networks,” Internet Things Journal, IEEE, vol. 2, no. 1, pp. 52–62, 2015.

[58]

A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler, “SPINS: security protocols for sensor networks,” Wirel. Networks, vol. 8, no. 5, pp. 521–534, Sep. 2002.

[59]

C. S. Jang, D. G. Lee, J. Han, and J. H. Park, “Hybrid security protocol for wireless body area networks,” Wirel. Commun. Mob. Comput., vol. 11, no. 2, pp. 277–288, Feb. 2011.

[60]

D. S. Sanchez and H. Baldus, “A Deterministic Pairwise Key Pre-distribution Scheme for Mobile Sensor Networks,” in First International Conference on Security and Privacy for Emerging

Areas in Communications Networks (SECURECOMM’05), 2005, pp. 277–288. [61]

O. G. Morchon, H. Baldus, and D. S. Sanchez, “Resource-efficient security for medical body sensor networks,” Int. Work. Wearable Implant. Body Sens. Networks, 2006, p. 4–pp, 2006.

[62]

Y. Ren, V. Oleshchuk, F. Y. Li, and S. Sulistyo, “FoSBaS: a bi-directional secrecy and collusion resilience key management scheme for BANs,” 2012 IEEE Wirel. Commun. Netw. Conf., pp. 2841–2846, 2012.

[63]

O. G. Morchon and H. Baldus, “Efficient distributed security for wireless medical sensor networks,” in ISSNIP 2008 - Proceedings of the 2008 International Conference on Intelligent Sensors, Sensor Networks and Information Processing, 2008, pp. 249–254.

[64]

B. Lamichhane, S. Mudda, F. Regazzoni, and A. Puiatti, “LEXCOMM: A low energy, secure and flexible communication protocol for a heterogenous body sensor network,” Proc. - IEEE-EMBS Int. Conf. Biomed. Heal. Informatics Glob. Gd. Chall. Heal. Informatics, BHI 2012, vol. 25, no. Bhi, pp. 273–276, 2012.

[65]

D. Singelée et al., “A Secure Cross-Layer Protocol for Multi-hop Wireless Body Area Networks,” Ad-hoc, Mob. Wirel. Networks, pp. 94–107, 2008.

[66]

B. Latre et al., “A Low-delay Protocol for Multihop Wireless Body Area Networks,” in Fourth Annual International Conference on Mobile and Ubiquitous Systems: Networking & Services, 2007., 2007.

[67]

S. Venkatasubramanian and V. Jothi, “Integrated authentication and security check with CDMA modulation technique in physical layer of Wireless Body Area Network,” 2012 IEEE Int. Conf. Comput. Intell. Comput. Res., pp. 1–6, 2012.

[68]

M. Sarvabhatla and C. S. Vorugunti, “An energy efficient mutual authentication scheme for secure data exchange in health-care applications using wireless body sensor network,” 2015 7th Int. Conf. Commun. Syst. Networks, pp. 1–6, 2015.

[69]

L. Ming, Y. Shucheng, L. Wenjing, and R. Kui, “Group Device Pairing based Secure Sensor Association and Key Management for Body Area Networks,” in Proceedings of the 29th conference on Information communications, 2010, pp. 1–9.

[70]

T. Kovačević, T. Perković, and M. Čagalj, “LIRA: A New Key Deployment Scheme for Wireless Body Area Networks,” Software, Telecommun. Comput. Networks (SoftCOM), 2013 21st Int. Conf., 2013.

[71]

Q. Wang, A. Markham, Z. Yan, A. W. Roscoe, B. Chen, and X. Huang, “Human interactive secure key and identity exchange protocols in body sensor networks,” IET Inf. Secur., vol. 7, no. 1, pp. 30–38, 2013.

[72]

W. Drira, E. Renault, and D. Zeghlache, “A Hybrid Authentication and Key Establishment Scheme for WBAN,” 2012 IEEE 11th Int. Conf. Trust. Secur. Priv. Comput. Commun., pp. 78–83, 2012.

[73]

R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and publickey cryptosystems,” Commun. ACM, vol. 21, no. 2, pp. 120–126, Feb. 1978.

[74]

K. M. Sharmilee, R. Mukesh, a. Damodaram, and V. S. Bharathi, “Secure WBAN using rulebased IDS with biometrics and MAC authentication,” 2008 10th IEEE Intl. Conf. e-Health Networking, Appl. Serv. Heal. 2008, pp. 102–107, 2008.

[75]

Z. Mehmood, S. A. Ch, W. Nasar, and A. Ghani, “An efficient key agreement with rekeying for secured body sensor networks,” 2012 Second Int. Conf. Digit. Inf. Process. Commun., pp. 164–

167, 2012. [76]

A. Sudarsono, M. U. H. Al Rasyid, and H. Hermawan, “An implementation of secure wireless sensor network for e-healthcare system,” 2014 Int. Conf. Comput. Control. Informatics Its Appl., pp. 69–74, 2014.

[77]

M. Barua, M. S. Alam, X. Liang, and X. Shen, “Secure and quality of service assurance scheduling scheme for WBAN with application to eHealth,” 2011 IEEE Wirel. Commun. Netw. Conf. WCNC 2011, pp. 1102–1106, 2011.

[78]

K. S. K. Jingwei Liu, “Hybrid security mechanisms for wireless body area networks,” 2010 Second Int. Conf. Ubiquitous Futur. Networks, pp. 98–103, 2010.

[79]

T. El Gamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469–472, 1985.

[80]

C. Huang, H. Lee, and D. H. Lee, “A Privacy-Strengthened Scheme for E-Healthcare Monitoring System,” J. Med. Syst., vol. 36, no. 5, pp. 2959–2971, 2012.

[81]

N. Gura, A. Patel, A. Wander, H. Eberle, and S. C. Shantz, “Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs,” in 6th International Workshop Cambridge, 2004.

[82]

D. J. Malan, M. Welsh, and M. D. Smith, “A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography,” in 2004 First Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks, 2004. IEEE SECON 2004., 2004, pp. 71–80.

[83]

N. U. Amin, M. Asad, and S. A. Chaudhry, “An authenticated key agreement with rekeying for secured body sensor networks based on hybrid cryptosystem,” Networking, Sens. Control (ICNSC), 2012 9th IEEE Int. Conf., pp. 118–121, 2012.

[84]

K. Malasri and L. Wang, “Addressing security in medical sensor networks,” in 1st ACM SIGMOBILE international workshop on Systems and networking support for healthcare and assisted living environments. ACM, 2007, pp. 7–12.

[85]

X. Huang, Q. Wang, C. Bangdao, A. Markham, R. Jäntti, and A. W. Roscoe, “Body sensor network key distribution using human interactive channels,” in Proceedings of the 4th International Symposium on Applied Sciences in Biomedical and Communication Technologies, 2011.

[86]

C. Rong and H. Cheng, “Authenticated Health Monitoring Scheme for Wireless Body Sensor Networks,” Proc. 7th Int. Conf. Body Area Networks, pp. 31–35, 2012.

[87]

C. C. Tan, H. Wang, S. Zhong, and Q. Li, “Body Sensor network security: an identity based cryptography approach,” ACM Conf. Wirel. Netw. Secur., pp. 148–153, 2008.

[88]

C. C. Tan, H. Wang, S. Zhong, and Q. Li, “IBE-lite: A lightweight identity-based cryptography for body sensor networks,” IEEE Trans. Inf. Technol. Biomed., vol. 13, no. 6, pp. 926–932, 2009.

[89]

“IEEE Standard for Local and Metropolitan Area Networks – Part 15.6: Wireless Body Area Networks.” IEEE Std 802.15.6 -2012.

[90]

J.-M. Ho, “A versatile suite of strong authenticated key agreement protocols for body area networks,” 2012 8th Int. Wirel. Commun. Mob. Comput. Conf., pp. 683–688, 2012.

[91]

K.-H. Yeh, “A Secure IoT-based Healthcare System with Body Sensor Networks,” IEEE Access, vol. 4, pp. 10288–10299, 2016.

[92]

M. R. Abdmeziem and D. Tandjaoui, “An end-to-end secure key management protocol for e-

health applications,” Comput. Electr. Eng., vol. 44, pp. 184–197, May 2015. [93]

J. Shen, S. Moh, and I. Chung, “A Novel Key Management Protocol in Body Area Networks,” in The 7th International Conference on Networking and Services, 2011.

[94]

J. Shen, H. Tan, S. Moh, I. Chung, Q. Liu, and X. Sun, “Enhanced secure sensor association and key management in wireless body area networks,” J. Commun. Networks, vol. 17, no. 5, pp. 453–462, 2015.

[95]

J. Iqbal, N. Amin, and A. I. Umar, “Authenticated key agreement and cluster head selection for Wireless Body Area Networks,” 2nd Natl. Conf. Inf. Assur., pp. 113–117, 2013.

[96]

S. Möller, T. Newe, and S. Lochmann, “Prototype of a secure wireless patient monitoring system for the medical community,” Sensors Actuators A Phys., vol. 173, no. 1, pp. 55–65, 2012.

[97]

L. Ma, Y. Ge, and Y. Zhu, “TinyZKP: A lightweight authentication scheme based on zeroknowledge proof for wireless body area networks,” Wirel. Pers. Commun., vol. 77, no. 2, pp. 1077–1090, 2014.

[98]

J. Liu, Q. Li, R. Yan, and R. Sun, “Efficient authenticated key exchange protocols for wireless body area networks,” EURASIP J. Wirel. Commun. Netw., vol. 2015, no. 1, p. 188, 2015.

[99]

M. H. Ibrahim, S. Kumari, A. K. Das, M. Wazid, and V. Odelu, “Secure anonymous mutual authentication for star two-tier wireless body area networks,” Comput. Methods Programs Biomed., vol. 135, pp. 37–50, 2016.

[100] S. Saleem, S. Ullah, and K. S. Kwak, “Towards security issues and solutions in Wireless Body Area Networks,” Networked Comput. (INC), 2010 6th Int. Conf., pp. 1–4, 2010. [101] A. Ali and F. A. Khan, “A broadcast-based key agreement scheme using set reconciliation for wireless body area networks,” J. Med. Syst., vol. 38, no. 5, p. 33, 2014. [102] F. M. Bui and D. Hatzinakos, “Biometric Methods for Secure Communications in Body Sensor Networks: Resource-Efficient Key Management and Signal-Level Data Scrambling,” EURASIP J. Adv. Signal Process., vol. 2008, no. 1, 2008. [103] L. Yao, B. Liu, K. Yao, G. Wu, and J. Wang, “An ECG-based signal key establishment protocol in body area networks,” Proc. - Symp. Work. Ubiquitous, Auton. Trust. Comput. Conjunction with UIC 2010 ATC 2010 Conf. UIC-ATC 2010, pp. 233–238, 2010. [104] F. Miao, L. Jiang, Y. Li, and Y.-T. Zhang, “A Novel Biometrics Based Security Solution for Body Sensor Networks,” 2009 2nd Int. Conf. Biomed. Eng. Informatics, pp. 1–5, 2009. [105] F. Miao, L. Jiang, Y. Li, and Y.-T. Zhang, “Biometrics based novel key distribution solution for body sensor networks.,” Conf. Proc. IEEE Eng. Med. Biol. Soc., vol. 2009, pp. 2458–61, 2009. [106] Q. Huang and C. Guo, “Efficient Key Cryptography Based on Body Area Networks,” in Proceedings of the 2011 IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems, 2011, pp. 171–174. [107] W. Wang, H. Wang, and M. Hempel, “Secure Stochastic ECG Signals Based on Gaussian Mixture Model for-Healthcare Systems,” IEEE Syst. J., vol. 5, no. 4, pp. 564–573, 2011. [108] Z. Zhang, H. Wang, A. V. Vasilakos, and H. Fang, “ECG-cryptography and authentication in body area networks,” IEEE Trans. Inf. Technol. Biomed., vol. 16, no. 6, pp. 1070–1078, 2012. [109] E. K. Zaghouani, A. Jemai, A. Benzina, and R. Attia, “ELPA: A new key agreement scheme based on linear prediction of ECG features for WBAN,” in 23rd European Signal Processing

Conference (EUSIPCO), 2015, pp. 81–85. [110] F. M. Bui and D. Hatzinakos, “Resource allocation strategies for secure and efficient communications in biometrics-based body sensor networks,” in Biometrics Symposium, 2007. [111] H. Wang, H. Fang, L. Xing, and M. Chen, “An Integrated Biometric-Based Security Framework Using Wavelet-Domain HMM in Wireless Body Area Networks (WBAN),” 2011 IEEE Int. Conf. Commun., pp. 1–5, 2011. [112] S.-D. Bao, F. Miao, and Y. Li, “Biometric key distribution solution with energy distribution information of physiological signals for body sensor network security,” IET Inf. Secur., vol. 7, no. 2, pp. 87–96, 2013. [113] C. Hu, X. Cheng, F. Zhang, D. Wu, X. Liao, and D. Chen, “OPFKA: Secure and efficient OrderedPhysiological-Feature-based key agreement for wireless Body Area Networks,” IEEE Int. Conf. Comput. Commun., pp. 2274–2282, 2013. [114] N. Jamali and L. C. Fourati, “SKEP : a Secret Key Exchange Protocol using physiological signals in wireless body area networks,” 2015 Int. Conf. Wirel. Networks Mob. Commun., 2015. [115] N. Jammali and L. C. Fourati, “PFKA: A Physiological Feature based Key Agreement for Wireless Body Area Network,” in 2015 International Conference on Wireless Networks and Mobile Communications (WINCOM), 2015. [116] K. K. Venkatasubramanian, A. Banerjee, and S. K. S. Gupta, “EKG-based Key Agreement in Body Sensor Networks,” in IEEE International Conference on Computer Communications (INFOCOM), 2008. [117] A. Ali, S. Irum, F. Kausar, and F. A. Khan, “A cluster-based key agreement scheme using keyed hashing for Body Area Networks,” in Multimedia Tools and Applications, 2013, vol. 66, no. 2, pp. 201–214. [118] K. K. Venkatasubramanian, A. Banerjee, and S. K. S. Gupta, “Plethysmogram-based secure inter-sensor communication in body area networks,” Proc. - IEEE Mil. Commun. Conf. MILCOM, 2008. [119] M. R. Kanjee, K. Divi, and H. Liu, “A Physiological Authentication Scheme in Secure Healthcare Sensor Networks,” in 7th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON), 2010, pp. 1–3. [120] K. K. Venkatasubramanian and S. K. S. Gupta, “Physiological value-based efficient usable security solutions for body sensor networks,” ACM Trans. Sens. Networks, vol. 6, no. 4, pp. 1– 36, 2010. [121] S.-D. Bao, Y.-T. Zhang, and L.-F. Shen, “A design proposal of security architecture for medical body sensor networks,” in International Workshop on Wearable and Implantable Body Sensor Networks (BSN’06), 2006, vol. 2006, pp. 84–87. [122] J. Zhou, Z. Cao, and X. Dong, “BDK: Secure and Efficient Biometric Based Deterministic Key Agreement in Wireless Body Area Networks,” Proc. 8th Int. Conf. Body Area Networks, vol. 1, pp. 488–494, 2013. [123] F. Miao, S.-D. Bao, and Y. Li, “A Modified Fuzzy Vault Scheme for Biometrics-Based Body Sensor Networks Security,” 2010 IEEE Glob. Telecommun. Conf. GLOBECOM 2010, no. 2009, pp. 1–5, 2010. [124] C. Z. Cao, C. G. He, S. Di Bao, and Y. Li, “Improvement of fuzzy vault scheme for securing key distribution in body sensor network,” Proc. Annu. Int. Conf. IEEE Eng. Med. Biol. Soc. EMBS,

pp. 3563–3567, 2011. [125] R. T. Rajasekaran, V. Manjula, V. Kishore, T. M. Sridhar, and C. Jayakumar, “An Efficient and Secure Key Agreement Scheme Using Physiological Signals in Body Area Networks,” in International Conference on Advances in Computing, Communications and Informatics, 2012. [126] Z. Zhang, H. Wang, and A. V Vasilakos, “Channel Information based Cryptography and Authentication in Wireless Body Area Networks,” in 8th International Conference on Body Area Networks, 2013, vol. 1, pp. 2–5. [127] A. Juels and M. Wattenberg, “A Fuzzy Commitment Scheme,” CCS ’99 Proc. 6th ACM Conf. Comput. Commun. Secur., pp. 28–36, 1999. [128] Y. Lu and S.-D. Bao, “Efficient fuzzy vault application in node recognition for securing body sensor networks,” IEEE Int. Conf. Commun., pp. 3648–3651, 2014. [129] A. Juels and M. Sudan, “A fuzzy vault scheme,” Des. Codes Cryptogr., vol. 38, no. 2, pp. 237– 257, 2006. [130] K. Cho and D. Lee, “Biometric based secure communications without pre-deployed key for biosensor implanted in body sensor networks,” Lect. Notes Comput. Sci., vol. 7115, pp. 203– 218, 2012. [131] A. Ali and F. A. Khan, “An Improved EKG-Based Key Agreement Scheme for Body Area Networks,” in 4th International Conference on Information Security and Assurance, 2010, pp. 298–308. [132] J. Shi, K.-Y. Lam, M. Gu, M. Li, and S.-L. Chung, “Towards Energy-Efficient Secure Communications Using Biometric Key Distribution in Wireless Biomedical Healthcare Networks,” in 2nd International Conference on Biomedical Engineering and Informatics, 2009, pp. 1–5. [133] A. Ali and F. A. Khan, “Energy-efficient cluster-based security mechanism for intra-WBAN and inter-WBAN communications for healthcare applications,” EURASIP J. Wirel. Commun. Netw., pp. 1–19, 2013. [134] W. Wang et al., “A Stochastic Biometric Authentication Scheme using Uniformed GMM in Wireless Body Area,” in 21st International Symposium on Personal Indoor and Mobile Radio Communications (PIMRC’10), 2010, pp. 1620–1624. [135] G. Revadigar, C. Javali, H. J. Asghar, K. B. Rasmussen, and S. Jha, “Mobility Independent Secret Key Generation for Wearable Health-care Devices,” in Proceedings of the 10th EAI International Conference on Body Area Networks, 2015, pp. 294–300. [136] S. T. Ali, V. Sivaraman, and D. Ostry, “Zero reconciliation secret key generation for body-worn health monitoring devices,” Proc. fifth ACM Conf. Secur. Priv. Wirel. Mob. Networks, pp. 39– 50, 2012. [137] L. W. Hanlen, D. Smith, J. (Andrew) Zhang, and D. Lewis, “Key-sharing via channel randomness in narrowband body area networks: Is everyday movement sufficient?,” in Proceedings of the 4th International ICST Conference on Body Area Networks, 2009, p. 17. [138] S. T. Ali, V. Sivaraman, and D. Ostry, “Secret Key Generation Rate vs. Reconciliation Cost Using Wireless Channel Characteristics in Body Area Networks,” in 2010 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, 2010, pp. 644–650. [139] L. Yao, T. A. Ali, V. Sivaraman, and D. Ostry, “Improving secret key generation performance for on-body devices,” in Proceedings of the 6th International Conference on Body Area Networks,

2011. [140] G. R. Tsouri and J. Wilczewski, “Reliable symmetric key generation for body area networks using wireless physical layer security in the presence of an on-body eavesdropper,” in Proceedings of the 4th International Symposium on Applied Sciences in Biomedical and Communication Technologies - ISABEL ’11, 2011, pp. 1–6. [141] L. Shi, J. Yuan, S. Yu, and M. Li, “ASK-BAN: Authenticated Secret Key Extraction Utilizing Channel Characteristics for Body Area Networks,” in Sixth ACM conference on Security and privacy in wireless and mobile networks, 2013. [142] R. Dautov and G. R. Tsouri, “Securing while Sampling in Wireless Body Area Networks with Application to Electrocardiography,” IEEE J. Biomed. Heal. informatics, vol. PP, no. 99, p. 1, 2014. [143] C. Javali, G. Revadigar, L. Libman, and S. Jha, “SeAK: Secure Authentication and Key Generation Protocol Based on Dual Antennas for Wireless Body Area Networks,” Springer, Cham, 2014, pp. 74–89. [144] G. Revadigar, C. Javali, W. Hu, and S. Jha, “DLINK: Dual link based radio frequency fingerprinting for wearable devices,” in 2015 IEEE 40th Conference on Local Computer Networks (LCN), 2015, pp. 329–337. [145] L. Yao, S. T. Ali, V. Sivaraman, and D. Ostry, “Decorrelating secret bit extraction via channel hopping in body area networks,” in 2012 IEEE 23rd International Symposium on Personal, Indoor and Mobile Radio Communications - (PIMRC), 2012, pp. 1454–1459. [146] G. Revadigar, C. Javali, H. J. Asghar, K. B. Rasmussen, and S. Jha, “iARC: Secret Key Generation for Resource Constrained Devices by Inducing Artificial Randomness in the Channel,” in Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS ’15, 2015, pp. 669–669. [147] G. Revadigar, C. Javali, H. J. Asghar, K. B. Rasmussen, and S. Jha, “Secret Key Generation for Body-worn Devices by Inducing Artificial Randomness in the Channel,” 2015. [148] C. Javali, G. Revadigar, M. Ding, and S. Jha, “Secret Key Generation by Virtual Link Estimation,” in Proceedings of the 10th EAI International Conference on Body Area Networks, 2015, pp. 301–307. [149] J. Lester, J. Lester, B. Hannaford, and G. Borriello, “Are You with Me?” – using accelerometers to determine if two devices are carried by the same person,” Proc. Second Int. Conf. PERVASIVE Comput. (PERVASIVE 2004, vol. 3001, pp. 33--50, 2004. [150] D. Bichler, G. Stromberg, M. Huemer, and M. Löw, “Key Generation Based on Acceleration Data of Shaking Processes,” in UbiComp 2007: Ubiquitous Computing, Berlin, Heidelberg: Springer Berlin Heidelberg, 2007, pp. 304–317. [151] R. Mayrhofer and H. Gellersen, “Shake Well Before Use: Intuitive and Secure Pairing of Mobile Devices,” IEEE Trans. Mob. Comput., vol. 8, no. 6, pp. 792–806, Jun. 2009. [152] Q. Quach, N. Nguyen, and T. Dinh, “Secure Authentication for Mobile Devices Based on Acoustic Background Fingerprint,” Springer, Cham, 2014, pp. 375–387. [153] D. Oberoi, Wing Yan Sou, Yin Yi Lui, R. Fisher, L. Dinca, and G. P. Hancke, “Wearable security: Key derivation for Body Area sensor Networks based on host movement,” in 2016 IEEE 25th International Symposium on Industrial Electronics (ISIE), 2016, pp. 1116–1121. [154] G. Revadigar, C. Javali, W. Xu, W. Hu, and S. Jha, “Secure key generation and distribution

protocol for wearable devices,” in 2016 IEEE International Conference on Pervasive Computing and Communication Workshops (PerCom Workshops), 2016, pp. 1–4. [155] K. K. Venkatasubramanian and S. K. S. Gupta, “Security for Pervasive Health Monitoring Sensor Applications,” Fourth Int. Conf. Intell. Sens. Inf. Process., pp. 197–202, 2006. [156] H. Zhao, J. Qin, and J. Hu, “An Energy Efficient Key Management Scheme for Body Sensor Networks,” IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 11, pp. 2202–2210, 2013. [157] A. S. Sangari and J. M. L. Manickam, “Public Key Cryptosystem Based Security in Wireless Body Area Network,” in International Conference on Circuit, Power and Computing Technologies (ICCPCT), 2014, pp. 1609–1612. [158] S. M. K.-R. Raazi, S. Lee, and Y.-K. Lee, “A Novel Architecture for Efficient Key Management in Humanware Applications,” Fifth Int. Jt. Conf. INC, IMS IDC, pp. 1918–1922, 2009. [159] K.-R. R. S. Muhammad, H. Lee, S. Lee, and Y.-K. Lee, “BARI+: a biometric based distributed key management approach for wireless body area networks.,” Sensors, vol. 10, no. 4, pp. 3911– 33, 2010. [160] A. Alsadhan and N. Khan, “An LBP Based Key Management for Secure Wireless Body Area Network (WBAN),” 14th ACIS Int. Conf. Softw. Eng. Artif. Intell. Netw. Parallel/Distributed Comput., pp. 85–88, 2013. [161] G. H. Zhang, C. C. Y. Poon, Y. Li, and Y. T. Zhang, “A biometric method to secure telemedicine systems.,” Conf. Proc. IEEE Eng. Med. Biol. Soc., vol. 2009, pp. 701–4, 2009. [162] M. M. Mana, “SEKEBAN (Secure and Efficient Key Exchange for wireless Body Area Network),” Int. J. Adv. Sci. Technol., vol. 12, pp. 45–60, 2009. [163] M. Mana, M. Feham, and B. Bensaber, “Trust Key Management Scheme for Wireless Body Area Networks.,” Int. J. Netw. Secur., vol. 12, no. 2, pp. 71–79, 2011. [164] F. Xu, Z. Qin, C. C. Tan, B. Wang, and Q. Li, “IMDGuard: Securing Implantable Medical Devices with the External Wearable Guardian,” in IEEE International Conference on Computer Communications (INFOCOM), 2011, pp. 1862–1870. [165] M. Rostami, A. Juels, F. Koushanfar, M. Rostami, A. Juels, and F. Koushanfar, “Heart-to-Heart (H2H): Authentication for Implanted Medical Devices,” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS ’13, 2013, pp. 1099–1112. [166] L. Yao, B. Liu, G. Wu, K. Yao, and J. Wang, “A biometric key establishment protocol for body area networks,” Int. J. Distrib. Sens. Networks, vol. 2011, 2011. [167] D. He, C. Chen, S. Chan, J. Bu, and P. Zhang, “Secure and lightweight network admission and transmission protocol for body sensor networks,” IEEE J. Biomed. Heal. Informatics, vol. 17, no. 3, pp. 664–674, 2013. [168] G. K. Ragesh and K. Baskaran, “CRYPE: towards cryptographically enforced and privacy enhanced WBANs,” Proc. First Int. Conf. Secur. Internet Things - Secur. ’12, pp. 204–209, 2012. [169] S. Yu, K. Ren, and W. Lou, “FDAC: Toward Fine-Grained Distributed Data Access Control in Wireless Sensor Networks,” IEEE Trans. Parallel Distrib. Syst., vol. 22, no. 4, pp. 673–686, Apr. 2011. [170] H. S. Ng, M. L. Sim, and C. M. Tan, “Security issues of wireless sensor networks in healthcare applications,” BT Technol. J., 2006. [171] O. García-Morchón, D. Gómez-Pérez, J. Gutiérrez, R. Rietman, B. Schoenmakers, and L.

Tolhuizen, “HIMMO: A Lightweight Collusion-Resistant Key Predistribution Scheme.” [172] K. Chalkias, F. Mpaldimtsi, D. Hristu-Varsakelis, and G. Stephanides, “ON THE KEYCOMPROMISE IMPERSONATION VULNERABILITY OF ONE-PASS KEY ESTABLISHMENT PROTOCOLS,” SECRYPT, pp. 222–228, 2007. [173] V. P. Singh, S. Jain, and J. Singhai, “Hello Flood Attack and its Countermeasures in Wireless Sensor Networks,” Int. J. Comput. Sci., vol. 7, no. 3, p. 23, 2010. [174] J. R. Douceur, “The Sybil Attack,” in Proceedings of 1st International Workshop on Peer-toPeer Systems (IPTPS), 2002. [175] H. Yih-Chun, A. Perrig, and D. B. Johnson, “Wormhole attacks in wireless networks,” IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 370–380, Feb. 2006. [176] E. Alasaarela, “Secure key management scheme based on ECC algorithm for patient’s medical information in healthcare system,” Int. Conf. Inf. Netw. 2014, pp. 453–457, 2014. [177] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Trans. Comput. Syst., vol. 8, no. 1, pp. 18–36, Feb. 1990. [178] P. F. Syverson Code and P. C. Van Oorschot, “A Unified Cryptographic Protocol Logic,” 1996. [179] “AVISPA: Automated Validation of Internet Security Protocols and Applications.” [Online]. Available: http://www.avispa-project.org/. [Accessed: 06-Jun-2016]. [180] A. Rukhin et al., “A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications,” 2010.