Abstract
Healthcare integrated with the Internet of Things (IoT) offers several advantages, including the ability to enable timely and accurate assessments of patient health conditions. However, IoT-based healthcare is vulnerable to security attacks because sensor data, which often include sensitive and personal health information, are transmitted via a public channel. Therefore, a mutual authentication scheme is necessary to ensure that only authorized entities can access patient data. Recently, Saleem et al. suggested an authentication scheme for healthcare services employing a physical unclonable function (PUF). Although their scheme offers mutual authentication between patients and healthcare providers, it remains susceptible to insider, ephemeral secret leakage (ESL), and desynchronization attacks, suffers from a correctness issue, and cannot guarantee user anonymity and untraceability. To address these limitations, we propose a lightweight and robust authentication scheme using exclusive-or and hash functions. We also employ Ascon for resource-constrained IoT systems because it offers integrity and authenticity with low computational and communication overhead compared with conventional cryptographic mechanisms. We prove the robustness of the proposed scheme through formal and informal analyses, including “Burrows–Abadi–Needham (BAN) logic,” the “Real-or-Random (RoR) model,” and the “Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool.” Furthermore, we analyze the communication and computation overhead and the security properties by comparing our scheme with related studies. Finally, we demonstrate that our scheme is lightweight, secure, and well-suited for an IoT-enabled healthcare environment.