Privacy-Preserving Fast Three-Factor Authentication and Key Agreement for IoT-Based E-Health Systems

Electronic healthcare (e-health) systems have received renewed interest, particularly in the current COVID-19 pandemic (e.g., lockdowns and changes in hospital policies due to the pandemic). However, ensuring security of both data-at-rest and data-in-transit remains challenging to achieve, particularly since data is collected and sent from less insecure devices (e.g., patients' wearable or home devices). While there have been a number of authentication schemes, such as those based on three-factor authentication, to provide authentication and privacy protection, a number of limitations associated with these schemes remain (e.g., (in)security or computationally expensive). In this study, we present a privacy-preserving three-factor authenticated key agreement scheme that is sufficiently lightweight for resource-constrained e-health systems. The proposed scheme enables both mutual authentication and session key negotiation in addition to privacy protection, with minimal computational cost. The security of the proposed scheme is demonstrated in the Real-or-Random model. Experiments using Raspberry Pi show that the proposed scheme achieves reduced computational cost (of up to 89.9% in comparison to three other related schemes).