Академический Документы
Профессиональный Документы
Культура Документы
fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
1
Abstract—In recent years, wireless sensor networks have been widely used in healthcare applications, such as hospital
and home patient monitoring. Wireless medical sensor networks are more vulnerable to eavesdropping, modification,
impersonation and replaying attacks than the wired networks. A lot of work has been done to secure wireless medical
sensor networks. The existing solutions can protect the patient data during transmission, but cannot stop the inside
attack where the administrator of the patient database reveals the sensitive patient data. In this paper, we propose a
practical approach to prevent the inside attack by using multiple data servers to store patient data. The main contribution
of this paper is securely distributing the patient data in multiple data servers and employing the Paillier and ElGamal
cryptosystems to perform statistic analysis on the patient data without compromising the patients’ privacy.
Keywords—Wireless medical sensor network, patient data privacy, Paillier encryption, and ElGamal encryption
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
2
in the living space to sense environmental the patient data (such as, patient identity) for their
quality or conditions, such as temperature, dust, personal benefit, such as for medical fraud, fraudu-
motion, and light. Emplaced sensors maintain lent insurance claims, and sometimes this may even
connections with mobile body networks as they pose life-threatening risks.
move through the living space. To protect the wireless medical sensor networks
• AlarmGate applications serve as application- against various attacks, a lot of work has been
level gateways between the wireless sensor done. In 2012, a survey on the recently published
networks and IP networks. These nodes allow literature on secure healthcare monitoring using
user interfaces and a connection to a back-end wireless sensor networks was conducted by Kumar
database for long-term storage of data. and Lee [16]. Current solutions are built on either
• Back-end systems provide online analysis of secret-key encryption or public-key encryption as
sensor data and long-term storage of data. follows:
• User interfaces allow any legitimate user of the • Secret-key based solutions assume that the se-
system to query sensor data. cret keys for encryption and authentication are
Wireless medical sensor networks certainly im- deployed in the medical sensors and the servers
prove patient’s quality-of-care without disturbing in advance. A secret key cryptosystem, such
their comfort. However, there exist many potential as AES [1], is used for encryption, while the
security threats to the patient sensitive physiological message authentication code (MAC) is used for
data transmitted over the public channels and stored authentication. Typical examples of secret-key
in the back-end systems. Typical security threats to based solutions include [7], [12], [15], [26],
healthcare applications with WSNs can be summa- [29], [31], [32]. These solutions are usually
rized as follows. efficient. However, the distribution of the secret
Eavesdropping is a security threat to the patient keys are less efficient than the public-key based
data privacy. An eavesdropper, having a powerful solutions.
receiver antenna, may be able to capture the patient • Public-key based solutions assume that a
data from the medical sensors and therefore knows public-key cryptosystem, such as Diffie-
the patient’s health condition. He may even post the Hellman key exchange protocol [8] or RSA
patient’s health condition on social network, which [27], is used to establish a secret key for
can pose a serious threat to patient privacy. encryption on the basis of the public keys.
Impersonation is a security threat to the patient Typical examples of public-key based solutions
data authenticity. In a home care application, an include [11], [13], [17], [19], [21], [22]. These
attacker may impersonate a wireless rely point while solutions facilitate key distribution and update.
patient data is transmitting to the remote location. However, they are usually inefficient and not
This may lead to false alarms to remote sites and directly applicable to the wireless medical sen-
an emergency team could start a rescue operation sor networks, where the sensors have limited
for a non-existent person. This can even defeat the computation and communication capabilities.
purpose of wireless healthcare. In addition, in order to protect patients’ privacy,
Modification is a security threat to the patient k-anonymity has been used to make each patient
data integrity. While the patient data is transmitted indistinguishable from other k-1 similar patients in
to the physician, an adversary may capture the wireless medical sensor data before releasing the
physiological data from the wireless channels and data for medical research [2].
alter the physiological data. After the attacked data Most of current solutions focus on how to protect
(i.e., altered data) is sent to the physician, it could the wireless medical sensor networks against the
endanger the patient. outside attacks, where the attacker does not know
Data breach is a security threat to the patient any information about the secret keys. The outside
data privacy. A data breach is an incident in which attacks can be effectively prevented by encryption,
sensitive, protected or confidential patient data has authentication and access control.
potentially been viewed, stolen or used by an in- In 2013, Yi et al. [31] gave a secret-key based
dividual unauthorized to do so. For example, a solution to protect the wireless medical sensor net-
malicious patient database administrator may use works against the inside attacks, where the attacker
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
3
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
4
A notable feature of the Paillier cryptosystem is its • Compute the ciphertext c = (A, B), where
homomorphic properties. Given two ciphertexts A = gr (4)
E(m1 , pk) = g m1 r1N (mod N 2 ) B = m · yr (5)
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
5
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
6
Assume that the medical sensor sends a sequence 3.3 Access Control Protocol
of sensitive numerical patient data ρ1 , ρ2 , · · · (each
has less than 32 bits) to the three data servers, There is an initialization phase before any user
it firstly generates a sequence of random numbers (physician) can get access to the patient data. In this
phase, the user generates a public and private key
a1 , b1 , a2 , b2 , · · · (each has 40 bits) with SHA-3 [28]
(r = 40 and c = 160) as shown in Fig. 4, where K pair (pk, sk) for the Paillier cryptosystem [25] as
is the random number generation secret key and the described in Section 2.1 and a signature verification
initial vector IV includes the current time stamp, and signing key pair (pk ∗ , sk ∗ ) for the Digital Sig-
the size of both K and IV is 80 bits. nature Standard (DSS) [9]. For security reason, the
Let |αi | (|βi |) be the first 32 bits of ai (bi ).size of N in the Paillier cryptosystem is required to
The sign of αi (βi ) is positive if ai (bi ) is even be more than 1024 bits. Assume that there exists a
and otherwise negative. Then the medical sensor Public Key Infrastructure (PKI), where there exists a
computes Certificate Authority (CA) which certifies the public
γi = ρi − αi − βi keys (pk, pk ∗ ) for the user in a digital certificate. In
addition, we assume that the user establishes three
for i = 1, 2, · · · secure channel with three data servers, respectively.
Let Ai = {patient ID, data attribute, data unit}, To get access to the patient data, the user sends
the medical sensor sends {Ai , αi } to S1 through the a request including the patient’s identity, the data
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
7
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
8
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
9
pki = g ski (mod N 2 ), where i = 1, 2, 3, 4. Then the data server Si from Z∗q = {1, 2, · · · , q − 1}.
three data servers and the user run Algorithm 4. Due to the homomorphic properties of the ElGa-
mal cryptosystem, we have
Algorithm 4 Improved Product Computation α0 0 β0 0 γ0 0
Input: (αi , βi , γi ), (αi0 , βi0 , γi0 ) for i = 1, 2, · · · , n A0i1 A0i2 A0i3 = (Ai i g r1 )(Ai i g r2 )(Ai i g r2 )
0 0 0 0 0 0
N, g, pki , skP
i , i = 1, 2, 3, 4 = (Ai1 Ai2 Ai3 )αi +βi +γi g r1 +r2 +r3
Output: sxy = ni=1 xi yi 0 0
= (g r1 g r2 g r3 )yi g r1 +r2 +r3
0
4
1: Let A = B = 1, g1 = (N + 1)p , pk =
Q
i=1 pki
0 0 0
= g (r1 +r2 +r3 )yi +(r1 +r2 +r3 )
2: For i = 1 to n
3: S1 computes and sends (Ai1 , Bi1 ) to S2 .
0 0 0 α0 0 β0 0 γ0 0
Ai1 = g r1 (mod N 2 ), Bi1 = g1αi pk r1 (mod N 2 )Bi1 Bi2 Bi3 = (Bi i pk r1 )(Bi i pk r2 )(Bi i pk r2 )
α0i +βi0 +γi0 r10 +r20 +r30
4: S2 computes and sends (Ai1 Ai2 , Bi1 Bi2 ) to S3 . = (Bi1 B i2 B i3 ) pk
0 0 0
r2 2 βi r2 2
= (g1αi pk r1 g1βi pk r2 g1γi pk r3 )yi pk r1 +r2 +r3
Ai2 = g (mod N ), Bi2 = g1 pk (mod N ) 0 0 0
= g1xi yi pk (r1 +r2 +r3 )yi +(r1 +r2 +r3 )
5: S3 computes and sends (Ai , Bi ) to S1 , S2 .
Therefore,
r3 2 γi r3 2
Ai3 = g (mod N ), Bi3 = g1 pk (mod N )
Pn
xy
(A, B) = (g r , g1 i=1 i i pk r )
Ai = Ai1 Ai2 Ai3 (mod N 2 )
Pn some r, which is an ElGamal encryption of
for
i=1 xi yi . Furthermore, we have
2
Bi = Bi1 Bi2 Bi3 (mod N )
6: S1 computes and sends (A0i1 , Bi1
0
) to S2 . C/D = B/(D1 D2 D3 D)
Pn 4
α0 0 α0 0 xy
Y
0
A0i1 = Ai i g r1 (mod N 2 ), Bi1 = Bi i pk r1 (mod N 2 ) = g1 i=1 i i pk r /( (g r )sk1 )
i=1
7: 0
S2 computes and sends (A0i1 A0i2 , Bi1 0
Bi2 ) to S3 . p
Pn
xi yi
= (1 + N ) i=1
β0 0 β0 0 n
A0i2 = Ai i g r2 (mod N 2 0
), Bi2 = Bi i pk r2 (mod N )2 X
= 1 + (p xi yi )N (mod N 2 )
8: S3 computes i=1
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
10
access control policies permit the user to access the channel is encrypted with the secret key pre-shared
variance of n patient data, the user runs Algorithm 2 between the sensor and the data server. Without the
and Algorithm
Pn 3 or 4 with thePthree data servers to secret key, the attacker cannot eavesdrop the patient
n
get x = i=1 xi /n and sx2 = i=1 x2i , respectively. data.
Then the user computes the variance Because the medical sensors are usually low-
power and low-cost, we can choose the lightweight
rP encryption scheme and the message authentication
− x)2
i=1 (xi
v = code (MAC) generation scheme proposed in [31] for
sP n−1 the secure channel. Both schemes are built on the
i=1 x2i + (1 − 2n)x2 smallest version of the SHA-3 with r = 40, c = 160,
= which can provide a security level sufficient for
n−1
many applications. In addition, the random numbers
3.4.4 Regression Analysis Protocol in our data collection protocol are also generated
When a user queries the linear relationship y = with SHA-3 as shown in Fig. 4.
kx + b of two measures of patient data, X = By the lightweight encryption scheme and the
(x1 , x2 , · · · , xn ) and Y = (y1 , y2 , · · · , yn ), where MAC generation scheme [31], we can achieve data
(xi , yi ) belongs to one patient and xi = αi + βi + γi confidentiality, authenticity and integrity between
and yi = αi0 + βi0 + γi0 for i = 1, 2, · · · , n, and each medical sensor and each data server.
(αi , αi0 ), (βi , βi0 ), (γi , γi0 ) are stored in the three data In our solution, the communication between the
servers, respectively, he submits his query with user and each data server is also through a secure
his signature and certificate to the three servers. channel. Because the three data servers and the
If the signature of the user is genuine and the user’s computing device are usually much more
access control policies permit the user to access powerful in computation and communication than
the linear relationship of two measures X and Y the medical sensors, we choose the Advanced En-
for the n patient data, the user runs Algorithm 2 cryption Standard (AES) [1] for the secure channel.
and Algorithm The secret key can be established by a public
Pn3 or 4 with P the three data servers
n Pn to key cryptosystem, such as the Diffie-Hellman key
obtain P sx = i=1 xi , sy = i=1 yi , sx2 = i=1 x2i ,
sxy = ni=1 xi yi , respectively. Then the user com- exchange protocol [8] or RSA [27]. The public keys
putes of users and three data servers are certified by a
P P P Certificate Authority (CA) in a Public Key Infras-
n xi yi − xi yi tructure (PKI). In addition, we choose the Digital
k =
n x2i − ( xi )2
P P
Signature Standard (DSS) [9] for data authentication
P P
y i − k xi and integrity.
b = By AES and DSS, we can achieve data confiden-
n
tiality, authenticity and integrity between the user
4 S ECURITY AND P RIVACY A NALYSIS and each data server.
In our solution, the communications among three
4.1 Security Analysis
data servers can be also through secure channels.
In our architecture as shown in Fig. 2, there are Like the secure communication between the user
three parts of communications as follows. and the data servers, any two of the three data
• The communications between the medical sen- servers can establish a secret key with a public key
sors and the three servers; cryptosystem. Then the communication between the
• The communications between the user (e.g., two data servers can be encrypted with AES based
physicians or medical professional) and three on the secret key.
servers; In our model, the three data servers are assumed
• The communications among the three servers. to be semi-honest. Otherwise, the user can never
In our solution, the communication between each obtain correct patient data and statistical analysis
medical sensor and each data server is through a results. To ensure data authenticity and integrity in
secure channel, which is implemented by a secret- the communications among the three data servers,
key cryptosystem. The patient data over the secure we choose the Digital Signature Standard (DSS) [9].
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
11
4.2 Privacy Analysis is not permitted to know the individual patient data
In the data collection protocol, the medical sensor in the statistical analysis.
splits the patient data into three numbers and sends
them to the three data servers, respectively, through 5 P ERFORMANCE A NALYSIS
secure channels. Two of the three numbers are
In our data collection protocol, we can use the
generated by SHA-3 with a secret key K and an
lightweight encryption scheme and MAC generation
initial vector IV as shown in Fig. 4. The key
scheme proposed in [31]. In addition, our random
is pre-deployed and known to the medical sensor
number stream generation scheme is also based on
only. Any inside attacker, including each data server,
SHA-3. All security mechanisms in the sensor can
cannot guess the two random numbers without the
be implemented with the same SHA-3. This design
secret key. As long as at least one data server is not
is suitable for wireless sensor networks where area
compromised by the inside attack, none can reveal
is particularly important since it determines the cost
the patient data during data collection.
of the sensors.
In the access control protocol (Algorithm 1) and
Our access control protocol is built on the Paillier
the statistical analysis protocols (Algorithms 2 and
cryptosystem [25], where the dominated computa-
3), the patient data is always encrypted by the public
tion is the modular exponentiation, i.e., ax (mod N 2 )
key of the user. Without the private key of the user,
where x ∈ Z∗N . In Algorithm 1, each data server
even if two data servers are compromised by the
computes two modular exponentiations and ex-
inside attacks, the attacker can never obtain the
change |N 2 | = 2|N | bits, where |N | is the length of
patient data. Algorithms 1-3 are useful when the
N . The user computes one modular exponentiation
user is permitted to get access the patient data,
and exchanges 2|N | bits.
but does not have a secure environment to protect
Our average analysis protocol is also built on
patient data in local statistical analysis.
the Paillier cryptosystem. In Algorithm 2, the com-
In Algorithm 4, all intermediate statistical data
putation and communication complexities for each
Q4 encrypted by the common public key pk = data server and the user are the same as those in
are
i=1 pki . Because p and q are public, the user may Algorithm 1.
attempt to decrypt the encrypted intermediate data
In our correlation analysis protocol, with the
by the decryption manner of the Paillier cryptosys-
help of the three data servers, the user compute
tem, e.g., raising Bij , Bi , Bij0 , B to the power of q
sx , sy by Algorithm 2 and compute sxy , sx2 , sy2 by
to remove the effect of pk r . However,
Algorithm 3 or Algorithm 4 and then computes
Biq = (g1xi pk r1 +r2 +r3 )q (mod N 2 ) the correlation rxy . Algorithm 3 is based on the
Paillier cryptosystem and can be used when the
= (N + 1)pqxi (mod N 2 ) user is permitted to access the individual patient
= 1 + xi pqN (mod N 2 ) data. Algorithm 4 is based on the combination of
2 the ElGamal and Paillier cryptosystems and can be
= 1 (mod N )
used when the user is not permitted to access any
In the same way, we can see that Bijq = Bij0 q = individual patient data.
B q = 1(mod N 2 ). Therefore, this attack cannot get In Algorithm 3, each data server computes 4n
any information about the patient data. In addition, modular exponentiations and exchanges 8|N |n bits
because Aqij = Aqi = A0ij q = Aq = 1, any in average, where n is the number of patients.
attacker cannot determine the random exponents in The user computes one modular exponentiation
Aij , Ai , A0ij , A like the Paillier decryption. and exchanges 2|N | bits. In Algorithm 4, each
Even if the user can get the encrypted interme- data server computes 8n modular exponentiations
diate data, he cannot decrypt it without cooperation and exchanges 20|N |n bits in average. The user
with all three data servers. Note that we assume that computes one modular exponentiation and exchange
at least one data server is not compromised by the 4|N | bits. The computations of modular exponen-
inside attack. Until the end of the algorithm, the user tiation in Algorithms 3 and 4 are different. In
is not allowed to decrypt the final statistical result. Algorithm 3, we compute ax (mod N 2 ) where x ∈
Therefore, Algorithm 4 can be used when the user ZN , denoted as Exp. In Algorithm 4, we compute
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
12
TABLE 1
Performance Analysis
ax (mod N 2 ) where x ∈ Zp , denoted as exp. It is [5], a modular exponentiation with a 1024-bit mod-
estimated that Exp.≈ 2·exp. ulus takes about 0.67 milliseconds. Note that it is
For simplicity, our statistical analysis protocols coded in C++, compiled with Microsoft Visual C++
based on Algorithms 3 and 4 are denoted as 2005 SP1 (whole program optimization, optimize
statistical analysis 1 and 2, respectively. In our for speed), and runs on an AMD Opteron 8354
correlation analysis 1, each data server computes 2.2 GHz processor under Linux. Based on this
3 · 4n + 2 · 2 = 12n + 4 Exp. and exchanges result, in the Paillier cryptosystem with a 1024-bit
3 · 8|N |n + 2 · 2|N | = (24n + 4)|N | bits in average. modulus, one modular exponentiation takes about
The user computes 5 Exp. and exchange 10|N | 1.34 milliseconds if we use the Chinese remainder
bits. In our correlation analysis 2, each data server theorem to compute ax (mod N 2 ) = ax (mod p2 q 2 ).
computes 3 · 8n exp. +2 · 2 Exp. =24n exp. + 4 Exp. Taking the most expensive correlation analysis 1 for
and exchanges 3 · 20|N |n + 2 · 2|N | = (60n + 4)|N | n = 10, 000 as an example, assuming that the three
bits in average. The user computes 3 exp. +2 Exp. data servers are connected by a 100-gigabit network,
and exchange 16|N | bits. the total computation and communication times are
In our variance analysis protocol, the user com- estimated to be 2.68 minutes and 1 second, respec-
putes x by Algorithm 2 and sx2 by Algorithm 3 or tively. Our algorithms support parallel computation.
4 and then computes the variance. In the variance If each data server runs 10 computers in parallel,
analysis 1, each data server computes 4n + 2 Exp. the total running time of our correlation analysis
and exchanges (8n + 2)|N | in average. The user 1 for n = 10, 000 can be reduced to 16 seconds.
computes 2 Exp. and exchange 4|N | bits. In the The estimated time for access control and other data
variance analysis 2, each data server computes 8n analyses for n = 10, 000 are listed in TABLE 1 as
exp. + 2 Exp. and exchanges (20n + 2)|N | in well.
average. The user computes 1 exp. + 1 Exp. and
exchange 6|N | bits.
In our regression analysis protocol, the user 6 C ONCLUSION
computes sx , sy by Algorithm 2 and sx2 , sxy by In this paper, we have investigated the security and
Algorithm 3 or 4 and then determines the line. In privacy issues in the medical sensor data collection,
the regression analysis 1, each data server computes storage and queries and presented a complete solu-
8n+4 Exp. and exchanges (16n+4)|N | in average. tion for privacy-preserving medical sensor network.
The user computes 4 Exp. and exchange 8|N | bits. To secure the communication between medical sen-
In the regression analysis 2, each data server com- sors and data servers, we used the lightweight
putes 16n exp. + 4 Exp. and exchanges (40n+4)|N | encryption scheme and MAC generation scheme
in average. The user computes 2 exp. + 2 Exp. and based on SHA-3 proposed in [31]. To keep the
exchange 12|N | bits. privacy of the patient data, we proposed a new data
The performance of all of our protocols are collection protocol which splits the patient data into
summarized in TABLE 1. three numbers and stores them in three data servers,
With reference to Crypto++ 5.6.0 Benchmarks respectively. As long as one data server is not
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
13
compromised, the privacy of the patient data can be [12] F. Hu, M. Jiang, M. Wagner, D. C. Dong. Privacy-Preserving
preserved. For the legitimate user (e.g., physician) Telecardiology Sensor Networks: Toward a Low-Cost Portable
Wireless Hardware/Software Codesign. IEEE Trans. Inform.
to access the patient data, we proposed an access Tech. Biomed, 11: 619-627, 2007.
control protocol, where three data servers cooperate [13] Y. M. Huang, M. Y. Hsieh, H. C. Hung, J. H. Park. Perva-
to provide the user with the patient data, but do sive, Secure Access to a Hierarchical Sensor-Based Healthcare
Monitoring Architecture in Wireless Heterogeneous Networks.
not know what it is. For the legitimate user (e.g., IEEE J. Select. Areas Commun. 27: 400-411, 2009.
medical researcher) to perform statistical analysis on [14] J. Ko, J. H. Lim, Y. Chen, R. Musaloiu-E., A. Terzis, G. M.
the patient data, we proposed some new protocols Masson. MEDiSN: Medical Emergency Detection in Sensor
Networks. ACM Trans. Embed. Comput. Syst. 10: 1-29, 2010.
for average, correlation, variance and regression [15] P. Kumar, Y. D. Lee, H. J. Lee. Secure Health Monitoring Using
analysis, where the three data servers cooperate Medical Wireless Sensor Networks. In Proc. 6th International
to process the patient data without disclosing the Conference on Networked Computing and Advanced Informa-
patient privacy and then provide the user with tion Management, pages 491-494, Seoul, Korea, 16-18 August
2010.
the statistical analysis results. Security and privacy [16] P. Kumar and H. J. Lee. Security Issues in Healthcare Appli-
analysis has shown that our protocols are secure cations Using Wireless Medical Sensor Networks: A Survey.
against both outside and inside attacks as long as Sensors 12: 55-91, 2012.
[17] X. H. Le, M. Khalid, R. Sankar, S. Lee. An Efficient Mutual
one data server is not compromised. Performance Authentication and Access Control Scheme for Wireless Sensor
analysis has shown that our protocols are practical Network in Healthcare. J. Networks 27: 355-364, 2011.
as well. [18] H. J. Lee and K. Chen. A New Stream Cipher for Ubiquitous
Application. In Proc. ICCIT’07, South Korea, 2007.
Unlike [31], our solution can preserve the patient [19] X. Lin, R. Lu, X. Shen, Y. Nemoto, N. Kato. SAGE: A Strong
data privacy as long as one of three data server is Privacy-Preserving Scheme Against Global Eavesdropping for
not compromised. [31] requires that the number of eHealth System. IEEE J. Select. Area Commun. 27: 365-378,
the compromised data servers is at most one. 2009.
[20] D. Malan, T. F. Jones, M. Welsh, S. Moulton. CodeBlue: An
Ad-Hoc Sensor Network Infrastructure for Emergency Medical
R EFERENCES Care. In Proc. MobiSys 2004 Workshop on Applications of
Mobile Embedded Systems (WAMES’04), Boston, MA, USA,
[1] Advanced Encryption Standard (AES). FIPS PUB 197, Novem-
6-9 June 2004.
ber 26, 2001. http://csrc.nist.gov/publications/fips/fips197/fips-
[21] K. Malasri, L. Wang. Design and Implementation of Secure
197.pdf
Wireless Mote-Based Medical Sensor Network. Sensors 9:
[2] P. Belsis and G. Pantziou. A k-anonymity privacy-preserving
6273-6297, 2009.
approach in wireless medical monitoring environments. Journal
Personal and Ubiquitous Computing, 18(1): 61-74, 2014. [22] J. Misic, V. Misic. Enforcing Patient Privacy in Healthcare
[3] D. Bogdanov, S. Laur, J. Willemson. Sharemind: a Frame- WSNs Through Key Distribution Algorithms. Secur. Commun.
work for Fast Privacy-Preserving Computations. In Proc. ES- Network 1: 417-429, 2008.
ORICS’08, pages 192-206, 2008. [23] K. Montgomery, C. Mundt, G. Thonier, A. Tellier, U. Udoh,
[4] R. Chakravorty. A Programmable Service Architecture for Mo- V. Barker, R. Ricks, L. Giovangrandi, P. Davies, Y. Cagle, J.
bile Medical Care. In Proc. 4th Annual IEEE International Con- Swain, J. Hines, G. Kovacs. Lifeguard - A Personal Physiolog-
ference on Pervasive Computing and Communication Workshop ical Monitor for Extreme Environments. In Proc. 26th Annual
(PERSOMW’06), Pisa, Italy, 13-17 March 2006. International Conference of the IEEE EMBS, pages 2192-2195,
[5] Crypto++ 5.6.0 Benchmarks. http://www.cryptopp.com / bench- San Francisco, CA, USA, 1-5 September 2004.
marks.html. [24] J. Ng, B. Lo, O. Wells, M. Sloman, N. Peters, A. Darzi, C.
[6] J. Daemen, G. Bertoni, M. Peeters, G. V. Assche, Toumazou, G. Z. Yang. Ubiquitous Monitoring Environment for
Permutation-based Encryption, Authentication and Authenti- Wearable and Implantable Sensors (UbiMon). In Proc. 6th Inter-
cated Encryption, DIAC’12, Stockholm, 6 July 2012. Avail- national Conference on Ubiquitous Computing (UbiComp’04),
able at http://www.hyperelliptic.org/DIAC/slides /Permutation- Nottingham, UK, 7-14 September 2004.
DIAC2012.pdf [25] P. Paillier. Public-key Cryptosystems Based on Composite
[7] S. Dagtas, G. Pekhteryev, Z. Sahinoglu, H. Cam, N. Challa. Degree Residuosity Classes. In Proc. EUROCRYPT’99, pages
Real-Time and Secure Wireless Health Monitoring. Int. J. 223-238, 1999.
Telemed. Appl. 2008, doi: 10.1155/2008/135808. [26] S. Raazi, H. Lee, S. Lee, Y. K. Lee. BARI+: A Biometric Based
[8] W. Diffie and M. Hellman. New Directions in Cryptography. Distributed Key Management Approach for Wireless Body Area
IEEE Transactions on Information Theory, 22 (6): 644-654, Networks. Sensors 10: 3911-3933, 2010.
1976. [27] R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining
[9] Digital Signature Standard (DSS). FIPS PUB 186-4, July 2013, Digital Signatures and Public-Key Cryptosystems. Communica-
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf tions of the ACM, 21 (2): 120-126, 1978.
[10] T. ElGamal. A Public-Key Cryptosystem and a Signature [28] SHA-3 Standard: Permutation-Based Hash and Extendable-
Scheme Based on Discrete Logarithms. IEEE Transactions on Output Functions. Draft FIPS PUB 202, May 2014.
Information Theory, 31 (4): 469-472, 1985. http:csrc.nist.govpublicationsdraftsfips202fips 202 draft.pdf
[11] D. He, S. Chan and S. Tang. A Novel and Lightweight System [29] A. B. Waluyo, I. Pek, X. Chen, W.-S.Yeoh. Design and Eval-
to Secure Wireless Medical Sensor Networks. IEEE Journal of uation of Lightweight Middleware for Personal Wireless Body
Biomedical and Health Informatics, 18 (1): 316-326, 2014. Area Network. Pers. Ubiquit. Comput, 13: 509-525, 2009.
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TDSC.2015.2406699, IEEE Transactions on Dependable and Secure Computing
14
[30] A. Wood, G. Virone, T. Doan, Q. Cao, L. Selavo, Y. Wu, Dimitrios Georgakopoulos is currently a
L. Fang, Z. He, S. Lin, J. Stankovic. ALARM-NET: Wireless Professor with School of Computer Sci-
Sensor Networks for Assisted-Living and Residential Monitor- ence and IT, RMIT University, Australia.
ing. Technical Report CS-2006-01; Department of Computer PLACE Before joining RMIT, he was a Research
Science, University of Virginia: Charlottesville, VA, USA, PHOTO Director at the CSIRO ICT Centre where he
2006. HERE headed the Information Engineering Labo-
[31] X. Yi, J. Willemson, F. Nat-Abdesselam. Privacy-Preserving ratory that is based in Canberra and Syd-
Wireless Medical Sensor Network. In Proc. TrustCom’13, pages ney. Dimitrios is also an Adjunct Professor
118-125, 2013. at the Australian National University. Before
[32] H. Zhao, J. Qin, and J. Hu. An Energy Efficient Key Manage- coming to CSIRO in October 2008, Dimitrios held research and
ment Scheme for Body Sensor Networks. IEEE Transactions management positions in several industrial laboratories in the
on Parallel and Distributed Systems, 24 (11): 2202-2210, 2013. US. From 2000 to 2008, he was a Senior Scientist with Telcordia,
[33] B. Zoltak. An Efficient Message Authentication Scheme for where he helped found Telcordia’s Research Centers in Austin,
Stream Cipher. Cryptology ePrint Archive 2004. Texas, and Poznan, Poland. From 1997 to 2000, Dimitrios was
a Technical Manager in the Information Technology organization
of Microelectronics and Computer Corporation (MCC), and the
Chief Architect of MCC’s Collaboration Management Infrastruc-
ture (CMI) consortial project. From 1990-1997, Dimitrios was
a Principal Scientist at GTE (currently Verizon) Laboratories
Xun Yi is currently a Professor with School Inc. Dimitrios has received a GTE (Verizon) Excellence Award,
of Computer Science and IT, RMIT Uni- two IEEE Computer Society Outstanding Paper Awards, and
versity, Australia. His research interests was nominated for the Computerworld Smithsonian Award in
PLACE include applied cryptography, computer Science. He has published more than one hundred journal and
PHOTO and network security, mobile and wire- conference papers.
HERE less communication security, and privacy-
preserving data mining. He has published
more than 150 research papers in interna-
tional journals, such as IEEE Trans. Knowl-
edge and Data Engineering, IEEE Trans. Wireless Communi-
cation, IEEE Trans. Dependable and Secure Computing, IEEE
Trans. Circuit and Systems, and conference proceedings. He
has ever undertaken program committee members for more
than 20 international conferences. Since 2014, he has been
an Associate Editor for IEEE Trans. Dependable and Secure
Andy Song is currently a Lecturer with
Computing.
School of Computer Science and IT, RMIT
University, Australia. His research interests
PLACE include machine vision and texture analy-
PHOTO sis, supervised learning and classification,
HERE genetic programming, evolutionary compu-
tation, prediction and learning agents.
Athman Bouguettaya received the PhD
degree in computer science from the Uni-
versity of Colorado at Boulder in 1992. He
PLACE is the head of the School of Computer Sci-
PHOTO ence and Information Technology at RMIT,
HERE Melbourne, Australia. He was a science
leader at the CSIRO ICT Centre, Canberra,
Australia. He was also previously a tenured
faculty member in the Computer Science
Department at the Virginia Polytechnic Institute and State Uni-
versity (commonly known as Virginia Tech). He currently holds
adjunct professorships at the Australian National University, Jan Wilimson is currently a senior re-
Canberra, the University of Queensland, Brisbane, Australia, searcher with Cybernetica, Tartu, 51003,
and Macquarie University, Sydney, Australia. He is on the ed- Estonia. His research interests include
itorial boards of several journals, including the VLDB Journal, PLACE practical data security, secure multi-party
the Distributed and Parallel Databases Journal, the International PHOTO computations, security issues of digital
Journal of Cooperative Information Systems, and the IEEE HERE document formats, and e-voting.
Transactions on Services Computing. He has published more
than 130 articles in journals and conferences in the area of
databases and service computing (e.g., IEEE Transactions on
Knowledge and Data Engineering, the ACM Transactions on the
Web, the International Journal on Very Large Data Bases, SIG-
MOD, ICDE, VLDB, and EDBT). His current research interests
include the foundations of web service management systems.
He is a fellow of the IEEE.
1545-5971 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.