DOI QR코드

DOI QR Code

SVC: Secure VANET-Assisted Remote Healthcare Monitoring System in Disaster Area

  • Liu, Xuefeng (School of Cyber Engineering, Xidian University) ;
  • Quan, Hanyu (School of Cyber Engineering, Xidian University) ;
  • Zhang, Yuqing (National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences) ;
  • Zhao, Qianqian (School of Cyber Engineering, Xidian University) ;
  • Liu, Ling (School of Cyber Engineering, Xidian University)
  • Received : 2015.07.18
  • Accepted : 2016.01.21
  • Published : 2016.03.31

Abstract

With the feature of convenience and low cost, remote healthcare monitoring (RHM) has been extensively used in modern disease management to improve the quality of life. Due to the privacy of health data, it is of great importance to implement RHM based on a secure and dependable network. However, the network connectivity of existing RHM systems is unreliable in disaster area because of the unforeseeable damage to the communication infrastructure. To design a secure RHM system in disaster area, this paper presents a Secure VANET-Assisted Remote Healthcare Monitoring System (SVC) by utilizing the unique "store-carry-forward" transmission mode of vehicular ad hoc network (VANET). To improve the network performance, the VANET in SVC is designed to be a two-level network consisting of two kinds of vehicles. Specially, an innovative two-level key management model by mixing certificate-based cryptography and ID-based cryptography is customized to manage the trust of vehicles. In addition, the strong privacy of the health information including context privacy is taken into account in our scheme by combining searchable public-key encryption and broadcast techniques. Finally, comprehensive security and performance analysis demonstrate the scheme is secure and efficient.

Keywords

1. Introduction

Remote healthcare monitoring (RHM), providing a convenient and low-cost way to monitor patients outside of conventional clinical settings, has been extensively used in post-acute care and chronic disease management. A study report from IMS Research indicates that in 2012 there was estimated to be 308,000 patients remotely monitored by healthcare providers, and the number will increase to 1.8 million worldwide by 2017 [1]. In a typical RHM system, a patient deploys body sensors in a wireless body sensor network at home to collect the health parameters such as blood pressure, heart rate, body temperature, and SpO2 etc, and sends these personal health information (PHI) to healthcare provider′s end. Such a system enables disease progression track and early detection, and thus can evidently reduce readmission rate and decrease the healthcare spending on both patient personal cost and nation health expenditure. According to the American Heart Association, chronic heart failure alone costs the US economy more than $33.7 billion per year, of which $16 billion is attributed to readmission, while 42% of the readmission are preventable by adequate patient monitoring, instruction and education outside hospital [2].

As one of the most important components of RHM system, network is responsible for transmitting the PHI from patient′s end to the healthcare provider′s end (e.g., a health center). In recent years, there are many research works concerned with the practical RHM systems [3-10]. Most of the works use normal wireless communication technology such as 3G cellular networks with base stations, or WiFi access point connected with Internet to transmit the PHI. Unfortunately, all these networks rely on communication infrastructures which are vulnerable in natural disaster (e.g., Hurricane Katrina) or technical failure (e.g., the August 2003 electrical blackout in North America). The network connectivities are unpredictable due to the unforeseeable destructions to the infrastructures (e.g., cellular base stations, wireless access points, fiber and cable connections, power supplies) caused by the disaster. Therefore, an emergency infrastructure-free RHM system which can work normally in disaster area is highly desired.

The emergence of vehicular ad hoc network (VANET) puts forward a potential solution for post-disaster communication through its “store-carry-forward” feature. In VANET, each vehicle is equipped with an OnBoard Unit (OBU) communication device capable of storing, which allows messages to be transmitted in the network by intermittent connections while the fixed Roadside Units (RSUs) deployed along the roadside is optional [9][11]. However, using VANET to design an RHM system for post-disaster PHIs transmission comes with a set of new challenges. The first challenge is how to create a practical VANET when the disaster happens. A trivial solution is that the health center sends the ambulances it possesses into the disaster area to compose a VANET. Due to the limited number of the official vehicles, i.e., the number of the network nodes, the performance of such a network will be inefficiency. In addition, security and privacy are also the primary challenges to an RHM system. A recent study shows that 75% Americans consider the privacy of health information important or very important [12]. They may refuse to submit the PHIs to an insecure VANET without privacy protection. Therefore, a comprehensive privacy preserving scheme for the RHM system is indispensable. There are some research works discussing the topic of security and privacy of the RHM system in recent years [7-10]. We will review these works in the section of Related Works and show that they are not suitable for an RHM system working in disaster area.

Based on the above analysis, in this paper, we propose a Secure VANET-assisted Remote HealthCare Monitoring System, named SVC, for post-disaster PHIs transmission in disaster area.The main contribution of this paper is twofold.

First, we present a novel two-level VANET to help transmit the PHIs in the RHM system. Specially, the first level nodes are official vehicles such as ambulances, and common vehicles are introduced into the VANET as the second level nodes. Such a structure increases the number of the VANET nodes so that to improve the network performance. In addition, a corresponding two-level key management model is proposed by mixing certificate-based cryptography and ID-based cryptography to manage the trust of the vehicles.

Second, under the two-level network model, we propose a secure PHIs transmission scheme, Speically, PHI is encrypted with a symmetric key that can only be decrypted by the corresponding doctor. Moreover, the context privacy of the PHI is protected by using searchable public-key encryption and broadcast techniques. Security analysis shows the security requirements including message autentication, identity privacy, content privacy, and context privacy are all achieved, while an extensive analysis of performance domenstrates the scheme is effective and efficient.

The rest of this paper is organized as follows. Section 2 introduces some preliminaries relevant to our work. Section 3 describes the system and threat model, and identifies the security requirements. The SVC system is presented in detail in Section 4, followed by the security analysis and the performance evaluation in Sectioin 5 and Section 6, respectively. We discuss the related works in Section 7, and conclude our work in Section 8.

 

2. Preliminaries

2.1 IBC and Bilinear Maps

ID-based cryptosystem (IBC) enables the public key of an entity to be its public ID (such as the name or the email address), which avoids the use of public key infrastructure (PKI) [13]. D.Boneh et al. proposed the first full functional ID-based encryption scheme based on bilinear maps [14]. Let G and GT be two multiplicative cyclic groups of the same prime order q. Let e: G × G → GT denote a bilinear map constructed with the following properties:

1. Bilinear: for all a,b ∈ and g1, g2 ∈ G,

2. Non-degenerate: there exists a point g1 such that e(g1,g1) ≠ 1.

3. Computable: there is an efficient algorithm to compute e(g1,g2) for any g1,g2 ∈ G.

A bilinear map satisfying the three properties above is said to be an admissible bilinear map, and the Weil pairing on elliptic curves is an example of such a map.

2.2 Computational Assumptions

The security of SVC depends on the hardness of Computational Diffie-Hellman (CDH) problem and Bilinear Diffie-Hellmanm (BDH) problem.

Definition 1 (Computational Diffie-Hellman Assumption). For unknown a,b ∈ , given g,ga,gb ∈ G, it is infeasible to compute gab ∈ G.

Definition 2 (Bilinear Diffie-Hellman Assumption). For unknown a,b,c ∈ , given g,ga,gb,gc ∈ G, it is infeasible to compute e(g,g)abc ∈ GT.

Note that the BDH problem in 〈G, GT, e〉 is no harder than the CDH problem in G. In other words, an algorithm for CDH in G is sufficient for solving BDH in 〈G, GT, e〉 [15].

2.3 Batch Verification

Batch verification can verify all the signatures received in a time window with rather short time compared to verify each signature one after another. Let σ1,⋯,σn denote n signatures of different messages. With batch verification, the n signatures can be combined into a “batch” form σbatch, and one can verify it once instead of verifying σi (1 ≤ i ≤ n).

The first batch verification scheme was introduced by Fiat [16] in Crypto 1989, which is based on RSA. In this paper, BLS [17] and ChCh [18] signature techqines that support batch verification will be used to speed up the message authentication.

2.4 Searchable Public-Key Encryption

Public-key encryption with keyword search (PEKS), also named “searchable public-key encryption”, was first introduced by D.Boneh et al. in Eurocrypt 2004 [20]. In that work, the PEKS scheme is developed for an email system that enables a server to retrieve messages containing certain keywords without learning any other information. Specially, consider an email server that stores a message encrypted for Alice by someone else in the form of EApub(M)║⋯║PEKS(Apub, W1)║PEKS(Apub, Wn), where Apub is Alice′s public key, M is the plaintext, and Wi is the keyword. Given a trapdoor TW computed by Alice, the server can test whether one of the keywords associated with the message is equal to the keyword W of Alice′s choice, i.e., whether Wi=W for PEKS(Apub, Wi), 1 ≤ i ≤ n. If Wi ≠ W, the server learns nothing more about Wi.

In SVC, we combine the PEKS scheme with broadcast techniqueto protect the context privacy which defined in next section.

 

3. System and Security Models

3.1 System Model

We consider the entire system works in disaster area where the communication infrastructure (e.g., cellular 3G/4G, Wi-Fi public access, and Internet, etc.) is unavailable. With the “store-carry-forward” feature, we design a special VANET in SVC to help transmitting the PHI from the patient′s house to the health center. The system model is divided into three domains: the wireless body area network (WBAN), the vehicular ad-hoc network (VANET), and the health center, as shown in Fig. 1.

Fig. 1.The system model of SVC

Health Center includes a PHI database (DB) and physicians (PHs). DB is responsible for receiving, storing, and forwarding the PHIs to the corresponding PHs. In SVC, DB is assumed to be honest-but-curious [21][22], in other words, it follows the protocol correctly but attempts to obtain as much secret information in the stored PHIs as possible. All entities in the health center are managed by a TA, which is a trusted server that takes charge of key management.

VANET in SVC consists of two types of vehicles: the leading vehicles (L-vehicles) and the assistant vehicles (A-vehicles). L-vehicles belong to the health center. When the disaster happens, they will be sent into the disaster area to set up the VANET for transmitting the PHIs. A-vehicles are common vehicles (e.g., personal cars) who volunteer to join the VANET to help transmit the PHIs.

To improve the motivation of the A-vehicles for participating in the VANET, some incentive protocols [33], [34] can be adopted in our VANET model, which is however out of the scope of this paper. Since the PHIs are of paramount importance and the VANET is a disaster network [11] whose duty is to transmit the PHIs, it is reasonable to assume that both L-vehicles and A-vehicles have no incentives to impede the system such as launching black hole attack [23]. They are also assumed to be honest-but-curious. In addition, they are allowed to collude with each other, even with the DB in the health center. Note that we consider the extreme situation in disaster area, i.e., there are no road-side units (RSUs) in the VANET and the only communication mode is vehicle-to-vehicle (V2V). This is the fundament of that SVC does not rely on the communications infrastructure.

WBAN is a wireless network which is composed of some body sensors and a gateway (e.g., a smartphone). Body sensors monitor the patient′s health status such as heart rate, blood pressure, and body temperature, and report these information (i.e., the PHI) to the gateway. Then the gateway transmits the PHI to an L-vehicle or an A-vehicle near the house in a privacy-preserving mode. When a patient registers with TA in the health center, she/he will get some devices suitable for her/him, which can be used to deploy a WBAN at home. As there have been many researches concerning the secure communications in WBAN [24][25], we suppose that the gateway can get the PHI securely.

3.2 Security Requirement

In SVC, we aim to solve the following security and privacy problems.

3.2.1 Message Authentication

Message authentication is one of the most important requirements in SVC. The VANET should only transmit the legitimate PHI packets because of its limited computing and storing power, and only these PHI packets are accepted by DB.

3.2.2 Content Privacy

This requirement means that the PHI′s content can only be read by the corresponding physician. In other words, no adversary (including any mid-entity in the transmission process) can reveal the PHI by eavesdropping and analyzing the PHI packet transmitted over the VANET and the health center.

3.2.3 Identity Privacy

The PHI packet should not be linked with the patient′s real identity. That is, from a PHI packet transmitted in SVC, no entity can infer who is ill except the TA. On the other hand, the A-vehicle may prefer to serve as a volunteer anonymously. In this paper, we use pseudonym technique to preserve identity privacy while the side information (SI) attacks [26] are outside the scope of our work.

3.2.4 Context Privacy

Context privacy was first defined by P. Kamat et al. in sensor network [27]. It concerns protecting the context associated with message transmission. In SVC, specially, context privacy means the unlinkability between the source and the destination of a PHI packet. Context privacy is important and meaningful in healthcare system. For instance, if an adversary notices that a PHI packet is sent to a heart disease physician, she/he can deduce that the source of the PHI packet may suffer from heart disease. Interested readers can refer to [7] for a comprehensive probability analysis of context privacy.

In addition, since the VANET in SVC is a special and temporary network, we don′t consider the location privacy of the vehicles in the VANET.

3.3 Threat Model

In this paper, we use the Dolev-Yao threat model [28] that considers both inside and outside attacks. Specially, inside attack can be individually or collusively launched by the mid-entity such as L-vehicles, A-vehicles, and DB. Besides, we should also achieve the security requirements against an external global adversary. We assume the adversary does not compromise any L-vehicle and A-vehicle and the DB, but it has the ability to monitor all the traffic in SVC. Therefore, an external global adversary can log the whole path the PHI packet passed by and attempt to reveal the private content. Besides the eavesdropping, the adversary can also inject bogus packet or modify legitimate packet to disrupt the system performance, moreover, it can collude with the inside entities (i.e., L-vehicles, A-vehicles, and DB). In addition, we do not consider the revocation in this work, which is of independent interest and one can refer to [41] for detailed descriptions.

 

4. The Proposed System: SVC

In this section,we present the SVC system. Before delving into the technical protocol, we first give an overview of the system

4.1 Overview of SVC

SVC is a post-disaster healthcare system for remote healthcare monitoring in disaster area. For starting the system seamlessly as soon as the disaster happens, TA sets up the system before the disaster. When the disaster happens, L-vehicles will move into the disaster area to compose the VANET with A-vehicles. The VANET has a two-level key management model, as shown in Fig. 2. TA is the certificate-based key manager of all L-vehicles while each L-vehicle is a ID-based key manager of a group of A-vehicles. Under this key management model, an A-vehicle can register with any L-vehicle in the disaster area instead of registering with TA in the health center.

Fig. 2.The two-level key management model in SVC

The PHI packets transmission in SVC is composed of 4 processes: 1) From WBAN gateway to L-vehicle or A-vehicle. 2) Over the VANET by V2V communications. 3) From L-vehicle or A-vehicle to DB. 4) From DB to PHs by broadcast. In the 1st process, the PHI is transmitted in a privacy-preserving mode in which the destination of the PHI packet is hidden by the PEKS scheme, i.e., encrypting the PH′s identity as the keyword under her/his public key. Combined with the broadcast in the 4th process, only the PH herself/himself can identify that the PHI packet is sent to her/him (only she/he can test whether the keyword is her/his identity). In addition, we use symmetric encryption to protect content privacy and identity-based signature for message authentication. In the 3rd process, we make the DB verify the A-vehicles (and the L-vehicles) in a batch manner to improve the system efficiency.

We present the technical protocol of SVC in the following, which includes system setup, patients registration, A-vehicles registration, and PHI packets transmission.

4.2 System Setup

To set up the SVC system, TA first generates the system parameter as follows:

1. Given a security parameter k, TA generates a 4-tuple (q, G, GT, e), in which G and GT are two multiplicative cyclic groups of the same prime order q, respectively, and e: G × G → GT is an admissible bilinear map.

2. Pick a random s ∈ as the master-key. Choose a generator g ∈ G, and compute the system public key Ppub = gs.

3. Choose three hash function H1, H2 and H3, where H1 : {0,1}* → G, H2 : GT → , and H3 : {0,1}* × G → , and a secure symmetric encryption algorithm Enc() such as AES [29].

4. Publish the system parameter param = (q, G, GT, e, g, Ppub, H1, H2, H3, Enc()), and keep the master-key s in secret.

Suppose ε is an entity in the health center ( ℇ can be the DB, the L-vehicle, or the PH) with the public and private key pair PKε = gx, SKε = x,x ∈ . To certify the validity of the public key, TA will issue a public-key certificate to ℇ using the BLS scheme [17] as follows:

where IDε is ε’s identity. Thus certε provides a binding between ε’s identity and the public key [30].

4.3 Patients Registration

When the patient registers with TA, TA chooses a random PIDPA ∈ G as her/his pseudonym and computes the private key SKPA = H1(PIDPA)s for her/him. Note that the private key is based on the identity PIDPA (i.e., IBC), the public key is PKPA = H1(PIDPA), and no public-key certificate is needed. Then, the patient selects a PH and gets some suitable sensors based on her/his requirement. Finally, TA sends (PIDPA, SKPA, PKPH) to the patient through a secure channel, where PKPH is the PH′s public key. With the body sensors, the patient can deploy a WBAN at home to monitor her/his health condition and collect the PHI. We point out that in fact TA will choose a set of N pseudonyms and compute the corresponding for the patient so that she/he can update the pseudonym to protect the identity privacy [31].

4.4 Vehicles Registration

As discussed before, at the moment the disaster happens, the L-vehicles move into the disaster area which help information transmition and take the charge of key managmant for A-vehicles...Under the two-level key management model shown in Fig. 2, the A-vehicle does not have to go to the health center for registration, instead it can register with any L-vehicle it encounters in the disaster area in the following way. First, the L-vehicle chooses a random IDAV ∈ G as the A-vehicle′s identity. Then, it computes the private key SKAV = H1(IDAV)x, and sends (IDAV, SKAV, IDLV, PKLV, CertLV) to the A-vehicle through a secure channel (there have been many researches concerning the secure channel in VANET, such as [32]), where x is the L-vehicle′s private key. To protect the identity privacy, the L-vehicle will also choose and compute the corresponding for the A-vehicle. For the system consistency, we make each L-vehicle register with itself so that it can work on the behavior of an A-vehicle in PHI packets transmission.

4.5 PHI Transformation

4.5.1 From WBAN to A-vehicle

After obtainingthe PHI M, a WBAN gateway sends M to an A-vehicle nearby in a privacy-preserving mode. This communication process is executed by the following steps:

1. The A-vehicle broadcasts the beacon message within its range. Specially, it chooses a random number γ ∈ , signs the current timestamp Tbeacon as (X, T), where

Then the A-vehicle broadcasts IDAV║IDLV║PKLV║CertLV║Tbeacon║X║Y as the beacon message, the subscript LV represents the L-vehicle with whom the A-vehicle registered.

2. Upon receiving the beacon message at time , the gateway first checks whether beaconbeacon - Tbeacon ≤ ΔT, where ΔT is the expected time for transmission delay. If it doesn′t hold, the gateway thinks it is a replay attack and abandons it. Then the gateway checks whether

if both Equations 4 and 5 hold, the beacon message is accepted. The correctness and security can refer to [17] and [18], respectively.

3. The WBAN gateway makes the PHI packet as shown in Table 1 and sends it to the A-vehicle. Data is the privacy-preserving PHI data computed by Algorithm 1, in which lines 1 to 3 use Enc() with a session key k to encrypt the PHI M, and lines 4 to 5 use the PEKS scheme to encrypt the target PH′s identity IDPH as the keyword. TPHI is the current timestamp. σPA is the signature in the form of (U, V), where

r ∈ is a random number chosen by the gateway. In this step, for deceasing the time overhead, Data can be pre-computed, i.e., the gateway can compute Data before the A-vehicle coming.

Table 1.Message Format for PHI packet

4. When the A-vehicle receives the PHI packet, it first checks the timestamp TPHI, then it checks whether

the equation (8) holds. If so, the A-vehicle accepts the PHI packet and keeps Data until it is transferred to another A-vehicle or to the DB in health center. Note that from here when we say the PHI packet, we mean Data only.

4.5.2 Over the VANET

When an A-vehicle thinks it cannot carry the PHI packets any more, it will try to forward them to next-hop node of the VANET. We stress that in SVC it is assume that both L-vehicle (whose duty is to transmit the PHI packets) and A-vehicle (who volunteers to join the VANET) will not drop the PHI packets. In other word, they either carry the PHI packets or forward them to another node of the VANET. When the A-vehicle detects a nearby node willing to relay the PHI packets, it forwards them to the node. This communication process is similar to that of beacon message broadcast. In addition, some efficient incentive and routing mechanisms [33] [34] can be adopted in the VANET to improve the transmission efficiency, but they are beyond the scope of this paper.

4.5.3 From A-vehicle to DB

Suppose an A-vehicle with a PHI packet Data (in fact, an A-vehicle may carry more than one PHI packet) reaches the health center, it sends Data to DB in the form of (IDAV║IDLV║PKLV║certLV║Data║T║X′║Y′), where T is the current timestamp, (X′,Y′) is the signature of Data║T that is computed as Equation 2. After checking certLV and verifying (X′,Y′) using the way of Equations 4 and 5, respectively, DB accepts (or rejects) Data by checking the timestamp.

In fact, it is possible that many A-vehicles reach the health center at the same time. In this case, however, it is inefficient to authenticate all the A-vehicles one by one using the above method. To address this problem, we use batch verification to improve the authentication efficiency. Suppose DB receives from n different A-vehicles in a time window, it then batch checks the n public-key certificates and batch verify the n signatures by testing whether

where . If both Equations 9 and 10 hold, all the Datai are accepted. They follow since

where xi is the L-vehicle′s private key SKLVi and is the random number chosen by the A-vehicle. If Equations 9 or 10 does not hold, it means there is at least one bogus packet in the n packets. In this case, DB can identify the bogus packet(s) efficiently using the techniques in [35] or [41]. We will compare the performance between the batch verification and the individual verification comprehensively in Section 6.

4.5.3 From DB to PH

In this process, the DB broadcasts the PHI packets to all the PHs in the health center. Suppose the DB broadcasts m PHI packets Data1,⋯, Datam each time, the communication process is executed by the following steps:

1. DB broadcasts Data1║⋯║Datam║Tbroadcast║σDB, where σDB is the BLS signature of and the current timestamp Tbroadcast.

2. When the PH with identity IDPH receives the PHI packets, she/he first checks the timestamp Tbroadcast and the signature σDB. Then the PH performs Algorithm 2 to recover the PHIs sent to her/him. Line 5 tests whether Datai includes the keyword IDPH. The correctness can refer to [20] and the security will be discussed in the next section.

 

5. Security Analysis

In this section, we analyze how the security and privacy requirements are achieved in SVC system.

5.1 Message Authentication

Message authentication is performed in every communication process in SVC by using secure signature. Take the beacon message IDAV║IDLV║PKLV║certLV║Tbeacon║X║Y in the first process for example, the WBAN gateway first checks certLV after receiving the beacon message. IF and only if Equation 4 holds, the gateway believes the L-vehicle with whom the A-vehicle claimed that it registered is legitimate. Then the gateway verifies the signature (X, Y) using the L-vehicle′s public key, if and only if Equation 5 holds, the beacon message is accepted (i.e., the beacon message come from an legitimate A-vehicle and doesn′t be tampered). This is because both the adopted signature schemes [17] and [18] have been proven to be secure under chosen message attacks under the Computational Diffie-Hellman (CDH) assumption. In addition, each message in our scheme is marked by a timestamp to resist replay attacks.

5.2 Content Privacy

It is ensured by symmetric encryption. As discussed in Algorithm 1, the PHI M is encrypted to C = Enck(M), where k = gyy′ is the session key computed by multiplying a secret random number y′ and the target PH′s public key gy. When the PH receives the PHI packet Data which includes gy′║C, she/he can compute the session key using her/his private key y. However, the adversary neither know the secret random number y′ nor the private key y. Even the adversary eavesdrops gy′ and knows the PH′s public key gy (in fact, we will demonstrate that SVC ensures the adversary does not know which PH the PHI packet is sent to, thus the adversary does not know gy), she/he cannot compute gyy′ in expected time under the Computational Diffie-Hellman (CDH) assumption. Therefore, with secure symmetric encryption Enc() (e.g, AES), the Content Privacy can be protected in SVC.

5.3 Identity Privacy

Each patient in SVC uses N pseudonyms instead of her/his real identity to protect identity privacy. The pseudonyms are chosen by TA randomly, which are independent of the real identities and indistinguishable from each other. The patient updates her/his pseudonym in different PHI packets and the adversary cannot link the pseudonym to her/his real identity. The A-vehicle identity privacy is protected in the same way except that the pseudonyms are chosen by the L-vehicle.

5.4 Context Privacy

As discussed in Section 3, context privacy requires that no adversary can link the source and the destination of the PHI packet. Here, we consider a strong attacker who can collude with the insiders. In SVC, the destination IDPH is hidden in PEKS(PKPH,IDPH) using the PEKS scheme in [20]. Before demonstrating how it achieves context privacy, we first discuss the security of the PEKS scheme.We have to ensure that PEKS(PKPH,IDPH) does not reveal any information about the recipient. In other words, PEKS(PKPH,IDPH) reveals neither PKPH nor IDPH. [20] has proven that the PEKS scheme is semantically secure under chosen keyword attack in the random oracle model under the Bilinear Diffie-Hellman (BDH) assumption (PEKS-IND-CPA security). Thus it does not reveal any information about IDPH, even under the strong attack.

Here we discuss the security of PEKS(PKPH,IDPH) with respect to PKPH. We are going to prove that the PEKS scheme in [20] is an anoymous encryption under chosen keyword attack (we call it PEKS-ANO-CPA). That is, a strong attacker cannot infer the information PKPH.

First, refering to [36], PEKS-ANO-CPA is formallly defined using the following game between a challenger and an attacker A:

The advantage of A in above game is

Definition 3 (PEKS-ANO-CPA). A PEKS scheme is PEKS-ANO-CPA secure if for any polynomial time attacker A the advantage function AdvA(k) is a negligible function.

Intuitively, note that PEKS(PKb,W) = [gr,H2(t)] = [A,B] has two part A = gr and B = H2(t). First, r is chosen uniformly at random from by the challenger, thus for any element . Second, for any element in the random oracle model. Therefore, in both b = 0 and b = 1cases of the game, the challenge ciphertext PEKS(PKb,W) has exactly the same distribution. In fact, we have the following theorem, the formal proof of this theorem can refer to the proof of Lemma 4.3 and Theorem 4.4 in [37].

Theorem 1. The PEKS scheme in [20] is PEKS-ANO-CPA secure under the BDH assumption in the random oracle model.

Based on the above analysis, PEKS(PKPH,IDPH) indeed does not reveal any information about both PKPH and IDPH to a strong attacker. Therefore from the PHI packet transmitted over the VANET and the health center, the attacker cannot infer to any information about the destination. Suppose there are n physicians in the health center, combining with the broadcast technique, every physician has 1/n possibility of being the destination from the attacker's point of view, even through the attacker colludes with the insiders (the L/A-vehicle and the DB does not know any information about the recipient, either). Therefore, the context privacy is achieved in SVC under.

 

6. Performance Evaluation

6.1 Computation Overhead

We choose the Type A pairing of PBC Library [38] and jPBC Library [39] which is implemented on the curve y2 = x3 + x over the field Fp with 512 bits p and the embedding degree is 2 for our system. G is a subgroup of the curve E(Fp) and GT is a subgroup of the field Fq2. Thus the size of the elements in G and GT is 512 + 1 bits (using point compression) and 1024 bits, respectively. The order q of G and GT is 160 bits. We analyze the computation overhead using the benchmarks from PBC and jPBC on the following simulation platforms:

Note that we only count the computation overhead for pairing and exponentiation in G. Other computations such as hashing, addition/multiplication in are negligible compared with the two computations. The measured results on the PC and on the smartphone are given in Table 2 and Table 3, respectively. The preprocessing applies to the pairings with one constant G element and the exponentiations with the constant base.

Table 2.Benchmark of PBC on PC

Table 3.Benchmark of jPBC on smartphone

Table 4 gives the computation cost of each side in a WBAN to A-vehicle process. Specifically, the A-vehicle first broadcasts the beacon message, it needs 2Cpe to compute (X,Y). Then the WBAN gateway costs 3Cjpp + Cjp + Cje to check the beacon message. After that, the gateway runs 2Cjpe to generates σPA in the PHI packet. Note that we do not count the computation overhead of Data because it can be pre-computed before the A-vehicle comes. Finally, the A-vehicle takes 2Cpp + Ce to verify σPA. Thus for the gateway the total computation overhead is 3Cjpp + Cjp + Cje + 2Cjpe = 1.5s and 2Cpe + 2Cpp + Ce = 6.3ms for the A-vehicle in this process.

Table 4.The computation cost in a WBAN to A-vehicle process

In the process from A-vehicle to DB, suppose that DB receives in a time window. For the public-key certificates, if there is no forged one among them, it only needs 2Cpp = 2.2ms for DB to batch verify them. If there are k forged signatures, the computation overhead is (k + 2)log(n/k) + 4k - 2 by using binary authentication algorithm [35]. In contrast, if DB individually verifies certLVi for i = 1 to i = n, the computation overhead is 2nCpp. For the signatures, if all of them were signed by legitimate A-vehicles, the computation overhead for DB to batch verify them is Cpp + nCp + nCe, and if there exist k forged signatures, it is [(k/2 + 1)log(n/k) + 2k - 1]Cpp + nCp + nCe. In contrast, if DB individually verifies them, the computation overhead is nCpp + nCp + nCe. Fig. 3 gives the computation overhead compare between individual verification and batch verification with different k/n of .

Fig. 3.The computation overhead of verifying

In the last process, suppose that the PH with IDPH receives n PHI packets. For each packet, she/he takes one Cpp to test whether this packet is sent to her/him, thus the total computation overhead is nCpp. Given n=1000, then the computation overhead is only 1.1 s.

Base on the above analysis, we conclude that the computation overhead of SVC is very acceptable.

6.1 Storage Overhead

In SVC, both DB and A-vehicles (and L-vehicles) are required to store the PHI packets. DB is a commonly powerful and resource-abundant server so that the storage overhead is not stringent. Therefore we only discuss the storage overhead of A-vehicles. For each A-vehicle, the stored contents consist of the ID, public key, and certificate of the L-vehicle, i.e., (IDLV,PKLV,certLV), a sequence of pseudonyms and private keys issued by the L-vehicle and a number of PHI packets it collected. We assume that both IDLV and IDAVi are 16 bits, Ci is 120 bytes. Then the storage overhead of an A-vehicle approximately equals 130 + 68n + 268m bytes. This value is acceptable for the storage capability of modern vehicle (e.g., the BMW iDrive system is equipped with an on-board computer with 20 GB hard disk).

 

7. Related Works

In recent years, many research works have improved the development of health information transmission of remote healthcare monitoring (RHM) [3-10]. Application of IEEE 802.16/WiMAX-based broadband wireless acess technology for health information transmission (e.g., communication between an ambulance and the health center) was discussed in [3] and the followup work [4] presented a RHM system using heterogeneous wireless networks (WiMAX-based WMAN and WiFi-based WLAN). Both of the works were concerned on broadband allocation, traffic scheduling and network optimization. To improve transmission performance of RHM system, a handoff protocol between WBAN and a fixed access point (AP) was proposed in [6] to address the poor signal reception in AP when patient moves. [5] employed Reed-Solomon coding and point-coordination fucntion (PCF) to reduce the error-prone nature of wireless channel and the unpredictable delay due to the nondeterministic nature of acess to wireless medium. The problems these works researched were important in RHM, however, none of them referred to the security and privacy problems.

In the following, we review the most relevant works that are concerned on the security and privacy problems in RHM. Lin et al. proposed a strong privacy-preserving scheme for eHealth system, named SAGE [7]. The PHIs were transmitted from WBAN to a WiFi access point connected with Internet in the system, and both content privacy and contextual privacy were achieved. In SAGE, each physician and each patient share a static key, and broadcast technique combined with Hash Message Authentication Code (HMAC) was used to protect contextual privacy. HMAC is indeed more efficient than PEKS, however, the static shared keys management is a troublesome task for each physician because of the huge and dynamic number of the keys. Liang et al. presented a new RHM system model in a smart community environment [8], that was, a patient taking a walk in the smart community can use the multi-hop community network composed of smart homes instead of 3G cellular network to transmit his/her PHI so that the high cost of the latter can be economized. The privacy problems they solved in the system were identity privacy and location privacy. The same to the economic motivation, to minimize the overall health care cost in rural area, Barua et al. proposed a delay-tolerant secure long-term health care system, RCare, in which VANET was used to transmit the PHIs from Rural Access Points (RAPs) to Road-Side Units (RSUs) in the city [9]. RCare's primary concerns were on the communication in the WBAN and the incentive for the VANET. A secure communication protocol between the WBAN gateway and the sensors and a privacy-preserved incentive scheme for the VANET were presented in this work.

To improve the computation efficiency, Lin et al. presented CAM, a cloud-assisted privacy-preserving mobile health monitoring system [10]. In this system, both the clients' monitored data (PHIs) and the service providers' monitoring programs were placed in cloud so that the most cumbersome computation can be performed by the powerful cloud. In addition to the clients' privacy, the intellectual property of monitoring service providers, i.e. the monitoring programs, were also protected in this work.

The works above presented four different environments of RHM, a normal one in [7], smart community in [8], rural area with VANET in [9], and a cloud solution in [10]. However, as discussed in Section 1, none of these works are suitable for the disaster area because of the unpredictable network connectivity in the disaster. Note that even though [9] used VANET to transmit PHIs, the system application environment, the system model, and the security and privacy concerns are all different from SVC such that it can not be adopted in disaster area directly.

In the technical view, the batch verification in VANET was first used in [40]. In this paper, we use the similar technique to improve the efficiency at the PH’s end.

 

8. Conclusion

In this paper, we present SVC, an RHM system working in a disaster area. Instead of using the traditional communication networks, the emerging VANET is employed to assist the PHIs transmission to eliminate the damage to communication infrastructure caused by the disaster. A two-level key management model is designed to manage the trust of vehicles, and under which the security of each communication process is ensured. In addition, the strong context privacy is achieved in our scheme, that is, any attacker can't link the destination and the source of a PHI packet.

References

  1. Telehealth to reach 1.8 million patients by 2017. Article (CrossRef Link).
  2. A. Tesanovic, G. Manev, M. Pechenizkiy and E. Vasilyeva, "Ehealth personalization in the next generation rpm systems," in Proc. of 22nd IEEE International Symposium on Computer-Based Medical Systems, pp. 1-8, 2009. Article (CrossRef Link).
  3. D. Niyato, E. Hossain and J. Diamond, “IEEE 802.16/wimax-based broadband wireless access and its application for telemedicine/e-health services,” IEEE Wireless Communications Magazine, vol. 14, no. 1, pp. 72-83, 2007. Article (CrossRef Link). https://doi.org/10.1109/MWC.2007.314553
  4. D. Niyato, E. Hossain and S. Camorlinga, “Remote patient monitoring service using heterogeneous wireless access networks: architecture and optimization,” IEEE Journal on Selected Areas in Communications, vol. 27, no. 4, pp. 412-423, 2009. Article (CrossRef Link). https://doi.org/10.1109/JSAC.2009.090506
  5. K. Kang, K. J. Park, J. J. Song and C. H. Yoon, L. Sha, “A medical-grade wireless architecture for remote electrocardiography,” IEEE Transactions on Information Technology in Biomedicine, vol. 15, no. 2, pp. 260-267, 2011. Article (CrossRef Link). https://doi.org/10.1109/TITB.2011.2104365
  6. S. Gonzalez-Valenzuela, M. Chen and V. C. Leung, “Mobility support for health monitoring t home using wearable sensors,” IEEE Transactions on Information Technology in Biomedicine, vol. 15, no. 4, pp. 539-549, 2011. Article (CrossRef Link). https://doi.org/10.1109/TITB.2010.2104326
  7. X. Lin, R. Lu, X. Shen, Y. Nemoto and N. Kato, “Sage: a strong privacy-preserving scheme against global eavesdropping for ehealth systems,” IEEE Journal on Selected Areas in Communications, vol. 27, no. 4, pp.365-378, 2009. Article (CrossRef Link). https://doi.org/10.1109/JSAC.2009.090502
  8. X. Liang, X. Li, R. Lu, X. Lin, and X. Shen, "Enabling pervasive healthcare with privacy preservation in smart community," in Proc. of IEEE International Conference on Communications, pp. 3451-3455, 2012. Article (CrossRef Link).
  9. M. Barua, X. Liang, R. Lu and X. Shen, “Rcare: extending secure health care to rural area using VANETs,” Mobile Networks and Applications, vol. 19, no. 3, pp. 318-330, 2014. Article (CrossRef Link). https://doi.org/10.1007/s11036-013-0446-y
  10. H. Lin, J. Shao, C. Zhang and Y. Fang, “Cam: cloud-assisted privacy preserving mobile health monitoring,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 6, pp. 985-997, 2013. Article (CrossRef Link). https://doi.org/10.1109/TIFS.2013.2255593
  11. J. Sun, X. Zhu, C. Zhang and Y. Fang, “RescueMe: location-based secure and dependable VANETs for disaster rescue,” IEEE Journal on Selected Areas in Communications, vol. 29, no. 3, pp. 659-669, 2011. Article (CrossRef Link). https://doi.org/10.1109/JSAC.2011.110314
  12. Ponemon Institute LLC, American's opinions about healthcare privacy, 2010. Article (CrossRef Link).
  13. A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in cryptology, pp. 47-53, 1985. Article (CrossRef Link).
  14. D. Boneh, M. Franklin, "Identity-based encryption from the weil pairing," Advances in Cryptology—CRYPTO 2001, pp. 213-229, 2001. Article (CrossRef Link).
  15. A. Joux, "The weil and tate pairings as building blocks for public key cryptosystems," in Proc. of Algorithmic Number Theory, pp. 20-32, 2002. Article (CrossRef Link).
  16. A. Fiat, "Batch RSA," Advances in Cryptology—CRYPTO 89, pp. 175-185, 1990. Article (CrossRef Link).
  17. D. Boneh, B. Lynn and H. Shacham, "Short signatures from weil pairing," Advances in Cryptology—ASIACRYPT 2001, pp. 514-532, 2001. Article (CrossRef Link).
  18. J. C. Cha and J. H. Cheon, "An identity-based signature from gap diffie-hellman groups," in Proc. of Public key cryptography (PKC), pp. 18-30, 2003. Article (CrossRef Link).
  19. A. L. Ferrara, M. Green, S. Hohenberger and M. Ø. Pedersen, "Practical short signature batch verification," Topics in Cryptology—CT-RSA 2009, pp. 309-324, 2009. Article (CrossRef Link).
  20. D. Boneh, G. Di Crescenzo, R. Ostrovsky and G. Persiano, "Public key encryption with keyword search," Advances in Cryptology—EUROCRYPT 2004, pp. 506-522, 2004. Article (CrossRef Link).
  21. J. Sun, X. Zhu, C. Zhang and Y. Fang, "HCPP: cryptography based secure EHR system for patient privacy and emergency healthcare," in Proc. of 31st International Conference on Distributed Computing Systems, pp. 373-382, 2011. Article (CrossRef Link).
  22. M. Li, S. Yu, Y. Zheng, K. Ren and W. Lou, “Scalable and secure sharing of personal healh records in cloud computing using attribute-based encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 131-143, 2013. Article (CrossRef Link). https://doi.org/10.1109/TPDS.2012.97
  23. H. Deng, W. Li and D. P. Agrawal, “Routing security in wireless ad hos networks,” IEEE Communications Magazine, vol. 40, no. 10, pp. 70-75, 2002. Article (CrossRef Link). https://doi.org/10.1109/MCOM.2002.1039859
  24. M. Li, S. Yu, J. D. Guttman and W. Lou, K. Ren, “Secure ad hoc trust initialization and key management in wireless body area networks,” ACM Transactions on Sensor Networks, vol. 9, no. 2, 2013. Article (CrossRef Link). https://doi.org/10.1145/2422966.2422975
  25. X. Liang, X. Li, Q. Shen, R. Lu, X. Lin, X. Shen and W. Zhuang, "Exploiting prediction to enable secure and reliable routing in wireless body area networks," in Proc. of IEEE INFOCOM, pp. 388-396, 2012. Article (CrossRef Link).
  26. R. A. Popa, A. J. Blumberg, H. Balakrishnan and F. H. Li, "Privacy and accountability for location-based aggregate statistics," in Proc. of 18th ACM Conference on Computer and Communications Security, pp. 653-666, 2011. Article (CrossRef Link).
  27. P. Kamat, Y. Zhang, W. Trappe and C. Ozturk, "Enhancing source-location privacy in sensor network routing," in Proc. of 25th IEEE International Conference on Distributed Computing Systems, pp. 599-608, 2005. Article (CrossRef Link).
  28. D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198-208, 1983. Article (CrossRef Link). https://doi.org/10.1109/TIT.1983.1056650
  29. J. Daemen and V. Rijmen, “The design of Rijndael: AES – the advanced encryption standard,” Springer, 2002. Article (CrossRef Link).
  30. W. Mao, “Modern cryptography: theory and practice,” Prentice Hall PTR, 2003. Article (CrossRef Link).
  31. Z. Zhu and G. Cao, “Toward privacy preserving and collusion resistance in a location proof updating system,” IEEE Transactions on Mobile Computing, vol. 12, no. 1, pp. 51-64, 2013. Article (CrossRef Link). https://doi.org/10.1109/TMC.2011.237
  32. R. Lu, X. Lin, X. Shen, "Spring: a social-based privacy-preserving packet forwarding protocol for vehicular delay tolerant networks," in Proc. of IEEE INFOCOM, pp. 1-9, 2010. Article (CrossRef Link).
  33. R. Lu, X. Lin, H. Zhu, X. Shen and B. Preiss, “Pi: a practical incentive protocol for delay tolerant networks,” IEEE Transactions on Wireless Communications, vol. 9, no. 4, pp. 1483-1493, 2010. Article (CrossRef Link). https://doi.org/10.1109/TWC.2010.04.090557
  34. U. Shevade, H. H. Song, L. Qiu and Y. Zhang, "Incentive-aware routing in DTNs," IEEE International Conference on Network Protocols, pp. 238-247, 2008. Article (CrossRef Link).
  35. Y. Jiang, M. Shi, X. Shen and C. Lin, “Bat: a robust signature scheme for vehicular networks using binary authentication tree,” IEEE Transactions on Wireless Communications, vol. 8, no. 4, pp. 1974-1983, 2009. Article (CrossRef Link). https://doi.org/10.1109/T-WC.2008.080280
  36. M. Bellare, A. Boldyreva, A. Desai and D. Pointcheval, "Key-privacy in public-key encryption," Advances in Cryptology—ASIACRYPT 2001, pp. 566-582, 2001. Article (CrossRef Link).
  37. M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi, "Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extension," Advances in Cryptology-CRYPTO 2005, pp. 205-222, 2005. Article (CrossRef Link).
  38. The pairing based cryptography library (PBC). Article (CrossRef Link).
  39. The java pairing based cryptography library (jPBC). Article (CrossRef Link).
  40. C. Zhang, R. Lu, X. Lin, P.H. Ho and X. Shen, "An efficient identity-based batch verification scheme for vehicular sensor networks," in Proc. of IEEE INFOCOM, 2008. Article (CrossRef Link).
  41. C. Zhang, P.H. Ho and J. Tapolcai, "On batch verification with group testing for vehicular communications," Wireless Networks, vol. 17, no. 8, pp. 1851-1865, 2011. Article (CrossRef Link). https://doi.org/10.1007/s11276-011-0383-2
  42. X. Lin, R. Lu, C. Zhang, H. Zhu, P. Ho and X. Shen, "Security in vehicular ad hoc networks," IEEE Communications Magazine, vol. 46, no. 4, pp. 88-95, 2008. Article (CrossRef Link). https://doi.org/10.1109/MCOM.2008.4481346

Cited by

  1. A Simulation Tool for Evaluating Video Streaming Architectures in Vehicular Network Scenarios vol.9, pp.11, 2016, https://doi.org/10.3390/electronics9111970