Designing a secure anonymous group-oriented key agreement protocol for the internet of medical things
摘要
Telemonitoring in the Internet of Medical Things (IoMT) requires secure and efficient authentication and key agreement protocols to ensure timely access to sensitive resources–such as patients’ medical records–by authorized groups of physicians. Recently, Chen and Lee proposed an anonymous, group-oriented, time-bound key agreement protocol based on extended chaotic maps, claiming to achieve a high level of security. In this article, we are the first, to the best of our knowledge, to rigorously examine the actual security of this scheme by revealing critical vulnerabilities affecting seven of the eight stated security objectives in its design. Specifically, we demonstrate that the protocol is susceptible to replay, traceability, information disclosure, and impersonation attacks. As a consequence of the impersonation attack, when group members attempt to access a legitimate service provider, an adversary can successfully redirect them to a counterfeit one. Such an attack could have serious implications for patient care, as physicians might receive incorrect medical records purportedly associated with their patients. We implemented the Chen–Lee’s protocol on a Raspberry Pi–based testbed and demonstrated several practical attacks, confirming its weaknesses in real-world scenarios. To mitigate these vulnerabilities, we propose modifications that address the identified flaws while preserving the overall structure of the original protocol. The communications and computation overhead of the proposed protocol is approximately 4% higher than that of the Chen–Lee protocol.