1. Introduction

The fifth generation (5G) network provides fast speeds, high data rates, very low latency, and reliable connections for intelligent devices, sensors, and actuators, as well as the ability to communicate through a single device, such as a smartphone. When 5G technology matures, it will provide 100 Gbps coverage, 10 GB/s peak data rates, and more than 100 billion smart device connections to the entire Internet of Things [1]. The high capacity and speed of the 5G network will provide many opportunities for the IoT environment. The Tactile Internet (TI) represents a future development goal with respect to the Internet of Things (IoT), including human–machine interaction and machine–machine interaction, which will enable real-time collaboration and innovative applications in the industrial, social, and commercial fields of the Internet [2,3].

The Tactile Internet will use 5G URLLC (ultra-reliable and low-latency communication) functionality to provide users with ultra-fast Internet so that haptic interaction can be realized through visual feedback [3]. This visual feedback relates to audio–visual interaction, real-time control of robotic systems and actuators, and real-time control of the human body and the environment around it. With the increasing availability of high-speed Internet connections, such low-latency functions will lead to enhanced human–machine (tactile) interactions that can be transmitted to the other end of the world in real time [1,3,4]. However, such messages may face security or performance risks once they are transmitted. Therefore, any unauthorized access may lead to an unplanned or unexpected surgery, which could lead to adverse consequences or even death.

The open nature of Tactile Internet connections makes them vulnerable to a variety of security attacks, including replay, denial of service, man-in-the-middle, differential privacy, error data injection, impersonation, and modification attacks, as well as malicious software attacks, requiring secure Tactile Internet access. The remote surgery application establishes a secure user authentication protocol, which allows authorized and registered surgeons to authenticate each other and to generate a shared secure session key for secure and reliable communications with others.

1.1. The Model of a Tactile Internet Remote Surgery Application

Figure 1 illustrates a simple model of a Tactile Internet remote surgery application. A hospital operating room includes robotic arms with tactile sensors and actuators; gateways, such as access points (APs); and patients to be operated on. A remote surgeon controls the robotic arm using instructions provided by a mobile device (or multiple mobile devices) and receives the results of the operation on the screen. All devices must be registered with a trusted institution (TA).

1.2. Related Works

The Tactile Internet can allow doctors to perform accurate, remote surgery more urgently than ever before. The transmission of the data would require the surgical manipulator to move the scalpel with a delay of less than 1 ms to allow the scalpel to move in the correct direction. To obtain the real-time status of the patient, high-resolution organ images and medical equipment data must also be sent back to doctors within 1 ms. Recently, many authenticated key agreement approaches have been developed for remote medical systems. For example, in 2018, Amin et al. [5] proposed a robust and anonymous patient monitoring system based on wireless medical sensor networks to provide secure access to patient data in WMSN environments. In the same year, Wu et al. [6] developed a lightweight and robust authentication scheme for personalized healthcare systems using wireless medical sensor networks and demonstrated that their scheme meets common security requirements and prevents attackers from tracking users. Using wireless medical sensor networks, Chandrakar [7] presented a secure remote user authentication protocol for healthcare monitoring that provides privacy, data security, and user authentication to access real-time health information over an insecure channel. Kaur et al. [8] presented a protocol in 2020 that provides the surgeon, robotic arm, and trusted authority (TA) with secure communications, leveraging the advantages of elliptic curve cryptography (ECC) and biometrics. In 2020, Nykvist et al. [9] developed and implemented a lightweight, portable IDS over wireless networks and evaluated throughput, power consumption, and response time. In 2021, Bolton et al. [10] discussed and considered potential data security and privacy issues that may arise when large amounts of data are processed and stored in the cloud. Additional research on the use of the Tactile Internet in remote surgery [8,11,12] provides important background information about the use of the Tactile Internet in remote surgery. For example, Wazid et al. [12] presented a generalized authentication model that can be used to perform authentication among communicating parties to ensure secure remote surgery in the TI environment. In 2021, Kamil et al. [11] proposed an authentication and key agreement (AKA) scheme for a Tactile Internet remote surgery application using lightweight cryptographic operations, such as the one-way hash function and bitwise exclusive OR (XOR), making the scheme ultra-lightweight and suitable for the Tactile Internet environment. However, the proposed scheme directly encrypts communication messages with the constant secret keys of the remote surgeon and the long-life secret key of the robotic arm, directly storing secret keys of the robotic arm in the gateway database; therefore, the scheme cannot resist robotic arm compromise attacks and stolen verifier attacks. Additionally, the scheme proposed by Kamil et al. misuses exclusive OR operations, preventing its correct execution.

1.3. Our Motivation

Many AKA schemes have been recently developed for a Tactile Internet for remote surgery. However, most of these schemes are subject to limitations in terms of security and efficiency. Performance improvement and security considerations are two major factors associated with the Tactile Internet because inappropriate and insecure authentication key agreements for the Tactile Internet may cause misjudgment and improper operation by medical staff, endangering the life of patients.

1.4. Our Contributions

In this investigation, we discuss the limitations of the scheme proposed by Kamil et al., including the failure to resist potential attacks and incorrect execution. In order to overcome these limitations, we investigation develop an enhanced authenticated key agreement scheme based on the scheme proposed by Kamil et al. for the Tactile Internet environment. The enhanced scheme adopts a one-time key to protect communication messages such that the adversary cannot derive valuable information from previous messages and protects secret keys of robotic arms with a secret gateway key. Thus, the enhanced scheme requires more computations and response time than the protocol proposed by Kamil et al. However, the enhanced scheme solves the previous limitations, provides improved functionality, and retains a low computational cost. The contributions of this study are summarized as follows.

1. In this investigation, we develop an efficient and secure authenticated key agreement scheme based on the scheme proposed by Kamil et al. for the Tactile Internet environment.

2. The enhanced scheme adopts a one-time key to protect communication messages and stores the secret keys of robotic arms, which are encrypted the secret gateway key, in the gateway database to overcome the limitations of the previous scheme.

3. Burrows–Abadi–Needham (BAN) logic provides mutual authentication and session key security through its authentication proof. The heuristic security analyses of the enhanced scheme are presented to verify other security requirements.

4. Compared with related schemes, the enhanced scheme avoids the limitations of pervious schemes, providing improved security properties and retaining low computational cost.

1.5. Organization of Paper

The rest of the paper is organized as follows. In Section 2, we introduce the scheme proposed by Kamil et al. and discuss its weaknesses. In Section 3, we introduce an enhanced authenticated key agreement scheme for the Tactile Internet environment. In Section 4, we analyze the security and performance of the enhanced scheme. Finally, in Section 5, we present our conclusions.

2. Preliminary

In this section, we review the authentication and key agreement scheme proposed by Kamil et al. and discuss its limitations. The notations used in this paper are elaborated in Table 1.

2.1. Review of the Scheme of Kamil et al.

In 2020, Kamil et al. [11] proposed an authentication and key agreement scheme using the Tactile Internet for remote surgery. Prior to the announcement, they discussed Tactile Internet technology in remote surgery, the potential of network architecture for the Internet of Thing (IoT), and the security issues of Tactile Internet technology in remote surgery.

The scheme proposed by Kamil et al. comprises four entities: a trusted authority (TA), remote surgeons, gateways, and robotic arms. Gateways act as system administrators and serve as central authentication points. Without BS, other entities would never be able to trust each other in the authentication and key agreement scheme. Kamil et al.’s scheme consists of the following phases: registration of the gateway and robotic arm, registration of the user, the authentication and key agreement phase, the password update phase, the addition of the dynamic robotic arm, and the revocation phase.

Notations.

2.1.1. Gateway and Robotic Arm Registration Phase

Before placing the gateway and robot (or robotic arm) in the hospital operating room, they must register with the TA. These devices are generated and preloaded with secrets. The registration process is performed by the TA through the following steps.

Step 1: $TA\Rightarrow G_i: M_1=\left(RI{D}_i,D_i,RI{D}_j,D_j\right)$.

The trust authority (TA) first chooses a unique identity ($RI{D}_{TA}$) and a one-way hash function operation ($h:{\{0,1\}}^{\ast }\to Z_q^{\ast }$) for itself. Next, the TA chooses $RI{D}_i$ and $RI{D}_j$ as the identities of the gateway ($G_i$) and a robotic arm ($R{M}_j$), respectively, picks a secret ($s\in Z_q^{\ast }$), and computes $D_i=h\left(s,RI{D}_{TA},RI{D}_i\right)$ and $D_j=h\left(s,RI{D}_{TA},RI{D}_j\right)$. Finally, the TA stores $\left(RI{D}_i,D_i,RI{D}_j,D_j\right)$ and sends $M_1$ to $G_i$ through a secure channel.

Step 2: $G_i\Rightarrow R{M}_j: M_2=\left(RI{D}_j,D_j\right)$.

After gateway $G_i$ receives $M_2$, $G_i$ stores $\left(RI{D}_i,D_i,RI{D}_j,D_j\right)$ and sends $M_2$ to $R{M}_j$.

2.1.2. User Registration Phase

In this stage, when the remote surgeon wants to use the robotic arm for remote surgery, they first need to register with the TA. The process is as follows.

Step 1: $S_k\Rightarrow TA: M_3=\left(D_k,HP{W}_k\right)$.

The remote surgeon ($S_k$) first picks an identity ($RI{D}_k$), a password ($P{W}_k$), and a random nonce ($B_k$) and computes $D_k=h\left(RI{D}_k,B_k\right)$ and $HP{W}_k=h\left(P{W}_k,B_k\right)$. Next, $S_k$ sends $M_3$ to the TA using a secure channel.

Step 2: $TA\Rightarrow S_k: M_4=\left(\alpha ,\beta ,h(.)\right)$.

When the TA receives $M_3$, the TA at first picks a random $C$ and then computes $\alpha =h\left(C,D_i\right)\oplus h\left(D_k,HP{W}_k\right)$ and $\beta =C\oplus h\left(RI{D}_i,D_i\right)$. After the TA stores $\left(\alpha ,\beta ,h(.)\right)$ into the memory of a mobile device, the TA sends the mobile device to the surgeon through a secure channel.

Step 3: Store $\left(A_1,A_2,h(.)\right)$ in smart card.

When $S_k$ receives the mobile device, $S_k$ uses a smart card to compute $A_1=h\left(P{W}_k,RI{D}_k\right)\oplus B_k$ and $A_2=h\left(B_k,HP{W}_k,D_k\right)$. Next, $S_k$ stores $A_1$ and $A_2$ in the smart card.

2.1.3. User Login Phase

First, $S_k$ must input his/her identity or password into the mobile device in order to access the service of robotic arms for remote surgery. Upon successful verification, the mobile device sends a login request message to the gateway ($G_i$). The login process is as follows.

$S_k$ first inputs his identity ($RI{D}_k$) and password ($P{W}_k$) and computes $B_k=A_1\oplus h\left(P{W}_k,RI{D}_k\right)$, $D_k=h\left(RI{D}_k,B_k\right)$, $HP{W}_k=h\left(P{W}_k,B_k\right)$, and $A_2^{\ast }=h\left(B_k,HP{W}_k,D_k\right)$ to verify $A_2$. The mobile device checks whether $A_2^{\ast }$ is the same as the $A_2$. If so, the identity and password of the surgeon are verified by the smart card. Otherwise, the session is aborted.

2.1.4. Authentication and Key Agreement Phase

In this phase, in order to perform remote surgery in an emergency, the remote surgeon needs to use the robotic arm to perform remote surgery on the patient through the authorization of the gateway device. The mutual authentication and key agreement process of the scheme proposed by Kamil et al. is described as follows.

Step 1: $S_k\to G_i: M_1=(A_4,A_5,A_6,T{S}_1)$.

The mobile device of the remote surgeon ($S_k$) first picks a random nonce ($R_k$) and a timestamp ($T{S}_1$) and computes $A_3=\alpha \oplus h\left(D_k,HP{W}_k\right)$, $A_4=\beta \oplus T{S}_1$, $A_5=h\left(R_k,A_3,T{S}_1\right)$, and $A_6=(R_k\Vert A_5)\oplus A_3$. Next, the remote surgeon sends a login request message ($M_1$) to $G_i$.

Step 2: $G_i\to R{M}_j:M_2=\left(A_7,A_8,A_9\right)$.

After $G_i$ receives the authentication request message ($M_1$), $G_i$ computes $C^{\ast }=A_4\oplus h\left(RI{D}_i,D_i\right)\oplus T{S}_1$ using the identity of gateway $RI{D}_i$ and $D_i$ ($A_3^{\ast }=h\left(C^{\ast },D_i\right)$) and computes $R_k^{\ast } \Vert A_5=A_6\oplus A_3^{\ast }$ to obtain the random number ($R_k^{\ast }$) of the remote surgeon. Then, $G_i$ checks the freshness of the message by verifying whether $T{R}_1-T{S}_1\le \mathsf{\Delta }T$, where $T{R}_1$ is the time at which the message is received, $T{S}_1$ is the time at which it was sent, and $\mathsf{\Delta }T$ is the transmission delay. If the timestamp is legal, $G_i$ computes $A_5^{\ast }=h\left(R_k^{\ast },A_3^{\ast },T{S}_1\right)$ to verify whether the $A_5^{\ast }$ is the same as $A_5$. If the verification is successful, the surgeon ($S_k$) is authenticated by $G_i$. Then, $G_i$ chooses a random nonce ($R_i$) and a timestamp ($T{S}_2$) and computes $A_7=C^{\ast }\oplus h\left(RI{D}_j,D_j,R_i,R_k^{\ast },T{S}_2\right)$,$A_8=D_j\oplus \left(R_i || R_k^{\ast } ||T{S}_2\right)$, and $A_9=h\left(RI{D}_j,D_j,C^{\ast },R_i,T{S}_2\right)$. Finally, $G_i$ sends $M_2$ to the robotic arm ($R{M}_j$).

Step 3: $R{M}_j\to G_i: M_3=\left(A_{10},A_{11}\right)$.

Upon receiving the tuple $\left(A_7,A_8,A_9\right)$, $R{M}_j$ computes $R_i^{\ast } || R_k^{\ast \ast } ||T{S}_2=A_8\oplus D_j$ to obtain the random numbers $R_i^{\ast }$ and $R_k^{\ast \ast }$, where $R_i^{\ast }$ belongs to the gateway and $R_k^{\ast \ast }$ belongs to the remote surgeon, and checks the freshness of the message by verifying whether $T{R}_2-T{S}_2\le \mathsf{\Delta }T$, where $T{R}_2$, $T{S}_2$, and $\mathsf{\Delta }T$ are the time at which the message was sent, the arrival time of the message, and the transmission delay, respectively. If the freshness of timestamp is verified, $R{M}_j$ computes $C^{\ast \ast }=A_7\oplus h\left(RI{D}_j,D_j,R_i^{\ast },R_k^{\ast \ast },T{S}_2\right)$ and $A_9^{\ast }=h\left(RI{D}_j,D_j,C^{\ast \ast },R_i^{\ast },T{S}_2\right)$. Finally, $R{M}_j$ verifies whether $A_9^{\ast }$ is the same as $A_9$. If verification is successful, the gateway is authenticated by $R{M}_j$. Next, $R{M}_j$ chooses a random number ($R_j$) and a timestamp ($T{S}_3$) and computes the session key $K_1=h\left(R_i^{\ast },R_k^{\ast \ast },R_j\right)$, $A_{10}=h\left(R_i^{\ast },R_j,K_1,RI{D}_j,D_j,T{S}_3\right)$, and $A_{11}=R_i^{\ast }\oplus (R_j \Vert T{S}_3)$. Finally, $R{M}_j$ sends $M_3$ to $G_i$ through a public channel.

Step 4: $G_i\to S_k: M_4=\left(A_8,A_{12},A_{13}\right)$.

When $G_i$ receives $M_3$, $G_i$ computes $R_j^{\ast } \Vert T{S}_3=A_{11}\oplus R_i$ to obtain the random number of $R{M}_j$, using the random number of $G_i$ and timestamp $T{S}_3$, and checks the freshness of the message by verifying whether $T{R}_3-T{S}_3\le \mathsf{\Delta }T$, where $T{R}_3$, $T{S}_3$, and $\mathsf{\Delta }T$ are the time at which the message was sent, the arrival time of the message, and the transmission delay, respectively. If the freshness of the timestamp is legal, $G_i$ computes the session key $K_2=h(R_i,R_k^{\ast },R_j^{\ast })$ and $A_{10}^{\ast }=h(R_i,R_j^{\ast },K_2,RI{D}_j,D_j,T{S}_3)$. $G_i$ checks whether $A_{10}^{\ast }$ is the same as $A_{10}$. If so, the robotic arm ($R{M}_j$) is authenticated by $G_i$. Next, $G_i$ computes $A_{12}=h(K_2,R_i,R_j^{\ast },A_8,T{S}_4)$ and $A_{13}=(R_i||R_j^{\ast }||T{S}_4)\oplus R_k^{\ast }$ and sends $M_4$ to $S_k$, where $T{S}_4$ is the timestamp.

Step 5: Verification of the remote surgeon.

When $S_k$ receives $M_4$, $S_k$ first computes $R_i^{\ast } || R_j^{\ast \ast } || T{S}_4=A_{13}\oplus R_k$ using the random number ($R_k$) and then checks the freshness of the message by verifying whether $T{R}_4-T{S}_4\le \mathsf{\Delta }T$, where $T{R}_4$, $T{S}_4$, and $\Delta T$ are the time at which the message was sent, the arrival time of the message, and the transmission delay, respectively. If the timestamp is fresh, $S_k$ computes the session key $K_3=h(R_i^{\ast },R_j^{\ast \ast },R_k)$ and $A_{12}^{\ast }=h(K_3,R_i^{\ast },R_j^{\ast \ast },A_8,T{S}_4)$ to verify $A_{12}$. If the verification is successful, $G_i$ and $R{M}_j$ are authenticated by $S_k$.

The mutual authentication of the remote surgeon and the robotic arm requires the assistance of the gateway for remote authentication. Additionally, secure communication during remote surgery is achieved with the secret session key, $K=K_1=K_2=K_3$.

2.1.5. Password Updating Phase

In this phase, when the remote surgeon thinks that his password has been leaked, for security reasons, he can change his password at any time. The password renewal phase is as follows.

The remote surgeon ($S_k$) inputs his original password ($P{W}_k^{\ast }$) and identity ($RI{D}_k^{\ast }$) into the mobile device, and the mobile device computes $B_k^{\ast }=A_1\oplus h\left(P{W}_k^{\ast },RI{D}_k^{\ast }\right)$, $HP{W}_k^{\ast }=h\left(P{W}_k^{\ast },B_k^{\ast }\right)$, $D_k^{\ast }=h\left(RI{D}_k^{\ast },B_k^{\ast }\right)$, and $A_2^{\ast \ast }=h\left(B_k^{\ast },HP{W}_k^{\ast },D_k^{\ast }\right)$ to check whether $A_2^{\ast \ast }$ is the same as $A_2$. If the verification is successful, the password and identity of the surgeon are verified. Next, the card reader prompts $S_k$ to input a new password ($P{W}_k^{new}$) and a nonce ($B_k^{new}$). Then, it computes $HP{W}_k^{new}=h\left(P{W}_k^{new},B_k^{new}\right)$, $D_k^{new}=h\left(RI{D}_k,B_k^{new}\right)$, $A_1^{new}=h\left(P{W}_k^{new},RI{D}_k\right)\oplus B_k^{new}$, $A_2^{new}=h\left(B_k^{new},HP{W}_k^{new},D_k^{new}\right)$, and ${\alpha }^{new}=\alpha \oplus h\left(D_k^{\ast },HP{W}_k^{\ast }\right)\oplus h\left(D_k^{new},HP{W}_k^{new}\right)$. Finally, the mobile device replaces $\alpha$, $A_1$, and $A_2$, with ${\alpha }^{new}$, $A_1^{new}$, and $A_2^{new}$, respectively.

2.1.6. Dynamic Robotic Arm Addition Phase

After placing these robotic arms in the operation room, additional robots may be required for improved service delivery. The following steps are required.

The TA first chooses a new identity ($RI{D}_j^{+}$) and computes $D_j^{+}=h(s,RI{D}_{TA},RI{D}_j^{+})$. The TA stores $(RI{D}_j^{+}, D_j^{+})$ in the memory of the new robotic arm and sends the tuple to the gateway ($G_i$) through a secure channel. When $G_i$ receives the tuple $(RI{D}_j^{+}, D_j^{+})$, $G_i$ stores it in its repository.

2.1.7. Revocation Phase

When the remote surgeon’s mobile device is stolen by an attacker, the attacker can reuse the data from the mobile device, thus impersonating the legitimate doctor. The same method is applied to the robot arm; the attacker can analyze the sensitive information in the robotic arm and compute the session key to execute an attack. In addition, attackers can swap out a robotic arm with a cloned robotic arm, which can lead to life-threatening conditions in patients who require medical attention. The proposed scheme involves two revocation processes: revocation of compromised mobile devices and revocation of compromised robotic arms.

1. Revocation of Smart Card: Steps can be taken to prevent compromised mobile devices from gaining access to the network. The TA first chooses a new identity ($RI{D}_i^{new}$) and computes $D_i^{new}=h(s,RI{D}_{TA},RI{D}_i^{new})$. Next, the TA sends the tuple $\left(RI{D}_i^{new},D_i^{new}\right)$ to $G_i$. When $G_i$ receives $\left(RI{D}_i^{new},D_i^{new}\right)$, $G_i$ replaces $\left(RI{D}_i,D_i\right)$ with $\left(RI{D}_i^{new},D_i^{new}\right)$ and stores it in its database.

2. Revocation of Robotic Arm: Suppose $RI{D}_j$ is the identity of the malicious or compromised robot. In order to prevent the malicious or damaged robotic arm from being verified by the remote surgeon and accessing the network, the following steps are performed in order to log off the manipulator. The TA computes $\Pi =\left(RI{D}_j || D_j)\oplus h(RI{D}_i,D_i\right)$ and sends $\left(\Pi ,r{\mathrm{ev}}_{req}\right)$ to $G_i$, where $r{\mathrm{ev}}_{req}$ is the revocation request. When $G_i$ receives the tuple $\left(\Pi ,r{\mathrm{ev}}_{req}\right)$, $G_i$ computes $RI{D}_j \Vert D_j=\Pi \oplus h(RI{D}_i,D_i)$. Finally, $G_i$ deletes the tuple $(RI{D}_i,D_i)$ from its database.

2.2. Limitations of the Authenticated Key Agreement Proposed by Kamil et al.

The authenticated key agreement scheme proposed by Kamil et al. directly encrypts communication messages between the gateway and the remote surgeon with the constant secret keys of the remote surgeon and directly encrypts communication messages between the gateway and the robot arm with the long-life secret key of the robotic arm so that an attacker who has captured a robotic arm can derive secret keys of the remote surgeon from previous messages and successfully impersonate the remote surgeon and the robotic arm. The attacker can successfully compute session keys from previous messages to decrypt communication messages between the remote surgeon, the gateway, and the robotic arm to trick legal participants. Additionally, the scheme of Kamil et al. directly stores secret keys of robot arms, so an attacker who has stolen the verifier table can successfully impersonate the robot arm. Accordingly, the scheme proposed by Kamil et al. cannot resist robotic arm compromise attacks and stolen verifier attacks. Moreover, the scheme proposed by Kamil et al. misuses exclusive OR operations, preventing its correct execution.

Below, we discuss the limitations of the scheme proposed by Kamil et al. in detail.

2.2.1. Failure to Resist Robotic Arm Compromise Attacks

1. Scenario I: Impersonation of a surgeon.

In the scheme proposed by Kamil et al., when a robotic arm ($R{M}_j$) is compromised, an attacker ($\mathcal{A}$) can obtain $RI{D}_j$ and $D_j$. The attacker ($\mathcal{A}$) obtains $A_8$ from previous communication messages and computes $R_i||R_k||T{S}_2=A_8\oplus D_j$ to obtain the random secrets ($R_i$) of the gateway ($G_i$) and $R_k$ of the remote surgeon ($S_k$). Next, $\mathcal{A}$ computes $C=A_7\oplus h(RI{D}_j,D_j,R_i,R_k,T{S}_2)$ to obtain the random secret ($C$) of TA. $\mathcal{A}$ obtains previous communication messages ($A_4$,$A_5$,$A_6$,$T{S}_1)$ of $S_k$ and computes $\beta =A_4\oplus T{S}_1$, $A_3=(R_k||A_5)\oplus A_6\left(=h(C,D_i\right))$. $\mathcal{A}$ can compute $\widetilde{A_4}=\beta \oplus T{S}_1^{\ast }$, $\widetilde{A_5}=h(\widetilde{R_k},A_3,\widetilde{T{S}_1})$ and $\widetilde{A_6}=\widetilde{R_k}||\widetilde{A_5}\oplus A_3$ and send out a service request ($\widetilde{M_1}=(\widetilde{A_4},\widetilde{A_5},\widetilde{A_6},\widetilde{T{S}_1})$) to impersonate $S_k$, where $\widetilde{R_k}$ is a nonce selected by $\mathcal{A}$, and $\widetilde{T{S}_1}$ is the current timestamp.

Upon receiving $M_4=\left(A_8,A_{12},A_{13}\right)$ form $G_i$, $\mathcal{A}$ can compute $R_i^{*} || R_j^{**}||T{S}_4=A_{13}\oplus \widetilde{R_k}$ and the session key ($K_3=h(R_i^{*},R_j^{**},\widetilde{R_k})$) shared with $G_i$ and $R{M}_j$ and successfully impersonate the surgeon ($S_k$). Therefore, the scheme proposed by Kamil et al. fails to resist robotic arm compromise attacks.

2. Scenario II: Impersonation of a gateway.

According to the analyses of Scenario I, the attacker ($\mathcal{A}$) can easily derive $A_3\left(=h(C,D_i\right))$, the random secret ($C$) from previous communication messages. Upon receiving $M_1=\left(A_4,A_5, A_6,T{S}_1\right)$ from $S_k$, $\mathcal{A}$ computes $h\left(RI{D}_i,D_i\right)=A_4\oplus C\oplus T{S}_1$ and $R_k^{\ast } || A_5=A_6\oplus A_3$. Then, $\mathcal{A}$ chooses a nonce ($\widetilde{R_i}$) and picks the current timestamp ($\widetilde{T{S}_2})$ and then computes $\widetilde{A_7}=C\oplus h(RI{D}_j,D_j,\widetilde{R_i},R_k^{\ast },\widetilde{T{S}_2})$, $\widetilde{A_8}=D_j\oplus (\widetilde{R_i} || R_k^{\ast } ||\widetilde{T{S}_2})$, and $\widetilde{A_9}=h(RI{D}_j,D_j,C,\widetilde{R_i},\widetilde{T{S}_2})$ and sends $\widetilde{M_2}=(\widetilde{A_7},\widetilde{A_8}, \widetilde{A_9})$ to $R{M}_j$.

Upon receiving $M_3=\left(A_{10},A_{11}\right)$, $\mathcal{A}$ computes $R_j^{\ast } || T{S}_3=A_{11}\oplus \widetilde{R_i}$ and the session key ($K_2=h(\widetilde{R_i},R_k^{\ast },R_j^{\ast })$) shared with $G_i$ and $R{M}_j$. Next, $\mathcal{A}$ computes $\widetilde{A_{12}}=h(K_2,\widetilde{R_i},R_j^{\ast },\widetilde{A_8},\widetilde{T{S}_4})$ and $\widetilde{A_{13}}=(\widetilde{R_i}||R_j^{\ast }||\widetilde{T{S}_4})\oplus R_k^{\ast }$, and sends $\widetilde{M_4}=(\widetilde{A_8},\widetilde{A_{12}}, \widetilde{A_{13}})$ to $S_k$, where $\widetilde{T{S}_4}$ is the current timestamp. $\mathcal{A}$ successfully impersonates the gateway ($G_i$); therefore, the scheme proposed by Kamil et al. fails to resist robotic arm compromise attacks.

3. Scenario III: Violation of session key security.

According to the analyses of Scenario I, the attacker ($\mathcal{A}$) can easily derive $A_3\left(=h(C,D_i\right))$, the random secret ($C$) from previous communication messages. First, $\mathcal{A}$ impersonate $S_k$ to compute $\widetilde{A_4}=\beta \oplus T{S}_1^{\ast }$, $\widetilde{A_5}=h(\widetilde{R_k},A_3,\widetilde{T{S}_1})$, and $\widetilde{A_6}=\widetilde{R_k}||\widetilde{A_5}\oplus A_3$, and to send a service request ($\widetilde{M_1}=(\widetilde{A_4},\widetilde{A_5},\widetilde{A_6},\widetilde{T{S}_1})$) to $G_i$, where $\widetilde{R_k}$ is a nonce selected by $\mathcal{A}$, and $\widetilde{T{S}_1}$ is the current timestamp.

Then, $\mathcal{A}$ eavesdrops on communications between $G_i$ and another robotic arm ($R{M}_j^{\prime }$) and obtains $M_2=\left(A_7,A_8,A_9\right)$ and $M_3=\left(A_{10},A_{11}\right)$, where $RI{D}_j^{\prime }$ is the identity of $R{M}_j^{\prime }$, $D_j^{\prime }$ is the secret key of $R{M}_j^{\prime }$, $A_7=C^{\ast }\oplus h(RI{D}_j^{\prime },D_j^{\prime },R_i,\widetilde{R_k},T{S}_2)$, $A_8=D_j^{\prime }\oplus (R_i || \widetilde{R_k} ||T{S}_2)$, $A_9=h(RI{D}_j^{\prime },D_j^{\prime },C^{\ast },R_i,T{S}_2)$, $A_{10}=h\left(R_i^{\ast },R_j,K_1,RI{D}_j,D_j,T{S}_3\right)$, and $A_{11}=R_i^{\ast }\oplus (R_j || T{S}_3)$. Upon receiving $M_4=\left(A_8,A_{12},A_{13}\right)$ from $G_i$, where $A_{12}=h(K_2,R_i,R_j^{\ast },A_8,T{S}_4)$ and $A_{13}=(R_i||R_j^{\ast }||T{S}_4)\oplus \widetilde{R_k}$, $\mathcal{A}$ can compute $R_i^{\ast } || R_j^{\ast \ast } || T{S}_4=A_{13}\oplus \widetilde{R_k}$ and the secret key of $R{M}_j^{\prime }$, $D_j^{\prime }=A_8\oplus (R_i^{\ast }|| \widetilde{R_k} ||T{S}_2)$.

Although the attacker ($\mathcal{A}$) does not have $R{M}_j^{\prime }$’s identity ($RI{D}_j^{\prime }$), $\mathcal{A}$ can still monitor other communications between $S_k$, $G_i$, and some robotic arms ($R{M}_j^{\ast }$). $\mathcal{A}$ computes $(R_1 \Vert R_2 ||T{S}_2)=(A_8\oplus D_j^{\prime })$ and verifies whether $T{S}_2$ is a current timestamp. If successful, $\mathcal{A}$ makes sure that $R{M}_j^{\ast }$ is $R{M}_j^{\prime }$ and $R_1$ is $R_i$ from $G_i$ and that $R_2$ is $R_k$ from $S_k$. Then, $\mathcal{A}$ computes $(R_i||R_j||T{S}_4)=A_{13}\oplus R_k$. Accordingly, $\mathcal{A}$ can obtain the session key ($K=h\left(R_i,R_k,R_j\right)$) of $S_k$, $G_i$, and $R{M}_j^{\prime }$ to decrypt communication messages between $S_k$, $G_i$, and $R{M}_j^{\prime }$ to perform man-in-the-middle attacks and modification attacks and to trace $R{M}_j^{\prime }$.

2.2.2. Failure to Resist Stolen Verifier Attacks

In the register phase of the scheme proposed by Kamil et al., the gateway ($G_i$) stores $RI{D}_j$ and $D_j$ for each robotic arm ($R{M}_j$). An attacker who has stolen the verifier table can impersonate the robotic arm ($R{M}_j$), as it obtains the secrets ($RI{D}_j,D_j)$ of $R{M}_j$ and has the same ability as $R{M}_j$.

2.2.3. Failure to Execute Correctly

In the scheme proposed by Kamil et al., the surgeon ($S_k$) cannot correctly compute $A_6=(R_k\Vert A_5)\oplus A_3$ in Step 1. Because $(R_k\Vert A_5)$ is longer than $A_3$, where $A_3=h(C,D_i)$ and $A_5=h\left(R_k,A_3,T{S}_1\right)$, $S_k$ cannot directly execute an exclusive OR operation of $(R_k\Vert A_5)$ and $A_3$. Similar problems also occur in that $G_i$ cannot correctly compute $A_8=D_j\oplus \left(R_i || R_k^{\ast } ||T{S}_2\right)$ in Step 2, $R{M}_j$ cannot correctly compute $A_{11}=R_i^{\ast }\oplus (R_j \Vert T{S}_3)$ in Step 3, and $G_i$ cannot correctly compute $A_{13}=R_i||R_j^{\ast }||T{S}_4\oplus R_k^{\ast }$ in Step 4.

3. Enhanced Authenticated Key Agreement Scheme for Tactile Internet Environment

In this section, we develop an enhanced AKA scheme based on the AKA scheme proposed by Kamil et al. for the Tactile Internet environment. In order to overcome the limitations of the AKA scheme proposed by Kamil et al., the enhanced scheme adopts a one-time key to protect communication messages such that an attacker who captures the robotic arm cannot derive valuable information from previous messages to perform impersonation attacks. To avoid stolen verifier attacks, $G_i$ does not directly store the secret key ($D_j$) of $R{M}_j$ in its database and protects $D_j$ with the secret key ($D_i$) of $G_i$. Even if the attacker steals the verification table, he/she still cannot obtain the secret key ($D_j$) of $R{M}_j$ to successfully impersonate $R{M}_j$.

A number of phases are involved in the enhanced scheme, including registration of gateways and robotic arms, registration of remote surgeons, login of remote surgeons, authentication and key agreement, updating of passwords, adding dynamic robotic arms, and revocation. Because the password updating phase, dynamic robotic arm addition phase, and revocation phase of the enhanced scheme are similar to the scheme proposed by Kamil et al., they are not discussed here. Below, we provide a detailed description of the gateway and robotic arm registration phase, the remote surgeon registration phase, the remote surgeon login phase, the authentication phase, and the key agreement phase. Figure 2 shows a flow chart of the enhanced scheme.

3.1. Registration Phase of Gateway and Robotic Arms

This phase provides the registration process for the gateway and robotic arms with the TA, as shown in Figure 3. The registration process is as follows.

Step 1: $TA\Rightarrow G_i: M_1=\left(RI{D}_i,D_i,RI{D}_j,D_j\right)$.

The trust authority (TA) at first chooses a unique identity ($RI{D}_{TA}$) and a one-way hash function operation ($h:{\{0,1\}}^{\ast }\to Z_q^{\ast }$). Next, the $TA$ chooses $RI{D}_i$ and $RI{D}_j$ as the identities of the gateway ($G_i$) and the robotic arm ($R{M}_j$), respectively, picks a secret ($s\in Z_q^{\ast }$), and computes $D_i=h\left(s,RI{D}_{TA},RI{D}_i\right)$ and $D_j=h\left(s,RI{D}_{TA},RI{D}_j\right)$. Finally, the $TA$ stores $\left(RI{D}_i,D_i,RI{D}_j,D_j\right)$ and sends $M_1$ to $G_i$ through a secure channel.

Step 2: $G_i\Rightarrow R{M}_j: M_2=\left(RI{D}_j,D_j\right)$.

After the gateway ($G_i$) receives $M_2$, $G_i$ computes $C{D}_j=h(RI{D}_j \Vert D_i) \oplus D_j$ and stores $\left(RI{D}_i,D_i,RI{D}_j,C{D}_j\right)$. Finally, $G_i$ sends $M_2$ to $R{M}_j$.

3.2. User Registration Phase

In this phase, the remote surgeon ($S_k$) registers with the trusted authority ($TA$). Each surgeon ($S_k$) has a smart card with the information of the surgeon. The registration process of the remote surgeon is shown in Figure 4.

Step 1: $S_k\Rightarrow TA: M_1=\left(RI{D}_k,D_k,HP{W}_k\right)$.

The remote surgeon ($S_k$) first picks his/her own identity ($RI{D}_k$), password ($P{W}_k$), and a random number $B_k$ and computes $D_k=h\left(RI{D}_k,B_k\right)$ and $HP{W}_k=h\left(P{W}_k,B_k\right)$. Finally, $S_k$ sends $M_1$ to the $TA$ through a secure channel.

Step 2: $TA\Rightarrow S_k:M_2=\left(TI{D}_k,\alpha ,h(.)\right)$.

After receiving $M_1$, the $TA$ first picks a random identity ($TI{D}_k$) and computes $\alpha =h\left(TI{D}_k,D_i\right)\oplus h\left(D_k,HP{W}_k\right)$. Then, the $TA$ stores ($\alpha$,$TI{D}_k$) in the memory of a mobile device and sends it to $S_k$ through a secure channel. Upon receiving the mobile device, $S_k$ computes $A_1=h\left(P{W}_k,RI{D}_k\right)\oplus B_k$ and the verification message, $V{M}_1=h\left(B_k,HP{W}_k,D_k\right)$. Then, $S_k$ stores $A_1$, $V{M}_1$, $TI{D}_k$, and $\alpha$ in the smart card.

3.3. Login, Authentication, and Session Key Agreement Phase

In order to perform remote operations in case of an emergency, the remote surgeon ($S_k$) needs to log in to a smart card and send a verification message to access the gateway ($G_i$). The gateway ($G_i$) sends a verification message to the robot after the remote surgeon has been identified. The robot passes the authentication message to the remote surgeon via the gateway. Finally, the gateway, remote coverage, and robotic arm establish a session key for the current login session. The authentication and key agreement of the proposed protocol is shown in Figure 5, and the details are summarized below.

Step 1: $S_k\to G_i: M_1=\left(TI{D}_k,A_3,V{M}_2,T{S}_1\right)$.

The remote surgeon ($S_k$) inputs his/her $RI{D}_k$ and $P{W}_k$ into the mobile device; then, mobile device computes $B_k=A_1\oplus h\left(RI{D}_k,P{W}_k\right)$ to obtain the random number ($B_k$) and computes $D_k=h\left(RI{D}_k,B_k\right)$, $HP{W}_k=h\left(P{W}_k,B_k\right)$, and $V{M}_1^{\ast }=h\left(B_k,HP{W}_k,D_k\right)$ to verify $V{M}_1^{\ast }=?V{M}_1$. If successful, the mobile device picks the current timestamp ($T{S}_1$) and a random number ($R_k$) and computes $A_2=\alpha \oplus h\left(D_k,HP{W}_k\right)$ and $A_3=h\left(A_2,HP{W}_k\right)\oplus R_k$ and verification the message, $V{M}_2=h\left(R_k,A_2,T{S}_1\right)$. Finally, $S_k$ sends $M_1$ to the gateway ($G_i$).

Step 2: $G_i\to R{M}_j: M_2=\left(TI{D}_k,A_4,A_5,V{M}_3,T{S}_2\right)$.

When $G_i$ receives $M_1$, $G_i$ checks whether the timestamp ($T{R}_1-T{S}_1$) is less than $\Delta T$. If successful, $G_i$ computes $A_2^{\ast }=h\left(TI{D}_k,D_i\right)$, $R_k^{\ast }=A_3\oplus h\left(A_2^{\ast },T{S}_1\right)$, and $V{M}_2^{\ast }=h\left(R_k^{\ast },A_2^{\ast },T{S}_1\right)$ to verify $V{M}_2^{\ast }=?V{M}_2$. If successful, $G_i$ picks a random number ($R_i$) and the current timestamp ($T{S}_2$) and computes $D_j=h(RI{D}_j \Vert D_i) \oplus C{D}_j$ to obtain the $D_j$ of $R{M}_j$, then computes $A_4=h\left(D_j,T{S}_2,0\right)\oplus R_i$, $A_5=h\left(D_j,T{S}_2,1\right)\oplus R_k^{\ast }$, and a verification message, $V{M}_3=h\left(RI{D}_j,D_j,TI{D}_k,R_i,T{S}_2\right)$, where $D_j$ is the secret of the robotic arm, and $T{S}_2$ ensures the freshness of messages.

Step 3: $R{M}_j\to G_i: M_3=\left(A_6,V{M}_4,T{S}_3\right)$.

After receiving $M_2$ from $G_i$, $R{M}_j$ checks whether the timestamp ($T{R}_2-T{S}_2$) is less than $\Delta T$. If successful, $R{M}_j$ computes $R_i^{\ast }=A_4\oplus h\left(D_j,T{S}_2,0\right)$, $R_k^{\ast \ast }=A_5\oplus h\left(D_j,T{S}_2,1\right)$, and $V{M}_3^{\ast }=h\left(RI{D}_j,D_j,TI{D}_k,R_i^{\ast }T{S}_2\right)$ to verify $V{M}_3^{\ast }=?V{M}_3$. If successful, $R{M}_j$ picks a random number ($R_j$) and the current timestamp ($T{S}_3$) and computes the session key ($K_1=h\left(R_i^{\ast },R_k^{\ast \ast },R_j\right)$), $A_6=h\left(R_i^{\ast },T{S}_3\right)\oplus R_j$, and the verification message ($V{M}_4=h(R_i^{\ast },R_j,K_1,RI{D}_j,D_j,T{S}_3)$). Then, $R{M}_j$ sends $M_3$ to $G_i$.

Step 4: $G_i\to S_k: M_4=\left(A_7,A_8,A_9,V{M}_5,T{S}_4\right)$.

When $G_i$ receives $M_1$, $G_i$ checks whether the timestamp ($T{R}_3-T{S}_3$) is less than $\mathsf{\Delta }T$. If successful, $G_i$ computes $R_j^{\ast }=A_6\oplus h\left(R_i,T{S}_3\right)$, $K_2=h(R_i,R_k^{\ast },R_j^{\ast })$, and the verification message ($V{M}_4^{\ast }=h(R_i,R_j^{\ast },K_2,RI{D}_j,D_j,T{S}_3)$) to verify $V{M}_4^{\ast }=?V{M}_4$. If successful, $G_i$ picks the current timestamp ($T{S}_4$) and computes $A_7=h(A_2^{\ast },T{S}_4,0)\oplus R_i$, $A_8=h(A_2^{\ast },T{S}_4,1)\oplus R_j^{\ast }$, $TI{D}_k^{new}=h(A_2^{\ast },K_2)$, $A_2^{new}=h(TI{D}_k^{new},D_i)$, $A_9=h\left(A_2^{\ast },T{S}_4,2\right)\oplus A_2^{new}$, and $V{M}_5=h(K_2,A_2^{new},T{S}_4)$. Finally, $G_i$ sends $M_4$ to $S_k$.

Step 5: Update ${\mathrm{TID}}_{\mathrm{k}}$ and $\mathsf{\alpha }$ in ${\mathrm{S}}_{\mathrm{k}}$.

After $S_k$ receives $M_4$, $S_k$ checks whether the timestamp ($T{R}_4-T{S}_4$) is less than $\Delta T$. If successful, $S_k$ computes $R_i^{\ast }=h\left(A_2^{\ast },T{S}_4,0\right)\oplus A_7$ and $R_j^{\ast \ast }=h\left(A_2^{\ast },T{S}_4,1\right)\oplus A_8$ to obtain the random number ($R_i^{\ast }$) of $G_i$ and the random number ($R_j^{\ast \ast }$) of $R{M}_j$. Next, $S_k$ computes the session key ($K_3=h( R_i^{\ast }, R_j^{\ast \ast },R_k)$), $A_2^{new}=A_9\oplus h\left(A_2,T{S}_4,2\right)$, and $TI{D}_k^{new}=h\left(A_2,K_3\right)$. Then, $S_k$ computes $V{M}_5^{\ast }=h\left(K_3,A_2^{new},T{S}_4\right)$ to verify $V{M}_5^{\ast }=?V{M}_5$. If successful, $S_k$ computes ${\alpha }^{new}=A_2^{new}\oplus h\left(D_k,HP{W}_k\right)$ and updates $\alpha$ and $TI{D}_k$ via ${\alpha }^{new}$ and $TI{D}_k^{new}$ in the smart card.

4. Security and Performance Analysis

An analysis and comparison of the performance and security of the enhanced scheme are provided in this section.

4.1. Authentication Proof of the Proposed Scheme Using BAN Logic