Due to the outbreak of COVID-19, the Internet of Medical Things (IoMT) has enabled the doctors to remotely diagnose the patients, control the medical equipment, and monitor the quarantined patients through their digital devices. Security is a major concern in IoMT because the Internet of Things (IoT) nodes exchange sensitive information between virtual medical facilities over the vulnerable wireless medium. Hence, the virtual facilities must be protected from adversarial threats through secure sessions. This article proposes a lightweight and physically secure mutual authentication and secret key establishment protocol that uses physical unclonable functions (PUFs) to enable the network devices to verify the doctor's legitimacy (user) and sensor node before establishing a session key. PUF also protects the sensor nodes deployed in an unattended and hostile environment from tampering, cloning, and side-channel attacks. The proposed protocol exhibits all the necessary security properties required to protect the IoMT networks, like authentication, confidentiality, integrity, and anonymity. The formal AVISPA and informal security analysis demonstrate its robustness against attacks like impersonation, replay, a man in the middle, etc. The proposed protocol also consumes fewer resources to operate and is safe from physical attacks, making it more suitable for IoT-enabled medical network applications.
Keywords: COVID-19; Internet of Medical Things (IoMT); cyber–physical system; key management; security.