Telecare medical information systems (TMISs) enable patients to conveniently enjoy telecare services at home. Protecting patient privacy is a key issue because the communication environment is open. Authentication is the typical approach adopted to guarantee confidential and authorized interaction between the patient and the remote server, and numerous cryptographic remote authentication schemes have been presented to achieve this goal. Recently, Arshad et al. (J Med Syst 38(12): 2014) presented a secure and efficient three-factor authenticated key exchange scheme to remedy the weaknesses of Tan et al.’s scheme (J Med Syst 38(3): 2014). In this paper, we show that in Arshad et al.’s scheme a successful off-line password guessing attack lets an adversary impersonate any user of the system. To thwart these attacks, an enhanced biometric and smart card based remote authentication scheme for TMISs is proposed. In addition, BAN logic is applied to demonstrate the completeness of the enhanced scheme. Security and performance analyses show that our enhanced scheme satisfies more security properties at a lower computational cost than previously proposed schemes.
Notes
This article is part of the Topical Collection on Mobile Systems
Introduction
With the widespread deployment of mobile networks, TMISs have made telecare, which builds a convenient bridge between patients at home and the remote server, a reality. In such a system, patients can access the same medical services as at a hospital without leaving home. TMISs are a great convenience for patients who find it hard to travel to a hospital, and they save patients considerable expense and time. The problem is that patients’ sensitive information may be eavesdropped by an illegal entity over the unreliable communication channel. Therefore, a feasible authentication mechanism [1‐5] is essential to ensure the security and integrity of the data transmitted in TMISs.
In 2009, Wu et al. [6] presented an authenticated key exchange scheme for TMISs and declared that their scheme was more efficient than the previous schemes for TMISs thanks to an added precomputation step. However, He et al. [7] identified that the scheme was susceptible to internal and masquerade attacks, and introduced a more secure authentication scheme to conquer these flaws. Later, Wei et al. [8] pointed out that both Wu et al.’s and He et al.’s schemes were vulnerable to off-line password guessing attack, and designed an improved scheme with more security. But Zhu et al. [9] discovered that Wei et al.’s scheme was still insecure against off-line password guessing attack. In order to eliminate this pitfall, Zhu et al. further proposed an enhancement of Wei et al.’s scheme using RSA [10]. In 2013, Wu et al. [11] pointed out that Jiang et al.’s scheme [12] had some security drawbacks and proposed a new authentication scheme for TMISs. Unfortunately, Wen et al. [13] observed that Wu et al.’s scheme did not provide patient anonymity and failed to resist server spoofing and off-line password guessing attacks. In order to remove these drawbacks, Wen et al. proposed a modified scheme based on Wu et al.’s scheme. Lately, other researchers have also proposed authentication and key agreement schemes for TMISs [14‐16]. All of the above schemes aim to achieve two-factor authentication.
Lately, research on authenticated key exchange schemes that add a biometric factor to two-factor authentication has attracted a lot of well-deserved attention. Compared with passwords, biometric keys have many advantages [17]: they cannot be lost or forgotten, copied or shared, they are hard to forge or distribute, and they cannot be guessed easily. Many biometric based authentication schemes that combine a password and a smart card have appeared [18‐23], and they are becoming one of the most widely adopted authentication mechanisms. Awasthi et al. [24] presented a nonce-based biometric authentication scheme for TMISs. However, Mishra et al. [25] observed that Awasthi et al.’s scheme was vulnerable to off-line password guessing attack and did not provide an efficient password change option. Soon after, Tan et al. [26] found that Awasthi et al.’s scheme did not resist reflection attack and did not achieve three-factor security and user anonymity. To remedy the weaknesses of Awasthi et al.’s scheme, Tan et al. presented a three-factor authentication scheme and claimed that it was secure against various attacks. Recently, Arshad et al. [27] pointed out that Tan et al.’s scheme did not withstand denial-of-service and replay attacks. They then presented an improved elliptic curve cryptosystem (ECC)-based [28, 29] scheme to prevent these flaws.
In this paper, we briefly review Arshad et al.’s scheme. We demonstrate Arshad et al.’s scheme fails to protect against off-line password guessing attack. Additionally, we show that in case the adversary succeeded in getting identity and password of an arbitrary user, he can impersonate any user of the system. Furthermore, we put forward a biometric based authentication scheme for TMISs to cope with the loopholes of Arshad et al.’s scheme. The proposed scheme also employs lower computational operations such as ECC and hash function to lower its computational cost. Besides, we adopt BAN logic [30] to demonstrate the completeness of the enhanced scheme. Moreover, we present the security and performance analyses to show that our enhanced scheme satisfies more security properties and less computational cost compared with previously proposed schemes.
This section briefly reviews Arshad et al.’s biometric based password authentication scheme for TMISs. Their scheme contains three phases: registration, authentication and password change. Notations that will be used throughout the paper are listed in Table 1.
Table 1
Notations
U, S: the patient and the telecare server
IDi, PWi, Bi: identity, password and biometric of the patient
H(⋅): Biohash function
h1(⋅), h2(⋅): hash function \(h_{1}:\{0, 1\}^{\ast }\rightarrow \{0, 1\}^{l}\), hash function \(h_{2}:\{0, 1\}^{\ast }\rightarrow Z_{p}^{\ast }\)
x: private key selected by S
⊕, ||: exclusive-or operation and concatenation operation
Registration
(1)
U selects his identity IDi, password PWi, a random number NC and imprints his biometric Bi. Then, he computes MPWi = PWi ⊕ NC, MBi = Bi ⊕ NC and submits {IDi, MPWi, MBi} to S.
(2)
S verifies whether IDi is in his database or not. If IDi is not found, S calculates AIDi = h2(x||IDi), Vi = MPWi ⊕ MBi ⊕ IDi = PWi ⊕ Bi ⊕ IDi, and Wi = h1(MBi) ⊕ h1(MPWi) ⊕ IDi ⊕ AIDi. Furthermore, S chooses a random number NS and computes Ri = x ⊕ NS and MIDi = IDi ⊕ h1(NS). After that, S keeps IDi in his database and stores the information {Vi, Wi, Ri, MIDi, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)} in a smart card SCi.
(3)
U stores NC into SCi. Now, SCi contains {NC, Vi, Wi, Ri, MIDi, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)}.
Authentication
(1)
U inserts SCi into a smart card reader, inputs IDi and PWi, and imprints biometric \(B_{i}^{\ast }\) at the sensor. Then, SCi computes Bi = Vi ⊕ PWi ⊕ IDi and verifies whether \(d(B_{i}, B_{i}^{\ast }) < \tau \) holds. If it holds, SCi computes AIDi = h1(Bi ⊕ NC) ⊕ h1(PWi ⊕ NC) ⊕ IDi ⊕ Wi, selects a random number dC, computes RC = AIDi dC P = h2(x||IDi) dC P and V1 = h1(IDi||RC||AIDi||TC), and sends the message REQUEST {RC, TC, V1, MIDi, Ri} to S, where TC is the current time.
(2)
When receiving the message, S checks whether the transmission delay is within the allowed time interval ΔT. If TS − TC < ΔT, S computes NS = x ⊕ Ri, derives IDi by computing MIDi ⊕ h1(NS), and checks whether IDi exists in the database. If it exists, S checks whether h1(IDi||RC||h2(x||IDi)||TC) = ?V1. If it holds, S selects a random number dS and computes QS = dSP and \(K_{1}=h_{2}(x||ID_{i})^{-1}d_{S}R_{C}=d_{S}d_{C}P\). Furthermore, S chooses a random number \(N_{S}^{New}\) and computes \(R_{i}^{\ast }=h_{1}(K_{1})\oplus x \oplus N_{S}^{New},\ MID_{i}^{\ast } = h_{1}(K_{1})\oplus ID_{i} \oplus h_{1}(N_{S}^{New})\), and \(V_{2}= h_{1}(MID_{i}^{\ast }||Q_{S}||K_{1}||R_{i}^{\ast }||ID_{i})\). Finally, S sends the message CHALLENGE \(\{Q_{S},\ V_{2},\ MID_{i}^{\ast },\ R_{i}^{\ast }\}\) to U.
(3)
After receiving the message, U computes K2 = dCQS = dCdSP and checks whether \(h_{1}(MID_{i}^{\ast }||Q_{S}||K_{2}||R_{i}^{\ast }||ID_{i})\stackrel {?}=V_{2}\). If the equation is true, U computes \(MID_{i}^{New}=MID_{i}^{\ast }\oplus h_{1}(K_{2}) = ID_{i} \oplus h_{1}(N_{S}^{New})\) and \(R_{i}^{New} =R_{i}^{\ast } \oplus h_{1}(K_{2}) = x \oplus N_{S}^{New}\). Then, U replaces the stored values MIDi and Ri with \(MID_{i}^{New}\) and \(R_{i}^{New}\), respectively. Finally, U computes V3 = h1(K2||QS||IDi) and the shared session key SK = h1(IDi||QS||K2), and sends the message RESPONSE {V3} to S.
(4)
After receiving the message, S checks whether h1(K1||QS||IDi) = ?V3. If equal, S accepts the shared session key SK as SK = h1(IDi||QS||K1).
Password change
U inserts SCi into the card reader, inputs identity IDi and password PWi, and imprints his biometric \(B_{i}^{\ast }\) at the sensor. SCi computes Bi = Vi ⊕ PWi ⊕ IDi and checks whether \(d(B_{i}, B_{i}^{\ast }) < \tau \) holds. If it holds, U keys a new password \(PW_{i}^{New}\) and imprints a new personal biometric \(B_{i}^{New}\). Then, SCi computes \(V_{i}^{New}\) and \(W_{i}^{New}\) as follows:
\(W_{i}^{New} =h_{1}(B_{i}^{New}\oplus N_{C}) \oplus h_{1}(PW_{i}^{New}\oplus N_{C})\oplus ID_{i}\oplus AID_{i}\), and replaces Vi and Wi in SCi’s memory with \(V_{i}^{New}\) and \(W_{i}^{New}\).
Weaknesses of Arshad et al.’s scheme
This section shows that Arshad et al.’s scheme [27] has two security drawbacks, which are discussed in the following subsections. The attacks are based on the assumption that a malicious attacker \(\mathcal {A}\) has complete control over the communication channel connecting U and S in the login and authentication phase. So \(\mathcal {A}\) can eavesdrop, modify, insert, or delete any message transmitted via the public channel [31].
Failure to withstand the off-line password guessing attack
Passwords and identities are of low entropy [32, 33]. Therefore, \(\mathcal {A}\) can guess a password \(PW^{\prime }_{i}\) and an identity \(ID^{\prime }_{i}\) with the help of the values [34, 35] {Vi, Wi, Ri, MIDi, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)} extracted from the medical device and {RC, TC, V1, MIDi, Ri} from the login request message, as follows:
If the verification succeeds, \(\mathcal {A}\) takes \(ID^{\prime }_{i}\) and \(PW^{\prime }_{i}\) as the user’s identity and password. Otherwise, he repeats step (1).
If \(\mathcal {A}\) successfully guesses the identity and the password of the patient, another attack follows. The details of that attack are discussed in the next subsection.
Failure to withstand the user impersonation attack
As described in the previous subsection, \(\mathcal {A}\) can read [34, 35] the information {Vi, Wi, Ri, MIDi, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)} stored in the smart card. After successfully guessing the password PWi and the identity IDi, \(\mathcal {A}\) can launch a user impersonation attack with the eavesdropped message {RC, TC, V1, MIDi, Ri} as follows:
(1)
\(\mathcal {A}\) generates a random number \(d^{\prime }_{C}\) and computes \(R^{\prime }_{C}=AID_{i}d^{\prime }_{C}P,\ V^{\prime }_{1}=h_{1}(ID_{i}||R^{\prime }_{C}||AID_{i}||T^{\prime }_{C})\). After that, he sends the REQUEST message \(\{R^{\prime }_{C},\ T^{\prime }_{C}, V^{\prime }_{1},\ MID_{i}, R_{i}\}\) to S, where \(T^{\prime }_{C}\) is the current timestamp.
(2)
After checking the freshness of \(T^{\prime }_{C}\), S derives NS and IDi and verifies \(h_{1}(ID_{i}||R^{\prime }_{C}||h_{2}(x||ID_{i})||T^{\prime }_{C})\stackrel {?}=V^{\prime }_{1}\). Obviously, the equation holds because the identity is genuine. S then continues with the original scheme without detecting anything. Finally, S delivers the CHALLENGE message \(\{Q_{S},\ V_{2},\ MID_{i}^{\ast },\ R_{i}^{\ast }\}\) to \(\mathcal {A}\).
(3)
\(\mathcal {A}\) imitates what the patient would do, computes \(V_{3}=h_{1}(d^{\prime }_{C}Q_{S}||Q_{S}||ID_{i})\) and sends it to S. On receiving V3, S will accept it. As a result, S negotiates the session key \(SK=h_{1}(ID_{i}||Q_{S}||d^{\prime }_{C}Q_{S})\) with \(\mathcal {A}\), who masquerades as the legal patient.
Proposed scheme
This section presents a slightly modified scheme that remedies the weaknesses of Arshad et al.’s scheme. The proposed scheme aims to be an efficient improvement on Arshad et al.’s scheme that overcomes its weaknesses while retaining its original merits. To resist the off-line password guessing attack, the proposed scheme uses the biometric to conceal the password. We adopt Biohashing to protect the patients’ biometrics, which lowers the high false rejection rate and hence decreases the probability of denial of service [36, 37]; Biohashing is also very efficient and lightweight compared with modular exponentiation and elliptic curve point multiplication [38, 39]. The proposed scheme also consists of three phases: registration, login and authentication, and password change (Fig. 1).
Registration
(1)
The patient U inputs his biometric Bi, identity IDi and password PWi. Then, U calculates MPi = PWi ⊕ H(Bi) and submits {IDi, MPi} to the server S.
(2)
When receiving the message, S computes AIDi = IDi ⊕ h2(x), Vi = h1(IDi||MPi) and issues a smart card SCi which contains the information {AIDi, Vi, h1(⋅), h2(⋅), H(⋅)} to U.
Login and Authentication
(1)
U inserts SCi into a card reader and keys his identity IDi, password PWi and biometric Bi. SCi computes h1(IDi||PWi ⊕ H(Bi)) and verifies whether it equals the stored value Vi. If so, U passes the verification. Then, SCi selects a random number du and computes K = h1(IDi||IDi ⊕ AIDi), M1 = K ⊕ duP, M2 = h1(IDi||T1||duP), and transmits {M1, M2, AIDi, T1} to S, where T1 is the current timestamp.
(2)
When receiving the login request, S first examines whether |T1 − Tc| < ΔT, where Tc is the current timestamp of S. If it holds, S uses his private key x to derive IDi by computing AIDi ⊕ h2(x); he then computes K = h1(IDi||IDi ⊕ AIDi) and duP = K ⊕ M1 and checks h1(IDi||T1||duP) = ?M2. If correct, S generates a random number ds and computes M3 = K ⊕ dsP, SK = dsduP and M4 = h1(K||duP||SK||T2), where T2 is the current timestamp. At last, S sends the message {M3, M4, T2} to U.
(3)
Upon receiving the message, U first checks the freshness of T2. Then, U retrieves dsP by computing M3 ⊕ K and computes \(SK=d_{u}d_{s}P,\ M^{\prime }_{4}=h_{1}(K||d_{u}P||SK||T_{2})\) to verify whether \(M^{\prime }_{4}\) equals the received M4. If it holds, U computes M5 = h1(K||dsP||SK||T3) and sends the message {M5, T3} to S, where T3 is the current timestamp.
(4)
After receiving {M5, T3}, S verifies whether |T3−Tc| < ΔT and \(M^{\prime }_{5}=h_{1}(K||d_{s}P||SK||T_{3})\stackrel {?}=M_{5}\). If both conditions hold, S authenticates U and accepts SK as the session key for further operations.
Password change
If U suspects that his password may have been leaked, he can change the old password to a new one as follows. U inserts his SCi into the device and submits his IDi, PWi and Bi. Then SCi verifies whether h1(IDi||PWi ⊕ H(Bi)) = ?Vi. If valid, U inputs a new password PWnew, and SCi calculates \(V_{i}^{new}=h_{1}(ID_{i}||PW^{new}\oplus H(B_{i}))\) and replaces Vi with \(V_{i}^{new}\).
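The following simulation of the proposed registration and login/authentication phases is an added example written for this page; it is not code from the paper or its authors. It plays both sides of the exchange (the smart card and the server S) with the messages {M1, M2, AIDi, T1}, {M3, M4, T2} and {M5, T3} defined above, applies the timestamp window and the M2/M4/M5 checks, and confirms that both parties end with the same SK. Assumptions not in the paper: the curve is secp256k1 (public standard parameters), h1 and h2 are SHA-512 with distinct domain prefixes so that their 64-byte output matches the 64-byte x||y point encoding used as an XOR mask, the Biohash H(⋅) is modelled as SHA-512 over a biometric template, identities and passwords are zero-padded to 64 bytes, ΔT is 5 seconds, and all function names and sample inputs are constructed for the example.

```python
# Added example, not the paper's code: the proposed scheme's registration and
# login/authentication phases with both sides' messages. Assumptions: secp256k1,
# h1/h2 = SHA-512 with domain prefixes (64-byte output = 64-byte x||y point encoding),
# Biohash H(.) = SHA-512 over a template, ID/PW zero-padded to 64 bytes, dT = 5 s.
import hashlib
import secrets

P_MOD = 2**256 - 2**32 - 977                     # secp256k1 field prime
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5                                      # allowed delay window in seconds (assumed)

def ec_add(A, B):                                # affine addition on y^2 = x^3 + 7; None = infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD)) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, Pt):                               # double-and-add scalar multiplication k*Pt
    R = None
    while k:
        if k & 1: R = ec_add(R, Pt)
        Pt, k = ec_add(Pt, Pt), k >> 1
    return R

def enc(Pt): return Pt[0].to_bytes(32, "big") + Pt[1].to_bytes(32, "big")
def dec(b):                                      # refuse an unmasked value that is not a curve point
    x, y = int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big")
    if x >= P_MOD or y >= P_MOD or (y * y - x**3 - 7) % P_MOD: raise ValueError("not on curve")
    return (x, y)
def h1(*parts): return hashlib.sha512(b"h1|" + b"||".join(parts)).digest()
def h2(*parts): return hashlib.sha512(b"h2|" + b"||".join(parts)).digest()
def H(template): return hashlib.sha512(b"biohash|" + template).digest()   # Biohash stand-in
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def ts(t): return t.to_bytes(8, "big")
def rand_scalar(): return secrets.randbelow(N_ORD - 1) + 1

def register(x, ID, PW, Bio):                    # U submits {ID_i, MP_i}; S issues the card contents
    MP = xor(PW, H(Bio))
    return {"AID": xor(ID, h2(x)), "V": h1(ID, MP)}

def card_login(card, ID, PW, Bio, T1):           # step (1), on the smart card
    if h1(ID, xor(PW, H(Bio))) != card["V"]: raise PermissionError("three-factor check failed")
    K, du = h1(ID, xor(ID, card["AID"])), rand_scalar()     # K = h1(ID_i || h2(x))
    duP = ec_mul(du, G)
    return (xor(K, enc(duP)), h1(ID, ts(T1), enc(duP)), card["AID"], T1), (K, du, duP)

def server_challenge(x, req, now):               # step (2), on S
    M1, M2, AID, T1 = req
    if abs(T1 - now) >= DELTA_T: raise ValueError("T1 outside window: replay or delay")
    ID = xor(AID, h2(x))                         # AID_i xor h2(x) = ID_i
    K = h1(ID, xor(ID, AID))
    duP = dec(xor(K, M1))
    if h1(ID, ts(T1), enc(duP)) != M2: raise ValueError("M2 mismatch: forged request")
    ds = rand_scalar()
    dsP, SK = ec_mul(ds, G), ec_mul(ds, duP)
    M4 = h1(K, enc(duP), enc(SK), ts(now))
    return (xor(K, enc(dsP)), M4, now), (K, dsP, SK)

def card_confirm(state, chal, now):              # step (3), on the smart card
    K, du, duP = state
    M3, M4, T2 = chal
    if abs(T2 - now) >= DELTA_T: raise ValueError("T2 outside window")
    dsP = dec(xor(K, M3))
    SK = ec_mul(du, dsP)
    if h1(K, enc(duP), enc(SK), ts(T2)) != M4: raise ValueError("M4 mismatch: server not authenticated")
    return (h1(K, enc(dsP), enc(SK), ts(now)), now), SK

def server_finish(state, resp, now):             # step (4), on S
    K, dsP, SK = state
    M5, T3 = resp
    if abs(T3 - now) >= DELTA_T or h1(K, enc(dsP), enc(SK), ts(T3)) != M5:
        raise ValueError("M5 rejected")
    return SK

def new_patient():                               # constructed sample inputs and a fresh server key
    x = secrets.token_bytes(64)
    ID, PW = b"patient-0001".ljust(64, b"\0"), b"correct horse".ljust(64, b"\0")
    Bio = b"constructed-fingerprint-template"
    return x, ID, PW, Bio, register(x, ID, PW, Bio)

def run_session(now=1_700_000_000):              # True when U and S agree on SK
    x, ID, PW, Bio, card = new_patient()
    req, us = card_login(card, ID, PW, Bio, T1=now)
    chal, ss = server_challenge(x, req, now=now + 1)
    resp, sk_u = card_confirm(us, chal, now=now + 2)
    return sk_u == server_finish(ss, resp, now=now + 3)

def replay_rejected(now=1_700_000_000):          # an old request resent after the window is refused
    x, ID, PW, Bio, card = new_patient()
    req, _ = card_login(card, ID, PW, Bio, T1=now)
    try:
        server_challenge(x, req, now=now + DELTA_T + 1)
    except ValueError:
        return True
    return False
```

Run `run_session()` to see both sides agree on SK, and `replay_rejected()` to see the T1 window catch a resent login request; a wrong password fails the local three-factor check before any message leaves the card, and a tampered M1 fails the on-curve check or the M2 comparison on the server.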
Security analysis
This section analyzes the security of the enhanced scheme both through Burrows-Abadi-Needham (BAN) logic [30] and through its security features.
Proving the scheme with BAN logic
BAN logic [30] is a set of rules for defining and analyzing information exchange schemes (Table 2). It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes. We first introduce some notations and logical postulates of BAN logic used in our scheme.
(1)
BAN logical postulates
a.
Message-meaning rule: \(\frac {A|\equiv A\stackrel {K}\leftrightarrow B,\ A\triangleleft \{X\}_{K}}{A|\equiv B|\sim X}\): if A believes that K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.
b.
Nonce-verification rule: \(\frac {A|\equiv \#X, A |\equiv B|\sim X}{A|\equiv B|\equiv X}\): if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.
c.
The belief rule: \(\frac {A|\equiv X,\ A|\equiv Y}{A|\equiv (X,\ Y)}\): if A believes X and Y, then A believes (X, Y).
d.
Fresh conjuncatenation rule: \(\frac {A|\equiv \#X}{A|\equiv \#(X,\ Y)}\): if A believes in the freshness of X, then A believes in the freshness of (X, Y).
e.
Jurisdiction rule: \(\frac {A|\equiv B\Rightarrow X,\ A |\equiv B|\equiv X}{A|\equiv X}\): if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.
(2)
Idealized scheme
U:
\(\langle d_{u}P\rangle_{U\stackrel {K}\leftrightarrow S},\ \langle ID_{i}\rangle_{h_{2}(x)},\ (ID_{i},\ d_{u}P,\ T_{1}),\ (U\stackrel {SK}\leftrightarrow S,\ d_{s}P,\ T_{3})_{U\stackrel {K}\leftrightarrow S}\)
a1.
Since p3 and \(U\triangleleft (U\stackrel {SK}\leftrightarrow S,\ d_{u}P,\ T_{2})_{U\stackrel {K}\leftrightarrow S}\), by the message-meaning rule, we get: \(U|\equiv S|\sim (U\stackrel {SK}\leftrightarrow S,\ d_{u}P,\ T_{2})\).
a2.
Since p1 and a1, by the fresh conjuncatenation and nonce-verification rules, we get: \(U|\equiv S|\equiv (U\stackrel {SK}\leftrightarrow S,\ d_{u}P,\ T_{2})\).
g1.
Since a2, by the belief rule, we get: \(U|\equiv S|\equiv U\stackrel {SK}\leftrightarrow S\).
g2.
Since p5 and g1, by the jurisdiction rule, we get: \(U|\equiv U\stackrel {SK}\leftrightarrow S\).
a3.
Since p4 and \(S\triangleleft (U\stackrel {SK}\leftrightarrow S,\ d_{s}P,\ T_{3})_{U\stackrel {K}\leftrightarrow S}\), by the message-meaning rule, we get: \(S|\equiv U|\sim (U\stackrel {SK}\leftrightarrow S,\ d_{s}P,\ T_{3})\).
a4.
Since p2 and a3, by the fresh conjuncatenation and nonce-verification rules, we get: \(S|\equiv U|\equiv (U\stackrel {SK}\leftrightarrow S,\ d_{s}P,\ T_{3})\).
g3.
Since a4, by the belief rule, we get: \(S|\equiv U|\equiv U\stackrel {SK}\leftrightarrow S\).
g4.
Since g3 and p6, by the jurisdiction rule, we get: \(S|\equiv U\stackrel {SK}\leftrightarrow S\).
Table 2
BAN logic notations
A| ≡ X: A believes a statement X
\(U \stackrel {K}\leftrightarrow S\): a key K is shared between the user and the server
#X: X is fresh
A ⊲ X: A sees X
A|∼X: A said X
{X, Y}K: X and Y are encrypted with the key K
(X, Y)K: X and Y are hashed with the key K
< X > K: X is xored with the key K
Security analysis
This section shows that the enhanced scheme withstands different security attacks, including the attacks found in Arshad et al.’s scheme. The attacks are based on the assumption that a malicious attacker \(\mathcal {A}\) has complete control over the communication channel connecting the patients and the telecare server in the login and authentication phase. So \(\mathcal {A}\) can eavesdrop, modify, insert, or delete any message transmitted via the public channel [31].
User anonymity
The patient’s identity IDi is concealed in all the transmitted messages and is protected by one-way hash functions. If \(\mathcal {A}\) attempts to derive IDi, he needs to know the server’s private key x or the random numbers generated by U and S. Obviously, these values are secrets known only to U and S. Therefore, it is impossible to track the patient who is involved in the authentication session.
Insider attack
The patient registers with S by presenting PWi ⊕ H(Bi) instead of the plaintext PWi. Since Bi is unknown to the insider, it is difficult to retrieve PWi from PWi ⊕ H(Bi). Therefore, a privileged insider of S cannot obtain the plaintext password and hence cannot impersonate the patient to log in to other telecare servers.
Off-line password guessing attack
Assume that \(\mathcal {A}\) reads [34, 35] the information {Vi, AIDi} stored in the smart card and tries to guess a password in an off-line manner. To verify a candidate password, \(\mathcal {A}\) needs to know the patient’s IDi and biometric Bi at the same time. To obtain IDi from AIDi, the telecare server’s private key x is needed. Since \(\mathcal {A}\) knows neither the biometric Bi nor x, which are held only by U and S respectively, it is hard for \(\mathcal {A}\) to mount an off-line password guessing attack with the smart card.
Impersonation attack
\(\mathcal {A}\) cannot impersonate a legal patient to the server, since he cannot generate a valid login request {M1, M2, AIDi, T1} without knowing U’s identity IDi and S’s private key x, and both values are unknown to \(\mathcal {A}\). Similarly, \(\mathcal {A}\) cannot impersonate the server to cheat a legal patient without knowledge of x. Only if \(\mathcal {A}\) knew x could he derive IDi from intercepted messages, but x is the secret key of S and \(\mathcal {A}\) cannot know it. In a word, it is infeasible for \(\mathcal {A}\) to launch an impersonation attack.
The session key perfect forward secrecy
Even if the patient’s password PWi and the server’s private key x are compromised by \(\mathcal {A}\), the session keys SK of previous sessions remain undisclosed. On the one hand, the password PWi and the server’s private key x are not used to compute the session key. On the other hand, it is impractical to compute SK = dudsP without knowledge of du and ds. As a result, the enhanced scheme achieves session key perfect forward secrecy.
Mutual authentication
S validates U’s login message {M1, M2, AIDi, T1} by checking whether the timestamp T1 is fresh and the condition \(M^{\prime }_{2}= M_{2}\) holds. U validates S’s message {M3, M4, T2} by checking whether the timestamp T2 is fresh and the condition \(M^{\prime }_{4}= M_{4}\) holds.
Replay attack
Assume that \(\mathcal {A}\) intends to resend the old message {M1, M2, AIDi, T1} to log in to S. The attack is immediately detected by S when it verifies the freshness of T1. Besides, S will also discover a forged message when it verifies the correctness of the value M2 = h1(IDi||T1||duP). Therefore, it is impossible for \(\mathcal {A}\) to mount a replay attack.
Modification attack
Both the patient’s identity IDi and the server’s private key x are hidden in all the transmitted messages, and any forged message is examined by U or S. Without knowledge of these two values, \(\mathcal {A}\) cannot intercept the transmitted messages and modify them in a way that passes verification.
Functionality and performance comparisons
In this section, we compare the functionality and performance of the enhanced scheme with the previous related schemes [13, 24, 26, 27]. Table 3 shows that the enhanced scheme is more secure than the other related schemes. For the performance comparison, let pm, m, inv, s, F, e and h denote the time for performing an elliptic curve point multiplication, a modular multiplication, a modular inversion, a symmetric encryption/decryption, a pseudo-random function, a modular exponentiation and a one-way hash function, respectively. From Table 4 we can see that the overall computational cost of the enhanced scheme is lower than those of the schemes [13, 24, 26, 27].
We have discussed the security of Arshad et al.’s scheme and discovered that it is vulnerable to an off-line password guessing attack, which allows an adversary to impersonate a legal user and access any service provided by the telecare server. We employ a hash function, ECC, nonces and a biometric as the primitives of our authenticated key exchange scheme to improve the security and efficiency of Arshad et al.’s scheme. The enhanced scheme not only satisfies many security features but also has the lowest computational cost among the related schemes.
Acknowledgments
The authors would like to thank all the anonymous reviewers for their helpful advice. This paper is supported by the National Natural Science Foundation of China (Grant No. 61121061), the Beijing Natural Science Foundation (Grant No. 4142016), and the Asia Foresight Program under NSFC Grant (Grant No. 61411146001).
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0), which permits use, duplication, adaptation, distribution, and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.