Abstract
Telecare medicine information system (TMIS) offers the patients convenient and expedite healthcare services remotely anywhere. Patient security and privacy has emerged as key issues during remote access because of underlying open architecture. An authentication scheme can verify patient’s as well as TMIS server’s legitimacy during remote healthcare services. To achieve security and privacy a number of authentication schemes have been proposed. Very recently Lu et al. (J. Med. Syst. 39(3):1–8, 2015) proposed a biometric based three factor authentication scheme for TMIS to confiscate the vulnerabilities of Arshad et al.’s (J. Med. Syst. 38(12):136, 2014) scheme. Further, they emphasized the robustness of their scheme against several attacks. However, in this paper we establish that Lu et al.’s scheme is vulnerable to numerous attacks including (1) Patient anonymity violation attack, (2) Patient impersonation attack, and (3) TMIS server impersonation attack. Furthermore, their scheme does not provide patient untraceability. We then, propose an improvement of Lu et al.’s scheme. We have analyzed the security of improved scheme using popular automated tool ProVerif. The proposed scheme while retaining the plusses of Lu et al.’s scheme is also robust against known attacks.
Similar content being viewed by others
References
Jiang, Q., Ma, J., Ma, Z., and Li, G., A privacy enhanced authentication scheme for telecare medical information systems. J. Med. Syst. 37(1), 2013. doi:10.1007/s10916-012-9897-0.
Wei, J., Hu, X., and Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3597–3604, 2012. doi:10.1007/s10916-012-9835-1.
Wu, S., and Chen, K., An efficient key-management scheme for hierarchical access control in e-medicine system. J. Med. Syst. 36(4):2325–2337, 2012.
Irshad, A., Sher, M., Rehman, E., Ch, S. A., Hassan, M. U., and Ghani, A., A single round-trip sip authentication scheme for voice over internet protocol using smart card. Multimedia Tools and Applications 74(11): 3967–3984, 2015. doi:10.1007/s11042-013-1807-z.
Mehmood, Z., uddin, N., Ch, S. A., Nasar, W., and Ghani, A., An efficient key agreement with rekeying for secured body sensor networks. In: Digital Information Processing and Communications (ICDIPC), 2012 Second International Conference on, IEEE, pp. 164–167, 2012.
Liao, Y.-P., and Wang, S.-S., A new secure password authenticated key agreement scheme for sip using self-certified public keys on elliptic curves. Comput. Commun. 33(3):372–380, 2010.
Chaudhry, S. A., Comment on ‘robust and efficient password authenticated key agreement with user anonymity for session initiation protocol-based communications’. IET Commun 9(1):1034–1034, 2015.
Ul Amin, N., Asad, M., Din, N., and Ch, S. A., An authenticated key agreement with rekeying for secured body sensor networks based on hybrid cryptosystem. In: Networking, Sensing and Control (ICNSC), 2012 9th IEEE International Conference on, IEEE, pp. 118–121, 2012.
Debiao, H., Jianhua, C., and Jin, H., An id-based client authentication with key agreement protocol for mobile client–server environment on ecc with provable security. Information Fusion 13(3):223–230, 2012.
Islam, S., and Biswas, G., A more efficient and secure id-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. J. Syst. Softw. 84(11):1892–1898, 2011.
Islam, S., and Khan, M., Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J. Med. Syst. 38(10), 2014. doi:10.1007/s10916-014-0135-9.
Farash, M. S., Security analysis and enhancements of an improved authentication for session initiation protocol with provable security. Peer-to-Peer Networking and Applications,1–10, 2014. doi:10.1007/s12083-014-0315-x.
Farash, M. S., and Attari, M. A., A secure and efficient identity-based authenticated key exchange protocol for mobile client–server networks. J. Supercomput. 69(1):395–411, 2014.
Giri, D., Maitra, T., Amin, R., and Srivastava, P., An efficient and robust rsa-based remote user authentication for telecare medical information systems. J. Med. Syst. 39(1), 2015. doi:10.1007/s10916-014-0145-7.
Farash, M. S., and Attari, M. A., An enhanced and secure three-party password-based authenticated key exchange protocol without using server’s public-keys and symmetric cryptosystems. Information Technology And Control 43 (2):143–150, 2014.
Farash, M. S., An improved password-based authentication scheme for session initiation protocol using smart cards without verification table. Int. J. Commun. Syst., 2014. doi:10.1002/dac.2879.
Farash, M. S., and Attari, M. A., An efficient and provably secure three-party password-based authenticated key exchange protocol based on chebyshev chaotic maps. Nonlinear Dyn. 77(1-2):399–411, 2014.
Irshad, A., Sher, M., Faisal, M. S., Ghani, A., Ul Hassan, M., and Ch, S. A., A secure authentication scheme for session initiation protocol by using ecc on the basis of the tang and liu scheme. Secur. Commun. Netw. 7(8):1210–1218, 2014. doi:10.1002/sec.834.
Farash, M. S., Chaudhry, S. A., Heydari, M., Sajad Sadough, S. M., Kumari, S., and Khan, M. K., A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. Int. J. Commun. Syst., 2015. doi:10.1002/dac.3019.
Ch, S. A., Uddin, N., Sher, M., Ghani, A., Naqvi, H., and Irshad, A., An efficient signcryption scheme with forward secrecy and public verifiability based on hyper elliptic curve cryptography. Multimedia Tools and Applications 74(5):1711–1723, 2015. doi:10.1007/s11042-014-2283-9.
Wu, Z.-Y., Lee, Y.-C., Lai, F., Lee, H.-C., and Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1529–1535, 2012. doi:10.1007/s10916-010-9614-9.
Debiao, H., Jianhua, C., and Rui, Z., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1989–1995, 2012. doi:10.1007/s10916-011-9658-5.
Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6): 3833–3838, 2012. doi:10.1007/s10916-012-9856-9.
Wen, F., and Guo, D., An improved anonymous authentication scheme for telecare medical information systems. J. Med. Syst. 36(5):1–11, 2015. doi:10.1007/s10916-015-0244-0.
Xu, X., Zhu, P., Wen, Q., Jin, Z., Zhang, H., and He, L., A secure and efficient authentication and key agreement scheme based on ecc for telecare medicine information systems. J. Med. Syst. 38(1):1–7, 2013.
Chaudhry, S. A., Naqvi, H., Shon, T., Sher, M., and Farash, M. S., Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems. J. Med. Syst. 39(6).
Kumari, S., Khan, M. K., and Kumar, R., Cryptanalysis and improvement of a privacy enhanced scheme for telecare medical information systems. J. Med. Syst. 37(4), 2013. doi:10.1007/s10916-013-9952-5.
Khan, M. K., and Kumari, S., Cryptanalysis and improvement of an efficient and secure dynamic id-based authentication scheme for telecare medical information systems. Secur. Commun. Netw. 7(2):399–408, 2014. doi:10.1002/sec.791.
Messerges, T. S., Dabbish, E. A., and Sloan, R. H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
Kocher, P., Jaffe, J., and Jun, B., Differential power analysis. In: Advances in Cryptology CRYPTO 99, Springer, pp. 388–397 (1999)
Li, C.-T., and Hwang, M.-S., An efficient biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1):1–5, 2010.
He, D., and Wang, D., Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst. J. 4(1):253–264, 2014.
Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., and Khan, M. K., Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38 (6):1–12, 2014.
Li, X., Wen, Q., Li, W., Zhang, H., and Jin, Z., Secure privacy-preserving biometric authentication scheme for telecare medicine information systems. J. Med. Syst. 38(11):1–8, 2014.
Khan, M. K., Fingerprint biometric-based self-authentication and deniable authentication schemes for the electronic world. IETE Tech. Rev. 26(3):191–195, 2009.
Khan, M. K., and Zhang, J., An efficient and practical fingerprint-based remote user authentication scheme with smart cards. In: Information Security Practice and Experience, Springer, pp. 260–268 (2006)
Amin, R., and Biswas, G., A secure three-factor user authentication and key agreement protocol for tmis with user anonymity. J. Med. Syst. 39(8):1–19, 2015.
Amin, R., and Biswas, G., An improved RSA based user authentication and session key agreement protocol usable in TMIS. J. Med. Syst. 39(8):1–14, 2015.
Amin, R., and Biswas, G., A novel user authentication and key agreement protocol for accessing multi-medical server usable in TMIS. J. Med. Syst. 39(3):1–17, 2015.
Awasthi, A. K., and Srivastava, K., A biometric authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 37(5):1–4, 2013.
Tan, Z., A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J. Med. Syst. 38(3):1–9, 2014.
Arshad, H., and Nikooghadam, M., Three-factor anonymous authentication and key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(12):1–12, 2014.
Lu, Y., Li, L., Peng, H., and Yang, Y., An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. J. Med. Syst. 39(3):1–8, 2015.
Jin, A. T. B., Ling, D. N. C., and Goh, A., Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recogn. 37(11):2245–2255, 2004.
Lumini, A., and Nanni, L., An improved biohashing for human authentication. Pattern Recogn. 40(3): 1057–1065 , 2007.
Leng, L., Teoh, A. B. J., Li, M., and Khan, M. K., A remote cancelable palmprint authentication protocol based on multi-directional two-dimensional palmphasor-fusion. Secur. Commun. Netw. 7(11):1860–1871, 2014.
Leng, L., and Teoh, A. B. J., Alignment-free row-co-occurrence cancelable palmprint fuzzy vault. Pattern Recogn. 48(7):2290–2303, 2015.
Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M. K., and Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5):1–11, 2014.
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., and Shalmani, M., On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme. In: Wagner, D. (Ed.) Advances in Cryptology, CRYPTO 2008, Vol. 5157 of Lecture Notes in Computer Science, pp. 203–220. Berlin Heidelberg: Springer, 2008. doi:10.1007/978-3-540-85174-5_12
Chaudhry, S. A., Naqvi, H., Sher, M., Farash, M. S., and ul Hassan, M., An improved and provably secure privacy preserving authentication protocol for SIP. Peer-to-Peer Networking and Applications, 2015. doi:10.1007/s12083-015-0400-9.
Kumari, S., Chaudhry, S. A., Wu, F., Li, X., Farash, M. S., and Khan, M. K., An improved smart card based authentication scheme for session initiation protocol. Peer-to-Peer Networking and Applications, 2015. doi:10.1007/s12083-015-0409-0.
Dolev, D., and Yao, A. C., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.
Cao, X., and Zhong, S., Breaking a remote user authentication scheme for multi-server architecture. IEEE Commun. Lett. 10(8):580–581, 2006.
Abadi, M., Blanchet, B., and Comon-Lundh, H., Models and proofs of protocol security: A progress report. In: Computer Aided Verification, Springer, pp. 35–49, 2009.
Chaudhry, S. A., Farash, M. S., Naqvi, H., and Sher, M., A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography. Electron. Commer. Res., 1–27, 2015. doi:10.1007/s10660-015-9192-5.
Chaudhry, S. A., Farash, M. S., Naqvi, H., Kumari, S., and Khan, M. K., An enhanced privacy preserving remote user authentication scheme with provable security. Secur. Commun. Netw., 1–13, 2015. doi:10.1002/sec.1299.
Xie, Q., Hu, B., Dong, N., and Wong, D. S., Anonymous three-party password-authenticated key exchange scheme for telecare medical information systems. PloS one 9(7):e102747, 2014.
Acknowledgments
Authors extend their sincere appreciations to the Deanship of Scientific Research at King Saud University for its funding this Prolific Research Group (PRG-1436-16) 2. Authors would also like to thank Prof. Muhammad Arshad Zia, anonymous reviewers and the guest editor Prof. Mu-Yen Chen for their valuable and constructive comments.
Author information
Authors and Affiliations
Corresponding author
Additional information
This article is part of the Topical Collection on Smart Living in Healthcare and Innovations
Rights and permissions
About this article
Cite this article
Chaudhry, S.A., Mahmood, K., Naqvi, H. et al. An Improved and Secure Biometric Authentication Scheme for Telecare Medicine Information Systems Based on Elliptic Curve Cryptography. J Med Syst 39, 175 (2015). https://doi.org/10.1007/s10916-015-0335-y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10916-015-0335-y