Abstract
The deployment of telecare medical information systems (TMIS) over public networks gives rise to the threat of exposing sensitive medical information to illegal entities. Although a number of three-factor authentication (3FA) schemes have been developed to address this challenge, most of them have been found to be flawed. Understanding the security and privacy failures of authentication protocols is a prerequisite to both fixing existing protocols and designing future ones. In this paper, we investigate the 3FA protocol of Lu et al. for TMIS (J Med Syst 39:32, 2015) and reveal that it cannot achieve the claimed security and privacy goals. (1) It fails to provide anonymity and untraceability, and is susceptible to the following attacks targeting user privacy: identity revelation attack, identity guessing attack and tracking attack. (2) It is susceptible to offline password guessing attack, user impersonation attack, and server impersonation attack. We then present an improved 3FA scheme and show, using the formal verification tool ProVerif, that the new scheme fulfills session key secrecy and mutual authentication. Moreover, a detailed heuristic security analysis is presented to demonstrate that our new scheme is capable of withstanding various attacks and provides the desired security features. Additionally, performance analysis shows that our proposed protocol is a practical solution for TMIS.
References
Amin R, Biswas GP (2015) A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity. J Med Syst 39:78
Arshad H, Nikooghadam M (2014) Three-factor anonymous authentication and key agreement scheme for Telecare medicine information systems. J Med Syst 38:136
Arshad H, Nikooghadam M (2015) Security analysis and improvement of two authentication and key agreement schemes for session initiation protocol. J Supercomput 71:3163–3180
Awasthi AK, Srivastava K (2013) A biometric authentication scheme for telecare medicine information systems with nonce. J Med Syst 37:9964. doi:10.1007/s10916-013-9964-1
Blanchet B (2001) An efficient cryptographic protocol verifier based on Prolog rules. In: Proceedings of CSFW’01. pp 82–96
Das AK (2015) A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems. J Med Syst 39:30
Das AK, Goswami A (2014) An enhanced biometric authentication scheme for telecare medicine information systems with nonce using chaotic hash function. J Med Syst 38:27
Farash MS, Attari MA (2014) An efficient client-client password-based authentication scheme with provable security. J Supercomput 70:1002–1022. doi:10.1007/s11227-014-1273-z
Fu Z, Sun X, Liu Q, Zhou L, Shu J (2015) Achieving Efficient Cloud Search Services: Multi-Keyword Ranked Search over Encrypted Cloud Data Supporting Parallel Computing. IEICE T Commun E98.B:190–200. doi:10.1587/transcom.E98.B.190
Fu Z, Huang F, Sun X, Vasilakos A, Yang C-N (2016a) Enabling semantic search based on conceptual graphs over encrypted outsourced data. IEEE Trans Serv Comput. doi:10.1109/TSC.2016.2622697
Fu Z, Ren K, Shu J, Sun X, Huang F (2016b) Enabling personalized search over encrypted outsourced data with efficiency improvement. IEEE Trans Parallel Distrib Syst 27:2546–2559
Fu Z, Wu X, Guan C, Sun X, Ren K (2016c) Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement. IEEE Trans Inf Forensics Secur 11:2706–2716
Guo D, Wen Q, Li W, Zhang H, Jin Z (2015) An improved biometrics-based authentication scheme for telecare medical information systems. J Med Syst 39:20
He DB, Wang D (2015) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9:816–823. doi:10.1109/Jsyst.2014.2301517
He DB, Kumar N, Chilamkurti N (2015) A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf Sci 321:263–277. doi:10.1016/j.ins.2015.02.010
He DB, Zeadally S, Kumar N, Lee J-H (2016) Anonymous authentication for wireless body area networks with provable security. IEEE Syst J. doi:10.1109/JSYST.2016.2544805
Jiang Q, Ma JF, Tian YL (2015) Cryptanalysis of smart-card-based password authenticated key agreement protocol for session initiation protocol of Zhang et al. Int J Commun Syst 28:1340–1351. doi:10.1002/dac.2767
Jiang Q, Ma JF, Wei FS, Tian YL, Shen J, Yang YY (2016a) An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks. J Netw Comput Appl 76:37–48. doi:10.1016/j.jnca.2016.10.001
Jiang Q, Wei FS, Fu S, Ma JF, Li GS, Alelaiwi A (2016b) Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy. Nonlinear Dynamics 83:2085–2101. doi:10.1007/s11071-015-2467-5
Jiang Q, Khan MK, Lu X, Ma JF, He DB (2016c) A privacy preserving three-factor authentication protocol for e-Health clouds. J Supercomput 72:3826–3849. doi:10.1007/s11227-015-1610-x
Jiang Q, Li B, Ma JF (2016d) On the security of three-factor authentication scheme for telecare medical information systems. In: International conference on broadband and wireless computing, communication and applications. pp 879–884
Jiang Q, Ma J, Wei F (2016e) On the security of a privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE Syst J. doi:10.1109/JSYST.2016.2574719
Jiang Q, Ma J, Yang C, Ma X, Shen J, Chaudhry SA (2017a) Efficient end-to-end authentication protocol for wearable health monitoring systems. Comput Electr Eng. doi:10.1016/j.compeleceng.2017.03.016
Jiang Q, Zeadally S, Ma JF, He DB (2017b) Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 5:3376–3392. doi:10.1109/Access.2017.2673239
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Advances in cryptology—CRYPTO’99. Springer, Berlin, Heidelberg, p 789
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24:770–772
Li SH, Wang CY, Lu WH, Lin YY, Yen DC (2012) Design and implementation of a telecare information platform. J Med Syst 36:1629–1650. doi:10.1007/s10916-010-9625-6
Li X, Wen Q, Li W, Zhang H, Jin Z (2014) Secure privacy-preserving biometric authentication scheme for telecare medicine information systems. J Med Syst 38:139
Li X, Wang KH, Shen J, Kumari S, Wu F, Hu YH (2016) An enhanced biometrics-based user authentication scheme for multi-server environments in critical systems. J Ambient Intell Humaniz Comput 7:427–443. doi:10.1007/s12652-015-0338-z
Lu Y, Li L, Peng H, Yang Y (2015) An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. J Med Syst 39:32. doi:10.1007/s10916-015-0221-7
Maitra T, Giri D (2014) An efficient biometric and password-based remote user authentication using smart card for Telecare medical information systems in multi-server environment. J Med Syst 38:142. doi:10.1007/s10916-014-0142-x
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51:541–552. doi:10.1109/Tc.2002.1004593
Mir O, van der Weide T, Lee CC (2015) A secure user anonymity and authentication scheme using AVISPA for telecare medical information systems. J Med Syst 39:89. doi:10.1007/s10916-015-0265-8
Mishra D, Mukhopadhyay S, Chaturvedi A, Kumari S, Khan MK (2014a) Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J Med Syst 38:24. doi:10.1007/s10916-014-0024-2
Mishra D, Mukhopadhyay S, Kumari S, Khan MK, Chaturvedi A (2014b) Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J Med Syst 38:41. doi:10.1007/s10916-014-0041-1
Nikooghadam M, Jahantigh R, Arshad H (2017) A lightweight authentication and key agreement protocol preserving user anonymity. Multimed Tools Appl 76:13401–13423
O’Gorman L (2003) Comparing passwords, tokens, and biometrics for user authentication. Proc IEEE 91:2021–2040
Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10:1953–1966
Ren YJ, Shen J, Zheng YH, Wang J, Chao HC (2016) Efficient data integrity auditing for storage security in mobile health cloud. Peer Peer Netw Appl 9:854–863
Shen J, Tan HW, Moh S, Chung I, Liu Q, Sun XM (2015) Enhanced secure sensor association and key management in wireless body area networks. J Commun Netw 17:453–462. doi:10.1109/Jcn.2015.000083
Tan Z (2013) An efficient biometrics-based authentication scheme for telecare medicine information systems. Network 2:200–204
Tan Z (2014) A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J Med Syst 38:16. doi:10.1007/s10916-014-0016-2
Wang D, Wang P (2016) Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans Dependable Secure Comput. doi:10.1109/TDSC.2016.2605087
Wang D, He DB, Wang P, Chu CH (2015) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput 12:428–442. doi:10.1109/Tdsc.2014.2355850
Wei FS, Ma JF, Aijun G, et al. (2015) A provably secure three-party password authenticated key exchange protocol without using server’s public-keys and symmetric cryptosystems. Inf Technol Control 44:195–206
Wu F, Xu L (2013) Security analysis and improvement of a privacy authentication scheme for telecare medical information systems. J Med Syst 37:9958. doi:10.1007/s10916-013-9958-z
Wu F, Xu LL, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks. Comput Electr Eng 45:274–285. doi:10.1016/j.compeleceng.2015.02.015
Xia ZH, Wang XH, Sun XM, Wang Q (2016a) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans Parallel Distrib Syst 27:340–352. doi:10.1109/Tpds.2015.2401003
Xia ZH, Wang XH, Zhang L, Qin Z, Sun XM, Ren K (2016b) A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing. IEEE Trans Inf Forensics Secur 11:2594–2608
Xu L, Wu F (2015) Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care. J Med Syst 39:10
Yan X, Li W, Li P, Wang J, Hao X, Gong P (2013) A secure biometrics-based authentication scheme for telecare medicine information systems. J Med Syst 37(5):1–6
Acknowledgements
This work is supported by the National Natural Science Foundation of China (Program Nos. 61672413, U1405255, 61372075, 61672415, 61671360, 61472310), the Natural Science Basic Research Plan in Shaanxi Province of China (Program No. 2016JM6005), the Fundamental Research Funds for the Central Universities (Program Nos. JB161501, JBG161511), the China 111 Project (No. B16037), and the Open Research Program of Science and Technology on Communication Networks Laboratory.
Additional information
This is an extended full version of a conference paper published at BWCCA 2016 (Jiang et al. 2016d).
Cite this article
Jiang, Q., Chen, Z., Li, B. et al. Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems. J Ambient Intell Human Comput 9, 1061–1073 (2018). https://doi.org/10.1007/s12652-017-0516-2
DOI: https://doi.org/10.1007/s12652-017-0516-2