A Password-Based User Authentication Scheme for the Integrated EPR Information System
Cite this article as: Wu, Z., Chung, Y., Lai, F. et al. J Med Syst (2012) 36: 631. doi:10.1007/s10916-010-9527-7
With the rapid development of the Internet, digitization and electronic services are required in many applications of daily life. For e-medicine, establishing electronic patient records (EPRs) for all patients has become the top issue of the last decade. At the same time, constructing an integrated EPR information system covering all patients is beneficial: it gives medical institutions and academia most of a patient's information in detail, so that they can make correct clinical decisions and maintain and analyze patients' health. It also benefits doctors and scholars by providing record linkage for research, payment audits, and other services that will be developed and integrated into medicine. To prevent illegal access and the theft of information during transmission over the insecure Internet, we propose a password-based user authentication scheme suitable for information integration.
Keywords: E-medicine; Electronic patient records; Integrated EPR information system; Password; Authentication
Introduction
Recently, with the rapid development of the Internet, various application technologies are maturing and leading to digitization and electronic services in daily life, such as e-commerce, e-banking, e-government, e-society, and e-medicine. Most hospitals and medical institutes have developed electronic patient records (EPRs) for e-medicine during the last decade, and EPR technology remains one of the most active research topics in e-medicine [1–5].
Traditionally, the written medical record of the patient is the most important data for a doctor during consultations. Most major medical institutions around the world relied on paper and pen for recording patients' medical problems. Patients left their medical histories behind with each institution they visited, while the institutions retained the rights to their patients' records. Today, because medical records are not integrated and histories cannot be retrieved from other institutions, diagnoses are often delayed or made incorrectly. At the same time, medical resources are wasted on repeated rounds of exhaustive queries, tests, and diagnoses [1, 6, 7].
EPR’s goal is to record patients’ medical information and histories by digitizing them into a pile of electronic documents that can be stored, utilized, and modified. Not only do EPRs provide doctors with the usual diagnosis records, nursing records, reports, and other image records, but EPRs also provide patients with their complete and correct medical problems along with other functions such as medical alerts or reminders, clinical decision supports, and links to their medical support groups [1–3, 8].
The ultimate aim of EPRs is to allow the sharing of patients' medical histories scattered among medical institutions through the Internet. With comprehensive information in hand, a doctor in any medical institution can make the proper diagnosis and give the correct treatment at the patient's first visit. The buildup of EPRs clearly facilitates real-time diagnosis and correct treatment for each patient without the delay of rerunning tests for lack of information. At present, many organizations have drawn up protocols such as HL7 [5, 9, 10] and DICOM [11–14] for sharing patients' medical information. However, the establishment of medical information systems remains the core of future development. A feasible information system can supply electronic treatment services to medical users, for example conversion and integration of EPRs in different formats, extensive medical-history exchange services, and even translation services for medical records. Such supplementary electronic treatment services are highly recommended for future systems.
Obviously, security becomes a significant concern for the integrated EPR information system. Specifically, the main concern is how to ensure the privacy and security of information transmitted through the insecure Internet. User authentication schemes or secret-key distribution protocols are generally used to solve this kind of problem, because such protocols are regarded as the primary safeguards in networked electronic applications [7, 18–21]. Among them, the password-based mechanism is the most widely employed because of its efficiency [22–25]. Under such a mechanism, each user selects his own password and memorizes it, with no additional device needed for later authentication. Therefore, in this paper we propose an efficient password-based user authentication scheme suitable for the integrated EPR information system.
The rest of this paper is organized as follows. “Preliminary” introduces the corresponding techniques applied in our proposal. “The proposed scheme” illustrates the proposed password-based user authentication scheme. Security analyses are done in “Security analysis”, and finally, conclusions are drawn in “Conclusions”.
Preliminary
Our scheme employs three techniques from computer science: the smart card, the one-way hash function, and bitwise operations. They are explained below.
A smart card is a plastic card similar in size to a credit card or an ATM card, the difference being the additional integrated circuit (IC) chip on the smart card. Besides memory, this IC chip can compute and process data and perform statistical functions. The card can therefore store the cardholder's personal information, which in medicine means identity, password, secret values, prescriptions, and various personal diagnostic records; paired with the system, it can even provide calculating, integrating, and statistical functions. A smart card has the following characteristics:
- Includes a CPU and a preprogrammed Card Operating System (COS).
- Is capable of hierarchical access security control and information verification.
- Has larger memory storage than other cards, where information can be modified or deleted.
- Has higher security and cannot be easily replicated.
- Can operate off-line, thereby cutting down communication costs.
- Has encryption programs such as the Data Encryption Standard (DES) and RSA to provide active protection.
In sum, development of the smart card over the past decade has turned it into a widely applied technology in electronics.
A one-way hash function h has the following properties:
- h can be applied to a block of data of any size.
- h(x) is efficient to compute for any given x, so that both hardware and software implementations are practicable.
- The output of h has a fixed length regardless of the length of the input.
- For any given H, it is computationally infeasible to find x such that H = h(x). This is the one-way property.
- For any given block x, it is computationally infeasible to find y ≠ x satisfying h(y) = h(x). This is weak collision resistance.
- It is computationally infeasible to find any pair (x, y) such that h(x) = h(y). This is strong collision resistance.
A commonly used cryptographic hash function is the secure hash algorithm SHA-256, whose fixed-size output digest has a length of 256 bits. SHA-384 or SHA-512 can replace the recommended SHA-256 if security or efficiency concerns arise in the future.
Cryptosystems transform a plaintext into an unreadable ciphertext to prevent unauthorized disclosure. They can be classified into two main groups: symmetric and asymmetric cryptosystems. In a symmetric cryptosystem the parties share a secret (or session) key; for example, a requester and a server share a key and use it to encrypt messages sent over the Internet, and the receiver decrypts the message with the same session key. The Advanced Encryption Standard (AES), one of the most widely used symmetric cryptosystems today, has very strong security and good throughput, so it is recommended in many electronic applications, including e-medicine, for use with a proper secret (session) key to guarantee confidentiality and efficiency [4, 6, 29].
The proposed scheme
Our password-based user authentication scheme is composed of four phases: the registration phase, the login phase, the verification phase, and the password change phase. The main entities are the users and the remote server. Users are patients, physicians, doctors, nurses, or researchers. The remote server is a trusted center, the integrated EPR information system, which provides many services related to electronic patient records, such as integration, investigation, recording, modification, and maintenance. The system also restricts the rights to access and change records according to different levels; for example, only doctors can alter the relevant EPRs.
Notation defined and used in our scheme:

| Notation | Meaning |
|---|---|
| U | the medical service requester (user) |
| pw | the password of user U |
| ID | the identity of user U |
| S | the integrated EPR information system |
| h(∙) | a public one-way hash function |
| ⊕ | a bit-wise XOR operation |
Registration phase
- Step 1: U submits his own identity ID and the chosen password pw to S.
- Step 2: S checks the validity of ID and then computes the hash value v = h(K ⊕ ID), where K is the secret number belonging to S.
- Step 3: S finds an appropriate value N such that the sum v∙pw + N equals a constant secret value H. Then S computes s = h(pw || K), where || is the bit concatenation operator; for example, 0 || 1 becomes 01.
- Step 4: S personalizes U's medical smart card with the parameters [h(∙), N, s, pw]. The number s is protected by the smart card device, and no one except the card holder can obtain the value of s.
- Step 5: S returns the medical smart card to U through a secure channel.
Login phase
- Step 1: Choose a random number r1 and compute C1 = h(s || r1) and C2 = r1∙pw.
- Step 2: Retrieve the value N saved on the smart card and the user's ID, and pass them together with C1 and C2 to the remote integrated EPR information system S through the common network channel.
Verification phase
On receiving the login message (ID, N, C1, C2), S performs the following steps:
- Step 1: Check the validity of the user's identity ID. If the ID is legal, S accepts the service request; otherwise, the request is rejected.
- Step 2: Apply the secret values K and H it owns, together with the received N, to restore the user's password pw: compute v = h(K ⊕ ID), and pw = (H − N)∙v⁻¹.
- Step 3: Apply the restored pw to calculate the user-chosen random number r1′ through r1′ = pw⁻¹∙C2 = pw⁻¹∙pw∙r1. At the same time, compute the user's secret value s′ = h(pw || K).
- Step 4: Check whether h(s′ || r1′) equals C1. If the two values are the same, go to Step 5; otherwise, stop and reply with an error message to U.
- Step 5: Generate the message pair (a, b) for mutual authentication between S and U: a = r2 ⊕ h(s′), where r2 is a random number chosen by S, and b = h(pw || r2 || r1′).
- Step 6: Send (a, b) to U through the common network channel.
On receiving (a, b), U performs the following steps:
- Step 1: Restore the server-chosen random number r2′ through r2′ = a ⊕ h(s).
- Step 2: Verify whether b equals h(pw || r2′ || r1). If so, user U confirms that S is valid.
- Step 3: Send c = h(pw || r1 || r2′) back to server S for authentication of the other side.
Finally, S performs the following step:
- Step 1: Compare c with the computed value h(pw || r1′ || r2). If they are equal, U is authenticated and granted access to the services and resources of S. A session key sk = h(r1′ || r2) = h(r1 || r2′) is then generated and used for secure transmission in the operations that follow the mutual authentication.
Password change phase
- Step 1: U sends his identity ID, the old password pw, and the newly chosen password pwnew to the integrated EPR information system S through a secure channel.
- Step 2: S finds another appropriate N* such that v∙pwnew + N* equals the secret value H. Then S creates the new s = h(pwnew || K) and sends it together with N* to U through the secure channel.
Security analysis
A password-based user authentication scheme for an integrated EPR information system is effective when it can assure the system's security in terms of password protection, data transmission, user masquerading, and system spoofing. In other words, the scheme must resist various malicious attacks, including stolen-verifier attacks, on-line and off-line password guessing attacks, replay attacks, and server spoofing attacks. In this section we analyze each in detail and show how the proposed scheme satisfies the above security criteria.
Password protection
Passwords play a very important role for each user, whether doctor, nurse, patient, or scholar, in logging into the integrated EPR information system. Assuring the security of a password is the most crucial point in our security analysis. We therefore show that our password authentication scheme can withstand two kinds of attacks aimed at passwords: the stolen-verifier attack and the password guessing attack. The password guessing attack can further be classified into on-line and off-line attacks.
Stolen-verifier attacks mean that malicious insiders of a remote server are able to steal or modify users' legitimate passwords or the password-verification tables stored in the server's database. This attack would not succeed in our scheme because the password of a user is generated and verified on the fly by the server, using its secret value K, during the login phase. No passwords or verification tables have to be kept in the server's database; therefore, insiders cannot steal or modify the passwords.
On-line password guessing attacks mean that an attacker continuously guesses possible passwords and tries each of them to log into the server until he succeeds. In our scheme, such an attack is detected immediately. Suppose an eavesdropper attempts to identify the password of a legal user. He would guess a possible password and go through Step 1 of the login phase to obtain the corresponding parameters C1 and C2. However, the probability of guessing the correct password is only 2⁻ᵏ, where k is the length of the password. On the other hand, the server can rapidly detect this kind of attack by checking whether h(s || r1) equals C1. Generally, when the third guess goes wrong, the attacker is kicked out. Therefore, on-line password guessing attacks cannot work in our scheme.
Off-line password guessing attacks mean that an attacker uses intercepted information or self-generated parameters to guess the password of a specific user. To render this kind of attack ineffective, our scheme protects the password-related parameters, i.e. the random numbers r1 and r2 and the secret number s, with the cryptographic hash function. Now assume that an eavesdropper obtains the parameters C1, C2, or a, b, c from the login and verification phases. Without s, he cannot recover the right r1 from C1 = h(s || r1). Similarly, he is unable to guess the correct password pw from a = r2 ⊕ h(s), b = h(pw || r2 || r1), and c = h(pw || r1 || r2) without r1 and r2. Therefore, off-line password guessing attacks are withstood.
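The following is an added worked example, not the paper's own code: a self-contained Python model of the four phases from "The proposed scheme" together with the server-side failed-attempt counter from the on-line guessing analysis above. Because the paper does not fix these details, it assumes that v∙pw + N = H and the inverses v⁻¹ and pw⁻¹ are computed modulo a prime P, that the password and the random numbers are integers below P hashed as 32-byte strings, that h is SHA-256, and that the lockout after three wrong guesses is kept per ID. The class and function names, the identifier DOC-0001, and the sample passwords are constructed for this example.

```python
# Added worked model (not the paper's code) of the registration, login, verification and
# password change phases, plus the failed-attempt counter from the on-line guessing analysis.
# Assumptions: v*pw + N = H and the inverses v^-1, pw^-1 are taken modulo a prime P; integers
# are hashed as 32-byte big-endian strings; h is SHA-256; lockout is tracked per ID.
import hashlib
import secrets

P = (1 << 127) - 1       # assumed prime modulus for the relation v*pw + N = H
MAX_FAILED_LOGINS = 3    # "when the third guess goes wrong, the attacker would be kicked out"


def ib(x: int) -> bytes:
    """Fixed-width integer encoding so that h(x || y) is unambiguous."""
    return x.to_bytes(32, "big")


def h(*parts: bytes) -> bytes:
    """Public one-way hash h(x1 || x2 || ...), SHA-256 as the paper recommends."""
    return hashlib.sha256(b"".join(parts)).digest()


class Server:
    """S, the integrated EPR information system: keeps only K and H, no password or verifier table."""

    def __init__(self):
        self.K = secrets.randbelow(P)
        self.H = secrets.randbelow(P)
        self.valid_ids = set()
        self.failures = {}   # ID -> consecutive failed logins
        self.pending = {}    # ID -> (pw, r1', r2) between Step 6 and the final check

    def _v(self, ID: bytes) -> int:
        """v = h(K XOR ID) reduced mod P (a zero v, probability ~2^-127, is bumped to stay invertible)."""
        return int.from_bytes(h(ib(self.K ^ int.from_bytes(ID, "big"))), "big") % P or 1

    def _card_values(self, ID: bytes, pw: int):
        N = (self.H - self._v(ID) * pw) % P    # N chosen so that v*pw + N = H
        return N, h(ib(pw), ib(self.K))        # s = h(pw || K)

    def register(self, ID: bytes, pw: int):
        """Registration Steps 2-5: returns (N, s) to personalise onto the smart card."""
        self.valid_ids.add(ID)
        return self._card_values(ID, pw)

    def change_password(self, ID: bytes, pw_old: int, pw_new: int):
        """Password change phase (secure channel): new N* and s; the paper leaves the pw_old check open."""
        return self._card_values(ID, pw_new) if ID in self.valid_ids else None

    def verify_login(self, ID: bytes, N: int, C1: bytes, C2: int):
        """Verification Steps 1-6 on the server side: returns (a, b), or None on rejection."""
        if ID not in self.valid_ids or self.failures.get(ID, 0) >= MAX_FAILED_LOGINS:
            return None
        pw = (self.H - N) * pow(self._v(ID), -1, P) % P   # pw = (H - N) * v^-1
        r1 = pow(pw, -1, P) * C2 % P if pw else 0          # r1' = pw^-1 * C2
        s = h(ib(pw), ib(self.K))                          # s' = h(pw || K)
        if h(s, ib(r1)) != C1:                             # Step 4: h(s' || r1') must equal C1
            self.failures[ID] = self.failures.get(ID, 0) + 1
            return None
        self.failures[ID] = 0
        r2 = secrets.randbits(256)
        a = r2 ^ int.from_bytes(h(s), "big")               # a = r2 XOR h(s')
        b = h(ib(pw), ib(r2), ib(r1))                      # b = h(pw || r2 || r1')
        self.pending[ID] = (pw, r1, r2)
        return a, b

    def finish(self, ID: bytes, c: bytes):
        """Final server step: c must equal h(pw || r1' || r2); returns sk = h(r1' || r2) or None."""
        state = self.pending.pop(ID, None)
        if state is None:
            return None
        pw, r1, r2 = state
        return h(ib(r1), ib(r2)) if c == h(ib(pw), ib(r1), ib(r2)) else None


class SmartCard:
    """U's medical smart card holding [h(.), N, s, pw] from registration Step 4."""

    def __init__(self, ID: bytes, pw: int, N: int, s: bytes):
        self.ID, self.pw, self.N, self.s, self.r1 = ID, pw, N, s, None

    def login_message(self):
        """Login Steps 1-2: fresh r1, then (ID, N, C1 = h(s || r1), C2 = r1 * pw)."""
        self.r1 = secrets.randbelow(P - 1) + 1
        return self.ID, self.N, h(self.s, ib(self.r1)), self.r1 * self.pw % P

    def answer_challenge(self, a: int, b: bytes):
        """User Steps 1-3: recover r2', check b, return (c, sk); None means S failed the check."""
        r2 = a ^ int.from_bytes(h(self.s), "big")           # r2' = a XOR h(s)
        if b != h(ib(self.pw), ib(r2), ib(self.r1)):         # b must equal h(pw || r2' || r1)
            return None
        return h(ib(self.pw), ib(self.r1), ib(r2)), h(ib(self.r1), ib(r2))


def honest_login(S: Server, card: SmartCard):
    """One complete mutual authentication; returns (sk_user, sk_server) or None."""
    ID, N, C1, C2 = card.login_message()
    reply = S.verify_login(ID, N, C1, C2)
    answer = card.answer_challenge(*reply) if reply else None
    if answer is None:
        return None
    c, sk_user = answer
    return sk_user, S.finish(ID, c)
```

Running honest_login yields the same session key sk on both sides. A replayed (ID, N, C1, C2) still passes the Step 4 check and is answered with (a, b), exactly as the replay analysis below describes, but the final c check fails because the replayer does not know r1; and after three wrong guesses against an ID, verify_login refuses further attempts for that ID.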
Data transmission security
After a user logs into the remote integrated EPR information system successfully, another crucial security issue upon authentication arises, which is assuring data integrity and security during transmission. Safeguarding confidential data from revelation, modification, or deletion during its transmission is the major concern in this stage.
A session key is used in our scheme to protect the confidential data from being revealed, modified, or deleted during its transmission. The session key is generated via hashing two random numbers r1 and r2 after the verification process. All of the confidential data are encrypted by the session key, which means that without the session key, no attacker can eavesdrop, modify, or delete the transmitting data.
Furthermore, the session key in our scheme becomes invalid whenever the communication between the user and the integrated system server ends: the key has expired and is revoked, so it cannot be used any more. When the user enters the system again, a new session key is generated to encrypt his information during that communication. Therefore, it is very difficult for anyone to calculate any previous session key, even using all the information he knows.
Therefore, unless the user deliberately shares his session key with a third party, our scheme achieves the requirement of data transmission security with the help of the session key.
User masquerading detection
While password authentication is being processed, conspiring attackers may impersonate the identities of medical staff, patients, or researchers in order to pass the authentication phase and gain the right to access data in the remote integrated EPR information system. To prevent disclosure of users' private data, protocols must fend off replay attacks. A replay attack is a network attack in which a valid data transmission is maliciously repeated by an eavesdropper. Generally, the eavesdropper intercepts the data of a certain user and retransmits it to log into the integrated EPR information system by masquerading. To prevent such an attack, our scheme uses two fresh random values r1 and r2 during the login and verification phases. Suppose that an eavesdropper intercepts (ID, N, C1, C2) from the login phase and impersonates the legal user by replaying this message to the server. However, without knowing the random number r1, he cannot restore the correct r2 and compute c for server S; therefore he is unable to confirm his identity, even though he may have received the reply (a, b) in the verification phase. Therefore, replay attacks fail.
Actually, the password in our scheme is protected by the cryptographic hash function, and thus an attacker is unable to generate and interpret authentication messages correctly without the knowledge of a user’s password. It is obviously impossible for a person in our scheme to masquerade as a legitimate user to log into an integrated system server and acquire system services.
Server spoofing detection
Similar to “User masquerading detection”, an attack in which someone masquerades as the server to cheat users is another security concern. An attacker may impersonate the remote integrated EPR information system to carry out illegal, imperceptible authentication behavior and consequently obtain a user's private information from the transmitted data. This is known as a server spoofing attack.
There are two possible ways for a conspiring attacker to spoof users in our scheme. One is that the attacker obtains the secret values K and H of the remote system, after which he can impersonate the server; the other is that the attacker correctly guesses the password of a certain user, after which he can directly perform part of the server's steps without the secret values. However, the secret values K and H are never transmitted over a common network channel and are stored on the server computer's hard drive, which only the administrator has the right to control and access, so it is impossible for anyone to acquire them. In addition, the user's password is protected by the cryptographic hash function. Therefore, server spoofing attacks are detected and prevented.
Comparison with other related schemes
Table: comparison of the proposed scheme with Lu et al. (2008) and Wang et al. (2009) by computational operations in the registration phase, the login phase and the verification phase, and by the insecure attacks each scheme suffers.
Conclusions
In this paper, we propose a password-based user authentication scheme appropriate for the integrated EPR medical information system. We explained which security requirements EPR medical information systems need and showed how the proposed scheme satisfies them: password protection, data transmission security, user masquerading detection, and system spoofing detection. The scheme also resists several malicious attacks, including stolen-verifier attacks, on-line and off-line password guessing attacks, replay attacks, and server spoofing attacks. Our analyses show that the scheme is secure and efficient enough to be implemented in medical application environments.
This work was supported partially by National Science Council, Taiwan under Grants NSC 98-2221-E-029-025.