A Secure User Anonymity-Preserving Three-Factor Remote User Authentication Scheme for the Telecare Medicine Information Systems

Transactional Processing Systems
Part of the following topical collections:
  1. Transactional Processing Systems

Abstract

Recent advanced technology enables the telecare medicine information system (TMIS) for the patients to gain the health monitoring facility at home and also to access medical services over the Internet of mobile networks. Several remote user authentication schemes have been proposed in the literature for TMIS. However, most of them are either insecure against various known attacks or they are inefficient. Recently, Tan proposed an efficient user anonymity preserving three-factor authentication scheme for TMIS. In this paper, we show that though Tan’s scheme is efficient, it has several security drawbacks such as (1) it fails to provide proper authentication during the login phase, (2) it fails to provide correct updation of password and biometric of a user during the password and biometric update phase, and (3) it fails to protect against replay attack. In addition, Tan’s scheme lacks the formal security analysis and verification. Later, Arshad and Nikooghadam also pointed out some security flaws in Tan’s scheme and then presented an improvement on Tan’s s scheme. However, we show that Arshad and Nikooghadam’s scheme is still insecure against the privileged-insider attack through the stolen smart-card attack, and it also lacks the formal security analysis and verification. In order to withstand those security loopholes found in both Tan’s scheme, and Arshad and Nikooghadam’s scheme, we aim to propose an effective and more secure three-factor remote user authentication scheme for TMIS. Our scheme provides the user anonymity property. Through the rigorous informal and formal security analysis using random oracle models and the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is secure against various known attacks, including the replay and man-in-the-middle attacks. Furthermore, our scheme is also efficient as compared to other related schemes.

Keywords

Telecare medicine information systems Fuzzy extractor Biometrics Password User anonymity AVISPA Security 

Notes

Acknowledgments

The author would like to acknowledge the helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.

References

  1. 1.
    An, Y., Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards. J. Biomed. Biotechnol. 2012:1–6, 2012. Article ID 519723.CrossRefGoogle Scholar
  2. 2.
    Arshad, H., and Nikooghadam, M., Three-Factor Anonymous Authentication and Key Agreement Scheme for Telecare Medicine Systems Information. J. Med. Syst. 38(6):1–12, 2014.Google Scholar
  3. 3.
    AVISPA: Automated Validation of Internet Security Protocols and Applications. Accessed on January 2013. http://www.avispa-project.org/
  4. 4.
    AVISPA: AVISPA Web Tool. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/
  5. 5.
    Awasthi, A.K., and Srivastava, K., A Biometric Authentication Scheme for Telecare Medicine Information Systems with Nonce. J. Med. Syst. 37(5):1–4, 2013.CrossRefGoogle Scholar
  6. 6.
    Basin, D., Modersheim, S., Vigano, L., OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.CrossRefGoogle Scholar
  7. 7.
    Burnett, A., Byrne, F., Dowling, T., Duffy, A., A Biometric Identity Based Signature Scheme. Int. J. Netw. Secur. 5(3):317–326, 2007.Google Scholar
  8. 8.
    Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Security and Communication Networks, 2014. doi: 10.1002/sec.1140.
  9. 9.
    Chatterjee, S., Das, A.K., Sing, J.K., An Enhanced Access Control Scheme in Wireless Sensor Networks. Ad Hoc & Sensor Wireless Networks 21(1–2):121–149, 2014.Google Scholar
  10. 10.
    Chen, B.-L., Kuo, W.-C., Wuu, L.-C., Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2):377–389, 2014.CrossRefGoogle Scholar
  11. 11.
    Chuang, Y.-H., and Tseng, Y.-M., An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int. J. Netw. Manag. 20(4):167–180, 2010.Google Scholar
  12. 12.
    Das, A.K., Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.CrossRefGoogle Scholar
  13. 13.
    Das, A.K., A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Netw. Sci. 2(1–2):12–27, 2013.CrossRefGoogle Scholar
  14. 14.
    Das, A.K., Chatterjee, S., Sing, J.K., A novel efficient access control scheme for large-scale distributed wireless sensor networks. Int. J. Found. Comput. Sci. 24(5):625–653, 2013.CrossRefMATHMathSciNetGoogle Scholar
  15. 15.
    Das, A.K., and Goswami, A., A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care. J. Med. Syst. 37(3):1–16, 2013.CrossRefGoogle Scholar
  16. 16.
    Das, A.K., and Goswami, A.: A robust anonymous biometric-based remote user authentication scheme using smart cards. Journal of King Saud University - Computer and Information Sciences (Elsevier). In Press (2014)Google Scholar
  17. 17.
    Das, A.K., Massand, A., Patil, S., A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University - Comput. Inform. Sci. 25(2):219–228, 2013.CrossRefGoogle Scholar
  18. 18.
    Das, A.K., Paul, N.R., Tripathy, L., Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem . Inf. Sci. 209(C):80–92, 2012.CrossRefMATHMathSciNetGoogle Scholar
  19. 19.
    Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt’04), LNCS, Vol. 3027, pp. 523–540 (2004)Google Scholar
  20. 20.
    Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.CrossRefMATHMathSciNetGoogle Scholar
  21. 21.
    Giri, D., Maitra, T., Amin, R., Srivastava, P.D., An efficient and robust rsa-based remote user authentication for systems telecare medical information. J. Med. Syst. 39(1):1–9, 2014.Google Scholar
  22. 22.
    He, D., Chen, J., Zhang, R., A More Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1989–1995, 2012.CrossRefGoogle Scholar
  23. 23.
    He, D., Kumar, N., Lee, J.-H., Sherratt, R.S., Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.CrossRefGoogle Scholar
  24. 24.
    Islam, S.H., and Biswas, G.P., A provably secure identity-based strong designated verifier proxy signature scheme from pairings bilinear. Journal of King Saud University - Comput. Inform. Sci. 26(1):55–67, 2014.CrossRefGoogle Scholar
  25. 25.
    Islam, S.K.H., and Khan, M.K., Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J. Med. Syst. 38(10):1–16, 2014.CrossRefGoogle Scholar
  26. 26.
    Khan, M.K., and Kumari, S., Cryptanalysis and improvement of an efficient and secure dynamic id-based authentication scheme for telecare medical information systems. Security and Communication Networks 7(2):399–408, 2014.CrossRefGoogle Scholar
  27. 27.
    Koblitz, N., Elliptic Curves Cryptosystems. Math. Comput. 48:203–209, 1987.CrossRefMATHMathSciNetGoogle Scholar
  28. 28.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, pp. 388–397 (1999)Google Scholar
  29. 29.
    Kumari, S., Khan, M.K., Kumar, R., Cryptanalysis and improvement of a privacy enhanced scheme for telecare medical information systems. J. Med. Syst. 37(4):1–11, 2013.CrossRefGoogle Scholar
  30. 30.
    Lee, C.-C., and Hsu, C.-W., A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 71(1–2):201–211, 2013.CrossRefMathSciNetGoogle Scholar
  31. 31.
    Lee, C.-C., Li, C.-T., Chiu, S.-T., Lai, Y.-M., A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn.,1–11, 2014. doi: 10.1007/s11071-014-1827-x.
  32. 32.
    Lee, T.-F., and Liu, C.-M., A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 37(3):1–8 , 2013.Google Scholar
  33. 33.
    Li, C.-T., and Hwang, M.-S., An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1):1–5, 2010.CrossRefGoogle Scholar
  34. 34.
    Li, X., Niu, J.-W., Ma, J., Wang, W.-D., Liu, C.-L., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 34(1):73–79, 2011.CrossRefMATHGoogle Scholar
  35. 35.
    Maitra, T., and Giri, D., An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):1–19, 2014.CrossRefGoogle Scholar
  36. 36.
    Massey, T., Marfia, G., Stoelting, A., Tomasi, R., Spirito, M.A., Sarrafzadeh, M., Pau, G., Leveraging Social System Networks in Ubiquitous High-Data-Rate Health Systems. IEEE Trans. Inf. Technol. Biomed. 15(3):491–498, 2011.CrossRefGoogle Scholar
  37. 37.
    Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.CrossRefMathSciNetGoogle Scholar
  38. 38.
    Mishra, D., On the security flaws in id-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1):1–16, 2015.CrossRefGoogle Scholar
  39. 39.
    Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M.K., Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38(6):1–12, 2014.CrossRefGoogle Scholar
  40. 40.
    Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5): 1–11, 2014.CrossRefGoogle Scholar
  41. 41.
    Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(10):1–10, 2014.CrossRefGoogle Scholar
  42. 42.
    Odelu, V., Das, A.K., Goswami, A., An Effective and Secure Key-Management Scheme for Hierarchical Access Control in E-Medicine System. J. Med. Syst. 37(2):1–18, 2013.CrossRefGoogle Scholar
  43. 43.
    Odelu, V., Das, A.K., Goswami, A., A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Inf. Sci. 269(C):270–285, 2014.CrossRefMathSciNetGoogle Scholar
  44. 44.
    Odelu, V., Das, A.K., Goswami, A., A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 2014. doi: 10.1002/sec.1139.
  45. 45.
    Patel, M., and Wang, J., Applications, challenges, and prospective in emerging body area networking technologies. IEEE Wirel. Commun. 17(1):80–88, 2010.CrossRefGoogle Scholar
  46. 46.
    Sarkar, P., A Simple and Generic Construction of Authenticated Encryption with Associated Data. ACM Trans. Inf. Syst. Secur. 13(4):1–16, 2010.CrossRefGoogle Scholar
  47. 47.
    Siddiqui, Z., Abdullah, A.H., Khan, M.K., Alghamdi, A., Smart environment as a service: Three factor cloud based user authentication for telecare medical information system. J. Med. Syst. 38(1):1–14, 2013.Google Scholar
  48. 48.
    Stallings, W., Cryptography and Network Security: Principles and Practices. 3rd edition: Pearson Education India, 2003.Google Scholar
  49. 49.
    Stinson, D.R., Some Observations on the Theory of Cryptographic Hash Functions. Des. Codes Crypt. 38(2):259–277 , 2006.CrossRefMATHMathSciNetGoogle Scholar
  50. 50.
    Tan, Z., An efficient biometrics-based authentication scheme for telecare medicine information systems. Przegl. Elctrotech. 89(5):200–204, 2013.Google Scholar
  51. 51.
    Tan, Z., A User Anonymity Preserving Three-Factor Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(3):1–9, 2014.CrossRefGoogle Scholar
  52. 52.
    Tang, H., and Liu, X., Cryptanalysis of a dynamic ID-based remote user authentication with key agreement scheme. Int. J. Commun. Syst. 25(12):1639–1644, 2012.CrossRefGoogle Scholar
  53. 53.
    von Oheimb, D.: The high-level protocol specification language hlpsl developed in the eu project avispa. In: Proceedings of APPSEM 2005 Workshop (2005)Google Scholar
  54. 54.
    Wei, J., Hu, X., Liu, W., An Improved Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6):3597–3604, 2012.CrossRefGoogle Scholar
  55. 55.
    Wu, Z.Y., Lee, Y.-C., Lai, F., Lee, H.-C., Chung, Y.-F., A Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1529–1535, 2012.CrossRefGoogle Scholar
  56. 56.
    Xie, Q., A new authenticated key agreement for session initiation protocol. Int. J. Commun. Syst. 25(1):47–54, 2012.CrossRefGoogle Scholar
  57. 57.
    Yan, H., Huo, H., Xu, Y., Gidlund, M., Wireless sensor network based E-health system implementation and experimental results. IEEE Trans. Consum. Electron. 56(4):2288–2295, 2010.CrossRefGoogle Scholar
  58. 58.
    Yan, X., Li, W., Li, P., Wang, J., Hao, X., Gong, P., A secure biometrics-based authentication scheme for telecare medicine information systems. J. Med. Syst. 37(5):1–6, 2013.CrossRefMATHGoogle Scholar
  59. 59.
    Yang, H., Kim, H., Mtonga, K., An efficient privacy-preserving authentication scheme with adaptive key evolution in remote health monitoring system. Peer-to-Peer Networking and Applications, 1–11, 2014. doi: 10.1007/s12083-014-0299-6.
  60. 60.
    Zhu, Z., An Efficient Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6): 3833–3838, 2012.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.Center for SecurityTheory and Algorithmic Research International Institute of Information TechnologyHyderabadIndia

Personalised recommendations