A Secure User Anonymity-Preserving Three-Factor Remote User Authentication Scheme for the Telecare Medicine Information Systems
Abstract
Recent advances in technology enable the telecare medicine information system (TMIS) to give patients a health monitoring facility at home and access to medical services over the Internet or mobile networks. Several remote user authentication schemes have been proposed in the literature for TMIS. However, most of them are either insecure against various known attacks or inefficient. Recently, Tan proposed an efficient user anonymity preserving three-factor authentication scheme for TMIS. In this paper, we show that although Tan’s scheme is efficient, it has several security drawbacks: (1) it fails to provide proper authentication during the login phase, (2) it fails to correctly update a user’s password and biometric during the password and biometric update phase, and (3) it fails to protect against the replay attack. In addition, Tan’s scheme lacks formal security analysis and verification. Later, Arshad and Nikooghadam also pointed out some security flaws in Tan’s scheme and presented an improvement on it. However, we show that Arshad and Nikooghadam’s scheme is still insecure against the privileged-insider attack through the stolen smart-card attack, and it also lacks formal security analysis and verification. In order to withstand the security loopholes found in both Tan’s scheme and Arshad and Nikooghadam’s scheme, we propose an effective and more secure three-factor remote user authentication scheme for TMIS. Our scheme provides the user anonymity property. Through rigorous informal and formal security analysis using the random oracle model and the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is secure against various known attacks, including the replay and man-in-the-middle attacks. Furthermore, our scheme is also efficient compared to other related schemes.
Keywords
Telecare medicine information systems; Fuzzy extractor; Biometrics; Password; User anonymity; AVISPA; Security
Introduction
The rapid development of modern information and communication technologies makes people’s daily lives much easier worldwide. It has also created new circumstances at all levels of the social environment [59]. Consider a healthcare system in which sensors and data links offer the potential for constant monitoring of a patient’s symptoms and needs. It enables doctors, nurses and other medical staff to diagnose and monitor the patient’s health problems in real time, whether the patient is at home or outdoors [36, 45, 57].
In a telecare medical information system (TMIS), patients can send health-related information or use portals for health monitoring and healthcare-related services over the Internet or mobile networks. If a patient has to travel to a hospital, the patient’s expenses, such as travel cost and hospitalization time, are considerable. In order to reduce these significantly, patients can easily use a TMIS to access healthcare delivery services. Since the telecare server keeps the electronic medical records of all registered users of the hospitals, a TMIS can help physicians make more comprehensive decisions via the cooperation of physicians in different places. The wireless mobile telecommunications of a TMIS usually operate in open environments. As a result, security becomes a significant concern in TMIS. Thus, an ideal secure authentication scheme is required to guarantee that only authorized (legal) users are able to access the services of the TMIS or the network.
- Biometric keys cannot be lost or forgotten.
- Biometric keys are very difficult to copy or share.
- Biometric keys are extremely hard to forge or distribute.
- Biometric keys cannot be guessed easily.
- One person’s biometrics are no easier to break than another’s.
In recent years, several user authentication schemes have been proposed [5, 10, 21, 22, 25, 26, 29, 32, 35, 38, 39, 40, 41, 47, 50, 51, 52, 54, 55, 56, 60]. Most of them are either insecure against different attacks or inefficient. Wu et al. [55] proposed a password-based authentication scheme for TMIS. Later, He et al. [22] pointed out that Wu et al.’s scheme is insecure against impersonation and insider attacks, and they proposed an efficient solution to overcome the security weaknesses found in Wu et al.’s scheme. However, Wei et al. [54] showed that both Wu et al.’s scheme and He et al.’s scheme fail to provide two-factor security. Again, Zhu [60] showed that Wei et al.’s scheme has some weaknesses. Tan [50] proposed a biometric-based user authentication scheme for TMIS. However, this scheme does not protect against the replay attack. Also, this scheme does not preserve user anonymity and it does not provide any formal security analysis. Mishra et al. [39] showed that Yan et al.’s scheme [58] is vulnerable to the off-line password guessing attack and does not provide the user anonymity property. Moreover, they pointed out that the login and password change phases are inefficient in Yan et al.’s scheme. In order to remove these weaknesses, they proposed an improved scheme for TMIS. Mishra et al. [40] further proposed an enhanced and efficient biometric-based authentication scheme for TMIS using nonces. Awasthi and Srivastava [5] proposed a three-factor authentication scheme for TMIS. In 2014, Tan [51] analyzed the security of Awasthi-Srivastava’s scheme [5] and showed that their scheme is insecure against the reflection attack. In addition, their scheme fails to provide three-factor security and user anonymity. Tan proposed an efficient user anonymity preserving authentication scheme for TMIS. Further, Arshad and Nikooghadam [2] enhanced the security of Tan’s scheme and proposed an improvement.
Mutual authentication. After a run of the protocol, the server should believe that the remote user is a legitimate registered client. The user should also believe that the communicating party is the server the user intended to log in to.
Server not knowing password and biometric. The registration center (server) should not have any information about the registered user’s password and personal biometrics. This is essential because, in real applications, several users may use the same password to access different servers. As a result, if a privileged insider of the registration center knows the password or biometrics of a user U_{i}, he/she may impersonate U_{i} to access the services of other servers.
Freedom of password and biometric update. A user should be allowed to change/update freely his/her password as well as biometric template without contacting the server. The server must be totally unaware of the change of the user’s password and biometric template.
Three-factor security. In the security model for three-factor authentication schemes, an adversary can have full control over the communication channel between the users and the server during the login phase and the authentication and key agreement phase. In the three-factor security adversary model, the adversary is modeled to have at most two of the following three abilities, but it is not allowed to have all the three abilities. The adversary can use the techniques in [28, 37] to extract the information from the smart card, obtain the password, or access the biometric template.
Threat model
We make use of the Dolev-Yao threat model [20], in which two parties communicate over an insecure channel. Any adversary (attacker or intruder) can eavesdrop on the messages transmitted over the public insecure channel and has the ability to modify, delete or change their contents. Usually the smart card of a user is equipped with tamper-resistant hardware. However, if a user’s smart card is stolen or lost, an attacker can still learn all the sensitive information stored in its memory by monitoring the power consumption of the smart card [28, 37].
Our contributions
We have revisited the recently proposed Tan’s scheme and identified that it has the following loopholes: (i) it fails to provide proper authentication during the login phase, (ii) it fails to correctly update a user’s password and biometric during the password and biometric update phase, (iii) it fails to protect against the replay attack, and (iv) it lacks formal security analysis and verification.
We have further shown that Arshad and Nikooghadam’s scheme fails to protect against the privileged-insider attack, and that their scheme also lacks formal security analysis and verification.
In order to withstand the security drawbacks found in both Tan’s scheme, and Arshad and Nikooghadam’s scheme, we have proposed a more efficient and secure three-factor user authentication scheme in TMIS.
Our scheme is shown to be secure against various known attacks through the rigorous informal and formal security analysis and verification using the widely-accepted AVISPA tool.
Our scheme is also efficient as compared to Tan’s scheme and other related schemes.
High security and computational efficiency make our scheme feasible for practical use in TMIS applications as compared to Tan’s scheme and other related schemes.
Organization of the paper
The remainder of this paper is organized as follows. In Section “Mathematical preliminaries”, we discuss some basic mathematical preliminaries, which are essential for describing and analyzing Tan’s scheme [51], Arshad and Nikooghadam’s scheme [2] as well as our proposed scheme. In Section “Review and cryptanalysis of Tan’s scheme, and Arshad and Nikooghadam’s scheme”, we give an overview of the recently proposed Tan’s scheme. In Section “The proposed scheme”, we present the various phases of our scheme. In Section “Security analysis of the proposed scheme”, we show that our scheme is secure against various known attacks. In the next section, we simulate our scheme for formal security verification using the widely-accepted AVISPA tool in order to show that our scheme is secure. We compare the performance of our scheme with other related schemes in Section “Simulation for formal security verification of our scheme using AVISPA tool”. In the final section, we conclude the paper.
Mathematical preliminaries
In this section, we briefly describe some mathematical preliminaries, which are essential for describing and analyzing Tan’s scheme [51], Arshad and Nikooghadam’s scheme [2] as well as our proposed scheme.
Collision-resistant one-way hash function
We give the formal definition of a one-way collision-resistant hash function as follows ([15, 46, 49]).
Definition 1 (Formal definition of one-way collision resistant hash function)
A collision-resistant one-way hash function h : A → B, where A = {0, 1}^{∗} and B = {0, 1}^{n}, is a deterministic algorithm that takes as input an arbitrary-length binary string x ∈ A and produces as output a binary string y ∈ B of fixed length n. Let \(Adv_{\mathcal {A}}^{HASH} (t_{1})\) denote an adversary (attacker) \(\mathcal {A}\)’s advantage in finding a collision. Then, we have \(Adv_{\mathcal {A}}^{HASH} (t_{1}) = Pr \left [(x, x^{\prime }) \Leftarrow _{R} \mathcal {A}: x \neq x^{\prime } \, \text {and} \, h(x) = h(x^{\prime })\right ]\), where Pr[E] denotes the probability of a random event E, and \(\left (x, x^{\prime }\right ) \Leftarrow _{R} \mathcal {A}\) denotes that the pair (x, x′) is selected randomly by \( \mathcal {A}\). In this case, the adversary \(\mathcal {A}\) is allowed to be probabilistic, and the probability in the advantage is computed over the random choices made by the adversary \(\mathcal {A}\) within execution time t_{1}. The hash function h(⋅) is then called collision-resistant if \(Adv_{\mathcal {A}}^{HASH}(t_{1}) \le \epsilon _{1}\), for any sufficiently small 𝜖_{1} > 0.
Key data extraction process from biometric template
We briefly describe the extraction of key data from a user’s biometric using a fuzzy extractor. The output of a conventional hash function h(⋅) is sensitive to its input and may return a completely different output even for a small variation in the input. Biometric information is prone to various kinds of noise during data acquisition, so the exact reproduction of the original biometric is hard in common practice. In order to avoid this problem, a fuzzy extractor [7, 19, 23] is used, which has the ability to extract a uniformly random string b and public information par from the biometric template B with error tolerance t. In the reproduction process, the fuzzy extractor recovers the original biometric key data b from a noisy biometric B′ using par and t. Let \(\mathcal {M} = \{0, 1\}^{v}\) be a finite v-dimensional metric space of biometric data points, \(d: \mathcal {M} \times \mathcal {M} \rightarrow \mathbb {Z}^{+}\) a distance function, which is used to calculate the distance between two points under the chosen metric, l the number of bits of the output string b_{i}, and t the error tolerance, where ℤ^{+} represents the set of all positive integers.
Definition 2
Gen: This probabilistic algorithm takes a biometric information \(B_{i} \in \mathcal {M}\) as input and outputs a secret key data b_{i} ∈ {0, 1}^{l} and a public reproduction parameter par_{i}, where Gen(B_{i}) = {b_{i}, par_{i}}.
Rep: This deterministic algorithm takes a noisy biometric information \(B_{i}^{\prime } \in \mathcal {M}\) and a public parameter par_{i} related to B_{i}, and then it reproduces (recovers) the biometric key data b_{i}. In other words, \(Rep\left (B_{i}^{\prime }, par_{i}\right ) = b_{i}\) provided that the condition \(d\left (B_{i},B_{i}^{\prime }\right ) \le t\) is satisfied.
For more detailed description of the fuzzy extractor and the extraction procedure, one can refer to [7, 19].
Elliptic curve over a prime field
Let a, b ∈ Z_{p}, where Z_{p} = {0, 1, … , p − 1} and p > 3 is a prime, such that 4a^{3} + 27b^{2} ≠ 0 (mod p). A non-singular elliptic curve y^{2} = x^{3} + ax + b over the finite field GF(p) is the set E_{p}(a, b) of all solutions (x, y) ∈ Z_{p} × Z_{p} to the congruence y^{2} = x^{3} + ax + b (mod p), together with a special point 𝓞 called the point at infinity or the zero point. If P = (x_{P}, y_{P}) and Q = (x_{Q}, y_{Q}) are two points in E_{p}(a, b), then P + Q = 𝓞 implies that x_{Q} = x_{P} and y_{Q} = −y_{P}, and P + 𝓞 = 𝓞 + P = P for all P ∈ E_{p}(a, b). In addition, E_{p}(a, b) forms an abelian (commutative) group under the addition operation modulo p.
Let G be a base point on E_{p}(a, b) whose order is n, that is, nG = G + G + … + G (n times) = 𝓞. If P = (x_{P}, y_{P}) and Q = (x_{Q}, y_{Q}) are two points on the elliptic curve y^{2} = x^{3} + ax + b (mod p) with P ≠ −Q, then R = (x_{R}, y_{R}) = P + Q is computed as follows ([27, 48]): x_{R} = (γ^{2} − x_{P} − x_{Q}) (mod p) and y_{R} = (γ(x_{P} − x_{R}) − y_{P}) (mod p), where \(\gamma = \left \{ \begin {array}{c} \frac {y_{Q}-y_{P}} {x_{Q}-x_{P}} (\text {mod}\,{p}), \text {if} \, P \neq Q \\ \frac {{3 x_{P}}^{2} + a} {2y_{P}} (\text {mod}\,{p}), \text {if} \, P = Q. \end {array} \right .\) Moreover, in elliptic curve cryptography, scalar multiplication is defined as repeated addition. For example, if P ∈ E_{p}(a, b), then 5P is computed as 5P = P + P + P + P + P (mod p).
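The addition, doubling and scalar multiplication formulas above, worked on a small constructed curve, as an added example that is not part of the paper. The curve y^{2} = x^{3} + 2x + 2 over GF(17) with base point (5, 1) is a toy choice for illustration only; the last function also checks the commutation X_{s}(r_{i}P) = r_{i}(X_{s}P) that the server relies on in step AK1.

```python
# Added example (not from the paper): elliptic-curve point arithmetic over GF(p)
# using exactly the gamma/x_R/y_R formulas in the text. Curve and base point are
# constructed toy values (p = 17), far too small for real use.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity O

P_MOD, A, B = 17, 2, 2  # toy parameters; 4a^3 + 27b^2 = 140 = 4 (mod 17), non-zero
G: Point = (5, 1)       # base point; its order on this curve is 19


def on_curve(pt: Point) -> bool:
    """Check the congruence y^2 = x^3 + ax + b (mod p); O is on the curve by definition."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt: Point) -> Point:
    """-P = (x_P, -y_P), so that P + (-P) = O."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P_MOD)


def add(P: Point, Q: Point) -> Point:
    """P + Q via the slope gamma from the text; division is a modular inverse."""
    if P is None:
        return Q
    if Q is None:
        return P
    xp, yp = P
    xq, yq = Q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return None  # Q = -P, so P + Q = O (also covers doubling a point with y = 0)
    if P != Q:
        gamma = (yq - yp) * pow(xq - xp, -1, P_MOD) % P_MOD
    else:
        gamma = (3 * xp * xp + A) * pow(2 * yp, -1, P_MOD) % P_MOD
    xr = (gamma * gamma - xp - xq) % P_MOD
    yr = (gamma * (xp - xr) - yp) % P_MOD
    return (xr, yr)


def scalar_mult_naive(k: int, pt: Point) -> Point:
    """kP as k repeated additions, as in the 5P = P + P + P + P + P illustration."""
    acc: Point = None
    for _ in range(k):
        acc = add(acc, pt)
    return acc


def scalar_mult(k: int, pt: Point) -> Point:
    """kP by double-and-add: same result as the naive form in O(log k) group operations."""
    acc: Point = None
    addend = pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def order_of(pt: Point) -> int:
    """Smallest n > 0 with nP = O (fine for a toy curve, not for real parameters)."""
    n, acc = 1, pt
    while acc is not None:
        acc = add(acc, pt)
        n += 1
    return n


def commutes(xs: int, r: int, base: Point) -> bool:
    """X_s(rP) == r(X_s P): the identity the server uses to recover R_2 in step AK1."""
    return scalar_mult(xs, scalar_mult(r, base)) == scalar_mult(r, scalar_mult(xs, base))
```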
The elliptic curve discrete logarithm problem (ECDLP) is formally defined as in [18] as follows.
Definition 3 (Formal definition of ECDLP)
Review and cryptanalysis of Tan’s scheme, and Arshad and Nikooghadam’s scheme
Table 1 Notations used in this paper
Symbol | Description |
---|---|
S_{j} | Telecare medicine information system server |
U_{i} | i^{th} user |
ID_{i} | Identity of user U_{i} |
PW_{i} | Password of user U_{i} |
B_{i} | Biometric information of U_{i} |
K | 1024-bit secret number known only to U_{i} |
h(⋅) | Collision-free one-way hash function |
X_{s} | 1024-bit secret master key of S_{j} |
Y | Public key of S_{j} |
p | A large prime number, or p = 2^{m} for some large integer m > 0 |
E_{p}(a, b) | An elliptic curve defined over the finite field GF(p) with parameters a and b such that 4a^{3} + 27b^{2} ≠ 0 (mod p) |
C ⊕ D | Bitwise XOR of data C with data D |
C||D | Concatenation of data C with data D |
Tan’s scheme consists of the four phases, namely the registration phase, the login phase, the authentication and key agreement phase, and the password and biometric update phase. At first, the telecare medicine information system server, S_{j} selects a master key \(X_{s} \in Z_{q}^{\ast }\) and a secure collision-resistant chaotic one-way hash function \(h: \{ 0, 1\}^{\ast } \rightarrow Z_{q}^{\ast }\). S_{j} then computes the system’s public key Y = X_{s}P and declares it as public.
Description of Tan’s scheme
Tan’s scheme consists of the following phases.
Registration phase
- Step 1.
The user U_{i} first selects an identity ID_{i}, a chosen password PW_{i}, a random secret number N, and imprints the biometric information B_{i} at a sensor. U_{i} then computes d = h(PW_{i}||B_{i}) ⊕ N and sends the message 〈ID_{i}, d〉 to the server S_{j} via a secure channel.
- Step 2.
When the server S_{j} receives the message in Step 1, it computes c = h(ID_{i}||X_{s}) ⊕ d and issues a smart card containing the information {c, P, q, Y, h(⋅)} to the user U_{i} via a secure channel.
- Step 3.
After receiving the smart card, the user U_{i} computes d_{1} = c ⊕ N and d_{2} = h(PW_{i}||B_{i}||ID_{i}), and then replaces c with (d_{1}, d_{2}) in the memory of the smart card. Note that N is not stored in the smart card.
Login phase
- Step 1.
The user U_{i} first inserts his/her smart card into a card reader, and then provides his/her identity ID_{i}, password PW_{i} and imprints the biometric information B_{i} at the sensor. The smart card computes \(d_{2}^{\ast } = h(PW_{i} || B_{i} || ID_{i})\) and checks the condition \(d_{2}^{\ast } = d_{2}\). If it holds, the smart card continues the next step. Otherwise, the smart card terminates the phase.
- Step 2.
The smart card chooses a random number \(r_{i} \in Z_{q}^{\ast }\) and then computes x_{i} = d_{1} ⊕ h(PW_{i} ⊕ B_{i}), R_{1} = r_{i}P, R_{2} = r_{i}Y, v_{i} = ID_{i} ⊕ h(R_{1}||R_{2}), and z_{i} = h(ID_{i}||v_{i}||R_{1}||R_{2}||x_{i}). Finally, the smart card sends the message 〈R_{1}, v_{i}, z_{i}〉 to the server S_{j}.
Authentication and key agreement phase
- Step 1.
After receiving the login message 〈R_{1}, v_{i}, z_{i}〉, the server S_{j} computes \(R_{2}^{\ast } = X_{s} R_{1}\), \(ID_{i}^{\ast } = v_{i} \oplus h\left (R_{1} || R_{2}^{\ast }\right )\), \(x_{i}^{\ast } = h\left (ID_{i}^{\ast } || X_{s}\right )\), and \(z_{i}^{\ast } = h\left (ID_{i}^{\ast } || v_{i} || R_{1} || R_{2}^{\ast } || x_{i}^{\ast }\right )\). After that S_{j} checks if \(z_{i}^{\ast } = z_{i}\) holds or not. If this verification passes, the server S_{j} authenticates the user U_{i}. Otherwise, S_{j} refuses the login request and the phase is terminated immediately.
- Step 2.
S_{j} then chooses a random number \(r \in Z_{q}^{\ast }\), computes R = rP, \(z = h\left (r R_{1} || R_{2}^{\ast } || R || x_{i}^{\ast }\right )\), and sends the message 〈R, z〉 to the user U_{i}. S_{j} also computes the session key shared with the user U_{i} as \(sk = h\left (r R_{1} || ID_{i} || R || x_{i}^{\ast }\right )\).
- Step 3.
After receiving the message in Step 2, the user U_{i} computes z^{∗} = h(r_{i}R||R_{2}||R||x_{i}) and checks the condition z^{∗} = z. If they match, U_{i} authenticates the server S_{j} and computes the same session key shared with the server S_{j} as sk = h(r_{i}R||ID_{i}||R||x_{i}).
Password and biometric update phase
- Step 1.
U_{i} first inserts his/her smart card into the card reader, then provides his/her identity ID_{i} and old password PW_{i}, imprints the biometric information B_{i} at the sensor, and issues an update request to the smart card. The smart card then computes \(d_{2}^{\ast } = h\left (PW_{i} || B_{i} || ID_{i}\right )\) and checks the condition \(d_{2}^{\ast } = d_{2}\). If it holds, the smart card continues this phase. Otherwise, the smart card refuses the update request.
- Step 2.
The smart card instructs the user U_{i} to choose his/her new password \(PW_{i}^{new}\) and imprint his/her new biometric template \(B_{i}^{new}\). The smart card then computes \(d_{1}^{new} = d_{1} \oplus h(PW_{i} \oplus B_{i}) \oplus h\left (PW_{i}^{new} \oplus B_{i}^{new}\right )\) and replaces the pair (d_{1}, d_{2}) with the computed pair \(\left (d_{1}^{new}, d_{2}^{new}\right )\).
Drawbacks of Tan’s scheme
In this section, we show that Tan’s scheme has the following security loopholes.
Fails to provide proper authentication during the login phase
It is known that the input biometric characteristic of the same person can be slightly different every time [12, 23, 34]. The output of a one-way hash function, including the chaotic one-way hash function, is sensitive to its input, and it may return a completely different output even for a small variation in the input. Biometric information B_{i} is prone to various kinds of noise during data acquisition, and thus the exact reproduction of the original biometric is hard in common practice. Suppose a user U_{i} enters his/her identity ID_{i} and correct password PW_{i}, and imprints the biometric \(B_{i}^{\ast }\), where we assume that \(B_{i}^{\ast }\) is slightly different from B_{i} at that time. The smart card then computes \(d_{2}^{\ast } = h(PW_{i} || B_{i}^{\ast } || ID_{i}) \neq h(PW_{i} || B_{i} || ID_{i})\), since \(B_{i}^{\ast } \neq B_{i}\). The smart card then checks the condition \(d_{2}^{\ast } = d_{2}\). Since it does not hold, the user’s biometric and password validations fail, and the session is terminated. As a result, a legal user may be unable to pass biometric and password verification in the login phase. Thus, Tan’s scheme fails to provide proper authentication during the login phase.
Fails to provide correct updation during the password and biometric update phase
This analysis is similar to the one above. Assume that the user U_{i} enters ID_{i} and the correct old password PW_{i}, and imprints his/her biometric template \(B_{i}^{\prime }\), which is slightly different from the B_{i} captured at registration time due to the nature of biometric templates. When the smart card computes \(d_{2}^{\prime } = h(PW_{i} || B_{i}^{\prime } || ID_{i})\) and checks the condition \(d_{2}^{\prime } = d_{2}\), the condition fails, since \(B_{i}^{\prime } \neq B_{i}\). As a result, the user U_{i} may never succeed in passing password and biometric verification because of the chaotic hash function h(⋅). Thus, the smart card will refuse the update request, and hence Tan’s scheme also fails to provide proper authentication during the password and biometric update phase.
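The failure mode described in the two analyses above, and the Gen/Rep remedy of Definition 2, as an added example that is not part of the paper: a toy code-offset fuzzy extractor over a binary repetition code shows that a raw hash d_{2} = h(PW_{i}||B_{i}||ID_{i}) rejects a fresh imprint that differs in a single bit, while Rep(B′_{i}, par_{i}) still recovers b_{i} as long as the Hamming distance is at most t. Template sizes, the repetition code and the simplified RPW_{i} = h(ID_{i}||PW_{i}) are constructed assumptions, not the paper’s construction.

```python
# Added example (not from the paper): toy code-offset fuzzy extractor (repetition
# code, Hamming metric) contrasted with a plain hash over the raw biometric.
import hashlib
import secrets
from typing import List, Tuple

L_BITS = 8          # length l of the extracted key data b_i (toy size)
REP = 7             # each key bit is repeated REP times in the codeword
T = (REP - 1) // 2  # error tolerance t: any <= T flipped bits are corrected
V = L_BITS * REP    # biometric template length v in bits (the metric space M)


def h(*parts: bytes) -> bytes:
    """Collision-resistant one-way hash h(.) over the concatenation of its parts."""
    return hashlib.sha256(b"||".join(parts)).digest()


def hamming(x: List[int], y: List[int]) -> int:
    """Distance function d(., .) on M."""
    return sum(a != b for a, b in zip(x, y))


def encode(b: List[int]) -> List[int]:
    return [bit for bit in b for _ in range(REP)]


def decode(c: List[int]) -> List[int]:
    """Majority vote inside each block of REP bits."""
    return [int(sum(c[i:i + REP]) > REP // 2) for i in range(0, len(c), REP)]


def gen(B: List[int]) -> Tuple[List[int], List[int]]:
    """Gen(B_i) -> (b_i, par_i): b_i is uniform, par_i = B_i XOR encode(b_i)."""
    b = [secrets.randbelow(2) for _ in range(L_BITS)]
    par = [x ^ y for x, y in zip(B, encode(b))]
    return b, par


def rep(B_noisy: List[int], par: List[int]) -> List[int]:
    """Rep(B'_i, par_i): equals b_i whenever d(B_i, B'_i) <= t."""
    return decode([x ^ y for x, y in zip(B_noisy, par)])


def flip_bits(B: List[int], positions: List[int]) -> List[int]:
    out = list(B)
    for i in positions:
        out[i] ^= 1
    return out


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(bits)


def tan_style_check(pw: bytes, B_imprint: List[int], ident: bytes, d2: bytes) -> bool:
    """Tan's login check: recompute d_2* = h(PW||B*||ID) over the raw template."""
    return h(pw, bits_to_bytes(B_imprint), ident) == d2


def fuzzy_check(pw: bytes, B_imprint: List[int], ident: bytes,
                par: List[int], f_stored: bytes) -> bool:
    """Fuzzy-extractor check: f' = h(RPW||Rep(B', par)) with RPW simplified to h(ID||PW)."""
    return h(h(ident, pw), bits_to_bytes(rep(B_imprint, par))) == f_stored


def demo() -> dict:
    ident, pw = b"alice", b"correct horse"
    B = [secrets.randbelow(2) for _ in range(V)]      # constructed enrolment template B_i
    B_noisy = flip_bits(B, [3])                       # fresh imprint with d(B_i, B'_i) = 1
    d2 = h(pw, bits_to_bytes(B), ident)               # what Tan's card stores at registration
    b, par = gen(B)                                   # what a fuzzy-extractor card derives
    f_i = h(h(ident, pw), bits_to_bytes(b))
    return {
        "distance": hamming(B, B_noisy),
        "raw_hash_check": tan_style_check(pw, B_noisy, ident, d2),
        "fuzzy_check": fuzzy_check(pw, B_noisy, ident, par, f_i),
        # T + 1 flips inside one block exceed the tolerance, so Rep returns a wrong b_i
        "beyond_t_recovers": rep(flip_bits(B, [0, 1, 2, 3]), par) == b,
    }
```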
Fails to protect against replay attack
Suppose an adversary intercepts the login request 〈R_{1}, v_{i}, z_{i}〉 during the login phase and sends the message \(\langle R_{1}^{\ast }, v_{i}^{\ast }, z_{i}^{\ast } \rangle = \langle R_{1}, v_{i}, z_{i} \rangle \) to the server S_{j} after some time. After receiving this message, S_{j} computes \(R_{2}^{\ast } = X_{s} R_{1}^{\ast }, ID_{i}^{\ast } = v_{i}^{\ast } \oplus h\left (R_{1}^{\ast } || R_{2}^{\ast }\right ), x_{i}^{\ast } = h\left (ID_{i}^{\ast } || X_{s}\right ),\) and \(z_{i}^{\ast \ast } = h\left (ID_{i}^{\ast } || v_{i}^{\ast } || R_{1}^{\ast } || R_{2}^{\ast } || x_{i}^{\ast }\right ) = h\left (ID_{i} || v_{i} || R_{1} || R_{2}^{\ast } || x_{i}^{\ast }\right )\). S_{j} then checks the condition \(z_{i}^{\ast \ast } = z_{i}^{\ast }\). Since it holds, S_{j} authenticates the user U_{i} and sends back the message 〈R, z〉 to the user U_{i}, where R = rP and \(z = h\left (r R_{1}^{\ast } || R_{2}^{\ast } || R || x_{i}^{\ast }\right )\). Thus, it is clear that the server S_{j} cannot detect whether the message \(\langle R_{1}^{\ast }, v_{i}^{\ast }, z_{i}^{\ast } \rangle \) is a replayed message or not. Hence, Tan’s scheme also fails to protect against the replay attack. Note that the classical methods for addressing the replay attack, such as the Needham-Schroeder-based approaches, can all address this attack.
Lack of formal security analysis and verification
Tan’s scheme contains only some informal security analysis and it lacks a rigorous formal security proof and formal security verification using some widely-accepted verification tool such as AVISPA tool [3].
Drawbacks of Arshad and Nikooghadam’s scheme
In this section, we show that Arshad and Nikooghadam’s scheme [2] has the following security loopholes.
Privileged-insider attack
During the registration phase of Arshad and Nikooghadam’s scheme, a user U_{i} inputs an identity ID_{i}, a password PW_{i}, and a random number N_{C}. After that he/she imprints his/her personal biometric B_{i} at a sensor, and then computes his/her masked password MPW_{i} as MPW_{i} = PW_{i} ⊕ N_{C} and his/her masked biometric MB_{i} as MB_{i} = B_{i} ⊕ N_{C}. Finally, U_{i} sends the registration request message 〈ID_{i}, MPW_{i}, MB_{i}〉 to the telecare server through a secure channel. At the end of the registration phase, after getting the smart card from the telecare server, U_{i} stores the random number N_{C} in his/her smart card.
Assume that the smart card of U_{i} is lost/stolen and a privileged-insider attacker of the telecare server attains this smart card. According to our threat model (provided in Section “Threat model”), the insider attacker can extract all the sensitive information stored in that smart card using the power analysis attacks [28, 37]. Hence, the attacker now knows N_{C}, and also the masked password MPW_{i} = PW_{i} ⊕ N_{C} and the masked biometric MB_{i} = B_{i} ⊕ N_{C} which were provided by the user U_{i} during the registration phase to the telecare server. Thus, the insider attacker can easily derive the password PW_{i} = MPW_{i} ⊕ N_{C} and also the biometric B_{i} = MB_{i} ⊕ N_{C}. This clearly shows that Arshad and Nikooghadam’s scheme is completely insecure against the privileged-insider attack.
Lack of formal security analysis and verification
Arshad and Nikooghadam’s scheme contains only some informal security analysis and it lacks a rigorous formal security proof and formal security verification using some widely-accepted verification tool such as AVISPA tool [3].
The proposed scheme
In this section, we describe the various phases of our scheme, which are given in the following subsections. We use the notations provided in Table 1 for describing our scheme.
Setup phase
- Step S1.
S_{j} first selects an elliptic curve E_{q}(a, b) with parameters: q is a large prime such that the elliptic curve discrete logarithm problem (ECDLP) becomes intractable, and a, b ∈ Z_{q} = {0, 1, … , q − 1} with the condition 4a^{3} + 27b^{2} ≠ 0 (mod q), such that the elliptic curve is non-singular.
- Step S2.
S_{j} then selects a base point P ∈ E_{q}(a, b), and a master secret key \(X_{s} \in Z_{q}^{\ast }\), where \(Z_{q}^{\ast } = \{a | 0 < a < q, \gcd (a,q) = 1\}\), that is, \(Z_{q}^{\ast } = \{1, 2, \ldots , q-1\}\).
- Step S3.
S_{j} also selects a secure collision-resistant one-way hash function \(h: \{ 0, 1\}^{\ast } \rightarrow Z_{q}^{\ast }\) and the fuzzy extractor functions Gen(⋅) and Rep(⋅), and then computes the public key Y = X_{s}P of the system.
- Step S4.
The secret key of S_{j} is X_{s}. The public parameters are {P, q, Y, h(⋅), Gen(⋅), Rep(⋅)}.
Registration phase
- Step R1.
The user U_{i} selects an identity ID_{i}, and chooses his/her password PW_{i}.
- Step R2.
U_{i} generates a 1024-bit secret number K and computes the masked password RPW_{i} = h(ID_{i}||K||PW_{i}).
- Step R3.
U_{i} imprints the biometric information B_{i} at a sensor and applies the fuzzy extractor to generate secret key b_{i} and a public parameter par_{i} as Gen(B_{i}) = (b_{i}, par_{i}), as in [16, 23].
- Step R4.
U_{i} computes f_{i} = h(RPW_{i}||b_{i}) and sends the registration request message 〈ID_{i}, f_{i}〉 to the server S_{j} via a secure channel.
- Step R5.
After receiving the message in Step R4, the server S_{j} computes e_{i} = h(ID_{i}||X_{s}) ⊕ f_{i}, using its own secret master key X_{s}, and received information ID_{i} and f_{i}. S_{j} then generates a smart card SC_{i} for the user U_{i} containing the information {P, q, Y, h(⋅), Gen(⋅), Rep(⋅), f_{i}, e_{i}, t, par_{i}}, where t is the error tolerance parameter used in fuzzy extractor, and sends it to the user U_{i} via a secure channel.
- Step R6.
After receiving the smart card SC_{i} from the server S_{j}, U_{i} computes d_{i} = h(ID_{i}||b_{i}) ⊕ K, and stores it into the smart card SC_{i}. As a result, the smart card SC_{i} of the user U_{i} finally contains the information {P, q, Y, h(⋅), Gen(⋅), Rep(⋅), f_{i}, e_{i}, t, par_{i}, d_{i}}.
Remark 1
Note that at the end of the registration phase of our scheme, the identity ID_{i}, password PW_{i} and biometric information B_{i} are not directly stored in the smart card SC_{i} of the user U_{i}. In addition, our scheme does not reveal the password PW_{i} or the biometric information B_{i} of the user U_{i} to the server S_{j} either. Thus, our scheme completely protects against the privileged-insider attack, owing to the collision-resistant property of the one-way hash function h(⋅) and the difficulty of solving the ECDLP. The details are explained in the analysis of the stolen smart card attack later in this paper.
Login phase
- Step L1.
U_{i} first inserts his/her smart card SC_{i} into a card reader. U_{i} then enters his/her identity ID_{i}, password PW_{i}, and imprints the biometric information B_{i} at the sensor. Note that if the user U_{i} plans to use a mobile device to login the telecare medicine system, U_{i} can then use the scan software of the mobile device in order to obtain B_{i}, and input {ID_{i}, PW_{i}, B_{i}} into the login interface of the system as described in Tan’s scheme [51].
- Step L2.
SC_{i} computes \(b_{i}^{\prime } = Rep(B_{i}, par_{i})\) using the imprint B_{i}, and the parameters t and par_{i} stored in its memory.
- Step L3.
SC_{i} computes \(K^{\prime } = d_{i} \oplus h(ID_{i} || b_{i}^{\prime })\), using the information d_{i} stored in its memory and the computed \(b_{i}^{\prime }\), in order to obtain the secret number K.
- Step L4.
SC_{i} uses K′ to compute \(RPW_{i}^{\prime } = h(ID_{i} || K^{\prime } || PW_{i})\), and \(f_{i}^{\prime } = h(RPW_{i}^{\prime } || b_{i}^{\prime })\). SC_{i} then checks the condition \(f_{i}^{\prime } = f_{i}\). If it holds, it ensures that both information PW_{i} and B_{i} entered by U_{i} are valid, and hence, the user U_{i} passes both the password and biometric verifications. Otherwise, the phase is terminated immediately.
- Step L5.
SC_{i} computes \(x_{i} = e_{i} \oplus f_{i}^{\prime } (= h(ID_{i} || X_{s}))\), generates a random number \(r_{i} \in Z_{q}^{\ast }\), and then computes R_{1} = r_{i}P, R_{2} = r_{i}Y, v_{i} = ID_{i} ⊕ h(R_{1}||R_{2}) ⊕ RN_{u}, and z_{i} = h(ID_{i}||v_{i}||R_{1}||R_{2}||x_{i}||RN_{u}). Here RN_{u} is a random nonce generated by SC_{i} on behalf of the user U_{i}.
- Step L6.
Finally, the smart card SC_{i} of the user U_{i} sends the login request message 〈R_{1}, v_{i}, z_{i}〉 to the server S_{j} via a public channel.
Remark 2
The input biometric characteristic of the same person can be slightly different every time [12, 23, 34], and since the output of a one-way hash function, including the chaotic one-way hash function, is sensitive to its input, it may return a completely different output even for a small variation in the input. Due to this sensitivity of the one-way hash function h(⋅), Tan’s scheme cannot tolerate small variations of the biometric feature. On the other hand, even if there is a small variation in the biometric input of a legal user U_{i}, our scheme, through the fuzzy extractor functions Gen(⋅) and Rep(⋅), has the ability to tolerate such variations as long as the condition \(d(B_{i}, B_{i}^{\prime }) \le t\) is satisfied (see Definition 2), where B_{i} and \(B_{i}^{\prime }\) are the biometrics provided by U_{i} at registration time and at login time, respectively. Note that a low-entropy or simple password can be guessed using dictionary attacks [33]. However, as pointed out in [33], compared to low-entropy passwords, biometric keys cannot be lost or forgotten, are very difficult to copy or share, are extremely hard to forge or distribute, and cannot be guessed easily. Therefore, it is a very difficult task for an attacker to forge or guess a legal user U_{i}’s biometrics B_{i}. As a result, the attacker will not have the ability to produce a small variation of the legal user U_{i}’s biometrics B_{i}, and he/she cannot pass the biometric verification during the login phase.
Authentication and key agreement phase
- Step AK1.
S_{j} computes \(R_{2}^{\ast } = X_{s} R_{1} = X_{s}(r_{i} P) = r_{i} (X_{s} P) = r_{i} Y\) and \(RN_{u}^{\ast } = ID_{i} \oplus v_{i} \oplus h(R_{1} || R_{2}^{\ast })\), \(x_{i}^{\ast } = h(ID_{i} || X_{s})\), and \(z_{i}^{\ast } = h(ID_{i} || v_{i} || R_{1} || R_{2}^{\ast } || x_{i}^{\ast } || RN_{u}^{\ast })\). Note that for computing \(RN_{u}^{\ast }\), the server S_{j} knows ID_{i}, because it is sent during the registration phase by the user U_{i} via a secure channel. S_{j} then compares the computed \(z_{i}^{\ast }\) with the received z_{i}. If there is a mismatch between them, the phase is terminated immediately. Otherwise, S_{j} authenticates the user U_{i} as the valid user.
In order to protect against the replay and man-in-the-middle attacks, we adopt a strategy similar to that in [12, 34]. The server S_{j} stores \((ID_{i}, RN_{u}^{\ast })\) in its database. When the server S_{j} later receives another login request message \(\langle R_{1}^{\prime }, v_{i}^{\prime }, z_{i}^{\prime } \rangle \) from U_{i}, it computes \(R_{2}^{\prime } = X_{s} R_{1}^{\prime }\), \(RN_{u}^{\prime } = ID_{i} \oplus v_{i}^{\prime } \oplus h(R_{1}^{\prime } || R_{2}^{\prime })\), \(x_{i}^{\prime } = h(ID_{i} || X_{s})\) and \(z_{i}^{\prime \prime } = h(ID_{i} || v_{i}^{\prime } || R_{1}^{\prime } || R_{2}^{\prime } || x_{i}^{\prime } || RN_{u}^{\prime })\). If \(z_{i}^{\prime \prime } = z_{i}\), then S_{j} concludes that the login request message is a replayed one, and in that case \(RN_{u}^{\prime } = RN_{u}^{\ast }\). As a result, S_{j} rejects this login request message. Otherwise, S_{j} authenticates U_{i} and replaces the pair \((ID_{i}, RN_{u}^{\ast })\) by \((ID_{i}, RN_{u}^{\prime })\) in its database, since the login request message is treated as a fresh one. Note that S_{j} can store \(RN_{u}^{\ast }\) for a longer time in order to ensure that the same login message cannot be replayed by any attacker during that period, at least until the expiry of the session key between the user U_{i} and the server S_{j}. One can also use a timestamp along with the random nonces to protect against the replay attack more strongly, if the clocks of the nodes are synchronized.
- Step AK2.
S_{j} chooses a random number \(s_{i} \in Z_{q}^{\ast }\). S_{j} then generates a random nonce RN_{s}, and computes the following: \(R_{3} = s_{i} P, y_{i} = x_{i}^{\ast } \oplus RN_{s} \oplus RN_{u}^{\ast },\) and \(z_{i}^{\ast \ast } = h(s_{i} R_{1} || R_{2}^{\ast } || R_{3} || y_{i} || RN_{u}^{\ast } || RN_{s} || SK_{ij}),\) where \(SK_{ij} = h(ID_{i} || x_{i}^{\ast } || RN_{u}^{\ast } || RN_{s} || R_{2}^{\ast } || R_{3})\) is the secret session key to be shared with the user U_{i}. S_{j} then sends the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) to the smart card SC_{i} (user U_{i}) via a public channel.
- Step AK3.
After receiving the message in Step AK2, the smart card SC_{i} of the user U_{i} computes the following: \(r_{i} R_{3} = r_{i} (s_{i} P) = s_{i} (r_{i} P) = s_{i} R_{1}, RN_{s}^{\ast } = y_{i} \oplus x_{i} \oplus RN_{u}, SK_{ji} = h(ID_{i} || x_{i} || RN_{u} || RN_{s}^{\ast } || R_{2} || R_{3}),\) and \( z_{i}^{\ast \ast \ast } = h(r_{i} R_{3} || R_{2} || R_{3} || y_{i} || RN_{u} || RN_{s}^{\ast } || SK_{ji})\). SC_{i} then checks the condition \(z_{i}^{\ast \ast \ast } = z_{i}^{\ast \ast }\). If they are equal, S_{j} is authenticated by the user U_{i}. Otherwise, U_{i} refuses the authentication request.
- Step AK4.
Finally, U_{i} stores SK_{ji} and S_{j} stores SK_{ij} for their future secure communication. Note that SK_{ij} = SK_{ji}.
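The login phase (Steps L5 and L6) and the authentication and key agreement phase (Steps AK1 to AK4) above, including the server's \((ID_{i}, RN_{u}^{\ast })\) table used to reject replayed login requests, as an added example; this is not the paper's code. It assumes secp256k1 as E_{q}(a, b) with its base point as P, SHA-256 as h(⋅), byte-string concatenation as ||, and 32-byte identities and nonces; registration and the fuzzy extractor are not modelled (f_{i}, e_{i} and Y are constructed directly), and the server's loop over its registered identities is an assumption, since the paper does not say how S_{j} picks ID_{i} for an anonymous request.

```python
import hashlib
import secrets

# secp256k1 (a = 0, b = 7) stands in for E_q(a, b); G is the base point P of order q.
FIELD_P = 2**256 - 2**32 - 977
ORDER_Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, point):               # double-and-add scalar multiplication k * point
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point, k = ec_add(point, point), k >> 1
    return acc


def enc(point):                     # fixed-width point encoding so points can be hashed
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def h(*parts):                      # h(a || b || ...) as SHA-256 over the concatenation
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_scalar():                  # random element of Z_q^*
    return secrets.randbelow(ORDER_Q - 1) + 1


class Server:
    """S_j: master key X_s, public Y = X_s P, and the (ID_i, RN_u*) table of Step AK1."""
    def __init__(self):
        self.X_s = rand_scalar()
        self.Y = ec_mul(self.X_s, G)
        self.ids = set()            # ID_i values received over the secure registration channel
        self.nonce_db = {}          # ID_i -> last accepted RN_u* (replay detection)

    def x_for(self, ID):            # x_i = h(ID_i || X_s)
        return h(ID, self.X_s.to_bytes(32, "big"))

    def register(self, ID):
        self.ids.add(ID)
        return self.x_for(ID)

    def handle_login(self, msg):
        """Steps AK1-AK2: returns (<R3, y_i, z_i**>, SK_ij), or None when the login is rejected."""
        R1, v_i, z_i = msg
        R2 = ec_mul(self.X_s, R1)                          # R2* = X_s R1 = r_i Y
        hR = h(enc(R1), enc(R2))
        # Assumption: the anonymous request names no ID_i, so S_j tries each registered
        # identity until z_i* matches (the paper only says S_j knows ID_i from registration).
        for ID in self.ids:
            RN_u = xor(xor(ID, v_i), hR)                   # RN_u* = ID_i xor v_i xor h(R1 || R2*)
            x_i = self.x_for(ID)
            if h(ID, v_i, enc(R1), enc(R2), x_i, RN_u) == z_i:
                break
        else:
            return None                                    # z_i* != z_i: terminate
        if self.nonce_db.get(ID) == RN_u:
            return None                                    # RN_u* equals the stored nonce: replay
        self.nonce_db[ID] = RN_u                           # fresh login: update (ID_i, RN_u*)
        s_i, RN_s = rand_scalar(), secrets.token_bytes(32)
        R3 = ec_mul(s_i, G)
        y_i = xor(xor(x_i, RN_s), RN_u)
        SK_ij = h(ID, x_i, RN_u, RN_s, enc(R2), enc(R3))
        z_ss = h(enc(ec_mul(s_i, R1)), enc(R2), enc(R3), y_i, RN_u, RN_s, SK_ij)
        return (R3, y_i, z_ss), SK_ij


def make_card(server, ID, PW, b_i, K):
    """Constructed SC_i contents after registration: f_i, e_i = x_i xor f_i, and public Y."""
    f_i = h(h(ID, K, PW), b_i)                             # f_i = h(h(ID_i || K || PW_i) || b_i)
    return {"ID": ID, "f_i": f_i, "e_i": xor(server.register(ID), f_i), "Y": server.Y}


def login(card):
    """Steps L5-L6 on SC_i: the request <R1, v_i, z_i> plus the state kept for Step AK3."""
    x_i = xor(card["e_i"], card["f_i"])                    # x_i = e_i xor f_i' (= h(ID_i || X_s))
    r_i, RN_u = rand_scalar(), secrets.token_bytes(32)
    R1, R2 = ec_mul(r_i, G), ec_mul(r_i, card["Y"])
    v_i = xor(xor(card["ID"], h(enc(R1), enc(R2))), RN_u)
    z_i = h(card["ID"], v_i, enc(R1), enc(R2), x_i, RN_u)
    return (R1, v_i, z_i), {"r_i": r_i, "R2": R2, "RN_u": RN_u, "x_i": x_i}


def verify_server(card, st, msg):
    """Step AK3 on SC_i: returns SK_ji when z_i*** = z_i**, else None."""
    R3, y_i, z_ss = msg
    RN_s = xor(xor(y_i, st["x_i"]), st["RN_u"])            # RN_s* = y_i xor x_i xor RN_u
    SK_ji = h(card["ID"], st["x_i"], st["RN_u"], RN_s, enc(st["R2"]), enc(R3))
    z_sss = h(enc(ec_mul(st["r_i"], R3)), enc(st["R2"]), enc(R3), y_i, st["RN_u"], RN_s, SK_ji)
    return SK_ji if z_sss == z_ss else None
```

Running `login`, `Server.handle_login` and `verify_server` in sequence yields SK_{ji} = SK_{ij}; feeding the same login request to `handle_login` a second time returns None, as does a request in which R_{1} has been swapped for R_{3}.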
Summary of exchanged messages during the registration phase, login phase, and authentication and key agreement phase of our scheme
Phase | User (U_{i})/Smart Card (SC_{i}) | Server (S_{j}) |
---|---|---|
Registration | \(\underrightarrow {\langle ID_{i}, f_{i} \rangle }\) (via a secure channel) | |
| \(\underleftarrow {\text {SmartCard}(P, q, Y, h(\cdot ), Gen(\cdot ), Rep(\cdot ), f_{i}, e_{i}, t, par_{i})}\) (via a secure channel) | |
Login | \(\underrightarrow {\langle R_{1}, v_{i}, z_{i} \rangle }\) (via a public channel) | |
Authentication and key agreement | \(\underleftarrow {\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle }\) (via a public channel) | |
| Computes \(SK_{ji} = h(ID_{i} || x_{i} || RN_{u} || RN_{s}^{\ast } || R_{2} || R_{3})\). | Computes \(SK_{ij} = h(ID_{i} || x_{i}^{\ast } || RN_{u}^{\ast } || RN_{s} || R_{2}^{\ast } || R_{3})\). |
Password and biometric update phase
- Step PB1.
U_{i} first inserts his/her smart card into a card reader, and inputs his/her identity ID_{i}, old password \(PW_{i}^{old}\) and imprints old biometric information \(B_{i}^{old}\) at the sensor.
- Step PB2.
The smart card SC_{i} of the user U_{i} computes \(b_{i}^{old} = Rep(B_{i}^{old}, par_{i})\) and \(K^{\ast } = d_{i} \oplus h(ID_{i} || b_{i}^{old})\). SC_{i} then computes \(RPW_{i}^{old} = h(ID_{i} || K^{\ast } || PW_{i}^{old})\) and \(f_{i}^{old} = h(RPW_{i}^{old} || b_{i}^{old})\).
- Step PB3.
SC_{i} then checks the condition \(f_{i}^{old} = f_{i}\). If it holds, both entered \(PW_{i}^{old}\) and \(B_{i}^{old}\) are authenticated by SC_{i}. Otherwise, SC_{i} refuses the update request.
- Step PB4.
SC_{i} asks the user U_{i} to enter his/her new chosen password \(PW_{i}^{new}\) and imprint new biometric template \(B_{i}^{new}\) at the sensor. SC_{i} computes \(x = e_{i} \oplus f_{i}^{old} = h(ID_{i} || X_{s})\) and \(RPW_{i}^{new} = h(ID_{i} || K^{\ast } || PW_{i}^{new})\).
- Step PB5.
SC_{i} then applies the fuzzy extractor function Gen(⋅) to \(B_{i}^{new}\) to generate the secret key \(b_{i}^{new}\) and the public parameter \(par_{i}^{new}\) as \(Gen(B_{i}^{new}) = (b_{i}^{new}, par_{i}^{new})\). SC_{i} further computes \(f_{i}^{new} = h(RPW_{i}^{new} || b_{i}^{new}), e_{i}^{new} = x \oplus f_{i}^{new} = h(ID_{i} || X_{s}) \oplus f_{i}^{new},\) and \(d_{i}^{new} = h(ID_{i} || b_{i}^{new}) \oplus K^{\ast }\).
- Step PB6.
Finally, the smart card SC_{i} replaces f_{i}, e_{i}, d_{i} and par_{i} in its memory by \(f_{i}^{new}\), \(e_{i}^{new}\), \(d_{i}^{new}\) and \(par_{i}^{new}\), respectively.
Security analysis of the proposed scheme
In this section, we show that our scheme is secure against various known attacks.
Informal security analysis
Through the informal security analysis, we show that our scheme withstands the following attacks and provides the following features.
Reflection attack
Suppose that an attacker (adversary) intercepts a login request message 〈R_{1}, v_{i}, z_{i}〉. To mount the reflection attack, the attacker needs to replace y_{i} with v_{i} and \(z_{i}^{\ast \ast }\) with z_{i} in the authentication request message, so as to form a valid-looking login request message 〈R_{3}, v_{i}, z_{i}〉. Upon receiving this login request message, the server S_{j} computes \(R_{2}^{\ast } = X_{s} R_{3} = s_{i} Y \neq r_{i} Y, RN_{u}^{\ast } = ID_{i} \oplus v_{i} \oplus h(R_{3} || R_{2}^{\ast }) \neq RN_{u}, x_{i}^{\ast } = h(ID_{i} || X_{s}), z_{i}^{\ast } = h(ID_{i} || v_{i} || R_{3} || R_{2}^{\ast } || x_{i}^{\ast } || RN_{u}^{\ast }) \neq h(ID_{i} || v_{i} || R_{1} || R_{2} || x_{i} || RN_{u})\), since R_{3} ≠ R_{1}. As a result, the verification condition \(z_{i}^{\ast } = z_{i}\) fails, and the server S_{j} terminates this request. Hence, it is clear that, as in Tan’s scheme, our scheme also protects against the reflection attack.
Replay attack
Suppose an attacker intercepts the login request message 〈R_{1}, v_{i}, z_{i}〉 during the login phase, and later sends the message \(\langle R_{1}^{\prime }, v_{i}^{\prime }, z_{i}^{\prime } \rangle = \langle R_{1}, v_{i}, z_{i} \rangle \) to the server S_{j} again. However, according to the strategy given in Step AK1 of our authentication and key agreement phase, this message is detected as a replayed message, since S_{j} keeps track of the pair \((ID_{i}, RN_{u}^{\ast })\) in its database for a longer time period. Hence, our scheme protects against the replay attack.
Man-in-the-middle attack
Assume that an attacker intercepts the login request message 〈R_{1}, v_{i}, z_{i}〉 during the login phase. Note that P and Y are public, whereas X_{s} is secret to S_{j} only and ID_{i} is known to both U_{i} and S_{j} only. Let the attacker select a random number \(r_{i}^{\prime } \in Z_{q}^{\ast }\) and then compute \(R_{1}^{\prime } = r_{i}^{\prime } P\) and \(R_{2}^{\prime } = r_{i}^{\prime } Y\). Furthermore, the attacker generates a random nonce \(RN_{u}^{\prime }\). To compute \(v_{i}^{\prime } = ID_{i} \oplus h(R_{1}^{\prime } || R_{2}^{\prime }) \oplus RN_{u}^{\prime }\), it is clear that the attacker needs to know ID_{i}. However, ID_{i} is unknown to the attacker. Thus, the attacker has no way to compute \(v_{i}^{\prime }\) and also \(z_{i}^{\prime } = h(ID_{i} || v_{i}^{\prime } || R_{1}^{\prime } || R_{2}^{\prime } || x_{i}^{\prime } || RN_{u}^{\prime })\) as computation of \(x_{i}^{\prime } = h(ID_{i} || X_{s})\) is a computationally infeasible problem and ID_{i} is unknown to that attacker. Hence, the attacker does not have any ability to modify the message 〈R_{1}, v_{i}, z_{i}〉 as a valid login request message \(\langle R_{1}^{\prime }, v_{i}^{\prime }, z_{i}^{\prime } \rangle \) in between the communication, and our scheme protects against man-in-the-middle attacks.
Many logged-in users with the same login-id attack
Systems which maintain a password/verifier table in order to verify user logins are usually vulnerable to the many logged-in users with the same login-id attack. In our scheme, neither the server S_{j} nor the user U_{i} maintains any verifier table. To log in to the server, a user U_{i} must have a valid triple 〈ID_{i}, PW_{i}, B_{i}〉 and the smart card corresponding to this information. Note that our scheme requires on-card computation for password and biometric verification. Further, PW_{i} and b_{i} of the user U_{i} are protected by h(⋅). Even if two users U_{i} and U_{j} have the same password PW_{i}, the hash values f_{i} = h(h(ID_{i}||K_{i}||PW_{i})||b_{i}) and f_{j} = h(h(ID_{j}||K_{j}||PW_{j})||b_{j}) are distinct due to the properties of personal biometrics, the random numbers K_{i} and K_{j} selected by the users U_{i} and U_{j}, respectively, and the identities ID_{i} and ID_{j}. Since our scheme requires on-card computation to log in to the server, once the smart card is removed from the system, the login session is terminated. As a result, our scheme prevents the many logged-in users with the same login-id attack.
Session key security
Suppose an attacker intercepts the login message 〈R_{1}, v_{i}, z_{i}〉 during the login phase and the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) during the authentication and key agreement phase. The secret session key \(SK_{ij} = h(ID_{i} || x_{i}^{\ast } || RN_{u}^{\ast } || RN_{s} || R_{2}^{\ast } || R_{3})\) is embedded in \(z_{i}^{\ast \ast }\) and also protected by the one-way hash function h(⋅). In addition, to compute SK_{ij} the attacker needs to know ID_{i}, \(x_{i}^{\ast }\), RN_{u}, RN_{s} and \(R_{2}^{\ast }\). Hence, due to the collision-resistant one-way property of h(⋅), it is a computationally infeasible problem for the attacker to derive SK_{ij}.
Parallel session attack
When an attacker wants to start another, parallel session by sending the previous session’s login request message 〈R_{1}, v_{i}, z_{i}〉 to the server S_{j}, S_{j} detects the message as a previous one, because the random nonce contained in the message matches the random nonce stored in S_{j}’s database for that user U_{i}. Further, the attacker has no ability to change this message, because the attacker does not know ID_{i}. The parallel session attack is therefore completely prevented in our scheme.
Protection of user anonymity
Suppose an attacker intercepts the login request message 〈R_{1}, v_{i}, z_{i}〉 during the login phase and the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) during the authentication and key agreement phase of our scheme. Note that these values are protected by the one-way collision-resistant hash function h(⋅) and also determined by two random numbers r_{i} and s_{i}, and two random nonces RN_{u} and RN_{s}. Due to this, these messages are different in each protocol run and as a result, the attacker can not link two login messages of a particular user U_{i}. Hence, our scheme preserves the user anonymity property.
Stolen smart card attack
Suppose an attacker obtains the stolen/lost smart card SC_{i} of a legal user U_{i}. Then, according to our threat model, the attacker can easily extract all the sensitive information {P, q, Y, h(⋅), Gen(⋅), Rep(⋅), f_{i}, e_{i}, t, par_{i}, d_{i}} from the memory of the smart card SC_{i} by monitoring the power consumption of the smart card [28, 37]. Using f_{i} and e_{i}, the attacker can compute h(ID_{i}||X_{s}) = e_{i} ⊕ f_{i}. However, both the identity ID_{i} of the user U_{i} and the secret master key X_{s} of the server S_{j} are unknown to the attacker. Due to the one-way collision-resistant property of h(⋅), it is a computationally infeasible task for the attacker to derive X_{s}. We have f_{i} = h(RPW_{i}||b_{i}) = h(h(ID_{i}||K||PW_{i})||b_{i}) and d_{i} = h(ID_{i}||b_{i}) ⊕ K. Again, the attacker does not know ID_{i}, K, b_{i} and PW_{i}. To guess PW_{i} and b_{i} correctly, the attacker needs to know ID_{i} and K. Due to the secure one-way hash function h(⋅), the attacker has no ability to derive PW_{i} and b_{i}. Thus, our scheme is secure against the stolen smart card attack.
Offline password guessing attack
As in stolen smart card attacks discussed above, the attacker does not have any ability to derive the password PW_{i} of a legal user U_{i} even if the attacker obtains the user U_{i}’s stolen/lost smart card. This is because the attacker needs to know ID_{i}, K and b_{i} to derive PW_{i}. As a result, our scheme has the ability to resist the offline password guessing attack.
Online password guessing attack
In this attack, an attacker tries to derive the password PW_{i} of a user U_{i} by intercepting all messages during various phases. Note that during the registration phase, the messages are transmitted securely between the user and the server. Suppose an attacker tries to retrieve secret data by intercepting all transmitted messages 〈R_{1}, v_{i}, z_{i}〉 and \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) in a previous session. None of these messages involves the user’s password PW_{i} directly or indirectly. As a result, these messages are not helpful for deriving the password PW_{i} of a user U_{i}. Hence, our scheme is also secure against online password guessing attack.
Privileged insider attack
During the registration phase, an insider being an attacker at the server S_{j} may try to know PW_{i} and b_{i} of a user U_{i}. However, in our scheme during the registration phase S_{j} receives the registration request message 〈ID_{i}, f_{i}〉 from U_{i}. Note that f_{i} = h(RPW_{i}||b_{i}) = h(h(ID_{i}||K||PW_{i})||b_{i}), and Gen(B_{i}) = (b_{i}, par_{i}). Since K is not revealed to the server S_{j} and it is only known to U_{i}, S_{j} does not have any ability to determine or guess correctly PW_{i} and B_{i}, since PW_{i} and b_{i} are protected by h(⋅). Hence, the insider attack is eliminated from our scheme.
Mutual authentication
In our scheme, after receiving the login request message 〈R_{1}, v_{i}, z_{i}〉 from the user U_{i}, the server S_{j} checks whether the condition \(z_{i}^{\ast } = z_{i}\) holds. If it does, S_{j} authenticates the user U_{i} as a valid user. On the other hand, after receiving the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \), the smart card SC_{i} of the user U_{i} checks the condition \(z_{i}^{\ast \ast \ast } = z_{i}^{\ast \ast }\). If this condition holds, U_{i} authenticates S_{j} as a valid server. Thus, our scheme provides mutual authentication between U_{i} and S_{j}.
Server not knowing password and biometric
During the registration phase of our scheme, the user U_{i} sends the registration request message 〈ID_{i}, f_{i}〉 to the server S_{j} via a secure channel, where f_{i} = h(RPW_{i}||b_{i}) = h(h(ID_{i}||K||PW_{i})||b_{i}), and Gen(B_{i}) = (b_{i}, par_{i}). Note that S_{j} does not know K, PW_{i} and b_{i}. To know PW_{i}, the server S_{j} needs to know K and b_{i}. Due to the collision-resistant property of h(⋅), it is a computationally infeasible problem for S_{j} to derive PW_{i} and B_{i} since K is a 1024-bit secret number only known to the user U_{i}.
Freedom of password and biometric update
In our scheme, before the user U_{i} updates his/her old password and biometric pair \(\{PW_{i}^{old}, B_{i}^{old} \}\) by new password and biometric pair \(\{PW_{i}^{new}, B_{i}^{new} \}\), the smart card SC_{i} of the user U_{i} computes \(b_{i}^{old} = Rep(B_{i}^{old}, par_{i})\), \(K^{\ast } = d_{i} \oplus h(ID_{i} || b_{i}^{old})\), \(RPW_{i}^{old} = h(ID_{i} || K^{\ast } || PW_{i}^{old})\) and also \(f_{i}^{old} = h(RPW_{i}^{old} || b_{i}^{old})\). After that SC_{i} compares \(f_{i}^{old}\) with the stored f_{i}. If they match, then only SC_{i} continues the update phase. Also, it is noted that during the entire duration of the password and biometric update phase, SC_{i} executes these operations without involving the server S_{j}. As a result, S_{j} is totally unaware of the password as well as biometric update.
Three-factor security
In the three-factor security model, the main goals of an attacker are to mount an impersonation attack where the attacker has learned at most two elements of the triple {PW_{i}, SC_{i}, B_{i}}, in order to obtain the last element or to compromise the user anonymity. As in the analysis of Tan’s scheme, it is also clear that our scheme provides the three-factor security.
Formal security analysis
In this section, using the formal security analysis under the random oracle model we show that our scheme is secure. We use the proof of the formal security by the method of contradiction as in [11]. We follow the similar analysis as in [8, 9, 13, 14, 16, 18, 42, 43, 44]. Note that one can also prove the formal security in the standard model. However, in this paper, we perform the formal security analysis under the generic group model of cryptography.
Reveal1: This oracle will unconditionally output the input x from the corresponding hash value y = h(x).
Reveal2: Given P ∈ E_{q}(a, b) and the public key Q = kP ∈ E_{q}(a, b), this oracle will unconditionally output the private key k.
Theorem 1
Under the elliptic curve discrete logarithm problem (ECDLP) assumption, our proposed scheme is secure against an adversary for deriving the identity ID_{i} and the session key SK_{ij} between a user U_{i} and the server S_{j}, if the one-way hash function h(⋅) closely behaves like a random oracle.
Proof
Theorem 2
Under the assumption that the one-way hash function h(⋅) closely behaves like an oracle, our proposed scheme is secure against an adversary for deriving the secret key X_{s} of the server S_{j}, and the password PW_{i} and the biometric key b_{i} of the user U_{i}.
Proof
Simulation for formal security verification of our scheme using AVISPA tool
In this section, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool in order to show that our scheme is secure. We have further simulated Tan’s scheme for the formal security analysis, and show that Tan’s scheme is not secure.
AVISPA overview
AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques [3]. We have used the widely-accepted AVISPA back-ends for our formal security verification [9, 13, 14, 17, 24]. AVISPA consists of four back-ends, namely OFMC, CL-AtSe, SATMC and TA4SP. A static analysis is first performed in order to check the executability of the protocol, and then the protocol and the intruder actions are compiled into an intermediate format (IF). IF is the starting point for the four automated protocol analysis techniques. It is a lower-level language than HLPSL, and is read directly by the back-ends of the AVISPA tool. Detailed descriptions of these back-ends are given in [3].
In AVISPA, the protocols to be analyzed need to be specified in the HLPSL language [53]. HLPSL is based on roles: the basic roles represent each participant role, and composition roles represent scenarios of basic roles. Each role is independent of the others; it receives some initial information through parameters, and then communicates with the other roles over channels. In HLPSL, the intruder is always modeled using the Dolev-Yao model [20] (as in the threat model used in this paper), with the possibility for the intruder to assume a legitimate role in a protocol run. The role system defines the number of sessions, the number of principals and the roles. The output format (OF) of AVISPA is generated by one of the four back-ends. When the analysis of a protocol has been completed (whether or not an attack was found), the output describes precisely what the result is, and under what conditions it has been obtained. The detailed formats of the OF can be found in [53].
Specifying our scheme
In Fig. 1, we have also implemented the specification in HLPSL language for the role of the responder, the server S_{j}. During the registration phase, after receiving the registration request message 〈ID_{i}, f_{i}〉 securely from the user U_{i}, the server S_{j} issues a smart card SC_{i} and sends it with the information (P, q, Y, h(⋅), Gen(⋅), Rep(⋅), f_{i}, e_{i}, t, par_{i}) securely to U_{i}. During the authentication and key agreement phase, after receiving the login request message 〈R_{1}, v_{i}, z_{i}〉 in the login phase via a public channel, the server S_{j} sends the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) to U_{i} via a public channel.
In the HLPSL implementation of our scheme, we have five secrecy goals and two authentication goals. For example, the secrecy goal secrecy_of subs1 states that X_{s} is kept secret to the server S_{j} only, which is indicated by the protocol id subs1. Similarly, we have given other secrecy goals for the protocol ids subs2, subs3, subs4 and subs5. On the other hand, the authentication goal authentication_on alice_bob_rnu states that U_{i} (C_{i}) generates a random nonce RN_{u}, where RN_{u} is only known to U_{i}. When the server S_{j} receives RN_{u} from other messages from U_{i}, the server S_{j} performs a strong authentication of U_{i} based on RN_{u}. The other authentication goal, authentication_on bob_alice_rns, indicates that S_{j} generates a random nonce RN_{s}, where RN_{s} is only known to S_{j}. If the user U_{i} receives RN_{s} from other messages from S_{j}, the user U_{i} (the smart card SC_{i}) performs a strong authentication of S_{j} based on RN_{s}.
Simulation results
Performance comparison with other related schemes
In this section, we compare the functionality features and performance of our scheme with those for other related three-factor authentication schemes [2, 5, 12, 30, 50, 51].
Notations used for the computational complexity
Symbol | Description |
---|---|
T_{h} | Time for performing a one-way hashing operation h(⋅) |
T_{X} | Time for performing an XOR operation |
T_{E} | Time for performing a symmetric encryption operation |
T_{D} | Time for performing a symmetric decryption operation |
T_{PE} | Time for executing an asymmetric encryption operation |
T_{PD} | Time for executing an asymmetric decryption operation |
T_{C} | Time for executing a Chebyshev chaotic map operation |
T_{M} | Time for executing an ECC point multiplication |
T_{FE} | Time for executing a fuzzy extractor |
Comparison of performance
Phase | Node | [50] | [12] | [30] | [5] | [51] | [2] | Ours |
---|---|---|---|---|---|---|---|---|
R | U_{i} | 2T_{h} | − | 3T_{h}+T_{X} | 2T_{X}+T_{PE} | 2T_{h}+3T_{X} | 2T_{X} | 2T_{h}+T_{FE} |
R | S_{j} | 2T_{h}+T_{X} | 3T_{h}+3T_{X} | 2T_{h}+2T_{X} | 3T_{h}+4T_{X}+T_{PD} | T_{h}+T_{X} | 4T_{h}+7T_{X} | 2T_{h}+2T_{X} |
L | U_{i} | 4T_{h}+2T_{X}+T_{E} | 2T_{h}+3T_{X} | 5T_{h}+4T_{X}+2T_{C} | 3T_{h}+3T_{X} | 4T_{h}+3T_{X}+2T_{M} | 3T_{h}+5T_{X}+T_{M} | 5T_{h}+4T_{X}+2T_{M}+T_{FE} |
L | S_{j} | − | − | − | − | − | − | − |
AK | U_{i} | 2T_{h} | 3T_{h}+T_{X} | 2T_{h}+2T_{C} | T_{h}+T_{X} | T_{h}+2T_{M} | 5T_{h}+2T_{X}+T_{M} | 5T_{h}+4T_{X}+2T_{M}+T_{FE} |
AK | S_{j} | 3T_{h}+T_{X}+T_{D} | 5T_{h}+2T_{X} | 5T_{h}+T_{X}+4T_{C} | 4T_{h}+4T_{X} | 4T_{h}+T_{X}+3T_{M} | 8T_{h}+6T_{X}+2T_{M} | 2T_{h}+2T_{X}+3T_{M} |
PB | U_{i} | 5T_{h}+2T_{X} | 2T_{h}+T_{X} | 4T_{h}+5T_{X} | 2T_{h}+4T_{X} | 4T_{h}+4T_{X} | 4T_{h}+14T_{X} | 6T_{h}+4T_{X}+2T_{FE} |
PB | S_{j} | − | − | − | − | − | − | − |
Total | | 18T_{h}+6T_{X}+T_{E}+T_{D} (≈0.01696 s) | 15T_{h}+9T_{X} (≈0.0048 s) | 21T_{h}+13T_{X}+8T_{C} (≈0.26432 s) | 13T_{h}+18T_{X}+T_{PE}+T_{PD} (≈0.04256 s) | 16T_{h}+12T_{X}+7T_{M} (≈0.12482 s) | 24T_{h}+36T_{X}+4T_{M} (≈0.07608 s) | 22T_{h}+14T_{X}+7T_{M}+4T_{FE} (≈0.19514 s) |
Functionality comparison
Conclusion
We have revisited Tan’s recently proposed three-factor authentication scheme for the telecare medicine information systems and shown that, though Tan’s scheme is efficient, it has several security drawbacks. We have also shown that Arshad and Nikooghadam’s scheme, which is an improvement of Tan’s scheme, fails to protect against the privileged-insider attack. To remedy these weaknesses, we have proposed an efficient scheme. Our scheme is shown to be secure through rigorous formal and informal security analysis. In addition, we have shown that our scheme is secure under the formal security verification. Though our scheme requires a little more computational cost than Tan’s scheme, Arshad and Nikooghadam’s scheme, and other schemes, our scheme is more suitable for practical applications due to its higher security. Furthermore, it is shown that our scheme preserves the user anonymity property and all other features which are required of an ideal three-factor authentication scheme for the telecare medicine information systems.
Notes
Acknowledgments
The author would like to acknowledge the helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.
References
- 1. An, Y., Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards. J. Biomed. Biotechnol. 2012:1–6, 2012. Article ID 519723.
- 2. Arshad, H., and Nikooghadam, M., Three-Factor Anonymous Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(6):1–12, 2014.
- 3. AVISPA: Automated Validation of Internet Security Protocols and Applications. Accessed on January 2013. http://www.avispa-project.org/
- 4. AVISPA: AVISPA Web Tool. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/
- 5. Awasthi, A.K., and Srivastava, K., A Biometric Authentication Scheme for Telecare Medicine Information Systems with Nonce. J. Med. Syst. 37(5):1–4, 2013.
- 6. Basin, D., Modersheim, S., Vigano, L., OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.
- 7. Burnett, A., Byrne, F., Dowling, T., Duffy, A., A Biometric Identity Based Signature Scheme. Int. J. Netw. Secur. 5(3):317–326, 2007.
- 8. Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Security and Communication Networks, 2014. doi:10.1002/sec.1140.
- 9. Chatterjee, S., Das, A.K., Sing, J.K., An Enhanced Access Control Scheme in Wireless Sensor Networks. Ad Hoc & Sensor Wireless Networks 21(1–2):121–149, 2014.
- 10. Chen, B.-L., Kuo, W.-C., Wuu, L.-C., Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2):377–389, 2014.
- 11. Chuang, Y.-H., and Tseng, Y.-M., An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int. J. Netw. Manag. 20(4):167–180, 2010.
- 12. Das, A.K., Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.
- 13. Das, A.K., A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Netw. Sci. 2(1–2):12–27, 2013.
- 14. Das, A.K., Chatterjee, S., Sing, J.K., A novel efficient access control scheme for large-scale distributed wireless sensor networks. Int. J. Found. Comput. Sci. 24(5):625–653, 2013.
- 15. Das, A.K., and Goswami, A., A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care. J. Med. Syst. 37(3):1–16, 2013.
- 16. Das, A.K., and Goswami, A., A robust anonymous biometric-based remote user authentication scheme using smart cards. Journal of King Saud University - Computer and Information Sciences (Elsevier). In Press, 2014.
- 17. Das, A.K., Massand, A., Patil, S., A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University - Comput. Inform. Sci. 25(2):219–228, 2013.
- 18. Das, A.K., Paul, N.R., Tripathy, L., Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Inf. Sci. 209(C):80–92, 2012.
- 19. Dodis, Y., Reyzin, L., Smith, A., Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt’04), LNCS, Vol. 3027, pp. 523–540, 2004.
- 20. Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.
- 21. Giri, D., Maitra, T., Amin, R., Srivastava, P.D., An efficient and robust RSA-based remote user authentication for telecare medical information systems. J. Med. Syst. 39(1):1–9, 2014.
- 22. He, D., Chen, J., Zhang, R., A More Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1989–1995, 2012.
- 23. He, D., Kumar, N., Lee, J.-H., Sherratt, R.S., Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.
- 24. Islam, S.H., and Biswas, G.P., A provably secure identity-based strong designated verifier proxy signature scheme from bilinear pairings. Journal of King Saud University - Comput. Inform. Sci. 26(1):55–67, 2014.
- 25. Islam, S.K.H., and Khan, M.K., Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J. Med. Syst. 38(10):1–16, 2014.
- 26. Khan, M.K., and Kumari, S., Cryptanalysis and improvement of an efficient and secure dynamic id-based authentication scheme for telecare medical information systems. Security and Communication Networks 7(2):399–408, 2014.
- 27. Koblitz, N., Elliptic Curve Cryptosystems. Math. Comput. 48:203–209, 1987.
- 28. Kocher, P., Jaffe, J., Jun, B., Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, pp. 388–397, 1999.
- 29. Kumari, S., Khan, M.K., Kumar, R., Cryptanalysis and improvement of a privacy enhanced scheme for telecare medical information systems. J. Med. Syst. 37(4):1–11, 2013.
- 30. Lee, C.-C., and Hsu, C.-W., A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 71(1–2):201–211, 2013.
- 31. Lee, C.-C., Li, C.-T., Chiu, S.-T., Lai, Y.-M., A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn., 1–11, 2014. doi:10.1007/s11071-014-1827-x.
- 32. Lee, T.-F., and Liu, C.-M., A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 37(3):1–8, 2013.
- 33. Li, C.-T., and Hwang, M.-S., An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1):1–5, 2010.
- 34. Li, X., Niu, J.-W., Ma, J., Wang, W.-D., Liu, C.-L., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 34(1):73–79, 2011.
- 35. Maitra, T., and Giri, D., An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):1–19, 2014.
- 36. Massey, T., Marfia, G., Stoelting, A., Tomasi, R., Spirito, M.A., Sarrafzadeh, M., Pau, G., Leveraging Social System Networks in Ubiquitous High-Data-Rate Health Systems. IEEE Trans. Inf. Technol. Biomed. 15(3):491–498, 2011.
- 37. Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
- 38.Mishra, D., On the security flaws in id-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1):1–16, 2015.CrossRefGoogle Scholar
- 39.Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M.K., Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38(6):1–12, 2014.CrossRefGoogle Scholar
- 40.Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5): 1–11, 2014.CrossRefGoogle Scholar
- 41.Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(10):1–10, 2014.CrossRefGoogle Scholar
- 42.Odelu, V., Das, A.K., Goswami, A., An Effective and Secure Key-Management Scheme for Hierarchical Access Control in E-Medicine System. J. Med. Syst. 37(2):1–18, 2013.CrossRefGoogle Scholar
- 43.Odelu, V., Das, A.K., Goswami, A., A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Inf. Sci. 269(C):270–285, 2014.CrossRefMathSciNetGoogle Scholar
- 44.Odelu, V., Das, A.K., Goswami, A., A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 2014. doi:10.1002/sec.1139.
- 45.Patel, M., and Wang, J., Applications, challenges, and prospective in emerging body area networking technologies. IEEE Wirel. Commun. 17(1):80–88, 2010.CrossRefGoogle Scholar
- 46.Sarkar, P., A Simple and Generic Construction of Authenticated Encryption with Associated Data. ACM Trans. Inf. Syst. Secur. 13(4):1–16, 2010.CrossRefGoogle Scholar
- 47.Siddiqui, Z., Abdullah, A.H., Khan, M.K., Alghamdi, A., Smart environment as a service: Three factor cloud based user authentication for telecare medical information system. J. Med. Syst. 38(1):1–14, 2013.Google Scholar
- 48.Stallings, W., Cryptography and Network Security: Principles and Practices. 3rd edition: Pearson Education India, 2003.Google Scholar
- 49.Stinson, D.R., Some Observations on the Theory of Cryptographic Hash Functions. Des. Codes Crypt. 38(2):259–277 , 2006.CrossRefMATHMathSciNetGoogle Scholar
- 50.Tan, Z., An efficient biometrics-based authentication scheme for telecare medicine information systems. Przegl. Elctrotech. 89(5):200–204, 2013.Google Scholar
- 51.Tan, Z., A User Anonymity Preserving Three-Factor Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(3):1–9, 2014.CrossRefGoogle Scholar
- 52.Tang, H., and Liu, X., Cryptanalysis of a dynamic ID-based remote user authentication with key agreement scheme. Int. J. Commun. Syst. 25(12):1639–1644, 2012.CrossRefGoogle Scholar
- 53.von Oheimb, D.: The high-level protocol specification language hlpsl developed in the eu project avispa. In: Proceedings of APPSEM 2005 Workshop (2005)Google Scholar
- 54.Wei, J., Hu, X., Liu, W., An Improved Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6):3597–3604, 2012.CrossRefGoogle Scholar
- 55.Wu, Z.Y., Lee, Y.-C., Lai, F., Lee, H.-C., Chung, Y.-F., A Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1529–1535, 2012.CrossRefGoogle Scholar
- 56.Xie, Q., A new authenticated key agreement for session initiation protocol. Int. J. Commun. Syst. 25(1):47–54, 2012.CrossRefGoogle Scholar
- 57.Yan, H., Huo, H., Xu, Y., Gidlund, M., Wireless sensor network based E-health system implementation and experimental results. IEEE Trans. Consum. Electron. 56(4):2288–2295, 2010.CrossRefGoogle Scholar
- 58.Yan, X., Li, W., Li, P., Wang, J., Hao, X., Gong, P., A secure biometrics-based authentication scheme for telecare medicine information systems. J. Med. Syst. 37(5):1–6, 2013.CrossRefMATHGoogle Scholar
- 59.Yang, H., Kim, H., Mtonga, K., An efficient privacy-preserving authentication scheme with adaptive key evolution in remote health monitoring system. Peer-to-Peer Networking and Applications, 1–11, 2014. doi:10.1007/s12083-014-0299-6.
- 60.Zhu, Z., An Efficient Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6): 3833–3838, 2012.CrossRefGoogle Scholar