A Secure User Anonymity-Preserving Three-Factor Remote User Authentication Scheme for the Telecare Medicine Information Systems

Part of the following topical collections:
  1. Transactional Processing Systems

Abstract

Recent advanced technology enables the telecare medicine information system (TMIS) for the patients to gain the health monitoring facility at home and also to access medical services over the Internet of mobile networks. Several remote user authentication schemes have been proposed in the literature for TMIS. However, most of them are either insecure against various known attacks or they are inefficient. Recently, Tan proposed an efficient user anonymity preserving three-factor authentication scheme for TMIS. In this paper, we show that though Tan’s scheme is efficient, it has several security drawbacks such as (1) it fails to provide proper authentication during the login phase, (2) it fails to provide correct updation of password and biometric of a user during the password and biometric update phase, and (3) it fails to protect against replay attack. In addition, Tan’s scheme lacks the formal security analysis and verification. Later, Arshad and Nikooghadam also pointed out some security flaws in Tan’s scheme and then presented an improvement on Tan’s s scheme. However, we show that Arshad and Nikooghadam’s scheme is still insecure against the privileged-insider attack through the stolen smart-card attack, and it also lacks the formal security analysis and verification. In order to withstand those security loopholes found in both Tan’s scheme, and Arshad and Nikooghadam’s scheme, we aim to propose an effective and more secure three-factor remote user authentication scheme for TMIS. Our scheme provides the user anonymity property. Through the rigorous informal and formal security analysis using random oracle models and the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is secure against various known attacks, including the replay and man-in-the-middle attacks. Furthermore, our scheme is also efficient as compared to other related schemes.

Keywords

Telecare medicine information systems; Fuzzy extractor; Biometrics; Password; User anonymity; AVISPA; Security

Introduction

The rapid development of modern information and communication technologies makes people’s daily lives much easier worldwide. It has also created new circumstances at all levels of the social environment [59]. Consider a healthcare system in which sensors and data links offer the potential for constant monitoring of a patient’s symptoms and needs. It enables doctors, nurses and other medical staff to diagnose and monitor a patient’s health problems in real time, whether the patient is at home or outdoors [36, 45, 57].

In a telecare medical information system (TMIS), patients can send health-related information or use portals for health monitoring and healthcare-related services over the Internet or mobile networks. If a patient has to travel to a hospital, the patient’s expenses, such as travel cost and hospitalization time, are high. To reduce these costs significantly, patients can instead use a TMIS to access healthcare delivery services. Since the telecare server keeps the electronic medical records of all registered users of the hospitals, a TMIS can help physicians make more comprehensive decisions through the cooperation of several physicians in different places. The wireless mobile telecommunications of a TMIS usually operate in open environments. As a result, security becomes a significant concern in a TMIS. Thus, an ideal secure authentication scheme is required to guarantee that only authorized (legal) users are able to access the services of the TMIS or the network.

Using biometric keys (for example, fingerprints, faces, irises, hand geometry and palm-prints) has the following major advantages, as described in [33]:
  • Biometric keys cannot be lost or forgotten.

  • Biometric keys are very difficult to copy or share.

  • Biometric keys are extremely hard to forge or distribute.

  • Biometric keys cannot be guessed easily.

  • A person’s biometrics are not easy to break compared with other kinds of keys.

In 2010, Li and Hwang [33] proposed an efficient biometric-based remote user authentication scheme using smart cards. In their scheme, biometric verification is performed using the hash value of the user’s personal biometrics. However, it was pointed out in [12, 34] that Li-Hwang’s scheme may leave a legal user unable to pass biometric verification during the login and password change phases. In the registration phase of Li-Hwang’s scheme, the registration center computes \(f_i = h(B_i)\), where \(B_i\) is the user’s personal biometrics, and \(f_i\) is then stored in the smart card. Note that biometric patterns belonging to the same person may vary slightly from time to time, for example fingerprints and voiceprints. Thereupon, when the user next enters his/her personal biometric, say \(B_{i}^{\ast }\), which may differ slightly from the biometric \(B_i\) given during the registration phase, the verification condition \(h\left (B_{i}^{\ast }\right ) = f_{i}\) may never succeed due to the sensitivity of the one-way hash function \(h(\cdot)\). Li et al. [34] showed that Li-Hwang’s scheme is insecure against the man-in-the-middle attack and does not provide proper authentication, and they provided an efficient solution to Li-Hwang’s scheme. Das [12] also pointed out that Li-Hwang’s scheme has some design flaws. To withstand the security weaknesses found in Li-Hwang’s scheme, Das proposed an efficient solution based on the same assumption as Li-Hwang’s scheme, namely that the information stored in a tamper-resistant smart card is as secure as a password. In 2012, An [1] showed that Das’s scheme [12] is insecure when the secret information stored in the smart card is revealed to an attacker. To withstand those security flaws, An proposed an enhanced efficient scheme.
However, Das and Goswami [16] analyzed the security of An’s scheme and showed that it has three serious design flaws: (i) a flaw in the user’s biometric verification during the login phase, (ii) a flaw in the user’s password verification during the login and authentication phases, and (iii) a flaw in the user’s local password change, which the user may perform at any time. Due to these flaws, An’s scheme does not support mutual authentication between a user and the server. In addition, it was shown that An’s scheme cannot prevent the insider attack. To remedy the security weaknesses found in An’s scheme, they proposed a new robust and secure anonymous biometric-based remote user authentication scheme using smart cards [16]. Lee and Hsu [30] proposed a biometric-based remote user authentication scheme using the extended chaotic map. However, their scheme does not protect against the insider attack, and it does not provide a formal security analysis.

In recent years, several user authentication schemes have been proposed [5, 10, 21, 22, 25, 26, 29, 32, 35, 38, 39, 40, 41, 47, 50, 51, 52, 54, 55, 56, 60]. Most of them are either insecure against different attacks or inefficient. Wu et al. [55] proposed a password-based authentication scheme for TMIS. Later, He et al. [22] pointed out that Wu et al.’s scheme is insecure against the impersonation and insider attacks, and they proposed an efficient solution to overcome the security weaknesses found in Wu et al.’s scheme. However, Wei et al. [54] showed that both Wu et al.’s scheme and He et al.’s scheme fail to provide two-factor security. Again, Zhu [60] showed that Wei et al.’s scheme has some weaknesses. Tan [50] proposed a biometric-based user authentication scheme for TMIS. However, this scheme does not protect against the replay attack, does not preserve user anonymity, and does not provide any formal security analysis. Mishra et al. [39] showed that Yan et al.’s scheme [58] is vulnerable to the off-line password guessing attack and does not provide the user anonymity property. Moreover, they pointed out that the login and password change phases are inefficient in Yan et al.’s scheme. In order to remove these weaknesses, they proposed an improved scheme for TMIS. Mishra et al. [40] further proposed an enhanced and efficient biometric-based authentication scheme for TMIS using nonces. Awasthi and Srivastava [5] proposed a three-factor authentication scheme for TMIS. In 2014, Tan [51] analyzed the security of Awasthi-Srivastava’s scheme [5] and showed that their scheme is insecure against the reflection attack; in addition, their scheme fails to provide three-factor security and user anonymity. Tan proposed an efficient user anonymity preserving authentication scheme for TMIS. Further, Arshad and Nikooghadam [2] enhanced the security of Tan’s scheme and proposed an improvement.

In this paper, we analyze the security of both Tan’s scheme and Arshad and Nikooghadam’s scheme [2]. Unfortunately, we find that their schemes still have several security drawbacks. Tan [51] extended the security requirements of two-factor authentication schemes to three-factor authentication schemes, which are given below:
  • Mutual authentication. After a run of the protocol, the server should believe that the remote user is a legitimate registered client. The user should also believe that the communicating party is the server to which the user intended to log in.

  • Server not knowing password and biometric. The registration center (server) should not have any information about the registered user’s password and personal biometrics. This is essential because, in real applications, several users may use the same password to access different servers. As a result, if a privileged insider of the registration center knows the password or biometrics of a user Ui, he/she may impersonate Ui to access the services of other servers.

  • Freedom of password and biometric update. A user should be allowed to freely change/update his/her password as well as biometric template without contacting the server. The server must be totally unaware of the change of the user’s password and biometric template.

  • Three-factor security. In the security model for three-factor authentication schemes, an adversary can have full control over the communication channel between the users and the server during the login phase and the authentication and key agreement phase. In the three-factor security adversary model, the adversary is modeled to have at most two of the following three abilities, but not all three: the adversary can use the techniques in [28, 37] to extract the information from the smart card, obtain the password, or access the biometric template.

Threat model

We make use of the Dolev-Yao threat model [20], in which two communicating parties communicate over an insecure channel. Any adversary (attacker or intruder) can eavesdrop on the messages transmitted over the public insecure channel, and he/she has the ability to modify, delete or change the contents of the transmitted messages. Usually the smart card of a user is equipped with tamper-resistant hardware. However, if a user’s smart card is stolen or lost, an attacker can still learn all the sensitive information stored in its memory by monitoring the power consumption of the smart card [28, 37].

Our contributions

We list the following contributions made in this paper:
  • We have revisited the recently proposed Tan’s scheme and identified the following loopholes: (i) it fails to provide proper authentication during the login phase, (ii) it fails to provide correct updation of a user’s password and biometric during the password and biometric update phase, (iii) it fails to protect against the replay attack, and (iv) it lacks a formal security analysis and verification.

  • We have further shown that Arshad and Nikooghadam’s scheme fails to protect against the privileged-insider attack and also lacks a formal security analysis and verification.

  • In order to withstand the security drawbacks found in both Tan’s scheme and Arshad and Nikooghadam’s scheme, we have proposed a more efficient and secure three-factor user authentication scheme for TMIS.

  • Our scheme is shown to be secure against various known attacks through rigorous informal and formal security analysis and verification using the widely-accepted AVISPA tool.

  • Our scheme is also efficient as compared to Tan’s scheme and other related schemes.

  • High security and computational efficiency make our scheme feasible for practical use in TMIS applications, as compared to Tan’s scheme and other related schemes.

Organization of the paper

The remainder of this paper is organized as follows. In Section “Mathematical preliminaries”, we discuss some basic mathematical preliminaries, which are essential for describing and analyzing Tan’s scheme [51], Arshad and Nikooghadam’s scheme [2] as well as our proposed scheme. In Section “Review and cryptanalysis of Tan’s scheme, and Arshad and Nikooghadam’s scheme”, we give an overview of the recently proposed Tan’s scheme. In Section “The proposed scheme”, we present the various phases of our scheme. In Section “Security analysis of the proposed scheme”, we show that our scheme is secure against various known attacks. In the next section, we simulate our scheme for formal security verification using the widely-accepted AVISPA tool in order to show that our scheme is secure. We compare the performance of our scheme with other related schemes in Section “Simulation for formal security verification of our scheme using AVISPA tool”. In the final section, we conclude the paper.

Mathematical preliminaries

In this section, we briefly describe some mathematical preliminaries, which are essential for describing and analyzing Tan’s scheme [51], Arshad and Nikooghadam’s scheme [2] as well as our proposed scheme.

Collision-resistant one-way hash function

We give the formal definition of a one-way collision-resistant hash function as follows ([15, 46, 49]).

Definition 1 (Formal definition of one-way collision resistant hash function)

A collision-resistant one-way hash function \(h : A \rightarrow B\), where \(A = \{0, 1\}^{\ast}\) and \(B = \{0, 1\}^{n}\), is a deterministic algorithm that takes as input an arbitrary-length binary string \(x \in A\) and produces as output a fixed-length binary string \(y \in B\) of \(n\) bits. Let \(Adv_{\mathcal {A}}^{HASH} (t_{1})\) denote an adversary (attacker) \(\mathcal {A}\)’s advantage in finding a collision. Then, we have \(Adv_{\mathcal {A}}^{HASH} (t_{1}) = Pr \left [(x, x^{\prime }) \Leftarrow _{R} \mathcal {A}: x \neq x^{\prime } \, \text {and} \, h(x) = h(x^{\prime })\right ]\), where \(Pr[E]\) denotes the probability of a random event \(E\), and \(\left (x, x^{\prime }\right ) \Leftarrow _{R} \mathcal {A}\) denotes that the pair \((x, x^{\prime})\) is selected randomly by \( \mathcal {A}\). In this case, the adversary \(\mathcal {A}\) is allowed to be probabilistic, and the probability in the advantage is computed over the random choices made by the adversary \(\mathcal {A}\) with the execution time \(t_1\). The hash function \(h(\cdot)\) is then called collision-resistant if \(Adv_{\mathcal {A}}^{HASH}(t_{1}) \le \epsilon _{1}\), for any sufficiently small \(\epsilon_1 > 0\).

Key data extraction process from biometric template

We briefly describe the process of extracting key data from a user’s biometric using a fuzzy extractor. The output of a conventional hash function \(h(\cdot)\) is sensitive: it may return completely different outputs even for a small variation in the input. Biometric information, however, is prone to various noises during data acquisition, and as a result, exact reproduction of the enrolled biometric is hard in common practice. To avoid this problem, a fuzzy extractor [7, 19, 23] is used, which can extract a uniformly random string \(b\) and a public information \(par\) from the biometric template \(B\) with error tolerance \(t\). In the reproduction process, the fuzzy extractor then recovers the original biometric key data \(b\) from a noisy biometric \(B^{\prime}\) using \(par\) and \(t\). Let \(\mathcal {M} = \{0, 1\}^{v}\) be a finite \(v\)-dimensional metric space of biometric data points, \(d: \mathcal {M} \times \mathcal {M} \rightarrow \mathbb {Z}^{+}\) a distance function used to calculate the distance between two points under the chosen metric, \(l\) the number of bits of the output string \(b_i\), and \(t\) the error tolerance, where \(\mathbb{Z}^{+}\) denotes the set of all positive integers.

Definition 2

The fuzzy extractor is a tuple \((\mathcal{M}, l, t)\), which is defined by the following two algorithms, called Gen and Rep:
  • Gen: This probabilistic algorithm takes a biometric information \(B_{i} \in \mathcal {M}\) as input and outputs a secret key data \(b_i \in \{0, 1\}^{l}\) and a public reproduction parameter \(par_i\), where \(Gen(B_i) = \{b_i, par_i\}\).

  • Rep: This deterministic algorithm takes a noisy biometric information \(B_{i}^{\prime } \in \mathcal {M}\) and a public parameter \(par_i\) related to \(B_i\), and then it reproduces (recovers) the biometric key data \(b_i\). In other words, \(Rep\left (B_{i}^{\prime }, par_{i}\right ) = b_{i}\) provided that the condition \(d\left (B_{i},B_{i}^{\prime }\right ) \le t\) is satisfied.

For more detailed description of the fuzzy extractor and the extraction procedure, one can refer to [7, 19].

Elliptic curve over a prime field

Let \(a, b \in Z_p\), where \(Z_p = \{0, 1, \ldots, p-1\}\) and \(p > 3\) is a prime, such that \(4a^3 + 27b^2 \neq 0 \pmod p\). A non-singular elliptic curve \(y^2 = x^3 + ax + b\) over the finite field \(GF(p)\) is the set \(E_p(a, b)\) of all solutions \((x, y) \in Z_p \times Z_p\) to the congruence \(y^2 = x^3 + ax + b \pmod p\), together with a special point \(\mathcal{O}\) called the point at infinity or the zero point. If \(P = (x_P, y_P)\) and \(Q = (x_Q, y_Q)\) are two points in \(E_p(a, b)\), then \(P + Q = \mathcal{O}\) implies that \(x_Q = x_P\) and \(y_Q = -y_P\), and \(P + \mathcal{O} = \mathcal{O} + P = P\) for all \(P \in E_p(a, b)\). In addition, \(E_p(a, b)\) forms an abelian (commutative) group under the addition operation modulo \(p\).

Let \(G\) be a base point on \(E_p(a, b)\) of order \(n\), that is, \(nG = G + G + \cdots + G\) (\(n\) times) \(= \mathcal{O}\). If \(P = (x_P, y_P)\) and \(Q = (x_Q, y_Q)\) are two points on the elliptic curve \(y^2 = x^3 + ax + b \pmod p\) with \(P \neq -Q\), then \(R = (x_R, y_R) = P + Q\) is computed as follows ([27, 48]): \(x_R = (\gamma^2 - x_P - x_Q) \pmod p\) and \(y_R = (\gamma (x_P - x_R) - y_P) \pmod p\), where \(\gamma = \left \{ \begin {array}{ll} \frac {y_{Q}-y_{P}} {x_{Q}-x_{P}} \pmod p, & \text {if} \, P \neq Q \\ \frac {3 x_{P}^{2} + a} {2y_{P}} \pmod p, & \text {if} \, P = Q. \end {array} \right .\) Moreover, in elliptic curve cryptography, scalar multiplication is defined as repeated addition. For example, if \(P \in E_p(a, b)\), then \(5P\) is computed as \(5P = P + P + P + P + P \pmod p\).
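As an added example (not code from the paper), the following Python implements the affine addition and doubling formulas above, scalar multiplication as repeated addition, and the point order, over the constructed toy curve \(y^2 = x^3 + 2x + 3\) over \(GF(97)\); it also checks the relation \(X_s (r_i P) = r_i (X_s P)\) that lets a user and the server compute the same point \(R_2\) in the schemes reviewed below.

```python
# Added example, not code from the paper: affine elliptic-curve arithmetic
# over GF(p) using the formulas for x_R, y_R and gamma given in the text.
# The curve y^2 = x^3 + 2x + 3 over GF(97) is a constructed toy parameter set
# (4a^3 + 27b^2 = 275 = 81 mod 97, so the curve is non-singular).

P_MOD = 97              # the prime p
A_COEF, B_COEF = 2, 3   # curve coefficients a, b
O = None                # the point at infinity (zero point)


def is_on_curve(pt):
    """True if pt is O or satisfies y^2 = x^3 + ax + b (mod p)."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def neg(pt):
    """-P = (x_P, -y_P), so that P + (-P) = O."""
    if pt is O:
        return O
    x, y = pt
    return (x, (-y) % P_MOD)


def add(p1, p2):
    """P + Q with the chord (P != Q) and tangent (P == Q) slopes gamma."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # Q = -P
    if p1 == p2:
        gamma = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        gamma = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    gamma %= P_MOD
    x3 = (gamma * gamma - x1 - x2) % P_MOD
    y3 = (gamma * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """kP by double-and-add; same result as k repeated additions."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def repeated_add(k, pt):
    """kP literally as P + P + ... + P (k times), as in the text's 5P example."""
    result = O
    for _ in range(k):
        result = add(result, pt)
    return result


def order(pt):
    """Smallest n > 0 with nP = O (the group is finite, so this terminates)."""
    n, cur = 1, pt
    while cur is not O:
        cur = add(cur, pt)
        n += 1
    return n


def shared_point(x_s, r_i, base):
    """The relation behind R_2: the server computes X_s(r_i P) from R_1 = r_i P,
    the user computes r_i(X_s P) from the public key Y = X_s P.
    Returns (server_side, user_side); both are the same point."""
    y_pub = scalar_mult(x_s, base)      # Y = X_s P
    r_1 = scalar_mult(r_i, base)        # R_1 = r_i P
    return scalar_mult(x_s, r_1), scalar_mult(r_i, y_pub)


if __name__ == "__main__":
    G = (3, 6)
    print("2G =", add(G, G), "order of G =", order(G))
    print("R_2 agrees:", shared_point(7, 11, (0, 10)))
```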

The elliptic curve discrete logarithm problem (ECDLP) is formally defined as in [18] as follows.

Definition 3 (Formal definition of ECDLP)

Let \(E_p(a, b)\) be an elliptic curve modulo a prime \(p\), and \(P \in E_p(a, b)\) and \(Q = kP \in E_p(a, b)\) be two points, where \(k \Leftarrow_R Z_p\) (we use the notation \(x \Leftarrow_R T\) to denote that the number \(x\) is chosen randomly from the set \(T\)). Instance: \((P, Q, r)\) for some \(k, r \Leftarrow_R Z_p\). Output: yes, if \(Q = rP\), that is, \(k = r\), and output no, otherwise. Consider the following two distributions:
$$\begin{array}{@{}rcl@{}} D_{real} & = & \{ k \Leftarrow_{R} Z_{p}, A = P, B = Q (=kP), \\ & & C = k : (A, B, C) \}, \\ D_{rand} & = & \{ k, r \Leftarrow_{R} Z_{p}, A = P, B = Q (=kP), \\ & & C = r : (A, B, C) \}. \end{array} $$
The advantage of any probabilistic, polynomial-time, 0/1-valued distinguisher \(\mathcal {D}\) in solving ECDLP on \(E_p(a, b)\) is defined as \(Adv_{\mathcal {D},E_{p}(a,b)}^{ECDLP} =| Pr[(A, B, C) \leftarrow D_{real}: \mathcal {D}(A, B, C) = 1] - Pr[(A, B, C) \leftarrow D_{rand}: \mathcal {D}(A, B, C) = 1] |\), where the probability \(Pr[\cdot]\) is taken over the random choices of \(k\) and \(r\). \(\mathcal {D}\) is said to be a \((t_2, \epsilon_2)\)-ECDLP distinguisher for \(E_p(a, b)\) if \(\mathcal {D}\) runs in time at most \(t_2\) such that \(Adv_{\mathcal {D},E_{p}(a,b)}^{ECDLP} (t_{2})\ge \epsilon _{2}\). ECDLP assumption: There exists no \((t_2, \epsilon_2)\)-ECDLP distinguisher for \(E_p(a, b)\). In other words, for every probabilistic, polynomial-time 0/1-valued distinguisher \(\mathcal {D}\), we have \(Adv_{\mathcal {D},E_{p}(a,b)}^{ECDLP}(t_{2}) \le \epsilon _{2}\), for any sufficiently small \(\epsilon_2 > 0\).

Review and cryptanalysis of Tan’s scheme, and Arshad and Nikooghadam’s scheme

In this section, we briefly review the recently proposed Tan’s scheme [51]. We use the notations given in Table 1 for describing and analyzing Tan’s scheme. We also point out the security flaw found in Arshad and Nikooghadam’s scheme [2], which is an improvement over Tan’s scheme. We omit the review of Arshad and Nikooghadam’s scheme in this paper to save space; the detailed description of their scheme can be found in [2].
Table 1  Notations used in this paper

  Symbol            Description
  \(S_j\)           Telecare medicine information system server
  \(U_i\)           \(i\)th user
  \(ID_i\)          Identity of user \(U_i\)
  \(PW_i\)          Password of user \(U_i\)
  \(B_i\)           Biometric information of \(U_i\)
  \(K\)             1024-bit secret number only known to \(U_i\)
  \(h(\cdot)\)      Collision-free one-way hash function
  \(X_s\)           1024-bit secret master key of \(S_j\)
  \(Y\)             Public key of \(S_j\)
  \(p\)             A large prime number or \(p = 2^m\), for some large integer \(m > 0\)
  \(E_p(a, b)\)     An elliptic curve defined over the finite field \(GF(p)\) with parameters \(a\) and \(b\) such that \(4a^3 + 27b^2 \neq 0 \pmod p\)
  \(C \oplus D\)    Bitwise XOR of data \(C\) with data \(D\)
  \(C || D\)        Data \(C\) concatenated with data \(D\)

Tan’s scheme consists of the four phases, namely the registration phase, the login phase, the authentication and key agreement phase, and the password and biometric update phase. At first, the telecare medicine information system server, Sj selects a master key \(X_{s} \in Z_{q}^{\ast }\) and a secure collision-resistant chaotic one-way hash function \(h: \{ 0, 1\}^{\ast } \rightarrow Z_{q}^{\ast }\). Sj then computes the system’s public key Y = XsP and declares it as public.

Description of Tan’s scheme

Tan’s scheme consists of the following phases.

Registration phase

This phase consists of the following steps:
  1. Step 1. The user Ui first selects an identity IDi, a password PWi, and a random secret number N, and imprints the biometric information Bi at a sensor. Ui then computes d = h(PWi||Bi) ⊕ N and sends the message 〈IDi, d〉 to the server Sj via a secure channel.

  2. Step 2. When the server Sj receives the message in Step 1, it computes c = h(IDi||Xs) ⊕ d and issues a smart card containing the information {c, P, q, Y, h(⋅)} to the user Ui via a secure channel.

  3. Step 3. After receiving the smart card, the user Ui computes \(d_1 = c \oplus N\) and \(d_2 = b \oplus h(PW_i || B_i || ID_i)\), and then replaces c with \((d_1, d_2)\) in the memory of the smart card. Note that N is not stored in the smart card.

Login phase

This phase has the following steps:
  1. Step 1. The user Ui first inserts his/her smart card into a card reader, and then provides his/her identity IDi, password PWi and imprints the biometric information Bi at the sensor. The smart card computes \(d_{2}^{\ast } = h(PW_{i} || B_{i} || ID_{i})\) and checks the condition \(d_{2}^{\ast } = d_{2}\). If it holds, the smart card continues with the next step. Otherwise, the smart card terminates the phase.

  2. Step 2. The smart card chooses a random number \(r_{i} \in Z_{q}^{\ast }\) and then computes \(x_i = d_1 \oplus h(PW_i \oplus B_i)\), \(R_1 = r_i P\), \(R_2 = r_i Y\), \(v_i = ID_i \oplus h(R_1 || R_2)\), and \(z_i = h(ID_i || v_i || R_1 || R_2 || x_i)\). Finally, the smart card sends the message 〈R1, vi, zi〉 to the server Sj.

Authentication and key agreement phase

This phase consists of the following steps:
  1. Step 1. After receiving the login message 〈R1, vi, zi〉, the server Sj computes \(R_{2}^{\ast } = X_{s} R_{1}\), \(ID_{i}^{\ast } = v_{i} \oplus h\left (R_{1} || R_{2}^{\ast }\right )\), \(x_{i}^{\ast } = h\left (ID_{i}^{\ast } || X_{s}\right )\), and \(z_{i}^{\ast } = h\left (ID_{i}^{\ast } || v_{i} || R_{1} || R_{2}^{\ast } || x_{i}^{\ast }\right )\). After that, Sj checks whether \(z_{i}^{\ast } = z_{i}\) holds. If this verification passes, the server Sj authenticates the user Ui. Otherwise, Sj refuses the login request and the phase is terminated immediately.

  2. Step 2. Sj then chooses a random number \(r \in Z_{q}^{\ast }\), computes R = rP and \(z = h\left (r R_{1} || R_{2}^{\ast } || R || x_{i}^{\ast }\right )\), and sends the message 〈R, z〉 to the user Ui. Sj also computes the session key shared with the user Ui as \(sk = h\left (r R_{1} || ID_{i} || R || x_{i}^{\ast }\right )\).

  3. Step 3. After receiving the message in Step 2, the user Ui computes \(z^{\ast} = h(r_i R || R_2 || R || x_i)\) and checks the condition \(z^{\ast} = z\). If they match, Ui authenticates the server Sj and computes the same session key shared with the server Sj as \(sk = h(r_i R || ID_i || R || x_i)\).

Password and biometric update phase

In this phase, a user Ui can change his/her old password and biometric information locally, without contacting the server Sj, using the following steps:
  1. Step 1. Ui first inserts his/her smart card into the card reader, provides his/her identity IDi and old password PWi, imprints the biometric information Bi at the sensor, and issues an update request to the smart card. The smart card then computes \(d_{2}^{\ast } = h\left (PW_{i} || B_{i} || ID_{i}\right )\) and checks the condition \(d_{2}^{\ast } = d_{2}\). If it holds, the smart card continues this phase. Otherwise, the smart card refuses the update request.

  2. Step 2. The smart card instructs the user Ui to choose his/her new password \(PW_{i}^{new}\) and imprint his/her new biometric template \(B_{i}^{new}\). The smart card then computes \(d_{1}^{new} = d_{1} \oplus h(PW_{i} \oplus B_{i}) \oplus h\left (PW_{i}^{new} \oplus B_{i}^{new}\right )\) and replaces the pair \((d_1, d_2)\) with the computed pair \(\left (d_{1}^{new}, d_{2}^{new}\right )\).

Drawbacks of Tan’s scheme

In this section, we show that Tan’s scheme has the following security loopholes.

Fails to provide proper authentication during the login phase

It is known that the input biometric characteristic of the same person can be slightly different every time [12, 23, 34]. The output of a one-way hash function, including the chaotic one-way hash function, is sensitive, and it may return a completely different output even for a small variation in the input. Biometric information Bi is prone to various noises during data acquisition, and thus exact reproduction of the enrolled biometric is hard in common practice. Suppose a user Ui enters his/her identity IDi and correct password PWi, and imprints the biometric \(B_{i}^{\ast }\), where we assume that \(B_{i}^{\ast }\) is slightly different from Bi at that time. The smart card then computes \(d_{2}^{\ast } = h(PW_{i} || B_{i}^{\ast } || ID_{i}) \neq h(PW_{i} || B_{i} || ID_{i})\), since \(B_{i}^{\ast } \neq B_{i}\). The smart card then checks the condition \(d_{2}^{\ast } = d_{2}\). Since it does not hold, the user’s biometric and password validations fail, and the session is terminated. As a result, a legal user may be unable to pass biometric and password verification at the login phase. Thus, Tan’s scheme fails to provide proper authentication during the login phase.

Fails to provide correct updation during the password and biometric update phase

This analysis is similar to the one above. Assume that the user Ui enters IDi and the correct old password PWi, and imprints his/her biometric template \(B_{i}^{\prime }\), which is slightly different from the Bi given at the time of registration due to the nature of biometric templates. When the smart card computes \(d_{2}^{\prime } = h(PW_{i} || B_{i}^{\prime } || ID_{i})\) and checks the condition \(d_{2}^{\prime } = d_{2}\), the condition fails, since \(B_{i}^{\prime } \neq B_{i}\). As a result, the user Ui may never succeed in passing password and biometric verification, due to the use of the chaotic hash function \(h(\cdot)\). Thus, the smart card refuses the update request, and hence Tan’s scheme also fails to provide proper authentication during the password and biometric update phase.

Fails to protect against replay attack

Suppose an adversary intercepts the login request 〈R1, vi, zi〉 during the login phase and sends the message \(\langle R_{1}^{\ast }, v_{i}^{\ast }, z_{i}^{\ast } \rangle = \langle R_{1}, v_{i}, z_{i} \rangle \) to the server Sj after some time. After receiving this message, Sj computes \(R_{2}^{\ast } = X_{s} R_{1}^{\ast }, ID_{i}^{\ast } = v_{i}^{\ast } \oplus h\left (R_{1}^{\ast } || R_{2}^{\ast }\right ), x_{i}^{\ast } = h\left (ID_{i}^{\ast } || X_{s}\right ),\) and \(z_{i}^{\ast \ast } = h\left (ID_{i}^{\ast } || v_{i}^{\ast } || R_{1}^{\ast } || R_{2}^{\ast } || x_{i}^{\ast }\right ) = h\left (ID_{i} || v_{i} || R_{1} || R_{2}^{\ast } || x_{i}^{\ast }\right )\). Sj then checks the condition \(z_{i}^{\ast \ast } = z_{i}^{\ast }\). Since it holds, Sj authenticates the user Ui and sends back the message 〈R, z〉 to the user Ui, where R = rP and \(z = h\left (r R_{1}^{\ast } || R_{2}^{\ast } || R || x_{i}^{\ast }\right )\). Thus, it is clear that the server Sj cannot detect whether the message \(\langle R_{1}^{\ast }, v_{i}^{\ast }, z_{i}^{\ast } \rangle \) is a replayed message or not. Hence, Tan’s scheme also fails to protect against the replay attack. Note that the replay attack can be addressed by classical methods, such as the Needham-Schroeder-based approaches.

Lack of formal security analysis and verification

Tan’s scheme contains only some informal security analysis; it lacks a rigorous formal security proof and formal security verification using a widely-accepted verification tool such as the AVISPA tool [3].

Drawbacks of Arshad and Nikooghadam’s scheme

In this section, we show that Arshad and Nikooghadam’s scheme [2] has the following security loopholes.

Privileged-insider attack

During the registration phase of Arshad and Nikooghadam’s scheme, a user Ui inputs an identity IDi, a password PWi, and a random number NC. After that, he/she imprints his/her personal biometric Bi at a sensor, and then computes his/her masked password \(MPW_i = PW_i \oplus N_C\) and his/her masked biometric \(MB_i = B_i \oplus N_C\). Finally, Ui sends the registration request message 〈IDi, MPWi, MBi〉 to the telecare server through a secure channel. At the end of the registration phase, after getting the smart card from the telecare server, Ui stores the random number NC in his/her smart card.

Assume that the smart card of Ui is lost/stolen and a privileged-insider attacker of the telecare server obtains this smart card. According to our threat model (provided in Section “Threat model”), the insider attacker can extract all the sensitive information stored in that smart card using the power analysis attacks [28, 37]. Hence, the attacker now knows NC, and also the masked password \(MPW_i = PW_i \oplus N_C\) and the masked biometric \(MB_i = B_i \oplus N_C\), which were provided by the user Ui to the telecare server during the registration phase. Thus, the insider attacker can easily derive the password \(PW_i = MPW_i \oplus N_C\) and also the biometric \(B_i = MB_i \oplus N_C\). This clearly shows that Arshad and Nikooghadam’s scheme is completely insecure against the privileged-insider attack.

Lack of formal security analysis and verification

Arshad and Nikooghadam’s scheme contains only some informal security analysis; it lacks a rigorous formal security proof and formal security verification using a widely-accepted verification tool such as the AVISPA tool [3].

The proposed scheme

In this section, we describe the various phases of our scheme, which are given in the following subsections. We use the notations provided in Table 1 for describing our scheme.

Setup phase

In this phase, the telecare medicine information system server Sj executes the following steps:
  1. Step S1. Sj first selects an elliptic curve Eq(a, b) with the following parameters: q is a large prime such that the elliptic curve discrete logarithm problem (ECDLP) is intractable, and a, b ∈ Zq = {0, 1, … , q − 1} with the condition \(4a^{3} + 27b^{2} \neq 0 \pmod q\), so that the elliptic curve is non-singular.
  2. Step S2. Sj then selects a base point P ∈ Eq(a, b), and a master secret key \(X_{s} \in Z_{q}^{\ast }\), where \(Z_{q}^{\ast } = \{a | 0 < a < q, \gcd (a,q) = 1\}\), that is, \(Z_{q}^{\ast } = \{1, 2, \ldots , q-1\}\).
  3. Step S3. Sj also selects a secure collision-resistant one-way hash function \(h: \{ 0, 1\}^{\ast } \rightarrow Z_{q}^{\ast }\) and the fuzzy extractor functions Gen(⋅) and Rep(⋅), and then computes the public key Y = XsP of the system.
  4. Step S4. The secret key of Sj is Xs. The public parameters are {P, q, Y, h(⋅), Gen(⋅), Rep(⋅)}.

Registration phase

The registration phase of our scheme consists of the following steps:
  1. Step R1. The user Ui selects an identity IDi, and chooses his/her password PWi.
  2. Step R2. Ui generates a 1024-bit secret number K and computes the masked password RPWi = h(IDi||K||PWi).
  3. Step R3. Ui imprints the biometric information Bi at a sensor and applies the fuzzy extractor to generate the secret key bi and a public parameter pari as Gen(Bi) = (bi, pari), as in [16, 23].
  4. Step R4. Ui computes fi = h(RPWi||bi) and sends the registration request message 〈IDi, fi〉 to the server Sj via a secure channel.
  5. Step R5. After receiving the message in Step R4, the server Sj computes ei = h(IDi||Xs) ⊕ fi using its own secret master key Xs and the received information IDi and fi. Sj then generates a smart card SCi for the user Ui containing the information {P, q, Y, h(⋅), Gen(⋅), Rep(⋅), fi, ei, t, pari}, where t is the error tolerance parameter used in the fuzzy extractor, and sends it to the user Ui via a secure channel.
  6. Step R6. After receiving the smart card SCi from the server Sj, Ui computes di = h(IDi||bi) ⊕ K, and stores it into the smart card SCi. As a result, the smart card SCi of the user Ui finally contains the information {P, q, Y, h(⋅), Gen(⋅), Rep(⋅), fi, ei, t, pari, di}.

Remark 1

Note that at the end of the registration phase of our scheme, the identity IDi, password PWi and biometric information Bi are not directly stored in the smart card SCi of the user Ui. In addition, our scheme does not reveal the password PWi or the biometric information Bi of the user Ui to the server Sj either. Thus, our scheme completely protects against the privileged insider attack, due to the collision-resistant property of the one-way hash function h(⋅) and the difficulty of solving the ECDLP. The details are explained in the analysis of the stolen smart card attack, when we analyze the security of our scheme later in this paper.

Login phase

In order to login to the server Sj, the user Ui needs to perform the following steps:
  1. Step L1. Ui first inserts his/her smart card SCi into a card reader. Ui then enters his/her identity IDi and password PWi, and imprints the biometric information Bi at the sensor. Note that if the user Ui plans to use a mobile device to log in to the telecare medicine system, Ui can use the scanning software of the mobile device to obtain Bi, and input {IDi, PWi, Bi} into the login interface of the system as described in Tan’s scheme [51].
  2. Step L2. SCi computes \(b_{i}^{\prime } = Rep(B_{i}, par_{i})\) using the imprint Bi and the parameters t and pari stored in its memory.
  3. Step L3. SCi computes \(K^{\prime } = d_{i} \oplus h(ID_{i} || b_{i}^{\prime })\), using the stored information di in its memory and the computed \(b_{i}^{\prime }\), in order to obtain the secret number K.
  4. Step L4. SCi uses K′ to compute \(RPW_{i}^{\prime } = h(ID_{i} || K^{\prime } || PW_{i})\) and \(f_{i}^{\prime } = h(RPW_{i}^{\prime } || b_{i}^{\prime })\). SCi then checks the condition \(f_{i}^{\prime } = f_{i}\). If it holds, both PWi and Bi entered by Ui are valid, and hence the user Ui passes both the password and biometric verifications. Otherwise, the phase is terminated immediately.
  5. Step L5. SCi computes \(x_{i} = e_{i} \oplus f_{i}^{\prime } (= h(ID_{i} || X_{s}))\), generates a random number \(r_{i} \in Z_{q}^{\ast }\), and then computes R1 = riP, R2 = riY, vi = IDi ⊕ h(R1||R2) ⊕ RNu, and zi = h(IDi||vi||R1||R2||xi||RNu). Here RNu is a random nonce generated by SCi on behalf of the user Ui.
  6. Step L6. Finally, the smart card SCi of the user Ui sends the login request message 〈R1, vi, zi〉 to the server Sj via a public channel.

Remark 2

The input biometric characteristic of the same person can be slightly different every time [12, 23, 34]. A one-way hash function, including a chaotic one-way hash function, is sensitive to its input and may return a completely different output even for a small variation in the input. Due to this sensitivity of the one-way hash function h(⋅), Tan’s scheme cannot tolerate small variations of the biometric feature. On the other hand, even if there is a small variation in the biometric input of a legal user Ui, our scheme has the ability to tolerate it thanks to the fuzzy extractor functions Gen(⋅) and Rep(⋅), as long as the condition \(d(B_{i}, B_{i}^{\prime }) \le t\) is satisfied (provided in Definition 2), where Bi and \(B_{i}^{\prime }\) are the biometrics provided by Ui at the registration time and the login time, respectively. Note that a low-entropy or simple password can be guessed using dictionary attacks [33]. However, as pointed out in [33], as compared to low-entropy passwords, biometric keys cannot be lost or forgotten, are very difficult to copy or share, are extremely hard to forge or distribute, and cannot be guessed easily. Therefore, it is a very difficult task for an attacker to forge or guess a legal user Ui’s biometrics Bi. As a result, that attacker will not be able to produce a small variation of the legal user Ui’s biometrics Bi, and he/she cannot pass the biometric verification during the login phase.

Authentication and key agreement phase

After receiving the login request message 〈R1, vi, zi〉 from the user Ui, the server Sj authenticates Ui. In this phase, for mutual authentication purpose, Ui also authenticates Sj. Finally, both Ui and Sj establish a common secret session key SKij for their future secure communication after successful mutual authentication between them. Ui and Sj perform the following steps:
  1. Step AK1. Sj computes \(R_{2}^{\ast } = X_{s} R_{1} = X_{s}(r_{i} P) = r_{i} (X_{s} P) = r_{i} Y\) and \(RN_{u}^{\ast } = ID_{i} \oplus v_{i} \oplus h(R_{1} || R_{2}^{\ast })\), \(x_{i}^{\ast } = h(ID_{i} || X_{s})\), and \(z_{i}^{\ast } = h(ID_{i} || v_{i} || R_{1} || R_{2}^{\ast } || x_{i}^{\ast } || RN_{u}^{\ast })\). Note that for computing \(RN_{u}^{\ast }\), the server Sj knows IDi, because it is sent during the registration phase by the user Ui via a secure channel. Sj then compares the computed \(z_{i}^{\ast }\) with the received zi. If there is a mismatch between them, the phase is terminated immediately. Otherwise, Sj authenticates the user Ui as a valid user.

     In order to protect against the replay and man-in-the-middle attacks, we adopt a strategy similar to that in [12, 34]. The server Sj stores \((ID_{i}, RN_{u}^{\ast })\) in its database. When the server Sj later receives another login request message \(\langle R_{1}^{\prime }, v_{i}^{\prime }, z_{i}^{\prime } \rangle \) from Ui, it computes \(R_{2}^{\prime } = X_{s} R_{1}^{\prime }\), \(RN_{u}^{\prime } = ID_{i} \oplus v_{i}^{\prime } \oplus h(R_{1}^{\prime } || R_{2}^{\prime })\), \(x_{i}^{\prime } = h(ID_{i} || X_{s})\) and \(z_{i}^{\prime \prime } = h(ID_{i} || v_{i}^{\prime } || R_{1}^{\prime } || R_{2}^{\prime } || x_{i}^{\prime } || RN_{u}^{\prime })\). If \(z_{i}^{\prime \prime } = z_{i}\), then Sj concludes that the login request message is a replayed one, and in that case \(RN_{u}^{\prime } = RN_{u}^{\ast }\). As a result, Sj rejects this login request message. Otherwise, Sj authenticates Ui and replaces the pair \((ID_{i}, RN_{u}^{\ast })\) by \((ID_{i}, RN_{u}^{\prime })\) in its database, since the login request message is treated as a fresh one. Note that Sj can store \(RN_{u}^{\ast }\) for a longer time in order to ensure that the same login message cannot be replayed by any attacker for a period at least as long as the expiry of the session key between a user Ui and the server Sj. One can also use a timestamp along with the random nonces to protect against the replay attack more strongly, if the nodes’ clocks are synchronized.
  2. Step AK2. Sj chooses a random number \(s_{i} \in Z_{q}^{\ast }\). Sj then generates a random nonce RNs, and computes the following: \(R_{3} = s_{i} P, y_{i} = x_{i}^{\ast } \oplus RN_{s} \oplus RN_{u}^{\ast },\) and \(z_{i}^{\ast \ast } = h(s_{i} R_{1} || R_{2}^{\ast } || R_{3} || y_{i} || RN_{u}^{\ast } || RN_{s} || SK_{ij}),\) where \(SK_{ij} = h(ID_{i} || x_{i}^{\ast } || RN_{u}^{\ast } || RN_{s} || R_{2}^{\ast } || R_{3})\) is the secret session key to be shared with the user Ui. Sj then sends the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) to the smart card SCi (user Ui) via a public channel.
  3. Step AK3. After receiving the message in Step AK2, the smart card SCi of the user Ui computes the following: \(r_{i} R_{3} = r_{i} (s_{i} P) = s_{i} (r_{i} P) = s_{i} R_{1}, RN_{s}^{\ast } = y_{i} \oplus x_{i} \oplus RN_{u}, SK_{ji} = h(ID_{i} || x_{i} || RN_{u} || RN_{s}^{\ast } || R_{2} || R_{3}),\) and \( z_{i}^{\ast \ast \ast } = h(r_{i} R_{3} || R_{2} || R_{3} || y_{i} || RN_{u} || RN_{s}^{\ast } || SK_{ji})\). SCi then checks the condition \(z_{i}^{\ast \ast \ast } = z_{i}^{\ast \ast }\). If they are equal, Sj is authenticated by the user Ui. Otherwise, Ui refuses the authentication request.
  4. Step AK4. Finally, Ui stores SKji and Sj stores SKij for their future secure communication. Note that SKij = SKji.
The summary of registration phase, login phase, and authentication and key agreement phase of our scheme is given in Table 2.
Table 2

Summary of exchanged messages during the registration phase, login phase, and authentication and key agreement phase of our scheme

Phase | Message and direction (→: User (Ui)/Smart Card (SCi) to Server (Sj); ←: Sj to Ui/SCi) | Channel
Registration | \(\langle ID_{i}, f_{i} \rangle\) → | secure channel
Registration | ← SmartCard(P, q, Y, h(⋅), Gen(⋅), Rep(⋅), fi, ei, t, pari) | secure channel
Login | \(\langle R_{1}, v_{i}, z_{i} \rangle\) → | public channel
Authentication and key agreement | ← \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle\) | public channel
Authentication and key agreement | Ui/SCi computes \(SK_{ij} = h(ID_{i} || x_{i} || RN_{u} || RN_{s}^{\ast } || R_{2} || R_{3})\); Sj computes \(SK_{ij} = h(ID_{i} || x_{i}^{\ast } || RN_{u}^{\ast } || RN_{s} || R_{2}^{\ast } || R_{3})\). | –
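The setup, registration, login and authentication and key agreement phases summarized above, run end to end as an added example (not the paper’s own code): a constructed 19-point toy curve stands in for Eq(a, b), a simple integer code-offset sketch stands in for Gen(⋅)/Rep(⋅), SHA-256 plays h(⋅), and the identity, password, template and run() helper are constructed for illustration. It exercises the Step L4 password/biometric check, the tolerance t of the fuzzy extractor, and the Step AK1 replay check on the stored (IDi, RNu*) pair.

```python
import hashlib
import secrets

# Toy curve E_17(2, 2): y^2 = x^3 + 2x + 2 over Z_17 (4a^3 + 27b^2 = 4 mod 17), base
# point P = (5, 1) of prime order 19. Constructed for illustration only, not secure.
Q, A, B, P, ORDER = 17, 2, 2, (5, 1), 19
T = 3                                   # fuzzy-extractor error tolerance t

def ec_add(p1, p2):                     # point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def ec_mul(k, pt):                      # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h(*parts):                          # h(a || b || ...) as a 256-bit integer
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def gen(bio):                           # Gen(B) = (b_i, par_i): toy code-offset sketch
    r = secrets.randbelow(2 ** 20) * (2 * T + 1)    # random codeword, a multiple of 2t+1
    return h("bio", r), bio - r

def rep(bio, par):                      # Rep(B', par_i) == b_i whenever |B' - B| <= t
    r = round((bio - par) / (2 * T + 1)) * (2 * T + 1)
    return h("bio", r)

def setup():                            # Steps S1-S4: (X_s, Y = X_s P)
    xs = 1 + secrets.randbelow(ORDER - 1)
    return xs, ec_mul(xs, P)

def register(xs, id_i, pw, bio):        # Steps R1-R6: returns the smart-card contents
    k = secrets.randbits(1024)
    b_i, par = gen(bio)
    f_i = h(h(id_i, k, pw), b_i)        # f_i = h(RPW_i || b_i), RPW_i = h(ID_i || K || PW_i)
    e_i = h(id_i, xs) ^ f_i             # server: e_i = h(ID_i || X_s) xor f_i
    d_i = h(id_i, b_i) ^ k              # user:   d_i = h(ID_i || b_i) xor K
    return {"f": f_i, "e": e_i, "par": par, "d": d_i}

def login(card, y, id_i, pw, bio):      # Steps L1-L6: (<R1, v_i, z_i>, state) or None
    b_p = rep(bio, card["par"])
    k_p = card["d"] ^ h(id_i, b_p)
    if h(h(id_i, k_p, pw), b_p) != card["f"]:   # Step L4: f_i' != f_i -> reject
        return None
    x_i = card["e"] ^ card["f"]         # x_i = e_i xor f_i' = h(ID_i || X_s)
    r_i = 1 + secrets.randbelow(ORDER - 1)
    r1, r2, rn_u = ec_mul(r_i, P), ec_mul(r_i, y), secrets.randbits(256)
    v_i = id_i ^ h(r1, r2) ^ rn_u
    z_i = h(id_i, v_i, r1, r2, x_i, rn_u)
    return (r1, v_i, z_i), {"r": r_i, "R2": r2, "x": x_i, "rn_u": rn_u}

def server_auth(xs, id_i, msg, last_rn_u):  # Steps AK1-AK2 with the (ID_i, RN_u*) check
    r1, v_i, z_i = msg
    r2 = ec_mul(xs, r1)                 # R2* = X_s R1 = r_i Y
    rn_u = id_i ^ v_i ^ h(r1, r2)
    x_s = h(id_i, xs)
    if h(id_i, v_i, r1, r2, x_s, rn_u) != z_i or rn_u == last_rn_u:
        return None                     # forged login, or replay of the stored nonce
    s_i = 1 + secrets.randbelow(ORDER - 1)
    r3, rn_s = ec_mul(s_i, P), secrets.randbits(256)
    y_i = x_s ^ rn_s ^ rn_u
    sk = h(id_i, x_s, rn_u, rn_s, r2, r3)                 # SK_ij
    z2 = h(ec_mul(s_i, r1), r2, r3, y_i, rn_u, rn_s, sk)  # z_i**
    return (r3, y_i, z2), sk, rn_u

def user_verify(id_i, st, msg):         # Step AK3: SK_ji, or None if z_i*** != z_i**
    r3, y_i, z2 = msg
    rn_s = y_i ^ st["x"] ^ st["rn_u"]
    sk = h(id_i, st["x"], st["rn_u"], rn_s, st["R2"], r3)
    z3 = h(ec_mul(st["r"], r3), st["R2"], r3, y_i, st["rn_u"], rn_s, sk)
    return sk if z3 == z2 else None

# Constructed sample credentials; the biometric is an integer template for the toy sketch.
ID_I, PW, BIO = int.from_bytes(b"patient-007", "big"), "correct-horse", 123456

def run(bio_drift=0, wrong_pw=False, replay=False):   # one full run, returns a verdict
    xs, y = setup()
    card = register(xs, ID_I, PW, BIO)
    res = login(card, y, ID_I, PW + "x" if wrong_pw else PW, BIO + bio_drift)
    if res is None:
        return "login rejected"
    msg1, st = res
    msg2, sk_s, rn_u = server_auth(xs, ID_I, msg1, None)
    if replay:                          # attacker resends the captured <R1, v_i, z_i>
        return "replay rejected" if server_auth(xs, ID_I, msg1, rn_u) is None else "replay accepted"
    return "key agreed" if user_verify(ID_I, st, msg2) == sk_s else "key mismatch"
```

A biometric drift of up to t = 3 units still reproduces bi and completes the key agreement, while a drift of 4, a wrong password, or a replayed login message is rejected at the step the scheme specifies.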

Password and biometric update phase

In this phase, the user Ui can update/change his/her password as well as biometric template without further contacting the server Sj. The following steps are essential for this phase:
  1. Step PB1. Ui first inserts his/her smart card into a card reader, inputs his/her identity IDi and old password \(PW_{i}^{old}\), and imprints the old biometric information \(B_{i}^{old}\) at the sensor.
  2. Step PB2. The smart card SCi of the user Ui computes \(b_{i}^{old} = Rep(B_{i}^{old}, par_{i})\) and \(K^{\ast } = d_{i} \oplus h(ID_{i} || b_{i}^{old})\). SCi then computes \(RPW_{i}^{old} = h(ID_{i} || K^{\ast } || PW_{i}^{old})\) and \(f_{i}^{old} = h(RPW_{i}^{old} || b_{i}^{old})\).
  3. Step PB3. SCi then checks the condition \(f_{i}^{old} = f_{i}\). If it holds, both the entered \(PW_{i}^{old}\) and \(B_{i}^{old}\) are authenticated by SCi. Otherwise, SCi refuses the update request.
  4. Step PB4. SCi asks the user Ui to enter his/her newly chosen password \(PW_{i}^{new}\) and to imprint the new biometric template \(B_{i}^{new}\) at the sensor. SCi computes \(x = e_{i} \oplus f_{i}^{old} = h(ID_{i} || X_{s})\) and \(RPW_{i}^{new} = h(ID_{i} || K^{\ast } || PW_{i}^{new})\).
  5. Step PB5. SCi then applies the fuzzy extractor function Gen(⋅) on \(B_{i}^{new}\) to generate the secret key \(b_{i}^{new}\) and the public parameter \(par_{i}^{new}\) as \(Gen(B_{i}^{new}) = (b_{i}^{new}, par_{i}^{new})\). SCi further computes \(f_{i}^{new} = h(RPW_{i}^{new} || b_{i}^{new}), e_{i}^{new} = x \oplus f_{i}^{new} = h(ID_{i} || X_{s}) \oplus f_{i}^{new},\) and \(d_{i}^{new} = h(ID_{i} || b_{i}^{new}) \oplus K^{\ast }\).
  6. Step PB6. Finally, the smart card SCi replaces fi, ei, di and pari by \(f_{i}^{new}\), \(e_{i}^{new}\), \(d_{i}^{new}\) and \(par_{i}^{new}\), respectively, in its memory.

Security analysis of the proposed scheme

In this section, we show that our scheme is secure against various known attacks.

Informal security analysis

Through the informal security analysis, we show that our scheme has the ability to resist the following attacks and to provide the following features.

Reflection attack

Suppose that an attacker (adversary) intercepts a login request message 〈R1, vi, zi〉. To mount the reflection attack, the attacker replaces yi with vi and \(z_{i}^{\ast \ast }\) with zi in the authentication request message, and sends 〈R3, vi, zi〉 back to the server as if it were a valid login request message. Upon receiving this message, the server Sj computes \(R_{2}^{\ast } = X_{s} R_{3} = s_{i} Y \neq r_{i} Y, RN_{u}^{\ast } = ID_{i} \oplus v_{i} \oplus h(R_{3} || R_{2}^{\ast }) \neq RN_{u}, x_{i}^{\ast } = h(ID_{i} || X_{s}), z_{i}^{\ast } = h(ID_{i} || v_{i} || R_{3} || R_{2}^{\ast } || x_{i}^{\ast } || RN_{u}^{\ast }) \neq h(ID_{i} || v_{i} || R_{1} || R_{2} || x_{i} || RN_{u})\), since R3 ≠ R1. As a result, the verification condition \(z_{i}^{\ast } = z_{i}\) will fail, and the server Sj will terminate this request. Hence, it is clear that, as in Tan’s scheme, our scheme also protects against the reflection attack.

Replay attack

Suppose an attacker intercepts the login request message 〈R1, vi, zi〉 during the login phase, and sends the message \(\langle R_{1}^{\prime }, v_{i}^{\prime }, z_{i}^{\prime } \rangle = \langle R_{1}, v_{i}, z_{i} \rangle \) to the server Sj again. However, according to the strategy suggested in Step AK1 of our authentication and key agreement phase, this message will be detected as a replay message, since Sj keeps the track of the pair \((ID_{i}, RN_{u}^{\ast })\) in its database for a longer time period. Hence, the replay attack is protected in our scheme.

Man-in-the-middle attack

Assume that an attacker intercepts the login request message 〈R1, vi, zi〉 during the login phase. Note that P and Y are public, whereas Xs is secret to Sj only and IDi is known to both Ui and Sj only. Let the attacker select a random number \(r_{i}^{\prime } \in Z_{q}^{\ast }\) and then compute \(R_{1}^{\prime } = r_{i}^{\prime } P\) and \(R_{2}^{\prime } = r_{i}^{\prime } Y\). Furthermore, the attacker generates a random nonce \(RN_{u}^{\prime }\). To compute \(v_{i}^{\prime } = ID_{i} \oplus h(R_{1}^{\prime } || R_{2}^{\prime }) \oplus RN_{u}^{\prime }\), it is clear that the attacker needs to know IDi. However, IDi is unknown to the attacker. Thus, the attacker has no way to compute \(v_{i}^{\prime }\) and also \(z_{i}^{\prime } = h(ID_{i} || v_{i}^{\prime } || R_{1}^{\prime } || R_{2}^{\prime } || x_{i}^{\prime } || RN_{u}^{\prime })\) as computation of \(x_{i}^{\prime } = h(ID_{i} || X_{s})\) is a computationally infeasible problem and IDi is unknown to that attacker. Hence, the attacker does not have any ability to modify the message 〈R1, vi, zi〉 as a valid login request message \(\langle R_{1}^{\prime }, v_{i}^{\prime }, z_{i}^{\prime } \rangle \) in between the communication, and our scheme protects against man-in-the-middle attacks.

Many logged-in users with the same login-id attack

The systems which maintain a password/verifier table in order to verify the user login are usually vulnerable to the many logged-in users with the same login-id attack. In our scheme, the server Sj and the user Ui do not maintain any verifier table. To log in to the server, a user Ui must have a valid triple 〈IDi, PWi, Bi〉 and a smart card corresponding to this information. Note that our scheme requires on-card computation for password and biometric verification. Further, PWi and bi of the user Ui are protected by h(⋅). Even if two users Ui and Uj have the same password PWi, the hash values fi = h(h(IDi||Ki||PWi)||bi) and fj = h(h(IDj||Kj||PWj)||bj) are distinct due to the properties of personal biometrics, the random numbers Ki and Kj selected by the users Ui and Uj, respectively, and the identities IDi and IDj. Since our scheme requires on-card computation to log in to the server, once the smart card is removed from the system, the login session is terminated. As a result, our scheme prevents the many logged-in users with the same login-id attack.

Session key security

Suppose an attacker intercepts the login message 〈R1, vi, zi〉 during the login phase and the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) during the authentication and key agreement phase. The secret session key \(SK_{ij} = h(ID_{i} || x_{i}^{\ast } || RN_{u}^{\ast } || RN_{s} || R_{2}^{\ast } || R_{3})\) is embedded in \(z_{i}^{\ast \ast }\) and also protected by the one-way hash function h(⋅). In addition, to compute SKij the attacker needs to know IDi, \(x_{i}^{\ast }\), RNu, RNs and \(R_{2}^{\ast }\). Hence, due to the collision-resistant one-way property of h(⋅), it is a computationally infeasible problem for the attacker to derive SKij.

Parallel session attack

When an attacker wants to start another parallel session by sending the previous session’s login request message 〈R1, vi, zi〉 to the server Sj, Sj detects the message as a previous one, because the random nonce contained in the message matches the random nonce stored in Sj’s database for that user Ui. Further, the attacker does not have any ability to change this message, because the attacker does not know IDi. The parallel session attack is thus completely prevented in our scheme.

Protection of user anonymity

Suppose an attacker intercepts the login request message 〈R1, vi, zi〉 during the login phase and the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) during the authentication and key agreement phase of our scheme. Note that these values are protected by the one-way collision-resistant hash function h(⋅) and also determined by two random numbers ri and si, and two random nonces RNu and RNs. Due to this, these messages are different in each protocol run and as a result, the attacker can not link two login messages of a particular user Ui. Hence, our scheme preserves the user anonymity property.

Stolen smart card attack

Suppose an attacker obtains a stolen/lost smart card SCi of a legal user Ui. Then, according to our threat model, the attacker can easily extract all the sensitive information {P, q, Y, h(⋅), Gen(⋅), Rep(⋅), fi, ei, t, pari, di} from the memory of the smart card SCi by monitoring the power consumption of the smart card [28, 37]. Using fi and ei, the attacker can compute h(IDi||Xs) = ei ⊕ fi. However, both the identity IDi of the user Ui and the secret master key Xs of the server Sj are unknown to the attacker. Due to the one-way collision-resistant property of h(⋅), it is a computationally infeasible task for the attacker to derive Xs. We have fi = h(RPWi||bi) = h(h(IDi||K||PWi)||bi) and di = h(IDi||bi) ⊕ K. Again, the attacker does not know IDi, K, bi and PWi. To guess PWi and bi correctly, the attacker needs to know IDi and K. Due to the secure one-way hash function h(⋅), the attacker does not have any ability to derive PWi and bi. Thus, our scheme is secure against the stolen smart card attack.

Offline password guessing attack

As in stolen smart card attacks discussed above, the attacker does not have any ability to derive the password PWi of a legal user Ui even if the attacker obtains the user Ui’s stolen/lost smart card. This is because the attacker needs to know IDi, K and bi to derive PWi. As a result, our scheme has the ability to resist the offline password guessing attack.

Online password guessing attack

In this attack, an attacker tries to derive the password PWi of a user Ui by intercepting all messages during the various phases. Note that during the registration phase, the messages are transmitted securely between the user and the server. Suppose an attacker tries to retrieve secret data by intercepting all transmitted messages 〈R1, vi, zi〉 and \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) in a previous session. None of these messages involves the user’s password PWi directly or indirectly. As a result, these messages are not helpful for deriving the password PWi of a user Ui. Hence, our scheme is also secure against the online password guessing attack.

Privileged insider attack

During the registration phase, an insider attacker at the server Sj may try to learn PWi and bi of a user Ui. However, in our scheme Sj receives only the registration request message 〈IDi, fi〉 from Ui during the registration phase. Note that fi = h(RPWi||bi) = h(h(IDi||K||PWi)||bi), and Gen(Bi) = (bi, pari). Since K is not revealed to the server Sj and is only known to Ui, and since PWi and bi are protected by h(⋅), Sj does not have any ability to determine or correctly guess PWi and Bi. Hence, the insider attack is eliminated from our scheme.

Mutual authentication

In our scheme, after receiving the login request message 〈R1, vi, zi〉 from the user Ui, the server Sj checks whether the condition \(z_{i}^{\ast } = z_{i}\) holds. If they are equal, Sj authenticates the user Ui as a valid user. On the other hand, after receiving the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \), the smart card SCi of the user Ui checks the condition \(z_{i}^{\ast \ast \ast } = z_{i}^{\ast \ast }\). If this condition holds, Ui authenticates Sj as a valid server. Thus, our scheme provides mutual authentication between Ui and Sj.

Server not knowing password and biometric

During the registration phase of our scheme, the user Ui sends the registration request message 〈IDi, fi〉 to the server Sj via a secure channel, where fi = h(RPWi||bi) = h(h(IDi||K||PWi)||bi), and Gen(Bi) = (bi, pari). Note that Sj does not know K, PWi and bi. To know PWi, the server Sj needs to know K and bi. Due to the collision-resistant property of h(⋅), it is a computationally infeasible problem for Sj to derive PWi and Bi since K is a 1024-bit secret number only known to the user Ui.

Freedom of password and biometric update

In our scheme, before the user Ui updates his/her old password and biometric pair \(\{PW_{i}^{old}, B_{i}^{old} \}\) by new password and biometric pair \(\{PW_{i}^{new}, B_{i}^{new} \}\), the smart card SCi of the user Ui computes \(b_{i}^{old} = Rep(B_{i}^{old}, par_{i})\), \(K^{\ast } = d_{i} \oplus h(ID_{i} || b_{i}^{old})\), \(RPW_{i}^{old} = h(ID_{i} || K^{\ast } || PW_{i}^{old})\) and also \(f_{i}^{old} = h(RPW_{i}^{old} || b_{i}^{old})\). After that SCi compares \(f_{i}^{old}\) with the stored fi. If they match, then only SCi continues the update phase. Also, it is noted that during the entire duration of the password and biometric update phase, SCi executes these operations without involving the server Sj. As a result, Sj is totally unaware of the password as well as biometric update.

Three-factor security

In the three-factor security model, the main goals of an attacker are to mount an impersonation attack where the attacker has learned at most two elements of the triple {PWi, SCi, Bi}, in order to obtain the last element or to compromise the user anonymity. As in the analysis of Tan’s scheme, it is also clear that our scheme provides the three-factor security.

Formal security analysis

In this section, using the formal security analysis under the random oracle model, we show that our scheme is secure. We prove the formal security by the method of contradiction as in [11]. We follow a similar analysis to that in [8, 9, 13, 14, 16, 18, 42, 43, 44]. Note that one can also prove the formal security in the standard model. However, in this paper, we perform the formal security analysis under the generic group model of cryptography.

In order to use the method of contradiction proof [11] for our formal security analysis, we assume that there exist the following two oracles for an adversary:
  • Reveal1: This oracle will unconditionally output the input x from the corresponding hash value y = h(x).
  • Reveal2: Given P ∈ Eq(a, b) and the public key Q = kP ∈ Eq(a, b), this oracle will unconditionally output the private key k.

Theorem 1

Under the elliptic curve discrete logarithm problem (ECDLP) assumption, our proposed scheme is secure against an adversary for deriving the identity IDi and the session key SKij between a user Ui and the server Sj, if the one-way hash function h(⋅) closely behaves like a random oracle.

Proof

In this proof, we need to construct an adversary (attacker) \(\mathcal {A}\) who will have the ability to derive both IDi and SKij. The adversary \(\mathcal {A}\) uses the random oracles Reveal1 and Reveal2 for running the experimental algorithm, say \(EXP1_{\mathcal {A}, UA}^{HASH,ECDLP}\), provided in Algorithm 1 for our proposed three-factor remote user authentication scheme, say UA. Define the success probability for \(EXP1_{\mathcal {A}, UA}^{HASH, ECDLP}\) as \(Succ1 = 2 Pr[EXP1_{\mathcal {A}, UA}^{HASH,ECDLP} = 1] -1\), where Pr[E] denotes the probability of an event E. The advantage function for this experiment becomes \(Adv1(et_{1}, q_{R_{1}}, q_{R_{2}}) = \max _{\mathcal {A}}\{Succ1\}\), where the maximum is taken over all \(\mathcal {A}\) with execution time et1, and the numbers of queries \(q_{R_{1}}\) and \(q_{R_{2}}\) made to the Reveal1 and Reveal2 oracles, respectively. We say that our scheme is provably secure against an adversary \(\mathcal {A}\) for deriving IDi and SKij, if \(Adv1 (et_{1}, q_{R_{1}}, q_{R_{2}}) \le \epsilon \), for any sufficiently small 𝜖 > 0. According to this experiment, if the adversary \(\mathcal {A}\) has the ability to invert the one-way hash function h(⋅) and solve the ECDLP, he/she can easily derive both IDi and SKij, and win the game. However, by Definition 2.1, it is a computationally infeasible problem to invert h(⋅), that is, \(Adv_{\mathcal {A}}^{HASH} (t_{1}) \le \epsilon _{1}\), for any sufficiently small 𝜖1 > 0. Also, by Definition 2.3, it is computationally infeasible to derive k from P and Q = kP in Eq(a, b), that is, \(Adv_{\mathcal {D},E_{p}(a,b)}^{ECDLP}(t_{2}) \le \epsilon _{2}\), for any sufficiently small 𝜖2 > 0. Hence, we have \(Adv1 (et_{1}, q_{R_{1}}, q_{R_{2}}) \le \epsilon \), since \(Adv1\, (et_{1}, q_{R_{1}}, q_{R_{2}})\) depends on the other advantages \(Adv_{\mathcal {A}}^{HASH} (t_{1})\) and \(Adv_{\mathcal {D},E_{p}(a,b)}^{ECDLP}(t_{2})\). □

Theorem 2

Under the assumption that the one-way hash function h(⋅) closely behaves like an oracle, our proposed scheme is secure against an adversary for deriving the secret key Xs of the server Sj, and the password PWi and the biometric key bi of the user Ui.

Proof

We construct an adversary \(\mathcal {A}\) who will have the ability to derive the secret key Xs of the server Sj, and the password PWi and the biometric key bi of the user Ui. For this purpose, the adversary \(\mathcal {A}\) can run the experiment provided in Algorithm 2 for our proposed three-factor remote user authentication scheme. We define the success probability for this experiment as \(Succ2 = Pr[EXP2_{\mathcal {A}, UA}^{HASH} = 1] -1\). The advantage function for this experiment is \(Adv2\,(et_{2}, q_{R_{1}}) = \max _{\mathcal {A}}\{Succ2\}\), where the maximum is taken over all \(\mathcal {A}\) with execution time et2, and the number of queries \(q_{R_{1}}\) made to the Reveal1 oracle. Our scheme is said to be provably secure against an adversary \(\mathcal {A}\) for deriving the secret key Xs of the server Sj, and the password PWi and the biometric key bi of the user Ui, if \(Adv2 (et_{2}, q_{R_{1}}) \le \epsilon \), for any sufficiently small 𝜖 > 0. According to the experiment provided in Algorithm 2, if the adversary \(\mathcal {A}\) has the ability to invert the one-way hash function h(⋅), he/she can easily derive Xs, PWi and bi, and win the game. However, by Definition 2.1, it is a computationally infeasible problem to invert h(⋅), that is, \(Adv_{\mathcal {A}}^{HASH} (t_{1}) \le \epsilon _{1}\), for any sufficiently small 𝜖1 > 0. Hence, we have \(Adv2\,(et_{2}, q_{R_{1}}) \le \epsilon \), since \(Adv2\,(et_{2}, q_{R_{1}})\) depends on the advantage \(Adv_{\mathcal {A}}^{HASH} (t_{1})\). □

Simulation for formal security verification of our scheme using AVISPA tool

In this section, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool in order to show that our scheme is secure. We have further simulated Tan’s scheme for the formal security analysis, and show that Tan’s scheme is not secure.

AVISPA overview

AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques [3]. We have used the widely-accepted AVISPA back-ends for our formal security verification [9, 13, 14, 17, 24]. AVISPA consists of four back-ends, which are OFMC, CL-AtSe, SATMC and TA4SP. A static analysis needs to be performed in order to check the executability of the protocol, and then the protocol and the intruder actions are compiled into an intermediate format (IF). IF is the starting point for the four automated protocol analysis techniques. It is a lower-level language than HLPSL, and is read directly by the back-ends of the AVISPA tool. The detailed descriptions of these back-ends are given in [3].

In AVISPA, the designed protocols need to be specified in the HLPSL language [53]. HLPSL is based on roles: the basic roles represent each participant role, and composition roles represent the scenarios of basic roles. Each role is independent of the others; it gets some initial information through parameters, and then communicates with the other roles by channels. In HLPSL, the intruder is always modeled using the Dolev-Yao model [20] (as in the threat model used in this paper), with the possibility for the intruder to assume a legitimate role in a protocol run. The role system defines the number of sessions, the number of principals and the roles. The output format (OF) of AVISPA is generated by using one of the four back-ends. When the analysis of a protocol has been successful (by finding an attack or not), the output describes precisely what the result is, and under what conditions it has been obtained. The detailed formats of the OF can be found in [53].

Specifying our scheme

We have implemented the registration phase, the login phase and the authentication and key agreement phase of our scheme in the HLPSL language. In our implementation, we have two basic roles: alice and bob, which represent the participants, namely the user Ui and the telecare medicine information system server Sj, respectively. The specification in HLPSL for the role of the initiator, that is, the user Ui, is shown in Fig. 1. The user Ui first receives the start signal and changes its state from 0 to 1, and then sends the registration request message 〈IDi, fi〉 to the server Sj securely using the Snd() operation. The user Ui is then issued a smart card by the server Sj with the information (P, q, Y, h(⋅), Gen(⋅), Rep(⋅), fi, ei, t, pari), received securely with the Rcv() operation. During the login phase, Ui sends the login request message 〈R1, vi, zi〉 to Sj via a public channel. Finally, Ui receives the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) from Sj via a public channel. Note that the type declaration channel (dy) declares that the channel is for the Dolev-Yao threat model. As a result, the intruder, which is always denoted by i, has the ability to intercept, analyze, and/or modify messages transmitted over the insecure channel. In HLPSL, witness(A,B,id,E) declares a (weak) authentication property of A by B on E: agent A is witness for the information E, and this goal is identified by the constant id in the goal section [3]. On the other hand, request(B,A,id,E) declares a strong authentication property of A by B on E: agent B requests a check of the value E, and this goal is identified by the constant id in the goal section [3]. The declaration witness(Ui, Sj, alice_bob_rnu, RNu’) tells that Ui has freshly generated the value RNu for Sj. The declaration request(Sj, Ui, bob_alice_rns, RNs’) means Ui’s acceptance of the value RNs generated for Ui by Sj. In other words, Ui authenticates Sj based on RNs. The declaration secret(X, id, A) indicates that the information X is kept permanently secret to the agent A, and the label id (of type protocol_id) is used to identify the goal.
Fig. 1 Role specification in HLPSL for the user Ui and the server Sj of our scheme

In Fig. 1, we have also implemented the specification in HLPSL language for the role of the responder, the server Sj. During the registration phase, after receiving the registration request message 〈IDi, fi〉 securely from the user Ui, the server Sj issues a smart card SCi and sends it with the information (P, q, Y, h(⋅), Gen(⋅), Rep(⋅), fi, ei, t, pari) securely to Ui. During the authentication and key agreement phase, after receiving the login request message 〈R1, vi, zi〉 in the login phase via a public channel, the server Sj sends the authentication request message \(\langle R_{3}, y_{i}, z_{i}^{\ast \ast } \rangle \) to Ui via a public channel.

Finally, the roles for the session, and the goal and environment of our scheme are specified in Fig. 2. In the session role, the basic roles alice and bob are instantiated with concrete arguments. The top-level role (environment) is always defined in an HLPSL specification. The intruder participates in the execution of the protocol as a concrete session.
Fig. 2 Role specification in HLPSL for the session, and the goal and environment of our scheme

In the HLPSL implementation of our scheme, we have five secrecy goals and two authentication goals. For example, the secrecy goal secrecy_of subs1 states that Xs is kept secret to the server Sj only, which is indicated by the protocol id subs1. Similarly, we have given the other secrecy goals for the protocol ids subs2, subs3, subs4 and subs5. On the other hand, the authentication goal authentication_on alice_bob_rnu states that Ui (via its smart card SCi) generates a random nonce RNu, where RNu is only known to Ui. When the server Sj receives RNu from other messages from Ui, the server Sj performs a strong authentication for Ui based on RNu. The other authentication goal authentication_on bob_alice_rns indicates that Sj generates a random nonce RNs, where RNs is only known to Sj. If the user Ui receives RNs from other messages from Sj, the user Ui (the smart card SCi) performs a strong authentication for Sj based on RNs.
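The witness/request pairing described above is what the back-end checks for an authentication_on goal. The following Python snippet is an added illustration written for this page, not part of the paper or of the AVISPA tool: it replays a trace of witness and request facts in order and reports whether weak (non-injective) and strong (injective) authentication hold, using the goal name alice_bob_rnu and the agent names Ui and Sj from the specification. The traces, the nonce labels such as RNu#1, and the Witness/Request classes are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Witness:
    """witness(A, B, id, E): agent A vouches for value E towards agent B."""
    agent: str
    peer: str
    goal: str
    value: str


@dataclass(frozen=True)
class Request:
    """request(B, A, id, E): agent B accepts E as freshly produced by A."""
    agent: str
    peer: str
    goal: str
    value: str


def check_authentication(events, goal):
    """Replay a trace of goal facts and return (weak_ok, strong_ok).

    Weak (non-injective) authentication: every request(B, A, id, E) is
    preceded by some witness(A, B, id, E).
    Strong (injective) authentication: in addition, no witness is consumed
    by more than one request, so a replayed E is detected.
    """
    witnessed = Counter()   # (A, B, E) -> how often A vouched for E to B
    requested = Counter()   # same key -> how often B accepted E from A
    weak_ok = True
    for ev in events:
        if ev.goal != goal:
            continue
        if isinstance(ev, Witness):
            witnessed[(ev.agent, ev.peer, ev.value)] += 1
        else:
            # request(B, A, id, E) must be matched by witness(A, B, id, E)
            key = (ev.peer, ev.agent, ev.value)
            requested[key] += 1
            if witnessed[key] == 0:
                weak_ok = False   # accepted a value nobody vouched for
    strong_ok = weak_ok and all(requested[k] <= witnessed[k] for k in requested)
    return weak_ok, strong_ok


# Constructed traces for the goal alice_bob_rnu (Ui = alice, Sj = bob).
HONEST_RUN = [
    Witness("Ui", "Sj", "alice_bob_rnu", "RNu#1"),
    Request("Sj", "Ui", "alice_bob_rnu", "RNu#1"),
]
# The login message is delivered a second time: Sj accepts the same RNu again.
REPLAYED_RUN = HONEST_RUN + [Request("Sj", "Ui", "alice_bob_rnu", "RNu#1")]
# Sj accepts a nonce that Ui never produced (no matching witness at all).
FORGED_RUN = [Request("Sj", "Ui", "alice_bob_rnu", "RNu#i")]

if __name__ == "__main__":
    for name, trace in (("honest", HONEST_RUN), ("replayed", REPLAYED_RUN),
                        ("forged", FORGED_RUN)):
        print(f"{name:9}: weak, strong = {check_authentication(trace, 'alice_bob_rnu')}")
```

In the replayed trace the server accepts the same RNu twice: weak authentication still holds because Ui did produce that value once, but strong authentication fails. That is the distinction behind the replay-attack check that the OFMC run in the next section reports on.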

Simulation results

We have chosen the back-end OFMC for an execution test and for bounded-session model checking [6]. For the replay attack check, this back-end verifies whether the legitimate agents can execute the specified protocol by performing a search of a passive intruder. After that, this back-end gives the intruder the knowledge of some normal sessions between the legitimate agents. For the Dolev-Yao model check, this back-end also checks whether any man-in-the-middle attack is possible for the intruder. We have simulated our scheme for formal security verification using the OFMC back-end under the AVISPA web tool [4]. The simulation results for the formal security verification of our scheme using OFMC are shown in Fig. 3. In this figure, the first printed section, called the SUMMARY, indicates whether the protocol is safe, unsafe, or whether the analysis is inconclusive. The printed SUMMARY section shows that our scheme is safe. The DETAILS section explains under what conditions the protocol is declared safe, what conditions have been used for finding an attack, or why the analysis was inconclusive. It is also noted that our scheme is declared safe, and no attack is found in our scheme. Thus the result in this figure ensures that our scheme is secure against passive and active attacks, including the replay and man-in-the-middle attacks.
Fig. 3 The result of the analysis using the OFMC back-end for our scheme

Since our scheme is an improved three-factor remote user authentication scheme for TMIS over Tan’s scheme, we have further simulated Tan’s scheme for formal security verification using the AVISPA tool. We have implemented the roles for user, server, session, goal and environment in HLPSL for Tan’s scheme, and then simulated it using the OFMC back-end. The simulation results for the formal security verification of Tan’s scheme are shown in Fig. 4. The results clearly indicate that Tan’s scheme is not secure against passive and active attacks, including the replay and man-in-the-middle attacks.
Fig. 4 The result of the analysis using the OFMC back-end for Tan’s scheme

Performance comparison with other related schemes

In this section, we compare the functionality features and performance of our scheme with those for other related three-factor authentication schemes [2, 5, 12, 30, 50, 51].

For the performance comparison, we use the notations listed in Table 3. As pointed out in [23], the computational times of a one-way hashing operation h(⋅), a symmetric encryption/decryption, a modular exponentiation, and an elliptic curve point multiplication are 0.00032 s, 0.0056 s, 0.0192 s, and 0.0171 s, respectively. For an asymmetric cryptosystem (for example, RSA), the computational time for executing an encryption/decryption is taken as that of a modular exponentiation operation. According to the experiments in [31], the time for executing a Chebyshev chaotic map operation is 0.0322 s. As in [23], we also assume that the time for executing a fuzzy extractor is at most the same as that of an elliptic curve point multiplication. We have compared the performance of our scheme with other related three-factor schemes in Table 4 for all the phases. Note that part of the data presented in Table 4 is taken from [51]. It is assumed that the time for executing an XOR operation is negligible. It is observed that the rough computational costs of our scheme and the other schemes [50, 12, 30, 5, 51, 2] are 0.19514 s, 0.01696 s, 0.0048 s, 0.26432 s, 0.04256 s, 0.12482 s, and 0.07608 s, respectively. Note that the registration phase is a one-time process, and the password and biometric update phase is not executed frequently. Thus, the computational complexity of our scheme for the login phase, and the authentication and key agreement phase, becomes 0.12386 s only.
Table 3 Notations used for the computational complexity

Symbol | Description
Th     | Time for performing a one-way hashing operation h(⋅)
TX     | Time for performing an XOR operation
TE     | Time for performing a symmetric encryption operation
TD     | Time for performing a symmetric decryption operation
TPE    | Time for executing an asymmetric encryption operation
TPD    | Time for executing an asymmetric decryption operation
TC     | Time for executing a Chebyshev chaotic map operation
TM     | Time for executing an ECC point multiplication
TFE    | Time for executing a fuzzy extractor

Table 4 Comparison of performance

Phase | Node | [50]           | [12]      | [30]          | [5]               | [51]          | [2]           | Ours
R     | Ui   | 2Th            | –         | 3Th+TX        | 2TX+TPE           | 2Th+3TX       | 2TX           | 2Th+TFE
R     | Sj   | 2Th+TX         | 3Th+3TX   | 2Th+2TX       | 3Th+4TX+TPD       | Th+TX         | 4Th+7TX       | 2Th+2TX
L     | Ui   | 4Th+2TX+TE     | 2Th+3TX   | 5Th+4TX+2TC   | 3Th+3TX           | 4Th+3TX+2TM   | 3Th+5TX+TM    | 5Th+4TX+2TM+TFE
L     | Sj   | –              | –         | –             | –                 | –             | –             | –
AK    | Ui   | 2Th            | 3Th+TX    | 2Th+2TC       | Th+TX             | Th+2TM        | 5Th+2TX+TM    | 5Th+4TX+2TM+TFE
AK    | Sj   | 3Th+TX+TD      | 5Th+2TX   | 5Th+TX+4TC    | 4Th+4TX           | 4Th+TX+3TM    | 8Th+6TX+2TM   | 2Th+2TX+3TM
PB    | Ui   | 5Th+2TX        | 2Th+TX    | 4Th+5TX       | 2Th+4TX           | 4Th+4TX       | 4Th+14TX      | 6Th+4TX+2TFE
PB    | Sj   | –              | –         | –             | –                 | –             | –             | –
Total |      | 18Th+6TX+TE+TD | 15Th+9TX  | 21Th+13TX+8TC | 13Th+18TX+TPE+TPD | 16Th+12TX+7TM | 24Th+36TX+4TM | 22Th+4TFE+14TX+7TM
      |      | ≈0.01696 s     | ≈0.0048 s | ≈0.26432 s    | ≈0.04256 s        | ≈0.12482 s    | ≈0.07608 s    | ≈0.19514 s

Note: R: Registration phase; L: Login phase; AK: Authentication and key agreement phase; PB: Password and biometric update phase
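The cost figures in Table 4 can be recomputed from the unit costs of Table 3 and the per-phase expressions. The Python snippet below is an added example for this page, not code from the paper: it parses Table 4 cost expressions, evaluates them with the unit costs quoted from [23] and [31] (XOR negligible, fuzzy extractor charged as one point multiplication), and sums the per-phase cells of each column so that the tabulated totals and the quoted seconds can be cross-checked. The scheme labels, the row keys such as R/Ui and the function names are the example's own.

```python
import re
from collections import Counter

# Unit costs in seconds as the paper quotes them from [23] and [31]; TX is
# taken as negligible and TFE is charged as one ECC point multiplication.
UNIT_COST = {
    "Th": 0.00032, "TX": 0.0, "TE": 0.0056, "TD": 0.0056, "TPE": 0.0192,
    "TPD": 0.0192, "TC": 0.0322, "TM": 0.0171, "TFE": 0.0171,
}
_CANON = {sym.upper(): sym for sym in UNIT_COST}   # tolerate 'Tc', 'th', ...
_TERM = re.compile(r"^(\d*)(T[A-Za-z]+)$")


def parse_cost(expr):
    """Turn a Table 4 cell such as '22Th+4TFE+14TX+7TM' into {symbol: count}."""
    counts = Counter()
    expr = expr.replace(" ", "")
    if expr in ("", "-", "–"):          # empty cell: no operations in that phase
        return counts
    for term in expr.split("+"):
        m = _TERM.match(term)
        if not m or m.group(2).upper() not in _CANON:
            raise ValueError(f"unknown cost term {term!r} in {expr!r}")
        counts[_CANON[m.group(2).upper()]] += int(m.group(1) or 1)
    return counts


def seconds(expr):
    """Evaluate a cost expression with the unit costs above."""
    return sum(n * UNIT_COST[sym] for sym, n in parse_cost(expr).items())


# Table 4 per-phase cells transcribed per scheme, in this row order
# (registration, login, authentication/key agreement, password/biometric update).
ROWS = ["R/Ui", "R/Sj", "L/Ui", "AK/Ui", "AK/Sj", "PB/Ui"]
TABLE4 = {
    "[50]": ["2Th", "2Th+TX", "4Th+2TX+TE", "2Th", "3Th+TX+TD", "5Th+2TX"],
    "[12]": ["", "3Th+3TX", "2Th+3TX", "3Th+TX", "5Th+2TX", "2Th+TX"],
    "[30]": ["3Th+TX", "2Th+2TX", "5Th+4TX+2TC", "2Th+2TC", "5Th+TX+4TC", "4Th+5TX"],
    "[5]":  ["2TX+TPE", "3Th+4TX+TPD", "3Th+3TX", "Th+TX", "4Th+4TX", "2Th+4TX"],
    "[51]": ["2Th+3TX", "Th+TX", "4Th+3TX+2TM", "Th+2TM", "4Th+TX+3TM", "4Th+4TX"],
    "[2]":  ["2TX", "4Th+7TX", "3Th+5TX+TM", "5Th+2TX+TM", "8Th+6TX+2TM", "4Th+14TX"],
    "Ours": ["2Th+TFE", "2Th+2TX", "5Th+4TX+2TM+TFE", "5Th+4TX+2TM+TFE",
             "2Th+2TX+3TM", "6Th+4TX+2TFE"],
}
TABLE4_TOTAL = {
    "[50]": "18Th+6TX+TE+TD", "[12]": "15Th+9TX", "[30]": "21Th+13TX+8TC",
    "[5]": "13Th+18TX+TPE+TPD", "[51]": "16Th+12TX+7TM", "[2]": "24Th+36TX+4TM",
    "Ours": "22Th+4TFE+14TX+7TM",
}


def column_counts(scheme):
    """Sum the per-phase cells of one column into {symbol: count}."""
    total = Counter()
    for cell in TABLE4[scheme]:
        total.update(parse_cost(cell))
    return total


def phase_seconds(scheme, rows):
    """Cost of the selected rows only, e.g. login plus authentication."""
    return sum(seconds(TABLE4[scheme][ROWS.index(r)]) for r in rows)


def inconsistent_columns():
    """Schemes whose per-phase cells do not add up to the tabulated total."""
    return sorted(s for s in TABLE4
                  if column_counts(s) != parse_cost(TABLE4_TOTAL[s]))


if __name__ == "__main__":
    for s in TABLE4:
        print(f"{s:5} {TABLE4_TOTAL[s]:20} ≈ {seconds(TABLE4_TOTAL[s]):.5f} s")
    print("login + authentication, Ours:",
          round(phase_seconds("Ours", ["L/Ui", "AK/Ui", "AK/Sj"]), 5), "s")
    print("rows vs tabulated total differ for:", inconsistent_columns())
```

Evaluating the Total-row expressions reproduces the seven approximate times printed in Table 4. inconsistent_columns() lists any column whose per-phase cells do not add up to the tabulated total expression; since part of the table is copied from [51], as noted above, a reader comparing schemes should work from the per-phase cells rather than from the copied totals, and phase_seconds() gives the per-phase figures that the text quotes for the login and authentication phases.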

We have compared the functionality of our scheme, in terms of security properties, with that of the other related schemes in Table 5. It is clear that our scheme is superior to the other schemes. Our scheme provides all the functionality such as mutual authentication, the server not knowing the password and biometric, replay attack protection, reflection attack protection, freedom of password and biometric update, three-factor security, user anonymity, key agreement, formal security analysis under random oracle models and formal security verification using the widely-accepted AVISPA tool. In addition, our scheme protects against the other attacks described in Section “Security analysis of the proposed scheme”. None of the other schemes provides formal security analysis and verification. The replay attack is not protected against in [50, 51]. The user anonymity property is not supported in [5, 12, 50]. Moreover, Arshad and Nikooghadam’s scheme [2] fails to protect against the privileged-insider attack. As compared to the other three-factor schemes, our scheme is suitable for real-life practical applications due to its high security.
Table 5 Functionality comparison

      | [50] | [12] | [30] | [5] | [51] | [2] | Ours
F1    | Yes  | Yes  | Yes  | Yes | Yes  | Yes | Yes
F2    | Yes  | No   | Yes  | Yes | Yes  | No  | Yes
F3    | Yes  | No   | No   | Yes | Yes  | No  | Yes
F4    | Yes  | Yes  | Yes  | Yes | Yes  | Yes | Yes
F5    | No   | Yes  | Yes  | Yes | No   | Yes | Yes
F6    | Yes  | Yes  | Yes  | No  | Yes  | Yes | Yes
F7    | Yes  | No   | Yes  | No  | Yes  | Yes | Yes
F8    | No   | No   | Yes  | No  | Yes  | Yes | Yes
F9    | Yes  | No   | Yes  | No  | Yes  | Yes | Yes
F10   | No   | No   | No   | No  | No   | No  | Yes
F11   | No   | No   | No   | No  | No   | No  | Yes

Note: F1: mutual authentication; F2: server not knowing password; F3: server not knowing biometrics; F4: freedom of password and biometric update; F5: replay attack protection; F6: reflection attack protection; F7: three-factor security; F8: user anonymity; F9: key agreement; F10: formal security analysis; F11: formal security verification using AVISPA tool

Conclusion

We have revisited Tan’s recently proposed three-factor authentication scheme for the telecare medicine information systems and shown that, though Tan’s scheme is efficient, it has several security drawbacks. After that, we have also shown that Arshad and Nikooghadam’s scheme, which is an improvement of Tan’s scheme, fails to protect against the privileged-insider attack. To remedy such weaknesses, we have proposed an efficient scheme. Our scheme is shown to be secure through rigorous formal and informal security analysis. In addition, we have shown that our scheme is secure under formal security verification. Though our scheme requires a little more computational cost as compared to Tan’s scheme, Arshad and Nikooghadam’s scheme, and the other schemes, our scheme is more suitable for practical applications due to its high security. Furthermore, it is shown that our scheme preserves the user anonymity property and all the other features which are required for an ideal three-factor authentication scheme for the telecare medicine information systems.

Acknowledgments

The author would like to acknowledge the helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.

References

  1. An, Y., Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards. J. Biomed. Biotechnol. 2012:1–6, 2012. Article ID 519723.
  2. Arshad, H., and Nikooghadam, M., Three-Factor Anonymous Authentication and Key Agreement Scheme for Telecare Medicine Systems Information. J. Med. Syst. 38(6):1–12, 2014.
  3. AVISPA: Automated Validation of Internet Security Protocols and Applications. Accessed on January 2013. http://www.avispa-project.org/
  4. AVISPA: AVISPA Web Tool. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/
  5. Awasthi, A.K., and Srivastava, K., A Biometric Authentication Scheme for Telecare Medicine Information Systems with Nonce. J. Med. Syst. 37(5):1–4, 2013.
  6. Basin, D., Modersheim, S., Vigano, L., OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.
  7. Burnett, A., Byrne, F., Dowling, T., Duffy, A., A Biometric Identity Based Signature Scheme. Int. J. Netw. Secur. 5(3):317–326, 2007.
  8. Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Security and Communication Networks, 2014. doi:10.1002/sec.1140.
  9. Chatterjee, S., Das, A.K., Sing, J.K., An Enhanced Access Control Scheme in Wireless Sensor Networks. Ad Hoc & Sensor Wireless Networks 21(1–2):121–149, 2014.
  10. Chen, B.-L., Kuo, W.-C., Wuu, L.-C., Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2):377–389, 2014.
  11. Chuang, Y.-H., and Tseng, Y.-M., An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int. J. Netw. Manag. 20(4):167–180, 2010.
  12. Das, A.K., Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.
  13. Das, A.K., A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Netw. Sci. 2(1–2):12–27, 2013.
  14. Das, A.K., Chatterjee, S., Sing, J.K., A novel efficient access control scheme for large-scale distributed wireless sensor networks. Int. J. Found. Comput. Sci. 24(5):625–653, 2013.
  15. Das, A.K., and Goswami, A., A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care. J. Med. Syst. 37(3):1–16, 2013.
  16. Das, A.K., and Goswami, A., A robust anonymous biometric-based remote user authentication scheme using smart cards. Journal of King Saud University - Computer and Information Sciences (Elsevier). In Press, 2014.
  17. Das, A.K., Massand, A., Patil, S., A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University - Comput. Inform. Sci. 25(2):219–228, 2013.
  18. Das, A.K., Paul, N.R., Tripathy, L., Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Inf. Sci. 209(C):80–92, 2012.
  19. Dodis, Y., Reyzin, L., Smith, A., Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt’04), LNCS, Vol. 3027, pp. 523–540, 2004.
  20. Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.
  21. Giri, D., Maitra, T., Amin, R., Srivastava, P.D., An efficient and robust rsa-based remote user authentication for systems telecare medical information. J. Med. Syst. 39(1):1–9, 2014.
  22. He, D., Chen, J., Zhang, R., A More Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1989–1995, 2012.
  23. He, D., Kumar, N., Lee, J.-H., Sherratt, R.S., Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.
  24. Islam, S.H., and Biswas, G.P., A provably secure identity-based strong designated verifier proxy signature scheme from pairings bilinear. Journal of King Saud University - Comput. Inform. Sci. 26(1):55–67, 2014.
  25. Islam, S.K.H., and Khan, M.K., Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J. Med. Syst. 38(10):1–16, 2014.
  26. Khan, M.K., and Kumari, S., Cryptanalysis and improvement of an efficient and secure dynamic id-based authentication scheme for telecare medical information systems. Security and Communication Networks 7(2):399–408, 2014.
  27. Koblitz, N., Elliptic Curves Cryptosystems. Math. Comput. 48:203–209, 1987.
  28. Kocher, P., Jaffe, J., Jun, B., Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, pp. 388–397, 1999.
  29. Kumari, S., Khan, M.K., Kumar, R., Cryptanalysis and improvement of a privacy enhanced scheme for telecare medical information systems. J. Med. Syst. 37(4):1–11, 2013.
  30. Lee, C.-C., and Hsu, C.-W., A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 71(1–2):201–211, 2013.
  31. Lee, C.-C., Li, C.-T., Chiu, S.-T., Lai, Y.-M., A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn., 1–11, 2014. doi:10.1007/s11071-014-1827-x.
  32. Lee, T.-F., and Liu, C.-M., A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 37(3):1–8, 2013.
  33. Li, C.-T., and Hwang, M.-S., An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1):1–5, 2010.
  34. Li, X., Niu, J.-W., Ma, J., Wang, W.-D., Liu, C.-L., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 34(1):73–79, 2011.
  35. Maitra, T., and Giri, D., An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):1–19, 2014.
  36. Massey, T., Marfia, G., Stoelting, A., Tomasi, R., Spirito, M.A., Sarrafzadeh, M., Pau, G., Leveraging Social System Networks in Ubiquitous High-Data-Rate Health Systems. IEEE Trans. Inf. Technol. Biomed. 15(3):491–498, 2011.
  37. Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
  38. Mishra, D., On the security flaws in id-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1):1–16, 2015.
  39. Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M.K., Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38(6):1–12, 2014.
  40. Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5):1–11, 2014.
  41. Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(10):1–10, 2014.
  42. Odelu, V., Das, A.K., Goswami, A., An Effective and Secure Key-Management Scheme for Hierarchical Access Control in E-Medicine System. J. Med. Syst. 37(2):1–18, 2013.
  43. Odelu, V., Das, A.K., Goswami, A., A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Inf. Sci. 269(C):270–285, 2014.
  44. Odelu, V., Das, A.K., Goswami, A., A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 2014. doi:10.1002/sec.1139.
  45. Patel, M., and Wang, J., Applications, challenges, and prospective in emerging body area networking technologies. IEEE Wirel. Commun. 17(1):80–88, 2010.
  46. Sarkar, P., A Simple and Generic Construction of Authenticated Encryption with Associated Data. ACM Trans. Inf. Syst. Secur. 13(4):1–16, 2010.
  47. Siddiqui, Z., Abdullah, A.H., Khan, M.K., Alghamdi, A., Smart environment as a service: Three factor cloud based user authentication for telecare medical information system. J. Med. Syst. 38(1):1–14, 2013.
  48. Stallings, W., Cryptography and Network Security: Principles and Practices. 3rd edition. Pearson Education India, 2003.
  49. Stinson, D.R., Some Observations on the Theory of Cryptographic Hash Functions. Des. Codes Crypt. 38(2):259–277, 2006.
  50. Tan, Z., An efficient biometrics-based authentication scheme for telecare medicine information systems. Przegl. Elctrotech. 89(5):200–204, 2013.
  51. Tan, Z., A User Anonymity Preserving Three-Factor Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(3):1–9, 2014.
  52. Tang, H., and Liu, X., Cryptanalysis of a dynamic ID-based remote user authentication with key agreement scheme. Int. J. Commun. Syst. 25(12):1639–1644, 2012.
  53. von Oheimb, D., The high-level protocol specification language HLPSL developed in the EU project AVISPA. In: Proceedings of APPSEM 2005 Workshop, 2005.
  54. Wei, J., Hu, X., Liu, W., An Improved Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6):3597–3604, 2012.
  55. Wu, Z.Y., Lee, Y.-C., Lai, F., Lee, H.-C., Chung, Y.-F., A Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1529–1535, 2012.
  56. Xie, Q., A new authenticated key agreement for session initiation protocol. Int. J. Commun. Syst. 25(1):47–54, 2012.
  57. Yan, H., Huo, H., Xu, Y., Gidlund, M., Wireless sensor network based E-health system implementation and experimental results. IEEE Trans. Consum. Electron. 56(4):2288–2295, 2010.
  58. Yan, X., Li, W., Li, P., Wang, J., Hao, X., Gong, P., A secure biometrics-based authentication scheme for telecare medicine information systems. J. Med. Syst. 37(5):1–6, 2013.
  59. Yang, H., Kim, H., Mtonga, K., An efficient privacy-preserving authentication scheme with adaptive key evolution in remote health monitoring system. Peer-to-Peer Networking and Applications, 1–11, 2014. doi:10.1007/s12083-014-0299-6.
  60. Zhu, Z., An Efficient Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6):3833–3838, 2012.

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India
