A Secure User Anonymity-Preserving Three-Factor Remote User Authentication Scheme for the Telecare Medicine Information Systems
Recent advanced technology enables the telecare medicine information system (TMIS) for the patients to gain the health monitoring facility at home and also to access medical services over the Internet of mobile networks. Several remote user authentication schemes have been proposed in the literature for TMIS. However, most of them are either insecure against various known attacks or inefficient. Recently, Tan proposed an efficient user anonymity preserving three-factor authentication scheme for TMIS. In this paper, we show that though Tan’s scheme is efficient, it has several security drawbacks: (1) it fails to provide proper authentication during the login phase, (2) it fails to correctly update the password and biometric of a user during the password and biometric update phase, and (3) it fails to protect against the replay attack. In addition, Tan’s scheme lacks formal security analysis and verification. Later, Arshad and Nikooghadam also pointed out some security flaws in Tan’s scheme and then presented an improvement on Tan’s scheme. However, we show that Arshad and Nikooghadam’s scheme is still insecure against the privileged-insider attack through the stolen smart-card attack, and it also lacks formal security analysis and verification. In order to withstand the security loopholes found in both Tan’s scheme and Arshad and Nikooghadam’s scheme, we aim to propose an effective and more secure three-factor remote user authentication scheme for TMIS. Our scheme provides the user anonymity property. Through rigorous informal and formal security analysis using random oracle models and the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is secure against various known attacks, including the replay and man-in-the-middle attacks. Furthermore, our scheme is also efficient as compared to other related schemes.
Keywords: Telecare medicine information systems; Fuzzy extractor; Biometrics; Password; User anonymity; AVISPA; Security
The author would like to acknowledge the helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.
- 2. Arshad, H., and Nikooghadam, M., Three-Factor Anonymous Authentication and Key Agreement Scheme for Telecare Medicine Systems Information. J. Med. Syst. 38(6):1–12, 2014.
- 3. AVISPA: Automated Validation of Internet Security Protocols and Applications. Accessed on January 2013. http://www.avispa-project.org/
- 4. AVISPA: AVISPA Web Tool. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/
- 7. Burnett, A., Byrne, F., Dowling, T., Duffy, A., A Biometric Identity Based Signature Scheme. Int. J. Netw. Secur. 5(3):317–326, 2007.
- 8. Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Security and Communication Networks, 2014. doi: 10.1002/sec.1140.
- 9. Chatterjee, S., Das, A.K., Sing, J.K., An Enhanced Access Control Scheme in Wireless Sensor Networks. Ad Hoc & Sensor Wireless Networks 21(1–2):121–149, 2014.
- 11. Chuang, Y.-H., and Tseng, Y.-M., An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int. J. Netw. Manag. 20(4):167–180, 2010.
- 16. Das, A.K., and Goswami, A.: A robust anonymous biometric-based remote user authentication scheme using smart cards. Journal of King Saud University - Computer and Information Sciences (Elsevier). In Press (2014)
- 19. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt’04), LNCS, Vol. 3027, pp. 523–540 (2004)
- 21. Giri, D., Maitra, T., Amin, R., Srivastava, P.D., An efficient and robust rsa-based remote user authentication for systems telecare medical information. J. Med. Syst. 39(1):1–9, 2014.
- 28. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, pp. 388–397 (1999)
- 31. Lee, C.-C., Li, C.-T., Chiu, S.-T., Lai, Y.-M., A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn., 1–11, 2014. doi: 10.1007/s11071-014-1827-x.
- 32. Lee, T.-F., and Liu, C.-M., A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 37(3):1–8, 2013.
- 44. Odelu, V., Das, A.K., Goswami, A., A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 2014. doi: 10.1002/sec.1139.
- 47. Siddiqui, Z., Abdullah, A.H., Khan, M.K., Alghamdi, A., Smart environment as a service: Three factor cloud based user authentication for telecare medical information system. J. Med. Syst. 38(1):1–14, 2013.
- 48. Stallings, W., Cryptography and Network Security: Principles and Practices. 3rd edition: Pearson Education India, 2003.
- 50. Tan, Z., An efficient biometrics-based authentication scheme for telecare medicine information systems. Przegl. Elctrotech. 89(5):200–204, 2013.
- 53. von Oheimb, D.: The high-level protocol specification language hlpsl developed in the eu project avispa. In: Proceedings of APPSEM 2005 Workshop (2005)
- 59. Yang, H., Kim, H., Mtonga, K., An efficient privacy-preserving authentication scheme with adaptive key evolution in remote health monitoring system. Peer-to-Peer Networking and Applications, 1–11, 2014. doi: 10.1007/s12083-014-0299-6.