The Journal of Supercomputing, Volume 72, Issue 10, pp 3826–3849

A privacy preserving three-factor authentication protocol for e-Health clouds

  • Qi Jiang (corresponding author)
  • Muhammad Khurram Khan
  • Xiang Lu
  • Jianfeng Ma
  • Debiao He


E-Health clouds are gaining popularity by facilitating the storage and sharing of big data in healthcare. However, such adoption also brings a series of challenges, in particular how to ensure the security and privacy of highly sensitive health data. Among them, a major issue is authentication, which ensures that sensitive medical data in the cloud are not available to unauthorized users. Three-factor authentication combining a password, a smart card and biometrics matches this requirement well by providing high security strength. Recently, Wu et al. proposed a three-factor authentication protocol based on the elliptic curve cryptosystem which attempts to fulfil three-factor security and resist various existing attacks, offering many advantages over existing schemes. However, we first show that their scheme is susceptible to a user impersonation attack in the registration phase. In addition, their scheme is also vulnerable to an offline password guessing attack in the login and password change phases when the mobile device is lost or stolen. Furthermore, it fails to provide user revocation when the mobile device is lost or stolen. To remedy these flaws, we put forward a robust three-factor authentication protocol which not only guards against various known attacks but also provides further desired security properties. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic.


Keywords: Authentication; Password; Biometrics; Anonymity; Privacy; E-Health; Cloud computing



This work is supported by the National Natural Science Foundation of China (Program Nos. 61202389, U1405255, U1135002, 61572379, 61372075, 61472310), the National High Technology Research and Development Program (863 Program) (Program No. 2015AA011704), the Fundamental Research Funds for the Central Universities (Program No. JB140302), the Natural Science Foundation of Hubei Province of China under Grant 2015CFB257, the PAPD fund, and the Collaborative Innovation Center of Atmospheric Environment and Equipment Technology (CICAEET). Sincere appreciation is also extended to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16).


References

  1. Pawar P, Jones V, Van Beijnum BJF et al (2012) A framework for the comparison of mobile patient monitoring systems. J Biomed Inform 45(3):544–556
  2. Abbas A, Khan SU (2014) A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE J Biomed Health Inform 18(4):1431–1441
  3. Raghupathi W, Raghupathi V (2014) Big data analytics in healthcare: promise and potential. Health Inf Sci Syst 2(1):3
  4. Sun J, Reddy C (2013) Big data analytics for healthcare. In: Proc. 19th ACM SIGKDD int’l conf. knowledge discovery and data mining
  5. Xia Z, Wang X, Sun X, Wang Q (2015) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans Parallel Distrib Syst. doi: 10.1109/TPDS.2015.2401003
  6. Fu Z, Sun X, Liu Q, Zhou L, Shu J (2015) Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing. IEICE Trans Commun E98-B(1):190–200
  7. Li H, Yang Y, Luan T, Liang X, Zhou L, Shen X (2015) Enabling fine-grained multi-keyword search supporting classified sub-dictionaries over encrypted cloud data. IEEE Trans Dependable Secur Comput. doi: 10.1109/TDSC.2015.2406704
  8. Ren Y, Shen J, Zheng Y, Wang J, Chao H-C (2015) Efficient data integrity auditing for storage security in mobile health cloud. Peer-to-Peer Netw Appl. doi: 10.1007/s12083-015-0346-y
  9. Ren Y, Shen J, Wang J, Han J, Lee S (2015) Mutual verifiable provable data auditing in public cloud storage. J Internet Technol 16(2):317–323
  10. He D, Zeadally S, Wu L (2015) Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Syst J. doi: 10.1109/JSYST.2015.2428620
  11. Li H, Lin X, Yang H, Liang X, Lu R, Shen X (2014) EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid. IEEE Trans Parallel Distrib Syst 25(8):2053–2064
  12. Jiang Q, Ma J, Li G et al (2013) An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wirel Pers Commun 68(4):1477–1491
  13. Guo P, Wang J, Li B, Lee S (2014) A variable threshold-value authentication architecture for wireless mesh networks. J Internet Technol 15(6):929–936
  14. Zhao D, Peng H, Li L, Yang Y (2014) A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wirel Pers Commun 78(1):247–269
  15. O’Gorman L (2003) Comparing passwords, tokens, and biometrics for user authentication. Proc IEEE 91(12):2021–2040
  16. Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
  17. Farash MS, Attari MA (2014) An efficient client-client password-based authentication scheme with provable security. J Supercomput 70(2):1002–1022
  18. Jiang Q, Ma J, Li G et al (2013) An improved password-based remote user authentication protocol without smart cards. Inf Technol Control 42(2):113–123
  19. Chen TY, Lee CC, Hwang MS, Jan JK (2013) Towards secure and efficient user authentication scheme using smart card for multi-server environments. J Supercomput 66(2):1008–1032
  20. Arshad H, Nikooghadam M (2015) Security analysis and improvement of two authentication and key agreement schemes for session initiation protocol. J Supercomput. doi: 10.1007/s11227-015-1434-8
  21. Wang D, He D, Wang P, Chu C-H (2015) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secur Comput 12(4):428–442. doi: 10.1109/TDSC.2014.2355850
  22. Wang D, Wang N, Wang P, Qing S (2015) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci. doi: 10.1016/j.ins.2015.03.070
  23. Lee JK, Ryu SR, Yoo KY (2002) Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 38(12):554–555
  24. Lin CH, Lai YY (2004) A flexible biometrics remote user authentication scheme. Comput Stand Interfaces 27(1):19–23
  25. Ku WC, Chang ST, Chiang MH (2005) Further cryptanalysis of fingerprint-based remote user authentication scheme using smartcards. Electron Lett 41(5):240–241
  26. Khan MK, Zhang JS (2007) Improving the security of ‘a flexible biometrics remote user authentication scheme’. Comput Stand Interfaces 29(1):82–85
  27. Rhee HS, Kwon JO, Lee DH (2009) A remote user authentication scheme without using smart cards. Comput Stand Interfaces 31(1):6–13
  28. Kim HS, Lee SW, Yoo KY (2003) ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Oper Syst Rev 37(4):32–41
  29. Scott M (2004) Cryptanalysis of an ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Oper Syst Rev 38(2):73–75
  30. Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5
  31. Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79
  32. Das AK (2012) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151
  33. An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. J Biomed Biotechnol. doi: 10.1155/2012/519723
  34. Chen C, Lee C, Hsu C (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(2):585–597
  35. Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816
  36. Tan Z (2014) A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J Med Syst 38(3):1–9
  37. Yoon EJ, Yoo KY (2013) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63(1):235–255
  38. Fan CI, Lin YH (2009) Provably secure remote truly three factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945
  39. Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of EUROCRYPT, pp 523–540
  40. Huang X, Xiang Y, Chonka A, Zhou J, Deng RH (2011) A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Trans Parallel Distrib Syst 22(8):1390–1397
  41. Li X, Niu J, Wang Z, Chen C (2013) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497
  42. Li X, Niu JW, Khan MK, Liao JG, Zhao XK (2014) Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Commun Netw. doi: 10.1002/sec.961
  43. Mishra D, Kumari S, Khan MK et al (2015) An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. Int J Commun Syst. doi: 10.1002/dac.2946
  44. He D, Kumar N, Lee J-H (2014) Enhanced three-factor security protocol for USB consumer storage devices. IEEE Trans Consum Electron 60(1):30–37
  45. He D, Wang D (2015) Robust biometrics-based authentication scheme for multi-server environment. IEEE Syst J 9(3):816–823
  46. Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966
  47. Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client–server networks. Comput Electr Eng. doi: 10.1016/j.compeleceng.2015.02.015
  48. Yu J, Wang G, Mu Y, Gao W (2014) An efficient and improved generic framework for three-factor authentication with provably secure instantiation. IEEE Trans Inf Forensics Secur 9(12):2302–2313
  49. Juels A, Sudan M (2002) A fuzzy vault scheme. In: Proceedings of international symposium on information theory (ISIT), p 408
  50. Nagar A, Nandakumar K, Jain AK (2008) Securing fingerprint template: fuzzy vault with minutiae descriptors. In: Proceedings of 19th international conference on pattern recognition, pp 1–4
  51. Mishra D, Mukhopadhyay S, Kumari S, Khan MK, Chaturvedi A (2014) Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J Med Syst 38(5):1–11
  52. Jin ATB, Ling DNC, Goh A (2004) Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognit 37(11):2245–2255
  53. Hankerson D, Menezes A, Vanstone S (2004) Guide to elliptic curve cryptography. Springer, Berlin
  54. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Proceedings of advances in cryptology (Crypto’99). LNCS, pp 388–397
  55. Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
  56. Jiang Q, Ma J, Li G, Yang L (2014) An efficient ticket based authentication protocol with unlinkability for wireless access networks. Wirel Pers Commun 77(2):1489–1506
  57. Jiang Q, Ma J, Lu X, Tian Y (2015) An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw Appl 8(6):1070–1081
  58. Mishra D (2015) On the security flaws in id-based password authentication schemes for telecare medical information systems. J Med Syst 39(1):1–16
  59. Mishra D (2015) Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems. J Med Syst 39(3):1–8
  60. Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Qi Jiang (1, 2; corresponding author)
  • Muhammad Khurram Khan (3)
  • Xiang Lu (4)
  • Jianfeng Ma (1)
  • Debiao He (5)

  1. School of Cyber Engineering, Xidian University, Xi’an, China
  2. School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing, China
  3. Center of Excellence in Information Assurance, King Saud University, Riyadh, Kingdom of Saudi Arabia
  4. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  5. School of Computer Science and Technology, Wuhan University, Wuhan, China