Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems

  • Qi Jiang
  • Zhiren Chen
  • Bingyan Li
  • Jian Shen
  • Li Yang
  • Jianfeng Ma
Original Research

Abstract

The deployment of telecare medical information systems (TMIS) over public networks gives rise to the threat of exposing sensitive medical information to illegal entities. Although a number of three-factor authentication (3FA) schemes have been developed to address this challenge, most of them have been found to be flawed. Understanding the security and privacy failures of authentication protocols is a prerequisite to both fixing existing protocols and designing future ones. In this paper, we investigate the 3FA protocol of Lu et al. for TMIS (J Med Syst 39:32, 2015) and reveal that it cannot achieve the claimed security and privacy goals. (1) It fails to provide anonymity and untraceability, and is susceptible to the following attacks targeting user privacy: identity revelation attack, identity guessing attack and tracking attack. (2) It is susceptible to offline password guessing attack, user impersonation attack, and server impersonation attack. We then present an improved 3FA scheme and show, using the formal verification tool ProVerif, that the new scheme fulfills session key secrecy and mutual authentication. Moreover, a detailed heuristic security analysis is presented to demonstrate that our new scheme is capable of withstanding various attacks and provides the desired security features. Additionally, performance analysis shows that our proposed protocol is a practical solution for TMIS.

Keywords

Telecare medical information system; Authentication; Key agreement; Password; Smart card; Biometric; Privacy

Notes

Acknowledgements

This work is supported by the National Natural Science Foundation of China (Program Nos. 61672413, U1405255, 61372075, 61672415, 61671360, 61472310), the Natural Science Basic Research Plan in Shaanxi Province of China (Program No. 2016JM6005), the Fundamental Research Funds for the Central Universities (Program Nos. JB161501, JBG161511), the China 111 Project (No. B16037), and the Open Research Program of the Science and Technology on Communication Networks Laboratory.

References

  1. Amin R, Biswas GP (2015) A secure three-factor user authentication and key agreement protocol for TMIS with user anonymity. J Med Syst 39:78
  2. Arshad H, Nikooghadam M (2014) Three-factor anonymous authentication and key agreement scheme for Telecare medicine information systems. J Med Syst 38:136
  3. Arshad H, Nikooghadam M (2015) Security analysis and improvement of two authentication and key agreement schemes for session initiation protocol. J Supercomput 71:3163–3180
  4. Awasthi AK, Srivastava K (2013) A biometric authentication scheme for telecare medicine information systems with nonce. J Med Syst 37:9964. doi: 10.1007/s10916-013-9964-1
  5. Blanchet B (2001) An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of CSFW’01. pp 82–96
  6. Das AK (2015) A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems. J Med Syst 39:30
  7. Das AK, Goswami A (2014) An enhanced biometric authentication scheme for telecare medicine information systems with nonce using chaotic hash function. J Med Syst 38:27
  8. Farash MS, Attari MA (2014) An efficient client-client password-based authentication scheme with provable security. J Supercomput 70:1002–1022. doi: 10.1007/s11227-014-1273-z
  9. Fu Z, Sun X, Liu Q, Zhou L, Shu J (2015) Achieving Efficient Cloud Search Services: Multi-Keyword Ranked Search over Encrypted Cloud Data Supporting Parallel Computing. IEICE T Commun E98.B:190–200. doi: 10.1587/transcom.E98.B.190
  10. Fu Z, Huang F, Sun X, Vasilakos A, Yang C-N (2016a) Enabling semantic search based on conceptual graphs over encrypted outsourced data. IEEE Trans Serv Comput. doi: 10.1109/TSC.2016.2622697
  11. Fu Z, Ren K, Shu J, Sun X, Huang F (2016b) Enabling personalized search over encrypted outsourced data with efficiency improvement. IEEE Trans Parallel Distrib Syst 27:2546–2559
  12. Fu Z, Wu X, Guan C, Sun X, Ren K (2016c) Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement. IEEE Trans Inf Forensics Secur 11:2706–2716
  13. Guo D, Wen Q, Li W, Zhang H, Jin Z (2015) An improved biometrics-based authentication scheme for telecare medical information systems. J Med Syst 39:20
  14. He DB, Wang D (2015) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9:816–823. doi: 10.1109/Jsyst.2014.2301517
  15. He DB, Kumar N, Chilamkurti N (2015) A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf Sci 321:263–277. doi: 10.1016/j.ins.2015.02.010
  16. He DB, Zeadally S, Kumar N, Lee J-H (2016) Anonymous authentication for wireless body area networks with provable security. IEEE Syst J. doi: 10.1109/JSYST.2016.2544805
  17. Jiang Q, Ma JF, Tian YL (2015) Cryptanalysis of smart-card-based password authenticated key agreement protocol for session initiation protocol of Zhang et al. Int J Commun Syst 28:1340–1351. doi: 10.1002/dac.2767
  18. Jiang Q, Ma JF, Wei FS, Tian YL, Shen J, Yang YY (2016a) An untraceable temporal-credential-based two-factor authentication scheme using ECC for wireless sensor networks. J Netw Comput Appl 76:37–48. doi: 10.1016/j.jnca.2016.10.001
  19. Jiang Q, Wei FS, Fu S, Ma JF, Li GS, Alelaiwi A (2016b) Robust extended chaotic maps-based three-factor authentication scheme preserving biometric template privacy. Nonlinear Dynamics 83:2085–2101. doi: 10.1007/s11071-015-2467-5
  20. Jiang Q, Khan MK, Lu X, Ma JF, He DB (2016c) A privacy preserving three-factor authentication protocol for e-Health clouds. J Supercomput 72:3826–3849. doi: 10.1007/s11227-015-1610-x
  21. Jiang Q, Li B, Ma JF (2016d) On the security of three-factor authentication scheme for telecare medical information systems. In: International conference on broadband and wireless computing, communication and applications. pp 879–884
  22. Jiang Q, Ma J, Wei F (2016e) On the security of a privacy-aware authentication scheme for distributed mobile cloud computing services. IEEE Syst J. doi: 10.1109/JSYST.2016.2574719
  23. Jiang Q, Ma J, Yang C, Ma X, Shen J, Chaudhry SA (2017a) Efficient end-to-end authentication protocol for wearable health monitoring systems. Comput Electr Eng. doi: 10.1016/j.compeleceng.2017.03.016
  24. Jiang Q, Zeadally S, Ma JF, He DB (2017b) Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 5:3376–3392. doi: 10.1109/Access.2017.2673239
  25. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Advances in cryptology—CRYPTO’99. Springer, Berlin, Heidelberg, p 789
  26. Lamport L (1981) Password authentication with insecure communication. Commun ACM 24:770–772
  27. Li SH, Wang CY, Lu WH, Lin YY, Yen DC (2012) Design and implementation of a telecare information platform. J Med Syst 36:1629–1650. doi: 10.1007/s10916-010-9625-6
  28. Li X, Wen Q, Li W, Zhang H, Jin Z (2014) Secure privacy-preserving biometric authentication scheme for telecare medicine information systems. J Med Syst 38:139
  29. Li X, Wang KH, Shen J, Kumari S, Wu F, Hu YH (2016) An enhanced biometrics-based user authentication scheme for multi-server environments in critical systems. J Ambient Intell Humaniz Comput 7:427–443. doi: 10.1007/s12652-015-0338-z
  30. Lu Y, Li L, Peng H, Yang Y (2015) An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. J Med Syst 39:32. doi: 10.1007/s10916-015-0221-7
  31. Maitra T, Giri D (2014) An efficient biometric and password-based remote user authentication using smart card for Telecare medical information systems in multi-server environment. J Med Syst 38:142. doi: 10.1007/s10916-014-0142-x
  32. Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51:541–552. doi: 10.1109/Tc.2002.1004593
  33. Mir O, van der Weide T, Lee CC (2015) A secure user anonymity and authentication scheme using AVISPA for telecare medical information systems. J Med Syst 39:89. doi: 10.1007/s10916-015-0265-8
  34. Mishra D, Mukhopadhyay S, Chaturvedi A, Kumari S, Khan MK (2014a) Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J Med Syst 38:24. doi: 10.1007/s10916-014-0024-2
  35. Mishra D, Mukhopadhyay S, Kumari S, Khan MK, Chaturvedi A (2014b) Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J Med Syst 38:41. doi: 10.1007/s10916-014-0041-1
  36. Nikooghadam M, Jahantigh R, Arshad H (2017) A lightweight authentication and key agreement protocol preserving user anonymity. Multimed Tools Appl 76:13401–13423
  37. O’Gorman L (2003) Comparing passwords, tokens, and biometrics for user authentication. Proc IEEE 91:2021–2040
  38. Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10:1953–1966
  39. Ren YJ, Shen J, Zheng YH, Wang J, Chao HC (2016) Efficient data integrity auditing for storage security in mobile health cloud. Peer Peer Netw Appl 9:854–863
  40. Shen J, Tan HW, Moh S, Chung I, Liu Q, Sun XM (2015) Enhanced secure sensor association and key management in wireless body area networks. J Commun Netw 17:453–462. doi: 10.1109/Jcn.2015.000083
  41. Tan Z (2013) An efficient biometrics-based authentication scheme for telecare medicine information systems. Network 2:200–204
  42. Tan Z (2014) A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J Med Syst 38:16. doi: 10.1007/s10916-014-0016-2
  43. Wang D, Wang P (2016) Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans Dependable Secure Comput. doi: 10.1109/TDSC.2016.2605087
  44. Wang D, He DB, Wang P, Chu CH (2015) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secure Comput 12:428–442. doi: 10.1109/Tdsc.2014.2355850
  45. Wei FS, Ma JF, Aijun G, et al. (2015) A provably secure three-party password authenticated key exchange protocol without using server’s public-keys and symmetric cryptosystems. Inf Technol Control 44:195–206
  46. Wu F, Xu L (2013) Security analysis and improvement of a privacy authentication scheme for telecare medical information systems. J Med Syst 37:9958. doi: 10.1007/s10916-013-9958-z
  47. Wu F, Xu LL, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks. Comput Electr Eng 45:274–285. doi: 10.1016/j.compeleceng.2015.02.015
  48. Xia ZH, Wang XH, Sun XM, Wang Q (2016a) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans Parallel Distrib Syst 27:340–352. doi: 10.1109/Tpds.2015.2401003
  49. Xia ZH, Wang XH, Zhang L, Qin Z, Sun XM, Ren K (2016b) A privacy-preserving and copy-deterrence content-based image retrieval scheme in cloud computing. IEEE Trans Inf Forensics Secur 11:2594–2608
  50. Xu L, Wu F (2015) Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care. J Med Syst 39:10
  51. Yan X, Li W, Li P, Wang J, Hao X, Gong P (2013) A secure biometrics-based authentication scheme for telecare medicine information systems. J Med Syst 37(5):1–6

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. School of Cyber Engineering, Xidian University, Xi’an, China
  2. School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing, China
  3. Science and Technology on Communication Networks Laboratory, Shijiazhuang, China
