Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems
The deployment of telecare medical information systems (TMIS) over public networks gives rise to the threat of exposing sensitive medical information to unauthorized entities. Although a number of three-factor authentication (3FA) schemes have been developed to address this challenge, most of them have been found to be flawed. Understanding the security and privacy failures of authentication protocols is a prerequisite to both fixing existing protocols and designing future ones. In this paper, we investigate the 3FA protocol of Lu et al. for TMIS (J Med Syst 39:32, 2015) and reveal that it cannot achieve the claimed security and privacy goals. (1) It fails to provide anonymity and untraceability, and is susceptible to the following attacks targeting user privacy: identity revelation attack, identity guessing attack and tracking attack. (2) It is susceptible to offline password guessing attack, user impersonation attack, and server impersonation attack. We then present an improved 3FA scheme and use the formal verification tool ProVerif to show that the new scheme fulfills session key secrecy and mutual authentication. Moreover, a detailed heuristic security analysis is presented to demonstrate that our new scheme is capable of withstanding various attacks and provides the desired security features. Additionally, performance analysis shows that our proposed protocol is a practical solution for TMIS.
Keywords: Telecare medical information system; Authentication; Key agreement; Password; Smart card; Biometric; Privacy
This work is supported by the National Natural Science Foundation of China (Program Nos. 61672413, U1405255, 61372075, 61672415, 61671360, 61472310), the Natural Science Basic Research Plan in Shaanxi Province of China (Program No. 2016JM6005), the Fundamental Research Funds for the Central Universities (Program Nos. JB161501, JBG161511), the China 111 Project (No. B16037), and the Open Research Program of Science and Technology on Communication Networks Laboratory.