
On the Security of Two Remote User Authentication Schemes for Telecare Medical Information Systems

  • SYSTEMS-LEVEL QUALITY IMPROVEMENT
Journal of Medical Systems

Abstract

Telecare medical information systems (TMISs) support convenient and rapid health-care services. A secure and efficient authentication scheme for TMIS safeguards patients’ electronic patient records (EPRs) and helps health care workers and medical personnel rapidly make correct clinical decisions. Recently, Kumari et al. proposed a password-based user authentication scheme using smart cards for TMIS, and claimed that the proposed scheme could resist various malicious attacks. However, we point out that their scheme is still vulnerable to the lost smart card attack and cannot provide forward secrecy. Subsequently, Das and Goswami proposed a secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. They simulated their scheme for formal security verification using the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to ensure that their scheme is secure against passive and active attacks. However, we show that their scheme is still vulnerable to smart card loss attacks and cannot provide the forward secrecy property. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of scheme.



Acknowledgments

The authors would like to thank the editor and the anonymous referees for their valuable comments. This research is supported by Ministry of Culture, Sports and Tourism (MCST) and Korea Creative Content Agency (KOCCA) in the Culture Technology (CT) Research & Development Program.

Corresponding author

Correspondence to Jae-Dong Lee.

Additional information

This article is part of the Topical Collection on Systems-Level Quality Improvement

Cite this article

Kim, KW., Lee, JD. On the Security of Two Remote User Authentication Schemes for Telecare Medical Information Systems. J Med Syst 38, 17 (2014). https://doi.org/10.1007/s10916-014-0017-1

  • DOI: https://doi.org/10.1007/s10916-014-0017-1
