An Enhanced Biometric-Based Authentication Scheme for Telecare Medicine Information Systems Using Elliptic Curve Cryptosystem

Abstract

The telecare medical information systems (TMISs) enable patients to conveniently enjoy telecare services at home. The protection of patient’s privacy is a key issue due to the openness of communication environment. Authentication as a typical approach is adopted to guarantee confidential and authorized interaction between the patient and remote server. In order to achieve the goals, numerous remote authentication schemes based on cryptography have been presented. Recently, Arshad et al.(J Med Syst 38(12): 2014) presented a secure and efficient three-factor authenticated key exchange scheme to remedy the weaknesses of Tan et al.’s scheme (J Med Syst 38(3): 2014). In this paper, we found that once a successful off-line password attack that results in an adversary could impersonate any user of the system in Arshad et al.’s scheme. In order to thwart these security attacks, an enhanced biometric and smart card based remote authentication scheme for TMISs is proposed. In addition, the BAN logic is applied to demonstrate the completeness of the enhanced scheme. Security and performance analyses show that our enhanced scheme satisfies more security properties and less computational cost compared with previously proposed schemes.

Introduction

With comprehensive employment of the mobile networks, TMISs enable telecare which builds a convenient bridge between patients at home and the remote server a reality. In such system, patients without leaving home can access the same medical services as at hospital. TMISs provide greatly facilitate for some patients who are inconvenient to go to hospital, which saves a lot of the patients’ expenses and time. The problem is that the patients’ sensitive information may be eavesdropped by an illegal entity due to the unreliable communication channel. Therefore, a feasible authentication mechanism [1–5] is essential needed to ensure security and integrity of transmitting data for TMISs.

In 2009, Wu et al. [6] presented an authenticated key exchange scheme for TMISs and declared their scheme was more efficient compared with the previous schemes for TMISs by adding a precomputation step. However, He et al.[7] identified that the scheme was susceptible to internal and masquerade attacks. Then, He et al. introduced a more secure authentication scheme to conquer these flaws. Later, Wei et al.[8] pointed out that both Wu et al. and He et al.’s schemes were prone to suffer from off-line password guessing attack. An improved scheme with more security was designed by Wei et al. But Zhu et al. [9] discovered that Wei et al.’s scheme was still insecure against off-line password guessing attack. In order to eliminate such pitfall, Zhu et al. further proposed an enhancement based on Wei et al.’s scheme using RSA [10]. In 2013, Wu et al. [11] pointed out that Jiang et al.’s scheme [12] had some security drawbacks and proposed a new authentication scheme for TMIS. Unfortunately, Wen et al. [13] observed that Wu et al.’s scheme did not provide patient anonymity and failed to resist server spoofing and off-line password guessing attacks. In order to erase these drawbacks, Wen et al. proposed their modified scheme based on Wu et al.’s scheme. Lately, other researchers also proposed their authentication and key agreement schemes for TMISs [14–16]. All in all, above schemes aim to achieve two factor authentication.

Lately, research in two factor based authenticated key exchange schemes employing biometric have attracted a lot of well-deserved attention. In comparison to password, biometrics keys have many advantages [17], such as cannot be lost or forgotten, copied or shared, hard to be forged or distributed and cannot be guessed easily. Many biometric based authentication schemes combine password and smart card were appeared [18–23], and were becoming one of the most widely adopted authentication mechanisms. Awasthi et al. [24] presented a biometric authentication nonce based scheme for TMISs. However, Mishra et al.[25] observed that Awasthi et al.’s scheme was vulnerable to off-line password guessing attack and did not provide efficient password change option. Soon after that Tan et al.[26] found that Awasthi et al.’s scheme did not resist reflection attack and did not achieve three factor security and user anonymity. To remedy the weaknesses of Awasthi et al.’s scheme, Tan et al. presented a three factor authentication scheme and claimed that their scheme was secure against various attacks. Recently, Arshad et al.[27] pointed out that Tan et al.’s scheme did not withstand denial-of service and replay attacks. They then presented an improved elliptic curve cryptosystem (ECC)-based [28, 29] scheme to prevent the flaws.

In this paper, we briefly review Arshad et al.’s scheme. We demonstrate Arshad et al.’s scheme fails to protect against off-line password guessing attack. Additionally, we show that in case the adversary succeeded in getting identity and password of an arbitrary user, he can impersonate any user of the system. Furthermore, we put forward a biometric based authentication scheme for TMISs to cope with the loopholes of Arshad et al.’s scheme. The proposed scheme also employs lower computational operations such as ECC and hash function to lower its computational cost. Besides, we adopt BAN logic [30] to demonstrate the completeness of the enhanced scheme. Moreover, we present the security and performance analyses to show that our enhanced scheme satisfies more security properties and less computational cost compared with previously proposed schemes.

The rest of this paper is organized as follows. Section “Review of Arshad et al.’s scheme” and Section “Weaknesses of Arshad et al.’s scheme”review and security analysis of Arshad et al.’s scheme, respectively. Section “Proposed scheme” and Section “Analysis security” show our proposed scheme and analyze its security. Section “Functionality and performance comparisons” depicts the functionality and performance comparison among the proposed scheme and other related ones. Section “Conclusion” is a brief conclusion.

Review of Arshad et al.’s scheme

This section briefly reviews Arshad et al.’s biometric based password authentication scheme for TMISs. Their scheme contains three phases: registration, authentication and password change. Notations that will be used throughout the paper are listed in Table 1.

Table 1 Notations

Registration

1. (1)

   U selects his identity I D _i , password P W _i , a random number N _C and imprints his biometric B _i . Then, he computes M P W _i = P W _i ⊕ N _C , M B _i = B _i ⊕ N _C and submits {I D _i , M P W _i , M B _i } to S.

2. (2)

   S verifies whether I D _i is in his database or not. If I D _i is not found, S calculates A I D _i = h ₂(x||I D _i ), V _i = M P W _i ⊕ M B _i ⊕ I D _i = P W _i ⊕ B _i ⊕ I D _i , and W _i = h ₁(M B _i ) ⊕ h ₁(M P W _i ) ⊕ I D _i ⊕ A I D _i . Furthermore, S chooses a random number N _S and computes R _i = x ⊕ N _S , and M I D _i = I D _i ⊕ h ₁(N _S ). After that, S keeps I D _i in his database and the information {V _i , W _i , R _i , M I D _i , τ, d(⋅), E, n, P, Y, h ₁(⋅), h ₂(⋅)} into a smart card S C _i .

3. (3)

   U stores N _C into S C _i . Now, S C _i contains {N _C , V _i , W _i , R _i , M I D _i , τ, d(⋅), E, n, P, Y, h ₁(⋅), h ₂(⋅)}

Authentication

1. (1)

   U inserts S C _i into a smart card reader, inputs I D _i , and P W _i , and imprints biometric \(B_{i}^{\ast }\) at the sensor. Then, S C _i computes B _i = V _i ⊕ P W _i ⊕ I D _i and verifies whether the equation \(d(B_{i}, B_{i}^{ast}) < \tau \) holds or not. If holds, S C _i computes A I D _i = h ₁(B _i ⊕ N _C ) ⊕ h ₁(P W _i ⊕ N _C ) ⊕ I D _i ⊕ W _i , selects a random number d _C and continues to compute R _C = A I D _i d _C P = h ₂(x||I D _i )d _C P, and V ₁ = h ₁(I D _i ||R _C ||A I D _i ||T _C ), and sends a message REQUEST {R _C , T _C , V ₁, M I D _i , R _i } to S, where T _C is the current time.

2. (2)

   When receiving the message, S checks whether the transmission delay is within the allowed time interval Δ T. If T _S −T _C < Δ T, S computes N _S = x ⊕ R _i , derives I D _i by computing M I D _i ⊕ h ₁(N _S ), and checks whether I D _i exists in database or not. If exists, S checks whether h ₁(I D _i ||R _C ||h ₂(x||I D _i )||T _C ) = ?V ₁. If holds, S selects a random number d _S and computes Q _S = d _S P and K ₁ = h ₂(x||I D _i )⁻¹ d _S R _C = d _S d _C P. Furthermore, S chooses a random number \(N_{S}^{New}\) and computes \(R_{i}^{\ast }=h_{1}(K_{1})\oplus x \oplus N_{S}^{New},\ MID_{i}^{\ast } = h_{1}(K_{1})\oplus ID_{i} \oplus h(N_{S}^{New})\), and \(V_{2}= h_{1}(MID_{i}^{\ast }||Q_{S}||K_{1}||R_{i}^{\ast }||ID_{i})\). Finally, S sends the message CHALLENGE \(\{Q_{S},\ V_{2},\ MID_{i}^{\ast },\ R_{i}^{\ast }\}\) to U.

3. (3)

   After receiving the message, U computes K ₂ = d _C Q _S = d _C d _S P and checks whether \(h_{1}(MID_{i}^{\ast }||Q_{S}||K_{2}||R_{i}^{\ast }||ID_{i})\stackrel {?}=V_{2}\). If the equation is true, U computes \(MID_{i}^{New}=MID_{i}^{\ast }\oplus h_{1}(K_{2}) ID_{i} \oplus h_{1}(N_{S}^{New})\), and \(R_{i}^{New} =R_{i}^{\ast } \oplus h_{1}(K_{2}) x \oplus N_{S}^{New}\). Then, U updates the values of M I D _i and R _i with the values of \(MID_{i}^{New} \)and \(R_{i}^{New}\), respectively. Finally, U computes V ₃ = h ₁(K ₂||Q _S ||I D _i ), and the shared session key S K = h ₁(I D _i ||Q _S ||K ₂), and sends a message RESPONSE {V ₃} to S.

4. (4)

   After receiving the message, S checks whether h ₁(K ₁||Q _S ||I D _i ) = ?V ₃. If equal, S accepts the shared session key SK as S K = h ₁(I D _i ||Q _S ||K ₁).

Password change

U inserts S C _i into the card reader, inputs identity I D _i , password P W _i and imprints his biometric \(B_{i}^{\ast }\) at the sensor. S C _i computes B _i = V _i ⊕ P W _i ⊕ I D _i and checks whether the equation \(d(B_{i}, B_{i}^{\ast }) < \tau \) holds or not. If holds, U keys a new password \(PW_{i}^{New}\) and imprints a new personal biometric \(B_{i}^{New}\). Then, S C _i computes \(V_{i}^{new}\) and \(W_{i}^{New}\) as follows:

\(V_{i}^{New}=PW_{i}^{New}\oplus B_{i}^{New}\oplus PW_{i}\oplus B_{i}\oplus V_{i}= PW_{i}^{New}\oplus B_{i}^{New}\oplus ID_{i}\)

\(W_{i}^{New} =h_{1}(B_{i}^{New}\oplus N_{C}) \oplus h_{1}(PW_{i}^{New}\oplus N_{C})\oplus ID_{i}\oplus AID_{i}\) and updates S C _i ’s memory V _i , W _i by \(V_{i}^{New},\ W_{i}^{New}\).

Weaknesses of Arshad et al.’s scheme

This section shows that Arshad et al.’s scheme [27] has two security drawbacks, which are discussed in the following subsections. The following attacks are based on the assumptions that a malicious attacker \(\mathcal {A}\) has completely monitor over the communication channel connecting U and S in login and authentication phase. So \(\mathcal {A}\) can eavesdrop, modify, insert, or delete any message transmitted via public channel [31].

Not withstanding the off-line password guessing attack

The password and identity are low entropy [32, 33]. Therefore, \(\mathcal {A}\) can guess a password \(PW^{\prime }_{i}\) and an identity I D _i with the help of achieving values [34, 35] {V _i , W _i , R _i , M I D _i , τ, d(⋅), E, n, P, Y, h ₁(⋅), h ₂(⋅)} from the medical device and {R _C , T _C , V ₁, M I D _i , R _i } from the login request message as follows:

1. (1)

   \(\mathcal {A}\) guesses \(PW^{\prime }_{i}\) and \(ID^{\prime }_{i}\) and computes \(AID^{\prime }_{i}=h_{1}(V_{i}\oplus ID^{\prime }_{i}\oplus PW^{\prime }_{i}\oplus N_{C})\oplus h_{2}(PW^{\prime }_{i}\oplus N_{C})\oplus ID^{\prime }_{i}\oplus W_{i}\), \(V^{\prime }_{1}=h_{1}(ID^{\prime }_{i}||R_{C}||AID^{\prime }_{i}||T_{C})\). Then, \(\mathcal {A}\) checks \(V^{\prime }_{1}\stackrel {?}=V_{1}\).

2. (2)

   If the verification succeeds, considers \(ID^{\prime }_{i}\) and \(PW^{\prime }_{i}\) as the user’s identity and password. Otherwise, he repeats (1).

If \(\mathcal {A}\) successfully guesses the identity and the password of the patient, it will result into another attack. The detail of the attack is discussed as the next subsection.

Not withstanding the user impersonation attack

As described in the previous subsection, \(\mathcal {A}\) can read [34, 35] the information {V _i , W _i , R _i , M I D _i , τ, d(⋅), E, n, P, Y, h ₁(⋅), h ₂(⋅)} stored in the smart card. After successfully guessing the password P W _i and I D _i , \(\mathcal {A}\) can launch a user impersonation attack with the eavesdropped message {R _C , T _C , V ₁, M I D _i , R _i } in the following:

1. (1)

   \(\mathcal {A}\) generates a random number \(d^{\prime }_{C}\) and computes \(R^{\prime }_{C}=AID_{i}d^{\prime }_{C}P, V^{\prime }_{1}=h_{1}(ID_{i}||R^{\prime }_{C}||ADI_{i}||T^{\prime }_{C})\). After that, he sends the REQUEST message \(\{R^{\prime }_{C},\ T^{\prime }_{C}, V^{\prime }_{1},\ MID_{i}, R_{i}\}\) to S, where \(T^{\prime }_{C}\) is the current timestamp.

2. (2)

   After checking the freshness of \(T^{\prime }_{C}\), S derives N _S and I D _i and verifies \(h_{1}(ID_{i}||R^{\prime }_{C}||h_{2}(x||ID_{i})||T^{\prime }_{C})\stackrel {?}=V_{1}\). Obviously, the equation will be held due to the true identity. S then continues to perform the original scheme without any detected. Finally, S delivers the CHALLENGE message \(\{Q_{S},\ V_{2},\ MID_{i}^{\ast },\ R_{i}^{\ast }\}\) to \(\mathcal {A}\).

3. (3)

   \(\mathcal {A}\) imitates what the patient were doing and computes V ₃ and sends it to S, where \(V_{3}=h_{1}(d^{\prime }_{C}Q_{S}||Q_{S}||ID_{i})\). When receiving the value V ₃, \(\mathcal {A}\) will surely pass through S. As a result, S negotiates the session key \(SK=h_{1}(ID_{i}||Q_{S}||d^{\prime }_{C}Q_{S})\) with \(\mathcal {A}\) who masquerades as the legal patient.

Proposed scheme

This section presents a slight modification scheme to remedy the weaknesses of Arshad et al.’s scheme. The proposed scheme aims to propose an efficient improvement on Arshad et al.’s scheme to overcome the weaknesses of their scheme, while also retaining the original merits of their scheme. In the proposed scheme, in order to resist the off-line password guessing attack, we employ biometrics to conceal password. And we adopt Biohashing to protect biometrics of patients, which can resolve high false rejection and hence decrease denial of service access probability [36, 37]. And biohashing is very efficient and lightweight as compared to modular exponentiation and elliptic curve point multiplication [38, 39]. The proposed scheme also contains three phases: registration, login and authentication and password updating (Fig. 1).

Fig. 1

Registration and authentication phase of the enhanced scheme

Registration

1. (1)

   The patient U inputs his biometric B _i , identity I D _i and password P W _i . Then, U calculates M P _i = P W _i ⊕ H(B _i ) and submits {I D _i , M P _i } to the server S.

2. (2)

   When receiving the message, S computes A I D _i = I D _i ⊕ h ₂(x), V _i = h ₁(I D _i ||M P _i ) and issues a smart card S C _i which contains the information {A I D _i , V _i , h ₁(⋅), h ₂(⋅), H(⋅)} to U.

Login and Authentication

1. (1)

   U inserts S C _i into a card reader and keys his identity I D _i , password P W _i and biometric B _i . S C _i computes h ₁(I D _i ||P W _i ⊕ H(B _i )) and verifies whether it is equal to the value V ₁. If true, U passes through the verification. Then, S C _i selects a random number d _u and computes K = h ₁(I D _i ||I D _i ⊕ A I D _i ), M ₁ = K ⊕ d _u P, M ₂ = h ₁(I D _i ||T ₁||d _u P), and transmits {M ₁, M ₂, A I D _i , T ₁} to S.

2. (2)

   When receiving the login request, S first examines whether |T ₁−T _c | < Δ T, where T _c is the current timestamp of the S. If holds, S uses his private key x to derive I D _i by computing M ₁ ⊕ h ₂(x), he then computes d _u P = K ⊕ M ₁ and checks h(I D _i ||T ₁||d _u P) = ?M ₂. If correct, S then generates a random number d _s and computes M ₃ = K ⊕ d _s P, S K = d _s d _u P, M ₄ = h ₁(K||T ₂||S K||d _u P), where T ₂ is the current timestamp. At last, S sends the message {M ₃, M ₄, T ₂} to U.

3. (3)

   Upon receiving the message, U first checks the freshness of T ₂. Then, U retrieves d _s P by computing M ₃ ⊕ K and computes \(SK=d_{u}d_{s}P,\ M^{\prime }_{4}=h_{1}(K||d_{u}P||SK||T_{2})\) to verify whether \(M^{\prime }_{4}\) is equal to the received M ₄. If holds, U computes M ₅ = h ₁(K||d _s P||S K||T ₃) and then sends the message {M ₅, T ₃} to S, where T ₃ is the current timestamp.

4. (4)

   After receiving {M ₅, T ₃}, S verifies whether |T ₃−T _c | < Δ T and \(M^{\prime }_{5}=h_{1}(K||d_{s}P||SK||T_{3})\stackrel {?}=M_{5}\). If both conditions hold, S authenticates U and accepts SK as the session key for further operations.

Password change

If U doubts his password may be leaked, he can alter the old password to a new one as follows. U inserts his S C _i into the device and submits his I D _i , P W _i and B _i . Then S C _i verifies whether h ₁(I D _i ||P W ⊕ H(B _i )) = ?V _i . If valid, U inputs a new password P W ^new, S C _i calculates \(V_{i}^{new}=h_{1}(ID_{i}||PW^{new}\oplus H(B_{i}))\) then replaces V _i with \(V_{i}^{new}\).

Analysis security

This section conducts a cryptanalysis of the enhanced scheme both through Burrows-Abadi-Needham (BAN) logic [30] and security features.

Proofing scheme with BAN logic

BAN logic [30] is a set of rules for defining and analyzing information exchange schemes (Table 2). It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes. We first introduce some notations and logical postulates of BAN logic used in our scheme.

1. (1)

   BAN logical postulates

   1. a.

      Message-meaning rule: \(\frac {A|\equiv A\stackrel {K}\leftrightarrow B, A\triangleleft \{X\}\text {} _{K}}{A|\equiv | B\sim X}\): if A believes that K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.

   2. b.

      Nonce-verification rule: \(\frac {A|\equiv \#X, A |\equiv B|\sim X}{A|\equiv B|\equiv X}\): if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.

   3. c.

      The belief rule: \(\frac {A|\equiv X,\ A|\equiv Y}{A|\equiv (X,\ Y)}\): if A believes X and Y, then A believes (X, Y).

   4. d.

      Fresh conjuncatenation rule: \(\frac {A|\equiv \#X}{A|\equiv \#(X,\ Y)}\): if A believes freshness of X, B believes freshness of (X, Y).

   5. e.

      Jurisdiction rule: \(\frac {A|\equiv B\Rightarrow X,\ A |\equiv B|\equiv X}{A|\equiv X}\): if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.

2. (2)

   Idealized scheme

   U::

   < d _u P > _{U ↔ K S} , < I D _i > _h2(x), (I D _i , d _u P, T ₁),(U ↔ S K S, d _s P, T ₃) _{U ↔ K S}

   S::

   < d _s P > _{U ↔ K S} , (U ↔ S K S, d _u P, T ₂) _{U ↔ K S}

3. (3)

   Establishment of security goals

   g ₁.:

   S| ≡ U| ≡ U ↔ S K S

   g ₂.:

   S| ≡ U ↔ S K S

   g ₃.:

   U| ≡ S| ≡ U ↔ S K S

   g ₄.:

   U| ≡ U ↔ S K S

4. (4)

   Initiative premises

   p ₁.:

   U| ≡ #d _u

   p ₂.:

   S| ≡ #d _s

   p ₃.:

   U| ≡ U ↔ K S

   p ₄.:

   S| ≡ U ↔ K S

   p ₅.:

   \( U|\equiv S\Rightarrow (U\stackrel {SK}\longleftrightarrow S)\)

   p ₆.:

   \( S|\equiv U\Rightarrow (U\stackrel {SK}\longleftrightarrow S)\)

5. (5)

   Scheme analysis

   a ₁.:

   Since p ₃ and U ⊲ (U ↔ S K S, d _u P, T ₂) _{U ↔ K S} , by the message-meaning rule, we get: U| ≡ S|∼(U ↔ S K S, d _u P, T ₂).

   a ₂.:

   Since p ₁ and a ₁, by the fresh conjuncatenation and nonce-verification rules, we get: U| ≡ S| ≡ (U ↔ S K S, d _u P, T ₂).

   g ₁.:

   Since a ₂, by the belief rule, we get: U| ≡ S| ≡ U ↔ S K S.

   g ₂.:

   Since p ₅ and g ₁, by the jurisdiction rule, we get: U| ≡ U ↔ S K S.

   a ₃.:

   Since p ₄ and S ⊲ (U ↔ S K S, d _s P, T ₃) _{U ↔ K S} , by the message-meaning rule, we get: S| ≡ U|∼(U ↔ S K S, d _s P, T ₃).

   a ₄.:

   Since p ₂ and a ₃, by the fresh conjuncatenation and nonce-verification rules, we get: S| ≡ U| ≡ (U ↔ S K S, d _s P, T ₃).

   g ₃.:

   Since a ₄, by the belief rule, we get: S| ≡ U| ≡ (U ↔ S K S, d _s P, T ₃).

   g ₄.:

   Since g ₃ and p ₆, by the jurisdiction rule, we get: S| ≡ U ↔ S K S.

Table 2 BAN logic notations

Security analysis

This section shows the enhanced scheme has the ability to endure different security attacks including the aforementioned attacks found in Arshad et al.’s scheme. The following attacks are based on the assumptions that a malicious attacker \(\mathcal {A}\) has completely control the whole communication channel connecting the patients and the telecare server in login and authentication phase. So \(\mathcal {A}\) can eavesdrop, modify, insert, or delete any message transmitted via public channel [31].

User anonymity

The patient’s identity I D _i is concealed all the transmitted messages and is protected by one-way hash functions. If \(\mathcal {A}\) attempts to derive I D _i , he needs to know the server’s private key x or the random numbers generated by U and S. Obviously, this values are secret only known by U and S. Therefore, it is impossible to track the patient who is involved in the authentication session.

Insider attack

The patient registers to S by presenting P W _i ⊕ H(B _i ) instead of plaintext P W _i . Since B _i is unknown to the insider, it will be difficult to retrieve P W _i from P W _i ⊕ H(B _i ). Therefore, a privileged insider S cannot attain the plain-text password and hence he cannot pretend the patient to login other telecare servers.

Off-line password guessing attack

Assume that \(\mathcal {A}\) reads [34, 35] the information {V _i , A I D _i } stored in the smart card and tries to guess a password in an off-line manner. To verify the correctness of password, \(\mathcal {A}\) needs to know patients’s I D _i and biometric B _i at the same time. To obtain I D _i from A I D _i , the telecare server’s private key x is needed. Since \(\mathcal {A}\) cannot know the biometric B _i and x which is only with U and S, respectively, it is hard for \(\mathcal {A}\) to plot an off-line password guessing attack with smart card.

Impersonation attack

\(\mathcal {A}\) does not impersonate a legal patient to server since he cannot generate a valid login request {M ₁, M ₂, A I D _i , T ₁} without the knowledge of U’s identity I D _i and S’s private key x. Both the two values I D _i and x are unknown to \(\mathcal {A}\). Similarly, \(\mathcal {A}\) cannot impersonate as a server to cheat a legal patient without knowledge of x. Only when \(\mathcal {A}\) knows x he will derive I D _i from intercepted messages. But x is the secret key of S, \(\mathcal {A}\) cannot know. In a word, it is infeasible for \(\mathcal {A}\) to launch an impersonation attack.

The session key perfect forward secrecy

Even if the patient’s password P W _i and server’s private key x are compromised by \(\mathcal {A}\), the session key SK for the previous sessions is still kept unrevealed. On the one hand, the password P W _i and server’s private key x are not utilized for computing the session key. On the other hand, it is impractical to compute S K = d _u d _s P without knowledge of d _u and d _s . As a result, the enhanced scheme achieves the session key perfect forward secrecy.

Mutual authentication

U validates S’s message {A I D _i , M ₁, M ₂, T ₁} by checking whether the timestamp T ₁ and the condition \(M^{\prime }_{2}= M_{2}\) are valid. S validates U’s message {M ₃, M ₄, T ₂} by checking whether the timestamp T ₂ and the condition \(M^{\prime }_{2}= M_{2}\) hold.

Replay attack

Assume that \(\mathcal {A}\) intends to resend the old message {M ₁, M ₂, A I D _i , T ₁} to login to S. The attack will be immediately detected by S by verifying the freshness of T ₁. Besides, S will also discover the forged message by verifying the correctness of the value M ₂ = h ₁(I D _i ||d _u P||T ₁). Therefore, it is impossible for \(\mathcal {A}\) to plot the replay attack.

Modification attack

Both the patient’s identity I D _i and the server’s private key x are hidden in all the transmitted messages. Any forged messages will be examined by U or S. It seems impossible for \(\mathcal {A}\) to intercept the transmitted messages and hence modify them without knowledge of the two values.

Functionality and performance comparisons

In this section, we compare the functionality and performance analyses of the enhanced scheme with the previous related schemes [13, 24, 26, 27]. Table 3 shows that the enhanced scheme is more secure than other related schemes. In the performance comparison, define pm, m, inv, s, F, e and h be the time for performing an elliptic curve point multiplication, a modular multiplication, a modular inversion, a symmetric encryption/decryption, a pseudo-random function, a modular exponentiation and a one-way hash function. From Table 4 we can see that the overall computational cost for the enhanced scheme is less computationally costly than those of schemes [13, 24, 26, 27].

Table 3 Functionality comparison

Table 4 Performance comparison

Conclusion

We have discussed the security of Arshad et al.’s scheme and discovered that their scheme was vulnerable to off-line password guessing attack which leads to an adversary could impersonate as a legal user to access any services provided by telecare server. We employ hash function, ECC nonce and biometric based authenticated key exchange scheme as the primitives to improve the security and efficiency of Arshad et al.’s scheme. The enhanced scheme not only satisfies many security features but also has the lowest computational cost among other related schemes.