J Med Syst (2015) 39:54 DOI 10.1007/s10916-015-0215-5

PATIENT FACING SYSTEMS

A Privacy Preserving Secure and Efficient Authentication Scheme for Telecare Medical Information Systems

Raghavendra Mishra · Amit Kumar Barnwal

Received: 25 October 2014 / Accepted: 23 January 2015 © Springer Science+Business Media New York 2015

Abstract The telecare medical information system (TMIS) presents effective healthcare delivery services by employing information and communication technologies. Privacy and security are always a matter of great concern in TMIS. Recently, Chen et al. presented a password based authentication scheme to address privacy and security. Later, it was proved insecure against various active and passive attacks. To erase the drawbacks of Chen et al.'s anonymous authentication scheme, several password based authentication schemes have been proposed using public key cryptosystems. However, most of them do not provide pre-smart card authentication, which leads to inefficient login and password change phases. To present an authentication scheme with pre-smart card authentication, we present an improved anonymous smart card based authentication scheme for TMIS. The proposed scheme protects user anonymity and satisfies all the desirable security attributes. Moreover, the proposed scheme presents efficient login and password change phases where incorrect input can be quickly detected and a user can freely change his password without server assistance. We also demonstrate the validity of the proposed scheme by utilizing the widely-accepted BAN (Burrows, Abadi, and Needham) logic. The proposed scheme is also comparable in terms of computational overheads with relevant schemes.

Keywords Telecare medical information systems · Authentication · Smart card · Security · Privacy

This article is part of the Topical Collection on Patient Facing Systems.
R. Mishra (✉) Department of Computer Engineering and Applications, National Institute of Technical Teacher's Training and Research, Bhopal, India; e-mail: [email protected]
A. K. Barnwal Department of Applied Sciences, MMM University of Technology, Gorakhpur, India; e-mail: [email protected]

Introduction

User-friendly, omnipresent and low-cost Internet technology facilitates effective e-medicine services in which a user can access remote medical services at any instant from anywhere. One service in e-medicine is telemedicine, which has been brought to patients' homes through telecare medicine information systems (TMIS). TMIS has the capability to reduce social and medical expenses. In TMIS, the medical server maintains the electronic medical records (EMRs) of registered users and facilitates various services to users, health educators, physicians, hospitals, caregivers, public health organizations and homecare service providers. However, a user accesses these services over the public channel, which is considered insecure, as an adversary may have full control over it. This increases the data security and privacy threat [1]. To counter this, remote user authentication schemes are employed to ensure secure and authorized communication between user and server [2, 3], and key agreement mechanisms allow the participants to derive a common key for secure communication over the insecure public channel [4]. Smart card based remote user authentication and key agreement schemes present a secure and efficient solution [5]. The low cost and portability of smart cards, together with their cryptographic capacity, make them widely adopted in many applications [6, 7].


Smart card based authentication schemes improve the quality of medical services [8–13]. These schemes present an efficient, economical and time-saving alternative compared to traditional clinical service. However, the privacy and security challenges in smart card based authentication schemes are a great concern [1, 14]. In general, smart card based authentication schemes face various attacks such as the stolen smart card attack, password guessing attack and insider attack [4, 10, 15–17]. In 2010, Wu et al. [18] presented an efficient remote user authentication scheme for TMIS. Their scheme is better than the previously proposed schemes for low computing devices such as mobile devices. However, Debiao et al. [14] identified that Wu et al.'s scheme does not resist the impersonation attack mounted through the insider attack. They also presented an enhanced scheme to overcome the weakness of Wu et al.'s scheme with better performance, and claimed that their scheme is more appropriate for TMIS. In 2012, Wei et al. [17] demonstrated that both Wu et al.'s and Debiao et al.'s schemes fail to meet two-factor authentication, which an efficient smart card based password authentication scheme should support. They also presented an enhanced remote user authentication scheme for TMIS to achieve efficiency and two-factor authentication. Later on, Zhu [11] pointed out that Wei et al.'s scheme does not resist the off-line password guessing attack using a stolen smart card. He also presented an improved authentication scheme for TMIS to overcome the weaknesses of Wei et al.'s scheme. Unfortunately, none of these proposed schemes [11, 14, 17, 18] protect user anonymity. User anonymity ensures the secrecy of the user's interaction with the server; otherwise an attacker can acquire the user's sensitive personal information and login history. Moreover, anonymity makes the remote user authentication mechanism more robust, as an attacker cannot track which user is interacting with the server.

To achieve anonymous authentication, Chen et al. [19] introduced an efficient and secure dynamic ID-based authentication scheme for TMIS. Their scheme protects anonymity. However, Xie et al. [20] identified that Chen et al.'s scheme is vulnerable to the impersonation attack and the off-line password guessing attack using a stolen smart card. They also presented an improved scheme for TMIS to counter these attacks. Cao and Zhai [21] also demonstrated the vulnerability of Chen et al.'s scheme to an off-line identity guessing attack and an undetectable online password guessing attack using a stolen smart card, and presented an improved scheme for TMIS. Lin [22] also showed that the user identity is compromised under the dictionary attack and the password can be derived with the stolen smart card in Chen et al.'s scheme. He proposed an improved password based authentication scheme with anonymity. Recently, Mishra [23] pointed out the failure of these schemes [11, 17, 20–22] to present efficient pre-smart card authentication. He also pointed out how an inefficient password change phase can lead to a denial of service attack. Many of the existing anonymous authentication schemes [11, 17, 20–22] ignore the input verification condition, which may lead to a denial of service scenario for authorized users in case of incorrect input in the password change phase. A single mistake in the password change phase should not cause a denial of service attack. It creates an unfriendly environment in online services, and it is a security pitfall that a user's single mistake causes a denial of service attack. In other words, a user can himself cause a denial of service attack. In general, a user cannot be considered an expert who will never commit a mistake. A human may sometimes forget the password or make a mistake while entering it. Moreover, a user may have several accounts and use different passwords for different accounts, in which case it is also possible to use one account's password for another account by mistake. Thus, incorrect input should be detected in an efficient scheme so that a mistake in the password change phase does not result in a denial of service attack.

In this article, we propose an improved remote user authentication scheme for TMIS to provide efficient login and password change phases. More precisely, the proposed scheme has the following merits:
(i) It presents an efficient login phase where incorrect input can be quickly detected;
(ii) It presents an efficient and user-friendly password change phase where the user can change his password without server assistance;
(iii) It provides user anonymity with unlinkability;
(iv) It supports mutual authentication and session key agreement;
(v) Its communication cost and computational cost are comparable with similar schemes;
(vi) It satisfies all desired security attributes.

The article is organized as follows: the proposed scheme is presented in "Proposed scheme". The security and performance analysis are presented in "Security analysis" and "Performance analysis". Finally, a conclusion is drawn in "Conclusion".

Proposed scheme

In this section, we propose a password based anonymous authentication scheme that provides an efficient and user-friendly password change phase. To achieve efficiency, we introduce pre-smart card authentication, where the smart card can verify the correctness of the input. To provide a user-friendly password change phase, we present a mechanism in which the smart card checks the correctness of the input and the user can change the password without server assistance. Additionally, the proposed scheme supports smart card revocation, where a user who has lost his smart card can obtain a replacement without a new registration. The proposed anonymous authentication scheme works in the following five phases. Table 1 lists the symbols and notations used throughout the paper.

1. Registration phase
2. Login phase
3. Verification phase
4. Password change phase
5. Smart card revocation phase

Table 1 Meaning of symbols used throughout the paper

Notation   Description
U          User/patient
S          A trustworthy medical server
E          Attacker/adversary
SC         A smart card's unique serial number
ID         Unique identity of U
PW         Unique password of U
B          Biometric key of U
X          Secret value (master key) of S
h(·)       A collision-resistant one-way hash function
H(·)       Biohashing function
⊕          XOR operation
||         String concatenation operation

The server S generates two large primes p and q of 1024 bits, then computes n = pq. It also chooses a prime number e and an integer X such that eX ≡ 1 (mod (p − 1)(q − 1)). It keeps p, q and X secret and makes n and e public.

Registration phase

In this phase, a new user registers his identity with the server and obtains a personalized smart card from the server. The registration phase is summarized in Fig. 1.

Step R1. U selects his identity ID and chooses a password PW of his choice, then submits ID with a registration request to the medical server.
Step R2. Upon receiving U's registration request, S checks the legitimacy of ID. If it is invalid, S terminates the session. Otherwise, it assigns a card number SC, then computes J = h(X||ID||N||SC), where SC is the smart card serial number and N = 0 if U is a new user; otherwise N = N + 1.
Step R3. S embeds the values {J, n, e, h(·)} into the smart card and returns the medical smart card to U via a secure channel. Additionally, S maintains a patient record table and adds the entry (ID, RID) to it, where RID = (N||SC||Tr) and Tr is the registration time.
Step R4. Upon receiving the medical smart card, U imprints his biometric B and computes L = J ⊕ h(ID||PW) and V = h(ID||H(B)||PW), where H is a biohashing function. Then he replaces J with L and stores V in the smart card. Finally, the smart card holds the values {V, L, n, e, h(·)}.

Fig. 1 Registration phase of our scheme

Login phase

A user who wishes to log in to the server inserts his smart card into a card reader, inputs his identity and password, and imprints his biometric. The login phase is summarized in Fig. 2.

Step L1. The smart card verifies whether V = h(ID||H(B)||PW). If the verification does not hold, it terminates the session. Otherwise, it computes J = L ⊕ h(ID||PW).
Step L2. The smart card selects a random number ru and computes A = J^ru (mod n) and Cu = h(ID||A||J||Tu), then sends the login message <AID> to S, where AID = (ID||Tu||A||Cu)^e (mod n) and Tu is the current timestamp.

Verification phase

In general, only the server verifies the legitimacy of the user. However, the user should also verify the correctness of the source so that a server masquerading attack can be resisted. In the proposed scheme, both user and server verify the authenticity of each other and draw a session key for secure communication. The mutual authentication mechanism is summarized in Fig. 3.


Fig. 2 Login phase of our scheme

Step V1. Upon receiving the message <AID>, S computes AID^X (mod n) and obtains (ID||Tu||A||Cu). It extracts the entry RID = (N||SC||Tr) corresponding to ID from the patient record table. Then S verifies the freshness of the timestamp Tu: Tu must be fresher than the last used Tr, i.e., Tu > Tr. S computes J = h(X||ID||N||SC) and verifies whether Cu = h(ID||A||J||Tu). If the verification does not hold, it terminates the session. Otherwise, U is authenticated by S. Additionally, S replaces RID with RID* = (N||SC||Tu) and runs Step V2.
Step V2. S selects a random number rs, and then computes D = J^rs (mod n) and Kus = A^rs (mod n) = J^(ru·rs) (mod n). It computes the session key skus = h(ID||Kus||J||Tu) and Cs = h(ID||skus||D||Tu). Finally, S takes skus as the session key and sends the message <D, Cs> to U.
Step V3. Upon receiving S's message <D, Cs>, the smart card computes Ksu = D^ru (mod n) = J^(rs·ru) (mod n) and then the session key sksu = h(ID||Ksu||J||Tu). It also computes Cs' = h(ID||sksu||D||Tu) and verifies whether Cs' = Cs. If the verification does not hold, the session is terminated. Otherwise, S is authenticated by U and U agrees on the session key sksu. The two agreed session keys skus and sksu are equal, since Ksu = J^(rs·ru) (mod n) = J^(ru·rs) (mod n) = Kus.

Fig. 3 Verification phase of our scheme

Password change phase

A user can change his password without server assistance. The password change phase is summarized in Fig. 4.

Step P1. U inserts his smart card into the card reader, imprints his biometric B, and then inputs the identity ID, the old password PW and a new password PWnew.
Step P2. The smart card verifies whether V = h(ID||H(B)||PW). If the verification does not hold, it terminates the session. Otherwise, it computes J = L ⊕ h(ID||PW).
Step P3. The smart card computes Lnew = J ⊕ h(ID||PWnew) and Vnew = h(ID||H(B)||PWnew). Then it replaces L with Lnew and V with Vnew.

Fig. 4 Password change phase of our scheme

Smart card revocation

If a legal user has lost his smart card, he can obtain a replacement smart card from the server. The smart card revocation phase is summarized in Fig. 5.

Step S1. U submits a new smart card request with his identity ID to S.
Step S2. S verifies the credentials of U. If U is unauthorized or ID is invalid, it terminates the session. Otherwise, it goes to Step S3.
Step S3. S extracts RID = (N||SC) corresponding to ID from its database.
Step S4. S personalizes U's new smart card by embedding the values {Jnew, n, e, h(·)} into it, where Jnew = h(X||ID||N + 1||SCnew) and SCnew is the new smart card serial number. Then it provides the smart card to U via a secure channel and updates RID with RIDnew, where RIDnew = (N + 1||SCnew). In other words, S updates N to N + 1 and SC to SCnew.
Step S5. Upon receiving the smart card, U performs Step R4 of the registration phase.
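To make the on-card and server-side phases concrete, the following is an added example (not the authors' code) that simulates registration, login, verification and password change in Python. It assumes small constructed Mersenne primes in place of the 1024-bit p and q, SHA-256 truncated to 128 bits for h(·) and H(·), and blockwise textbook RSA for AID, since the paper does not specify how a message longer than n is encrypted; the pre-smart card check rejects a wrong password on the card without sending anything, and the server's Tu > Tr check rejects a replayed AID.

```python
# Added example, not the authors' code: simulates the paper's registration, login,
# verification and password change phases. Every parameter below is constructed.
import hashlib
import secrets

# Assumption: Mersenne primes M127 and M107 replace the paper's 1024-bit p and q so
# the pure-Python example runs instantly. S keeps X secret and publishes n and e.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N_MOD, E = P * Q, 65537
X = pow(E, -1, (P - 1) * (Q - 1))        # master key: e*X = 1 (mod (p-1)(q-1))
NBYTES = (N_MOD.bit_length() + 7) // 8   # width of a value reduced mod n
BLOCK = NBYTES - 2                       # plaintext block that is always < n
LEN = 16                                 # ID (exactly LEN bytes), Tu, hashes: 128 bits

def h(*parts: bytes) -> bytes:
    """h(.): collision-resistant hash of the '||' concatenation, 128-bit output."""
    return hashlib.sha256(b"".join(parts)).digest()[:LEN]

def biohash(template: bytes) -> bytes:
    """H(.): stand-in biohashing function (assumption: salted hash of the template)."""
    return hashlib.sha256(b"biohash|" + template).digest()[:LEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def modexp(base: bytes, exp: int) -> bytes:   # base^exp mod n as fixed-width bytes
    return pow(int.from_bytes(base, "big"), exp, N_MOD).to_bytes(NBYTES, "big")

def rsa_enc(m: bytes) -> bytes:
    """(m)^e mod n blockwise, since ID||Tu||A||Cu is longer than n (assumption: the
    paper leaves the splitting unspecified; zero padding fills the last block)."""
    chunks = (m[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, len(m), BLOCK))
    return b"".join(pow(int.from_bytes(c, "big"), E, N_MOD).to_bytes(NBYTES, "big")
                    for c in chunks)

def rsa_dec(c: bytes) -> bytes:
    """(c)^X mod n blockwise; Server.verify parses fixed-width fields, dropping padding."""
    return b"".join(pow(int.from_bytes(c[i:i + NBYTES], "big"), X, N_MOD)
                    .to_bytes(BLOCK, "big") for i in range(0, len(c), NBYTES))

class Server:
    def __init__(self):
        self.records = {}                # patient record table: ID -> (N, SC, Tr)

    def register(self, ident: bytes, now: int) -> bytes:
        """Steps R2-R3: issue J = h(X||ID||N||SC); N counts re-issues for this ID."""
        n_ctr = self.records[ident][0] + 1 if ident in self.records else 0
        sc = secrets.token_bytes(8)      # smart card serial number SC
        self.records[ident] = (n_ctr, sc, now)
        return h(X.to_bytes(NBYTES, "big"), ident, n_ctr.to_bytes(4, "big"), sc)

    def verify(self, aid: bytes):
        """Steps V1-V2: decrypt AID, require Tu > Tr and a valid Cu, reply <D, Cs>."""
        m = rsa_dec(aid)
        ident, tu = m[:LEN], m[LEN:2 * LEN]
        a, cu = m[2 * LEN:2 * LEN + NBYTES], m[2 * LEN + NBYTES:3 * LEN + NBYTES]
        rec = self.records.get(ident)
        if rec is None or int.from_bytes(tu, "big") <= rec[2]:
            return None                  # unknown ID or stale Tu (replayed AID)
        j = h(X.to_bytes(NBYTES, "big"), ident, rec[0].to_bytes(4, "big"), rec[1])
        if cu != h(ident, a, j, tu):
            return None                  # forged or tampered login message
        self.records[ident] = (rec[0], rec[1], int.from_bytes(tu, "big"))  # RID*
        rs = secrets.randbelow(N_MOD)
        d, kus = modexp(j, rs), modexp(a, rs)    # D = J^rs, Kus = A^rs = J^(ru rs)
        sk = h(ident, kus, j, tu)
        return sk, d, h(ident, sk, d, tu)        # skus, D, Cs

class SmartCard:
    def __init__(self, j: bytes, ident, pw, bio):
        """Step R4: store L = J xor h(ID||PW) and V = h(ID||H(B)||PW), never J itself."""
        self.L = xor(j, h(ident, pw))
        self.V = h(ident, biohash(bio), pw)

    def _unlock(self, ident, pw, bio):
        """Pre-smart card authentication (Steps L1/P2): check V before recovering J."""
        if self.V != h(ident, biohash(bio), pw):
            return None                  # wrong input is caught here; nothing is sent
        return xor(self.L, h(ident, pw))

    def login(self, ident, pw, bio, tu: int):
        """Step L2: AID = (ID||Tu||A||Cu)^e mod n with A = J^ru, Cu = h(ID||A||J||Tu)."""
        j = self._unlock(ident, pw, bio)
        if j is None:
            return None
        ru, tu_b = secrets.randbelow(N_MOD), tu.to_bytes(LEN, "big")
        a = modexp(j, ru)
        return rsa_enc(ident + tu_b + a + h(ident, a, j, tu_b)), (j, ru, tu_b)

    def finish(self, ident, state, d: bytes, cs: bytes):
        """Step V3: Ksu = D^ru, sksu = h(ID||Ksu||J||Tu); accept only if Cs matches."""
        j, ru, tu_b = state
        sk = h(ident, modexp(d, ru), j, tu_b)
        return sk if cs == h(ident, sk, d, tu_b) else None

    def change_password(self, ident, pw, bio, new_pw) -> bool:
        """Steps P1-P3: L and V are rewritten on the card; the server is not contacted."""
        j = self._unlock(ident, pw, bio)
        if j is None:
            return False
        self.L, self.V = xor(j, h(ident, new_pw)), h(ident, biohash(bio), new_pw)
        return True
```

The two session keys agree because Kus = A^rs = J^(ru·rs) and Ksu = D^ru = J^(rs·ru); a second submission of the same AID fails at the server because its Tu is no longer greater than the stored Tr.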

Fig. 5 Smart card revocation phase of our scheme

Security analysis

Authentication proof based on BAN logic

Some notations used in the BAN logic analysis are described as follows:
– $P \mid\equiv X$: The principal $P$ believes the statement $X$.
– $P \lhd X$: $P$ sees $X$, i.e., $P$ has received a message containing $X$.
– $P \mid\sim X$: $P$ once said $X$, i.e., $P$ believed $X$ when $P$ sent it.
– $P \mid\Rightarrow X$: $P$ controls $X$, i.e., $P$ has jurisdiction over $X$.
– $\#(X)$: The message $X$ is fresh.
– $P \mid\equiv Q \xleftrightarrow{K} P$: $P$ and $Q$ use the shared key $K$ to communicate with each other.
– $A \xleftrightarrow{x} B$: $x$ is shared secret information between $A$ and $B$.
– $\{X\}_K$: The formula $X$ is encrypted under $K$.
– $\langle X \rangle_Y$: The formula $X$ is combined with the formula $Y$.
– $(X)_K$: The formula $X$ is hashed with the key $K$.
– $\stackrel{K}{\mapsto} P$: $K$ is the public key of $P$.
– $P \stackrel{X}{\rightleftharpoons} Q$: $X$ is a secret formula known only to $P$ and $Q$.

In order to describe the logical postulates of BAN logic in formal terms [24, 25], we present the following rules:

Rule (1). Message meaning rule, for shared secret keys:
$$\frac{P \mid\equiv Q \xleftrightarrow{k} P,\quad P \lhd \{X\}_k}{P \mid\equiv Q \mid\sim X} \qquad (3.1)$$
If $P$ believes that $k$ is shared with $Q$ and sees $X$ encrypted under $k$, then $P$ believes that $Q$ once said $X$.

Rule (2). Nonce verification rule:
$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X} \qquad (3.2)$$
If $P$ believes that $X$ has been uttered recently (freshness) and $P$ believes that $Q$ once said $X$, then $P$ believes that $Q$ believes $X$.

Rule (3). Jurisdiction rule:
$$\frac{P \mid\equiv Q \mid\equiv X,\quad P \mid\equiv Q \mid\Rightarrow X}{P \mid\equiv X} \qquad (3.3)$$
If $P$ believes that $Q$ has jurisdiction over $X$, and $P$ believes that $Q$ believes the message $X$, then $P$ believes $X$.

Rule (4). Freshness rule:
$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)} \qquad (3.4)$$
If one part of a formula is known to be fresh, then the entire formula must be fresh.

According to the analytic procedures of BAN logic, the proposed protocol should satisfy the following goals:
Goal 1. $U \mid\equiv (U \xleftrightarrow{SK} S)$;
Goal 2. $S \mid\equiv (U \xleftrightarrow{SK} S)$.

The protocol in generic form:
Message 1. $U \rightarrow S:\ (ID \,\|\, T_u \,\|\, J^{r_u} \,\|\, C_u)^e \pmod n,\ T_u$
Message 2. $S \rightarrow U:\ h(ID \,\|\, sk_{us} \,\|\, J^{r_s} \,\|\, T_u),\ J^{r_s}$

Idealized form of the protocol:
Message 1. $U \rightarrow S:\ \{ID,\ J^{r_u},\ (ID, J^{r_u}, T_u)_J\}_e,\ T_u$
Message 2. $S \rightarrow U:\ (ID,\ J^{r_s},\ U \xleftrightarrow{sk} S)_J,\ J^{r_s}$

We make the following assumptions about the initial state of the protocol in order to analyze it:
A1: $U \mid\equiv \#(T_u)$;
A2: $S \mid\equiv \#(r_s)$;
A3: $U \mid\equiv (U \xleftrightarrow{J} S)$;
A4: $S \mid\equiv (U \xleftrightarrow{J} S)$;
A5: $U \mid\equiv S \mid\equiv (U \xleftrightarrow{J} S)$;
A6: $S \mid\equiv U \mid\equiv (U \xleftrightarrow{J} S)$.

We analyze the idealized form of the proposed protocol based on the BAN logic rules and the assumptions. The main proofs are described as follows.

According to Message 1, we get:
S1: $S \lhd \{ID,\ J^{r_u},\ (ID, J^{r_u}, T_u)_J\}_e,\ T_u$

According to assumption A4, we apply the message meaning rule to get:
S2: $S \mid\equiv U \mid\sim T_u$

According to assumption A1, we apply the freshness conjuncatenation rule to get:
S3: $S \mid\equiv \#(ID, J^{r_u}, T_u)_J$

According to S2 and S3, we apply the nonce verification rule to obtain:
S4: $S \mid\equiv U \mid\equiv (ID, J^{r_u}, T_u)_J$

According to assumption A4 and S4, we apply the jurisdiction rule to get:
S5: $S \mid\equiv T_u$

According to $sk = h(ID \,\|\, K_{us} \,\|\, J \,\|\, T_u)$, S5 and A2, we obtain:
S6: $S \mid\equiv (U \xleftrightarrow{sk} S)$ (Goal 2)

According to Message 2, we obtain:
S7: $U \lhd (ID,\ U \xleftrightarrow{sk} S,\ J^{r_s})_J$

According to assumption A3, we apply the message meaning rule to get:
S8: $U \mid\equiv S \mid\sim J^{r_s}$

According to assumption A1, we apply the freshness conjuncatenation rule to get:
S9: $U \mid\equiv \#(ID,\ U \xleftrightarrow{sk} S)$

According to S8 and S9, we apply the nonce verification rule to obtain:
S10: $U \mid\equiv S \mid\equiv (ID,\ U \xleftrightarrow{sk} S)$

According to assumption A1 and S10, we apply the jurisdiction rule to get:
S11: $U \mid\equiv J^{r_s}$

According to $sk = h(ID \,\|\, K_{us} \,\|\, J \,\|\, T_u)$, S11 and A1, we obtain:
S12: $U \mid\equiv (U \xleftrightarrow{sk} S)$ (Goal 1)

Discussion on the possible attacks

The detailed security analysis of the proposed scheme, verifying how the scheme satisfies the security requirements, is as follows.

User anonymity
In the proposed scheme, only the login message includes the user identity. However, the login message is encrypted with the public key of the server, whose security is based on the hardness of the factorization problem. Therefore, the user identity cannot be extracted from the login message. Moreover, the login message includes a random number, which is different for each session. Therefore, an attacker cannot link transmitted login messages to each other. This unlinkability and the encryption of the login message ensure user anonymity.

Known-key security
The session key is the hashed output of secret values, and the hash function cannot be inverted. Thus, an attacker cannot extract or learn any secret from a compromised session key. Moreover, each session key involves random session-specific secret values, which are different for each session. This guarantees a unique key for each session. Therefore, a compromised session key does not reveal any information about other session keys.

Stolen smart card attack
An attacker can obtain the parameters {V, L, n, e, h(·)}. However, to generate a valid login message, the user identity ID and the secret key J = h(X||ID||N||SC) are needed. The secret key J cannot be calculated from publicly known parameters, as constructing it requires the server master key. Moreover, J is protected with the password, which is known only to the patient. The identity is also bound into V = h(ID||H(B)||PW), which is a hashed output of secret values. Since the attacker cannot obtain ID or the secret value J from the known values, as both are protected with the password, an attacker cannot generate a valid login message to fool the server using a stolen smart card.

Known session-specific temporary information attack
Suppose the short-term secret values ru and rs are leaked. Then the adversary can calculate Ksu = B^ru (mod n) = J^(rs·ru) (mod n), as he can obtain B (= J^rs (mod n)) from the public channel. However, he cannot calculate the session key sksu = h(ID||Ksu||J||Tu||Ts), as the session key involves the user secret key J, which is unknown to the attacker.

Replay attack
In the proposed scheme, login messages include a random number and a timestamp, where the timestamp is unique for each session. The uniqueness of the timestamp does not allow a replay attack.

Off-line password guessing attack
An attacker can extract the values {V, L, n, e, h(·)} from a stolen smart card. However, an attacker cannot successfully guess the password: to verify a guessed password he has to satisfy the condition V = h(ID||H(B)||PW), which is the hashed output of the password along with the user identity, and to obtain the secret key J from L = J ⊕ h(ID||PW) he has to know the identity ID. Since the identity is secret, an attacker cannot successfully guess the password.

Password guessing attack
Let an attacker obtain {V, L, n, e, h(·)} from a stolen smart card. Then he can try an online password guessing attack by guessing the user's password. However, guessing the password alone is not enough, as L = J ⊕ h(ID||PW). Therefore, he has to guess the two values ID and PW simultaneously to obtain the secret value J, which is infeasible. Hence, in the proposed scheme, an online password guessing attack is not possible.

Perfect forward secrecy
If an attacker obtains the master key X of the server, he still cannot calculate the session key. This is clear from the following facts:
– An attacker can obtain the parameters {V, L, n, e, h(·)} from a stolen smart card and can record the transmitted messages AID = (ID||Tu||A||Cu)^e (mod n) and <B = J^rs (mod n), Cs = h(ID||skus||B||Tu||Ts)>.
– E can obtain (ID||Tu||A||Cu) by decrypting AID with X.
– E can compute J = h(X||ID||N||SC) if he also gets the stored values from the server database. However, he cannot obtain the session key sksu = h(ID||Ksu||J||Tu||Ts), as computing Ksu = J^(rs·ru) (mod n) from the given J^rs (mod n) and J^ru (mod n) is equivalent to the computational Diffie-Hellman problem, which is considered hard.

Key freshness property
Each session key involves a random number and a timestamp, where the timestamp is unique for each session. This guarantees that the construction of each session key is unique to that session. The unique key construction for each session ensures the key freshness property.

Mutual authentication
In a mutual authentication mechanism, the user must prove its identity to the server and the server must prove its identity to the user. In the proposed scheme, user and server authenticate each other. To achieve this, the user and the server exchange Cu and Cs respectively, which include the entities' identities along with the secret key. To forge the user or the server, the secret key is needed, which is known only to the user and the server. Therefore, in the authentication phase, the server verifies the user's authenticity and the user verifies the correctness of the source.

Session key
In the proposed scheme, the session key (sk) is constructed from the shared secret of both the user and the server. Moreover, the user verifies the shared session key to ensure its correctness.

Efficient login and password change phase
In both the login and the password change phase, the smart card checks the condition V = h(ID||H(B)||PW), which covers the identity, the password and the biometric. If the user inputs a wrong identity or password, the condition V = h(ID||H(B)||PW) does not hold and the smart card terminates the session. The quick detection of an incorrect identity or password makes the proposed scheme efficient.


User-friendly password change phase
In the proposed scheme, a user can change his password freely without server assistance, as the smart card can verify the correctness of the input. This makes the password change phase efficient.

Comparison

We compare our scheme with some recently published password based schemes for TMIS [11, 17, 19–22, 26] in Table 2. If a scheme prevents an attack or satisfies a property, the symbol '√' is used, and if it fails to prevent the attack or does not satisfy the attribute, the symbol '×' is used. 'Password guessing attack' stands for both the online and the off-line password guessing attack in the table, and 'temporary information attack' is written in place of known session-specific temporary information attack. We also compare the security attributes of our scheme with some biometric based authentication schemes, namely Li and Hwang's [27], Li et al.'s [28], Truong et al.'s [29], Chang et al.'s [30] and Yan et al.'s [31] schemes, in Table 3.

Table 2 Security attributes comparison with some password based schemes for TMIS

Security attributes (rows): User anonymity; Insider attack; Password guessing attack; Stolen smart card attack; Impersonation attack; Stolen verifier attack; Replay attack; Temporary information attack; Perfect forward secrecy; Session key agreement; Session key verification; Efficient password change; User-friendly password change; Efficient login.
Schemes (columns): [17], [11], [19], [21], [20], [22], Proposed, [26].
[Table 2: the Proposed column is √ for all fourteen attributes; the individual √/×/− entries for the other schemes were scattered by extraction and are not reproduced here.]

Performance analysis

Table 3 Security attributes comparisons of the proposed scheme with other relevant biometric based authentication schemes

Security attributes (rows): User anonymity; Insider attack; User impersonation attack; Stolen smart card attack; Replay attack; Man-in-the-middle attack; Denial of service attack; Password guessing attack; User-friendly password selection; Session key agreement; Session key verification; Efficient login; Efficient password change.
Schemes (columns): [27], [28], [29], [30], [31], [10], Ours.
[Table 3: in row order, the [31] column reads ×, √, √, √, √, √, ×, ×, √, √, √, ×, × and the Ours column is √ for all thirteen attributes; the entries for [27], [28], [29], [30] and [10] were scattered by extraction and are not reproduced here.]

Table 4 Computation cost comparison of our scheme with existing schemes

Scenarios \ Schemes           Cao and Zhai [21]   Lin's [22]    Xie et al.'s [20]   Ours
Memory needed in smart card   1280 bits           2304 bits     2660 bits           2432 bits
Communication overhead        1408 bits           1536 bits     2432 bits           2176 bits
Login phase cost              Th + TE             3Th + TE      2Th + 2TE           3Th + 2TE
Verification phase cost       7Th + TE            7Th + TE      6Th + TS + 4TE      6Th + 4TE
Message exchange              3                   2             2                   2

In general, smart cards have limited storage space and limited computation power. Therefore, the authentication protocol must give priority to efficiency due to the resource constraints of the smart card [32]. In this section, we analyze the efficiency of the proposed scheme against similar password based remote user authentication protocols based on smart cards for telecare medical information systems. Suppose that the user identity ID, the password PW, the random variables, the timestamp and the output of the hash function are all 128 bits, while e, X and n are all 1024 bits. Let Th, TE and TX denote the time complexity of a hash function, an exponentiation and an XOR operation, respectively. It is well known that the time complexity of the XOR operation is negligible compared to the other two operations, so we do not take TX into account. In general, the time complexities of Th, TE and TX can be roughly ordered as TE >> Th >> TX [33, 34]. The communication and computation overheads are then as follows.

In Xie et al.'s scheme, the user's smart card computes h(PW), A, C1 and AID in the login phase. Therefore, the computation cost in the login phase is 2Th + 2TE. In the verification phase, the smart card computes Ksu, sksu and Cu while the server computes AID^X (mod n), Dsym(X)(RID), J, Cs, B, Kus, skus and Cs. Therefore, the computation overhead in the verification phase is 6Th + TS + 4TE. The user transmits the messages <AID, Tu> and <C2, Ts, B>; therefore the communication overhead is 2432 (= 3 × 128 + 2 × 1024) bits. The smart card stores the values {ID, SC, N, L, n, e}; therefore the memory required is 2660 (= 4 × 128 + 2 × 1024) bits.

In Cao and Zhai's scheme, the user's smart card computes h(b||PW) and AID in the login phase. Therefore, the computation cost in the login phase is Th + TE. In the verification phase, the smart card computes Ksu, Cs and Cu while the server computes AID^X (mod n), J, Ks, Cs and Cu. Therefore, the computation overhead in the verification phase is 7Th + TE. The user transmits the messages <AID>, <rs, Cs> and Cu; therefore the communication overhead is 1408 (= 3 × 128 + 1024) bits. The smart card stores the values {L, n, b}; therefore the memory required is 1280 (= 2 × 128 + 1024) bits.

In Lin's scheme, the computation of W, CID, R and X is required in the login phase, and X^d mod N, H, R, CID, λ, V, λ' and V' are required in the verification phase. So the computation overhead in the login phase is 3Th + TE and in the verification phase 7Th + TE. The user and the server transmit the messages <X, R, T1> and <V, λ>; therefore the communication overhead is 1536 (= 4 × 128 + 1024) bits. The smart card stores the values N, v, e and t; therefore the memory required is 2304 (= 2 × 128 + 2 × 1024) bits.

In the proposed scheme, the user computes h(ID||PW), V, A, Cu and AID in the login phase. So the computation cost in the login phase is 3Th + 2TE. In the verification phase, the user computes Ksu, sksu and Cs while the server computes AID^X (mod n), J, B, Cu, Kus, sk and Cs. Then the computation overhead in the verification phase is 6Th + 4TE. The user transmits the message <AID> while the server transmits the message <Cs, B>; therefore the communication overhead is 2176 (= 128 + 2 × 1024) bits. Moreover, the smart card stores the values {V, L, n, e}; therefore the memory required is 2304 (= 2 × 128 + 2 × 1024) bits (Table 4).

Conclusion

In this article, we have discussed the merits and demerits of the existing smart card based authentication schemes for TMIS in the literature. We have proposed an improved anonymous authentication scheme for TMIS which preserves user privacy and ensures unlinkability. The proposed scheme also maintains efficient login and password change phases where incorrect input can be quickly detected, and a user can freely change his password without server assistance. The proposed scheme supports mutual authentication and session key agreement. The correctness of the mutual authentication is shown using the widely-accepted BAN logic. The proposed scheme is resilient to the replay attack, man-in-the-middle attack and impersonation attack. The proposed scheme also withstands the off-line password guessing attack, insider attack and stolen smart card attack. Through the security analysis, we have shown that the proposed scheme is secure against various known attacks, including the attacks found in earlier proposed schemes. In addition, the proposed scheme is comparable in terms of communication and computational overheads with related schemes.

Conflict of interest The authors declare that they have no conflict of interest.


