J Med Syst (2014) 38:9994 DOI 10.1007/s10916-013-9994-8

ORIGINAL PAPER

A Secure and Efficient Authentication and Key Agreement Scheme Based on ECC for Telecare Medicine Information Systems

Xin Xu & Ping Zhu & Qiaoyan Wen & Zhengping Jin & Hua Zhang & Lian He

Received: 27 August 2013 / Accepted: 21 October 2013 / Published online: 21 November 2013
© Springer Science+Business Media New York 2013

Abstract

In the field of the Telecare Medicine Information System, recent research has focused on perfecting more convenient and secure healthcare delivery services for patients. To protect sensitive information, various mechanisms such as access control have been proposed to safeguard patients’ privacy in this system. However, these schemes suffer from certain security defects and are costly, which makes them unsuitable for the telecare medicine information system. In this paper, based on elliptic curve cryptography, we propose a secure and efficient two-factor mutual authentication and key agreement scheme that reduces the computational cost. The scheme provides patient anonymity by employing a dynamic identity. Compared with other related protocols, the security analysis and performance evaluation show that our scheme overcomes some well-known attacks and has better performance in the telecare medicine information system.

Keywords Telecare medicine information system · Authentication · Key agreement · Elliptic curve cryptography

X. Xu (*) · Q. Wen · Z. Jin · H. Zhang · L. He
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China

X. Xu · P. Zhu
School of Science, Beijing University of Posts and Telecommunications, Beijing 100876, China

Introduction

Information and communication technologies are increasingly used in telemedicine to improve medical services and reduce costs. With the widespread use of the electronic medical record (EMR), a telecare medicine information system (TMIS) can support more healthcare delivery services. Moreover, EMR makes it possible to move from paper-based health records to electronic ones, and TMIS offers easy and ubiquitous access to EMR. The greatest difference between the TMIS and the traditional healthcare service model is the use of information and communication technology equipment to provide a remote service, which assists with certain healthcare activities to lower medical care costs and improve healthcare quality [1]. For instance, in TMIS, it is possible to bring the advantages of telemedicine directly into the patient’s home, i.e., a connection between patients at home and doctors at a clinical center or home healthcare (HHC) agency [2, 3].

At the same time, EMR transmitted between patients and the telecare server faces new security and privacy threats [4]. In TMIS, EMR is a significant carrier of the health information of registered patients, such as allergies, health status, medical history and telephone number. No one, especially a well-known person, is willing to have this sensitive information exposed. Therefore, secure communication between patients and the telecare server is an essential requirement and a complex issue for TMIS.

Access control is one of the crucial techniques to ensure the security of communication [5]. In TMIS, to prevent the specified EMR from being eavesdropped on by illegal users, authentication is usually employed to deal with security and privacy on insecure networks. Furthermore, small battery-powered devices are widely used in this system, and patients wish to be served anywhere for a long period. Thus, high efficiency is another major characteristic of an authentication scheme in TMIS.

Very recently, a large number of schemes have been proposed for safeguarding user privacy and providing availability. Unfortunately, many of them were vulnerable to various types of well-known attacks and were costly. According to the above descriptions, a secure and practical authentication scheme for TMIS should satisfy the following requirements.


1. Only a verified patient is allowed to access the telecare server and then obtain his/her EMR.
2. Mutual authentication and session key agreement can be achieved between patients and the telecare server to strengthen the security of transmitted information.
3. User anonymity should be guaranteed during the communication to protect the patient’s privacy.
4. The patient can choose and change his/her password freely, for user friendliness.
5. Various commonly known attacks can be resisted to ensure security in each session.
6. A low-cost authentication scheme is required for resource-limited devices.

In order to meet all of the above requirements, in this paper we propose a secure and efficient two-factor authentication and key agreement scheme based on Elliptic Curve Cryptography (ECC), which maintains better network connectivity and resilience against some common attacks. Two-factor authentication with smart card and password can provide several advantages, such as higher security compared with the traditional single-factor scheme [6]. Meanwhile, we employ ECC with shorter key length to support less computation overhead and a higher security level compared to the standard encryption techniques (RSA, AES) [7].

This paper is organized as follows. Section “Related Work” introduces some related authentication schemes in TMIS, while Section “Preliminaries” briefly reviews a few cryptographic notions. The proposed scheme and the corresponding security and performance evaluation are put forward in Section “The proposed scheme” and Section “Analysis”, respectively. Finally, the overall conclusion is provided in Section “Conclusion”.


Related work

A number of schemes [2, 6, 8–12, 14–16] about TMIS have been introduced for secure authentication and key agreement in recent years. In 2010, Wu et al. [8] raised an efficient authentication scheme which added a pre-computing phase and claimed that their scheme was secure and suitable for TMIS. Although their scheme is superior to the previous solutions for implementation on mobile devices, He et al. [9] pointed out that Wu et al.’s scheme suffered from the impersonation attack to the insider attack and put forward their enhanced scheme. Unfortunately, Wei et al. [10] stated that both of the authentication schemes mentioned above [8, 9] failed to achieve two-factor authentication and were vulnerable to off-line password guessing attack. In order to overcome these weaknesses, the authors presented an improved scheme and demonstrated that their scheme was more secure and efficient. However, Zhu et al. [11] showed that the authentication scheme in [10] could not resist an off-line password guessing attack and then proposed an improved authentication scheme as an alternative in 2012. Later, Lee et al. [12] analyzed the weaknesses of the authentication schemes in [8, 10] and [11], and presented an enhanced scheme to resist some well-known attacks.

Furthermore, Chen et al. [2] identified security pitfalls, such as vulnerability to insider attack, in Khan et al.’s authentication scheme [13] and proposed an improved scheme to address the security risks in [13]. More recently, Jiang et al. [14] pointed out that the authentication scheme proposed in [2] could not resist identity guessing attack and tracking attack, and subsequently proposed their improved scheme. What is more, Lin [15] and Xie et al. [16] pointed out that the scheme in [2] was still vulnerable to dictionary attacks, off-line password guessing attack and impersonation attack. Then, they presented their enhanced authentication schemes for TMIS, respectively. In 2013, Cao et al. [6] also demonstrated that the scheme in [2] allowed the attacker to distinguish patients in different login sessions and that the service server needed to exhaustively search the account database. To remedy the drawbacks in [2], they proposed an improved smart card based password authentication scheme.

Regretfully, the existing related authentication schemes for TMIS mentioned above do not pay attention to the issue of user anonymity. Furthermore, some of them still consume excessive energy and suffer from off-line password guessing attack and temporary secrets leaked attack.

Preliminaries

In this section, we introduce some elementary notions related to the ECC system and a computational problem.

Elliptic curve cryptosystem

Let $E_p(a,b)$ be a set of elliptic curve points over the prime field $F_p$, defined by the non-singular elliptic curve equation $y^2 = (x^3 + ax + b) \bmod p$ with $a, b \in F_p$ and $(4a^3 + 27b^2) \bmod p \neq 0$. The additive elliptic curve group is defined as $G_p = \{(x,y) : x, y \in F_p, (x,y) \in E_p(a,b)\} \cup \{O\}$, where the point $O$ is known as the “point at infinity”. The scalar multiplication of the cyclic group $G_p$ is defined as $k \cdot P = P + P + \cdots + P$ ($k$ times). A point $P$ has order $n$ if $n \cdot P = O$ for the smallest integer $n > 0$ [17].

Computational problem

There exists a computational problem over the elliptic curve group which is used to design our scheme.

Definition 1 (Elliptic curve discrete logarithm problem, ECDLP). Given two points $P, Q \in G_p$, it is computationally infeasible to find an integer $k \in [1, n-1]$ such that $Q = k \cdot P$. Up to now, there is no efficient polynomial time algorithm which can solve the ECDLP.


The proposed scheme

This section introduces our proposed two-factor authentication with key agreement scheme based on ECC for TMIS. The proposed scheme is composed of four phases: the registration phase, login phase, authentication phase, and password update phase. The notions used in our paper are defined in Table 1.

Before the registration phase, the telecare server $S$ in TMIS chooses an elliptic curve $E: y^2 \equiv x^3 + ax + b \pmod{p}$ and generates a group $E_p(a,b)$ with order $n$, where $n$ is a large prime number. Then $S$ selects a base point $P = (x_0, y_0)$, where $P$ satisfies $n \cdot P = O$. After that, $S$ chooses a random number $s \in Z_p^*$ as its private key and computes the corresponding public key $Y = s \cdot P$. Besides, $S$ chooses two one-way hash functions $h()$ and $h_1()$. These operations are finished off-line to save computing resources.

Registration phase

When a patient $U_i$ wants to be a legal user of TMIS, the following steps are performed:

1. $U_i$ chooses his/her password $PW$ and a random number $r$, and then $U_i$ sends his/her $ID \in Z_p^*$ and $A = h(PW \| r)$ to the telecare server $S$ through a secure channel.
2. Upon receiving $ID$ and $A$ from $U_i$, $S$ computes $M = h(s \oplus ID)$ and $B = M \oplus A$. Then $S$ stores $\{E_p, P, Y, B, h(), h_1()\}$ into a smart card and sends it to $U_i$ via a secure channel.
3. After receiving the smart card, $U_i$ stores $r$ into it. Finally, the smart card contains $\{E_p, P, Y, B, r, h(), h_1()\}$.

Login phase

As shown in Fig. 1, when $U_i$ wants to enjoy the services from $S$, he/she needs to send a login message to $S$. The steps are performed as follows:

1. $U_i$ inserts his/her smart card into the smart device and inputs $ID$ and $PW$, and then the smart card computes

   $A = h(PW \| r)$, $B \oplus A = M$, $C_1 = a \cdot P$, $C_2 = a \cdot Y$, $CID = ID \oplus h_1(C_2)$, $F = h(ID \| M \| T_1)$.

   Here, $a$ is a secret nonce chosen by $U_i$ and $T_1$ is the current timestamp.
2. On behalf of $U_i$, the smart card sends the login message $m_1 = \{C_1, CID, F, T_1\}$ to $S$.

Table 1 The notions used in our paper

| Notation | Description |
|---|---|
| $ID$ | The patient $U_i$’s identity |
| $PW$ | The patient $U_i$’s password |
| $S$ | The telecare server in TMIS |
| $s$ | The telecare server’s private key |
| $Y$ | The telecare server’s public key |
| $Z_p^*$ | The multiplicative group of $Z_p$ |
| $h()$ | A secure one-way hash function: $\{0,1\}^* \to Z_p^*$ |
| $h_1()$ | A secure one-way hash function: $G_p \times G_p \to Z_p^*$ |
| $P$ | A base point of $E_p(a,b)$ |

Fig. 1 The proposed scheme

Authentication phase

In this phase, $U_i$ and $S$ perform the following steps to authenticate each other:

1. Upon receiving $m_1$ from $U_i$, $S$ checks whether $T_1$ is valid or not. If $T_1$ is a null timestamp, $S$ cancels this session. Otherwise, $S$ uses its private key $s$ to compute

   $C_2' = s \cdot C_1$, $ID' = CID \oplus h_1(C_2')$, $M' = h(s \oplus ID')$, $F' = h(ID' \| M' \| T_1)$.

   Then, $S$ checks whether $F'$ is equal to $F$. If they are equal, $S$ considers that $U_i$ is a legal user. Otherwise, $S$ aborts.
2. Upon confirming the legality of $U_i$, $S$ continues to compute

   $D_1 = c \cdot P$, $D_2 = c \cdot C_1$, $sk = h(ID' \| h_1(D_2) \| M')$, $G = h(sk \| M' \| T_2)$.

   Here, $c$ is a secret nonce chosen by $S$ and $T_2$ is the current timestamp. Then, $S$ sends $m_2 = \{D_1, G, T_2\}$ to $U_i$.
3. Upon receiving $m_2$ from $S$, $U_i$ checks whether $T_2$ is valid or not. If it is valid, $U_i$ computes $D_2' = a \cdot D_1$, $sk' = h(ID \| h_1(D_2') \| M)$ and checks whether $G' = h(sk' \| M \| T_2)$ is equal to $G$. If they are equal, $U_i$ considers that $S$ is the legal telecare server. Then, $U_i$ and $S$ share the agreed session key $sk = h(ID \| h_1(D_2) \| M)$ for subsequent communications.

Password update phase

This phase allows the patient $U_i$ to freely change his/her password when he/she considers the existing password unsafe. The following steps are performed:

1. The patient $U_i$ first enters $ID$ and $PW$, and then the smart card computes $A = h(PW \| r)$, $B \oplus A = M$.
2. Then, $U_i$ is asked to input a new password $PW_{new}$ and the smart card computes $A_{new} = h(PW_{new} \| r)$, $B_{new} = A_{new} \oplus M$. Thereafter, the smart card replaces the original $B$ with $B_{new}$, which means the password is updated successfully.
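The four phases above can be exercised end to end with the following Python sketch, which is an added example and not the authors' code. It assumes the secp256k1 curve, SHA-256 for both $h()$ and $h_1()$, a `|`-separated field encoding for $\|$, and a 60-second timestamp window, none of which the paper specifies; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: secp256k1 (y^2 = x^3 + 7 mod p, so a = 0); the paper fixes no curve.
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(Q, R):  # affine point addition; None stands for the point at infinity O
    if Q is None: return R
    if R is None: return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if Q == R:
        lam = 3 * x1 * x1 * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, Q):  # scalar multiplication k.Q by double-and-add (not constant time)
    R = None
    while k:
        if k & 1:
            R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def h(*parts):
    """h(): SHA-256 over '|'-joined fields (assumed encoding of x || y)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h1(point):
    return h("point", *point)                    # h_1(): assumed instantiation
def same(x, y):
    return hmac.compare_digest(str(x), str(y))   # constant-time comparison
def nonce():
    return secrets.randbelow(n - 1) + 1          # uniform in [1, n-1]

class Server:
    def __init__(self):
        self.s = nonce()                         # private key s
        self.Y = mul(self.s, P)                  # public key Y = s.P

    def register(self, ID, A):                   # returns (Y, B = M xor A)
        return self.Y, h(self.s ^ ID) ^ A

    def authenticate(self, m1, now, window=60):
        C1, CID, F, T1 = m1
        if abs(now - T1) > window:               # stale or future T1
            return None
        ID = CID ^ h1(mul(self.s, C1))           # C2' = s.C1 unmasks CID
        M = h(self.s ^ ID)
        if not same(F, h(ID, M, T1)):            # F' != F: reject
            return None
        c = nonce()
        sk = h(ID, h1(mul(c, C1)), M)            # D2 = c.C1
        return (mul(c, P), h(sk, M, now), now), sk   # m2 = {D1, G, T2}, sk

class SmartCard:
    def __init__(self, server, ID, PW):          # registration phase
        self.r = secrets.randbits(128)
        self.Y, self.B = server.register(ID, h(PW, self.r))

    def login(self, ID, PW, now):                # returns m1 = {C1, CID, F, T1}
        self.ID, self.M, self.a = ID, self.B ^ h(PW, self.r), nonce()
        CID = ID ^ h1(mul(self.a, self.Y))       # C2 = a.Y
        return mul(self.a, P), CID, h(ID, self.M, now), now

    def finish(self, m2, now, window=60):
        D1, G, T2 = m2
        if abs(now - T2) > window:
            return None
        sk = h(self.ID, h1(mul(self.a, D1)), self.M)   # D2' = a.D1
        return sk if same(G, h(sk, self.M, T2)) else None

    def change_password(self, PW, PW_new):
        # The card holds no verifier: a wrong PW here yields a B that S rejects.
        self.B = h(PW_new, self.r) ^ (self.B ^ h(PW, self.r))

def run_session(card, server, ID, PW, now=1_700_000_000):
    reply = server.authenticate(card.login(ID, PW, now), now)
    if reply is None:
        return None, None
    return card.finish(reply[0], now), reply[1]
```

`run_session` returns the session key as derived by the card and by the server; both are `None` when $S$ rejects $F$, which is the only point at which a wrong password is detected.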

Analysis

We analyze the security and efficiency of our scheme in this section, and the subsequent comparisons between related authentication schemes and ours show that the proposal can resist some well-known attacks and work more efficiently.

Security analysis

We will illustrate that our scheme meets the following security attributes, based on the security requirements proposed in Section “Introduction”. Table 2 shows the functionality comparisons between our scheme and others.

Table 2 Functionality comparisons

| Type of security | [2] | [8] | [9] | [10] | [11] | [16] | Ours |
|---|---|---|---|---|---|---|---|
| User anonymity | N | N | N | N | N | N | Y |
| Two-factor authentication | Y | N | N | N | Y | Y | Y |
| Key agreement | Y | Y | Y | Y | N | Y | Y |
| User untraceability | N | N | N | N | N | N | Y |
| Impersonation attack | N | N | Y | Y | Y | Y | Y |
| Insider attack | N | N | Y | Y | Y | Y | Y |
| Replay attack | Y | Y | Y | Y | Y | Y | Y |
| On-line password guessing attack | Y | N | Y | N | Y | Y | Y |
| Off-line password guessing attack | N | N | N | N | Y | Y | Y |
| Perfect forward security | N | N | Y | N | NR | Y | Y |
| Stolen smart-card attack | N | NR | NR | NR | NR | Y | Y |
| Temporary secrets leaked attack | N | NR | NR | N | NR | N | Y |
| No key control | Y | Y | Y | Y | NR | Y | Y |
| Known-key security | Y | N | Y | Y | NR | Y | Y |
| Session key confidentiality | N | N | N | Y | NR | Y | Y |

Y: prevents the attack or provides the security property. N: does not prevent the attack or does not provide the property. NR: the feature is not referred to.

User anonymity

User anonymity requires that no third party can know the identity of the patient $U_i$, except $U_i$ himself and the telecare server $S$ [14]. Anonymity is essential in TMIS since sensitive information about patients, such as address, phone number or medical history, is involved in EMR. Our scheme preserves user anonymity in the whole system. In the registration phase, the identity of $U_i$ is submitted via a secure channel, which means that no adversary can obtain $ID$. What is more, in the remaining phases, instead of the patient’s original identity $ID$, a dynamic identity $CID = ID \oplus h_1(C_2)$ is computed, which is unknown to the adversary because the parameter $C_2$ is known only to the patient $U_i$ and the telecare server $S$. Therefore, the adversary is not capable of extracting the real identity of $U_i$ from $CID$. Hence, our scheme guarantees user anonymity.

Mutual authentication and key agreement

Mutual authentication means that both the telecare server and the patient can authenticate each other [11]. According to the security criteria mentioned above in Section “Introduction”, in the proposed scheme the telecare server $S$ can verify the patient $U_i$ by step 1 of the authentication phase, and $U_i$ can authenticate $S$ by step 3. Therefore, $S$ and $U_i$ successfully run a mutual authentication, so that only a verified patient is allowed to access his/her medical information. After that, a session key $sk = h(ID \| h_1(D_2) \| M)$ is calculated for encrypting the subsequently transmitted data, which can ensure the confidentiality and integrity of the patient’s medical information. Hence, our scheme provides mutual authentication and key agreement.

Impersonation attack

For an adversary to impersonate a legal patient $U_i$ and fool the telecare server $S$, the identity $ID$ and $M$ in the authentication value $F = h(ID \| M \| T_1)$ need to be forged first. However, since $ID$ is protected by a secure channel and covered by a dynamic identity $CID$, the adversary cannot get a certified $ID$. Meanwhile, even if the adversary obtains $B$ and $r$ from the smart card, he cannot compute the right $M$ without $PW$. Also, a valid $C_1$ cannot be calculated because of the secret nonce $a$. Therefore, the adversary fails to elicit the vital parameters $ID$, $a$ and $M$ needed to forge a valid login message $m_1 = h(ID \| M \| T_1)$, which means that he is unable to act as a legal $U_i$, and our scheme can resist impersonation attack.

On-line password guessing attack

An on-line password guessing attack occurs when an unauthorized user repeatedly logs in to the telecare server $S$ on-line in order to obtain the correct password [2]. Suppose that an adversary guesses a candidate password to log in to $S$. Then it is necessary to concoct a usable $m_1 = \{C_1, CID, F, T_1\}$. Since $F$ is composed of $ID$, $M$ and the timestamp $T_1$, and the password $PW$ is involved in $M$, it is difficult for the adversary to generate $F$ without the identity $ID$ and the password $PW$. Moreover, the tolerated number of wrong password attempts can be preset. For instance, after three bad guesses, the user is forced to change his password. Under such a setting, our scheme can resist on-line password guessing attack.

Off-line password guessing attack

Off-line password guessing attack means that an adversary can eavesdrop any intercepted information or the self-generated parameters to guess the password of a specific user [9].
Assume that an adversary guesses a password $PW'$ from the dictionary, and he computes $A' = h(PW' \| r)$, $B \oplus A' = M'$. However, other information cannot be calculated due to the lack of $C_2$ and $ID$, which means the guessed password $PW'$ and the correct parameters cannot be compared to determine whether these values are correct. Hence, our scheme can resist off-line password guessing attack.

Insider attack

A legitimate but malicious patient may act as an insider adversary to cheat the telecare server $S$ out of others’ sensitive information. In our scheme, we consider an insider attack in the following case: a malicious patient $U_j$ attempts to impersonate a patient $U_i$ who has previously accessed $S$. To impersonate $U_i$ and log in to $S$, he must first fake a usable login message $m_1 = \{C_1, CID, F, T_1\}$ to pass the verification procedure. This attack fails in our scheme since $U_j$ cannot compute the exact $CID$ and $F$ without the correct $ID$, $C_2$ and $M$. For an insider adversary $U_j$, even if he intercepts $m_1 = \{C_1, CID, F, T_1\}$ to obtain $C_1$, the different secret value $a$ for each patient is still hidden from $U_j$ because of the ECDLP problem. Therefore, he cannot compute $C_2$ and launch an insider attack without the login message $m_1$. Hence, our scheme can resist insider attack.

Known-key security

Known-key security means that the authentication and key agreement scheme allows the user and server to generate a unique secret session key. If this session key is compromised, it should have no impact on other session keys [5]. In this scheme, due to the randomness and independence of the generation of $a$ and $c$, which are indispensable components of $D_2$, the session key $sk = h(ID \| h_1(D_2) \| M)$ of each session is independent of any other session. That is, the adversary has no ability to compute previous or future session keys from this one. Hence, our scheme can ensure known-key security.

Stolen smart card attack

Assume that $U_i$’s smart card was stolen and an adversary breaches the secret information $\{E_p, P, Y, B, r, h(), h_1()\}$ in it. Meanwhile, the adversary also intercepts $m_1 = \{C_1, CID, F, T_1\}$ through the open channel. Although $B$ and $r$ are revealed, the adversary is still unable to compute $M$ without $U_i$’s password $PW$. What is more, the parameter $C_2$, as an important component of $CID$, is also unknown to the adversary because of the secret nonce $a$. Then, the adversary cannot imitate a validated $U_i$ to cheat $S$ even if he extracts the information from the smart card. Hence, our scheme can resist stolen smart card attack.

Perfect forward security

Forward security means that the past session key will not be compromised even if the current key is revealed. In our scheme, the session key $sk = h(ID \| h_1(D_2) \| M)$ changes with different communication sessions. Even if the private key $s$ of the telecare server $S$ is compromised, the adversary cannot derive the previous session key because of $D_2$, which is composed of the secret nonces $a$, $c$ and $P$. Since $a$ and $c$ are independently generated in each session and are not correlated with each other, an adversary fails to get the previous
session key even if he has obtained the private key $s$ of $S$. Hence, our scheme can ensure perfect forward security.

Performance analysis

Due to the resource constraints of the smart card, the authentication and key agreement scheme in TMIS must take efficiency into consideration. In the following, we measure the computational and communication costs. In Table 3, we evaluate the performance of our proposed scheme and make comparisons with others in TMIS [10, 11, 16, 17]. To analyze the computational complexity of the schemes, we introduce some notations as follows.

• $T_H$: the time cost of a hash operation.
• $T_M$: the time cost of a point multiplication in a group.
• $T_E$: the time cost of an exponentiation operation.
• $T_S$: the time cost of a symmetric encryption or decryption operation.

Table 3 Computational cost comparisons

| Phase | [10] | [11] | [16] | [17] | Ours |
|---|---|---|---|---|---|
| Registration | $3T_H + T_E$ | $2T_H$ | $2T_H + T_S$ | $T_H + T_M$ | $2T_H$ |
| Login | $2T_H + T_E$ | $2T_H + T_E$ | $2T_H + 2T_E$ | $T_H + 2T_M$ | $2T_H + 2T_M$ |
| Authentication | $8T_H$ | $6T_H + T_E$ | $6T_H + 4T_E + T_S$ | $3T_H + 5T_M$ | $9T_H + 4T_M$ |
| Total | $13T_H + 3T_E$ | $10T_H + 2T_E$ | $10T_H + 6T_E + 2T_S$ | $5T_H + 8T_M$ | $13T_H + 6T_M$ |
| Time | 5730 ms | 3820 ms | 11460.1 ms | 11.92 ms | 8.94 ms |

The XOR operation, string concatenation operation and a point addition in a group are negligible in the evaluation. In our proposal, the computation cost of the registration phase is $2T_H$. Besides, the login and authentication phases cost $11T_H + 6T_M$. Finally, the total computation cost of ours is $13T_H + 6T_M$.

We also evaluate the cryptographic operations by using C++ in the environment (CPU: 1.6 GHz, RAM: 2.0 G) and obtain the average running time of each cryptographic operation. For a symmetric encryption or decryption operation $T_S$, the average time is 0.05 ms with a 128-bit key. For an exponentiation operation $T_E$, the average time is 1910 ms, and for a point multiplication in a group $T_M$, the average time is 1.49 ms with a 160-bit key. At last, we assume that the running time of a hash operation $T_H$ is negligible.

For the computation cost, we compare the different schemes by the method of [18, 19]. For instance, in this scheme, there are thirteen hash operations and six point multiplications in a group to finish the mutual authentication and key agreement between the patient and the telecare server. Thus, the operation time of ours is approximately $6 \times 1.49 = 8.94$ ms. More computational cost details about the others are given in Table 3.

Besides, we measure communication cost in terms of the maximum bandwidth of these schemes. Since ECC is employed, we assume that the parameter in our scheme is 160 bits in length. Meanwhile, the lengths of the identification and timestamp are defined as 160 bits. For the others, the length of a parameter in the multiplicative group is set as 1024 bits. A hash function $h(\cdot)$ is typically instantiated with the 160-bit SHA-1. In our scheme, the longest message $m_1 = \{C_1, CID, F, T_1\}$ contains four points. Therefore, the maximum bandwidth of ours is $(160 \times 4)/8 = 80$ bytes. More communication cost details about the others are shown in Table 4.

Table 4 Communication cost comparisons

| Bandwidth (bytes) | [10] | [11] | [16] | [17] | Ours |
|---|---|---|---|---|---|
| Maximum | 164 | 148 | 168 | 60 | 80 |

In light of the above comparisons, we can summarize that our scheme achieves the essential requirements of a secure authentication and key agreement scheme in TMIS. Moreover, our scheme has lower computational and communication cost among the existing related works. Therefore, our scheme is applicable to the restricted consumption scenarios of TMIS.

Conclusion

In this paper, we propose a secure and efficient two-factor mutual authentication and key agreement scheme based on elliptic curve cryptography for TMIS. The security analysis shows that our scheme achieves the essential requirements in such a system and resists some common attacks. Besides, according to the performance analysis, we demonstrate that our scheme has the lowest computational cost among other related schemes and less communication cost. These attributes make the proposed scheme a promising approach for TMIS.

Acknowledgments This work is supported by NSFC (Grant Nos. 61070251, 61272057, 61202434, 61170270, 61100203, 61003286, 61121061), the Fundamental Research Funds for the Central Universities (Grant No. 2012RC0612, 2011YB01) and China Postdoctoral Science Foundation (Grant No. 2013M530561).


References

1. Li, S. H., Wang, C. Y., Lu, W. H., Lin, Y. Y., and Yen, D. C., Design and implementation of a telecare information platform. J. Med. Syst. 36(3):1629–1650, 2012.
2. Chen, H. M., Lo, J. W., and Yeh, C. K., An efficient and secure dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 36(6):3907–3915, 2012.
3. Lambrinoudakis, C., and Gritzalis, S., Managing medical and insurance information through a smart-card-based information system. J. Med. Syst. 24(4):213–234, 2000.
4. Fernández-Alemán, J. L., Señor, I. C., Lozoya, P. A. O., and Toval, A., Security and privacy in electronic health records: A systematic literature review. J. Biomed. Inform. 46(3):541–62, 2013.
5. Li, X., Niu, J. W., Khan, M. K., and Liao, J. G., An enhanced smart card based remote password authentication scheme. J. Netw. Comput. Appl. 36(5):1365–1371, 2013.
6. Cao, T. J., and Zhai, J. X., Improved dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 37:9912, 2013.
7. Khan, S. U., Pastrone, C., Lavagno, L., and Spirito, M. A., An authentication and Key establishment scheme for the IP-based wireless sensor networks. Proc. Comput. Sci. 10:1039–1045, 2012.
8. Wu, Z. Y., Lee, Y. C., Lai, F., Lee, H. C., and Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1529–1535, 2012.
9. He, D., Chen, J., and Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1989–1995, 2012.
10. Wei, J., Hu, X., and Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3597–3604, 2012.
11. Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3833–3838, 2012.
12. Lee, T. F., and Liu, C. M., A secure smart-card based authentication and Key agreement scheme for telecare medicine information systems. J. Med. Syst. 37:9933, 2013.
13. Khan, M. K., et al., Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme. Comput. Commun. 34(3):305–309, 2010.
14. Jiang, Q., Ma, J. F., Ma, Z., and Li, G. S., A privacy enhanced authentication scheme for telecare medical information systems. J. Med. Syst. 37:9897, 2013.
15. Lin, H. Y., On the security of a dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 37:9929, 2013.
16. Xie, Q., Zhang, J., and Dong, N., Robust anonymous authentication scheme for telecare medical information systems. J. Med. Syst. 37:9911, 2013.
17. Islam, SK. H., and Biswas, G. P., A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem. J. Syst. Software. 84:1892–1898, 2011.
18. Ren, K., Lou, W., Zeng, K., and Moran, P. J., On broadcast authentication in wireless sensor networks. IEEE T. Wirel. Commun. 6(11):4136–4144, 2007.
19. Guo, R., Wen, Q. Y., Jin, Z. P., Zhang, H., An Efficient and Secure Certificateless Authentication Protocol for Healthcare System on Wireless Medical Sensor Networks. Sci. World. J. Volume 2013, Article ID 761240, 7 pages.
