An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem.

The telecare medical information systems (TMISs) enable patients to conveniently enjoy telecare services at home. The protection of patient's privacy is a key issue due to the openness of communication environment. Authentication as a typical approach is adopted to guarantee confidential and authorized interaction between the patient and remote server. In order to achieve the goals, numerous remote authentication schemes based on cryptography have been presented. Recently, Arshad et al. (J Med Syst 38(12): 2014) presented a secure and efficient three-factor authenticated key exchange scheme to remedy the weaknesses of Tan et al.'s scheme (J Med Syst 38(3): 2014). In this paper, we found that once a successful off-line password attack that results in an adversary could impersonate any user of the system in Arshad et al.'s scheme. In order to thwart these security attacks, an enhanced biometric and smart card based remote authentication scheme for TMISs is proposed. In addition, the BAN logic is applied to demonstrate the completeness of the enhanced scheme. Security and performance analyses show that our enhanced scheme satisfies more security properties and less computational cost compared with previously proposed schemes.

Introduction

With comprehensive employment of the mobile networks, TMISs enable telecare which builds a convenient bridge between patients at home and the remote server a reality. In such system, patients without leaving home can access the same medical services as at hospital. TMISs provide greatly facilitate for some patients who are inconvenient to go to hospital, which saves a lot of the patients’ expenses and time. The problem is that the patients’ sensitive information may be eavesdropped by an illegal entity due to the unreliable communication channel. Therefore, a feasible authentication mechanism [1-5] is essential needed to ensure security and integrity of transmitting data for TMISs.

In 2009, Wu et al. [6] presented an authenticated key exchange scheme for TMISs and declared their scheme was more efficient compared with the previous schemes for TMISs by adding a precomputation step. However, He et al.[7] identified that the scheme was susceptible to internal and masquerade attacks. Then, He et al. introduced a more secure authentication scheme to conquer these flaws. Later, Wei et al.[8] pointed out that both Wu et al. and He et al.’s schemes were prone to suffer from off-line password guessing attack. An improved scheme with more security was designed by Wei et al. But Zhu et al. [9] discovered that Wei et al.’s scheme was still insecure against off-line password guessing attack. In order to eliminate such pitfall, Zhu et al. further proposed an enhancement based on Wei et al.’s scheme using RSA [10]. In 2013, Wu et al. [11] pointed out that Jiang et al.’s scheme [12] had some security drawbacks and proposed a new authentication scheme for TMIS. Unfortunately, Wen et al. [13] observed that Wu et al.’s scheme did not provide patient anonymity and failed to resist server spoofing and off-line password guessing attacks. In order to erase these drawbacks, Wen et al. proposed their modified scheme based on Wu et al.’s scheme. Lately, other researchers also proposed their authentication and key agreement schemes for TMISs [14-16]. All in all, above schemes aim to achieve two factor authentication.

Lately, research in two factor based authenticated key exchange schemes employing biometric have attracted a lot of well-deserved attention. In comparison to password, biometrics keys have many advantages [17], such as cannot be lost or forgotten, copied or shared, hard to be forged or distributed and cannot be guessed easily. Many biometric based authentication schemes combine password and smart card were appeared [18-23], and were becoming one of the most widely adopted authentication mechanisms. Awasthi et al. [24] presented a biometric authentication nonce based scheme for TMISs. However, Mishra et al.[25] observed that Awasthi et al.’s scheme was vulnerable to off-line password guessing attack and did not provide efficient password change option. Soon after that Tan et al.[26] found that Awasthi et al.’s scheme did not resist reflection attack and did not achieve three factor security and user anonymity. To remedy the weaknesses of Awasthi et al.’s scheme, Tan et al. presented a three factor authentication scheme and claimed that their scheme was secure against various attacks. Recently, Arshad et al.[27] pointed out that Tan et al.’s scheme did not withstand denial-of service and replay attacks. They then presented an improved elliptic curve cryptosystem (ECC)-based [28, 29] scheme to prevent the flaws.

In this paper, we briefly review Arshad et al.’s scheme. We demonstrate Arshad et al.’s scheme fails to protect against off-line password guessing attack. Additionally, we show that in case the adversary succeeded in getting identity and password of an arbitrary user, he can impersonate any user of the system. Furthermore, we put forward a biometric based authentication scheme for TMISs to cope with the loopholes of Arshad et al.’s scheme. The proposed scheme also employs lower computational operations such as ECC and hash function to lower its computational cost. Besides, we adopt BAN logic [30] to demonstrate the completeness of the enhanced scheme. Moreover, we present the security and performance analyses to show that our enhanced scheme satisfies more security properties and less computational cost compared with previously proposed schemes.

The rest of this paper is organized as follows. Section “Review of Arshad et al.’s scheme” and Section “Weaknesses of Arshad et al.’s scheme”review and security analysis of Arshad et al.’s scheme, respectively. Section “Proposed scheme” and Section “Analysis security” show our proposed scheme and analyze its security. Section “Functionality and performance comparisons” depicts the functionality and performance comparison among the proposed scheme and other related ones. Section “Conclusion” is a brief conclusion.

Review of Arshad et al.’s scheme

This section briefly reviews Arshad et al.’s biometric based password authentication scheme for TMISs. Their scheme contains three phases: registration, authentication and password change. Notations that will be used throughout the paper are listed in Table 1.

Table 1

Notations

U, S	The patient and the telecare server
I D i, P W i, B i	Identity, password, biometric of the patient
H(⋅)	Biohash function
h 1(⋅), h 2(⋅)	Hash function h_1:{0,1}^∗→{0,1}^l, hash function h_2:{0,1}^∗→Zp∗.
x	Private key selected by S
⊕, ||	Exclusive-or operation and concatenation operation

Registration

U selects his identity ID, password PW, a random number N and imprints his biometric B. Then, he computes MPW = PW ⊕ N, MB = B ⊕ N and submits {ID, MPW, MB} to S.

S verifies whether ID is in his database or not. If ID is not found, S calculates AID = h2(x||ID), V = MPW ⊕ MB ⊕ ID = PW ⊕ B ⊕ ID, and W = h1(MB) ⊕ h1(MPW) ⊕ ID ⊕ AID. Furthermore, S chooses a random number N and computes R = x ⊕ N, and MID = ID ⊕ h1(N). After that, S keeps ID in his database and the information {V, W, R, MID, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)} into a smart card SC.

U stores N into SC. Now, SC contains {N, V, W, R, MID, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)}

Authentication

U inserts SC into a smart card reader, inputs ID, and PW, and imprints biometric at the sensor. Then, SC computes B = V ⊕ PW ⊕ ID and verifies whether the equation holds or not. If holds, SC computes AID = h1(B ⊕ N) ⊕ h1(PW ⊕ N) ⊕ ID ⊕ W, selects a random number d and continues to compute R = AIDdP = h2(x||ID)dP, and V1 = h1(ID||R||AID||T), and sends a message REQUEST {R, T, V1, MID, R} to S, where T is the current time.

When receiving the message, S checks whether the transmission delay is within the allowed time interval ΔT. If T−T < ΔT, S computes N = x ⊕ R, derives ID by computing MID ⊕ h1(N), and checks whether ID exists in database or not. If exists, S checks whether h1(ID||R||h2(x||ID)||T) = ?V1. If holds, S selects a random number d and computes Q = dP and K1 = h2(x||ID)−1dR = ddP. Furthermore, S chooses a random number and computes , and . Finally, S sends the message CHALLENGE to U.

After receiving the message, U computes K2 = dQ = ddP and checks whether . If the equation is true, U computes , and . Then, U updates the values of MID and R with the values of and , respectively. Finally, U computes V3 = h1(K2||Q||ID), and the shared session key SK = h1(ID||Q||K2), and sends a message RESPONSE {V3} to S.

After receiving the message, S checks whether h1(K1||Q||ID) = ?V3. If equal, S accepts the shared session key SK as SK = h1(ID||Q||K1).

Password change

U inserts SC into the card reader, inputs identity ID, password PW and imprints his biometric at the sensor. SC computes B = V ⊕ PW ⊕ ID and checks whether the equation holds or not. If holds, U keys a new password and imprints a new personal biometric . Then, SC computes and as follows:

and updates SC’s memory V, W by .

Weaknesses of Arshad et al.’s scheme

This section shows that Arshad et al.’s scheme [27] has two security drawbacks, which are discussed in the following subsections. The following attacks are based on the assumptions that a malicious attacker has completely monitor over the communication channel connecting U and S in login and authentication phase. So can eavesdrop, modify, insert, or delete any message transmitted via public channel [31].

Not withstanding the off-line password guessing attack

The password and identity are low entropy [32, 33]. Therefore, can guess a password and an identity ID with the help of achieving values [34, 35] {V, W, R, MID, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)} from the medical device and {R, T, V1, MID, R} from the login request message as follows: If successfully guesses the identity and the password of the patient, it will result into another attack. The detail of the attack is discussed as the next subsection.

guesses and and computes , . Then, checks .

If the verification succeeds, considers and as the user’s identity and password. Otherwise, he repeats (1).

Not withstanding the user impersonation attack

As described in the previous subsection, can read [34, 35] the information {V, W, R, MID, τ, d(⋅), E, n, P, Y, h1(⋅), h2(⋅)} stored in the smart card. After successfully guessing the password PW and ID, can launch a user impersonation attack with the eavesdropped message {R, T, V1, MID, R} in the following:

generates a random number and computes . After that, he sends the REQUEST message to S, where is the current timestamp.

After checking the freshness of , S derives N and ID and verifies . Obviously, the equation will be held due to the true identity. S then continues to perform the original scheme without any detected. Finally, S delivers the CHALLENGE message to .

imitates what the patient were doing and computes V3 and sends it to S, where . When receiving the value V3, will surely pass through S. As a result, S negotiates the session key with who masquerades as the legal patient.

Proposed scheme

This section presents a slight modification scheme to remedy the weaknesses of Arshad et al.’s scheme. The proposed scheme aims to propose an efficient improvement on Arshad et al.’s scheme to overcome the weaknesses of their scheme, while also retaining the original merits of their scheme. In the proposed scheme, in order to resist the off-line password guessing attack, we employ biometrics to conceal password. And we adopt Biohashing to protect biometrics of patients, which can resolve high false rejection and hence decrease denial of service access probability [36, 37]. And biohashing is very efficient and lightweight as compared to modular exponentiation and elliptic curve point multiplication [38, 39]. The proposed scheme also contains three phases: registration, login and authentication and password updating (Fig. 1).

Fig. 1

Registration and authentication phase of the enhanced scheme

The patient U inputs his biometric B, identity ID and password PW. Then, U calculates MP = PW ⊕ H(B) and submits {ID, MP} to the server S.

When receiving the message, S computes AID = ID ⊕ h2(x), V = h1(ID||MP) and issues a smart card SC which contains the information {AID, V, h1(⋅), h2(⋅), H(⋅)} to U.

Login and Authentication

U inserts SC into a card reader and keys his identity ID, password PW and biometric B. SC computes h1(ID||PW ⊕ H(B)) and verifies whether it is equal to the value V1. If true, U passes through the verification. Then, SC selects a random number d and computes K = h1(ID||ID ⊕ AID), M1 = K ⊕ dP, M2 = h1(ID||T1||dP), and transmits {M1, M2, AID, T1} to S.

When receiving the login request, S first examines whether |T1−T| < ΔT, where T is the current timestamp of the S. If holds, S uses his private key x to derive ID by computing M1 ⊕ h2(x), he then computes dP = K ⊕ M1 and checks h(ID||T1||dP) = ?M2. If correct, S then generates a random number d and computes M3 = K ⊕ dP, SK = ddP, M4 = h1(K||T2||SK||dP), where T2 is the current timestamp. At last, S sends the message {M3, M4, T2} to U.

Upon receiving the message, U first checks the freshness of T2. Then, U retrieves dP by computing M3 ⊕ K and computes to verify whether is equal to the received M4. If holds, U computes M5 = h1(K||dP||SK||T3) and then sends the message {M5, T3} to S, where T3 is the current timestamp.

After receiving {M5, T3}, S verifies whether |T3−T| < ΔT and . If both conditions hold, S authenticates U and accepts SK as the session key for further operations.

If U doubts his password may be leaked, he can alter the old password to a new one as follows. U inserts his SC into the device and submits his ID, PW and B. Then SC verifies whether h1(ID||PW ⊕ H(B)) = ?V. If valid, U inputs a new password PW, SC calculates then replaces V with .

Analysis security

This section conducts a cryptanalysis of the enhanced scheme both through Burrows-Abadi-Needham (BAN) logic [30] and security features.

Proofing scheme with BAN logic

BAN logic [30] is a set of rules for defining and analyzing information exchange schemes (Table 2). It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes. We first introduce some notations and logical postulates of BAN logic used in our scheme.

Table 2

BAN logic notations

A| ≡ X	A believes a statement X
U↔KS	Share a key K between user and sever
#X	X is fresh
A ⊲ X	A sees X
A|∼X	A said X
{X, Y}K	X and Y are encrypted with the key K.
(X, Y)K	X and Y are hashed with the key K.
< X > K	X is xored with the key K

BAN logical postulates

Message-meaning rule: : if A believes that K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.

Nonce-verification rule: : if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.

The belief rule: : if A believes X and Y, then A believes (X, Y).

Fresh conjuncatenation rule: : if A believes freshness of X, B believes freshness of (X, Y).

Jurisdiction rule: : if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.

Idealized scheme

< dP > , < ID > , (ID, dP, T1),(U ↔ SKS, dP, T3)

< dP > , (U ↔ SKS, dP, T2)

Establishment of security goals

S| ≡ U| ≡ U ↔ SKS

S| ≡ U ↔ SKS

U| ≡ S| ≡ U ↔ SKS

U| ≡ U ↔ SKS

Initiative premises

U| ≡ #d

S| ≡ #d

U| ≡ U ↔ KS

S| ≡ U ↔ KS

Scheme analysis

Since p3 and U ⊲ (U ↔ SKS, dP, T2), by the message-meaning rule, we get: U| ≡ S|∼(U ↔ SKS, dP, T2).

Since p1 and a1, by the fresh conjuncatenation and nonce-verification rules, we get: U| ≡ S| ≡ (U ↔ SKS, dP, T2).

Since a2, by the belief rule, we get: U| ≡ S| ≡ U ↔ SKS.

Since p5 and g1, by the jurisdiction rule, we get: U| ≡ U ↔ SKS.

Since p4 and S ⊲ (U ↔ SKS, dP, T3), by the message-meaning rule, we get: S| ≡ U|∼(U ↔ SKS, dP, T3).

Since p2 and a3, by the fresh conjuncatenation and nonce-verification rules, we get: S| ≡ U| ≡ (U ↔ SKS, dP, T3).

Since a4, by the belief rule, we get: S| ≡ U| ≡ (U ↔ SKS, dP, T3).

Since g3 and p6, by the jurisdiction rule, we get: S| ≡ U ↔ SKS.

Security analysis

This section shows the enhanced scheme has the ability to endure different security attacks including the aforementioned attacks found in Arshad et al.’s scheme. The following attacks are based on the assumptions that a malicious attacker has completely control the whole communication channel connecting the patients and the telecare server in login and authentication phase. So can eavesdrop, modify, insert, or delete any message transmitted via public channel [31].

User anonymity

The patient’s identity ID is concealed all the transmitted messages and is protected by one-way hash functions. If attempts to derive ID, he needs to know the server’s private key x or the random numbers generated by U and S. Obviously, this values are secret only known by U and S. Therefore, it is impossible to track the patient who is involved in the authentication session.

Insider attack

The patient registers to S by presenting PW ⊕ H(B) instead of plaintext PW. Since B is unknown to the insider, it will be difficult to retrieve PW from PW ⊕ H(B). Therefore, a privileged insider S cannot attain the plain-text password and hence he cannot pretend the patient to login other telecare servers.

Off-line password guessing attack

Assume that reads [34, 35] the information {V, AID} stored in the smart card and tries to guess a password in an off-line manner. To verify the correctness of password, needs to know patients’s ID and biometric B at the same time. To obtain ID from AID, the telecare server’s private key x is needed. Since cannot know the biometric B and x which is only with U and S, respectively, it is hard for to plot an off-line password guessing attack with smart card.

Impersonation attack

does not impersonate a legal patient to server since he cannot generate a valid login request {M1, M2, AID, T1} without the knowledge of U’s identity ID and S’s private key x. Both the two values ID and x are unknown to . Similarly, cannot impersonate as a server to cheat a legal patient without knowledge of x. Only when knows x he will derive ID from intercepted messages. But x is the secret key of S, cannot know. In a word, it is infeasible for to launch an impersonation attack.

The session key perfect forward secrecy

Even if the patient’s password PW and server’s private key x are compromised by , the session key SK for the previous sessions is still kept unrevealed. On the one hand, the password PW and server’s private key x are not utilized for computing the session key. On the other hand, it is impractical to compute SK = ddP without knowledge of d and d. As a result, the enhanced scheme achieves the session key perfect forward secrecy.

Mutual authentication

U validates S’s message {AID, M1, M2, T1} by checking whether the timestamp T1 and the condition are valid. S validates U’s message {M3, M4, T2} by checking whether the timestamp T2 and the condition hold.

Replay attack

Assume that intends to resend the old message {M1, M2, AID, T1} to login to S. The attack will be immediately detected by S by verifying the freshness of T1. Besides, S will also discover the forged message by verifying the correctness of the value M2 = h1(ID||dP||T1). Therefore, it is impossible for to plot the replay attack.

Modification attack

Both the patient’s identity ID and the server’s private key x are hidden in all the transmitted messages. Any forged messages will be examined by U or S. It seems impossible for to intercept the transmitted messages and hence modify them without knowledge of the two values.

Functionality and performance comparisons

In this section, we compare the functionality and performance analyses of the enhanced scheme with the previous related schemes [13, 24, 26, 27]. Table 3 shows that the enhanced scheme is more secure than other related schemes. In the performance comparison, define pm, m, inv, s, F, e and h be the time for performing an elliptic curve point multiplication, a modular multiplication, a modular inversion, a symmetric encryption/decryption, a pseudo-random function, a modular exponentiation and a one-way hash function. From Table 4 we can see that the overall computational cost for the enhanced scheme is less computationally costly than those of schemes [13, 24, 26, 27].

Table 3

Functionality comparison

	Ours	Arshad et al. [27]	Tan et al. [26]	Awasthi et al. [24]	Wen et al. [13]
User anonymity	Yes	Yes	Yes	No	Yes
Mutual authentication	Yes	Yes	Yes	Yes	Yes
The session key perfect forward secrecy	Yes	Yes	-	-	Yes
Insider attack	Yes	Yes	Yes	Yes	Yes
Impersonation attack	Yes	No	Yes	-	-
Off-line password guessing attack	Yes	No	Yes	Yes	Yes
Replay attack	Yes	Yes	No	Yes	Yes
Modification attack	Yes	Yes	Yes	-	-

Table 4

Performance comparison

	Ours	Arshad et al. [27]	Tan et al. [26]	Awasthi et al. [24]	Wen et al. [13]
Registration	3T h	4T h	3T h	3T h	3T h
Login and authentication	4T pm+11T h	4T pm+15T h+2T m+	6T pm+11T h	6T pm+9T h	1T m+4T s+8T e+
		+1T inv			+1T F+5T h
Password change	3T h	4T h	4T h	4T h	4T h

Conclusion

We have discussed the security of Arshad et al.’s scheme and discovered that their scheme was vulnerable to off-line password guessing attack which leads to an adversary could impersonate as a legal user to access any services provided by telecare server. We employ hash function, ECC nonce and biometric based authenticated key exchange scheme as the primitives to improve the security and efficiency of Arshad et al.’s scheme. The enhanced scheme not only satisfies many security features but also has the lowest computational cost among other related schemes.