An improved authenticated key agreement protocol for telecare medicine information system.

In telecare medicine information systems (TMIS), identity authentication of patients plays an important role and has been widely studied in the research field. Generally, it is realized by an authenticated key agreement protocol, and many such protocols were proposed in the literature. Recently, Zhang et al. pointed out that Islam et al.'s protocol suffers from the following security weaknesses: (1) Any legal but malicious patient can reveal other user's identity; (2) An attacker can launch off-line password guessing attack and the impersonation attack if the patient's identity is compromised. Zhang et al. also proposed an improved authenticated key agreement scheme with privacy protection for TMIS. However, in this paper, we point out that Zhang et al.'s scheme cannot resist off-line password guessing attack, and it fails to provide the revocation of lost/stolen smartcard. In order to overcome these weaknesses, we propose an improved protocol, the security and authentication of which can be proven using applied pi calculus based formal verification tool ProVerif.

Background

In Internet environment, especially in the C/S model, it is crucial to authenticate both the user and the server when the user needs to access services provided by the server (Khan et al. 2014). The telecare medicine information system (TMIS) has attracted great attention of researchers to establish a convenient communication over the Internet between <span class="Species">patients at home and doctors at a clinical center or home health-care agency (Kaul and Awasthi 2013; Wen 2013). A doctor can easily get access to his patient’s medical history from TMIS, and diagnose quickly without repeating physical examination. Besides, TMIS can save the patients’ expenses and time (Xie et al. 2014). However, it is a great challenge to preserve the security and privacy of patient’s information transmitted over the Internet (Xie et al. 2013; Siddiqui et al. 2014).

Related works

Wu et al. (2010) proposed the first two-factor authentication scheme for TMIS service. Since then, a lot of two-factor authentication protocols have been proposed (He et al. 2012; Wei et al. 2012; Zhu 2012; Muhaya 2015). He et al. (2012) showed that Wu et al.’s protocol could not resist insider attack and impersonation attack. And they gave an improved protocol using smartcard. However, Wei et al. (2012) showed that He et al.’s protocol failed to resist off-line password guessing attack, and they also proposed an improved scheme, but Wei et al.’s scheme has the same security defects. In order to fix the above drawbacks, Zhu (2012) proposed an improved scheme. Unfortunately, Zhu et al.’s scheme has been proven insecure by Muhaya (2015). Wu et al. (2012) proposed a password-based user authentication scheme for the integrated EPR information system. Later, Islam and Biswas (2014) found that Wu et al.’s (2012) scheme cannot resist privileged-insider attack, off-line password guessing attack and ephemeral secret leakage attack.

It’s an interesting topic to improve security and computation efficiency of the authentication schemes. Pu et al. (2010) designed an anonymous authentication scheme for TMIS service using the elliptic curve cryptography (ECC). Chen et al. (2012) proposed a dynamic-identity based authentication scheme for <span class="Chemical">TMIS. However, Jiang et al. (2013) showed Chen et al.’s scheme (Chen et al. 2012) cannot withstand impersonation attack, off-line password guessing attack and denial-of-service attack. Recently, Xu et al. (2014) proposed a two-factor authentication key agreement protocol using ECC. Unfortunately, Islam and Khan (2014) showed that Xu et al.’s scheme (Xu et al. 2014) can neither withstand replay attack, nor provide the revocation of lost/lost smart or achieve strong authentication in login and authentication phases. In order to overcome the above defects, they proposed a new anonymous two-factor authentication protocol for TMIS. Recently, Zhang and Zhou (2015) pointed out that Islam et al.’s protocol has many security defects such as: (1) Any legal but malicious patient can reveal other user’s identity; (2) An attacker can launch off-line password guessing attack and the impersonation attack if he knows legal user’s identity. Zhang et al. then proposed a new ECC-based authenticated key agreement scheme in order to fix the above security problems. In 2015, Chaudhry et al. (2015) also showed that Islam et al.’s protocol (Islam and Khan 2014) suffers from user impersonation attacks and server impersonation attacks. And then they proposed an improved two-factor authentication protocol for TMIS. In fact, Chaudhry et al.’s scheme is insecure under lost/stolen smartcard disguised attack and off-line password guessing attack, for that an insider adversary can extract information (r, h()) from the memory of the user’s smart card. As we generally use passwords which are low-entropy keys, the following attack is feasible in practice: suppose that is the guessed password and l is the user’s identity, an insider adversary (e.g. a malicious server) can compute ; if , then the adversary successfully found the correct password PW.

As biometric keys can maintain uniqueness property, they can neither be forged nor guessed easily. Therefore, biometric keys have been widely adpoted in authentication protocols. In 2010, Li and Hwang (2010) proposed a biometric based remote user authentication scheme using user’s biometric key to identify the correct user. Li et al. (2011) showed that Li and Hwang’s scheme is vulnerable to <span class="Species">man-in-the-middle attack, and they proposed an improved biometrics-based remote user authentication scheme. However, Truong et al. (2012) pointed that Li et al.’s scheme cannot resist stolen verifier attack, reply attack and man-in-the-middle attack, and they proposed an improved remote user authentication scheme. However, the login and password change phase of their scheme is not efficient for practice. Later, Awasthi and Srivastava (2013) proposed a new robust biometrics-based remote user authentication scheme using smart cards in order to avoid the time-consuming exponential operations. Unfortunately, Dheerendra et al. (2014) demonstrated that Awasthi et al.’s scheme fails to resist online and off-line password guessing attack, and they proposed an improved biometrics-based authentication scheme for TMIS. In 2014, He and Wang (2014) proposed a robust multi-server authentication scheme using biometrics-based smart card. But Vanga et al. (2015) pointed that He and Wang’s scheme is vulnerable to a known session-specific temporary information attack and impersonation attack. And they proposed a secure biometrics-based multi-server authentication protocol using biometrics-based smart card, and provided simulation results of their scheme for the formal security verification using Automated Validation of Internet Security Protocols and Applications (AVISPA) tool (AVISPA; Lv et al. 2013).

Our contributions

In this paper, we show that Zhang et al.’s protocol (Zhang and Zhou 2015) is vulnerable to lost/stolen smartcard disguised attack and off-line password guessing attack. And then we propose an improved protocol using biometric keys (fingerprint, face and palm-print, etc.) to resolve the security problems. Furthermore, we provide the simulation results of our scheme for the formal security verification, using applied pi calculus based formal verification tool ProVerif. Our protocol overcomes the weaknesses of Islam et al.’s scheme and Zhang et al.’s scheme, and has the similar efficiency in comparison with their schemes.

The rest of paper is organized as follows: we first review Zhang et al.’s protocol in second section, and show the security weaknesses of Zhang et al.’s protocol in third section. Then, we propose an improved authentication protocol for TMIS is in fourth section. The security analysis of the improved scheme is given in fifth section. We prove the session key secrecy and authentication property using pi calculus based ProVerif in sixth section. In seventh section, we compare security and computation cost between our scheme and other related schemes. We conclude the paper in eighth section.

Review of Zhang et al.’s scheme

In this section, we review Zhang et al.’s scheme. There are two participants in Zhang et al.’s protocol, <span class="Species">patient U and telecare server S. Table 1 shows the notations used in this paper.

Table 1

The notations

Notations	Description
U	Patient in TMIS
S	Telecare server in TMIS
ID	Patient U’s identity
PW	Patient U’s password
s	Telecare server’s secret key
Q s	Telecare server’s public key, where Q s = sP
E k/D k	Symmetric encryption/decryption algorithm with key k
H(·)	Secure one-way collision-resistant hash function
||	String concatenation operation
⊕	Exclusive OR operation

Initialization phase

S selects an elliptic curve E(a, b) over a prime finite field F and a base point P over E(a, b). Followed that, S chooses a random number as his secret value, and computes Q = sP, and selects a one-way hash function , and publishes {E(a, b), P, H(·), Q} and keeps s as a secret value.

Registration phase

U selects his identity ID, its password PW and a random number r, and computes l = H(r||PW) and sends (ID, l) to S via a secure way.

Upon receiving (ID, l), S verifies user’s legitimacy in his database. If ID is a new patient, S sets N = 0, otherwise, U is re-registering to the system, S sets N = N + 1, and stores (ID, N, T) into its database, where T is the current registration time.

S computes σ = H(s ⊕ ID), v = σ ⊕ l, μ = H(ID ⊕ l) and stores {v, μ, P, H(·), N, E(a, b)} into the smart card, and sends it to U via a secure way.

On obtaining the smartcard, U stores the number r in it.

Login and authentication phase

U inserts his smart card into the terminal and inputs his identity ID and password PW. The smartcard computes l = H(r||PW), , and checks whether holds. If not, it aborts the session; otherwise, it selects a random number a and a current timestamp T1. Then, smartcard computes V = aP, I = aQ, , , and . Then, smartcard sends login information m1 = {V, G1, T1} to U via the public channel.

After receiving m1 at T2, S checks whether T2 − T1 < ∆T is valid. If it is true, S computes I = sV, , and decrypts G1 to get and , and checks if is found in the database. If not, S terminates the session; otherwise, S computes and checks whether holds. If not, this session terminates; otherwise, S selects a random number c and computes W = cP, J = cV, , , and S sends m2 = {W, G2, T2} to U via the public channel. If T2 is invalid, abort, otherwise, smartcard computes J = aW, , , and checks whether holds. If not, it aborts the session; otherwise, U authenticates S successfully.

Password updating phase

U inserts his smart card into the terminal and enter his ID and PW when he wants to update its password.

The smartcard computes , , and checks whether holds. If not, it aborts the session; otherwise, it selects a new random number and a new password , and updates corresponding value in the smart card.

The smartcard computes , , , and replaces (v, μ) with , respectively.

Lost/stolen smartcard revocation phase

When U’s smartcard is lost or stolen, it will request S for its revocation.

U chooses its new password and new random number , and computes , and submits to S over a secure channel.

S firstly checks the registration credentials of U. If the credential provided by U is valid, S updates N as N = N + 1 for the tuple (ID, N, T1) to revoke the smartcard.

S computes , , , and stores into the smart card, and sends it to U via a secure way.

On obtaining the smartcard, U stores the random number in it. Finally, the smartcard stores .

Weaknesses of Zhang et al.’s scheme

Through careful analysis, we find that Zhang et al.’s protocol is vulnerable to off-line password guessing attack and lost/stolen smartcard disguised attack. The detailed analyses are described as follows.

Off-line password guessing attack

If an insider adversary in <span class="Chemical">TMIS can extract information (r, μ) from the memory of the user’s smart card (Zhang and Zhou 2015). Generally speaking, password is not high-entropy keys (Abadi and Fournet 2001). Therefore, the following attack is feasible in practice. Suppose that is the guessed password, and an insider adversary (e.g. the user’s colleague or malicious server) may know the user’s identity easily.

The insider adversary in <span class="Chemical">TMIS who knows ID can compute , , and checks whether holds. If it is true, the insider adversary has guessed the correct password. Otherwise, it repeatedly guesses a new password until he succeeds.

Failure to provide the revocation of lost/stolen smartcard

Though the Zhang et al.’s scheme has lost/stolen smartcard revocation phase, an insider adversary can still use the lost/stolen smartcard to pass through the authentication process. The reason is that and ID in the new smart card are the same as that of the lost/stolen smartcard, and N = N + 1, according to off-line password guessing attack, the <span class="Disease">adversary can easily get PW and compute the correct authentication request message m1 = {V, G, T1}, which can pass the authentication of the server.

The improved scheme

In our improved scheme, are the same as that of Zhang et al.’s scheme.

Registration phases

When a user U wants to become a legal user, he should register to S as follows.

U selects his identity ID, password PW and a random number r, and computes , and sends (ID, l) to S via a secure way.

Upon receiving (ID, l), S verifies user’s legitimacy in his database. If ID is a new patient, S sets N = 0, otherwise, U is re-registering to the system, S sets N = N + 1, and stores the tuple (ID, N, N) to its database, where N is the identity of the smart card.

S computes , and stores into the smart card, and sends it to U via a secure way.

On obtaining the smartcard, U scans and enters his personal biometrics Bio. It is worth mentioning that no one can get Bio except U and the biometrics scanner can be combined in the smart card reader. U computes , , U stores in the smart card.

Login and authentication phases

In this phase, the user U and the server S can be authenticated each other and establish the session key sk, which showed in Algorithm 1.

U inserts his smart card into the terminal and inputs his identity ID, password PW and Bio. The smartcard computes , , and checks whether holds. If not, it aborts the session; otherwise, it selects two random numbers a and N1. Then, smartcard computes V = aP, I = aQ, , , and . Then, smartcard sends login information m1 = {V, G1, N1} to S via the public channel.

After receiving m1, S checks whether N1 is a fresh nonce or not. If it is true, S computes I = sV, , and decrypts G1 to get , N, and N1, and checks whether or not is found in the database. If not, S terminates the session; otherwise, S computes , , and checks whether holds. If is not true, S terminates the session; otherwise, it selects two random numbers c and N2 for computing W = cP, J = cV, , and S sends m2 = {W, G2, N2} to U via the public channel. If N2 is not a fresh nonce number, abort, otherwise, smartcard computes J = aW, , and decrypts G2 to get Q and N2, and checks whether or not holds. If not, smartcard terminates the session; otherwise, U authenticates S successfully, and computes .

Algorithm 1 Login and authentication phases

Password updating phases

U inserts his smart card into the terminal and enter his ID and PW when he wants to update its password.

The smartcard computes , , and checks whether holds. If not, it aborts the session; otherwise, it selects a new random number and a new password , and updates corresponding value in the smart card.

The smartcard computes , and replaces (μ, θ) with .

Lost/stolen smartcard revocation phases

When U’s smartcard is lost or stolen, it will request S for its revocation.

U chooses its new password and new random number , and computes , , and submits to S over a secure channel.

S checks the registration credentials of U. If the credential provided by U is valid, S updates N as N = N + 1 for the tuple (ID, N, N) to revoke the smartcard, and deletes N from his database and selects a new smartcard number N for U, and returns the tuple (ID, N, N) to his database.

S computes , , , and stores into the smart card, and sends it to U via a secure way.

On obtaining the smartcard, U stores in it. Finally, the smartcard stores .

Security analysis

In this section, we analyze the security of the improved protocol. The following attacks assume that a malicious adversary can eavesdrop, modify, insert, or delete any messages <span class="Gene">transmitted via public channel.

The improved protocol can achieve mutual authentication

As V = aP, I = aQ, , and , only the legal user U can get the secret value (I, N1) to generate a <span class="Disease">legal G1. S decrypts G1 and checks whether holds. If it is true, S can authenticate U, otherwise, U cannot be authenticated by S. On the other hand, U can authenticate S by verifying whether hold. As a result, our protocol achieves the mutual authentication.

Malicious insider impersonation attack

Login phase: If a malicious user U wants to impersonate U, he must forge a valid login message where , , , and , however, U can not get I, such that it has to forge an invalid one. When S receives the login request message from U, it will decrypt and compute , but the equation does not hold, therefore, S will reject the login request. Thus, our scheme can resist insider impersonation attack.

If a malicious attacker has stolen user’s smart card, then he can extract the information {θ, μ, β, P, H(·), N, Q, E(a, b)} from the smart card, where , , . Since r is protected by Bio and PW is protected by a one-way hash function, the attacker cannot know both of the real identity ID and the correct password PW. It is impossible to guess these two parameters correctly in polynomial time. Therefore, our protocol is secure against the off-line password guessing attack.

Strong replay attack

If a malicious attacker wants to replay a previously transmitted message of the sender or the receiver, the attack will fail since U and S choose different random numbers (N1, N2) in each session. During the authentication phase, after S response the next login message using a valid nonce N1, the attacker can neither verify its validness nor obtain the session key assuming the intractability of Diffie–Hell<span class="Species">man problem.

Lost/stolen smartcard attack

When the attacker attempts to insert the lost smart card into the device, it can’t pass the authentication of the server, since the stolen card’s N is updated in the database of S.

Perfect forward secrecy

In our protocol, the session key is , where I = aQ = asP, J = cV = caP. Since a and c are random numbers chosen by U and S, their values are changed in each session run. Therefore, our protocol can provide perfect forward secrecy.

Formal verification

Some formal verification tools are used to prove the security of cryptographic protocols, such as BAN logic, AVISPA and ProVerif (Abadi et al. 2009). In this section, we prove the session key secrecy and authentication using formal verification tool ProVerif, which is based on applied pi calculus (Ab<span class="Disease">adi and Fournet 2001). The reason is that ProVerif is performed automatically, and the errors can be detected easily, while the formal security proof is artificial structured, and the errors may not easy to be found.

The ProVerif code for the definition of functions, reduction, equation, free names and constants is as follows.

We perform the above process in the latest version 1.88 of ProVerif. The performance results as shown in the Fig. 1. The experimental results show that our scheme is security.

Fig. 1

The performance result

Security and computation cost comparisons

The security comparison between our scheme and other recently proposed related schemes are given in Table 2.

Table 2

Security comparison between our scheme and other schemes

Security attributes/schemes	Li and Hwang (2010)	Li et al. (2011)	Truong et al. (2012)	Awasthi and Srivastava (2013)	Dheerendra et al. (2014)	He and Wang (2014)	Vanga et al. (2015)	Ours
Provide user anonymity	N	N	Y	Y	N	N	Y	Y
Insider attack	N	Y	Y	Y	N	Y	Y	Y
Stolen smart card attack	Y	Y	Y	Y	N	Y	Y	Y
Replay attack	Y	Y	Y	Y	Y	N	Y	Y
Off-line password guessing attack	Y	Y	Y	N	Y	Y	Y	Y
Mutual authentication	N	Y	Y	N	Y	Y	Y	Y
Known session-specific temporary information attack	N	N	N	N	N	N	Y	Y
Perfect forward secrecy	N	N	N	N	N	Y	Y	Y
Impersonation attack	N	N	N	N	N	N	Y	Y
Provide lost smartcard revocation	N	N	N	N	N	N	Y	Y
Server spoofing attack	N	N	N	N	N	Y	Y	Y
Efficient login phase	N	N	N	Y	Y	Y	Y	Y
Efficient password change phase	N	N	N	N	Y	Y	Y	Y
Biometric update phase	N	N	N	N	N	Y	Y	Y

Let T be the time complexity of point multiplication in a group, T be the time complexity of point addition in a group, T be a symmetric key encryption/decryption operation and T be a one-way hash operation. Table 3 illustrates the average running times of some commonly used operations estimated by Kilinc and Yanik (2014), and shows that point multiplication in a group is slower than point <span class="Disease">addition, hash function and symmetric encryption/decryption operation.

Table 3

The running time of different operations

Operations	Point multiplication	Point addition	Hash function	Symmetric encryption/decryption
Time (ms)	2.226	0.0288	0.0023	0.0046

Since Islam et al.’s scheme (Islam and Khan 2014) and Zhang et al.’s scheme (Zhang and Zhou 2015) are more efficient than other schemes. Therefore, in this section, we only present the computation comparison between our scheme and Islam et al.’s and Zhang et al.’s schemes, and very recently proposed related schemes, which showed in Table 4. From Table 4, we can see that our protocol is almost efficient than that of Zhang et al.’s and Islam et al.’s schemes. However, our protocol overcomes the weaknesses of Islam et al.’s and Zhang et al.’s schemes.

Table 4

Computation cost comparison in login and authentication phase

	Islam and Khan (2014)	Zhang and Zhou (2015)	Chaudhry et al. (2015)	Vanga et al. (2015)	Ours
Computational cost	6T m + 1T a + 10T h	6T m + 2T s + 11T h	7T m + 8T h	5T m + 3T s + 13T h	6T m + 4T s + 11T h
Estimated time (ms)	13.4078	13.3905	15.6004	13.4767	13.3997

If the scheme can prevent the attack or satisfy the property, the symbol ‘Y’ is used. Otherwise, the symbol ‘N’ is used.

Conclusion

In this paper, we have shown that Zhang et al.’s protocol cannot achieve some secure properties, including security against off-line password guessing attacks, and it fails to provide the revocation of lost/stolen smartcard. Technically, we adopt random numbers based authentication mechanism, inste<span class="Disease">ad of the timestamps that may cause time synchronization problem. An improved protocol is proposed in order to overcome those weaknesses. The simulation results show that when compared with existing protocols, our protocol provides the same level of efficiency and better security guarantees for TMIS applications.