Improvement of an Anonymous and Lightweight Authentication Scheme for TMIS

DOI: 10.4236/jamp.2018.61003   PDF   HTML   XML   481 Downloads   839 Views   Citations

Abstract

Telecare Medicine Information Systems (TMIS) provides flexible and convenient healthcare for patients. However, the medical data transmitted between patients and doctors are exposed to unsecure public networks. To protect the patient’s personal information, many authentication schemes are designed. Recently, Kang et al. proposed a hash based authentication schemes for TMIS and claimed that it could resist various attacks. However, we find that their proposed scheme is unsecure to traceability attack and user impersonation attack. In order to enhance the security and preserve the efficiency of Kang et al.’s, we proposed a new anonymous and lightweight scheme. The analysis demonstrates that our proposed scheme is superior to Kang et al.’s and the related schemes in security.

Share and Cite:

Chen, C. , Xiang, B. , Ke, E. , Wu, T. and Lin, J. (2018) Improvement of an Anonymous and Lightweight Authentication Scheme for TMIS. Journal of Applied Mathematics and Physics, 6, 18-28. doi: 10.4236/jamp.2018.61003.

1. Introduction

Advances in computer networks and communications boost the development of telecare medicine information systems (TMIS), through which patients can use flexible and convenient healthcare. A typical medical application scenario of TMIS is shown as Figure 1. Patients submit their healthcare data to a telecare server via wired or wireless medical devices in their home. When the doctors receive the patient’s medical reports, they perform the diagnosis at their clinical center, and then provide the clinical decisions and treatments to the patients via the internet.

Figure 1. A typical medical application scenario of TMIS.

However, since the healthcare data transmitted through the public channel usually contains the secret information of the patients, it is essential to use authentication mechanism in the TMIS scenario. Recently, many authentication schemes for TMIS [1]-[6] have been designed to protect patient’s personal information. In 2017, Kang et al. proposed a user authentication scheme for TMIS [1], which has simple computing cost due to the only usage of hash function. They claimed that the proposed scheme could resist various attacks. Unfortunately, we find that their scheme still suffers from traceability attack and user impersonation attack. To enhance the security and preserve the efficiency of Kang et al.’s scheme, we proposed a new anonymous and lightweight scheme.

2. Review of Kang et al.’s Scheme

This section presents Kang et al.’s scheme for TMIS [1]. Their scheme consists of four phases: 1) Registration Phase, 2) Login Phase, 3) Authentication Phase and 4) Password Change Phase. For convenience, some notations used in this paper are described as follows:

u U i : Patient or user

u I D i : The identity of the ith user

u P W i : The password of the ith user

u X s : The secret number of the TMIS server

u E K ( ) : A symmetric encryption function with key K

u D K ( ) : A symmetric decryption function with key K

u h ( ) : A one-way hash function

u : Exclusive-or operation

u : Concatenation operation

2.1. Registration Phase

To access the facilities or services provided by the TMIS server, the user must register in the server first by the following steps.

Step 1. The user U i chooses the identity and password I D i , P W i and generates a random integer b. Then, he computes R P W i = h ( P W i b ) and sends the registration message { I D i , R P W i } to the TMIS server via a secure channel.

Step 2. On receiving the registration message, the server generates a random integer N s and then computes α i = h ( X s N s ) , β i = h ( α i ) , T P W i = h ( R P W i I D i ) α i , A i = α i β i . Next, the TMIS server issues a smart card and stores the data { T P W i , h ( ) , A i , N s } and sends the card to the user U i .

Step 3. When the user U i receives the card from the server, he stores b into the card. Finally, the smart card contains { T P W i , h ( ) , A i , N s , b } .

2.2. Login Phase

When a registered user U i desires to login in the TMIS, he must perform the following steps to construct a login request message.

Step 1. The user U i inserts his smart card and enters the identity I D i ' and the password P W i ' , which are chose by himself in the registration phase. Then, the smart card computes α i ' = T P W i h ( h ( P W i ' b ) I D i ' ) , β i ' = h ( α i ' ) , A i ' = α i ' β i ' and checks whether A i ' equals to A i or not. If true, the smart card believes the user is the owner and continues to execute Step 2. Otherwise, it terminates the login request.

Step 2. The smart card generates a random integer N u and the current timestamp T 1 , and then computes L 1 = T P W i h ( β i ' N u ) , L 2 = T P W i β i ' , L 3 = h ( L 2 N u β i ' T 1 ) . After that, it sends the login request message { T P W i , L 1 , L 3 , N u , N s , T 1 } to the TMIS server via a public channel.

2.3. Authentication Phase

After receiving the login request message from the user, the TMIS server performs the following steps to achieve mutual authentication and establish a shared session key.

Step 1. The TMIS server retrieves the current timestamp T 1 ' and verifies the freshness of U i ’s timestamp T 1 .

Step 2. The server then continues to compute α i = h ( X s N s ) , β i = h ( α i ) , L 2 ' = T P W i β i , L 3 ' = h ( L 2 ' N u β i T 1 ) and checks whether L 3 ' equals to L 3 . If the two values equal, then the user is authenticated and the authentication process continues.

Step 3. The server generates a random integer N a and the current timestamp T 2 , and computes S K = h ( T P W i L 2 ' N u N a β i ) , C i = h ( S K T 2 ) . After that, it sends the authentication message { N a , T 2 , C i } to user U i via a public channel.

Step 4. On receiving the authentication message form the server, the user U i retrieves the current timestamp T 2 ' and verifies the freshness of server’s timestamp T 2 .

Step 5. The user computes the key S K ' = h ( T P W i L 2 N u N a β i ' ) , C i ' = h ( S K ' T 2 ) and checks whether C i ' is equal to C i . If true, the server is authenticated. Otherwise, the authentication process is terminated.

Step 6. The user then generates the current timestamp T 3 and continues to compute D i = h ( S K ' β i ' T 3 N u N a ) . After that, he sends the response message { D i , T 3 } to the server via a public channel.

Step 7. When the server receives the response message, it retrieves the current timestamp T 3 ' and verifies the freshness of T 3 . Then it computes D i ' = h ( S K β i T 3 N u N a ) and checks whether D i ' equals to D i . If true, the server believes that they have established the session key SK.

Finally, the user and the TMIS server can use the shard session key to encrypt the information transmitted through the public channel without worrying about the privacy disclosure.

2.4. Password Change Phase

This phase is needed when a user desires to change his password. For this, the user has to perform the following steps.

Step 1. The user U i inserts his smart card and then he enters the identity I D i ' and the password P W i ' to pass the smart card verification. The smart card will compute α i ' = T P W i h ( h ( P W i ' b ) I D i ' ) , β i ' = h ( α i ' ) , A i ' = α i ' β i ' and checks whether A i ' equals to A i or not. If true, the smart card believes the user is the owner and continues to execute Step 2. Otherwise, it terminates the password change request.

Step 2. The user inputs the new password P W i n e w and the smart card computes T P W i n e w = T P W i h ( h ( P W i ' b ) I D i ' ) h ( h ( P W i n e w b ) I D i ' ) .

Step 3. The smart card replaces T P W i with the new value T P W i n e w in its memory.

3. Cryptanalysis of Kang et al.’s Scheme

In this section, we describe our findings that the scheme of Kang et al. is vulnerable to traceability attack and user impersonation attack. Before that, an attacker model [7] [8] is defined as follows.

3.1. Attacker Model

1) The adversary has full control of the public channel, but not the secure channel. That means the adversary can obtain all the transmitted data in the login and authentication phase.

2) The adversary can alter, delete or replay the data that he captured form the public channel.

3) The adversary has the ability to read or extract the secret data from the smart card issued to the user.

4) The adversary can guess either the user’s identity or the password, but not both at a time.

5) The adversary knows the authentication scheme since he can be an outsider user or a legal user.

3.2. Suffer from Traceability Attack

The main mechanism of the traceability attack is that the adversary can trace the user (patient) with the messages captured from the public channel. This happens when there exist invariant parameters in the login or response message. Unfortunately, in the of Kang et al.’s scheme, we find that the login messages contain T P W i , which are equal in all sessions. Through it, the adversary can trace the user.

3.3. Suffer from User Impersonation Attack

The main mechanism of the user impersonation attack is that the adversary can impersonate the user (patient) to construct the login and response message sent to the TMIS server and establish a session key with it without being found malicious. We assume that the adversary obtains the user’s login message { T P W i , L 1 , L 3 , N u , N s , T 1 } transmitted in the public channel, the he can perform the user impersonation attack by the following steps.

Step 1. The adversary registers himself in the TMIS server with the registration message { I D e , R P W e = h ( t ) } , where t is a simple integer. And obtains a smart card contains the data { T P W e , h ( ) , A e , N e , b } . Then, he use the return parameters to compute the legal values α e = h ( X s N e ) = T P W e h ( R P W e I D e ) and β e = h ( α e ) .

Step 2. The adversary generates a random integer N u and the current timestamp T 1 , and then he constructs the required login parameters L 1 = T P W i h ( β e N u ) , L 2 = T P W i β e , L 3 = h ( L 2 N u β e T 1 ) , where T P W i is obtained from the user’s old login request message. After that, it sends the login request message { T P W i , L 1 , L 3 , N u , N e , T 1 } to the TMIS server via a public channel, where N e is obtained from the adversary’s smart card.

Step 3. On receiving the login request message, the TMIS server first checks T 1 and L 3 ' by computing α e = h ( X s N e ) , β e = h ( α e ) , L 2 ' = T P W i β e , L 3 ' = h ( L 2 ' N u β e T 1 ) . These will pass the verification and the server will take the adversary as the real user who has the parameter T P W i in his smart card since there is no table to record the corresponding relations between T P W i and the generated random integer N s in the registration phase.

Step 4. The server then generates a random integer N a and the current timestamp T 2 , and computes S K = h ( T P W i L 2 ' N e N a β e ) , C i = h ( S K T 2 ) . After that, it sends the authentication message { N a , T 2 , C i } to the adversary, who he thinks is the real user.

Step 5. When receives the authentication message from the server, the adversary computes S K ' = h ( T P W i L 2 N e N a β e ) . And then generates the current timestamp T 3 and computes D i = h ( S K ' β e T 3 N u N a ) , and sends the response message { D i , T 3 } to the server via a public channel.

Step 6. When the server receives the response message, the server verifies the freshness of T 3 and checks the validity of D i ' = h ( S K β i T 3 N u N a ) by comparing the values of D i ' and D i . There is no doubt that it will pass the verification.

Finally, the adversary and the TMIS server establish a shared session key S K , with which the adversary can make requests for the private information such as medical records of the user (patient) without being detected.

4. The Proposed Scheme

In previous sections, we show that Kang et al.’s scheme fails to achieve the claimed goals since the user can be tracked through a constant quantity during the authentication process in the TMIS. To erase the mentioned security weaknesses, we present a new anonymous and lightweight authentication scheme for TMIS. The proposed scheme also consists of four phase: 1) Registration Phase, 2) Login Phase, 3) Authentication Phase and 4) Password Change Phase.

4.1. Registration Phase

When a user desires to use the facilities or services provided by the TMIS server, he must become the legal user first. For this, he needs to perform the following steps to register in the TMIS server.

Step 1. The user U i chooses the identity and password I D i , P W i and generates a random integer b. Then, he computes R P W i = h ( P W i b ) and sends the registration message { I D i , R P W i } to the TMIS server via a secure channel.

Step 2. When the server receives the registration message, he generates a random integer N i and computes P I D i = E X s ( I D i N i ) , A i = h ( I D i R P W i ) , B i = h ( I D i X s ) h ( I D i ) R P W i . Then, he issues a smart card and stores the data { P I D i , A i , B i , h ( ) } into it. After that, he sends the card to the user U i via a secure channel.

Step 3. On receiving the smart card from the server, the user U i stores b into the card. Finally, the smart card contains { P I D i , A i , B i , b , h ( ) } .

4.2. Login Phase

A registered user U i can construct a login request message to login in the TMIS by the following steps.

Step 1. The user U i inserts his smart card and enters the identity I D i ' and the password P W i ' . Then, the smart card computes R P W i ' = h ( P W i ' b ) , A i ' = h ( I D i ' R P W i ' ) and checks whether A i ' equals to A i or not. If true, the smart card believes the user is the owner and continues. Otherwise, it terminates the login request.

Step 2. The smart card generates a random integer r u and the current timestamp T 1 , and then computes C i = B i h ( I D i ' ) R P W i ' , D i = C i r u , E i = h ( I D i ' D i C i T 1 ) . After that, he sends the login request message { P I D i , D i , E i , T 1 } to the TMIS server via a public channel.

4.3. Authentication Phase

After receiving the login request message from the user, the TMIS server performs the following steps to build up a shared session key with the user.

Step 1. The TMIS server retrieves the current timestamp T 1 ' and verifies the freshness of U i ’s timestamp T 1 .

Step 2. The TMIS server then obtains ( I D i N i ) = D X s ( P I D i ) and computes C i ' = h ( I D i X s ) , E i ' = h ( I D i D i C i ' T 1 ) , and checks whether E i ' is equal to E i or not. If true, the user is authenticated and the authentication process continued. Otherwise, the server aborts the authentication process.

Step 3. The server generates two random integers N i n e w , r s and the current timestamp T 2 , and then continues to compute P I D i n e w = E X s ( I D i N i n e w ) , r u ' = D i C i ' , F i = C i ' r s , S K = h ( I D i r u ' r s C i ' ) , H i = h ( I D i F i C i ' S K T 2 ) . After that, he sends the authentication message { P I D i n e w , F i , H i , T 2 } to the user U i via a public channel.

Step 4. On receiving the authentication message form the server, the user U i retrieves the current timestamp T 2 ' and verifies the freshness of server’s timestamp T 2 .

Step 5. The user then continues to compute r s ' = F i C i , S K ' = h ( I D i ' r u r s ' C i ) , H i ' = h ( I D i ' F i C i S K ' T 2 ) and checks whether H i ' , H i are equal or not. If true, the server is authenticated and P I D i n e w is used to replace P I D i in the smart card’s memory. Otherwise, the authentication process is terminated.

Step 6. The user generates the current timestamp T 3 and computes M i = h ( S K ' C i T 3 ) , and sends the response message { M i , T 3 } to the server via a public channel.

Step 7. When the server receives the response message, it retrieves the current timestamp T 3 ' and verifies the freshness of T 3 . Then it computes M i ' = h ( S K C i ' T 3 ) and checks whether M i ' equals to M i . If the two values equal, the server believes that they have established the session key SK.

4.4. Password Change Phase

When a user desires to change his password, he can perform the following steps without any assistance from the TMIS server.

Step 1. The user U i inserts his smart card and enters the identity I D i ' and the password P W i ' . Then, the smart card computes R P W i ' = h ( P W i ' b ) , A i ' = h ( I D i ' R P W i ' ) and checks whether A i ' equals to A i or not. If true, the smart card believes the user is the owner and continues. Otherwise, it terminates the password change request.

Step 2. The user then inputs the new password P W i n e w and the smart card computes A i n e w = h ( I D i ' h ( P W i n e w b ) ) , B i n e w = B i R P W i ' h ( P W i n e w b ) .

Step 3. The smart card replaces A i , B i with A i n e w , B i n e w in its memory.

5. Security Analysis

Various authentication schemes have been demonstrated insecure [9] [10] [11] [12]. Thus, in this section we discuss the security features of the proposed scheme under the adversary model mentioned in the Section 3.

5.1. User Anonymity

Anonymity is a mechanism that there is no adversary having the capacity to compromise the user’s (patient’s) real identity. In the proposed scheme, the user’s identity is masked in parameters P I D i = E X s ( I D i N i ) , E i = h ( I D i ' D i C i T 1 ) , P I D i n e w = E X s ( I D i N i n e w ) and H i = h ( I D i F i C i ' S K T 2 ) . With the protection of the one-way hash function, the adversary has no way to retrieve the user’s identity.

5.2. Mutual Authentication

In the proposed scheme, the user (patient) and the TMIS server achieve mutual authentication with the assistance of E i = h ( I D i ' D i C i T 1 ) and H i = h ( I D i F i C i ' S K T 2 ) . That means, the user is authenticated by the server according to the value E i since no one knows all the values needed to construct E i besides the real user. Also, only the TMIS server can construct H i for verification.

5.3. Session Key Security

In the proposed scheme, only the user (patient) and TMIS server can compute the shared session key S K = h ( I D i r u ' r s C i ' ) = h ( I D i ' r u r s ' C i ) since all the values required to calculated the key is only known to the user and TMIS. With knowing the parameters transmitted in the authentication process, the adversary cannot construct the key.

5.4. Traceability Attack

In different sessions of the proposed scheme, the parameters in the user’s (patient’s) login request message { P I D i , D i , E i , T 1 } and response message { M i , T 3 } are changeable. Thus, with the transmitted messages captured from different, the adversary cannot trace the user. Our proposed scheme resists traceability attack.

5.5. Replay Attack

When the adversary eavesdrops the whole transmitted message between the user (patient) and the TMIS server and replay it later, it will be immediately detected as the timestamp is outdate in the parameters E i = h ( I D i ' D i C i T 1 ) and H i = h ( I D i F i C i ' S K T 2 ) . Then the adversary may try to reconstruct the two parameters. However, with the protection of the parameters I D i ( I D i ' ) and C i ( C i ' ), the adversary cannot realize it. Thus, our proposed scheme resists replay attack.

5.6. Offline Password Guessing Attack

In the proposed scheme, the adversary can only guess the user’s (patient’s) password through A i = h ( I D i R P W i ) or B i = h ( I D i X s ) h ( I D i ) R P W i in the smart card. However, without the knowledge of the user’s real identity I D i , the adversary cannot compute the values required.

5.7. Impersonation Attack

When the adversary desires to impersonate the user (patient), he needs to construct the login request message first. However, the adversary is no way to know the user’s identity I D i and C i , which are required to construct the parameter E i = h ( I D i ' D i C i T 1 ) in the login request message. Thus, he cannot impersonate the user. On the other hand, without knowing the server’s secret key X s , the adversary cannot decrypt P I D i and computes the parameter C i ' = h ( I D i X s ) and H i = h ( I D i F i C i ' S K T 2 ) . Thus, he cannot impersonate the server. Our proposed scheme resists impersonation attack.

5.8. Stolen Verifier Attack

The stolen verifier attack means that the adversary gets some precious information that is stored in the server’s end. This happens especially when the server maintains the database of the user’s information like password. In the proposed scheme, the TMIS server does not keep any storage database, which is an essential requirement to launch this attack. Thus, our proposed scheme resists stolen verifier attack.

6. Performance Analysis

In this section, we compare the communication cost and compare the security features with the related schemes [1]-[6]. We only compare the time cost in the login and authentication phase of the proposed scheme and Kang et al.’s since the two phases are performed frequently. During the login and authentication phase of our proposed scheme, hash function is used 12 times. However, Kang et al.’s uses 14 times. Next, we compare the security features with Kang et al.’s and the other related schemes. From the Table 1, we can see that our proposed

Table 1. Comparison of security features. (O: Satisfy X: Not Satisfy).

F1. Insider Attack; F2. User Anonymity; F3. Traceability Attack; F4. Offline Password Guessing Attack; F5. User Impersonation Attack; F6. Replay Attack; F7. No Verification Table; F8. Session Key Agreement; F9. Detect Wrong Password Quickly; F10. Mutual Authentication.

scheme performs better in terms of providing security features.

7. Conclusion

In this paper, we analyze Kang et al.’s scheme which was designed for TMIS using hash function and claimed to resist various attacks. However, we still find that the scheme is susceptible to traceability attack and user impersonation attack. In order to erase the secure drawbacks we found, we present a new anonymous and lightweight scheme and prove that our proposed scheme has better performance in terms of communication cost and security.

Acknowledgements

The work of Chien-Ming Chen was supported in part by the Project NSFC (National Natural Science Foundation of China) under Grant number 61402135 and in part by Shenzhen Technical Project under Grant number JCYJ20170307151750788 and in part by Shenzhen Technical Project under Grant number KQJSCX20170327161755. The work of Eric Ke Wang was supported in part by National Natural Science Foundation of China (No. 61572157), grant No. 2016A030313660 from Guangdong Province Natural Science Foundation, JCYJ20160608161351559 from Shenzhen Municipal Science and Technology Innovation Project.

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1] Kang, D., Lee, D., Cho, S., Jung, J. and Won, D. (2017) Cryptanalysis and Improvement of Robust Authentication Scheme for Telecare Medicine Information Systems. In Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication, ACM, 18.
[2] Zhu, Z. (2012) An Efficient Authentication Scheme for Telecare Medicine Information Systems. Journal of Medical Systems, 36, 3833-3838. https://doi.org/10.1007/s10916-012-9856-9
[3] Wei, J., Hu, X. and Liu, W. (2012) An Improved Authentication Scheme for Telecare Medicine Information Systems. Journal of Medical Systems, 36, 3597-3604. https://doi.org/10.1007/s10916-012-9835-1
[4] Debiao, H., Jianhua, C. and Rui, Z. (2012) A More Secure Authentication Scheme for Telecare Medicine Information Systems. Journal of Medical Systems, 36, 1989-1995. https://doi.org/10.1007/s10916-011-9658-5
[5] Wu, Z.Y., Lee, Y.C., Lai, F., Lee, H.C. and Chung, Y. (2012) A Secure Authentication Scheme for Telecare Medicine Information Systems. Journal of Medical Systems, 36, 1529-1535. https://doi.org/10.1007/s10916-010-9614-9
[6] Arya, K. and Vidwansh, A. (2015) A Robust Authentication Scheme for Telecare Medicine Information Systems. International Journal of Computer Applications, 123, No. 6. https://doi.org/10.5120/ijca2015905341
[7] Kocher, P., Jaffe, J. and Jun, B. (1999) Differential Power Analysis. In: Advances in cryptology—CRYPTO’99, Springer, Berlin, 789-789. https://doi.org/10.1007/3-540-48405-1_25
[8] Messerges, T.S., Dabbish, E.A. and Sloan, R.H. (2002) Examining Smart-Card Security under the Threat of Power Analysis Attacks. IEEE Transactions on Computers, 51, 541-552. https://doi.org/10.1109/TC.2002.1004593
[9] Chen, C.M., Li, C.T., Liu, S., Wu, T.Y. and Pan, J.S. (2017) A Provable Secure Private Data Delegation Scheme for Mountaineering Events in Emergency System. IEEE Access, 5, 3410-3422. https://doi.org/10.1109/ACCESS.2017.2675163
[10] Sun, H.M., He, B.Z., Chen, C.M., Wu, T.Y., Lin, C.H. and Wang, H. (2015) A Provable Authenticated Group Key Agreement Protocol for Mobile Environment. Information Sciences, 321, 224-237. https://doi.org/10.1016/j.ins.2015.01.037
[11] Chen, C.M., Fang, W., Wang, K.H. and Wu, T.Y. (2017) Comments on “An Improved Secure and Efficient Password and Chaos-Based Two-Party Key Agreement Protocol”. Nonlinear Dynamics, 87, 2073-2075. https://doi.org/10.1007/s11071-016-3171-9
[12] Chen, C.M., Xu, L., Wu, T.Y. and Li, C.R. (2016) On the Security of a Chaotic Maps-Based Three-Party Authenticated Key Agreement Protocol. Journal of Network Intelligence, No. 2, 61-65.

  
comments powered by Disqus

Copyright © 2020 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.