Abstract
The telecare medicine information system (TMIS) helps patients obtain health monitoring at home and access medical services over the Internet of mobile networks. Recently, Amin and Biswas presented a smart-card-based user authentication and key agreement protocol for TMIS using a cryptographic one-way hash function and a biohashing function, and claimed that their scheme is secure against all possible attacks. Though their scheme is efficient due to its use of a one-way hash function, we show that it has several security pitfalls and design flaws: (1) it fails to protect against the privileged-insider attack, (2) it fails to protect against the strong replay attack, (3) it fails to protect against the strong man-in-the-middle attack, (4) it has a design flaw in the user registration phase, (5) it has a design flaw in the login phase, (6) it has a design flaw in the password change phase, (7) it lacks support for a biometric update phase, and (8) it has flaws in its formal security analysis. To withstand these security pitfalls and design flaws, we propose a secure and robust user authenticated key agreement scheme for the hierarchical multi-server environment suitable for TMIS, using a cryptographic one-way hash function and a fuzzy extractor. Through rigorous security analysis, including formal security analysis using the widely accepted Burrows-Abadi-Needham (BAN) logic, formal security analysis under the random oracle model, and informal security analysis, we show that our scheme is secure against possible known attacks. Furthermore, we simulate our scheme using the widely accepted and used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. The simulation results show that our scheme is also secure. Our scheme is more efficient in computation and communication than Amin-Biswas's scheme and other related schemes. In addition, our scheme supports extra functionality features as compared to other related schemes. As a result, our scheme is very appropriate for practical applications in TMIS.
References
Amin, R., and Biswas, G.P., A Novel User Authentication and Key Agreement Protocol for Accessing Multi-Medical Server Usable in TMIS. J. Med. Syst. 39(3):1–17, 2015.
AVISPA: Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/. Accessed on January 2013
AVISPA: AVISPA Web Tool. http://www.avispa-project.org/web-interface/expert.php/. Accessed on March 2015
Basin, D., Mödersheim, S., Viganò, L., OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.
Burnett, A., Byrne, F., Dowling, T., Duffy, A., A Biometric Identity Based Signature Scheme. Int. J. Netw. Secur. 5(3):317–326, 2007.
Burrows, M., Abadi, M., Needham, R., A logic of authentication. ACM Trans. Comput. Syst. 8(1):18–36, 1990.
Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Secur. Commun. Netw. 8(9):1752–1771, 2015.
Chatterjee, S., Das, A.K., Sing, J.K., A novel and efficient user access control scheme for wireless body area sensor networks. J. King Saud Univ.-Comput. Inf. Sci. 26(2):181–201, 2014.
Chuang, M.-C., and Chen, M.C., An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst. Appl. 41(4):1411–1418, 2014.
Chuang, Y.-H., and Tseng, Y.-M., An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int. J. Netw. Manag. 20(4):167–180, 2010.
Das, A.K., Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.
Das, A.K., A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw. Appl., 1–22, 2014. doi:10.1007/s12083-014-0324-9.
Das, A.K., A secure and efficient user anonymity-preserving three-factor authentication protocol for large-scale distributed wireless sensor networks. Wirel. Pers. Commun., 1–28, 2015. doi:10.1007/s11277-015-2288-3.
Das, A.K., A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems. J. Med. Syst. 39(3):1–20, 2015.
Das, A.K., and Goswami, A., A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37(3):1–16, 2013.
Das, A.K., Paul, N.R., Tripathy, L., Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Inf. Sci. 209(C):80–92, 2012.
Das, A.K., Sharma, P., Chatterjee, S., Sing, J.K., A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. J. Netw. Comput. Appl. 35(5):1646–1656, 2012.
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt’04), Vol. 3027, pp. 523–540. LNCS (2004)
Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.
Guo, P., Wang, J., Geng, X.H., Kim, C.S., Kim, J.-U., A variable threshold-value authentication architecture for wireless mesh networks. J. Internet Technol. 15(6):929–936, 2014.
He, D., Kumar, N., Chen, J., Lee, C.-C., Chilamkurti, N., Yeo, S.-S., Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed. Syst. 21(1): 49–60, 2015.
He, D., Kumar, N., Chilamkurti, N., A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci., 2015. doi:10.1016/j.ins.2015.02.010.
He, D., Kumar, N., Chilamkurti, N., Lee, J.-H., Lightweight ECC based RFID authentication integrated with an ID verifier transfer protocol. J. Med. Syst. 38(10), 2014.
He, D., Kumar, N., Lee, J.-H., Sherratt, R.S., Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.
He, D., and Zeadally, S., Authentication protocol for an ambient assisted living system. IEEE Commun. Mag. 53(1):71–77, 2015.
Islam, S. K. H., and Khan, M.K., Cryptanalysis and Improvement of Authentication and Key Agreement Protocols for Telecare Medicine Information Systems. J. Med. Syst. 38(10):135, 2014.
Jin, A.T.B., Ling, D.N.C., Goh, A., Biohashing: Two factor authentication featuring fingerprint data and tokenized random number. Pattern Recogn. 37(11):2245–2255, 2004.
Khan, M.K., and Kumari, S., An authentication scheme for secure access to healthcare services. J. Med. Syst. 37(4), 2013.
Khan, M.K., and Kumari, S., Cryptanalysis and Improvement of “An Efficient and Secure Dynamic ID-based Authentication Scheme for Telecare Medical Information Systems”. Secur. Commun. Netw. 7(2):399–408, 2014.
Khan, M.K., and Kumari, S., An improved user authentication protocol for healthcare services via wireless medical sensor networks. Int. J. Distrib. Sensor Netw. 2014:1–10, 2014. doi:10.1155/2014/347169. Article ID 347169.
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, Vol. 1666, pp. 388–397. LNCS (1999)
Kumari, S., Khan, M.K., Kumar, R., Cryptanalysis and improvement of ‘a privacy enhanced scheme for telecare medical information systems’. J. Med. Syst. 37(4), 2013.
Li, X., Niu, J.-W., Ma, J., Wang, W.-D., Liu, C.-L., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 34(1):73–79, 2011.
Li, X., Xiong, Y., Ma, J., Wang, W., An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J. Netw. Comput. Appl. 35(2):763–769, 2012.
Lumini, A., and Nanni, L., An improved biohashing for human authentication. Pattern Recogn. 40(3): 1057–1065, 2007.
Maitra, T., and Giri, D., An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):1–19, 2014.
Messerges, T. S., Dabbish, E. A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
Mishra, D., On the security flaws in ID-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1):154, 2014.
Mishra, D., Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems. J. Med. Syst. 39(3):19, 2015.
Mishra, D., Das, A.K., Mukhopadhyay, S., A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card. Peer-to-Peer Netw. Appl., 1–22, 2014. doi:10.1007/s12083-014-0321-z.
Mishra, D., Das, A. K., Mukhopadhyay, S., A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst. Appl. 41(18):8129–8143, 2014.
Mishra, D., and Mukhopadhyay, S.: Cryptanalysis of Pairing-Free Identity-Based Authenticated Key Agreement Protocols. In: Information Systems Security, volume 8303 of Lecture Notes in Computer Science, pp. 247–254. Springer Berlin Heidelberg (2013)
Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M.K., et al., Cryptanalysis and Improvement of Yan Biometric-Based Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(6):24, 2014.
Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5):41, 2014.
Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(10), 2014.
Mishra, R., and Barnwal, A.K., A privacy preserving secure and efficient authentication scheme for telecare medical information systems. J. Med. Syst. 39(5):54, 2015.
Odelu, V., Das, A. K., Goswami, A., A secure and efficient ecc-based user anonymity preserving single sign-on scheme for distributed computer networks. Secur. Commun. Netw. 8(9):1732–1751, 2015.
Odelu, V., Das, A.K., Goswami, A., A secure and scalable group access control scheme for wireless sensor networks. Wirel. Pers. Commun., 2015. doi:10.1007/s11277-015-2866-4.
Odelu, V., Das, A.K., Goswami, A., A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans. Inf. Forensic. Secur. 10(9):1953–1966, 2015. doi:10.1109/TIFS.2015.2439964.
Sarkar, P., A simple and generic construction of authenticated encryption with associated data. ACM Trans. Inf. Syst. Secur. 13(4):1–16, 2010.
Siddiqui, Z., Abdullah, A.-H., Khan, M.K., Alghamdi, A.S., Smart environment as a service, three factor cloud based user authentication for telecare medical information system. J. Med. Syst. 38(1):9997, 2014.
Sood, S.K., Sarje, A.K., Singh, K., A secure dynamic identity based authentication protocol for multi-server architecture. J. Netw. Comput. Appl. 34(2):609–618, 2011.
Stinson, D.R., Some Observations on the Theory of Cryptographic Hash Functions. Des., Codes Crypt. 38(2): 259–277, 2006.
Von Oheimb, D.: The high-level protocol specification language HLPSL developed in the EU project AVISPA, pp. 1–17. Tallinn (2005)
Wang, B., and Ma, M., A smart card based efficient and secured multi-server authentication scheme. Wirel. Pers. Commun. 68(2):361–378, 2013.
Xue, K., Hong, P., Ma, C., A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci. 80(1):195–206, 2014.
Yang, D., and Yang, B.: A biometric password-based multi-server authentication scheme with smart card. In: 2010 International Conference on Computer Design and Applications (ICCDA), Vol. 5, pp. 554–559. IEEE (2010)
Acknowledgments
The authors would like to acknowledge the helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.
Conflict of interests
The authors declare that there is no conflict of interest.
Additional information
This article is part of the Topical Collection on Patient Facing Systems
Cite this article
Das, A.K., Odelu, V. & Goswami, A. A Secure and Robust User Authenticated Key Agreement Scheme for Hierarchical Multi-medical Server Environment in TMIS. J Med Syst 39, 92 (2015). https://doi.org/10.1007/s10916-015-0276-5
DOI: https://doi.org/10.1007/s10916-015-0276-5