
A Secure User Anonymity-Preserving Three-Factor Remote User Authentication Scheme for the Telecare Medicine Information Systems

  • Transactional Processing Systems
Journal of Medical Systems

Abstract

Recent advances in technology enable the telecare medicine information system (TMIS) to give patients health monitoring at home and access to medical services over the Internet or mobile networks. Several remote user authentication schemes have been proposed in the literature for TMIS. However, most of them are either insecure against various known attacks or inefficient. Recently, Tan proposed an efficient user anonymity preserving three-factor authentication scheme for TMIS. In this paper, we show that though Tan’s scheme is efficient, it has several security drawbacks: (1) it fails to provide proper authentication during the login phase, (2) it fails to correctly update a user's password and biometric during the password and biometric update phase, and (3) it fails to protect against replay attack. In addition, Tan’s scheme lacks a formal security analysis and verification. Later, Arshad and Nikooghadam also pointed out some security flaws in Tan’s scheme and then presented an improvement on Tan’s scheme. However, we show that Arshad and Nikooghadam’s scheme is still insecure against the privileged-insider attack through the stolen smart-card attack, and it also lacks a formal security analysis and verification. To withstand the security loopholes found in both Tan’s scheme and Arshad and Nikooghadam’s scheme, we propose an effective and more secure three-factor remote user authentication scheme for TMIS. Our scheme provides the user anonymity property. Through rigorous informal and formal security analysis using random oracle models and the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool, we show that our scheme is secure against various known attacks, including the replay and man-in-the-middle attacks. Furthermore, our scheme is also efficient compared to other related schemes.

References

  1. An, Y., Security Analysis and Enhancements of an Effective Biometric-Based Remote User Authentication Scheme Using Smart Cards. J. Biomed. Biotechnol. 2012:1–6, 2012. Article ID 519723.

  2. Arshad, H., and Nikooghadam, M., Three-Factor Anonymous Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(6):1–12, 2014.

  3. AVISPA: Automated Validation of Internet Security Protocols and Applications. Accessed on January 2013. http://www.avispa-project.org/

  4. AVISPA: AVISPA Web Tool. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/

  5. Awasthi, A.K., and Srivastava, K., A Biometric Authentication Scheme for Telecare Medicine Information Systems with Nonce. J. Med. Syst. 37(5):1–4, 2013.

  6. Basin, D., Modersheim, S., Vigano, L., OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.

  7. Burnett, A., Byrne, F., Dowling, T., Duffy, A., A Biometric Identity Based Signature Scheme. Int. J. Netw. Secur. 5(3):317–326, 2007.

  8. Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Security and Communication Networks, 2014. doi:10.1002/sec.1140.

  9. Chatterjee, S., Das, A.K., Sing, J.K., An Enhanced Access Control Scheme in Wireless Sensor Networks. Ad Hoc & Sensor Wireless Networks 21(1–2):121–149, 2014.

  10. Chen, B.-L., Kuo, W.-C., Wuu, L.-C., Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2):377–389, 2014.

  11. Chuang, Y.-H., and Tseng, Y.-M., An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int. J. Netw. Manag. 20(4):167–180, 2010.

  12. Das, A.K., Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.

  13. Das, A.K., A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Netw. Sci. 2(1–2):12–27, 2013.

  14. Das, A.K., Chatterjee, S., Sing, J.K., A novel efficient access control scheme for large-scale distributed wireless sensor networks. Int. J. Found. Comput. Sci. 24(5):625–653, 2013.

  15. Das, A.K., and Goswami, A., A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care. J. Med. Syst. 37(3):1–16, 2013.

  16. Das, A.K., and Goswami, A.: A robust anonymous biometric-based remote user authentication scheme using smart cards. Journal of King Saud University - Computer and Information Sciences (Elsevier). In Press (2014)

  17. Das, A.K., Massand, A., Patil, S., A novel proxy signature scheme based on user hierarchical access control policy. Journal of King Saud University - Comput. Inform. Sci. 25(2):219–228, 2013.

  18. Das, A.K., Paul, N.R., Tripathy, L., Cryptanalysis and improvement of an access control in user hierarchy based on elliptic curve cryptosystem. Inf. Sci. 209(C):80–92, 2012.

  19. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of the Advances in Cryptology (Eurocrypt’04), LNCS, Vol. 3027, pp. 523–540 (2004)

  20. Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.

  21. Giri, D., Maitra, T., Amin, R., Srivastava, P.D., An efficient and robust RSA-based remote user authentication for telecare medical information systems. J. Med. Syst. 39(1):1–9, 2014.

  22. He, D., Chen, J., Zhang, R., A More Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1989–1995, 2012.

  23. He, D., Kumar, N., Lee, J.-H., Sherratt, R.S., Enhanced three-factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.

  24. Islam, S.H., and Biswas, G.P., A provably secure identity-based strong designated verifier proxy signature scheme from bilinear pairings. Journal of King Saud University - Comput. Inform. Sci. 26(1):55–67, 2014.

  25. Islam, S.K.H., and Khan, M.K., Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems. J. Med. Syst. 38(10):1–16, 2014.

  26. Khan, M.K., and Kumari, S., Cryptanalysis and improvement of an efficient and secure dynamic id-based authentication scheme for telecare medical information systems. Security and Communication Networks 7(2):399–408, 2014.

  27. Koblitz, N., Elliptic Curves Cryptosystems. Math. Comput. 48:203–209, 1987.

  28. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, pp. 388–397 (1999)

  29. Kumari, S., Khan, M.K., Kumar, R., Cryptanalysis and improvement of a privacy enhanced scheme for telecare medical information systems. J. Med. Syst. 37(4):1–11, 2013.

  30. Lee, C.-C., and Hsu, C.-W., A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 71(1–2):201–211, 2013.

  31. Lee, C.-C., Li, C.-T., Chiu, S.-T., Lai, Y.-M., A new three-party-authenticated key agreement scheme based on chaotic maps without password table. Nonlinear Dyn., 1–11, 2014. doi:10.1007/s11071-014-1827-x.

  32. Lee, T.-F., and Liu, C.-M., A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 37(3):1–8, 2013.

  33. Li, C.-T., and Hwang, M.-S., An efficient biometric-based remote authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1):1–5, 2010.

  34. Li, X., Niu, J.-W., Ma, J., Wang, W.-D., Liu, C.-L., Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 34(1):73–79, 2011.

  35. Maitra, T., and Giri, D., An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):1–19, 2014.

  36. Massey, T., Marfia, G., Stoelting, A., Tomasi, R., Spirito, M.A., Sarrafzadeh, M., Pau, G., Leveraging Social System Networks in Ubiquitous High-Data-Rate Health Systems. IEEE Trans. Inf. Technol. Biomed. 15(3):491–498, 2011.

  37. Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.

  38. Mishra, D., On the security flaws in id-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1):1–16, 2015.

  39. Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M.K., Cryptanalysis and improvement of Yan et al.’s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38(6):1–12, 2014.

  40. Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5):1–11, 2014.

  41. Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(10):1–10, 2014.

  42. Odelu, V., Das, A.K., Goswami, A., An Effective and Secure Key-Management Scheme for Hierarchical Access Control in E-Medicine System. J. Med. Syst. 37(2):1–18, 2013.

  43. Odelu, V., Das, A.K., Goswami, A., A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Inf. Sci. 269(C):270–285, 2014.

  44. Odelu, V., Das, A.K., Goswami, A., A secure and efficient ECC-based user anonymity preserving single sign-on scheme for distributed computer networks. Security and Communication Networks, 2014. doi:10.1002/sec.1139.

  45. Patel, M., and Wang, J., Applications, challenges, and prospective in emerging body area networking technologies. IEEE Wirel. Commun. 17(1):80–88, 2010.

  46. Sarkar, P., A Simple and Generic Construction of Authenticated Encryption with Associated Data. ACM Trans. Inf. Syst. Secur. 13(4):1–16, 2010.

  47. Siddiqui, Z., Abdullah, A.H., Khan, M.K., Alghamdi, A., Smart environment as a service: Three factor cloud based user authentication for telecare medical information system. J. Med. Syst. 38(1):1–14, 2013.

  48. Stallings, W., Cryptography and Network Security: Principles and Practices. 3rd edition: Pearson Education India, 2003.

  49. Stinson, D.R., Some Observations on the Theory of Cryptographic Hash Functions. Des. Codes Crypt. 38(2):259–277, 2006.

  50. Tan, Z., An efficient biometrics-based authentication scheme for telecare medicine information systems. Przegl. Elektrotech. 89(5):200–204, 2013.

  51. Tan, Z., A User Anonymity Preserving Three-Factor Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(3):1–9, 2014.

  52. Tang, H., and Liu, X., Cryptanalysis of a dynamic ID-based remote user authentication with key agreement scheme. Int. J. Commun. Syst. 25(12):1639–1644, 2012.

  53. von Oheimb, D.: The high-level protocol specification language hlpsl developed in the eu project avispa. In: Proceedings of APPSEM 2005 Workshop (2005)

  54. Wei, J., Hu, X., Liu, W., An Improved Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6):3597–3604, 2012.

  55. Wu, Z.Y., Lee, Y.-C., Lai, F., Lee, H.-C., Chung, Y.-F., A Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(3):1529–1535, 2012.

  56. Xie, Q., A new authenticated key agreement for session initiation protocol. Int. J. Commun. Syst. 25(1):47–54, 2012.

  57. Yan, H., Huo, H., Xu, Y., Gidlund, M., Wireless sensor network based E-health system implementation and experimental results. IEEE Trans. Consum. Electron. 56(4):2288–2295, 2010.

  58. Yan, X., Li, W., Li, P., Wang, J., Hao, X., Gong, P., A secure biometrics-based authentication scheme for telecare medicine information systems. J. Med. Syst. 37(5):1–6, 2013.

  59. Yang, H., Kim, H., Mtonga, K., An efficient privacy-preserving authentication scheme with adaptive key evolution in remote health monitoring system. Peer-to-Peer Networking and Applications, 1–11, 2014. doi:10.1007/s12083-014-0299-6.

  60. Zhu, Z., An Efficient Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. 36(6):3833–3838, 2012.

Acknowledgments

The author would like to acknowledge the helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.

Author information

Corresponding author

Correspondence to Ashok Kumar Das.

Additional information

Conflict of interests

The author declares that there is no conflict of interest.

This article is part of the Topical Collection on Transactional Processing Systems

Cite this article

Das, A.K. A Secure User Anonymity-Preserving Three-Factor Remote User Authentication Scheme for the Telecare Medicine Information Systems. J Med Syst 39, 30 (2015). https://doi.org/10.1007/s10916-015-0218-2

  • DOI: https://doi.org/10.1007/s10916-015-0218-2
