A Multiserver Biometric Authentication Scheme for TMIS using Elliptic Curve Cryptography

Shehzad Ashraf Chaudhry, Muhammad Tawab Khan, Muhammad Khurram Khan & Taeshik Shon

Journal of Medical Systems, ISSN 0148-5598, Volume 40, Number 11. J Med Syst (2016) 40:1-13. DOI 10.1007/s10916-016-0592-4


J Med Syst (2016) 40:230

MOBILE & WIRELESS HEALTH

Shehzad Ashraf Chaudhry 1 · Muhammad Tawab Khan 1 · Muhammad Khurram Khan 2 · Taeshik Shon 3

Received: 30 May 2016 / Accepted: 5 September 2016
© Springer Science+Business Media New York 2016

Abstract Recently, several authentication schemes have been proposed for telecare medicine information systems (TMIS). Many of them have been shown to be weak against known attacks, and many cannot be used in real deployments because they assume a single authentication server for the whole system. Very recently, Amin et al. (J. Med. Syst. 39(11):180, 2015) designed an authentication scheme for secure communication between a patient and a medical practitioner through a trusted central medical server. They claimed that their scheme meets all security requirements and emphasized its efficiency. However, the analysis in this article shows that Amin et al.'s scheme is vulnerable to stolen smart card and stolen verifier attacks. Furthermore, their scheme has scalability issues along with inefficient password change and password recovery phases. We then propose an improved scheme. The proposed scheme is more practical, secure and lightweight than Amin et al.'s scheme. The security of the proposed scheme is verified using the popular automated tool ProVerif.

Keywords Biometrics · Authentication · Multiserver · Impersonation attack · Smart card stolen · Stolen verifier · ProVerif

This article is part of the Topical Collection on Mobile & Wireless Health.

1 Department of Computer Science & Software Engineering, International Islamic University Islamabad, Islamabad, Pakistan
2 Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia
3 Division of Information and Computer Engineering, College of Information Technology, Ajou University, San 5, Woncheon-Dong, Yeongtong-Gu, Suwon 443-749, Korea

Introduction

There has been a lot of improvement in networking and communication technologies in the recent past, which has enabled Internet users to perform various online activities from anywhere at any time. Many of today's information systems make use of the services provided by these communication technologies. A Telecare Medical Information System (TMIS) is one such system: through it, a user can obtain various healthcare facilities and treatment via the Internet, remotely access information about his/her health and receive tele-medical services. Because the Internet is insecure, there is always the possibility that an adversary analyzes or modifies the transmitted data. Since TMIS provides its services via the Internet, ensuring confidentiality, integrity and patient authentication is critical. To fulfil these requirements, a secure authentication and session key agreement scheme is essential. Once the entities are authenticated and a session key is agreed upon, the medical information to be exchanged is encrypted under the session key and only the resulting ciphertext is transmitted, so an adversary without the session key learns nothing about the confidential information from the ciphertext.

Initially, two-factor authentication schemes [1–4] received considerable attention from the research community. Soon, several weaknesses of two-factor schemes were identified [5–7], and biometrics were adopted as the way forward. Although several multifactor biometric schemes were designed, many of them were articulated for a single-server architecture, which is not practical in real scenarios like TMIS. In TMIS a patient typically wants to communicate with the health practitioner of his choice through some central server, so the need for multiserver authentication is obvious [8–10]. A typical multiserver TMIS architecture is shown in Fig. 1.

Motivations and contributions

Very recently, Amin et al. [11] identified that many existing authentication schemes are prone to several weaknesses and that many such schemes [12–16] provide no password recovery phase. Furthermore, they pointed out that these schemes are designed for a single-server architecture, leaving no room for the patient to communicate directly with the doctor. Therefore, Amin et al. designed a new authentication scheme to avoid the weaknesses of the existing schemes; it also introduced a password recovery phase, which can be run if the user forgets his password. However, this paper shows that Amin et al.'s multiserver scheme is prone to several weaknesses, including stolen smart card and stolen verifier attacks, that its password change and password recovery phases are inefficient, and that it has scalability issues. A new multiserver authentication scheme is then proposed to safeguard against these known attacks. The distinct merits of the proposed scheme are:

1. The proposed scheme is tailored for a multiserver architecture, where a patient can communicate directly with the doctor.
2. The proposed scheme is secure under the threat model of the widespread automated tool ProVerif.
3. The proposed scheme lets the user change the password without the intervention of the Central Management Server (CMS).
4. The proposed scheme offers password recovery by the smart card, in case the user forgets his/her password.
5. The proposed scheme has lower computation and communication costs than Amin et al.'s scheme.

Preliminaries

This section presents the notation in Table 1, along with the primitives concerning biohashing and the widely accepted adversarial model.

Fig. 1 A typical multiserver TMIS architecture

Table 1 Notation guide

Notation              Description
Ux, CMS               Patient, Central Management Server
PSy, A                Physician Server, Attacker
IDx, PWx              Ux's identity, Ux's password
Xy                    Shared key between CMS and PSy
P; s, Pub = s·P       Base point of the elliptic curve; CMS's private key and the corresponding public key
h(·), Ek/Dk(·)        Hash function, symmetric encryption/decryption under key k
||, ⊕                 Concatenation, XOR operators

BioHashing

Biometrics are now commonly used for authentication: they provide a reliable and quantifiable way to identify a specific human. Biometric identification has to cope with noise, which causes a slightly different value in each imprint and may lead to false rejections. Biohashing [17–20] solves the false rejection problem by mapping the imprinted biometrics onto a predefined random token. Biohashing has proved to be a very useful and compatible method and is now used in numerous smart devices such as phones and cards [17–19].

Adversarial model

Here we briefly present the adversarial model that has been used several times in the literature [21–23]. The adversary A has the following capabilities:

1. A controls the communication channel: A can read all transmitted messages and may modify, replay or delete any message between the two communicating parties, or insert a self-created message.
2. Of the two factors (the smart card and PWx), A can compromise either one but not both simultaneously.
3. The information stored in the smart card can be extracted using power monitoring [24, 25].
4. The public identities of the patient and of the physician server are known to A.

Review of Amin et al.'s scheme

Amin et al.'s scheme is reviewed in this section. Its three primitive phases (registration, login and authentication), shown in Figs. 2 and 3, are narrated below.

Registration phase

This phase, shown in Fig. 2, entails three steps. In order to access the medical services, each user Ux has to register with the central management server CMS:

Step AR1: Ux chooses IDx and PWx as identity and password, generates a random number r0 and computes PWx* = PWx ⊕ r0. Ux sends {IDx, PWx*} to CMS over a secure channel.

Step AR2: On receiving {IDx, PWx*}, CMS computes Mx = IDx·P = (Px, Py), Ox = h(IDx||PWx*) and Nx = E_Px(h(IDx||s)), where Px and Py are the x and y coordinates of Mx and s is CMS's private key. CMS issues Ux a smart card containing {Ox, Nx, TIDx, h(·), Ek/Dk}.

Step AR3: After receiving the smart card, Ux computes Qx = r0 ⊕ h(IDx||h(Py)) and stores it on the card alongside the values already there. CMS also maintains a verifier table with tuples of the form {TIDx, IDx, PWx*}, which is assumed to be protected from the adversary.

Fig. 2 Registration phase of Amin et al.'s scheme

Login phase

This phase, shown in Fig. 3, starts once Ux inserts the smart card into a card reader and enters the identity IDx and password PWx:

Step AL1: The smart card computes Mx = IDx·P = (Px, Py), r0 = Qx ⊕ h(IDx||h(Py)), PWx* = PWx ⊕ r0 and Ox* = h(IDx||PWx*), and checks whether Ox* = Ox. If the check fails the smart card rejects Ux; otherwise it proceeds.

Step AL2: The smart card requests the availability table from CMS, which returns the table containing the physician servers' identities, from which the physician server PSy is selected.

Step AL3: The smart card decrypts Nx with Px to obtain Nx* = D_Px(Nx) = h(IDx||s). It then chooses a random number r1 ∈R Zq* and computes L1 = r1·P, L2 = r1·Pub, L3 = TIDx ⊕ h(L2) and L4 = h(Nx*||IDx||L2||Txo), where Txo is the current timestamp at Ux.

Step AL4: The login request {IDPSy, L1, L3, L4, Txo} is sent to CMS over an insecure channel, where IDPSy is the identity of the selected physician server PSy.

Fig. 3 Login and authentication phases of Amin et al.'s scheme

Authentication phase

This phase, shown in Fig. 3, establishes a session key and performs mutual authentication between Ux and PSy via CMS through the following steps:

Step AA1: CMS checks the timestamp in the login request, (Tc − Txo) ≤ ΔT, where Tc is CMS's current time. If it is fresh, CMS computes L2 = s·L1 and TIDx = L3 ⊕ h(L2), looks up TIDx in the verifier table and retrieves the corresponding IDx; if TIDx is not present, the session is terminated.

Step AA2: CMS computes Nx = h(IDx||s) and L4* = h(Nx||IDx||L2||Txo), and authenticates Ux by checking L4* = L4.

Step AA3: CMS computes G1 = h(IDx||IDPSy||s), G2 = Xy·P = (XP, YP), G3 = h(TSNx), G4 = IDx ⊕ h(G3·P), G5 = h(IDPSy||IDx||G3||Tc||YP) and G6 = E_XP(G1, G3, G4), and sends {G5, G6, L1, Tc} to PSy over an insecure channel.

Step AA4: PSy checks (Ty − Tc) ≤ ΔT. If fresh, PSy computes G2 = Xy·P = (XP, YP), (G1, G3, G4) = D_XP(G6), IDx* = G4 ⊕ h(G3·P) and G5* = h(IDPSy||IDx*||G3||Tc||YP), and checks G5* = G5. If it holds, Ux and CMS are authenticated; otherwise the session is terminated.

Step AA5: PSy generates a random number r2 ∈R Zq* and computes SKy = r2·L1 = r1r2P, H1 = r2·P, H2 = h(G1||H1||L1||Ty) and H3 = E_Px(H1, H2, G1), and sends {H3, Ty} to Ux.

Step AA6: Ux checks (Tx1 − Ty) ≤ ΔT, decrypts H3 with Px, computes H2* = h(G1||H1||L1||Ty) and checks H2* = H2 in order to authenticate CMS and PSy.

Step AA7: Ux computes the session key SKu = r1·H1 = r1r2P and SKV = h("111"||SKu), and sends {SKV} to PSy.

Step AA8: PSy computes SKV* = h("111"||SKy) and checks SKV* = SKV. If it holds, Ux and PSy exchange the secret data using the shared session key SK = SKu = SKy.

Password change phase of Amin et al.'s scheme

Ux submits IDx and PWx. The smart card computes Mx = IDx·P = (Px, Py), r0 = Qx ⊕ h(IDx||h(Py)), PWx* = PWx ⊕ r0 and Ox* = h(IDx||PWx*), and checks Ox* = Ox, aborting if the check fails. Otherwise it asks for a new password PWxnew, computes PWxnew* = PWxnew ⊕ r0 and Oxnew = h(IDx||PWxnew*), and replaces Ox with Oxnew. The smart card then computes Nx* = D_Px(Nx) = h(IDx||s) and Zx = Nx* ⊕ PWxnew*, and sends the password change request {Zx, TIDx} to CMS. CMS looks up IDx from TIDx, computes Nx* = h(IDx||s) and PWxnew* = Zx ⊕ Nx*, and replaces PWx* by PWxnew* in the verifier table.

Password recovery phase of Amin et al.'s scheme

This phase is run if a user forgets his password. Ux inserts the smart card and submits IDx. The smart card chooses a random number cx and computes Mx = IDx·P = (Px, Py), r0 = Qx ⊕ h(IDx||h(Py)), h(IDx||s) = D_Px(Nx) and Wx = h(h(IDx||s)||cx), and sends the recovery request {TIDx, Wx, cx} to CMS. CMS looks up IDx from TIDx, checks Wx ?= h(h(IDx||s)||cx) and aborts the request if the check fails. Otherwise it computes Vx = h(IDx||s) ⊕ PWx* and sends it to Ux. The smart card recovers PWx* = Vx ⊕ h(IDx||s), computes PWx = PWx* ⊕ r0 and displays PWx on the output screen.


Cryptanalysis of Amin et al.'s scheme

This section shows that an active adversary A who knows only the public identity of some user Ux can impersonate him under the adversarial model described in Section "Adversarial model". That model is common and realistic. Unfortunately, the security of Amin et al.'s scheme rests on the secrecy of the public identity: Mx = IDx·P, and hence the key Px that protects Nx, is derived from IDx alone. Furthermore, Amin et al. consider the verifier table protected. However, it is commonly understood that identities are public and known to insiders as well as outsiders, and a verifier table is not assumed to be protected and can be accessed by insiders. Based on these assumptions, the following subsections describe the weaknesses of Amin et al.'s scheme.

Stolen smart card attack

To mount this attack, A first extracts the parameters {Ox, Nx, TIDx, Qx} stored in Ux's smart card using power analysis. Note that the password PWx is only used in the card's local check of Ox in step AL1; none of the values in the login request depends on it. A then performs the following steps with CMS and PSy to complete the forgery:

Step UI1: A selects a random number ra ∈R Zq* and computes:

Mx = IDx·P = (Px, Py)              (1)
Nx* = D_Px(Nx) = h(IDx||s)         (2)
L1 = ra·P                          (3)
L2 = ra·Pub                        (4)
L3 = TIDx ⊕ h(L2)                  (5)
L4 = h(Nx*||IDx||L2||Txo)          (6)

Step UI2: A sends {IDPSy, L1, L3, L4, Txo} to CMS.

Step UI3: On receiving the request, CMS first verifies the timestamp Txo and aborts the session if it is not within the acceptable range. Otherwise CMS computes:

L2 = s·L1                          (7)
TIDx = L3 ⊕ h(L2)                  (8)

Step UI4: CMS checks the validity of TIDx and, if it is valid, extracts the corresponding IDx. CMS then computes:

Nx = h(IDx||s)                     (9)
L4* = h(Nx||IDx||L2||Txo)          (10)

Step UI5: CMS verifies that the received L4 equals L4* computed in (10). Since A used the genuine Nx* read from the card, the check passes. (If the two were not equal, the session would be aborted.) CMS then computes:

G1 = h(IDx||IDPSy||s)              (11)
G2 = Xy·P = (XP, YP)               (12)
G3 = h(TSNx)                       (13)
G4 = IDx ⊕ h(G3·P)                 (14)
G5 = h(IDPSy||IDx||G3||Tc||YP)     (15)
G6 = E_XP(G1, G3, G4)              (16)

Step UI6: CMS sends {G5, G6, L1, Tc}, with Tc the current timestamp, to the physician server PSy.

Step UI7: PSy first verifies the freshness of Tc. If Tc is fresh, PSy computes:

G2 = Xy·P = (XP, YP)               (17)
G6 = D_XP(E_XP(G1, G3, G4))        (18)
   = (G1, G3, G4)                  (19)
IDx* = G4 ⊕ h(G3·P)                (20)
G5* = h(IDPSy||IDx*||G3||Tc||YP)   (21)

Step UI8: PSy checks that the received G5 equals G5* computed in (21) and aborts if not. Otherwise PSy generates a random number r2 ∈R Zq* and computes:

SKy = r2·L1 = ra r2 P              (22)
H1 = r2·P                          (23)
H2 = h(G1||H1||L1||Ty)             (24)
H3 = E_Px(H1, H2, G1)              (25)

Step UI9: PSy sends {H3, Ty} to Ux.

Step UI10: A intercepts and blocks the message. Since Px is derived from the public IDx, A decrypts H3 and computes:

(H1, H2, G1) = D_Px(H3)            (26)
H2* = h(G1||H1||L1||Ty)            (27)
SKu = ra·H1 = ra r2 P              (28)
SKV = h("111"||SKu)                (29)

Step UI11: A sends SKV to PSy.

Step UI12: On receiving SKV, PSy computes:

SKV* = h("111"||SKy)               (30)

Step UI13: Finally, PSy checks SKV = SKV* and aborts the session if it is false. Otherwise it accepts SKy = SKu as the session key and A as the legitimate user Ux.

Stolen verifier attack and scalability issues

Unfortunately, Amin et al.'s scheme maintains at CMS a verifier table with entries of the form {IDx, TIDx, PWx*}. Because the table contains PWx*, it is a serious threat: verifier tables are accessible to privileged insiders and can be used to mount several attacks, including password guessing and impersonation. Furthermore, the verifier table incurs extra storage at CMS and a lookup on every login request, which limits scalability.

Inefficient password change

The password change phase of Amin et al.'s scheme is also inefficient: it can only be completed with the help of CMS, which is old-fashioned and costly. A number of current authentication schemes let the user change his password through an interactive session with the smart card alone.

Inefficient password recovery

Although a novel contribution of Amin et al. is the password recovery facility, which can be invoked if the user forgets his password, their password recovery phase is faulty and inefficient. Each time a user forgets his password he has to request CMS for recovery, and CMS must keep a verifier table of passwords, which is exposed to the stolen verifier attack above. Furthermore, if the smart card is stolen, an adversary can use the public identity and the smart card parameters to run the recovery phase and obtain the password of any user of the system: the request {TIDx, Wx, cx} only needs Nx decrypted with Px, which is derived from IDx·P, and the reply Vx is unmasked with the same value. The adversary can then change the password and mount several further attacks on Amin et al.'s scheme.

Proposed scheme

This section explains the proposed scheme in the following subsections.

Proposed registration phase

This phase, shown in Fig. 4, entails three steps. In order to access the medical services, each user Ux has to register with the central management server CMS:

Step PR2: Ux chooses IDx and PWx as identity and password and imprints his biometrics BIOx. Ux generates a random number r0, computes PWx* = PWx ⊕ r0 and sends {IDx, PWx*, H(BIOx)} to CMS.

Step PR3: On receiving {IDx, PWx*, H(BIOx)}, CMS computes Mx = h(PWx*||H(BIOx))·P = (Px, Py), Ox = E_{H(BIOx)}(PWx* ⊕ H(BIOx)) and Nx = E_Px(h(IDx||s)),

where Px and Py are the x and y coordinates of Mx. CMS issues Ux a smart card containing {Ox, Nx, h(·), Ek/Dk}.

Step PR4: After receiving the smart card, Ux computes Qx = r0 ⊕ h(IDx||h(Py)) and stores it on the card alongside the values already there. Note that in the proposed registration phase the verifier stays with Ux, while CMS does not store any verifier.

Fig. 4 Registration phase of the proposed scheme

Fig. 5 Login and authentication phases of the proposed scheme

Proposed login phase

This phase, shown in Fig. 5, starts once Ux inserts the smart card into a card reader and


enters the identity IDx and password PWx and imprints his biometrics BIOx:

Step PLP1: The smart card computes Zx = D_{H(BIOx)}(Ox), PWx* = Zx ⊕ H(BIOx), Mx = h(PWx*||H(BIOx))·P = (Px, Py) and r0 = Qx ⊕ h(IDx||h(Py)), and checks whether PWx* = PWx ⊕ r0. The values must be computed in this order, because r0 can only be recovered from Qx once Py, and therefore PWx*, is known. If the check fails the smart card rejects Ux; otherwise it proceeds.

Step PLP2: The smart card requests the availability table from CMS, which returns the table containing the physician servers' identities.

Step PLP3: The smart card decrypts Nx with Px to obtain Nx* = D_Px(Nx) = h(IDx||s). It then chooses a random number r1 ∈R Zq* and computes L1 = r1·P, L2 = r1·Pub, L3 = IDx ⊕ h(L2) and L4 = h(Nx*||IDx||L2||Txo), where Txo is a fresh timestamp at Ux.

Step PLP4: The login request {IDPSy, L1, L3, L4, Txo} is sent to CMS over an insecure channel, where IDPSy is the identity of the physician server PSy.

Proposed authentication phase

This phase, shown in Fig. 5, establishes a session key and performs mutual authentication between Ux and PSy via CMS through the following steps:

Step PAP1: CMS checks the timestamp in the login request, (Tc − Txo) ≤ ΔT. If it is fresh, CMS computes L2 = s·L1 and IDx = L3 ⊕ h(L2) and checks the validity of IDx in its repository; if IDx is not valid, CMS terminates the session. Otherwise the request is processed as follows.

Step PAP2: CMS computes Nx = h(IDx||s) and L4* = h(Nx||IDx||L2||Txo), and authenticates Ux by checking L4* = L4.

Step PAP3: CMS computes G1 = h(IDx||IDPSy||Tc||L2x||L2y) and G2 = E_Xy(G1||IDx||IDPSy||Tc||L2x||L2y), where L2x and L2y are the coordinates of L2, and sends {G2, Tc} to PSy over an insecure channel.

Step PAP4: PSy checks (Ty − Tc) ≤ ΔT. If fresh, PSy decrypts G2 with the pre-shared key Xy to obtain (G1||IDx||IDPSy||Tc||L2x||L2y) and verifies the legitimacy of CMS by checking G1 ?= h(IDx||IDPSy||Tc||L2x||L2y). PSy aborts the session if the check fails; otherwise CMS is treated as authenticated.

Step PAP5: PSy generates a random number r2 ∈R Zq* and computes SKy = r2·L1 = r1r2P, H1 = r2·P, H2 = h(G1||H1||L1||Ty) and H3 = E_L2x(H1, H2, G1), and sends {H3, Ty} to Ux.

Step PAP6: Ux checks (Tx1 − Ty) ≤ ΔT, decrypts H3 with L2x to obtain (H1, H2, G1), computes H2* = h(G1||H1||L1||Ty) and checks H2* = H2 in order to authenticate CMS and PSy.

Step PAP7: Ux computes the session key SKu = r1·H1 = r1r2P and SKV = h("111"||SKu), and sends {SKV} to PSy.

Step PAP8: PSy computes SKV* = h("111"||SKy) and checks SKV* = SKV. If it holds, Ux and PSy exchange the secret data using the shared session key SK = SKu = SKy.

Proposed password change phase

In the proposed scheme the user does not need to interact with CMS to change the password; as shown in Fig. 6, the change is performed by the smart card alone. Ux submits IDx and PWx and scans his biometrics BIOx. The smart card computes Zx = D_{H(BIOx)}(Ox), PWx* = Zx ⊕ H(BIOx), Mx = h(PWx*||H(BIOx))·P = (Px, Py) and r0 = Qx ⊕ h(IDx||h(Py)), and checks PWx* = PWx ⊕ r0, aborting if the check fails. Otherwise the smart card asks for a new password PWxnew, computes Zx' = Zx ⊕ PWx ⊕ PWxnew (that is, PWxnew ⊕ r0 ⊕ H(BIOx)) and Oxnew = E_{H(BIOx)}(Zx'), and replaces Ox with Oxnew. Since Nx is encrypted under Px and Qx is masked with h(Py), both derived from the old PWx*, the smart card must also recompute Mx from the new PWxnew* = PWxnew ⊕ r0, re-encrypt h(IDx||s) under the new Px and recompute Qx with the new Py; otherwise subsequent logins cannot recover Nx* and r0.

Fig. 6 Proposed password change phase

Proposed password recovery phase

In the proposed scheme the user does not need to interact with CMS for password recovery; as shown in Fig. 7, the recovery is carried out by the smart card alone. The phase is run if a user forgets his password. Ux inserts the smart card, submits IDx and scans his biometrics BIOx. The smart card computes (PWx* ⊕ H(BIOx)) = D_{H(BIOx)}(Ox), PWx* = (PWx* ⊕ H(BIOx)) ⊕ H(BIOx), Mx = h(PWx*||H(BIOx))·P = (Px, Py), r0 = Qx ⊕ h(IDx||h(Py)) and PWx = r0 ⊕ PWx*. Finally, the smart card displays PWx on the output screen.

Fig. 7 Proposed password recovery phase

Security analysis

This section elaborates the security of the proposed scheme under the common threat model described in Section "Adversarial model". The following subsections show that the proposed scheme provides all the required security features and is secure against the known attacks.

Mutual authentication

The proposed scheme provides mutual authentication between the patient Ux and the physician server PSy with the help of CMS. During the login and authentication phases, CMS authenticates Ux if L4 = h(Nx||IDx||L2||Txo). Here Nx and L2 are secret values that are never sent over the public channel. Only a valid user Ux who knows the password and possesses the smart card can compute these values, and computing them also requires Ux to imprint the correct biometrics BIOx. CMS then computes G2 using the shared key Xy and sends it to PSy, so only the legitimate PSy can decrypt G2 to obtain G1. PSy then sends H3 = E_L2x(H1, H2, G1) to Ux. The valid G1 and the encryption key L2x can only be computed by the legitimate PSy. Therefore, PSy and Ux authenticate each other.

Patient anonymity and untraceability

During the authentication phase the patient Ux sends the dynamic identity L3 = IDx ⊕ h(L2) instead of his identity IDx. This dynamic identity is computed afresh in each session. Therefore, the proposed scheme provides patient anonymity and untraceability.

Replay and modification attacks

The proposed scheme uses freshly generated timestamps for login and authentication. Furthermore, in each message the fresh timestamp is sent in plain text and is also embedded in a protected value. Therefore, if an adversary replays an old message it will not pass the freshness test, and if the adversary attaches a new timestamp to an old message it will not pass the next verification, where the proposed scheme checks the embedded timestamp.

Impersonation attack

During the authentication phase of the proposed scheme an attacker A needs to compute a valid {L1, L3, L4} tuple. A can select a random number ra and compute L1' = ra·P, L2' = ra·Pub and L3' = IDx ⊕ h(L2'). However, to compute L4 = h(Nx*||IDx||L2'||Txo) he has to obtain Nx*, which can only be extracted from the smart card if he possesses Ux's biometrics BIOx. Hence A cannot impersonate a valid user Ux. Similarly, to impersonate CMS, A needs CMS's private key s, and to impersonate PSy he needs the shared secret key Xy between CMS and PSy. Therefore, the proposed scheme resists patient and server impersonation attacks.

Privileged insider & stolen verifier attacks

To register with CMS, the patient Ux sends PWx* = PWx ⊕ r0 and H(BIOx). Hence no insider can learn the password PWx. Moreover, CMS does not store a verifier; authentication is performed using CMS's own private key s. Therefore, insider and stolen verifier attacks are not feasible against the proposed scheme.

Man-in-the-middle attack

A can mount a man-in-the-middle attack only if he can pass the authentication tests of both the servers and Ux. As described in Section "Mutual authentication", A can pass the tests of CMS and PSy only if he possesses the patient's password, smart card and biometrics. Similarly, to pass the test at Ux he needs CMS's private key s. Therefore, the proposed scheme resists man-in-the-middle attacks.

Offline password guessing attack

In the proposed scheme, Ux's smart card contains a single password-related parameter, Ox = E_{H(BIOx)}(PWx* ⊕ H(BIOx)). Even if this parameter is revealed to the adversary and he tries to guess the password and biometrics together, he has no other parameter against which to check the correctness of his guess. Likewise, no public message contains any information related to the patient's password. Hence an offline password guessing attack is not viable against the proposed scheme.

Perfect forward secrecy

In the proposed scheme the session key SK = r1r2P is built from temporary, session-specific parameters from both the patient and the physician server. Therefore, even if a session key, or the patient's password together with CMS's private key s, is compromised, previous session keys are unaffected. Hence the proposed scheme provides perfect forward secrecy.

Fig. 8 Declarations
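The two login requests contrasted above, the forgery of steps UI1–UI5 against Amin et al.'s scheme and the card-bound Nx* of the proposed step PLP1, as an added Python illustration that is not part of the paper: it shows that Amin et al.'s Nx can be opened from the card contents and the public IDx alone, so CMS accepts the attacker's L4, while the proposed card yields the right Nx* only when the biometric (and, for the card's own check, the password) is supplied. The choice of secp256k1 for the paper's unspecified curve, SHA-256 for h/H, the toy keystream cipher standing in for Ek/Dk, the byte serialisation of points, and the sample identities, secrets and timestamp are all assumptions made for the demonstration (Python 3.8+ for the modular inverse).

```python
"""Added example, not the paper's code: the stolen-smart-card forgery of
Amin et al.'s login request (steps UI1-UI5) beside the proposed card, whose
Nx* only comes out with the biometric (and the password for the card check).
Assumptions: secp256k1 for the paper's unspecified curve, SHA-256 for h/H,
a toy keystream cipher for E_k/D_k (demo only, not an AEAD), and constructed
32-byte identities/secrets so XOR is well defined. Only the L1..L4 request
that CMS verifies is modelled; the PSy leg and the timestamp window are not."""
import hashlib, os

P_MOD = 2**256 - 2**32 - 977                    # secp256k1 field prime
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):                               # affine addition; None = point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None
    if A == B: lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def ec_mul(k, A):                               # k.A by double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def h(*parts): return hashlib.sha256(b"|".join(parts)).digest()    # h(a||b||...)
def scalar(d): return int.from_bytes(d, "big") % N_ORDER or 1      # bytes -> Zq*
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def pt(p): return p[0].to_bytes(32, "big") + p[1].to_bytes(32, "big")
def px(p): return p[0].to_bytes(32, "big")                         # x-coordinate used as key
def E(key, m): return xor(m, hashlib.sha256(b"ks|" + key).digest())  # toy E_k; D_k = E_k
D = E

s = scalar(os.urandom(32)); S_BYTES = s.to_bytes(32, "big"); Pub = ec_mul(s, G)  # s, Pub = s.P
ID_x, TID_x = h(b"patient-42"), h(b"pseudonym-0001")                # constructed identities
PW_x, BIO_x = h(b"hunter2"), h(b"fingerprint-template")             # constructed secrets
T_xo = b"2016-09-05T10:00:00Z"                                      # constructed timestamp
AMIN_VERIFIER = {}                                                  # CMS table {TIDx: (IDx, PWx*)}

def amin_register(ID, PW):
    """Amin et al. steps AR1-AR3: Mx = IDx.P, so the key protecting Nx is public data."""
    r0 = os.urandom(32); PW_star = xor(PW, r0)
    Px, Py = ec_mul(scalar(ID), G)
    AMIN_VERIFIER[TID_x] = (ID, PW_star)
    return {"Ox": h(ID, PW_star), "Nx": E(px((Px, Py)), h(ID, S_BYTES)),
            "TIDx": TID_x, "Qx": xor(r0, h(ID, h(Py.to_bytes(32, "big"))))}

def amin_forge_request(ID, card):
    """Step UI1: every input is the public IDx or a value read off the stolen card."""
    Nx_star = D(px(ec_mul(scalar(ID), G)), card["Nx"])              # = h(IDx||s)
    ra = scalar(os.urandom(32))
    L1, L2 = ec_mul(ra, G), ec_mul(ra, Pub)
    return L1, xor(card["TIDx"], h(pt(L2))), h(Nx_star, ID, pt(L2), T_xo), T_xo

def amin_cms_verify(L1, L3, L4, T):
    """Steps UI3-UI5: CMS recomputes L2 = s.L1, looks up TIDx and checks L4."""
    L2 = ec_mul(s, L1)
    entry = AMIN_VERIFIER.get(xor(L3, h(pt(L2))))
    return entry is not None and h(h(entry[0], S_BYTES), entry[0], pt(L2), T) == L4

def prop_register(ID, PW, BIO):
    """Proposed steps PR2-PR4: Mx = h(PWx*||H(BIOx)).P, so Px needs the user's secrets."""
    r0 = os.urandom(32); PW_star = xor(PW, r0); HB = h(BIO)
    Px, Py = ec_mul(scalar(h(PW_star, HB)), G)
    return {"Ox": E(HB, xor(PW_star, HB)), "Nx": E(px((Px, Py)), h(ID, S_BYTES)),
            "Qx": xor(r0, h(ID, h(Py.to_bytes(32, "big"))))}

def prop_open_card(ID, PW, BIO, card):
    """Step PLP1 in dependency order: Ox -> PWx* -> Mx -> r0 -> password check -> Nx*."""
    HB = h(BIO); PW_star = xor(D(HB, card["Ox"]), HB)
    Px, Py = ec_mul(scalar(h(PW_star, HB)), G)
    r0 = xor(card["Qx"], h(ID, h(Py.to_bytes(32, "big"))))
    if PW_star != xor(PW, r0): return None                          # card rejects the user
    return D(px((Px, Py)), card["Nx"])                              # Nx* = h(IDx||s)

def prop_request(ID, Nx_star):                                      # steps PLP3-PLP4
    ra = scalar(os.urandom(32))
    L1,  L2 = ec_mul(ra, G), ec_mul(ra, Pub)
    return L1, xor(ID, h(pt(L2))), h(Nx_star, ID, pt(L2), T_xo), T_xo

def prop_cms_verify(L1, L3, L4, T, registered):                     # steps PAP1-PAP2
    L2 = ec_mul(s, L1); ID = xor(L3, h(pt(L2)))
    return ID in registered and h(h(ID, S_BYTES), ID, pt(L2), T) == L4

def demo():
    """Returns (Amin forgery accepted, proposed legit login accepted, proposed forgery accepted)."""
    amin_forged = amin_cms_verify(*amin_forge_request(ID_x, amin_register(ID_x, PW_x)))
    card = prop_register(ID_x, PW_x, BIO_x)
    legit = prop_cms_verify(*prop_request(ID_x, prop_open_card(ID_x, PW_x, BIO_x, card)), {ID_x})
    # Attacker holding the card and IDx but a guessed biometric: he skips the card's own
    # check, but the wrong H(BIOx) gives the wrong PWx*, the wrong Px and so a wrong Nx*.
    HB = h(b"guessed-template"); PW_guess = xor(D(HB, card["Ox"]), HB)
    Nx_guess = D(px(ec_mul(scalar(h(PW_guess, HB)), G)), card["Nx"])
    forged = prop_cms_verify(*prop_request(ID_x, Nx_guess), {ID_x})
    return amin_forged, legit, forged
```

Running demo() returns (True, True, False): the forged Amin et al. request passes CMS's L4 check because Nx* was opened with a key computed from IDx alone, the legitimate proposed login passes, and the proposed-scheme forgery fails at CMS. The attacker never needs PWx in the Amin et al. case because the password only gates the card's local Ox comparison, which he can simply skip.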

Fig. 9 Processes


Verification through ProVerif

An automated security verification of the proposed scheme using the well-known verification tool ProVerif [26] is performed here. ProVerif is designed on the principles of the applied π calculus and is a popular tool for verifying properties including secrecy, authentication and correctness [27]. ProVerif has been used for the automated security validation of several protocols [26, 28, 29]. It can model almost all cryptographic primitives, including symmetric/asymmetric encryption and decryption, MAC/hash functions and signatures. In this section the steps shown in Figs. 4 and 5 and explained in Section "Proposed scheme" are simulated in ProVerif. A ProVerif model mainly consists of three fragments: (i) the declarations, (ii) the processes and (iii) the main process. The declaration fragment declares the cryptographic primitives, the related variables/constants and the private/public channels; it is shown in Fig. 8, where all primitives are modelled as in the proposed scheme. The process fragment defines the processes/sub-processes. As illustrated in Fig. 9, it contains three processes, UserUx, CMS and PhysicianServerPSy, modelling the patient, the CMS server and the physician server respectively. The main fragment contains the start and end events for each participating entity (patient, CMS and physician) and runs the three processes in parallel. It also contains four queries that check session key secrecy and the correctness of the proposed scheme; this fragment is illustrated in Fig. 10. The simulation results are as follows:

1. RESULT inj-event(endPhysicianServerPSy(id)) ==> inj-event(beginPhysicianServerPSy(id)) is true.
2. RESULT inj-event(endCMS(id_2677)) ==> inj-event(beginCMS(id_2677)) is true.

Fig. 10 Main


3. RESULT inj-event(endUserUx(id_5833)) ==> inj-event(beginUserUx(id_5833)) is true.
4. RESULT not attacker(SK[]) is true.

Results (1-3) verify that all three processes (i.e. patient, physician server and central management server) are successfully initiated and finished, and thereby also verify the correctness of the scheme, while (4) corroborates that an attack on SK (the session key) is not successful.
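The three-fragment layout described above, written out as an added ProVerif example that is not the paper's Fig. 8-10 script: a declaration fragment, two of the three processes (UserUx and PhysicianServerPSy; the CMS process is left out), and a main fragment with begin/end events and the same shapes of correspondence and secrecy query the paper reports. The exchange it models is a simplified two-party authenticated ECDH under an assumed pre-shared key Kps, not the paper's message flow from Figs. 4 and 5, and every name in it is this example's own.

```proverif
(* ---- Declarations: primitives, channels, events ---- *)
free ch: channel.                        (* public channel; Dolev-Yao attacker *)
type point.  type scalar.  type key.
const P: point.                          (* EC base point *)
free SK: bitstring [private].            (* marker secret, sent under the session key *)
free Kps: key [private].                 (* assumed pre-shared key between Ux and PSy *)
fun mult(scalar, point): point.          (* scalar multiplication r.P *)
equation forall r1: scalar, r2: scalar; mult(r1, mult(r2, P)) = mult(r2, mult(r1, P)).
fun h(bitstring): bitstring.             (* one-way hash *)
fun p2b(point): bitstring [data, typeConverter].
fun k2b(key): bitstring [data, typeConverter].
fun senc(bitstring, point): bitstring.   (* symmetric encryption keyed by r1.r2.P *)
reduc forall m: bitstring, k: point; sdec(senc(m, k), k) = m.
event beginUserUx(bitstring).             event endUserUx(bitstring).
event beginPhysicianServerPSy(bitstring). event endPhysicianServerPSy(bitstring).

(* ---- Processes: one per modelled participant ---- *)
let UserUx(id: bitstring) =
  event beginUserUx(id);
  new r1: scalar; let R1 = mult(r1, P) in
  out(ch, (id, R1, h((id, p2b(R1), k2b(Kps)))));
  in(ch, (R2: point, tag2: bitstring));
  if tag2 = h((id, p2b(R2), p2b(R1), k2b(Kps))) then
  let sk = mult(r1, R2) in               (* SK = r1.r2.P, as in the paper *)
  out(ch, senc(SK, sk));
  event endUserUx(id).

let PhysicianServerPSy(id: bitstring) =
  event beginPhysicianServerPSy(id);
  in(ch, (=id, R1: point, tag1: bitstring));
  if tag1 = h((id, p2b(R1), k2b(Kps))) then
  new r2: scalar; let R2 = mult(r2, P) in
  out(ch, (R2, h((id, p2b(R2), p2b(R1), k2b(Kps)))));
  let sk = mult(r2, R1) in
  out(ch, senc(SK, sk));
  event endPhysicianServerPSy(id).

(* ---- Main: correspondence and secrecy queries, parallel execution ---- *)
query id: bitstring; inj-event(endPhysicianServerPSy(id)) ==> inj-event(beginPhysicianServerPSy(id)).
query id: bitstring; inj-event(endUserUx(id)) ==> inj-event(beginUserUx(id)).
query attacker(SK).                      (* expected: RESULT not attacker(SK[]) is true *)
process
  new id: bitstring; out(ch, id);
  ( (!UserUx(id)) | (!PhysicianServerPSy(id)) )
```

Because each begin event is placed at the start of its own process, the correspondence queries succeed by construction; only the secrecy query says anything about the attacker, which is why the paper's result (4) carries the weight of the verification.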

Performance and security comparisons

As mentioned in Section "Motivations and contributions", the proposed scheme is designed for a multi-server architecture, where the user (patient) is able to communicate and exchange his/her medical information with his/her doctor directly. Furthermore, for any cryptographic scheme the most important issue is its security, i.e. its ability to withstand security attacks at a reasonable computation and communication cost. Therefore, to analyze and evaluate the performance of the proposed scheme, in this section we measure the computation and communication costs of the login and authentication phase of the proposed scheme and then compare the resultant costs with the corresponding costs of those authentication schemes which are based on elliptic curves and can be used in a multi-server architecture, i.e. the schemes in [8, 11, 30–32]. For evaluation purposes the following time complexities are used:

– Tha: time required for executing a one-way hash function.
– Teds: time required for executing a symmetric key encryption/decryption.
– Tmec: time required for executing an elliptic curve scalar point multiplication.


Table 2 Login and authentication phase computation cost comparison

Schemes                Computation Cost          Execution Time    Communication Cost
He and Wang [8]        9Tmec + 12Tha             ≈ 20.0616 ms      2720 bits
Yoon and Yoo [32]      4Tmec + 10Tha             ≈ 8.9270 ms       1856 bits
Kim et al. [31]        4Tmec + 10Tha             ≈ 8.9270 ms       1856 bits
Kalra and Sood [30]    12Tmec + 3Tha             ≈ 26.7189 ms      1728 bits
Amin et al. [11]       11Tmec + 17Tha + 4Teds    ≈ 24.5435 ms      2048 bits
Proposed               7Tmec + 13Tha + 6Teds     ≈ 15.6395 ms      1664 bits

The experimental results in [33] are used here. In [33] the authors performed the experiment on the Ubuntu operating system using the PBC library on a system with 2048 MB of RAM and a 2.20 GHz Dual CPU E2200. Given the above system specifications, the computation time of each cryptographic operation is as follows: Tha ≈ 0.0023 ms, Teds ≈ 0.0046 ms and Tmec ≈ 2.226 ms. The concatenation (∥) and XOR (⊕) operations are not considered in the comparison table, because their computation cost is negligible compared with the other operations. From Table 2 it is evident that the computation cost of the proposed scheme is less than that of the schemes in [8, 11, 30]; the other schemes [31, 32] have a lower computation cost, but they are not suitable for the given multi-server architecture due to their security weaknesses. Therefore, our scheme is more efficient than the others when computation cost and security are considered together. A communication cost comparison of the proposed scheme and the schemes in [8, 11, 30–32] is also presented in Table 2. For the purpose of evaluating communication cost, the length of an elliptic curve point and of a hash output are assumed to be 160 bits each, while the lengths of a user identity and a timestamp are taken as 32 bits each. It is evident from Table 2 that the proposed scheme is better than all the competing schemes [8, 11, 30–32] in terms of communication cost.

Conclusion

In this study, a new authentication scheme is proposed for a multiserver TMIS architecture. The proposed scheme uses elliptic curve cryptography and a smart card to establish session key agreement, and enables the user (patient) to communicate and exchange his/her medical information with his/her doctor securely over an insecure communication channel. A comprehensive analysis of the proposed scheme has been conducted to elaborate its security under the common threat model, and the security correctness of the scheme is proved using the automated formal tool ProVerif. Our proposed scheme is found to be perfectly resistant against all known attacks. Furthermore, the scheme offers session key agreement, mutual authentication, efficient password change, efficient password recovery, patient anonymity and perfect forward secrecy. The performance evaluation shows that our scheme is more efficient in terms of computation and communication costs than the existing schemes. Perfect security, enhanced efficiency and the lightweight nature of the proposed scheme make it suitable for practical applications.

Acknowledgments

The authors extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16). This work was supported by an Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. B0713-15-0007, Development of International Standards Smart Medical Security Platform focused on the Field Considering Life Cycle of Medical Information).

References

1. Alizadeh, M., Zamani, M., Baharun, S., Manaf, A. A., Sakurai, K., Anada, H., Keshavarz, H., Chaudhry, S. A., and Khan, M. K., Cryptanalysis and improvement of a secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks. PLoS ONE 10(11):e0142716, 2015.
2. Mir, O., and Nikooghadam, M., A secure biometrics based authentication with key agreement scheme in telemedicine networks for e-health services.
3. He, D., Kumar, N., Chen, J., Lee, C.-C., Chilamkurti, N., and Yeo, S.-S., Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed. Syst. 21(1):49–60, 2013.
4. Maitra, T., Obaidat, M. S., Islam, S. H., Giri, D., and Amin, R., Security analysis and design of an efficient ECC-based two-factor password authentication scheme. Secur. Commun. Netw., 2016. doi:10.1002/sec.1596.
5. Wang, D., and Wang, P., On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions. Comput. Netw. 73:41–57, 2014.
6. Wang, D., He, D., Wang, P., and Chu, C., Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Depend. Secur. Comput. 99:1–1, 2014. doi:10.1109/TDSC.2014.2355850.
7. He, D., Zeadally, S., Kumar, N., and Lee, J. H., Anonymous authentication for wireless body area networks with provable security. IEEE Syst. J. 99:1–12, 2016. doi:10.1109/JSYST.2016.2544805.
8. He, D., and Wang, D., Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst. J. 9(3):816–823, 2015. doi:10.1109/JSYST.2014.2301517.
9. Farash, M. S., Ahmadian-Attari, M., and Bayat, M., A certificateless multiple-key agreement protocol based on bilinear pairings. IACR Cryptol. ePrint Arch. 2012:393, 2012.
10. Farash, M. S., Attari, M. A., Atani, R. E., and Jami, M., A new efficient authenticated multiple-key exchange protocol from bilinear pairings. Comput. Electr. Eng. 39(2):530–541, 2013.
11. Amin, R., Islam, S. H., Biswas, G., Khan, M. K., and Kumar, N., An efficient and practical smart card based anonymity preserving user authentication scheme for TMIS using elliptic curve cryptography. J. Med. Syst. 39(11):1–18, 2015.
12. Alizadeh, M., Baharun, S., Zamani, M., Khodadadi, T., Darvishi, M., Gholizadeh, S., and Ahmadi, H., Anonymity and untraceability assessment of authentication protocols in proxy mobile IPv6. Jurnal Teknologi 72(5).
13. He, D., Kumar, N., and Chilamkurti, N., A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci.
14. Arshad, H., and Nikooghadam, M., An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC. Multimed. Tools Appl. 1–17, 2014.
15. He, D., Kumar, N., Shen, H., and Lee, J.-H., One-to-many authentication for access control in mobile pay-TV systems. Sci. China Inf. Sci. 1–14, 2015.
16. He, D., Zeadally, S., and Wu, L., Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Syst. J. 99:1–10, 2015. doi:10.1109/JSYST.2015.2428620.
17. Jin, A. T. B., Ling, D. N. C., and Goh, A., Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recog. 37(11):2245–2255, 2004.
18. Lumini, A., and Nanni, L., An improved biohashing for human authentication. Pattern Recog. 40(3):1057–1065, 2007.
19. Leng, L., Teoh, A. B. J., Li, M., and Khan, M. K., A remote cancelable palmprint authentication protocol based on multidirectional two-dimensional palmphasor-fusion. Secur. Commun. Netw. 7(11):1860–1871, 2014.
20. Leng, L., and Teoh, A. B. J., Alignment-free row-co-occurrence cancelable palmprint fuzzy vault. Pattern Recog. 48(7):2290–2303, 2015.
21. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., and Shalmani, M., On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In: Wagner, D. (Ed.) Advances in Cryptology, CRYPTO 2008, Vol. 5157 of Lecture Notes in Computer Science, pp. 203–220. Berlin: Springer, 2008. doi:10.1007/978-3-540-85174-5_12.
22. Dolev, D., and Yao, A. C., On the security of public key protocols. IEEE Trans. Inform. Theory 29(2):198–208, 1983. doi:10.1109/TIT.1983.1056650.
23. Cao, X., and Zhong, S., Breaking a remote user authentication scheme for multi-server architecture. IEEE Commun. Lett. 10(8):580–581, 2006. doi:10.1109/LCOMM.2006.1665116.
24. Messerges, T. S., Dabbish, E. A., and Sloan, R. H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
25. Kocher, P., Jaffe, J., and Jun, B., Differential power analysis. In: Advances in Cryptology, CRYPTO '99, pp. 388–397. Springer, 1999.
26. Xie, Q., A new authenticated key agreement for session initiation protocol. Int. J. Commun. Syst. 25(1):47–54, 2012.
27. Xie, Q., Hu, B., Dong, N., and Wong, D. S., Anonymous three-party password-authenticated key exchange scheme for telecare medical information systems. PLoS ONE 9(7):e102747, 2014.
28. Wu, F., Xu, L., Kumari, S., and Li, X., An improved and provably secure three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw. Appl. 1–20, 2016.
29. Chaudhry, S. A., Farash, M. S., Naqvi, H., Kumari, S., and Khan, M. K., An enhanced privacy preserving remote user authentication scheme with provable security. Secur. Commun. Netw. 1–13, 2015. doi:10.1002/sec.1299.
30. Kalra, S., and Sood, S., Advanced remote user authentication protocol for multi-server architecture based on ECC. J. Inf. Secur. Appl. 18(2):98–107, 2013.
31. Kim, H., Jeon, W., Lee, K., Lee, Y., and Won, D., Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. In: Computational Science and Its Applications – ICCSA 2012, pp. 391–406. Springer, 2012.
32. Yoon, E.-J., and Yoo, K.-Y., Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J. Supercomput. 63(1):235–255, 2013.
33. Kilinc, H. H., and Yanik, T., A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 16(2):1005–1023, 2014.