Multimed Tools Appl DOI 10.1007/s11042-016-3921-1

A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme

Azeem Irshad 1, Muhammad Sher 1, Omer Nawaz 2, Shehzad Ashraf Chaudhry 1, Imran Khan 1, Saru Kumari 3

Received: 8 March 2016 / Revised: 13 July 2016 / Accepted: 30 August 2016
© Springer Science+Business Media New York 2016

Abstract

The security of Telecare Medicine Information Systems (TMIS) is crucial for the reliable delivery of medical services to patients at distant locations. Security and privacy must be guaranteed before any physician or caregiver can make an appropriate diagnosis, prescribe treatment, or exchange other critical information. In this connection, many TMIS-based authentication schemes have been presented; however, various forms of attacks and inefficiencies render these schemes inapplicable in a practical scenario. Lately, Amin et al. proposed a multi-server authentication scheme for TMIS. However, the Amin et al. scheme has been found vulnerable to user and server impersonation attacks. We propose an improved model with higher performance and efficiency, as is evident from the following sections. Besides, the scheme is backed by a formal security analysis using BAN logic to ensure the resilience of the proposed scheme.

Keywords: Remote authentication . Biometrics . TMIS Security . Attack . BAN logic . Cryptanalysis

1 Department of Computer Science and Software Engineering, International Islamic University, Islamabad, Pakistan
2 Blekinge Institute of Technology Sweden, Valhallavägen, Sweden
3 Chaudhary Charan Singh University, Meerut 250004 Uttar Pradesh, India

1 Introduction

Sound human health has become increasingly correlated with strengthening Telecare Medicine Information Systems (TMIS) [6, 7] in the current era, and the credit for this growth can be attributed to the modern-day internet. Distant patients need to communicate possibly sensitive medical information with their physicians on a frequent basis using internet-based TMIS, and the internet is considered an insecure channel because of the presence of adversaries. Therefore, research on security properties like authentication, privacy, confidentiality and untraceability constantly claims academic focus, particularly for TMIS-based data communication. In this connection, the session key needs to be formally established using the protocol and mutually authenticated between the legal participants, so that both entities may encrypt their subsequent communication using the agreed session key. Besides establishing the session key, the further objectives of our contribution can be outlined as follows.

1. The authentication protocol needs to be as efficient as possible and able to accommodate low-end computation devices while meeting a minimum security threshold.
2. The login phase should be robust enough to validate the user before initiating a login request towards the server.
3. Needless to say, the scheme must be secure against all known attacks such as impersonation attacks, offline password and identity guessing attacks, and attacks that violate perfect forward secrecy and known-key secrecy.
4. The scheme needs to provide an efficient password update mechanism for the user without involving the server side.

1.1 A brief literature survey

Lately, some endeavors can be seen to make TMIS secure in such a manner that a patient can access the medical server reliably over the internet. In this connection, many smart-card-based authentication schemes [2, 6, 7, 9, 13, 14, 22, 30, 35, 36, 42, 43, 46, 48, 49, 51–57, 59] have been proposed in the literature. Those schemes employ several crypto-primitives such as hash functions and symmetric key cryptosystems [4, 8], the RSA cryptosystem [13], chaotic maps [19, 37, 43], elliptic curve cryptography (ECC) [3, 20, 21, 26, 40, 50], ElGamal [38] and bilinear pairing [18]. Nevertheless, many of those schemes have been found prone to attacks by subsequent schemes. For TMIS, Wu et al. presented an early scheme in 2010 [52], at low computational cost. However, He et al. [14] found that [52] was subject to impersonation and insider attacks, and also presented an improved scheme. Afterwards, Wei et al. [51] proved that the Wu et al. and He et al. schemes failed to achieve two-factor authentication, and suggested an improved version. Subsequently, Zhu [59] proved the Wei et al. scheme vulnerable to an offline password guessing attack, with the introduction of an improved model for TMIS. Later, Lee and Liu [28] showed that [59] is susceptible to a parallel session attack, and presented a revised scheme for TMIS. Then, Chen et al. [9] put forward a dynamic-ID based key agreement scheme for TMIS. Lin [36] and Xie et al. [55] challenged the scheme [9] due to its vulnerability to password guessing attacks and anonymity threats, each contributing an improved protocol for TMIS. Thereafter, Cao and Zhai [2] found that the scheme [36] is susceptible to the same password and identity guessing attacks, and also presented an improved TMIS scheme. Afterwards, a biometric-based TMIS scheme was demonstrated by Tan et al. [48], whose drawbacks were soon exposed by Yan et al. [57]. Yan et al. then presented an improved scheme; however, their scheme [57] was found weak by Mishra et al. [42] for vulnerabilities like lack of anonymity, password guessing attack, and inefficient login and password modification phases. Thereafter, Mishra et al. [43] presented another scheme after finding the Jiang et al. [22] scheme subject to weaknesses like denial of service attack and a flawed password modification phase. Likewise, Li et al. [30] indicated that the Lee et al. scheme [29] is insecure for lacking anonymity and for service misuse by non-registered users. Li et al. also presented an updated protocol recently, which was again found vulnerable to impersonation and anonymity attacks by Wang et al. Later, Xu and Wu [56] demonstrated that the Xie et al. scheme [54] does not resist a de-synchronization attack, and also presented an improved protocol. Then, Shen et al. [47] presented a multi-server authentication protocol, which however could not provide anonymity. Recently, Amin et al. introduced a multi-server authentication scheme [1], where a patient can directly seek the services of caregivers or doctors, in a novel way, without engaging the registration centre during the mutual authentication phase. However, the scheme has been found vulnerable to an offline password guessing attack and to impersonation attacks from both ends (user and server). The current study reviews the Amin et al. scheme [1] along with its cryptanalysis. Finally we present an improved model with the corresponding security analysis. Additionally, the scheme is backed by a BAN logic-based security analysis.

1.2 TMIS architecture

The TMIS architecture is presented in Fig. 1, which depicts that a patient may directly contact and communicate with one or many doctors or caregivers. Various entities are involved in the functioning of the TMIS system: the patient (Ui), the Central Medical Server (CMS), and the Physician Server SPj, where j indexes the jth physician server. A doctor administers the services of a physician server. The CMS provides registration services to patients and issues smart cards to those patients. At the same time it also registers the doctors in the form of physician servers. Whenever Ui wants to consult a physician, it inserts its smart card into the reader along with the required parameters for sending a login request towards SPj, and avails itself of the service upon successful mutual authentication.

1.3 Motivation for further work

Most of the TMIS-based schemes that provide services to patients are single-server schemes. In those single-server authentication schemes, a patient needs to register with all physician servers individually in order to seek their services, which incurs high overhead for both patients and physician servers. This calls for a new multi-server TMIS architecture that provides authenticated key agreement in an efficient manner, on the part of the patient and server alike. In this connection, a few schemes have been presented so far, however with security loopholes. Recently, Amin et al. presented a novel multi-server authentication scheme for TMIS; however, it has been found prone to password-guessing and impersonation attacks. Our intent, in this study, is to propose an efficient multi-server authentication scheme based on the TMIS architecture.

Fig. 1 TMIS architecture

1.4 Organization of the paper

As for the organization of this study, Section 2 describes the preliminary concepts used in the paper. Section 3 relates to the review and cryptanalysis of the Amin et al. scheme. Section 4 describes the proposed model. Sections 5 and 6 present the security analysis, formal security analysis and performance analysis. The last section concludes the findings.

2 Preliminaries

This section briefly describes the hash function and elliptic curve cryptography.

2.1 Hash function

In order to ensure security, a one-way hash function h: {0, 1}* → Zq* must satisfy these four properties:

1. The hash function h takes a message of arbitrary length as input and generates a fixed-length message digest.
2. Given n = h(m), it is a hard problem to compute h^-1(n) = m.
3. Given m, it is infeasible to find m' such that m' ≠ m but h(m') = h(m).
4. Moreover, it is computationally infeasible to find any pair m, m' such that m' ≠ m but h(m') = h(m).

2.2 Elliptic curve essentials

Here, we define E/Fq to be the set of points over a prime field Fq on the following nonsingular elliptic curve [3, 26, 40]:

y² mod q = (x³ + ax + b) mod q    (1)

where a, b, x, y ∈ Fq and (4a³ + 27b²) mod q ≠ 0. We call a point P(x, y) an elliptic curve point if it satisfies Eq. (1), while Q(x, -y) is the negative of P (i.e. Q = -P). Let P(x1, y1) and Q(x2, y2) be two points on Eq. (1); the line l through P and Q (the tangent to the curve at P when P = Q) meets the curve of Eq. (1) at a third point -R(x3, -y3), and its reflection with respect to the x-axis is R(x3, y3), that is, P + Q = R. The set of points E/Fq, together with the point at infinity O, constitutes an additive cyclic elliptic curve group Gq = {(x, y) : x, y ∈ Fq and (x, y) ∈ E/Fq} ∪ {O}. Scalar point multiplication on Gq is defined as v.P = P + P + … + P (v times), while a point P ∈ Gq is of order n if n is the smallest positive integer such that n.P = O.

2.3 Fuzzy extractor

A fuzzy extractor transforms the input biometric data into a uniformly random string acting as a biometric key. To make the biometric data noise-tolerant, fuzzy extractors are used to generate uniformly random biometric keys, and using those keys the authenticity of a source entity can be duly verified. By use of a fuzzy extractor, a uniformly random string Ri can be reconstructed each time from the combination of a noisy biometric input Bi and a helper string Pi. The fuzzy extractor requires two functions for its operation, i.e. Gen and Rep. The function Gen, a probabilistic generation procedure, takes the biometric data Bi as input and outputs a binary string Ri ∈ {0, 1}^l and a helper binary string Pi ∈ {0, 1}*. The parameter Ri remains a secret string, while Pi is made public. For the recovery of Ri, a deterministic reproduction procedure Rep is used to reconstruct Ri with the help of the biometric input Bi* and the helper string Pi. As for correctness, if dis(Bi, Bi*) ≤ t and Gen(Bi) → (Ri, Pi), then Rep(Bi*, Pi) → Ri, where dis is a distance function and t is the error threshold. Hence, the error-tolerant function recovers the uniformly random string Ri from the inputs Pi and Bi*, as long as the distance of Bi* from the original input Bi remains sufficiently small. For more details on fuzzy extractors, references [10, 11] can be further explored.
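Gen and Rep as described above, as an added example (illustrative code written for this page, not the construction of references [10, 11] or anything from the paper): a code-offset fuzzy extractor over a repetition code, with SHA-256 standing in for the strong extractor and a constructed 80-bit template standing in for Bi. A reading with dis(Bi, Bi*) ≤ t = 2 reproduces Ri, while three flips inside one block exceed what the code corrects and Rep returns a different string.

```python
import hashlib
import secrets

# Code-offset construction (assumed here, not the paper's own): a random
# codeword c of an error-correcting code is XORed with the biometric to give
# the public helper string Pi = Bi XOR c, and the secret Ri is derived from c.
# A repetition code (each information bit repeated BLOCK times, decoded by
# majority vote) keeps the decoder obvious; SHA-256 in extract_key stands in
# for the strong randomness extractor of a real fuzzy extractor.
BLOCK = 5                        # repetitions per information bit
INFO_BITS = 16                   # information bits per codeword
BIO_LEN = BLOCK * INFO_BITS      # length of a biometric template Bi, in bits
T_THRESHOLD = (BLOCK - 1) // 2   # errors always corrected, wherever they fall

def encode(info_bits):
    """Repetition-code encoder: each bit is repeated BLOCK times."""
    return [b for b in info_bits for _ in range(BLOCK)]

def decode(noisy_codeword):
    """Majority-vote decoder; corrects up to T_THRESHOLD flips per block."""
    info = []
    for start in range(0, len(noisy_codeword), BLOCK):
        block = noisy_codeword[start:start + BLOCK]
        info.append(1 if 2 * sum(block) > BLOCK else 0)
    return info

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def dis(a, b):
    """Hamming distance, the dis() function of Sect. 2.3."""
    return sum(xor_bits(a, b))

def extract_key(codeword):
    """Ri derived from the codeword c, returned as a hex digest."""
    return hashlib.sha256(bytes(codeword)).hexdigest()

def gen(b_i):
    """Gen(Bi) -> (Ri, Pi): probabilistic, fresh randomness on every call."""
    assert len(b_i) == BIO_LEN
    codeword = encode([secrets.randbits(1) for _ in range(INFO_BITS)])
    p_i = xor_bits(b_i, codeword)            # public helper string Pi
    return extract_key(codeword), p_i

def rep(b_star, p_i):
    """Rep(Bi*, Pi) -> Ri: deterministic; equals Gen's Ri iff decoding succeeds."""
    noisy = xor_bits(b_star, p_i)            # = c XOR (Bi XOR Bi*)
    return extract_key(encode(decode(noisy)))

def flip(bits, positions):
    """Copy of bits with the given positions toggled (a noisy reading Bi*)."""
    out = list(bits)
    for pos in positions:
        out[pos] ^= 1
    return out

# Constructed biometric template: a fixed 80-bit pattern standing in for Bi.
BIO_TEMPLATE = [1 if i % 3 else 0 for i in range(BIO_LEN)]

if __name__ == "__main__":
    r_i, p_i = gen(BIO_TEMPLATE)
    near = flip(BIO_TEMPLATE, [0, 7])        # two flips, dis <= t
    far = flip(BIO_TEMPLATE, [0, 1, 2])      # three flips in one block
    print("dis =", dis(BIO_TEMPLATE, near), "recovered:", rep(near, p_i) == r_i)
    print("dis =", dis(BIO_TEMPLATE, far), "recovered:", rep(far, p_i) == r_i)
```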

3 Working and cryptanalysis of Amin et al. scheme

Amin et al. [1] introduced a multi-server authentication scheme, where a patient can directly benefit from the services of caregivers or doctors, in a novel way, without engaging the registration centre during the mutual authentication phase. However, the scheme has been found vulnerable to an offline password guessing attack and to impersonation attacks from both ends (user and server). The working and cryptanalysis of the Amin et al. scheme are illustrated below.

3.1 Working of Amin et al. scheme

The Amin et al. scheme [1] consists of two phases, the Registration phase and the Login & Authentication phase, shown in Figs. 2 and 3. The scheme makes use of the notations listed in Table 1. The Amin et al. scheme comprises three participants, i.e., User Ui, Physician Server PSj, and Central Medical Server CMS. Ui gets registered with the CMS over a secure channel, and then avails itself of the medical services through PSj by performing the login and authentication procedure. The registration, and login and authentication phases of Amin et al. are described below.

3.1.1 The registration phase

In this phase Ui gets registered with the Central Medical Server (CMS) as shown in Fig. 2. It performs the following steps with the CMS for registration:

1. Ui selects IDi, PWi, and generates a random number r. It then computes TPWi = PWi ⊕ r and sends {IDi, TPWi} to the CMS for registration.
2. The CMS then computes Ki = IDi . P = (Px, Py), Li = h(IDi || TPWi), Mi = EPx(h(IDi || s)), stores (Li, Mi, TIDi, h(), Ek / Dk) in a smart card and sends it to Ui.
3. Ui, upon receiving the smart card, computes Ni = r ⊕ h(IDi || h(Py)) and finally stores Ni in the same SC.

Fig. 2 Registration and login phase of Amin et al. scheme

Fig. 3 Amin et al. model authentication phase

3.1.2 The login and authentication phase

1. In the login phase Ui gets authenticated access to PSj through the CMS as shown in Fig. 2. For this purpose Ui inputs its IDi*, PWi*. Then the smart card computes Ki = IDi* . P = (Px, Py), r = Ni ⊕ h(IDi* ⊕ h(Py)), TPWi = PWi* ⊕ r, Li* = h(IDi* || TPWi), and checks the equality (Li* = Li). If true, it generates a random number a and computes A1 = a . P, A2 = a . Pub. Then it decrypts Mi and gets Mi* = h(IDi || s). Then it further computes A3 = TIDi ⊕ h(A2), A4 = h(Mi* || IDi || A2 || TS1). Finally, it sends the message < IDPSj, A1, A3, A4, TS1 > towards the CMS for verification.
2. In the authentication phase, the CMS initially generates the timestamp TS2 and checks the inequality (TS2 - TS1) ≤ ΔT against the threshold. If true, it computes A2 = s . A1, TIDi = A3 ⊕ h(A2). It aborts the session if the computed TIDi is not found in the database, otherwise it recovers IDi from TIDi. Then it computes Mi = h(IDi || s), A4* = h(Mi || IDi || A2 || TS1), and compares (A4* ?= A4). If true, it further computes B2 = h(IDi || IDPSj || s), B3 = Xj . P = (XP, YP), B4 = h(TS || Mi), B5 = IDi ⊕ h(B4 . P), B6 = h(IDPSj || IDi || B4 || TS3 || YP), and B7 = EXP(B2, B4, B5). Finally, it sends the message < B6, B7, A1, TS3 > to PSj for verification as shown in Fig. 3.
3. PSj, upon receiving the message from the CMS, generates the timestamp TS4 and checks (TS4 - TS3) ≤ ΔT against the threshold. On positive verification, it computes B3 = Xj . P = (XP, YP), (B2, B4, B5) = DXP(B7), IDi* = B5 ⊕ h(B4 . P), B6* = h(IDPSj || IDi* || B4 || TS3 || YP). Next, it checks the equality (B6* ?= B6). If true, it generates b ∈R Zq*. Next, it further computes SKj = b . A1 = a.b.P, C1 = b . P, C2 = h(B2 || C1 || A1 || TS5), and C3 = EPx(C1, C2, B2). Finally, it sends the message < C3, TS5 > to Ui for verification.
4. Next, Ui generates the timestamp TS6 and checks the difference against the threshold ΔT as (TS6 - TS5) ≤ ΔT. If true, it decrypts C3, gets (C1, C2, B2), and computes C2* = h(B2 || C1 || A1 || TS5). Then it compares (C2* ?= C2). If true, it computes SKu = a . C1 = abP and SKV = h("111" || SKu). Finally, it sends the message < SKV > to PSj for further verification.
5. PSj, upon receiving the < SKV > message, computes SKV* = h("111" || SKj) and checks the equality (SKV* = SKV). If true, it accepts the generated session key as valid; otherwise, it aborts the session.

Table 1 Notations description

Notation            Description
Ui, IDi, PWi, Bi    ith User, Ui's identity, password, and biometric identity
PSj, IDPSj          Physician Server, PSj's identity
CMS                 Central Medical Server
s                   CMS master key
a, b                Random numbers generated
Xj                  Pre-shared secret between CMS and PSj
SKuj / SKju         Established session key between Ui and PSj
Ek(.) / Dk(.)       Symmetric encryption and decryption
TS1–TS6             Timestamps
h(.)                Hash function
?=, ≠               Equality comparison, inequality
⊕, ||               XOR, Concatenation

3.2 Cryptanalysis of the Amin et al. scheme

The Amin et al. scheme has been found vulnerable to password guessing and impersonation attacks [31–34], subject to the exposure of smart card contents accidentally or deliberately.

3.2.1 Password guessing attack

An adversary Ⱥ may launch a password guessing attack on Amin et al. if it somehow manages to get the SC information, accidentally or deliberately, by using differential power analysis [27, 39]. The smart card bears the parameters (Ni, Li, Mi, TIDi, h(), Ek / Dk). Ⱥ might get the user's IDi accidentally and launch the password guessing attack by adopting the following steps.

1. Ⱥ, after having come to know IDi, computes Ki* = IDi* . P = (Px*, Py*).
2. Next, it computes r = Ni ⊕ h(IDi || h(Py*)).
3. Then, the attacker selects a password PWi* and checks the following equality:

Li ?= h(IDi || PWi* ⊕ r)    (1)

4. In this way, it tries all possible PWi* until equation (1) becomes true.

3.2.2 Impersonation attack

Impersonation attacks on Amin et al. can be initiated in two ways by an adversary Ⱥ, i.e., a user impersonation attack and a server impersonation attack. An adversary may impersonate a user towards the CMS subject to having the smart card contents {Ni, Li, Mi, TIDi, h(), Ek(.)/Dk(.)}. Additionally, it may impersonate PSj towards the user Ui as well, in case Ⱥ steals the user's ID. These two attacks are illustrated below:

a) User impersonation attack

An adversary may get the SC contents not only by stealing the smart card physically, but also by analyzing the SC contents through power analysis. Ⱥ could generate a fake message < IDPSj, A1, A3, A4, TS1 > by adopting the following procedure:

1. Ⱥ, after having come to know IDi, computes Ki* = IDi* . P = (Px*, Py*).
2. Next, it decrypts Mi using Px*, i.e., h(IDi || s) = DPx*(Mi).
3. Then, the adversary generates a random number a and computes A1' = a . P and A2 = a . Pub.
4. Next, having the knowledge of TIDi and Mi, Ⱥ computes A3 = TIDi ⊕ h(A2) and A4 = h(h(IDi || s) || IDi || A2 || TS1).
5. In this manner, the adversary may launch a successful impersonation attack by constructing and sending the < IDPSj, A1', A3, A4, TS1 > message towards the CMS.

b) Server impersonation attack (PSj)

An adversary may get the user's IDi and generate IDi . P = (Px, Py); it may then construct the message < C3, TS5 > and send it towards Ui to initiate the server impersonation attack by adopting the following steps.

1. Assume Ⱥ obtains the A1 parameter by listening to the insecure channel between the user Ui and the CMS.
2. Using Ui's messages from earlier sessions, Ⱥ obtains B2 by decrypting any message C3 = EPx(C1, C2, B2) using Px.
3. Next, it creates C1 = b . P by generating a random number b.
4. Then, it computes C2 = h(B2 || C1 || A1 || TS5) for the current session against Ui's new login request.
5. Finally, it generates the message < C3, TS5 > with a fresh timestamp.
6. Hence, Ⱥ may launch a successful server impersonation attack against the user.

4 Proposed model

The proposed scheme, like Amin et al., comprises three participants, i.e., User Ui, Physician Server PSj, and Central Medical Server CMS. Ui gets registered with the CMS using a secure channel, and then seeks the medical services through PSj by performing mutual authentication in the login and authentication phase. This section comprises the registration phase, the login and authentication phase, and the password modification phase. The details for the respective phases are given below.

4.1 The registration phase

In this phase Ui gets registered with the Central Medical Server (CMS) as shown in Fig. 4. It performs the following steps with the CMS for registration:

1. Ui selects IDi, PWi, and generates a random number r. It then imprints Bi and computes Gen(Bi) → (Ri, Pi), TPWi = h(PWi || Ri) ⊕ r, and sends {IDi, TPWi} to the CMS for registration.
2. The CMS then computes Ki = IDi . P = (Px, Py), Li = h(IDi || TPWi), Oi = EPx(h(IDi || s)), Mi = TPWi ⊕ Oi, stores (Li, Mi, TIDi, h(), Ek / Dk) in a smart card and sends it to Ui.
3. Ui, upon receiving the smart card, computes Ni = r ⊕ h(IDi || h(Py)) and finally stores Ni and Pi in the same SC.

After the issuance of the smart card, the CMS maintains Ui's information in a credential table whose record for Ui bears three parameters. These records enable the CMS to locate the IDi of a user on the basis of the sent TIDi.

Fig. 4 Proposed model registration and login phase

4.2 The login and authentication phase

1. In the login phase Ui gets authenticated access to PSj through the CMS as shown in Fig. 4. For this purpose Ui inputs its IDi*, PWi*, imprints Bi* and computes Rep(Bi*, Pi) → Ri. Then the smart card computes Ki = IDi* . P = (Px, Py), r = Ni ⊕ h(IDi* ⊕ h(Py)), TPWi' = h(PWi* || Ri) ⊕ r, Li* = h(IDi* || TPWi'), and checks the equality (Li* ?= Li). If true, it generates a random number a and computes A1 = a . P, A2 = a . Pub, A3 = TIDi ⊕ h(A2). Next, it computes Oi = TPWi ⊕ Mi and decrypts Oi, i.e., h(IDi || s) = DPx(Oi). Then it further computes A4 = h(h(IDi || s) || IDi || A2 || TS1). Finally, it sends the message < IDPSj, A1, A3, A4, TS1 > towards the CMS for verification.
2. The CMS initially generates the timestamp TS2 and checks the inequality (TS2 - TS1) ≤ ΔT against the threshold. If true, it computes A2 = s . A1, TIDi = A3 ⊕ h(A2). It aborts the session if the computed TIDi is not found in the database, otherwise it recovers IDi from TIDi. Then it computes h(IDi || s), A4* = h(h(IDi || s) || IDi || A2 || TS1), and compares (A4* ?= A4). If true, it further computes Gi = h(IDi || IDPSj || s), B2 = (Gi || TPWi || TS1) ⊕ TPWi, B3 = Xj . P = (XP, YP), B4 = h(TS3 || Mi), B5 = IDi ⊕ h(B4 . P), B6 = h(IDPSj || IDi || B4 || TS3 || YP), and B7 = EXP(B2, B4, B5, Gi). Finally, it sends the message < B6, B7, A1, TS3 > to PSj for verification as shown in Fig. 5.
3. PSj, upon receiving the message from the CMS, generates the timestamp TS4 and checks (TS4 - TS3) ≤ ΔT against the threshold. On positive verification, it computes B3 = Xj . P = (XP, YP), (B2, B4, B5, Gi) = DXP(B7), IDi* = B5 ⊕ h(B4 . P), B6* = h(IDPSj || IDi* || B4 || TS3 || YP). Next, it checks the equality (B6* ?= B6). If true, it generates b ∈R Zq*. Next, it further computes SKj = b . A1 = a.b.P, SKju = h(SKj || IDi), C1 = b . P, C2 = h(SKju || Gi || C1 || A1 || TS5), and C3 = EPx(C1, C2, B2). Finally, it sends the message < C3, TS5 > to Ui for verification.
4. Next, Ui generates the timestamp TS6 and checks the difference against the threshold ΔT as (TS6 - TS5) ≤ ΔT. If true, it decrypts C3, gets (C1, C2, B2), and computes (Gi || TPWi || TS1') = B2 ⊕ TPWi, SKu = a . C1 = abP, SKuj = h(SKu || IDi), C2* = h(SKuj || Gi || C1 || A1 || TS5). Then it checks (C2* == C2) AND (TS1' == TS1); if both hold, it verifies the CMS and PSj as valid entities and confirms the shared session key SKuj = h(SKu || IDi), otherwise it aborts the session.
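The point arithmetic of Sect. 2.2 and the smart card's local Li check from Sects. 4.1 and 4.2, as an added example (illustrative code written for this page, not the paper's): a toy curve y² = x³ + x + 1 over F23 with base point P = (3, 10) of order 28 stands in for a cryptographic curve, SHA-256 truncated to 128 bits stands in for h(), Ri is taken as the key Rep already returned, and only Li and Ni are modelled (Oi, Mi, TIDi and EPx are left out). It shows that rebuilding Li needs IDi, PWi and Ri together, which is the property Proposition 2 relies on.

```python
import hashlib
import secrets

# Toy curve y^2 = x^3 + a*x + b over F_q (Eq. 1). q = 23, a = b = 1 gives a
# group of 28 points, all generated by P = (3, 10). A real deployment uses a
# standard curve; this small one is an assumption of the example so that every
# value can be checked by hand.
Q_MOD, A_COEF, B_COEF = 23, 1, 1
P_BASE = (3, 10)
ORDER_N = 28          # smallest n with n.P = O for this base point
INF = None            # the point at infinity O

def is_on_curve(pt):
    """True when pt satisfies Eq. (1); O counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % Q_MOD == 0

def neg(pt):
    """-P: the reflection of P across the x-axis."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % Q_MOD)

def add(p1, p2):
    """Chord-and-tangent group law: P + Q = R as described in Sect. 2.2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q_MOD == 0:
        return INF                      # P + (-P) = O; also 2P when y = 0
    if p1 == p2:                        # tangent line: doubling
        lam = (3 * x1 * x1 + A_COEF) * pow((2 * y1) % Q_MOD, -1, Q_MOD)
    else:                               # chord through two distinct points
        lam = (y2 - y1) * pow((x2 - x1) % Q_MOD, -1, Q_MOD)
    lam %= Q_MOD
    x3 = (lam * lam - x1 - x2) % Q_MOD
    y3 = (lam * (x1 - x3) - y1) % Q_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """v.P = P + P + ... + P (v times), computed by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def h(*parts):
    """h() over the concatenation of its integer arguments; SHA-256 truncated
    to 128 bits so that the XOR masks below stay 128 bits wide."""
    data = b"".join(int(p).to_bytes(32, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def k_i(id_i):
    """Ki = IDi . P; the scalar is reduced into 1..27 so that Ki is never O."""
    return scalar_mult(id_i % (ORDER_N - 1) + 1, P_BASE)

def register(id_i, pw_i, r_i):
    """Registration phase (Sect. 4.1) reduced to what the Li check needs;
    r_i stands for Ri, the key Gen(Bi) produced from the biometric."""
    r = secrets.randbits(128)                 # user's random number r
    tpw_i = h(pw_i, r_i) ^ r                  # TPWi = h(PWi || Ri) XOR r
    _, py = k_i(id_i)                         # (Px, Py) = IDi . P at the CMS
    l_i = h(id_i, tpw_i)                      # Li = h(IDi || TPWi), on the SC
    n_i = r ^ h(id_i, h(py))                  # Ni = r XOR h(IDi || h(Py))
    return {"Li": l_i, "Ni": n_i}

def card_login_check(card, id_star, pw_star, r_star):
    """Smart card step of the login phase (Sect. 4.2, step 1): recover r from
    Ni, rebuild TPWi' and Li*, and accept only when Li* equals the stored Li."""
    _, py = k_i(id_star)
    r = card["Ni"] ^ h(id_star, h(py))        # same expression as at registration
    tpw_star = h(pw_star, r_star) ^ r         # TPWi' = h(PWi* || Ri) XOR r
    return h(id_star, tpw_star) == card["Li"]

if __name__ == "__main__":
    # Constructed demo values: identity and password as integers, Ri as a
    # fixed 128-bit biometric key.
    R_I = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0
    card = register(1234, 5678, R_I)
    print("2P =", scalar_mult(2, P_BASE), " 28P =", scalar_mult(28, P_BASE))
    print("correct factors:", card_login_check(card, 1234, 5678, R_I))
    print("wrong Ri:", card_login_check(card, 1234, 5678, R_I ^ 1))
```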

Fig. 5 Proposed model authentication phase

4.3 Password modification phase

Ui changes its password into a new password PWinew by invoking the following procedure.

1. Ui inserts its smart card into the device and inputs its identity IDi*, password PWi*, and also imprints its biometric identity Bi* into the sensor device as shown in Fig. 6. The device computes Rep(Bi*, Pi) → Ri. Next, the smart card computes Ki = IDi* . P = (Px, Py), r = Ni ⊕ h(IDi* ⊕ h(Py)), TPWi* = h(PWi* || Ri) ⊕ r, Li* = h(IDi* || TPWi*). If (Li* ≠ Li), the session is aborted as shown in Fig. 6.
2. Otherwise, the user inputs the new password PWinew. Next the SC computes TPWinew = h(PWinew || Ri) ⊕ r, Linew = h(IDi || TPWinew), and replaces Li with Linew.
3. Next, the SC computes Oi = TPWi* ⊕ Mi, decrypts Oi, and gets h(IDi || s). Further, it computes Qi = h(IDi || s) ⊕ TPWinew and sends the message < Qi, TIDi > to the CMS for verification and for updating the database.
4. The CMS extracts IDi from TIDi and computes h(IDi || s). Then it computes TPWinew = h(IDi || s) ⊕ Qi.
5. Finally, it replaces the stored TPWi with TPWinew in the database.

5 Security analysis

The security analysis of the proposed protocol is presented below.

Proposition 1 The proposed authentication scheme is robust against replay attacks.

Proof. Replay attacks can be initiated by an attacker by replaying the original message parameters to impersonate a legal participant. An adversary Ⱥ may intercept the parameters of the messages exchanged between the legal participants on the insecure channel, and might try to replay a message to deceive the participants. However, the proposed scheme employs timestamps in the exchanged messages A4, B6, and C2 to avoid replay attacks. The adversary Ⱥ is not able to construct like messages (A4, B6, and C2) bearing fresh timestamps (TS1, TS3, TS5) due to its inability to obtain the user's h(IDi || s) or h(IDi || IDPSj || s) parameters. Hence, the proposed scheme thwarts a replay attack comfortably.

Proposition 2 The proposed authentication scheme is robust against password guessing attacks.

Proof. An adversary Ⱥ may try to obtain Ui's password PWi either on the basis of acquired smart card contents (Li, Mi, TIDi, h(), Ek()/Dk()) or by intercepting the public messages and accessing the parameters < IDPSj, A1, A3, A4, TS1, B6, B7, A1, TS3, C3, TS5 > after observing the insecure channel. However, Ⱥ cannot recover PWi from the public messages, since PWi is not used in any function of the publicly exchanged messages. Besides, unlike Amin et al., the SC parameters Li, Mi and TIDi do not contribute to the extraction of Ui's password PWi either. The calculation of PWi from Li = h(IDi || TPWi) and Mi = TPWi ⊕ Oi requires knowledge of the Bi parameter. Even if the IDi or r secrets are disclosed in some manner, the construction of TPWi, i.e., TPWi = h(PWi || Ri) ⊕ r, requires the Ri parameter, and in turn the biometric Bi, to be known in advance. Meanwhile, the Oi parameter can never be derived without TPWi, which proves that the password PWi cannot be guessed from either the intercepted public messages or the acquired SC contents.

Proposition 3 The proposed authentication scheme provides anonymity and untraceability to the user Ui.

Proof. Anonymous authentication schemes [5, 12, 15] authenticate the user Ui to PSj without exposing the user's identity IDi in the public messages. Alternatively, Ⱥ cannot tell the identity of the communicating participants by utilizing publicly open message parameters, or associate any exchanged message with a particular identity. In the proposed model, Ui sends its identity IDi in the message A4 = h(h(IDi || s) || IDi || A2 || TS1), which the CMS recovers by locating it against TIDi in its database. Hence, Ⱥ has no way of finding the true user's identity, at least from the exchange of messages in the protocol. Untraceability, meanwhile, refers to the user's protection from location disclosure following the exchange of messages among the participants in the authentication protocol. This feature ensures that an attacker will not be able to distinguish the user's location by detecting identical messages among different sessions of the same user at different periods of time. The messages exchanged between the participants, bearing the < IDPSj, A1, A3, A4, TS1, B6, B7, A1, TS3, C3, TS5 > parameters, do not carry anything in common across various sessions among the same entities. Alternatively, these parameters change each time a new session is established among the participants. This ensures the untraceability of the user's location. Hence, the proposed scheme provides anonymity and resistance against trace attacks to the legal participants.

Proposition 4 The proposed authentication scheme is secure against the user/patient impersonation attack.

Proof. A malicious adversary Ⱥ may try to impersonate a patient towards the CMS or PSj. If Ⱥ tries to construct the message < IDPSj, A1, A3, A4, TS1 >, it needs to obtain the patient-specific h(IDi || s) parameter for constructing a valid A4 = h(h(IDi || s) || IDi || A2 || TS1) message with a fresh timestamp. However, access to the h(IDi || s) parameter requires knowledge of the smart card contents and of the Bi parameter as well, since the calculation of PWi from Li = h(IDi || TPWi) and Mi = TPWi ⊕ Oi requires knowledge of the Ri or Bi parameter. Even if the IDi or r secrets are disclosed in some manner, the construction of TPWi, i.e., TPWi = h(PWi || Ri) ⊕ r, requires the Ri parameter to be known in advance. At the same time, the Oi parameter cannot be derived without TPWi. Hence, the proposed authentication scheme is secure against the patient impersonation attack.

Fig. 6 Password modification procedure of proposed scheme

Proposition 5 The proposed authentication scheme is secure against the CMS impersonation attack. Proof. A malicious adversary may try to impersonate as CMS towards PSj by trying to construct < B6, B7, A1, TS3 >. However, to an adversary disappointment, the CMS already shares the secret Xj with SPj. Hence, these entities, whenever communicate or exchange messages to each other, will compute B3 = Xj . P = (XP, YP) and encrypt or decrypt the messages with Xp. The encrypted message B7 could not be constructed by Ⱥ as its construction is dependent on the creation of B4 = h (TS3 || Mi ). At the same time, B4 needs to be generated with a fresh timestamp, and might not be possible for Ⱥ on account of not having the XP parameter. Proposition 6 The proposed authentication scheme stands secure against the Physical Server impersonation attack. Proof. An adversary Ⱥ may try to impersonate as PSj by trying to construct < C3, TS5>. If the user’s IDi gets stolen, Ⱥ may decrypt and recover B2 then using the calculated point Px. Then, it may, onwards compute C2 easily on the basis of B2, and in turn constructs C3. However, unlike Amin et al., in proposed scheme the adversary cannot construct C2 = h (SKuj ||Gi || C1 || A1 || TS5) for not having access to Gi, or the decryption key XP. On receiving any engineered message on the part of adversary, the Ui first checks the timestamp freshness. Then, it decrypts C3 out of XP symmetric key. Then, Gi can only be recovered by a valid user using its TPWi. After that, Ui computes C2* and checks the equation (C2* == C2) AND (TS1’ == TS1), if true, then confirms CMS and PSj as legal participants. Hence, the proposed scheme is warranted to be secure against PSj impersonation attack. Proposition 7 The proposed authentication scheme stands secure against the smart card stolen attack. Proof. A malicious adversary Ⱥ may access the smart card, its contents i.e. {Li, Mi, TIDi} and intercept the public messages. 
Nevertheless, Proposition 2 demonstrates the infeasibility for Ⱥ of guessing the password in polynomial time, due to the lack of knowledge of Bi or Ri, in case the SC gets stolen. Based on this fact, we can safely deduce that the stolen SC neither allows the adversary to initiate a login request nor to extract any parameters responsible for mutual authentication among the legitimate participants. Hence, the proposed authentication scheme is secure against the stolen SC attack.

Proposition 8 The proposed authentication scheme provides known-key secrecy.

Proof. Known-key security means that the previous session keys of the involved participants remain secure once the current session key has been compromised. If the current session key SKuj/SKju = h(abP || IDi) between the participants gets exposed to the adversary, it does not help the latter in determining past or future session keys, since Ⱥ cannot construct those session keys without the knowledge of the secret a or b belonging to the particular session. Recovering a or b from aP or bP is infeasible due to the hardness of the ECDLP, and computing abP from aP and bP alone is the CDHP. Hence, the proposed scheme provides known-key secrecy.

Proposition 9 The proposed scheme provides mutual authentication to the participants.

Proof. Mutual authentication means that both entities authenticate


each other in the same authentication protocol. In the proposed protocol, both participants mutually authenticate each other on the basis of the equality checks (C2* ?= C2) and (TS1' ?= TS1) on the part of the user, and (B6* ?= B6) on the part of the server. If any of these equality checks fails, mutual authentication cannot take place. Hence, the proposed scheme provides mutual authentication to the intended participants based on the successful equality checks.

Proposition 10 The proposed scheme provides a secure password modification phase.

Proof. The password can be modified by the user only after the PWi and biometric parameters provided to the smart card have been verified, as shown in Fig. 3. For verification, the smart card computes the TPWi* and Li* parameters and checks the equality (Li* ?= Li); only a successful match allows the user to proceed with modifying the password. Hence, no adversary may update the password without employing the PWi and Ri parameters, which are only available to a legitimate user. Hence, the proposed scheme provides a secure technique for password modification.

Proposition 11 The proposed scheme provides resistance to the session-specific temporary information attack.

Proof. In this attack, an adversary may construct the corresponding session key if the user's session-specific variables are exposed. However, in the proposed scheme an adversary cannot access C1 without compromising the user's IDi or accessing Px. Thus, even if the user's session-specific variable a gets exposed, the adversary cannot access C1 and IDi and therefore cannot construct a valid session key SKuj. Hence, the proposed scheme is immune to the session-specific temporary information attack.
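As an added example (not code from the paper), the following Python sketch implements the smart-card-side password verification that Propositions 7 and 10 rely on, using the page's formulas TPWi = h(PWi || Ri) ⊕ r, Li = h(IDi || TPWi) and Mi = TPWi ⊕ Oi, and shows why a stolen card does not allow offline password guessing without the biometric-derived Ri. Assumptions of this example: SHA-256 stands in for h(·) (the page's cost model uses a 160-bit SHA-1 digest, but the construction is hash-agnostic), Oi is treated as an opaque 32-byte server value, r is assumed to be kept on the card so that TPWi can be recomputed, and all identifiers and sample values are constructed.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) of the page; SHA-256 is this example's assumption."""
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def register(ID_i: bytes, PW_i: bytes, R_i: bytes, O_i: bytes, r=None) -> dict:
    """Card personalisation with the page's formulas:
    TPW_i = h(PW_i || R_i) XOR r,  L_i = h(ID_i || TPW_i),  M_i = TPW_i XOR O_i.
    R_i is the biometric-derived key; O_i is an opaque 32-byte server value (assumption)."""
    r = r if r is not None else secrets.token_bytes(32)
    TPW_i = xor(h(PW_i, R_i), r)
    # Assumption: r is kept on the card so that TPW_i can be recomputed at login.
    return {"L_i": h(ID_i, TPW_i), "M_i": xor(TPW_i, O_i), "r": r}


def card_verify(card: dict, ID_i: bytes, PW_i: bytes, R_i: bytes) -> bool:
    """Local check of Proposition 10: recompute TPW_i* and L_i*, accept iff L_i* == L_i."""
    TPW_star = xor(h(PW_i, R_i), card["r"])
    return hmac.compare_digest(h(ID_i, TPW_star), card["L_i"])


def change_password(card: dict, ID_i: bytes, PW_old: bytes, R_i: bytes, PW_new: bytes) -> dict:
    """Password modification phase: allowed only after card_verify succeeds.
    O_i is recovered as M_i XOR TPW_i and re-masked under the new TPW_i."""
    if not card_verify(card, ID_i, PW_old, R_i):
        raise PermissionError("password/biometric verification failed; card unchanged")
    TPW_old = xor(h(PW_old, R_i), card["r"])
    O_i = xor(card["M_i"], TPW_old)
    TPW_new = xor(h(PW_new, R_i), card["r"])
    return {"L_i": h(ID_i, TPW_new), "M_i": xor(TPW_new, O_i), "r": card["r"]}


def offline_guess(card: dict, ID_i: bytes, candidates, R_i_guess: bytes):
    """Stolen-card attacker (Proposition 7): holds L_i, M_i, r and even ID_i and
    tests every password candidate under a guessed R_i. Returns the matching
    password, or None when no candidate verifies under that R_i, which is the
    case whenever R_i_guess is not the genuine biometric key."""
    for pw in candidates:
        if card_verify(card, ID_i, pw, R_i_guess):
            return pw
    return None


if __name__ == "__main__":
    # Constructed sample values (not from the paper).
    ID_i, PW_i = b"patient-42", b"correct horse battery"
    R_i, O_i = bytes(range(32)), bytes([7] * 32)
    card = register(ID_i, PW_i, R_i, O_i)
    words = [b"123456", b"password", PW_i, b"qwerty"]
    print("guess with genuine R_i :", offline_guess(card, ID_i, words, R_i))
    print("guess without R_i      :", offline_guess(card, ID_i, words, bytes(32)))
```

The attacker's dictionary contains the correct password, yet the card check can only confirm it together with the genuine Ri, which is exactly the binding the propositions argue for; the password change keeps Oi intact because Mi is re-masked rather than recomputed.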

6 Formal security analysis

This section covers the formal security analysis of the proposed protocol under Burrows-Abadi-Needham (BAN) logic [43]. This model analyzes security in terms of mutual authentication, key distribution and the strength against session key disclosure. Some notions used in BAN logic are described as follows.

Principals are the agents that participate in the interaction of a protocol.
Keys are meant to be used for symmetric message encryption.
Nonces are the parts of a message that do not repeat in a protocol.

The notations used in the BAN security analysis are given as follows:

$P \mid\equiv X$ : The principal P believes X, or alternatively, P believes the statement X.
$P \triangleleft X$ : P sees X; P receives some message X and may read or repeat it in any message.
$P \mid\sim X$ : P once said X; earlier in time P sent some message X, and P believed that message when it was sent.
$P \Rightarrow X$ : P has jurisdiction over X; P has authority over X and can be trusted on it.
$\sharp(X)$ : The message X may be treated as fresh.
$(X, Y)$ : X or Y is part of the message (X, Y).
$\langle X \rangle_Y$ : The formula X is combined with the formula Y.
$\{X, Y\}_K$ : X or Y is encrypted with the key K.
$(X, Y)_K$ : X or Y is hashed with the key K.
$P \xleftrightarrow{K} Q$ : P and Q can communicate with the shared key K.

Some rules or logical postulates used in BAN logic are given as follows:

Rule 1 Message meaning rule: $\dfrac{P \mid\equiv P \xleftrightarrow{K} Q,\; P \triangleleft \langle X \rangle_K}{P \mid\equiv Q \mid\sim X}$. If P believes that it shares the key K with Q, and also sees the message $\langle X \rangle_K$, then P can rightly believe that Q once said the message X.

Rule 2 Nonce verification rule: $\dfrac{P \mid\equiv \sharp(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. If P believes the message X to be fresh, and also believes that Q once said X, then P believes that Q also believes X.

Rule 3 Jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. If P believes that Q has jurisdiction or authority over X, and also believes that Q believes X, then P also believes the message X.

Rule 4 Freshness conjuncatenation rule: $\dfrac{P \mid\equiv \sharp(X)}{P \mid\equiv \sharp(X, Y)}$. If P believes that X is fresh, then it also believes the freshness of (X, Y).

Rule 5 Belief rule: $\dfrac{P \mid\equiv X,\; P \mid\equiv Y}{P \mid\equiv (X, Y)}$. If P believes the messages X and Y individually, then the statement $P \mid\equiv (X, Y)$ carries the same meaning.

Rule 6 Session key rule: $\dfrac{P \mid\equiv \sharp(X),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \xleftrightarrow{K} Q}$. If P believes the freshness of X, and also believes that Q believes X, then P can rightly believe that K is the key shared between P and Q.

The proposed protocol needs to satisfy the following goals to ensure its security under BAN logic, using the above assumptions and postulates.

Goal 1: $PS_j \mid\equiv PS_j \xleftrightarrow{SK_{ju}} U_i$
Goal 2: $PS_j \mid\equiv U_i \mid\equiv PS_j \xleftrightarrow{SK_{ju}} U_i$
Goal 3: $U_i \mid\equiv PS_j \xleftrightarrow{SK_{uj}} U_i$
Goal 4: $U_i \mid\equiv PS_j \mid\equiv PS_j \xleftrightarrow{SK_{uj}} U_i$
Goal 5: $CMS \mid\equiv CMS \xleftrightarrow{ID_i, TID_i} U_i$
Goal 6: $CMS \mid\equiv U_i \mid\equiv CMS \xleftrightarrow{ID_i, TID_i} U_i$

Initially, the messages exchanged in the proposed protocol are transformed into the idealized form in the following manner.

$M_1: U_i \to CMS : \langle IDPS_j, A_1, A_3, A_4, TS_1 \rangle : \langle ID_i, A_2, TS_1 \rangle_{h(ID_i \,\|\, s)}$
$M_2: CMS \to PS_j : \langle B_6, B_7, A_1, TS_3 \rangle : \langle ID_i, B_2, B_4, B_5, G_i, TS_3 \rangle_{X_P}$
$M_3: PS_j \to U_i : \langle C_3, TS_5 \rangle : \langle B_2, G_i, C_1, A_1, TS_5 \rangle_{P_x}$

Secondly, the following premises have been established to prove the security of proposed protocol.


P1: $U_i \mid\equiv \sharp(a, TS_1)$
P2: $PS_j \mid\equiv \sharp(b, TS_5)$
P3: $CMS \mid\equiv \sharp(TS_3)$
P4: $U_i \mid\equiv U_i \xleftrightarrow{h(ID_i \,\|\, s)} CMS$
P5: $U_i \mid\equiv U_i \xleftrightarrow{G_i, P_x} PS_j$
P6: $PS_j \mid\equiv PS_j \xleftrightarrow{G_i, P_x} U_i$
P7: $PS_j \mid\equiv PS_j \xleftrightarrow{X_j} CMS$
P8: $CMS \mid\equiv CMS \xleftrightarrow{h(ID_i \,\|\, s)} U_i$
P9: $CMS \mid\equiv CMS \xleftrightarrow{X_j} PS_j$
P10: $U_i \mid\equiv PS_j \Rightarrow C_1$
P11: $PS_j \mid\equiv U_i \Rightarrow A_1$
P12: $CMS \mid\equiv U_i \Rightarrow A_1$
P13: $PS_j \mid\equiv CMS \Rightarrow G_i$

Thirdly, the idealized messages M1 to M3 of the proposed protocol are examined and verified in the light of the above postulates and premises.

Considering the first message of the idealized form:

$M_1: U_i \to CMS : \langle IDPS_j, A_1, A_3, A_4, TS_1 \rangle : \langle ID_i, A_2, TS_1 \rangle_{h(ID_i \,\|\, s)}$

By applying the seeing rule, we get

$D_1: CMS \triangleleft \langle IDPS_j, A_1, A_3, A_4, TS_1 \rangle : \langle ID_i, A_2, TS_1 \rangle_{h(ID_i \,\|\, s)}$

According to D1, P8 and the message meaning rule, we get

$D_2: CMS \mid\equiv U_i \mid\sim (ID_i, A_2, TS_1)$

According to D2, P1, the freshness conjuncatenation and nonce verification rules, we get

$D_3: CMS \mid\equiv U_i \mid\equiv (ID_i, A_2, TS_1)$

According to D3, P12 and the jurisdiction rule, we get

$D_4: CMS \mid\equiv (ID_i, A_2, TS_1)$

According to D4, P1 and the session key rule, we get

$D_5: CMS \mid\equiv U_i \mid\equiv CMS \xleftrightarrow{ID_i, TID_i} U_i$ (Goal 6)

According to D5, P1 and the jurisdiction rule, we get

$D_6: CMS \mid\equiv CMS \xleftrightarrow{ID_i, TID_i} U_i$ (Goal 5)

Considering the second message of the idealized form:

$M_2: CMS \to PS_j : \langle B_6, B_7, A_1, TS_3 \rangle : \langle ID_i, B_2, B_4, B_5, G_i, TS_3 \rangle_{X_P}$

By applying the seeing rule, we get

$D_7: PS_j \triangleleft \langle B_6, B_7, A_1, TS_3 \rangle : \langle ID_i, B_2, B_4, B_5, G_i, TS_3 \rangle_{X_P}$

According to D7, P7 and the message meaning rule, we get

$D_8: PS_j \mid\equiv CMS \mid\sim (ID_i, B_2, B_4, B_5, G_i, TS_3)$

According to D8, P3, the freshness conjuncatenation and nonce verification rules, we get

$D_9: PS_j \mid\equiv CMS \mid\equiv (ID_i, B_2, B_4, B_5, G_i, TS_3)$

According to D9, P13 and the jurisdiction rule, we get

$D_{10}: PS_j \mid\equiv (ID_i, B_2, B_4, B_5, G_i, TS_3)$

A1 is the necessary parameter for the session key creation between Ui and PSj, and D10 provides sufficient evidence for PSj to believe that only Ui has jurisdiction over A1. According to D6, D10, P1, P3, P11 and the session key rule, we get

$D_{11}: PS_j \mid\equiv U_i \mid\equiv PS_j \xleftrightarrow{SK_{ju}} U_i$ (Goal 2)

According to D11, P1, P3, P11 and the jurisdiction rule, we get

$D_{12}: PS_j \mid\equiv PS_j \xleftrightarrow{SK_{ju}} U_i$ (Goal 1)

Considering the third message of the idealized form:

$M_3: PS_j \to U_i : \langle C_3, TS_5 \rangle : \langle B_2, G_i, C_1, A_1, TS_5 \rangle_{P_x}$

By applying the seeing rule, we get

$D_{13}: U_i \triangleleft \langle C_3, TS_5 \rangle : \langle B_2, G_i, C_1, A_1, TS_5 \rangle_{P_x}$

According to D13, P5 and the message meaning rule, we get

$D_{14}: U_i \mid\equiv PS_j \mid\sim (B_2, G_i, C_1, A_1, TS_5)$

According to D14, P2, the freshness conjuncatenation and nonce verification rules, we get

$D_{15}: U_i \mid\equiv PS_j \mid\equiv (B_2, G_i, C_1, A_1, TS_5)$

According to D15, P10 and the jurisdiction rule, we get

$D_{16}: U_i \mid\equiv (B_2, G_i, C_1, A_1, TS_5)$

C1 is the necessary parameter for the session key creation between Ui and PSj, and D16 provides sufficient evidence for Ui to believe that only PSj has jurisdiction over C1.

Table 2 Comparison of security features

Security feature                                    [17]   [58]   [23]   [47]   [1]    Ours
Anonymity                                           No     Yes    No     No     Yes    Yes
Mutual authentication                               No     Yes    Yes    Yes    Yes    Yes
Resist insider attack                               No     Yes    Yes    Yes    Yes    Yes
Resist offline password guessing attack             Yes    No     Yes    Yes    No     Yes
Resist stolen smart card attack                     Yes    Yes    No     Yes    Yes    Yes
Resist masquerading attack                          No     No     No     Yes    No     Yes
Resist replay attack                                No     Yes    Yes    Yes    Yes    Yes
Successful password modification                    No     Yes    Yes    Yes    Yes    Yes
Perfect forward secrecy                             Yes    Yes    Yes    Yes    Yes    Yes
Resist session-specific temporary information attack Yes   Yes    Yes    No     Yes    Yes

[17]: He and Wang, [58]: Yoon and Yoo, [23]: Kalra and Sood, [47]: Shen, [1]: Amin et al., Ours: the proposed protocol

According to D10, D16, P2, P10 and the session key rule, we get

$D_{17}: U_i \mid\equiv PS_j \mid\equiv PS_j \xleftrightarrow{SK_{uj}} U_i$ (Goal 4)

According to D17, P2, P10 and the jurisdiction rule, we get

$D_{18}: U_i \mid\equiv PS_j \xleftrightarrow{SK_{uj}} U_i$ (Goal 3)

The above BAN logic analysis formally proves that the proposed protocol achieves mutual authentication and that the session key SKuj = SKju = h(abP || IDi) is mutually established between Ui and PSj.
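The session key derivation just concluded, together with the user-side check of Proposition 9 (C2* == C2 after a timestamp freshness check), as an added example that is not the paper's code. It uses the page's formulas SK = h(abP || IDi) and C2 = h(SKuj || Gi || C1 || A1 || TS5) over secp256k1 with a minimal pure-Python scalar multiplication, so both sides of the exchange can be run offline. Assumptions of this example: A1 = aP and C1 = bP are the two sides' ephemeral points, Gi is an opaque shared value, SHA-256 stands in for h(·), the curve and the freshness window ΔT are the example's own choices, and every sample value is constructed.

```python
import hashlib
import hmac
import secrets
import time

# secp256k1 domain parameters (public constants). The page only speaks of an
# elliptic curve point; the specific curve is this example's assumption.
P_MOD = 2**256 - 2**32 - 977
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P_GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
         0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p == -q
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, p):
    """Double-and-add scalar multiplication k.P (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc


def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h(*parts):
    """h(.) of the page; SHA-256 is this example's assumption."""
    return hashlib.sha256(b"||".join(parts)).digest()


def session_key(own_scalar, peer_point, ID_i):
    """SK = h(abP || ID_i): each side multiplies its own scalar into the peer's point."""
    return h(enc(ec_mul(own_scalar, peer_point)), ID_i)


def user_start():
    """U_i picks an ephemeral a and sends A1 = aP (assumed to be the ephemeral point)."""
    a = secrets.randbelow(N_ORD - 1) + 1
    return a, ec_mul(a, P_GEN)


def server_respond(ID_i, A1, G_i, TS5, b=None):
    """PS_j picks an ephemeral b, derives SK_ju and the authenticator
    C2 = h(SK || G_i || C1 || A1 || TS5) with C1 = bP (assumption)."""
    b = b if b is not None else secrets.randbelow(N_ORD - 1) + 1
    C1 = ec_mul(b, P_GEN)
    SK_ju = session_key(b, A1, ID_i)
    C2 = h(SK_ju, G_i, enc(C1), enc(A1), TS5)
    return SK_ju, C1, C2


def user_verify(ID_i, a, A1, G_i, C1, C2, TS5, now, window=5):
    """U_i's check: reject a stale TS5 first, then recompute C2* and compare in
    constant time. Returns SK_uj on success and None otherwise."""
    if abs(now - int(TS5)) > window:
        return None
    SK_uj = session_key(a, C1, ID_i)
    C2_star = h(SK_uj, G_i, enc(C1), enc(A1), TS5)
    return SK_uj if hmac.compare_digest(C2_star, C2) else None


if __name__ == "__main__":
    # Constructed sample run (values are not from the paper).
    ID_i, G_i = b"patient-42", b"G_i-shared-value-assumed"
    a, A1 = user_start()
    TS5 = str(int(time.time())).encode()
    SK_ju, C1, C2 = server_respond(ID_i, A1, G_i, TS5)
    SK_uj = user_verify(ID_i, a, A1, G_i, C1, C2, TS5, now=int(time.time()))
    print("keys agree:", SK_uj == SK_ju)
    print("replayed (stale) TS5 rejected:",
          user_verify(ID_i, a, A1, G_i, C1, C2, TS5, now=int(time.time()) + 60) is None)
```

Two details matter in practice: the freshness check runs before any scalar multiplication, so a replayed message is rejected cheaply, and a second run with a different b yields an unrelated key even though A1 and IDi are unchanged, which is the known-key property Proposition 8 argues for.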

Table 3 Computational cost for various multi-server authentication schemes

Phase            [17]           [58]          [23]          [47]           [1]                   Ours
Registration     2TM + 9TH      5TH           2TM + 2TH     1TM + 2TH      1TM + 3TH + 1TS       1TM + 4TH + 1TS
Login & Auth     5TM + 12TH     4TM + 10TH    12TM + 3TH    6TM + 18TH     11TM + 17TH + 4TS     11TM + 17TH + 4TS
Total            7TM + 21TH     4TM + 15TH    13TM + 5TH    7TM + 21TH     12TM + 19TH + 5TS     12TM + 21TH + 5TS
Execution time   15.62 ms       8.94 ms       28.9 ms       15.63 ms       26.8 ms               26.8 ms

[17]: He and Wang, [58]: Yoon and Yoo, [23]: Kalra and Sood, [47]: Shen, [1]: Amin et al., Ours: the proposed protocol; TH: hash, TM: elliptic curve scalar multiplication, TS: symmetric encryption

Table 4 Communicational cost (bits)

            [17]    [58]    [23]    [47]    [1]     Proposed
Rm          640     800     480     640     320     320
Lm + Am     3520    2560    3840    2880    2336    2176
Tm          4160    3360    4320    3520    2656    2496

Rm: Registration messages, Lm: Login messages, Am: Authentication messages, Tm: Total messages; [17]: He and Wang, [58]: Yoon and Yoo, [23]: Kalra and Sood, [47]: Shen, [1]: Amin et al.

7 Comparison and performance analysis

In this section, we analyze the security and performance of the proposed model against recent multi-server authentication protocols [1, 17, 23, 47, 58]. The proposed scheme presents a secure and improved TMIS-based multi-server authentication model, following the attacks discovered in the Amin et al. scheme [1]. Table 2 shows the strength of the different schemes against the identified threats and signifies the robustness of the proposed protocol in comparison with the other contemporary schemes. It is obvious from Table 2 that the schemes [1, 17, 23, 58] are vulnerable to masquerading attacks, that [1, 58] do not resist the offline password guessing attack, and that the schemes [17, 23, 47] do not provide anonymity and are hence vulnerable to the trace attack.

In Table 3 we use the following notations for the cost of operations: TH represents a hash operation, TM an elliptic curve scalar multiplication and TS a symmetric key encryption, while the XOR operation is ignored in Tables 3 and 4 for its negligible cost. The computational costs of these operations [24], ordered from maximum to minimum, are TM >> TS >> TH. The computational time (in milliseconds) of the different crypto-primitives is taken as [24]: TH ≈ 0.0023 ms, TS ≈ 0.0046 ms, and TM ≈ 2.226 ms. Table 3 compares He and Wang [17], Yoon and Yoo [58], Kalra and Sood [23], Shen [47] and Amin et al. [1] with the proposed scheme in terms of computational cost. Table 3 shows that [58] has a low computational cost of 8.94 ms; however, this scheme is vulnerable to the offline password guessing and masquerading attacks [40]. The schemes [47] and [17] bear an average computational cost of 15.62 ms; however, these schemes are reported to be prone to the session-specific temporary information attack, anonymity failure, offline password guessing, impersonation and replay attacks.

The scheme [23] incurs the highest computational delay of 28.9 ms; however, despite the highest execution cost, it is vulnerable to the stolen smart card and masquerading attacks, and it does not provide anonymity either. The proposed scheme bears a slightly lower computational cost than [23], a higher one than [17, 47, 58], and one equivalent to [1]. However, the proposed scheme is resistant to all the limitations that the schemes [1, 17, 23, 47, 58] were found to have, as depicted in Table 2. For calculating the communication cost, we assume that a hash digest (SHA-1) takes 160 bits, a user identity 160 bits, a random number 160 bits, and an elliptic curve point 320 bits [41]. The proposed scheme has a lower communication cost, i.e. 2496 bits, than the other schemes, and at the same time is immune to all the threats identified in Table 2. Hence, in the light of the above


performance analysis, we can say that the proposed scheme is more secure than [1, 17, 23, 47, 58] and also cost efficient in terms of communication.

8 Conclusion

Multi-server authentication has been regarded as one of the key requirements of the existing internet authentication paradigm, and a lot of schemes have been presented in the last decade by the research community. This paper studies the Amin et al. scheme, a multi-server remote authentication scheme for TMIS, and reviews it thoroughly. Our cryptanalysis reveals two ways in which the Amin et al. scheme can be attacked: it is found vulnerable to the password guessing attack and the masquerading attack. Following these identified limitations, an enhanced multi-server authentication scheme for TMIS has been proposed, and its security features, particularly session key security and mutual authentication, are analyzed using BAN logic. Besides, this work is backed by a performance evaluation along with a cost comparison with other contemporary schemes.

References

1. Amin R, Islam SH, Biswas GP, Khan MK, Kumar N (2015) An efficient and practical smart card based anonymity preserving user authentication scheme for TMIS using elliptic curve cryptography. J Med Syst 39(11):1–18
2. Cao T, Zhai J (2013) Improved dynamic id-based authentication scheme for telecare medical information systems. J Med Syst 37(2):1–7
3. Certicom Research (2000) Standards for efficient cryptography, SEC 1: Elliptic curve cryptography, ver. 1.0
4. Chang C-C, Cheng T-F, Hsueh W-Y (2014) A robust and efficient dynamic identity-based multi-server authentication scheme using smart cards. Int J Commun Syst
5. Chaudhry SA, Farash MS, Naqvi H, Kumari S, Khan MK (2015) An enhanced privacy preserving remote user authentication scheme with provable security. Secur Commun Netw. doi:10.1002/sec.1299
6. Chaudhry SA, Mahmood K, Naqvi H, Khan MK (2015) An improved and secure biometric authentication scheme for telecare medicine information systems based on elliptic curve cryptography. J Med Syst 39(11):1–12
7. Chaudhry SA, Naqvi H, Shon T, Sher M, Farash MS (2015) Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems. J Med Syst 39(6):1–11
8. Chen C-T, Lee C-C (2015) A two-factor authentication scheme with anonymity for multi-server environments. Secur Commun Netw 8(8):1608–1625
9. Chen HM, Lo JW, Yeh CK (2012) An efficient and secure dynamic id-based authentication scheme for telecare medical information systems. J Med Syst 36(6):3907–3915
10. Dodis Y, Kanukurthi B, Katz J, Reyzin L, Smith A (2012) Robust fuzzy extractors and authenticated key agreement from close secrets. IEEE Trans Inf Theory 58(9):6207–6222. doi:10.1109/TIT.2012.2200290
11. Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. Adv Cryptol—EUROCRYPT 2004, LNCS 3027:523–540. doi:10.1007/978-3-540-24676-3_31
12. Farash MS, Chaudhry SA, Heydari M, Sajad Sadough SM, Kumari S, Khan MK (2015) A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security. Int J Commun Syst. doi:10.1002/dac.3019
13. Giri D, Maitra T, Amin R, Srivastava P (2014) An efficient and robust RSA-based remote user authentication for telecare medical information systems. J Med Syst 39(1):145. doi:10.1007/s10916-014-0145-7
14. He D, Jianhua C, Rui Z (2012) A more secure authentication scheme for telecare medicine information systems. J Med Syst 36(3):1989–1995
15. He D, Kumar N, Chen J, Lee CC, Chilamkurti N, Yeo SS (2015) Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimedia Systems 21(1):49–60. doi:10.1007/s00530-013-0346-9
16. He D, Kumar N, Chilamkurti N (2015) A secure temporal credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf Sci 321:263–277. doi:10.1016/j.ins.2015.02.010
17. He D, Wang D (2015) Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst J 9(3):816–823. doi:10.1109/JSYST.2014.2301517
18. Hsu CL, Chuang YH, Kuo CL (2015) A novel remote user authentication scheme from bilinear pairings via internet. Wirel Pers Commun:1–12
19. Irshad A, Sher M, Chaudhary SA, Naqvi H, Farash MS (2016) An efficient and anonymous multi-server authenticated key agreement based on chaotic map without engaging Registration Centre. J Supercomput 72(4):1623–1644
20. Irshad A, Sher M, Faisal MS, Ghani A, Ul Hassan M, Ashraf Ch S (2014) A secure authentication scheme for session initiation protocol by using ECC on the basis of the Tang and Liu scheme. Secur Commun Netw 7(8):1210–1218
21. Irshad A, Sher M, Rehman E, Ch SA, Hassan MU, Ghani A (2015) A single round-trip SIP authentication scheme for voice over internet protocol using smart card. Multimed Tools Appl 74(11):3967–3984
22. Jiang Q, Ma J, Lu X, Tian Y (2014) Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems. J Med Syst 38(2):1–8
23. Kalra S, Sood S (2013) Advanced remote user authentication protocol for multi-server architecture based on ECC. J Inf Secur Appl 18(2):98–107
24. Kilinc HH, Yanik T (2014) A survey of SIP authentication and key agreement schemes. IEEE Commun Surv Tutor 16(2):1005–1023
25. Kim H, Jeon W, Lee K, Lee Y, Won D (2012) Cryptanalysis and improvement of a biometrics-based multi-server authentication with key agreement scheme. Computational Science and Its Applications—ICCSA 2012, Springer, pp 391–406
26. Koblitz N (1987) Elliptic curve cryptosystems. Math Comput 48:203–209
27. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. Adv Cryptol—CRYPTO 99, LNCS 1666:388–397
28. Lee TF, Chang IP, Lin TH, Wang CC (2013) A secure and efficient password-based user authentication scheme using smart cards for the integrated EPR information system. J Med Syst 37(3):1–7
29. Lee CC, Hsu CW, Lai YM, Vasilakos A (2013) An enhanced mobile-healthcare emergency system based on extended chaotic maps. J Med Syst 37(5):1–12
30. Li CT, Lee CC, Weng CY (2014) A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems. J Med Syst 38(9):1–11
31. Li X, Ma J, Wang W, Xiong Y, Zhang J (2013) A novel smart card and dynamic id based remote user authentication scheme for multi-server environments. Math Comput Model 58(1):85–95
32. Li X, Niu J, Khan MK, Liao J (2013) An enhanced smart card based remote user password authentication scheme. J Netw Comput Appl 36(5):1365–1371
33. Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79
34. Li X, Xiong Y, Ma J, Wang W (2012) An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J Netw Comput Appl 35(2):763–769
35. Liao X, Shu C (2015) Reversible data hiding in encrypted images based on absolute mean difference of multiple neighboring pixels. J Vis Commun Image Represent 28(4):21–27
36. Lin HY (2013) On the security of a dynamic id-based authentication scheme for telecare medical information systems. J Med Syst 37(2):9929. doi:10.1007/s10916-013-9929-4
37. Lin HY (2014) Chaotic map based mobile dynamic id authenticated key agreement scheme. Wirel Pers Commun 78(2):1487–1494
38. Lin I, Hwang M, Li L (2003) A new remote user authentication scheme for multi-server architecture. Futur Gener Comput Syst 19(1):13–22
39. Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
40. Miller V (1986) Use of elliptic curves in cryptography. Adv Cryptol—CRYPTO '85, LNCS 218:417–426, Springer-Verlag
41. Mishra D (2015) Design of a password-based authenticated key exchange protocol for SIP. Multimed Tools Appl:1–22
42. Mishra D, Mukhopadhyay S, Chaturvedi A, Kumari S, Khan MK (2014) Cryptanalysis and improvement of Yan et al.'s biometric-based authentication scheme for telecare medicine information systems. J Med Syst 38(6):1–12
43. Mishra D, Srinivas J, Mukhopadhyay S (2014) A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J Med Syst 38(10):1–10
44. Odelu V, Das AK, Goswami A (2014) Cryptanalysis on robust biometrics-based authentication scheme for multiserver environment. Cryptology ePrint Archive, Report 2014/715, eprint.iacr.org/2014/715.pdf
45. Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966
46. Ren Y, Shen J, Wang J, Han J, Lee S (2015) Mutual verifiable provable data auditing in public cloud storage. J Internet Technol 16(2):317–323
47. Shen H, Gao C, He D, Wu L (2015) New biometrics-based authentication scheme for multi-server environment in critical systems. J Ambient Intell Humaniz Comput 6(6):825–834
48. Tan Z (2013) An efficient biometrics-based authentication scheme for telecare medicine information systems. Network 2(3):200–204
49. Wang Z, Huo Z, Shi W (2015) A dynamic identity based authentication scheme using chaotic maps for telecare medicine information systems. J Med Syst 39(1):1–8
50. Wang D, Ping W (2014) Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Netw 20:1–15
51. Wei J, Hu X, Liu W (2012) An improved authentication scheme for telecare medicine information systems. J Med Syst 36(6):3597–3604
52. Wu ZY, Lee YC, Lai F, Lee HC, Chung Y (2012) A secure authentication scheme for telecare medicine information systems. J Med Syst 36(3):1529–1535
53. Xia Z, Wang X, Sun X, Wang Q (2015) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans Parallel Distrib Syst 27(2):340–352
54. Xie Q, Liu W, Wang S, Han L, Hu B, Wu T (2014) Improvement of a uniqueness-and-anonymity-preserving user authentication scheme for connected health care. J Med Syst 38(9):1–10
55. Xie Q, Zhang J, Dong N (2013) Robust anonymous authentication scheme for telecare medical information systems. J Med Syst 37(2):1–8
56. Xu L, Wu F (2015) Cryptanalysis and improvement of a user authentication scheme preserving uniqueness and anonymity for connected health care. J Med Syst 39(2):1–9
57. Yan X, Li W, Li P, Wang J, Hao X, Gong P (2013) A secure biometrics-based authentication scheme for telecare medicine information systems. J Med Syst 37(5):9972. doi:10.1007/s10916-013-9972-1
58. Yoon EJ, Yoo KY (2013) Robust biometrics-based multiserver authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63(1):235–255
59. Zhu Z (2012) An efficient authentication scheme for telecare medicine information systems. J Med Syst 36(6):3833–3838. doi:10.1007/s10916-012-9856-9

Azeem Irshad received his Master's degree from Arid Agriculture University, Rawalpindi, Pakistan. Currently, he is pursuing his PhD in security for multi-server architectures at International Islamic University, Islamabad, Pakistan. His research interests include strengthening authenticated key agreements in SIP multimedia, IoT, WBAN, TMIS, WSN, ad hoc networks, e-health clouds and multi-server architectures.


Muhammad Sher is a Professor with more than 120 scientific publications. He is Chairman of the Department of Computer Science & Software Engineering, International Islamic University, and also Dean of the Faculty of Basic & Applied Sciences. He received his Ph.D. in Computer Science from TU Berlin, Germany, and his M.Sc. from Quaid-e-Azam University, Islamabad. His research interests include Next Generation Networks and Network Security.

Omer Nawaz received his Master's degree in Computer Science from International Islamic University Islamabad, Pakistan in 2003. Currently, he is a PhD candidate at Blekinge Institute of Technology, Karlskrona, Sweden, and also works as an Assistant Professor at the University of the Punjab, Pakistan. His research interests include Next Generation Networks and Network Security, Quality of Experience and Secure Mobile Social Networking.


Shehzad Ashraf Chaudhry received his Master's and PhD degrees with distinction from International Islamic University Islamabad, Pakistan in 2009 and 2016 respectively. He was awarded a Gold Medal for achieving a 4.0/4.0 CGPA in his Master's. Currently, he is working as an Assistant Professor at the Department of Computer Science & Software Engineering, International Islamic University, Islamabad. He has authored more than 35 scientific publications in international journals and proceedings, including 25 in SCI/E journals. His research interests include Lightweight Cryptography, Elliptic/Hyper Elliptic Curve Cryptography, Multimedia Security, E-Payment systems, MANETs, SIP authentication, IP Multimedia Subsystem and Next Generation Networks.

Imran Khan received his Masters degree from International Islamic University Islamabad, Pakistan. Currently working towards his PhD, he is also working as Lecturer in IIUI. His research interests include Lightweight Cryptography, Medical Drop Box Security, Multimedia Security, MANETs, IP Multimedia sub-system and Next Generation Networks.


Saru Kumari is currently an Assistant Professor with the Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India. She received her Ph.D. degree in Mathematics in 2012 from CCS University, Meerut, UP, India. She has published more than 42 research papers in reputed international journals and conferences, and is a reviewer for more than a dozen reputed journals, including SCI-indexed ones. Her current research interests include information security, digital authentication, security of wireless sensor networks, and applied mathematics.