
J Med Syst (2015) 39:89 DOI 10.1007/s10916-015-0265-8

SYSTEMS-LEVEL QUALITY IMPROVEMENT

A Secure User Anonymity and Authentication Scheme Using AVISPA for Telecare Medical Information Systems

Omid Mir 1, Theo van der Weide 1, Cheng-Chi Lee 2,3

Received: 11 March 2015 / Accepted: 16 June 2015. © Springer Science+Business Media New York 2015

Abstract Telecare medicine information systems (TMIS) are known as an effective mechanism for increasing the quality and security of healthcare services. To protect patient privacy, several authentication schemes have been proposed for TMIS; however, most of them have security problems. Recently, Das proposed a secure and robust password-based remote user authentication scheme for the integrated EPR information system. In this paper we show that his scheme has several security flaws, and we propose a secure authentication scheme that overcomes these weaknesses. We prove the proposed scheme secure in the random oracle model and use BAN logic to prove its correctness. Furthermore, we simulate our scheme for formal security analysis using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool.

This article is part of the Topical Collection on Systems-Level Quality Improvement.

Corresponding author: Cheng-Chi Lee

1 Institute for Computing and Information Sciences, Radboud University Nijmegen, Nijmegen, The Netherlands
2 Department of Library and Information Science, Fu Jen Catholic University, New Taipei City, Taiwan
3 Department of Photonics & Communication Engineering, Asia University, Taichung, Taiwan

Keywords Telecare medical information system · Authentication scheme · Smart card · Password-based remote authentication · Random oracle · AVISPA

Introduction

Telecare medical information systems (TMIS) provide healthcare services to patients in their homes. Patients can send and receive health information over a public network. Telecare systems have many advantages, e.g., saving time and more efficient cost management. Technological advances in telecommunications, mobile communication and wireless networks have improved the quality of medical care. TMIS are useful for patients and healthcare service providers, because patients can receive various healthcare delivery services through them, and physicians can monitor the vital signs of patients who are far away. Since the TMIS database stores patients' electronic medical records (EMRs), proper user authentication schemes are required. Privacy and security are therefore the main concern in preventing illegal users from accessing health data [1, 3]. Thus, a strong authentication scheme is necessary to protect the confidentiality of EMRs and to provide availability for the telecare medicine system.

Considering the advantages of passwords and smart cards, several password- and smart-card-based user authentication schemes have been proposed [16, 19, 20, 23, 41–44]. Smart cards are usually designed to achieve a certain level of tamper resistance. However, Witteman and Messerges et al. [2, 4] have shown that an adversary can extract all information stored in a smart card by logical or physical means, so most previously proposed schemes have become vulnerable to password guessing attacks [5, 6]. Recently, Wu et al. [7] proposed a remote user authentication scheme for TMIS based on a password and a smart card. But He et al. [8] showed that Wu et al.'s scheme is vulnerable to the impersonation attack and the insider attack once the user's smart card is compromised, and proposed an improved scheme. Nevertheless, Wei et al. [9] demonstrated that not only Wu et al.'s scheme [7] but also He et al.'s scheme [8] is vulnerable to off-line password guessing attacks. Taking into account that an adversary can learn all information stored in the smart card, they proposed an improved scheme to overcome this weakness [9]. After that, Zhu [10] showed that Wei et al.'s improved scheme [9] is still vulnerable to off-line password guessing attacks, and proposed a new improved scheme. However, none of the aforesaid remote user authentication schemes protects the user's privacy, because anyone can obtain the user's identity. Das et al. [11] first proposed a dynamic ID-based password authentication scheme to provide privacy. Since then, many dynamic ID-based authentication schemes have been proposed [21, 22]. In 2012, Chen et al. [12] showed that Khan et al.'s scheme [13] cannot achieve user anonymity and proposed a new dynamic ID-based password authentication scheme using a smart card. After that, Lin [14] and Cao et al. [15] showed that Chen et al.'s scheme is vulnerable to off-line password guessing attacks, on-line password guessing attacks, off-line ID guessing attacks, smart card loss and dictionary attacks. From 2014 to 2015, many authentication schemes have been proposed for TMIS [27–31, 33, 45–47]. In 2014, Wen [27] proposed an efficient password-based user authentication scheme using smart cards for the integrated EPR information system. Das [24] then showed that Wen's scheme has two security weaknesses, namely (1) a design flaw in the password change phase and (2) a privileged insider attack, and proposed a robust password-based remote user authentication scheme using smart cards for the integrated EPR information system. In this paper, we show that Das's scheme [24] provides no user privacy protection. Furthermore, it is vulnerable to stolen smart card attacks, off-line password guessing attacks, the logged-in users' attack, the known session-specific temporary information attack and man-in-the-middle attacks. We then propose a new scheme that removes these weaknesses.

Attacker model

The proposed authentication scheme is executed over an insecure channel, so we assume an adversary with the following capabilities:
1. If a user's smart card is stolen or lost, the attacker can extract the information stored in it, e.g. by monitoring its power consumption [2, 4].
2. The adversary can eavesdrop on all messages transmitted between the protocol entities over the public channel.
3. The adversary can modify, delete, resend and reroute the eavesdropped messages.

Review of Das's scheme

In this section, we briefly present Das's scheme [24]. It consists of four phases: the registration phase, the login phase, the verification phase and the password change phase. We use the notations given in Table 1.

Table 1 Notations

Notation   Definition
Sj         Trustworthy integrated EPR information system server
Ui         A user
IDi        Identity of user Ui
PWi        Password of user Ui
h()        A secure collision-free one-way hash function [34, 40]
d          The secret key of Sj
K          Secret number of Sj
H          Constant secret value of Sj
Xu         Secret number of Ui only
r1         A random number chosen by Ui
r2         A random number chosen by Sj
⊕          The logical operation XOR
X||Y       The concatenation of X and Y

The registration phase

To access the services of the EPR server Sj, the user Ui first registers at Sj. For this purpose, Ui and Sj perform the following steps:

Step 1: Ui chooses his/her own identity IDi and password PWi.
Step 2: Ui generates a random secret number Xu, which is kept secret by Ui. For security purposes, Xu is a 1024-bit number.
Step 3: Ui computes the masked password $RPW_i = h(X_u \| PW_i)$ and sends the registration request message {RPWi, IDi} to Sj through a secure channel.
Step 4: After receiving {RPWi, IDi} from Ui, Sj validates the identity IDi. If it is valid, Sj computes $v = h(K \oplus ID_i)$, where K is the secret number of Sj. For security purposes, K is a 1024-bit number.
Step 5: Sj computes $S_1 = h(RPW_i \| K)$, $S_2 = h(RPW_i \| S_1)$ and $N = v \oplus S_2 \oplus H$, where H is a constant secret value known only to Sj. For security purposes, H is also a 1024-bit number.
Step 6: Finally, Sj issues a smart card containing the information {IDi, h(), N, S1} and returns it to Ui via a secure channel. After receiving the smart card, Ui stores the secret number Xu in its memory.

The login phase

When a user Ui wants to log in to the server Sj, the following steps are executed:

Step 1: Ui inserts his/her smart card into the smart card reader of a terminal and enters his/her identity IDi and password PWi. The smart card computes the masked password $RPW_i = h(X_u \| PW_i)$ using the secret number Xu stored in its memory.
Step 2: Ui's smart card generates a random number r1 and computes h(r1), $S_2 = h(RPW_i \| S_1)$ using the stored value S1, and $C_1 = r_1 \oplus S_2$. Note that $C_1 = r_1 \oplus h(RPW_i \| h(RPW_i \| K))$.
Step 3: Finally, Ui sends the login request message (N, IDi, C1, h(r1)), using the N stored in the smart card, to Sj through a public channel.

The verification phase

The server Sj receives the login request message (N, IDi, C1, h(r1)) from Ui. Then Sj and Ui perform the following steps:

Step 1: Sj verifies the validity of Ui's identity IDi. If it is invalid, Sj rejects the request and terminates the session immediately. Otherwise, Sj computes
$v = h(K \oplus ID_i)$, $S_2' = H \oplus N \oplus v$, $r_1' = S_2' \oplus C_1$.
Sj checks whether h(r1′) equals the received h(r1). If not, Sj terminates the session immediately; otherwise it executes Step 2. In order to resist replay attacks and man-in-the-middle attacks, Sj stores the pair (IDi, r1) in its database, where r1′ = r1.
Step 2: Sj generates a random number r2 and computes $a = r_2 \oplus h(r_1' \| S_2')$ and $b = h(S_2' \| r_2 \| r_1')$. Then Sj sends the authentication request message {a, b} to Ui via a public channel.
Step 3: Upon receiving {a, b}, Ui computes $h(r_1 \| S_2)$ and $r_2' = a \oplus h(r_1 \| S_2)$, and checks whether $b = h(S_2 \| r_2' \| r_1)$ holds. If so, Ui confirms that the server Sj is authentic, computes $C_2 = h(r_2' \| S_2) \oplus h(RPW_i \| S_1)$ and sends C2 to Sj through a public channel.
Step 4: After receiving C2, Sj computes $u = h(r_2 \| S_2') \oplus C_2$ and checks whether $u = S_2'$ (note that $h(RPW_i \| S_1) = S_2$). If they are equal, Sj authenticates Ui.
Step 5: Finally, Sj and Ui compute the shared secret session key $SK_{U_iS_j} = h(r_1 \| r_2 \| a \| b \| N \| ID_i)$.

The password-change phase

We omit the steps of this phase because it is not needed for our analysis; see [24] for details. Note only that the password change is executed by Ui with the help of Sj, and that this phase is not executed frequently by Ui.

Drawbacks of Das's scheme

In this section, we show that Das's scheme has the following weaknesses.

Not providing the protection of user anonymity

In TMIS, the anonymity of the patient is one of the important issues; to protect the user's privacy, anonymity must be provided. In Das's scheme, the identity of the user is transmitted as plaintext over the public channel, so the scheme cannot provide user anonymity.

Stolen smart card attacks

Contrary to the claim in Das's scheme, if the smart card is lost or stolen and the values {IDi, h(), N, S1, Xu} stored on it are extracted [2, 4], the attacker can derive the user's password by both offline and online guessing, as follows.

Offline password guessing attack

The attacker eavesdrops a login request (N, IDi, C1, h(r1)), guesses a candidate password PWi* and computes
$RPW_i^* = h(X_u \| PW_i^*)$, $S_2^* = h(RPW_i^* \| S_1)$, $r_1^* = C_1 \oplus S_2^*$.
The attacker then checks whether h(r1*) = h(r1). If they are equal, the guess was correct; otherwise the attacker repeats the steps with the next candidate until one succeeds. Since every check is performed locally against the captured h(r1), the attacker is limited only by his/her own computing power.

Online password guessing attack

The attacker can guess PWi as follows:
- The attacker guesses a candidate password PWi* and computes $RPW_i^* = h(X_u \| PW_i^*)$ and $S_2^* = h(RPW_i^* \| S_1)$.
- The attacker generates a random number r1*, computes $C_1^* = r_1^* \oplus S_2^*$ and sends the login request (N, IDi, C1*, h(r1*)) to Sj. If the guessed password is wrong, Sj sends no response, and the attacker tries another candidate. When Sj sends back the authentication message {a, b}, the guess was correct.
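The login/verification exchange of Das's scheme and the offline password-guessing attack on it, as an added Python example that is not part of the paper (it is also the concrete form of the stolen smart card attack). It assumes SHA-256 for h(), 32-byte random numbers in place of the 1024-bit values, that IDi is right-padded to 32 bytes before being XORed with K, and that the attacker has extracted {IDi, N, S1, Xu} from the card and captured one login request. The identity, password and dictionary are constructed sample data.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 stands in for the paper's one-way hash."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR needs equal-length operands"
    return bytes(x ^ y for x, y in zip(a, b))

def pad32(b: bytes) -> bytes:
    """Right-pad IDi to 32 bytes so that K xor IDi is defined (assumption)."""
    return b.ljust(32, b"\0")

class DasServer:
    """Server Sj: secrets K and H plus the (IDi, r1) table used against replays."""
    def __init__(self) -> None:
        self.K, self.H, self.seen = os.urandom(32), os.urandom(32), set()

    def register(self, id_i: bytes, rpw_i: bytes) -> dict:
        v = h(xor(self.K, pad32(id_i)))          # v = h(K xor IDi)
        s1 = h(rpw_i, self.K)                    # S1 = h(RPWi || K)
        s2 = h(rpw_i, s1)                        # S2 = h(RPWi || S1)
        return {"ID": id_i, "N": xor(xor(v, s2), self.H), "S1": s1}   # card contents

    def verify_login(self, msg: dict):
        """Verification Steps 1-2; returns ((a, b), state) or None on rejection."""
        v = h(xor(self.K, pad32(msg["ID"])))
        s2 = xor(xor(self.H, msg["N"]), v)       # S2' = H xor N xor v
        r1 = xor(s2, msg["C1"])                  # r1' = S2' xor C1
        if h(r1) != msg["hr1"] or (msg["ID"], r1) in self.seen:
            return None                          # wrong card/password, or replayed r1
        self.seen.add((msg["ID"], r1))
        r2 = os.urandom(32)
        a, b = xor(r2, h(r1, s2)), h(s2, r2, r1) # a = r2 xor h(r1'||S2'), b = h(S2'||r2||r1')
        return (a, b), (s2, r1, r2)

    def verify_c2(self, state, msg: dict, a: bytes, b: bytes, c2: bytes):
        """Verification Steps 4-5: check C2 and derive the session key."""
        s2, r1, r2 = state
        if xor(h(r2, s2), c2) != s2:             # u = h(r2||S2') xor C2 must equal S2'
            return None
        return h(r1, r2, a, b, msg["N"], msg["ID"])

def user_login(card: dict, xu: bytes, pw: bytes):
    """Login phase on the card: returns (N, IDi, C1, h(r1)) and the card's local state."""
    rpw, r1 = h(xu, pw), os.urandom(32)          # RPWi = h(Xu || PWi)
    s2 = h(rpw, card["S1"])
    msg = {"N": card["N"], "ID": card["ID"], "C1": xor(r1, s2), "hr1": h(r1)}
    return msg, (rpw, r1, s2)

def user_finish(card: dict, state, a: bytes, b: bytes, msg: dict):
    """Verification Step 3 on the card: authenticate Sj, build C2 and the session key."""
    rpw, r1, s2 = state
    r2 = xor(a, h(r1, s2))                       # r2' = a xor h(r1 || S2)
    if b != h(s2, r2, r1):
        return None
    c2 = xor(h(r2, s2), h(rpw, card["S1"]))      # C2 = h(r2'||S2) xor h(RPWi||S1)
    return c2, h(r1, r2, a, b, msg["N"], card["ID"])

def run_session(server: DasServer, card: dict, xu: bytes, pw: bytes):
    """Full exchange; returns (user SK, server SK, login request) or None if rejected."""
    msg, ustate = user_login(card, xu, pw)
    srv = server.verify_login(msg)
    if srv is None:
        return None
    (a, b), sstate = srv
    fin = user_finish(card, ustate, a, b, msg)
    if fin is None:
        return None
    c2, usk = fin
    return usk, server.verify_c2(sstate, msg, a, b, c2), msg

def offline_guess(card: dict, xu: bytes, msg: dict, dictionary):
    """Offline attack with the extracted card values {IDi, N, S1, Xu} and one captured
    login request: every candidate is checked locally against h(r1)."""
    for pw in dictionary:
        s2 = h(h(xu, pw), card["S1"])            # S2* = h(h(Xu || PW*) || S1)
        if h(xor(msg["C1"], s2)) == msg["hr1"]:  # h(r1*) == h(r1): the guess is right
            return pw
    return None
```

Each candidate costs three hash computations and no network traffic, so the server's (IDi, r1) replay table, which does stop a replayed request, is irrelevant to the offline attack.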

The many logged-in users' attack

A suitable server allows only one person at a time to use the account of a legitimate user; otherwise, inconsistent information may result while the data stored on the server are being accessed. Das's scheme cannot enforce this property, since more than one person can access the same account simultaneously [25, 26]. Assume PWi is leaked to more than one person; anyone who knows the pair (IDi, PWi) can then use the account at the same time with his/her own login request. Hence every such adversary can execute the mutual authentication phase and gain access to Ui's account simultaneously, because all of them run the same authentication phase with the valid PWi, and Sj has no way to stop them.

The known session-specific temporary information attack

Chen et al. [12] showed that the session key should not be disclosed even if the session-specific temporary parameters are leaked to an adversary. Das's scheme does not satisfy this requirement in the authentication phase. The shared session key $SK_{U_iS_j} = h(r_1 \| r_2 \| a \| b \| N \| ID_i)$ is generated between the user and the server, and a, b, N and IDi are all transmitted in the clear, so the secrecy of the session key depends only on the confidentiality of r1′ and r2. If these temporary parameters are exposed to an outsider, the adversary can compute $SK_{U_iS_j}$ directly. Thus, Das's scheme is insecure against the known session-specific temporary information attack.

The proposed scheme

In this section, we propose an improved authentication scheme that preserves anonymity. The proposed scheme closes the security holes described above, even if the smart card is compromised. Like the schemes mentioned above, it consists of four phases: registration, login, verification and password change. The details are as follows.

The registration phase

Step 1: Ui chooses his/her identity IDi and password PWi, generates a random number ri and computes $\overline{PW_i} = h(PW_i \oplus r_i)$. Ui sends the registration request $\{ID_i, \overline{PW_i}\}$ through a secure channel.
Step 2: Upon receiving the registration request, Sj checks the format of IDi and aborts the registration if IDi is not valid. Otherwise Sj computes:

$J_i = h(ID_i \| d)$, $B_i = J_i \oplus \overline{PW_i}$, $NID_i' = h(ID_i \| \overline{PW_i} \| J_i)$, $V_i = h(NID_i' \| d) \oplus \overline{PW_i}$.

Finally, Sj stores (Bi, NIDi′, h(.)) in a smart card and sends it to Ui via the secure channel. Sj stores (NIDi′, Vi, bit) in its database, where bit ∈ {0, 1}: bit = 1 while the user is logged in and bit = 0 otherwise.
Step 3: After receiving the smart card (SC), the user computes $F = r_i \oplus h(ID_i \| PW_i)$ and stores F in it. Finally the smart card contains {Bi, NIDi′, h(.), F}.

The login phase

When Ui wants to log on to the TMIS and access some EMR data, he/she inserts the smart card into a device and enters IDi and PWi. The smart card performs the following computations to log in to the server. The login and authentication phases are shown in Fig. 1.

$r_i = F \oplus h(ID_i \| PW_i)$, $\overline{PW_i} = h(PW_i \oplus r_i)$, $J_i = B_i \oplus \overline{PW_i} = h(ID_i \| d)$, $NID_i'' = h(ID_i \| \overline{PW_i} \| J_i)$.

Fig. 1 The proposed scheme

The SC compares NIDi″ with NIDi′. If they are not equal, the SC terminates the session. Otherwise the entered identity IDi and password PWi are valid, and the SC determines the current timestamp T1 and computes
$W_i = h(J_i \| \overline{PW_i} \| NID_i')$, $G_i = h(\overline{PW_i}) \oplus ID_i$, $X_i = h(NID_i' \| \overline{PW_i} \| W_i \| T_1 \| ID_i \| G_i)$.
Ui then sends the login request {T1, Xi, Gi} to the medical server Sj through a public channel.

The verification phase

When Sj receives the login request {T1, Xi, Gi} from Ui, the following steps are performed by Ui and Sj to achieve mutual authentication and agree on a session key.

Step 1: Sj acquires the current timestamp T2 and checks whether (T2 − T1) > ΔT, where ΔT is the maximum transmission delay. If so, Sj rejects the login request; otherwise it takes the stored record (NIDi′, Vi, bit) and computes
$\overline{PW_i} = V_i \oplus h(NID_i' \| d)$, $ID_i = G_i \oplus h(\overline{PW_i})$, $J_i = h(ID_i \| d)$, $W_i' = h(J_i \| \overline{PW_i} \| NID_i')$, $X_i' = h(NID_i' \| \overline{PW_i} \| W_i' \| T_1 \| ID_i \| G_i)$.
Sj compares Xi′ with Xi. If they are not equal, Sj terminates the session; otherwise Ui is a legitimate user. Note that the login request carries no index into Sj's database; the scheme does not specify how Sj selects the record (NIDi′, Vi, bit) of the requesting user.
Step 2: Sj generates a random number rs, takes the current timestamp T3 and computes
$SK = h(r_s \| J_i \| ID_i \| W_i')$, $H_1 = h(SK \| r_s \| NID_i' \| J_i \| ID_i \| T_3)$, $K = r_s \oplus W_i'$.
Step 3: Sj sends the response message {K, H1, T3} to Ui through a public channel.
Step 4: Upon receiving the response message {K, H1, T3}, Ui computes
$r_s' = K \oplus W_i$, $SK' = h(r_s' \| J_i \| ID_i \| W_i)$, $H_1' = h(SK' \| r_s' \| NID_i' \| J_i \| ID_i \| T_3)$.
Ui compares H1′ with H1. If they are equal, S and SK are authenticated; otherwise Ui terminates the session. Ui then computes H2 = h(SK) and sends it to the server.
Step 5: Sj computes H2′ = h(SK) and checks whether H2′ = H2. If so, the session key is valid.

The password change phase

To increase system security, Ui can replace his/her password PWi with a new one, PWi_new. For this purpose, Ui inserts the SC into a terminal, and the SC performs the following steps to update the stored values according to the new password.

1) SC retrieves the random number $r_i = F \oplus h(ID_i \| PW_i)$ and computes
$\overline{PW_i} = h(PW_i \oplus r_i)$, $J_i = B_i \oplus \overline{PW_i} = h(ID_i \| d)$, $NID_i'' = h(ID_i \| \overline{PW_i} \| J_i)$.
SC checks whether NIDi″ = NIDi′. If the equality does not hold, SC refuses the password update. If it holds, the entered identity IDi and password PWi are correct, and SC asks Ui to enter the new password.
2) Ui enters a new password PWi_new. SC then computes
$\overline{PW_i^{new}} = h(PW_i^{new} \oplus r_i)$, $NID_i'^{\,new} = h(ID_i \| \overline{PW_i^{new}} \| J_i)$, $F^{new} = r_i \oplus h(ID_i \| PW_i^{new})$, $B_i^{new} = B_i \oplus \overline{PW_i^{new}} \oplus \overline{PW_i}$.
Finally, SC replaces Bi, F and NIDi′ with Bi_new, F_new and NIDi′_new, respectively. Note: Ui can also change the random number ri. Note also that the record (NIDi′, Vi) held by Sj depends on $\overline{PW_i}$; this phase leaves that record unchanged, so Sj must learn the new NIDi′ and Vi before the next login with the new password.
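Both sides of the proposed scheme, from registration through the password change phase, as an added Python example that is not the paper's own code. It assumes SHA-256 for h(), that IDi and PWi are right-padded to 32 bytes before being XORed, integer-second timestamps with ΔT = 5 s, that Ui checks T3 the same way Sj checks T1, that a record with bit = 1 refuses a second concurrent login, and, because {T1, Xi, Gi} carries no index, that Sj tries each stored (NIDi′, Vi, bit) record in turn. Identities and passwords are constructed sample data.

```python
import hashlib
import os

DELTA_T = 5  # maximum transmission delay in seconds (assumed value)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()   # h(a || b || ...), SHA-256 assumed

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR needs equal-length operands"
    return bytes(x ^ y for x, y in zip(a, b))

def pad32(b: bytes) -> bytes:   # right-pad IDi / PWi to 32 bytes for XOR (assumption)
    assert len(b) <= 32 and not b.endswith(b"\0")
    return b.ljust(32, b"\0")

def tb(t: int) -> bytes:        # timestamp as 8 big-endian bytes for hashing
    return t.to_bytes(8, "big")

class Server:
    def __init__(self) -> None:
        self.d, self.table = os.urandom(32), {}   # secret key d; NIDi' -> [Vi, bit]

    def register(self, id_i: bytes, pw_bar: bytes) -> dict:
        j = h(id_i, self.d)                                   # Ji = h(IDi || d)
        nid = h(id_i, pw_bar, j)                              # NIDi' = h(IDi || PW̄i || Ji)
        self.table[nid] = [xor(h(nid, self.d), pw_bar), 0]   # Vi = h(NIDi'||d) xor PW̄i, bit
        return {"B": xor(j, pw_bar), "NID": nid}              # card {Bi, NIDi'}; Ui adds F

    def verify_login(self, msg: dict, now: int):
        """Steps 1-3. {T1, Xi, Gi} carries no index, so each stored record is tried
        in turn; returns ({K, H1, T3}, state) or None on rejection."""
        if now - msg["T1"] > DELTA_T:
            return None                                       # stale T1
        for nid, (v, bit) in self.table.items():
            pw_bar = xor(v, h(nid, self.d))                   # PW̄i = Vi xor h(NIDi' || d)
            id_i = xor(msg["G"], h(pw_bar)).rstrip(b"\0")     # IDi = Gi xor h(PW̄i)
            j = h(id_i, self.d)
            w = h(j, pw_bar, nid)                             # Wi'
            if h(nid, pw_bar, w, tb(msg["T1"]), id_i, msg["G"]) != msg["X"] or bit:
                continue                                      # Xi' != Xi, or account in use
            rs = os.urandom(32)
            sk = h(rs, j, id_i, w)                            # SK = h(rs || Ji || IDi || Wi')
            h1 = h(sk, rs, nid, j, id_i, tb(now))             # T3 = now
            return {"K": xor(rs, w), "H1": h1, "T3": now}, (nid, sk)
        return None

    def confirm(self, state, h2: bytes):                      # Step 5: is H2 == h(SK)?
        nid, sk = state
        if h(sk) != h2:
            return None
        self.table[nid][1] = 1                                # bit = 1: logged in
        return sk

def user_register(server: Server, id_i: bytes, pw: bytes) -> dict:
    ri = os.urandom(32)
    card = server.register(id_i, h(xor(pad32(pw), ri)))      # PW̄i = h(PWi xor ri)
    card["F"] = xor(ri, h(id_i, pw))                          # F = ri xor h(IDi || PWi)
    return card

def card_check(card: dict, id_i: bytes, pw: bytes):
    """Local check on the card: recover ri, PW̄i, Ji and compare NIDi'' with NIDi'."""
    ri = xor(card["F"], h(id_i, pw))
    pw_bar = h(xor(pad32(pw), ri))
    j = xor(card["B"], pw_bar)
    return (ri, pw_bar, j) if h(id_i, pw_bar, j) == card["NID"] else None

def card_login(card: dict, id_i: bytes, pw: bytes, t1: int):
    st = card_check(card, id_i, pw)
    if st is None:
        return None
    _, pw_bar, j = st
    w = h(j, pw_bar, card["NID"])                             # Wi
    g = xor(h(pw_bar), pad32(id_i))                           # Gi = h(PW̄i) xor IDi
    return {"T1": t1, "X": h(card["NID"], pw_bar, w, tb(t1), id_i, g), "G": g}, (j, w)

def card_finish(card: dict, st, resp: dict, id_i: bytes, now: int):
    j, w = st
    if now - resp["T3"] > DELTA_T:                            # stale T3 (assumed check)
        return None
    rs = xor(resp["K"], w)                                    # rs = K xor Wi
    sk = h(rs, j, id_i, w)
    if h(sk, rs, card["NID"], j, id_i, tb(resp["T3"])) != resp["H1"]:
        return None
    return sk, h(sk)                                          # SK and H2 = h(SK)

def change_password(card: dict, id_i: bytes, old_pw: bytes, new_pw: bytes) -> bool:
    st = card_check(card, id_i, old_pw)
    if st is None:
        return False                                          # wrong IDi/PWi: refuse
    ri, pw_bar, j = st
    new_bar = h(xor(pad32(new_pw), ri))
    card["NID"] = h(id_i, new_bar, j)
    card["F"] = xor(ri, h(id_i, new_pw))
    card["B"] = xor(xor(card["B"], new_bar), pw_bar)          # Bi_new = Bi xor PW̄new xor PW̄i
    return True

def run_protocol(server: Server, card: dict, id_i: bytes, pw: bytes, now: int):
    """Full run; (user SK, server SK, login request), or None if either side rejects."""
    out = card_login(card, id_i, pw, now)
    sv = out and server.verify_login(out[0], now)
    fin = sv and card_finish(card, out[1], sv[0], id_i, now)
    return (fin[0], server.confirm(sv[1], fin[1]), out[0]) if fin else None
```

change_password updates only the card, as in the paper; the server record (NIDi′, Vi) is left untouched, so with this code a fresh registration is needed before the next login with the new password.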

Security analysis of the proposed scheme

In this section we first show that the proposed scheme is secure in the random oracle model. We then use BAN logic to prove the correctness of our scheme [32]. Finally, we simulate our scheme for formal security verification using the AVISPA tool [37].

Formal security analysis

In this section we give the formal security analysis of the proposed scheme in the random oracle model.

Definition 1 (One-way hash function [34]) A one-way hash function is a function that cannot feasibly be reversed. It takes a binary string x ∈ {0,1}* of arbitrary length and produces a binary string h(x) ∈ {0,1}^n of fixed length. Its features are:
- it is easy to compute h(x) for any x;
- given h(x), it is very hard to find x (the one-way property);
- given x, it is very hard to find another input x′ ≠ x with h(x) = h(x′);
- it is very hard to find any two inputs with equal hash outputs (collision resistance).

The advantage of an adversary A in finding a collision is
$Adv^{HASH}_A(t) = \Pr[(x, x^*) \Leftarrow A : x \neq x^* \text{ and } h(x) = h(x^*)]$,
where Pr[E] is the probability of the event E over the random choices and (x, x*) ⇐ A means that the pair (x, x*) is chosen at random by A. The hash function is collision resistant if for any ε > 0 we have $Adv^{HASH}_A(t) \leq \varepsilon$. We assume the following random oracle for our formal security analysis:

Reveal This oracle unconditionally outputs the input string x for the corresponding hash value y = h(x).

The following two theorems give the formal security of our scheme against an adversary.

Theorem 1 Under the assumption that the one-way hash function h() behaves like a random oracle, the proposed scheme is secure against an adversary deriving the identity IDi of a legal user Ui, the private key d of the server Sj, and the session key SK between Ui and Sj.

Proof We construct an adversary A who tries to extract the identity IDi of a legal user Ui, the private key d of the server Sj and the session key SK between Ui and Sj. A uses the Reveal oracle to run the experiment $EXP1^{HASH}_{SAKTMIS}$ for our proposed scheme, called SAKTMIS, which is given in Algorithm 1. The success probability of $EXP1^{HASH}_{SAKTMIS}$ is $Succ1^{HASH}_{SAKTMIS} = |2\Pr[EXP1^{HASH}_{SAKTMIS} = 1] - 1|$, and the advantage is $Adv^{HASH}_{SAKTMIS}(t_1, q_R) = \max_A\{Succ1^{HASH}_{SAKTMIS}\}$, where the maximum is taken over all adversaries A with execution time t1 and number of Reveal queries qR. We call our scheme provably secure against A deriving IDi, d and SK if $Adv^{HASH}_{SAKTMIS}(t_1, q_R) \leq \varepsilon$ for any sufficiently small ε > 0. Consider the experiment in Algorithm 1: only if A is able to invert the hash function h() can A obtain IDi, d and SK and win the game. By Definition 1, inverting a one-way hash function h() is computationally infeasible. Since $Adv^{HASH}_A(t) \leq \varepsilon$ for any sufficiently small ε > 0, and $Adv^{HASH}_{SAKTMIS}(t_1, q_R)$ depends on it, we have $Adv^{HASH}_{SAKTMIS}(t_1, q_R) \leq \varepsilon$. Therefore, our scheme is provably secure against an adversary deriving IDi, d and SK.

Algorithm 1. $EXP1^{HASH}_{SAKTMIS}$
1: Eavesdrop the login request message {T1, Xi, Gi} during the login phase, where $X_i = h(NID_i' \| \overline{PW_i} \| W_i \| T_1 \| ID_i \| G_i)$, $G_i = h(\overline{PW_i}) \oplus ID_i$, $\overline{PW_i} = h(PW_i \oplus r_i)$, $W_i = h(J_i \| \overline{PW_i} \| NID_i')$ and $NID_i' = h(ID_i \| \overline{PW_i} \| J_i)$.
2: Call the Reveal oracle on input Xi to retrieve NIDi′, $\overline{PW_i}$, Wi, T1, IDi and Gi as $(NID_i'' \| \overline{PW_i}' \| W_i' \| T_1' \| ID_i' \| G_i') \leftarrow Reveal(X_i)$.
3: Compute $G_i' = h(\overline{PW_i}') \oplus ID_i'$.
4: if (Gi′ = Gi) then
5: Accept IDi′ as the correct identity IDi of the user.
6: Eavesdrop the authentication message {K, H1, T3} during the authentication phase, where $H_1 = h(SK \| r_s \| NID_i' \| J_i \| ID_i \| T_3)$, $K = r_s \oplus W_i'$ and $J_i = h(ID_i \| d)$.
7: Call the Reveal oracle on input H1 to retrieve SK, rs, NIDi′, Ji, IDi and T3 as $(SK' \| r_s' \| NID_i'' \| J_i' \| ID_i' \| T_3') \leftarrow Reveal(H_1)$.
8: Call the Reveal oracle on input Ji′ to retrieve the private key d of the server as $(ID_i' \| d') \leftarrow Reveal(J_i')$.
9: Compute $SK'' = h(r_s' \| J_i' \| ID_i' \| W_i')$ and $H_1'' = h(SK'' \| r_s' \| NID_i'' \| J_i' \| ID_i' \| T_3')$.
10: if (H1 = H1″) then
11: Accept IDi′, d′ and SK″ as the correct identity IDi of the user, the private key d of the server and the session key SK between Ui and Sj, respectively; return 1 (Success)
12: else
13: return 0 (Failure)
14: end if
15: else
16: return 0 (Failure)
17: end if

Theorem 2 Under the assumption that the one-way hash function h() behaves like a random oracle, the proposed scheme is secure against an adversary deriving the password PWi of a user Ui, even if the smart card of Ui is lost or stolen by that adversary.

Proof We construct an adversary A who tries to derive the password PWi of the user Ui after extracting the information stored in the lost or stolen smart card of Ui. A executes the experiment $EXP2^{HASH}_{SAKTMIS}$ given in Algorithm 2. We define the success probability of $EXP2^{HASH}_{SAKTMIS}$ as $Succ2^{HASH}_{SAKTMIS} = |2\Pr[EXP2^{HASH}_{SAKTMIS} = 1] - 1|$ and its advantage as $Adv2^{HASH}_{SAKTMIS}(t_2, q_R) = \max_A\{Succ2^{HASH}_{SAKTMIS}\}$, where the maximum is taken over all adversaries A with execution time t2 and number of Reveal queries qR. Our scheme is secure against A deriving PWi if $Adv2^{HASH}_{SAKTMIS}(t_2, q_R) \leq \varepsilon$ for any sufficiently small ε > 0. Assume A extracts all the secrets {Bi, NIDi′, h(.), F} from the lost or stolen smart card of Ui. According to Algorithm 2, only if A is able to invert the one-way hash function h() can A derive PWi and win the game. By the definition of the hash function, $Adv^{HASH}_A(t) \leq \varepsilon$ for any sufficiently small ε > 0, and since $Adv2^{HASH}_{SAKTMIS}(t_2, q_R)$ depends on it, $Adv2^{HASH}_{SAKTMIS}(t_2, q_R) \leq \varepsilon$. So inverting h() is computationally impractical, and our scheme is secure against an adversary deriving the password PWi of a user Ui even if the smart card of Ui is lost or stolen.

Algorithm 2. $EXP2^{HASH}_{SAKTM IS}$
1: Extract the secret information {Bi, NIDi′, h(.), F} from the memory of the lost or stolen smart card of the user Ui using power analysis attacks [2, 4], where $B_i = J_i \oplus \overline{PW_i}$, $NID_i' = h(ID_i \| \overline{PW_i} \| J_i)$ and $F = r_i \oplus h(ID_i \| PW_i)$.
2: Call the Reveal oracle on input NIDi′ to retrieve IDi, $\overline{PW_i}$ and Ji as $(ID_i' \| \overline{PW_i}' \| J_i') \leftarrow Reveal(NID_i')$.
3: Call the Reveal oracle on input $\overline{PW_i}'$ to retrieve PWi and ri as $(PW_i', r_i') \leftarrow Reveal(\overline{PW_i}')$.
4: Compute $F^* = r_i' \oplus h(ID_i' \| PW_i')$.
5: if (F* = F) then
6: Accept PWi′ as the correct password PWi of the user Ui; return 1 (Success)
7: else
8: return 0 (Failure)
9: end if

Authentication proof based on BAN logic

BAN logic is an authentication protocol analysis model used to prove the validity of authentication and key establishment protocols [32]. The notations and logical rules of BAN logic are given in Table 2.

Table 2 The notations and logical rules used in BAN logic

P |≡ X: the principal P believes the statement X, or P is entitled to believe X.
#(X): the formula X is fresh.
P ⇒ X: the principal P has jurisdiction over the statement X.
P |∼ X: the principal P once said the statement X.
P ⊲ X: the principal P sees the statement X.
⟨X⟩_Y: the formula X combined with the formula Y.
{X}_K: the formula X is encrypted with the key K.
(X)_K: the formula X is hashed with the key K.
P ↔^K Q: the principals P and Q use the shared key K to communicate; K will never be disclosed by any principal other than P and Q.

The message-meaning rule: $\dfrac{P \mid\equiv P \xleftrightarrow{K} Q,\; P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$
The freshness-conjuncatenation rule: $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$
The nonce-verification rule: $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$
The jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$

For brevity we write $K_W = h(h(ID_i \| d) \| h(PW_i \oplus r_i))$ for the key derived from Wi and $K_P = h(PW_i \oplus r_i)$ for the key derived from $\overline{PW_i}$. The protocol messages in idealized form are:

Message 1. $U_i \rightarrow S$: $\langle ID_i \rangle_{K_P},\; (ID_i \| G_i \| NID_i' \| T_1)_{K_W},\; T_1$
Message 2. $S \rightarrow U_i$: $(S \xrightarrow{r_s} U_i)_{K_W},\; (U_i \xleftrightarrow{SK} S \| S \xrightarrow{r_s} U_i \| NID_i' \| ID_i \| T_3)_{SK}$
Message 3. $U_i \rightarrow S$: $(S \xrightarrow{r_s} U_i \| J_i \| ID_i \| W_i')_{SK}$

For the formal analysis using BAN logic, the following assumptions are needed:
A1) $S \mid\equiv \#(T_1)$
A2) $U_i \mid\equiv (U_i \xleftrightarrow{K_W} S)$
A3) $S \mid\equiv (U_i \xleftrightarrow{K_W} S)$
A4) $U_i \mid\equiv (U_i \xleftrightarrow{K_P} S)$
A5) $S \mid\equiv (U_i \xleftrightarrow{K_P} S)$
A6) $U_i \mid\equiv \#(T_3)$
A7) $S \mid\equiv U_i \mid\equiv (U_i \xleftrightarrow{K_W} S)$
A8) $U_i \mid\equiv S \mid\equiv (U_i \xleftrightarrow{K_W} S)$

Using the above assumptions and the BAN logic rules, we verify the proposed scheme as follows.

Lemma 1 The server S can correctly verify the authenticity of the user Ui's login message.

Proof The user Ui sends the login message to the server S. S receives the timestamp together with the other values and can establish the origin of the message as follows:
S1) $S \triangleleft \langle ID_i \rangle_{K_P},\; (ID_i \| G_i \| NID_i' \| T_1)_{K_W},\; T_1$ (seeing rule)
S2) $S \mid\equiv U_i \mid\sim (ID_i \| G_i \| NID_i' \| T_1)$ (A3, A5, S1, message-meaning rule)
S3) $S \mid\equiv \#(ID_i \| G_i \| NID_i' \| T_1)$ (A1, freshness-conjuncatenation rule)
S4) $S \mid\equiv U_i \mid\equiv (ID_i \| G_i \| NID_i' \| T_1)$ (S2, S3, nonce-verification rule)
The server S believes that the timestamp T1 in the message is fresh and that the message was said by Ui, which establishes the origin of the message.

Lemma 2 The user Ui can verify the correctness of the response message sent by the server S.

Proof After confirming the correctness of the legal user Ui's login message, the server S responds with a message that includes S's timestamp T3. Ui can then establish the authenticity of S's message as follows:
S5) $U_i \triangleleft (S \xrightarrow{r_s} U_i)_{K_W},\; (U_i \xleftrightarrow{SK} S \| S \xrightarrow{r_s} U_i \| NID_i' \| ID_i \| T_3)_{SK}$ (seeing rule)
S6) $U_i \mid\equiv S \mid\sim (S \xrightarrow{r_s} U_i \| U_i \xleftrightarrow{SK} S \| NID_i' \| ID_i \| T_3)$ (A2, S5, message-meaning rule)
S7) $U_i \mid\equiv S \mid\equiv (S \xrightarrow{r_s} U_i \| U_i \xleftrightarrow{SK} S \| NID_i' \| ID_i \| T_3)$ (A6, S6, freshness-conjuncatenation and nonce-verification rules)
S8) $U_i \mid\equiv (S \xrightarrow{r_s} U_i),\; T_3$ (A8, S7, jurisdiction rule)
This shows that Ui can correctly verify both the origin of the message and its freshness.

Lemma 3 The user Ui and the server S compute a common session key if the message authentication holds.

Proof In the proposed scheme, the user Ui and the server S compute the session key SK = h(rs ‖ Ji ‖ IDi ‖ Wi′) after verifying the timestamps and the freshness of the random number. By Lemmas 1 and 2, Ui and S correctly verify each other's authenticity. Each session key is built from fresh timestamps and a fresh random number, which guarantees different session keys for different sessions. Ui and S believe that the negotiated session key is correctly computed, as follows:
S9) From S8 and SK = h(rs ‖ Ji ‖ IDi ‖ Wi′): $U_i \mid\equiv U_i \xleftrightarrow{SK} S$
S10) From message 3: $S \triangleleft (S \xrightarrow{r_s} U_i \| J_i \| ID_i \| W_i')_{SK}$
S11) $S \mid\equiv U_i \mid\sim (S \xrightarrow{r_s} U_i \| J_i \| ID_i \| W_i')$ (S10, A3, message-meaning rule)
S12) $S \mid\equiv U_i \mid\equiv (S \xrightarrow{r_s} U_i \| J_i \| ID_i \| W_i')$ (S11, freshness of rs, nonce-verification rule)
S13) From S12 and SK = h(rs ‖ Ji ‖ IDi ‖ Wi′): $S \mid\equiv U_i \xleftrightarrow{SK} S$

Discussions on some attacks

Stolen smart card attack
In this attack, assume an attacker has stolen or found the smart card of the user; then he/she can extract all the information stored on the smart card, {Bi, NIDi′, h(.), F}, by a power analysis attack [2, 4], as described in our threat model and similar to [24]. In order to log in to the server Sj, the attacker needs to guess the correct password PWi of the user Ui. However, we show that the attacker cannot compute the valid values of PWi and IDi, as proved as follows:

Offline password guessing attack
In order to guess the user's password by an offline method, the attacker needs to know the secret key d, the random number ri, and IDi. The user's password PWi is used only inside Gi = h(PW̄i) ⊕ IDi and Xi = h(NIDi′ ‖ PW̄i ‖ Wi ‖ T1 ‖ IDi ‖ Gi), where PW̄i = h(PWi ⊕ ri). It is evident that to guess the correct password, the adversary needs to guess the two correct values IDi and PWi concurrently, but the probability of guessing the correct IDi of length exactly m bits and PWi of length exactly n characters at the same time is approximately 1/2^(6n+m), which is negligible and not possible in polynomial time [35]. Therefore, the proposed scheme is resistant against the offline password guessing attack.

User's stolen/lost smart card is untraceable
The adversary can intercept all transmitted messages {T1, Xi, Gi}, {K, H1, T3} and {H2} during the login and authentication phases; he can also extract {Bi, NIDi′, h(.), F} from SC. The identity of the user is available inside Gi = h(PW̄i) ⊕ IDi, but the attacker cannot obtain the correct identity of the user, because he/she needs to have IDi and PWi simultaneously. As mentioned above, this is not possible in polynomial time [35]. Also, SC does not store the plaintext identity of its holder. So the proposed scheme does not allow tracing the holder of a smart card.

Denial-of-service attack
In the proposed scheme, when Ui inputs his identity IDi and password PWi, the smart card does not instantly compute the login message. It first checks the correctness of the entered IDi and PWi. SC retrieves the random number ri = F ⊕ h(IDi‖PWi), computes PW̄i = h(PWi ⊕ ri) and NIDi″ = h(IDi ‖ PW̄i ‖ Ji), and compares NIDi″ with the stored NIDi′. If NIDi″ = NIDi′ holds, the password is correct; otherwise the entered password is incorrect and SC terminates the session. Thus even a legal user is unable to activate his smart card with a wrong password, which protects the user from the mistake of entering false identifiers. Now the user can access the healthcare services instead of facing a denial of service. Therefore, the proposed scheme resists the denial-of-service attack.

Replay attack
If the adversary AD replays the login message to S, the proposed scheme can resist the replay attack because we use timestamps. If an adversary replays m (resp. m′), then S (resp. Ui) detects the invalid timestamp Ti (resp. Ts).

Stolen verifier attack
In the proposed scheme, the server stores (NIDi′, Vi, bit) as ciphertext in its database, with Vi = h(NIDi′ ‖ d) ⊕ PW̄i and NIDi′ = h(IDi ‖ PW̄i). Only Sj knows the secret key d and PW̄i; hence nobody except Sj can use the values stored in the database. Thus the proposed scheme protects against the stolen verifier attack.

Impersonation attack
In this attack, an attacker tries to impersonate the server Sj or a legal user Ui. For this purpose, the adversary tries to forge a valid login request {T1, Xi, Gi}, where Xi = h(NIDi ‖ PW̄i ‖ Wi ‖ T1 ‖ IDi ‖ Gi) and Gi = h(PW̄i) ⊕ IDi. However, the adversary is unable to compute Xi without knowing IDi and PWi; in addition, as mentioned in the offline password guessing attack section, the attacker cannot guess the correct password of the user. So he/she cannot generate the correct login request, even if the attacker has extracted the secret information {Bi, NIDi′, h(.), F} stored in Ui's smart card. Therefore, the proposed scheme resists the user impersonation attack. On the other hand, the attacker may want to impersonate the server Sj. To do so, the adversary tries to forge the correct response message {K, H1, T3}, where H1 = h(SK ‖ rs ‖ NIDi′ ‖ Ji ‖ IDi ‖ T3) and K = rs ⊕ Wi′. Clearly, the adversary needs to know S's secret key x, so he/she is unable to generate a valid response message. Therefore, the proposed scheme resists the impersonation attack.

Privileged insider attack
In our scheme, Ui does not send his/her password in plaintext. Ui sends PW̄i = h(PWi ⊕ ri), using a random number ri. Thereupon, an insider on the S side cannot obtain the user's password from the registration request phase. In addition, it is not possible to retrieve PWi from PW̄i; therefore, the proposed scheme resists the privileged insider attack.

    role alice (Ui, Sj : agent,
                SK : symmetric_key,
                % H is hash function
                H : hash_func,
                Snd, Rcv : channel(dy))
    % Ui is the user; Sj is the server
    played_by Ui
    def=
      local State : nat,
            IDi, PWi, RPWi, Ri, Rs : text,
            % Ri is a secret number to Ui
            % D and Rs is a secret number to Sj
            T1, T2, T3, Xi, Gi, D : text,
            ADD : hash_func,
            H1, K, H2, NIDi, Wi, RPwi : text
      const alice_bob_T1, bob_alice_T3,
            alice_bob_Ri, bob_alice_Rs,
            subs1, subs2 : protocol_id
      init State := 0
      transition
      % Registration phase
      1. State = 0 /\ Rcv(start) =|>
         State' := 1 /\ Ri' := new() /\ RPWi' := H(xor(PWi,Ri'))
         % Send the registration request message
         /\ Snd({IDi.RPWi'}_SK)
         % Keep d secret to Sj and PWi, Ri to Ui
         /\ secret({D}, subs1, Sj) /\ secret({PWi,Ri'}, subs2, Ui)
      % Receive the smart card from the registration server Sj
      2. State = 1 /\ Rcv({H(IDi.H(xor(PWi,Ri)).H(IDi.D)).
                          xor(H(IDi.D),H(xor(PWi,Ri))).
                          xor(Ri,H(IDi.PWi)).H}_SK) =|>
         % Login phase
         State' := 2 /\ T1' := new()
         /\ NIDi' := H(IDi.H(xor(PWi,Ri)).H(IDi.D))
         /\ Wi' := H(NIDi'.H(xor(PWi,Ri).H(IDi.D)))
         /\ Gi' := xor(IDi, H(H(xor(PWi,Ri))))
         /\ Xi' := H(NIDi'.H(xor(PWi,Ri)).Wi'.IDi.Gi'.T1')
         % Send the login request message
         /\ Snd(Xi'.Gi'.T1')
         /\ witness(Ui, Sj, alice_bob_Ri, Ri)
         % Ui has freshly generated the timestamp T1 for Sj
         /\ witness(Ui, Sj, alice_bob_T1, T1')
      % Authentication phase
      % Receive the authentication request message {K, H1, T3}
      3. State = 2 /\ Rcv(xor(Rs',Wi).
                          H(H(Rs'.H(IDi.D).IDi.Wi).Rs'.NIDi.H(IDi.D).IDi.T3').
                          T3') =|>
         % Send the authentication acknowledgement message
         State' := 3 /\ SK' := H(Rs'.H(IDi.D).IDi.Wi)
         /\ H1' := H(H(Rs'.H(IDi.D).IDi.Wi).Rs'.NIDi.H(IDi.D).IDi.T3')
         /\ H2' := H(H(Rs'.H(IDi.D).IDi.Wi))
         /\ Snd(H2')
         /\ request(Sj, Ui, bob_alice_Rs, Rs')
         % Ui's acceptance of the value T3 generated for Ui by Sj
         /\ request(Sj, Ui, bob_alice_T3, T3')
    end role

Fig. 2 Role specification in HLPSL for the user

    role bob (Ui, Sj : agent,
              SK : symmetric_key,
              % H is hash function
              H : hash_func,
              Snd, Rcv : channel(dy))
    % Ui is the user; Sj is the server
    played_by Sj
    def=
      local State : nat,
            IDi, PWi, RPWi, Ri, Xi, K, D, H1, T3, Rs : text,
            % Ri is a secret number to Ui
            % D is a secret number to Sj
            T1, H2, Gi, T2, T4, Wi, SKi, NIDi, Bi, Ji, Vi : text
      const alice_bob_T1, bob_alice_T3,
            alice_bob_Ri, bob_alice_Rs,
            subs1, subs2 : protocol_id
      init State := 0
      transition
      % Registration phase
      % Receive the registration request message from the user
      1. State = 0 /\ Rcv({IDi.H(xor(PWi,Ri))}_SK) =|>
         % Keep d secret to Sj and PWi, Ri to Ui
         State' := 1 /\ secret({D}, subs1, Sj)
         /\ secret({PWi,Ri}, subs2, Ui)
         % Send the smart card to the user
         /\ NIDi' := H(IDi.H(xor(PWi,Ri)).H(IDi.D))
         /\ Bi' := xor(H(IDi.D),H(xor(PWi,Ri)))
         /\ Snd({NIDi'.Bi'.H}_SK)
      % Login phase
      % Receive the login request message {Xi, Gi, T1}
      2. State = 1 /\ Rcv(H(NIDi.H(xor(PWi,Ri)).Wi'.IDi.Gi'.T1').
                          xor(IDi, H(H(xor(PWi,Ri)))).
                          T1') =|>
         % Authentication phase
         State' := 2
         % generate a random nonce
         /\ Rs' := new()
         % T3 is the current system timestamp
         /\ T3' := new()
         /\ Ji' := H(IDi.D)
         /\ Vi' := xor(H(NIDi.D),H(xor(PWi,Ri)))
         /\ RPWi' := xor(Vi',H(NIDi.D))
         /\ IDi' := xor(RPWi',xor(IDi, H(H(xor(PWi,Ri)))))
         /\ Wi' := H(NIDi.H(xor(PWi,Ri).H(IDi.D)))
         /\ Xi' := H(NIDi.H(xor(PWi,Ri)).Wi'.IDi.Gi'.T1')
         /\ SKi' := H(Rs'.H(IDi.D).IDi.Wi')
         /\ K' := xor(Rs',Wi')
         /\ H1' := H(SKi'.Rs'.NIDi.Ji'.IDi'.T3')
         % Send the authentication request message
         /\ Snd(K'.H1'.T3')
         % Sj has freshly generated the random nonce Rs for Ui
         /\ witness(Sj, Ui, bob_alice_Rs, Rs')
         % Sj has freshly generated the timestamp T3 for Ui
         /\ witness(Sj, Ui, bob_alice_T3, T3')
      % Receive the authentication acknowledgement message {H2}
      3. State = 2 /\ Rcv(H(H(Rs.H(IDi.D).IDi.Wi))) =|>
         % Sj's acceptance of the value Ri generated for Sj by Ui
         State' := 3 /\ request(Ui, Sj, alice_bob_Ri, Ri)
         % Sj's acceptance of the value T1 generated for Sj by Ui
         /\ request(Ui, Sj, alice_bob_T1, T1)
    end role

Fig. 3 Role specification in HLPSL for the server
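The following is an added example, not code from the paper or the AVISPA project: a Python model of the login and authentication exchange as the attack discussion above describes it, with the smart card's local NIDi″ check (denial-of-service), the timestamp window (replay) and the server's status-bit check (the many logged-in users' attack discussed below). Assumed here because the page does not specify them: SHA-1 as h(.), 160-bit IDi, PWi and nonces, the definition Wi = h(NIDi′ ‖ PW̄i ‖ Ji), and a scan over the server's table to find the record matching Gi.

```python
import hashlib
import os

L = 20  # 160-bit values, matching the communication-cost analysis

def h(*parts):
    """h(.) over the '||' concatenation of its arguments (SHA-1 is an assumption)."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):
    return t.to_bytes(4, "big")  # 32-bit timestamp, as in the cost analysis

class Server:
    def __init__(self):
        self.d = os.urandom(L)   # server secret key d
        self.table = {}          # NIDi' -> [Vi, status bit]
        self.sk = None

    def register(self, IDi, PWbar):
        """Registration: Ji, NIDi', Bi, Vi; the table row is (NIDi', Vi, bit)."""
        Ji = h(IDi, self.d)
        NIDi = h(IDi, PWbar, Ji)
        self.table[NIDi] = [xor(h(NIDi, self.d), PWbar), 0]
        return xor(Ji, PWbar), NIDi           # smart-card values Bi, NIDi'

    def authenticate(self, msg, now, window=60):
        """Verify {T1, Xi, Gi}; reply {K, H1, T3} or None on rejection."""
        T1, Xi, Gi = msg
        if abs(now - T1) > window:
            return None                       # stale or replayed T1
        for NIDi, (Vi, bit) in self.table.items():   # assumed table scan
            PWbar = xor(Vi, h(NIDi, self.d))  # recover PWbar with d
            IDi = xor(Gi, h(PWbar))           # identity hidden inside Gi
            Ji = h(IDi, self.d)
            if h(IDi, PWbar, Ji) != NIDi:
                continue                      # not this user's record
            Wi = h(NIDi, PWbar, Ji)           # assumed definition of Wi'
            if Xi != h(NIDi, PWbar, Wi, ts(T1), IDi, Gi) or bit == 1:
                return None                   # forged Xi, or already logged in
            self.table[NIDi][1] = 1           # status bit: one session at a time
            rs, T3 = os.urandom(L), now
            self.sk = h(rs, Ji, IDi, Wi)      # SK = h(rs||Ji||IDi||Wi')
            H1 = h(self.sk, rs, NIDi, Ji, IDi, ts(T3))
            return xor(rs, Wi), H1, T3        # K = rs xor Wi'
        return None

    def finish(self, H2):
        return self.sk is not None and H2 == h(self.sk)

class SmartCard:
    def __init__(self, server, IDi, PWi):
        ri = os.urandom(L)
        PWbar = h(xor(PWi, ri))               # PWbar = h(PWi xor ri), sent instead of PWi
        self.Bi, self.NIDi = server.register(IDi, PWbar)
        self.F = xor(ri, h(IDi, PWi))         # card holds {Bi, NIDi', h(.), F}
        self.sk = None

    def login(self, IDi, PWi, now):
        """Check IDi/PWi locally before building the login message."""
        ri = xor(self.F, h(IDi, PWi))
        PWbar = h(xor(PWi, ri))
        Ji = xor(self.Bi, PWbar)
        if h(IDi, PWbar, Ji) != self.NIDi:    # NIDi'' != NIDi': wrong credentials
            return None
        self.IDi, self.Ji = IDi, Ji
        self.Wi = h(self.NIDi, PWbar, Ji)     # assumed definition of Wi
        Gi = xor(h(PWbar), IDi)
        Xi = h(self.NIDi, PWbar, self.Wi, ts(now), IDi, Gi)
        return now, Xi, Gi                    # login request {T1, Xi, Gi}

    def finish(self, reply, now, window=60):
        """Verify {K, H1, T3}; return the acknowledgement H2 or None."""
        K, H1, T3 = reply
        if abs(now - T3) > window:
            return None                       # stale or replayed T3
        rs = xor(K, self.Wi)
        sk = h(rs, self.Ji, self.IDi, self.Wi)
        if H1 != h(sk, rs, self.NIDi, self.Ji, self.IDi, ts(T3)):
            return None                       # server impersonation attempt
        self.sk = sk
        return h(sk)                          # H2 = h(SK)
```

A second presentation of the same login message is refused by the status bit while the first session is open, and a copy presented outside the timestamp window is refused before any record lookup.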

Forward secrecy

Suppose the server's secret key x is leaked. Even then, the adversary cannot compute the session keys, because the adversary needs to know the identity of the user to obtain the session key SK = h(rs‖Ji‖IDi‖Wi′). Thus the session key is not obtained. As a result, forward secrecy is provided in the proposed scheme.

Many logged-in users' attacks

The "many logged-in users' attack" means that the user's smart card is lost or stolen and his/her identity IDi and password PWi are disclosed to other users. Then everyone who has the smart card and knows the password PWi can log in to the server simultaneously [25, 26]. However, a suitable server does not allow more than one person to access the account of a legitimate user simultaneously. In the proposed scheme, we assume that Ui's identity IDi, password PWi, and parameters {Bi, NIDi′, h(.), F} are leaked to more than one non-registered user. However, the server does not allow more than one user to log in to the server simultaneously, because the server S maintains a status-bit field in its identity table. For example, suppose that the first user logs in to S. Then S sets the status bit to one. Now, if a second user wants to log in to S, the server S rejects the second user's request, because the status bit shows that someone is already logged in. Thus, the proposed scheme is secure against the many logged-in users' attack.

    role environment() def=
      const ui, sj : agent,
            sk : symmetric_key,
            h : hash_func,
            alice_bob_T1, bob_alice_T3,
            alice_bob_Ri, bob_alice_Rs,
            subs1, subs2 : protocol_id
      intruder_knowledge = {ui, sj, h}
      composition
        session(ui, sj, sk, h) /\ session(ui, sj, sk, h)
    end role

    goal
      secrecy_of subs1
      secrecy_of subs2
      authentication_on alice_bob_T1
      authentication_on alice_bob_Ri
      authentication_on bob_alice_T3
      authentication_on bob_alice_Rs
    end goal

    environment()

Fig. 4 Role in HLPSL for the goal and environment of our scheme

    role session(Ui, Sj : agent, SK : symmetric_key, H : hash_func) def=
      local SI, SJ, RI, RJ : channel(dy)
      composition
        alice(Ui, Sj, SK, H, SI, RI) /\ bob(Ui, Sj, SK, H, SJ, RJ)
    end role

Fig. 5 Role specification in HLPSL for the session of our scheme

    % OFMC
    % Version of 2006/02/13
    SUMMARY
      SAFE
    DETAILS
      BOUNDED_NUMBER_OF_SESSIONS
    PROTOCOL
      /home/avispa/web-interfacecomputation/./tempdir/workfileigssLF.if
    GOAL
      as_specified
    BACKEND
      OFMC
    COMMENTS
    STATISTICS
      parseTime: 0.00s
      searchTime: 0.19s
      visitedNodes: 24 nodes
      depth: 4 plies

Fig. 6 The result of the analysis using OFMC

Table 3 Comparison of computational overhead

Scheme             | Login and authentication | Total time
Lee et al. [39]    | 2Tme + 10Th              | 41.6 ms
Lin [14]           | 2Tme + 11Th              | 49.2 ms
Cao et al. [15]    | 2Tme + 8Th               | 40.9 ms
Maitra et al. [18] | 10Th + 2Ts + 1Tme        | 33.6 ms
Guo et al. [31]    | 5Th + 5Ts                | 29.6 ms
Das [24]           | 14Th                     | 4.4 ms
Our scheme         | 17Th                     | 5.4 ms

Simulation for formal security verification of the proposed scheme using AVISPA tool

In order to show that our scheme is secure against passive and active attacks, we simulate the proposed scheme for formal security verification using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool [37]. We follow the formal security analysis of our scheme in a way similar to the schemes proposed in [30, 34, 38]. HLPSL (High Level Protocol Specification Language), which is a role-oriented language [36], is employed to specify security protocols for verification using the AVISPA tool. The output format (OF) of AVISPA is generated using one of the following four back-ends [36, 37]:

1. the On-the-fly Model-Checker (OFMC)
2. Constraint Logic based Attack Searcher (CL-AtSe)
3. SAT-based Model-Checker (SATMC)
4. Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)

The first printed section of the OF is called "SUMMARY". This section states whether the protocol is safe or not; it may also report that the analysis of the protocol was inconclusive. "DETAILS" is the second section, which presents three types of report. If the protocol is recognized as unsafe in the "SUMMARY" section, the "DETAILS" section states the conditions under which the protocol would be safe, and which conditions an attack needs to assume. Finally, if the result of the "SUMMARY" section is inconclusive, its cause is analyzed. At the end of the analysis, the trace of the attack (if any) is also given in the usual Alice-Bob format.

Specifying our scheme

Based on HLPSL, as a role-based language [36], we have two roles: one for alice, which represents the participant as the user Ui, and another for bob, which represents the remote server Sj. The role of the user Ui is shown in Fig. 2. In this role, Ui first receives the start signal and then sends the registration request message {PW̄i, IDi} via a secure channel to the server Sj, using a symmetric key SK shared between Ui and Sj, via the Snd() operation. In the registration phase, the user Ui receives a smart card including the information {Bi, NIDi′, h(.), F} through a secure channel from Sj by the Rcv() operation. Some basic terms supported by HLPSL are listed as follows:

• Agent: used for a principal entity. An intruder is always assumed to have the special identifier i.
• Symmetric key: denotes a key for a symmetric-key cryptosystem.
• Text: used for messages, in the form of a nonce.
• Nat: the type representing the natural numbers in non-message contexts.
• Hash func: cryptographic hash functions.

In the login phase of our scheme, the user Ui sends the login request message {T1, Xi, Gi} to the server Sj. During the authentication phase, after receiving the authentication request message {K, H1, T3} from S, Ui sends the authentication acknowledgment message {H2} to S. The role of the responder, the server S, is shown in Fig. 3. In the registration phase, after receiving the registration request message {PW̄i, IDi} via a secure channel from the user, S issues a smart card and sends it, including the information {Bi, NIDi′, h(.), F}, securely to Ui. In the login phase, after receiving the login request message, S sends the authentication request message {K, H1, T3} to Ui. Finally, S waits for the authentication acknowledgment message {H2} from Ui. In Figs. 4 and 5, we have described the roles for the goal and environment, and for the session, of our scheme, respectively. The simulation results of the proposed scheme using the AVISPA web tool [37] with the OFMC back-end are shown in Fig. 6.

Table 4 The communication cost

Scheme             | Number of messages | Communication cost (bit) of login and authentication
Guo et al. [31]    | 3                  | 1080
Arshad et al. [29] | 3                  | 1920
Sarkar [34]        | 2                  | 1184
Das [24]           | 3                  | 1120
Our scheme         | 3                  | 864

Performance comparison

In this section, the performance of the proposed scheme is compared with the schemes proposed in [14, 15, 18, 24, 31, 39]. For the performance comparison, and according to [17], we define the following notations: Tme is the time for executing a modular exponentiation, 0.0192 s = 19.2 ms; Th is the time for executing a one-way hash function, 0.00032 s = 0.32 ms; Ts is the time for executing a symmetric-key encryption/decryption operation, 0.0056 s = 5.6 ms; Tm is the time for an elliptic curve point multiplication, 0.0171 s = 17.1 ms. We have focused on the computation time of the login and verification phases, which are the main part of the authentication scheme. We have compared the performance of our scheme with other related schemes in Table 3. Note that the time for executing an XOR operation is assumed to be negligible. As shown in Table 3, the proposed scheme is much more efficient than the related schemes. Furthermore, it does not have security problems such as the stolen smart card attack, the offline password guessing attack, the many logged-in users' attack, and the known session-specific temporary information attack. In Table 4, we report the communication cost, based on the number of messages and the bandwidth required during the login and authentication phases, and compare it with the other relevant schemes. In this table we assume that the output of the hash function h() is 160 bits long, the random numbers are 160 bits long, a timestamp is 32 bits, a user identity is 160 bits, a point on the elliptic curve is 320 bits, and AES symmetric encryption uses 128-bit blocks. Under these assumptions, in the proposed scheme the login message {T1, Xi, Gi} requires (160 + 160 + 32) = 352 bits and the authentication phase messages {K, H1, T3} and {H2} require (160 + 160 + 32 + 160) = 512 bits. Finally, the proposed scheme requires 1024 bits. The communication costs of the other relevant schemes are shown in Table 4.

Conclusions

In this paper, we have analyzed Das's scheme, a secure and robust password-based remote user authentication scheme using smart cards for the integrated EPR information system, and showed that his scheme is vulnerable to the offline password guessing attack, the online password guessing attack, the many logged-in users' attack, and the known session-specific temporary information attack. In order to overcome these weaknesses, we have proposed a new scheme whose security is established by formal security verification. In the security analysis, we showed that the proposed scheme is secure under both informal and formal security analysis. Furthermore, we demonstrated the completeness of our scheme via BAN logic. Then we used the simulation results of the AVISPA back-end OFMC for the formal security verification, which show that our scheme is safe against passive and active attacks.

References

1. Khan, M. K., and Kumari, S., An authentication scheme for secure access to healthcare services. J. Med. Syst. 37(4):9954, 2013.
2. Messerges, T. S., Dabbish, E. A., and Sloan, R. H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
3. Khan, M. K., and Kumari, S., Cryptanalysis and improvement of "An efficient and secure dynamic ID-based authentication scheme for Telecare medical information systems". Secur. Commun. Netw. 7(2):399–408, 2014.
4. Witteman, M., Advances in smartcard security. Inf. Secur. Bull. 7:11–22, 2002.
5. Lee, N. Y., and Chen, J. C., Improvement of one-time password authentication scheme using smart card. IEICE Trans. Commun. E88-B(9):3765–3769, 2005.
6. Chen, T. H., Hsiang, H. C., and Shih, W. K., Security enhancement on an improvement on two remote user authentication schemes using smart cards. Futur. Gener. Comput. Syst. 27(4):377–380, 2011.
7. Wu, Z. Y., Lee, Y. C., Lai, F., Lee, H. C., and Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1529–1535, 2012.
8. He, D. B., Chen, J. H., and Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36:1989–1995, 2012.
9. Wei, J., Hu, X., and Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3597–3604, 2012.
10. Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36:3833–3838, 2012.
11. Das, M. L., Saxana, A., and Gulati, V. P., A dynamic ID-based remote user authentication scheme. IEEE Trans. Consum. Electron. 50(2):629–631, 2004.
12. Chen, H. M., Lo, J. W., and Yeh, C. K., An efficient and secure dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 36(6):3907–3915, 2012.
13. Khan, M. K., et al., Cryptanalysis and security enhancement of a more efficient and secure dynamic id-based remote user authentication scheme. Comput. Commun. 34(3):305–309, 2010.
14. Lin, H. Y., On the security of a dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 37:9929, 2013.
15. Cao, T., and Zhai, J., Improved dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 37:9912, 2013.
16. Sood, S. K., Sarjee, A. K., and Singh, K., An improvement of Liao et al.'s authentication scheme using smart card. IEEE 2nd International Advance Computing Conference (IACC2010), Patiala, India, pp. 240–245, 2010.
17. He, D., Kumar, N., Lee, J. H., and Sherratt, R. S., Enhanced three factor security protocol for consumer USB mass storage devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.
18. Maitra, T., and Giri, D., An efficient biometric and password based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):142, 2014.
19. He, D., Kumar, N., Chilamkurti, N., and Lee, J. H., Lightweight ECC based RFID authentication integrated with an ID verifier transfer protocol. J. Med. Syst. 38(10):1–6, 2014.
20. Hwang, M. S., and Li, L. H., A new remote user authentication scheme using smart cards. IEEE Trans. Consum. Electron. 46(1):28–30, 2000.
21. Wen, F., and Li, X., An improved dynamic ID-based remote user authentication with key agreement scheme. Comput. Electr. Eng. 38(2):381–387, 2011.
22. Chen, C., He, D., Chan, S., Bu, S. J., Gao, Y., and Fan, R., Lightweight and provably secure user authentication with anonymity for the global mobility network. Int. J. Commun. Syst. 24(3):347–362, 2011.
23. Lee, T. F., Chang, J. B., Chan, C. W., and Liu, H. C., Password-based mutual authentication scheme using smart cards. The E-learning and Information Technology Symposium (EITS2010), Tainan, Taiwan, 2010.
24. Das, A., A secure and robust password-based remote user authentication scheme using smart cards for the integrated EPR information system. J. Med. Syst. 39:25, 2015.
25. Li, C. T., Lee, C. C., Weng, C. Y., and Fan, C. I., An extended multi-server-based user authentication and key agreement scheme with user anonymity. KSII Trans. Internet Inf. Syst. 7:119–131, 2013.
26. Li, C. T., A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card. IET Inf. Secur. 7:3–10, 2013.
27. Wen, F., A more secure anonymous user authentication scheme for the integrated EPR information system. J. Med. Syst. 38(5):42, 2014.
28. Wen, F. T., and Guo, D. L., An improved anonymous authentication scheme for telecare medical information systems. J. Med. Syst. 38(5):26, 2014.
29. Arshad, H., and Nikooghadam, M., Three-factor anonymous authentication and key agreement scheme for telecare medicine information systems. J. Med. Syst. 38:136, 2014.
30. Das, A., A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems. J. Med. Syst. 39:218, 2015.
31. Guo, D., Wen, Q., Li, W., Zhang, H., and Jin, Z., An improved biometrics-based authentication scheme for telecare medical information systems. J. Med. Syst. 39:20, 2015.
32. Burrows, M., Abadi, M., and Needham, R., A logic of authentication. ACM Trans. Comput. Syst. 8(1):18–36, 1990.
33. He, D., and Zeadally, S., An analysis of RFID authentication schemes for internet of things in healthcare environment using elliptic curve cryptography. IEEE Internet Things J. 2(1):72–83, 2015.
34. Sarkar, P., A simple and generic construction of authenticated encryption with associated data. ACM Trans. Inf. Syst. Secur. 13(4):33, 2010.
35. Chang, Y. F., Yu, S. H., and Shiao, D. R., An uniqueness-and anonymity preserving remote user authentication scheme for connected health care. J. Med. Syst. 37:9902, 2013.
36. The AVISPA Project, HLPSL tutorial: a beginner's guide to modelling and analysing Internet security protocols. Available at URL: www.avispa-project.org, 2005.
37. AVISPA. Automated Validation of Internet Security Protocols and Applications. http://www.avispa-project.org/. Accessed on January 2013.
38. Mishraa, D., Das, A. K., and Mukhopadhyay, S., A secure user anonymity-preserving biometric-based multi-server authenticated key agreement scheme using smart cards. Expert Syst. Appl. 41(18):8129–8143, 2014.
39. Lee, T. F., and Liu, C. M., A secure smart-card based authentication and key agreement scheme for telecare medicine information systems. J. Med. Syst. 37:9933, 2013.
40. Stallings, W., Cryptography and network security: principles and practices, 3rd edition. Englewood Cliffs, Prentice Hall, 2003.
41. Li, C. T., Lee, C. C., and Weng, C. Y., A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems. J. Med. Syst. 38(9):77, 2014.
42. He, D., Kumar, N., and Chilamkurti, N., A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci. 2015. doi:10.1016/j.ins.2015.02.010.
43. He, D., and Zeadally, S., Authentication protocol for ambient assisted living system. IEEE Commun. Mag. 35(1):71–77, 2015.
44. Chen, C. L., Yang, T. T., Chiang, M. L., and Shih, T. F., A privacy authentication scheme based on cloud for medical environment. J. Med. Syst. 38(11):143, 2014.
45. Arshad, H., and Nikooghadam, M., An efficient and secure authentication and key agreement scheme for session initiation protocol using ECC. Multimedia Tool Appl. 2014. doi:10.1007/s11042-014-2282-x.
46. Mir, O., and Nikooghadam, M., A secure biometrics based authentication with key agreement scheme in telemedicine networks for E-health services. Wirel. Pers. Commun. 2015. doi:10.1007/s11277-015-2538-4.
47. He, D., Zhang, Y., and Chen, J., Cryptanalysis and improvement of an anonymous authentication protocol for wireless access networks. Wirel. Pers. Commun. 74(2):229–243, 2014.