http://dx.doi.org/10.9708/jksci.2021.26.09.089

Analysis of Al-Saggaf et al's Three-factor User Authentication Scheme for TMIS  

Park, Mi-Og (Dept. of Computer Engineering, Sungkyul University)
Abstract
In this paper, we analyze the user authentication scheme for TMIS (Telecare Medicine Information System) proposed by Al-Saggaf et al. In 2019, Al-Saggaf et al. proposed an authentication scheme using biometric information and claimed that it provides high security against various attacks along with very low computational cost. However, our analysis shows that the scheme contains a design error: the random number s that the server needs in order to calculate the identity of the user is missing from the DB, and the scheme has no method for delivering it. Al-Saggaf et al. also claimed that their authentication scheme is safe against a variety of attacks, but it is vulnerable to a password guessing attack using login request messages and smart cards, to session key exposure, and to an insider attack. Because the user's biometric information is stored in the DB encrypted with the password, an attacker who has the password can also decrypt it. Exposure of biometric information is a very serious breach of the user's privacy and could allow an attacker to succeed in user impersonation. Furthermore, the scheme is vulnerable to an identity guessing attack and therefore, contrary to what its authors claimed, does not provide significant user anonymity in TMIS.
Keywords
User authentication; TMIS; Smart-card; Password guessing attack; Biometrics;
Times Cited By KSCI: 1
References
1 Keewon Kim, "Cryptanalysis and Improvement of RSA-based Authentication Scheme for Telecare Medical Information Systems," Journal of the Korea society of computer and information Vol. 25 No. 2, pp. 93-103, Feb. 2020.
2 A. A. Al-Saggaf and T. R. Sheltami, "Renewable and Anonymous Biometrics-Based Remote User Authentication Scheme Using Smart Cards for Telecare Medicine Information System," 2019 Advances in Science and Engineering Technology International Conferences (ASET), pp. 1-6, 2019. DOI: 10.1109/ICASET.2019.8714479
3 A. K. Das and A. Goswami, "A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care," Journal of Medical Systems, Vol. 37, No. 3, May 2013.
4 D. Mishra, S. Mukhopadhyay, S. Kumari, M. Khan, and A. Chaturvedi, "Security enhancement of a biometrics based authentication scheme for telecare medicine information systems with nonce," Journal of Medical Systems, Vol. 38, No. 5, Apr. 2014.
5 Kwang-Cheul, Shin, "Structural vulnerability analysis and improvement of a biometrics-based remote user authentication scheme of Li and Hwang's," Journal of the Korea society of computer and information Vol. 17 No. 7, pp. 107-115, Jul. 2012.
6 Younghwa An, "A Strong Biometric-based Remote User Authentication Scheme for Telecare Medicine Information Systems with Session Key Agreement," International Journal of Internet, Broadcasting and Communication, Vol. 8 No. 3, pp. 41-49, Aug. 2016.
7 A. K. Awasthi and K. Srivastava, "A biometric authentication scheme for telecare medicine information systems with nonce," Journal of Medical Systems, Vol. 37, Issue. 5, Aug. 2013.
8 Z. Tan, "A user anonymity preserving three-factor authentication scheme for telecare medicine information systems," Journal of Medical Systems, Vol. 38, Issue. 3, Mar. 2014.
9 H. Arshad and M. Nikooghadam, "Three-Factor Anonymous Authentication and Key Agreement Scheme for Telecare Medicine Information Systems," Journal of Medical Systems, Vol. 38, Issue. 12, Oct. 2014. DOI: 10.1007/s10916-014-0136-8
10 Q. Xie, B. Hu, N. Dong, and D. S. Wong, "Anonymous three party password-authenticated key exchange scheme for telecare medical information systems," PLoS One, Vol. 9, No. 7, e102,747, Jul. 2014.
11 Chang, Y.F., Yu, S.H., and Shiao, D.R., "A Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care," Journal of Medical Systems, Vol. 37, Issue. 2, Jan. 2013. DOI: 10.1007/s10916-012-9902-7
12 Y. Lu, L. Li, H. Peng, and Y. Yang, "An Enhanced Biometric-Based Authentication Scheme for Telecare Medicine Information Systems Using Elliptic Curve Cryptosystem," Journal of Medical Systems, Vol. 39, Issue. 3, Mar. 2015.
13 Q. Xie, L. Wenhao, Wang. Shengbao, Han. Lidong, H. Bin, and W. Ting, "Improvement of a Uniqueness-and-Anonymity-Preserving User Authentication Scheme for Connected Health Care," Journal of Medical Systems, Vol. 38, Issue. 9, Jul. 2014.
14 A. K. Awasthi, , and A. Goswami, "An enhanced biometric authentication scheme for telecare medicine information systems with nonce using chaotic hash function," Journal of Medical Systems, Vol. 38, Issue: 6, Jun. 2014.
15 L. Xu and F. Wu, "Cryptanalysis and Improvement of a User Authentication Scheme Preserving Uniqueness and Anonymity for Connected Health Care," Journal of Medical Systems, Vol. 39, Issue. 10, Jan. 2015.
16 L. Zhang, S. Zhu, and S. Tang, "Privacy Protection for Telecare Medicine Information Systems using a Chaotic Map-Based Three Factor Authenticated Key Agreement Scheme," IEEE Journal of Biomedical and Health Informatics, Vol. 21, No. 2, pp. 465-475, Mar. 2017.
17 Mi-Og, Park, "Design Flaws and Cryptanalysis of Cui et al's User Authentication Scheme," Journal of the Korea society of computer and information, Vol. 24, No. 10, pp. 41-48, Oct. 2019.