Browse > Article
http://dx.doi.org/10.3837/tiis.2017.07.023

Robust Biometric-based Anonymous User Authenticated Key Agreement Scheme for Telecare Medicine Information Systems  

Jung, Jaewook (Department of Computer Engineering, Sungkyunkwan University)
Moon, Jongho (Department of Computer Engineering, Sungkyunkwan University)
Won, Dongho (Department of Computer Engineering, Sungkyunkwan University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.11, no.7, 2017 , pp. 3720-3746 More about this Journal
Abstract
At present, numerous hospitals and medical institutes have implemented Telecare Medicine Information Systems (TMIS) with authentication protocols to enable secure, efficient electronic transactions for e-medicine. Numerous studies have investigated the use of authentication protocols to construct efficient, robust health care services, and recently, Liu et al. presented an authenticated key agreement mechanism for TMIS. They argued that their mechanism can prevent various types of attacks and preserve a secure environment. However, we discovered that Liu et al.'s mechanism presents some vulnerabilities. First, their mechanism uses an improper identification process for user biometrics; second, the mechanism is not guaranteed to protect against server spoofing attacks; third, there is no session key verification process in the authentication process. As such, we describe how the above-mentioned attacks operate and suggest an upgraded security mechanism for TMIS. We analyze the security and performance of our method to show that it improves security relative to comparable schemes and also operates in an efficient manner.
Keywords
Authentication; Fuzzy extractor; Session key verification; Telecare Medicine Information Systems (TMIS);
Citations & Related Records
연도 인용수 순위
  • Reference
1 J. Wei, X. Hu and W. Liu, "An improved authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 6, pp. 3597-3604, 2012.   DOI
2 D. Mishra, S. Mukhopadhyay, S. Kumari, M.K. Khan and A. Chaturvedi, "Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce," Journal of medical systems, vol. 38, no. 5, pp. 41, 2014.   DOI
3 Z.Y. Wu, Y. Chung, F. Lai and T.S. Chen, "A password-based user authentication scheme for the integrated EPR information system," Journal of medical systems, vol. 36, no. 2, pp. 631-638, 2012.   DOI
4 T.F. Lee, I.P. Chang, T.H. Lin and C.C. Wang, "A secure and efficient password-based user authentication scheme using smart cards for the integrated epr information system," Journal of medical systems, vol. 37, no. 3, pp. 1-7, 2013.
5 F. Wen, "A more secure anonymous user authentication scheme for the integrated EPR information system," Journal of medical systems, vol. 38, no. 5, pp. 1-7, 2014.   DOI
6 M.K. Khan, A. Chaturvedi, D. Mishra and S. Kumari, "On the security enhancement of integrated electronic patient records information systems," Computer Science and Information Systems, vol. 12, no. 2, pp. 857-872, 2015.   DOI
7 A.K. Das, "A secure and robust password-based remote user authentication scheme using smart cards for the integrated epr information system," Journal of medical systems, vol. 39, no. 3, pp. 1-14, 2015.   DOI
8 C.T. Li, C.Y. Weng, C.C. Lee and C.C. Wang, "A hash based remote user authentication and authenticated key agreement scheme for the integrated EPR information system," Journal of medical systems, vol. 39, no. 11, pp. 1-11, 2015.   DOI
9 D. Mishra, S. Mukhopadhyay, A. Chaturvedi, S. Kumari and M.K. Khan, "Cryptanalysis and improvement of Yan et al.'s biometric-based authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 38, no. 6, pp. 24, 2014.   DOI
10 X. Xu, P. Zhu, Q. Wen, Z. Jin, H. Zhang and L. He, "A secure and efficient authentication and key agreement scheme based on ecc for telecare medicine information systems," Journal of medical systems, vol. 38, no. 1, pp. 1-7, 2014.   DOI
11 S.H. Islam and M.K. Khan, "Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems," Journal of medical systems, vol. 38, no. 10, pp. 1-16, 2014.   DOI
12 D. Mishra, "Understanding Security Failures of Two Authentication and Key Agreement Schemes for Telecare Medicine Information Systems," Journal of medical systems, vol. 39, no. 3, pp. 19, 2015.   DOI
13 T.F. Lee, "An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems," Journal of medical systems, vol. 37, no. 6, pp. 9985, 2013.   DOI
14 S.A. Chaudhry, H. Naqvi, T. Shon, M. Sher and M.S. Farash, "Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems," Journal of Medical Systems, vol. 39, no. 6, pp. 66, 2015.   DOI
15 M. Wazid, A.K. Das, S. Kumari, X. Li and F. Wu, "Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS," Security and Communication Networks, vol. 9, no. 13, pp. 1983-2001, 2016.
16 A. Irshad, M. Sher, O. Nawaz, S.A. Chaudhry, I. Khan and S. Kumari, "A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme," Multimedia Tools and Applications, pp. 1-27, 2016.
17 W. Dai, Crypto++ Library, 5.6.1., http://www.cryptopp.com, 2011.
18 D. von Oheimb, "The high-level protocol specification language HLPSL developed in the EU project AVISPA," in Proc. of APPSEM workshop, pp. 1-17, 2005.
19 D. Dolev and A. Yao, "On the security of public key protocols," IEEE Transactions on information theory, vol. 29, no. 2, pp. 198-208, 1983.   DOI
20 A. K. Das, "A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems," Journal of medical systems, vol. 39, no. 3, pp. 1-20, 2015.   DOI
21 A. K. Sutrala, A. K. Das, V. Odelu, M. Wazid and S. Kumari, "Secure anonymity-preserving password-based user authentication and session key agreement scheme for telecare medicine information systems," Computer Methods and Programs in Biomedicine, vol. 135, pp. 167-185, 2016.   DOI
22 M. H. Ibrahim, S. Kumari, A. K. Das, M. Wazid and V. Odelu, "Secure anonymous mutual authentication for star two-tier wireless body area networks," Computer methods and programs in biomedicine, vol. 135, pp. 37-50, 2016.   DOI
23 M. Wazid, A. K. Das, S. Kumari, X. Li and F. Wu, "Provably secure biometric-based user authentication and key agreement scheme in cloud computing," Security and Communication Networks, vol. 9, no. 17, pp. 4103-4119, 2016.   DOI
24 M. Wazid, S. Zeadally, A. K. Das and V. Odelu, "Analysis of Security Protocols for Mobile Healthcare," Journal of medical systems, vol. 40, no. 11, pp. 1-10, 2016.   DOI
25 S. Challa, M. Wazid, A. K. Das, N. Kumar, A. G. Reddy, E. J. Yoon and K. Y. Yoo, "Secure Signature-Based Authenticated Key Establishment Scheme for Future IoT Applications," IEEE Access, vol. 5, pp. 3028-3043, 2017.   DOI
26 W. Liu, Q. Xie, S. Wang and B. Hu, "An improved authenticated key agreement protocol for telecare medicine information system," SpringerPlus, vol. 5, no. 1, pp. 555, 2016.   DOI
27 S.A. Chaudhry, M.T. Khan, M.K. Khan and T. Shon, "A multiserver biometric authentication scheme for TMIS using elliptic curve cryptography," Journal of medical systems, vol. 40, no. 11, pp. 230.   DOI
28 D. Giri, T. Maitra, R. Amin and P.D. Srivastava, "An Efficient and Robust RSA-Based Remote User Authentication for Telecare Medical Information Systems," Journal of medical systems, vol. 39, no. 1, pp. 1-9, 2015.   DOI
29 R, Amin and G.P. Biswas, "An improved rsa based user authentication and session key agreement protocol usable in TMIS," Journal of Medical Systems, vol. 39, no. 8, pp. 1-14, 2015.   DOI
30 N. Koblitz, "Elliptic curve cryptosystems," Mathematics of computation, vol. 48, no. 177, pp. 203-209, 1987.   DOI
31 Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 523-540, 2004.
32 X. Li, Q. Wen, W. Li, H. Zhang and Z. Jin, "Secure privacy-preserving biometric authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 38, no. 11, pp. 1-8, 2014.   DOI
33 M. Zhang, J. Zhang and Y. Zhang, "Remote three-factor authentication scheme based on Fuzzy extractors," Security and Communication Networks, vol. 8, no. 4, pp. 682-693, 2015.   DOI
34 Y. Choi, Y. Lee and D. Won, "Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction," International Journal of Distributed Sensor Networks, vol. 2016, pp. 2, 2016.
35 D. Kang, J. Jung, J. Mun, D. Lee, Y. Choi and D. Won, "Efficient and robust user authentication scheme that achieve user anonymity with a Markov chain," Security and Communication Networks, vol. 9, no. 11, pp. 1462-1476, 2016.   DOI
36 P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proc. of Advances in Cryptology (CRYPTO'99), 388-397, 1999.
37 J. Kim, D. Lee, W. Jeon, Y. Lee and D. Won, "Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks," Sensors, vol. 14, no. 4, pp. 6443-6462, 2014.   DOI
38 J. Moon, Y. Choi, J. Kim and D. Won, "An Improvement of Robust and Efficient Biometrics Based Password Authentication Scheme for Telecare Medicine Information Systems Using Extended Chaotic Maps," Journal of medical systems, vol. 40, no. 3, pp. 1-11, 2016.   DOI
39 W. Stallings, Cryptography and network security: principles and practices, Pearson Education India, 2006.
40 H.C. Hsiang and W.K. Shih, "Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, vol. 31, no. 6, pp. 1118-1123, 2009.   DOI
41 S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," in Proc. of IMA International Conference on Cryptography and Coding, pp. 30-45, 1997.
42 S.H. Islam, M.K. Khan and X. Li, "Security analysis and improvement of 'a more secure anonymous user authentication scheme for the integrated EPR information system'," PloS one, vol. 10, no. 8, pp. e0131368, 2015.   DOI
43 M. Burrows, M. Abadi and R. Needham, "A logic of authentication," ACM Transactions on Computer System, vol. 8, pp. 18-36, 1990.   DOI
44 T. F. Lee, "Provably secure anonymous single-sign-on authentication mechanisms using extended Chebyshev chaotic maps for distributed computer networks," IEEE Systems Journal, 2015.
45 M. Abdalla, P. A. Fouque and D. Pointcheval, "Password-based authenticated key exchange in the three-party setting," in Proc. of International Workshop on Public Key Cryptography, Springer Berlin Heidelberg, pp. 65-84, 2005.
46 AVISPA, Automated validation of internet security protocols and applications, http://www.avispa-project.org/.
47 O. Mir, J. Munilla and S. Kumari, "Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 79-91, 2017.   DOI
48 V. Boyko, P. MacKenzie and S. Patel, "Provably secure password-authenticated key exchange using Diffie-Hellman," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, Springer Berlin Heidelberg, pp. 156-171, 2000.
49 A.T. Chan, J. Cao, H. Chan and G. Young, "A web-enabled framework for smart card applications in health services," Communications of the ACM, vol. 44, no. 9, pp. 76-82, 2001.   DOI
50 H. Takeda, Y. Matsumura, S. Kuwata, H. Nakano, N. Sakamoto and R. Yamamoto, "Architecture for networked electronic patient record systems," International journal of medical informatics, vol. 60, no. 2, pp. 161-167, November, 2000.   DOI
51 S.H. Li, C.Y. Wang, W.H. Lu, Y.Y. Lin and D.C. Yen, "Design and implementation of a telecare information platform," Journal of medical systems, vol. 36, no. 3, pp. 1629-1650, 2012.   DOI
52 S. Gritzalis, C. Lambrinoudakis, D. Lekkas and S. Deftereos, "Technical guidelines for enhancing privacy and data protection in modern electronic medical environments," IEEE Transactions on Information Technology in Biomedicine, vol. 9, no. 3, pp. 413-423, 2005.   DOI
53 J. Hur and K. Kang, "Dependable and secure computing in medical information systems," Computer Communications, vol. 36, no. 1, pp. 20-28, 2012.   DOI
54 M. Nikooghadam and A. Zakerolhosseini, "Secure communication of medical information using mobile agents," Journal of medical systems, vol. 36, no. 6, pp. 3839-3850, 2012.   DOI
55 L. Lamport, "Password authentication with insecure communication," Communications of the ACM, vol. 24, no. 11, pp. 770-772, 1981.   DOI
56 Z.Y. Wu, Y.C. Lee, F. Lai, H.C. Lee and Y. Chung, "A secure authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 3, pp. 1529-1535, 2010.   DOI
57 D. He, J. Chen and R. Zhang, "A more secure authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 3, pp. 1989-1995, 2012.   DOI