
Cryptanalysis and Enhancement of Anonymity Preserving Remote User Mutual Authentication and Session Key Agreement Scheme for E-Health Care Systems


Abstract

E-health care systems employ IT infrastructure to maximize the utilization of health care resources and to provide flexible opportunities to the remote patient. Transmission of medical data over public networks is therefore unavoidable in such systems, and patient authentication together with secure data transmission is a critical issue. Although several user authentication schemes for accessing remote services are available, their security analyses show that none of them is free from relevant security attacks. We reviewed Das et al.'s scheme and demonstrated that it lacks proper protection against several security attacks: loss of user anonymity, off-line password guessing attack, smart card theft attack, user impersonation attack, server impersonation attack and session key disclosure attack. To overcome these pitfalls, this paper proposes an anonymity preserving remote patient authentication scheme usable in E-health care systems. We validated the security of the proposed scheme using BAN logic, which ensures secure mutual authentication and session key agreement. We also present experimental results obtained with the AVISPA software, which show that our scheme is secure under the OFMC and CL-AtSe models. Moreover, resilience to the relevant security attacks has been proved through both formal and informal security analysis. A performance analysis and comparison with other schemes are also given; the proposed scheme overcomes the security drawbacks of Das et al.'s scheme and additionally achieves extra security requirements.
J Med Syst (2015) 39:140
DOI 10.1007/s10916-015-0318-z
SYSTEMS-LEVEL QUALITY IMPROVEMENT
Ruhul Amin 1 · SK Hafizul Islam 2 · G. P. Biswas 1 · Muhammad Khurram Khan 3 · Xiong Li 4
Received: 20 April 2015 / Accepted: 7 August 2015
© Springer Science+Business Media New York 2015
This article is part of the Topical Collection on Systems-Level Quality Improvement
SK Hafizul Islam: hafi786@gmail.com; hafizul.ism@gmail.com; hafizul@pilani.bits-pilani.ac.in
Ruhul Amin: amin ruhul@live.com
G. P. Biswas: gpbiswas@gmail.com
Muhammad Khurram Khan: mkhurram@ksu.edu.sa
Xiong Li: lixiong84@gmail.com
1 Department of Computer Science and Engineering, Indian School of Mines, Dhanbad, 826004, Jharkhand, India
2 Department of Computer Science and Information Systems, Birla Institute of Technology and Science, Pilani Campus, Rajasthan 333031, India
3 Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia
4 School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan 411201, China
Keywords Password · Biometric · Session key · Mutual authentication · AVISPA tool · BAN logic · E-health care systems
Introduction
A health care system that provides information to remote patients/users is called an E-health care system. The E-health care system plays a central role in medical services even when the users/patients are far away from the system. Its main advantages over a traditional health care system are that, after a successful login to the medical server, it saves the patient's expense and time. Basically, users/patients send message(s) over public (insecure) networks to the medical server via the Internet, and the medical server responds according to the patient's demand. Since the communication channel is open, security and privacy are key factors in an E-health care system for providing data integrity, confidentiality and secure user authentication. Many remote user authentication schemes have been proposed in the literature for achieving data integrity and confidentiality of the messages.
In recent years, many password based user authentication schemes [5, 30–32, 35, 46, 70, 72, 75] using smart cards have been proposed for E-health care systems. Owing to the low cost and portability of the smart card [56, 57, 59], it has been widely used in user authentication schemes [27, 33, 34, 37, 50–53]. Although password based user authentication schemes [29, 39, 40, 43] are efficient in terms of security, the password may be cracked by an off-line dictionary attack. Most users choose meaningful text as a password for easy memorization, so the password is generally a low-entropy parameter, which leads to the off-line password guessing attack. In addition, a malicious user or attacker can forcibly obtain a password from the valid user by some means and then impersonate that user. To overcome these difficulties, a biometric such as a fingerprint, iris or retina can be combined with the password to design a strong security system. The following properties imply that biometric based remote user authentication schemes [36, 44, 54, 55, 63–65] are more secure than password based authentication schemes:
- A biometric key cannot be lost or forgotten and is very difficult to copy or share.
- A biometric key is extremely hard to forge or distribute.
- Guessing a biometric key is dreadfully hard.
In Fig. 1, we present an architecture for an E-health care system in which the user and the remote medical server are the legal entities. The communication between user and server while accessing health care information is insecure. Whenever a new user wishes to access health care services, he/she has to register with the remote server, which securely provides a smart card to the user (off-line mode) for further communication. Fig. 1 also shows that a smart card reader is used, whose main responsibility is to detect the legal user and transmit the login message to the remote server over the public channel. Finally, both entities (user, remote server) perform mutual authentication and negotiate a session key, which is used to encrypt the important information exchanged between them.
Literature review
In past years, many remote user authentication schemes [1, 10, 17–19, 25, 26, 28, 38, 42, 48, 60, 66] with biometric and password have been proposed in the literature. In 2010, Li and Hwang [55] proposed a biometric based remote user authentication scheme and claimed that it is efficient in terms of security and complexity. However, Das [21] showed that their scheme has several security weaknesses and proposed an enhanced scheme to withstand the attacks. Moreover, Li et al. [58] further showed that Li and Hwang's scheme [55] has security weaknesses and also proposed an improved scheme for better performance and security. Then, Das [22] again showed that Li et al.'s scheme [58] fails to provide strong authentication in the login and authentication phase and does not let the user update his/her password locally. In 2012, An [11] described that Das's scheme [21] has security flaws such as user impersonation attack, server masquerading attack, password guessing attack and insider attack, and also cannot provide mutual authentication. An [11] also proposed a scheme to withstand the security flaws of Das's scheme [22]. Afterward, Khan et al. [47] demonstrated that An's scheme [11] suffers from online password guessing attack, user impersonation attack, server impersonation attack and lack of user anonymity.
In 2013, Chang et al. [16] proposed a remote user authentication scheme for E-health care systems that achieves the user anonymity property. They used a new technique: after each and every transaction, the server generates a random temporary identity, stores it with the corresponding user identity $ID_i$, and also updates some secret information in the memory of the smart card every time. They claimed that their proposed scheme is efficient in terms of security and computation cost. In the same year, Das et al. [23] demonstrated that Chang et al.'s scheme has several security weaknesses: (1) design flaws in the login and authentication phase, (2) design flaws in the password change phase, and (3) it fails to protect against insider attack and man-in-the-middle attack and fails to provide proper authentication. They analyzed the security of their proposed scheme with the AVISPA tool and claimed that their scheme is SAFE. However, in this paper we show that Chang et al.'s scheme has more security weaknesses and that Das et al.'s scheme suffers from the several security weaknesses described in "Security vulnerabilities of the scheme". We then propose an efficient remote user authentication scheme for e-health care systems that achieves better security.
Very recently, Lu et al. pointed out that Arshad's scheme [13] cannot achieve complete security requirements and proposed an authentication scheme based on the elliptic curve cryptosystem. Zhang-Zhu [74] pointed out that the Islam-Khan scheme [44] is insecure against several security weaknesses and also proposed an improved scheme to remove the mentioned security flaws. Thereafter, Ruhul et al. [4] demonstrated that Giri et al.'s scheme [27] cannot withstand the off-line password guessing attack and does not preserve user anonymity, and contributed an improved scheme over [27]. Ruhul et al. further illustrated that the schemes [64, 73] suffer from several security weaknesses and also proposed better solutions to overcome the security vulnerabilities.
Fig. 1 Architecture for E-health care system (components shown: Patient's Portal, Smart card reader, Terminal (Monitoring), WLAN, Router, Internet, Medical Server, Database, Doctor)
Motivation and contributions
In "Literature review", we showed that most of the hash function based schemes for TMIS are vulnerable to common security attacks. Therefore, these schemes should not be implemented in real-life applications. In order to provide a better solution than the existing related research, we were motivated to design a secure user authentication and session key agreement scheme using smart cards. This paper makes the following contributions in designing a biometric-based user authentication system for E-health care environments:
(1) We first reviewed Das et al.'s scheme and demonstrated that it is insecure against several security attacks: (1) user anonymity problem, (2) security drawback on random identity, (3) off-line password guessing attack, (4) smart card theft attack, (5) user impersonation attack, (6) server impersonation attack and (7) session key disclosure attack.
(2) We then proposed an efficient authentication scheme to resolve the security weaknesses of the scheme [23].
(3) We simulated our proposed scheme using the AVISPA software and showed that the scheme is secure under the OFMC and CL-AtSe models. Further, the BAN logic analysis shows that our scheme achieves secure mutual authentication and session key agreement.
(4) We also demonstrated the resilience of our scheme to common security attacks through both formal and informal analysis.
Outline of the paper
In "Preliminaries", we discuss the concept and properties of the cryptographic one-way hash function and the bio-hashing technique. In "Brief review of Das et al. scheme", we briefly review Das et al.'s scheme. The security analysis of Das et al.'s scheme is given in "Security vulnerabilities of the scheme". Section "Proposed scheme" presents the proposed scheme. The security analysis of the proposed scheme appears in "Cryptanalysis of the proposed scheme". In "Performance comparison", the performance study of our scheme and the comparison with related schemes are provided. We conclude the paper in "Conclusion".
Preliminaries
In this section, we discuss the cryptographic one-way hash
function and bio-hashing operation.
Hash function
A hash function maps a string of arbitrary length to a string of fixed length called the hashed value. It can be symbolized as $h: X \to Y$, where $X = \{0,1\}^*$ and $Y = \{0,1\}^n$; $X$ is the set of binary strings of arbitrary length and $Y$ the set of binary strings of fixed length $n$. It is used in many cryptographic applications such as digital signatures, random sequence generators in key agreement, authentication schemes and so on. The hash function satisfies the following properties:
(1) Given $m \in X$, it is easy to compute $h(m) \in Y$.
(2) It is hard to find $m$ from a given $h(m) \in Y$. This property is referred to as preimage resistance.
(3) For a given input $m \in X$, it is hard to find an input $m' \in X$ with $m' \neq m$ such that $h(m') = h(m)$. This property is referred to as second-preimage resistance.
(4) It is hard to find a pair $(m, m') \in X \times X$ with $m \neq m'$ such that $h(m) = h(m')$. This property is referred to as collision resistance.
(5) On any input $m \in X$, the hashed value $h(m) \in Y$ is indistinguishable from a uniform binary string in the interval $\{0, 2^n\}$. This property is referred to as the mixing transformation.
Bio-hashing
In order to provide genuine user authentication, biometric technology is of great importance in any authentication system. During acquisition of the biometric characteristics at the sensor device, the characteristics may not be exactly the same each time because of a noisy template. Therefore, the biometric system may deny the registered user, which increases the false rejection rate. In order to reduce the false rejection rate, Jin et al. [45] proposed a two-factor authenticator based on iterated inner products between a tokenised pseudo-random number and the user-specific fingerprint features, which produces a set of user-specific compact codes, coined Bio-Hashing. Later on, Lumini and Nanni [61] proposed an improvement of Bio-Hashing. As pointed out in [16], Bio-Hashing maps a user's/patient's biometric features onto user-specific random vectors to generate a code, called the bio-code, and then discretizes the projection coefficients into zeros and ones. Bio-Hashing is as secure as a cryptographic one-way hash function and has the one-way property. Many user authentication schemes [2] utilize the bio-hashing technique on the biometric template for genuine user identification.
Brief review of Das et al. scheme
This section introduces Das et al.'s anonymity-preserving remote user authentication scheme for connected health care systems. The scheme consists of three phases: (1) registration phase, (2) login and authentication phase and (3) password change phase. The descriptions of all the phases are presented below, and all the notations used throughout this paper are listed in Table 1.
Table 1 List of notations used
Symbol: Description
$U_i$: $i$-th user/patient
$S_j$: Remote medical server
$SC_i$: Smart card of $U_i$
$CR$: Smart card reader
$PW_i$: Password of $U_i$
$ID_i$: Identity of $U_i$
$B_i$: Biometric of $U_i$
$SID_j$: Identity of $S_j$
$X_s$: Secret key of $S_j$
$NID_i$: Unique random identity of $U_i$
$R_c$: Random nonce generated by $U_i$
$R_s$: Random nonce generated by $S_j$
$h(\cdot)$: Cryptographic one-way hash function
$H(\cdot)$: Bio-hashing function
$\|$: Concatenation operation
$\oplus$: Bitwise XOR operation
Registration phase
In order to register with the medical server, the patient performs the following steps.
Step 1: Initially, $U_i$ chooses his/her personal information $ID_i$, $PW_i$, $B_i$ along with a random number $K$ and sends the registration message $\langle ID_i, RB_i, RPW_i \rangle$ to $S_j$ through a secure channel or in person, where $RB_i = H(ID_i \| K \| B_i)$ and $RPW_i = h(ID_i \| K \| PW_i)$.
Step 2: After receiving $\langle ID_i, PW_i, B_i \rangle$, $S_j$ sets $f_i = RB_i = H(ID_i \| K \| B_i)$ and then computes $r_i = h(RPW_i \| f_i)$, $e_i = h(ID_i \| X_s) \oplus r_i$, $TD_i = NID_i \oplus h(ID_i)$, $D_i = TD_i$, and finally issues a smart card $SC_i$ to $U_i$ through a secure channel after storing $\langle TD_i, D_i, f_i, r_i, e_i, h(\cdot), H(\cdot) \rangle$ in the memory of $SC_i$.
Login and authentication phase
This phase performs the following steps to achieve session key agreement between $U_i$ and $S_j$. $U_i$ inserts his/her $SC_i$ into the card reader $CR$ and provides the biometric template $B_i$ and his/her identity $ID_i$. $CR$ computes $f_i' = H(ID_i \| K \| B_i)$ and checks the biometric verification against $SC_i$. If it matches, $U_i$ inputs $PW_i$ and $SC_i$ further computes $RPW_i' = h(ID_i \| K \| PW_i)$, $r_i' = h(RPW_i' \| f_i)$ and verifies the condition $r_i' = r_i$. If the verification holds, one of the following two cases is executed.
Case 1:
(1) $SC_i$ selects a random number $R_c$ and computes $NID_i = h(ID_i) \oplus D_i$, $M_1 = e_i \oplus r_i' = h(ID_i \| X_s)$, $M_2 = M_1 \oplus R_c$ and sends the login message $\langle NID_i, M_2, h(ID_i \| R_c) \rangle$ to $S_j$ over an insecure channel.
(2) After receiving $\langle NID_i, M_2, h(ID_i \| R_c) \rangle$, $S_j$ checks the format of $NID_i$ and looks for the entry $\langle ID_i, NID_i \rangle$ in the ID-Table. If found, it continues; otherwise, Case 2 is executed. $S_j$ further computes $M_3 = h(ID_i \| X_s)$, $M_4 = M_2 \oplus M_3$ and verifies the condition $h(ID_i \| M_4) = h(ID_i \| R_c)$. If it does not hold, $S_j$ terminates the session; otherwise it proceeds to the next step.
(3) $S_j$ chooses a random nonce $R_s$ and computes $M_5 = M_3 \oplus R_s$, $M_6 = h(R_s \| M_4) \oplus NID_i^{new}$, $M_7 = h(M_3 \| M_4 \| R_s \| ID_i \| NID_i^{new})$ and $P_1 = h(ID_i \| M_4 + 1 \| R_s)$, where $NID_i^{new}$ is the random temporary identity generated by $S_j$. $S_j$ then sends $\langle M_5, M_6, M_7, P_1 \rangle$ to $SC_i$.
(4) After receiving $\langle M_5, M_6, M_7, P_1 \rangle$, $SC_i$ computes $M_8 = M_5 \oplus M_1$, $P_1' = h(ID_i \| R_c + 1 \| M_8)$ and verifies the condition $P_1' = P_1$. If it does not hold, it terminates the connection; otherwise it further computes $NID_i^{new} = M_6 \oplus h(M_8 \| R_c)$ and verifies whether $h(M_1 \| R_c \| M_8 \| ID_i \| NID_i^{new}) = M_7$. If it does not hold, it terminates the session; otherwise, $SC_i$ updates $TD_i$ and $D_i$ in its memory with $D_i$ and $D_i \oplus NID_i \oplus NID_i^{new}$, respectively. $SC_i$ then computes $M_9 = h(M_8 + 1 \| ID_i \| NID_i^{new} \| R_c + 1)$, which it sends to $S_j$, and $SK_{U_i,S_j} = h(ID_i \| R_c \| M_8 \| M_2 \| M_1)$, where $SK_{U_i,S_j}$ is the session key between $U_i$ and $S_j$.
(5) After receiving $M_9$, $S_j$ computes $M_9' = h(R_s + 1 \| ID_i \| NID_i^{new} \| M_4 + 1)$ and compares it with the received $M_9$. If they do not match, it terminates the session; otherwise, $S_j$ replaces $\langle ID_i, NID_i \rangle$ with $\langle ID_i, NID_i^{new} \rangle$ in its ID-Table and computes the session key $SK_{U_i,S_j} = h(ID_i \| M_4 \| R_s \| M_2 \| M_3)$.
Case 2: These steps are almost the same as in Case 1 of the login and authentication phase, except that $NID_i$ is obtained by computing $h(ID_i) \oplus TD_i$ instead of $h(ID_i) \oplus D_i$ in Step 1 of Case 1, and $SC_i$ only needs to update $D_i$ with $D_i \oplus NID_i \oplus NID_i^{new}$, without changing $TD_i$, in Step 4 of Case 1.
Password change phase
This phase is executed by $U_i$ to replace the old password with a new one. The steps of this phase are as follows:
Step 1: $U_i$ inserts his/her $SC_i$ into $CR$ and provides $B_i$ and $ID_i$. $SC_i$ computes $f_i' = H(ID_i \| K \| B_i)$ and checks the biometric verification. If it matches, $U_i$ inputs $PW_i$ and $SC_i$ further computes $RPW_i' = h(ID_i \| K \| PW_i)$, $r_i' = h(RPW_i' \| f_i)$ and verifies the condition $r_i' = r_i$. If the verification holds, $SC_i$ asks $U_i$ for a new password.
Step 2: $U_i$ inputs a new password $PW_i^{new}$ into $SC_i$. After receiving $PW_i^{new}$, $SC_i$ computes $e_i' = e_i \oplus r_i'$, $RPW_i^{new} = h(ID_i \| K \| PW_i^{new})$, $r_i^{new} = h(RPW_i^{new} \| f_i)$ and $e_i^{new} = e_i' \oplus r_i^{new}$.
Step 3: Finally, $SC_i$ replaces the old $r_i$, $e_i$ with the new $r_i^{new}$, $e_i^{new}$ and completes the password update phase.
Security vulnerabilities of the scheme [23]
In 2013, Das et al. proposed an improvement of Chang et al.'s scheme to overcome its security weaknesses and claimed that the scheme resists different possible attacks and achieves the user anonymity property. Our analysis shows that Das et al.'s scheme is still vulnerable to the user anonymity problem, off-line password guessing attack, smart card theft attack, user impersonation attack, server impersonation attack and session key disclosure attack. The descriptions of all the mentioned security vulnerabilities are presented below.
Failure of user anonymity
In order to preserve the user anonymity property, the $ID_i$ of the legal patient should be confidential so that the attacker cannot extract or guess it. However, we identified that Das et al.'s scheme cannot preserve user anonymity. During the execution of Das et al.'s scheme, the attacker traps the login message parameter $NID_i = h(ID_i) \oplus D_i$. We present two approaches by which the attacker extracts the $ID_i$ of $U_i$.
Approach-1: In this approach, the attacker executes the following operations:
Step 1. The attacker chooses an identity $ID_i^g$ and computes $NID_i' = h(ID_i^g) \oplus D_i$, where $D_i$ is the smart card parameter extracted by monitoring the power consumption [49, 62].
Step 2. The attacker checks whether $NID_i' = NID_i$ holds or not. If it holds, the attacker has obtained the correct identity of the legal patient; otherwise, Step 1 is repeated until the correct identity is obtained. It is clear that the attacker can trace the legal patient after performing Step 1 several times.
Approach-2: The attacker can trace or extract the patient's identity from the ID-Table stored at the server end. We assume that the ID-Table has been obtained by the attacker by some means. As the table stores the tuple $\langle ID_i, NID_i \rangle$, the attacker can find the desired identity from the login parameter $NID_i$.
Security drawback on random identity $NID_i$
In Das et al.'s scheme, $NID_i$ is a random identity generated by $S_j$ and replaced after every transaction by a new $NID_i$, and on a user login request the server finds the corresponding user identity $ID_i$ stored in $S_j$'s database with respect to the given $NID_i$.
Now, assume $U_i$ wants to login to $S_j$ and thus provides the identity $ID_i$, $PW_i$ and $B_i$ to $CR$. Since $U_i$ is properly registered, the login request is accepted by $CR$ and $SC_i$ sends a valid login message parameter $NID_i$ to $S_j$. Now $S_j$ searches the ID-Table to find the $ID_i$ stored against $NID_i$ and allows $U_i$ to login to $S_j$. If we assume that there exists a large number of users, then, since the server generates $NID_i$ randomly, there is a probability of the same $NID_i$ being repeated for different users; as a result, login messages may not be accepted if a match for a user other than $ID_i$ is found.
In addition, after each successful login, $S_j$ generates a new $NID_i$, updates the values of $D_i$ and $TD_i$, and stores them in $SC_i$. Thus, Das et al.'s scheme, because it generates a new identity and updates the smart card with new values, requires extra computation overhead, which should be avoided.
Off-line password guessing attack
It is well known that the attacker can extract the smart card parameters $\langle TD_i, D_i, e_i, r_i, f_i, K, h(\cdot), H(\cdot) \rangle$ by monitoring the power consumption. The attacker can then launch the off-line password guessing attack as described below:
Step 1. The attacker chooses a candidate password $PW_a$ and computes $r_i' = h(ID_i \| K \| PW_a)$, where $ID_i$ is $U_i$'s identity, known to the attacker as discussed earlier.
Step 2. The attacker checks whether the computed $r_i'$ matches the stored $r_i$ or not.
Step 3. If it matches, the correct password has been obtained; otherwise, Steps 1 and 2 are repeated until the correct password is guessed. It may be noted that the password guessing operation can be done efficiently since users in most cases use low-entropy passwords. Thus, the off-line password guessing attack is easily launched.
Smart card theft attack
This attack means that an attacker may steal the smart card of a valid user $U_i$ and extract all the smart card information $\langle TD_i, D_i, e_i, r_i, f_i, K, h(\cdot), H(\cdot) \rangle$ stored in it. Then, knowing any $i$-th login message of the same user $U_i$, the attacker can impersonate $U_i$ without knowing $U_i$'s secret information (password and biometric). The procedure of the smart card theft attack is given below:
Step 1. An attacker computes $A_1 = e_i \oplus r_i = h(ID_i \| X_s)$, then chooses his/her own biometric and password and computes the following:
$r_i = h(ID_i \| K \| PW_i^a)$,
$f_i = H(B_i^a)$,
$e_i = A_1 \oplus r_i$,
where $ID_i$ is the identity of $U_i$ and $PW_i^a$, $B_i^a$ are the password and biometric, respectively, chosen by the attacker. $TD_i$ and $D_i$ are kept unchanged.
Step 2. The attacker then stores $\langle f_i, e_i, r_i, h(\cdot), H(\cdot) \rangle$ in the memory of a new smart card and uses it as a valid smart card of $U_i$ until the card theft is detected and blocked.
Hence, it can be concluded that Das et al.'s scheme cannot be used in practical applications, because an attacker can successfully login to the system without knowing the user's personal biometric and password information.
User impersonation attack
In order to impersonate a legitimate user, an attacker intercepts the login request message of a valid user and sends a forged login message to the server. If the server accepts the forged login message, the attacker succeeds in the user impersonation attack. Based on the smart card parameters and the current login message, the attacker can launch the user impersonation attack as described below:
Step 1. The attacker generates a random number $R_a$ and sends the forged login message $\langle NID_i, M_2, M \rangle$ to $S_j$ after computing the following:
$M_1 = e_i \oplus r_i$,
$M_2 = M_1 \oplus R_a$,
$M = h(ID_i \| R_a)$.
Step 2. After receiving $\langle NID_i, M_2, M \rangle$, $S_j$ checks the format of $NID_i$ and searches for $NID_i$ in the ID-Table. It may be noted that $NID_i$ must exist in the ID-Table, as the attacker trapped the current login message.
Step 3. $S_j$ then computes the following:
$M_3 = h(ID_i \| X_s)$,
$M_4 = M_2 \oplus M_3 = R_a$,
$M_5 = h(ID_i \| M_4)$.
Then, $S_j$ checks whether the computed $M_5$ is equal to the received $M$ or not. If it matches, the attacker has successfully impersonated $U_i$ to $S_j$. Thus, the attacker successfully launches the user impersonation attack.
Server impersonation attack
Das et al.'s scheme cannot resist the server impersonation attack. The procedure of the server impersonation attack is given below:
Step 1. The attacker chooses a random nonce $R_{sa}$ and computes the following:
$M_5 = M_3 \oplus R_{sa}$,
$M_6 = h(R_{sa} \| M_4) \oplus NID_i^{new}$,
where $M_4$ is known to the attacker as described in the user impersonation attack and $NID_i^{new}$ is a random temporary identity generated by the attacker. Finally, the attacker computes $M_7 = h(M_3 \| M_4 \| R_{sa} \| ID_i \| NID_i^{new})$, $G_i = h(ID_i \| M_4 + 1 \| R_{sa})$ and then sends $\langle M_5, M_6, M_7, G_i \rangle$ to $SC_i$.
Step 2. After receiving $\langle M_5, M_6, M_7, G_i \rangle$ from the attacker, $SC_i$ computes $M_8 = M_5 \oplus M_1 = R_{sa}$, $G_i' = h(ID_i \| R_c + 1 \| M_8)$ and then compares $G_i'$ with $G_i$. If it holds, $U_i$ is convinced that the message was sent by the legal remote server $S_j$, but actually the attacker impersonates $S_j$.
Session key disclosure attack
The authenticated session key is used for secure communication between the entities involved, and an attacker who discloses the key can decrypt the secret information. So, the secrecy of the session key is mandatory for any key agreement scheme. However, Das et al.'s scheme is insecure against the session key disclosure attack, because the session key, which depends on the secret parameters $ID_i$, $R_c$, $R_s$ and $h(ID_i \| X_s)$, can be extracted from the smart card and the login-reply messages as follows. An attacker has:
(a) the value of $h(ID_i \| X_s)$ by computing $e_i \oplus r_i$;
(b) the value of $R_c$ by computing $M_1 \oplus M_2$;
(c) the value of $R_s$ by computing $M_5 \oplus M_3$.
The attacker then easily computes the secret session key negotiated in Das et al.'s scheme and decrypts the cipher messages exchanged between the user and the server.
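As an added illustration (not the paper's own code), the following Python models Das et al.'s registration and Case 1 login/authentication phases reviewed in "Brief review of Das et al. scheme", and then performs the check described in this section: recomputing $SK$ from nothing but the card contents $e_i$, $r_i$ and the transmitted $M_2$, $M_5$, with $ID_i$ taken as known per "Failure of user anonymity". SHA-256 stands in for both $h(\cdot)$ and $H(\cdot)$, and all identities, keys and nonces are constructed sample values; the function names are my own.

```python
"""Model of Das et al.'s scheme (registration + Case 1 login/authentication) and
the session-key check from "Session key disclosure attack".  Added example;
SHA-256 stands in for h(.) and H(.), all sample values are constructed."""
import hashlib
import os

N = 32  # byte length of hash outputs, nonces and identities

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): one-way hash over the concatenation of its arguments."""
    return hashlib.sha256(b"||".join(parts)).digest()

H = h  # the bio-hash H(.) is modelled by the same function

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def inc(x: bytes) -> bytes:
    """The scheme's 'R + 1' on an N-byte nonce (wrapping at 2^(8N))."""
    return ((int.from_bytes(x, "big") + 1) % (1 << 8 * N)).to_bytes(N, "big")

def register(ID, PW, B, K, Xs, NID):
    """Registration: returns the smart-card contents and the ID-Table entry."""
    f = H(ID, K, B)                      # f_i = RB_i
    r = h(h(ID, K, PW), f)               # r_i = h(RPW_i || f_i)
    e = xor(h(ID, Xs), r)                # e_i = h(ID_i || X_s) xor r_i
    TD = xor(NID, h(ID))                 # TD_i = NID_i xor h(ID_i); D_i = TD_i
    return {"TD": TD, "D": TD, "f": f, "r": r, "e": e}, {NID: ID}

def card_login(card, ID, PW, B, K, Rc):
    """Case 1 step (1): local checks, then the login message <NID_i, M2, h(ID||Rc)>."""
    if H(ID, K, B) != card["f"]:
        raise ValueError("biometric mismatch")
    r_ = h(h(ID, K, PW), card["f"])
    if r_ != card["r"]:
        raise ValueError("password mismatch")
    M1 = xor(card["e"], r_)              # = h(ID_i || X_s)
    M2 = xor(M1, Rc)
    NID = xor(h(ID), card["D"])
    return M1, M2, (NID, M2, h(ID, Rc))

def server_reply(id_table, Xs, login_msg, Rs, NID_new):
    """Case 1 steps (2)-(3): verify the login message and build <M5, M6, M7, P1>."""
    NID, M2, tag = login_msg
    ID = id_table[NID]                   # a KeyError here would mean 'go to Case 2'
    M3 = h(ID, Xs)
    M4 = xor(M2, M3)                     # = R_c
    if h(ID, M4) != tag:
        raise ValueError("login message rejected")
    M5 = xor(M3, Rs)
    M6 = xor(h(Rs, M4), NID_new)
    M7 = h(M3, M4, Rs, ID, NID_new)
    P1 = h(ID, inc(M4), Rs)
    return (M5, M6, M7, P1), (ID, M3, M4)

def card_finish(card, ID, M1, M2, Rc, reply):
    """Case 1 step (4): authenticate the server, update the card, derive SK and M9."""
    M5, M6, M7, P1 = reply
    M8 = xor(M5, M1)                     # = R_s
    if h(ID, inc(Rc), M8) != P1:
        raise ValueError("P1 check failed")
    NID_new = xor(M6, h(M8, Rc))
    if h(M1, Rc, M8, ID, NID_new) != M7:
        raise ValueError("M7 check failed")
    NID_old = xor(h(ID), card["D"])
    card["TD"], card["D"] = card["D"], xor(xor(card["D"], NID_old), NID_new)
    M9 = h(inc(M8), ID, NID_new, inc(Rc))
    return M9, h(ID, Rc, M8, M2, M1), NID_new

def server_finish(state, M2, Rs, NID_new, M9):
    """Case 1 step (5): verify M9 and derive the server-side SK."""
    ID, M3, M4 = state
    if h(inc(Rs), ID, NID_new, inc(M4)) != M9:
        raise ValueError("M9 check failed")
    return h(ID, M4, Rs, M2, M3)

def sk_from_card_and_transcript(card, ID, login_msg, reply):
    """The paper's observation (a)-(c): SK follows from e_i, r_i, M2 and M5 alone."""
    M1 = xor(card["e"], card["r"])       # (a) h(ID_i || X_s)
    M2 = login_msg[1]
    Rc = xor(M1, M2)                     # (b) R_c
    Rs = xor(reply[0], M1)               # (c) R_s
    return h(ID, Rc, Rs, M2, M1)

def run_session():
    """One complete Case 1 run with constructed values; returns the three SK views."""
    ID, PW, B = b"patient-0042", b"Winter2015", b"fingerprint-template-bytes"
    K, Xs, NID = os.urandom(N), os.urandom(N), os.urandom(N)
    card, table = register(ID, PW, B, K, Xs, NID)
    Rc, Rs, NID_new = os.urandom(N), os.urandom(N), os.urandom(N)
    M1, M2, login_msg = card_login(card, ID, PW, B, K, Rc)
    reply, state = server_reply(table, Xs, login_msg, Rs, NID_new)
    M9, sk_user, nid_seen = card_finish(card, ID, M1, M2, Rc, reply)
    sk_server = server_finish(state, M2, Rs, NID_new, M9)
    sk_recovered = sk_from_card_and_transcript(card, ID, login_msg, reply)
    return sk_user, sk_server, sk_recovered, nid_seen == NID_new
```

Running `run_session()` returns equal user and server keys together with the key recomputed from card and transcript, which is the concrete form of the statement that $SK$ here depends on no value that stays secret once the card is read.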
Proposed scheme
In this section, we propose an enhanced anonymity preserving authenticated key agreement scheme for e-health care systems. The proposed method consists of the registration phase, login phase, authentication and key agreement phase and password change phase.
Registration phase
This is the initial phase of the automated health care system: whenever a new user wants to access resources from the medical server and/or get treatment, he/she needs to register with the server.
Step 1. $U_i$ provides the identity $ID_i$, the masked password $PWD_i = h(ID_i \| PW_i)$ and the biometric template $B_i$, where $PW_i$ is the password of $U_i$, to $S_j$ through a secure channel or in person. In order to resist the insider attack, $U_i$ provides the masked password to the medical server instead of the plaintext password.
Step 2. After receiving the registration message, $S_j$ generates a random unique identity $NID_i$ for the user $U_i$ and computes $CID_i = h(ID_i \| B_i)$. It then stores the pair $\langle CID_i, NID_i \rangle$ in the ID-Table of $S_j$'s database and computes the following:
$f_i = H(B_i)$,
$e_i = h(SID_j \| X_s \| f_i) \oplus PWD_i$,
$T_i = NID_i \oplus h(ID_i \| f_i)$.
Step 3. $S_j$ then delivers the smart card $SC_i$ to $U_i$ securely after storing $\langle f_i, e_i, T_i, h(\cdot), H(\cdot) \rangle$ in the memory of $SC_i$.
The registration phase of the proposed scheme is illustrated in Fig. 2.
Login phase
When a registered patient wants to obtain medical services from the medical server over an insecure channel, the user executes the following steps:
Step 1. $U_i$ first inserts his/her $SC_i$ into $CR$ and provides his/her $B_i$ to $SC_i$.
Step 2. $CR$ then computes $f_i' = H(B_i)$ and verifies whether the condition $f_i' = f_i$ holds or not. If it holds, the $B_i$ provided by $U_i$ is registered, and $U_i$ then inputs $ID_i$ and $PW_i$. If the condition $f_i' = f_i$ does not hold, $CR$ rejects the login. As we utilize the bio-hashing technique, the biometric template provided at login by the same patient must be the same as the one provided in the registration phase.
Fig. 2 Registration phase of the proposed scheme
Step 3. After verifying $U_i$, $CR$ generates a random nonce $R_c$ and sends $M_1 = \langle f_i, G_i, L_i, NID_i' \rangle$ to $S_j$ through the public channel after computing the following:
$NID_i = T_i \oplus h(ID_i \| f_i)$,
$e_i' = e_i \oplus h(ID_i \| PW_i)$,
$G_i = e_i' \oplus R_c$,
$NID_i' = NID_i \oplus h(R_c)$,
$L_i = h(NID_i \| R_c)$.
Authentication and key agreement phase
In order to achieve mutual authentication and session key agreement between $U_i$ and $S_j$, the scheme executes the following steps:
Step 1. After receiving $M_1 = \langle f_i, G_i, L_i, NID_i' \rangle$, $S_j$ computes the following:
$A_i = h(SID_j \| X_s \| f_i)$,
$R_c' = G_i \oplus A_i$,
$NID_i = NID_i' \oplus h(R_c')$.
Then, $S_j$ looks up $NID_i$ in the ID-Table of $S_j$'s database. If it does not exist, $S_j$ terminates the connection; otherwise, $S_j$ computes $L_i' = h(NID_i \| R_c')$ and verifies whether $L_i'$ matches $L_i$. If the verification is correct, $S_j$ believes that the login message sent by $U_i$ is authentic; otherwise, it terminates the connection.
Step 2. $S_j$ generates a random nonce $R_s$, computes $D_i = A_i \oplus R_s$, $K_i = h(A_i \| R_s)$ and sends the reply message $M_2 = \langle D_i, K_i \rangle$ to $U_i$ through any public channel.
Step 3. After receiving $M_2 = \langle D_i, K_i \rangle$, $SC_i$ first computes $R_s' = e_i' \oplus D_i$, $K_i' = h(e_i' \| R_s')$ and then verifies whether the computed $K_i'$ is identical to the received $K_i$. If it holds, $SC_i$ believes that the reply message sent by $S_j$ is authentic. It may be noted that the scheme achieves mutual authentication at this stage. Thereafter, both $U_i$ and $S_j$ agree upon a common secret session key $SK = h(R_c \| R_s)$. Now $U_i$ and $S_j$ can exchange important medical data securely using the session key $SK$.
The login and authentication phases of the proposed scheme are illustrated in Fig. 3.
Password change phase
This phase allows a registered patient to update his/her password, which is necessary in practice because a password may be disclosed to other person(s)/patient(s). To update the password, the patient executes the following steps:
Step 1. $U_i$ first provides his/her biometric $B_i'$ on the specific device for biometric verification. The smart card computes $f_i' = H(B_i')$ and verifies whether $f_i' = f_i$. If not, it terminates the operation; otherwise $U_i$ provides the identity $ID_i$ and the old password $PW_i$ to the smart card, which computes $PWD_i = h(ID_i \| PW_i)$.
Step 2. The smart card then asks for two identical new passwords, denoted $PW_i^{new}$ and $PW_i^{new1}$. If $PW_i^{new} \neq PW_i^{new1}$, the smart card shows a password-mismatch message to $U_i$ and requests them again; otherwise it computes $PWD_i^{new} = h(ID_i \| PW_i^{new})$ and $e_i^{new} = e_i \oplus PWD_i \oplus PWD_i^{new}$.
Step 3. Finally, the smart card replaces $e_i$ with $e_i^{new}$ in its memory, and $U_i$ uses $PW_i^{new}$ for subsequent logins. Thus a user can change his/her password without any assistance from $S_j$. Since the card does not verify the old password, an incorrect $PW_i$ in Step 1 yields an $e_i^{new}$ that no longer unmasks $A_i$, and later logins will be rejected by $S_j$.
Fig. 3 Login and authentication phase of the proposed scheme
The password change phase of the proposed scheme is illustrated in Fig. 4.
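The login, authentication and password-change steps above, carried through end to end as an added Python model (illustrative code written for this page, not the authors' implementation). Both $h(\cdot)$ and the bio-hash $H(\cdot)$ are instantiated with SHA-256 so that every XOR operand is 32 bytes; $X_s$, $NID_i$, $R_c$ and $R_s$ are 32-byte random values; the server identity, patient identity, password and biometric template are constructed sample values. The model runs a full $M_1/M_2$ exchange, confirms that both sides derive the same $SK$, shows that a wrong password or template is rejected, and shows that login still succeeds after the card-only password change.

```python
# Added illustrative model of the registration, login/authentication and
# password-change phases of the scheme above; not the authors' code.
import hashlib
import secrets
from dataclasses import dataclass

def h(*parts: bytes) -> bytes:
    """h(.): one-way hash of the concatenation x || y || ... (SHA-256 stands in)."""
    return hashlib.sha256(b"".join(parts)).digest()

def H(template: bytes) -> bytes:
    """H(.): bio-hashing stand-in (assumption). A real bio-hash tolerates template
    noise; this one does not, so the same template bytes are presented at login."""
    return hashlib.sha256(b"biohash|" + template).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must be the same length"
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class SmartCard:
    """Values written to SC_i at registration: f_i, e_i, T_i (h and H are public)."""
    f_i: bytes
    e_i: bytes
    T_i: bytes

class Server:
    """S_j: holds the long-term secret X_s and the ID-table of issued NID_i values."""
    def __init__(self, sid_j: bytes):
        self.sid_j = sid_j
        self.x_s = secrets.token_bytes(32)
        self.id_table = set()

    def register(self, id_i: bytes, pwd_i: bytes, b_i: bytes) -> SmartCard:
        """Registration (secure channel): input ID_i, PWD_i = h(ID_i||PW_i), B_i."""
        nid_i = secrets.token_bytes(32)                  # random identity NID_i
        self.id_table.add(nid_i)
        f_i = H(b_i)
        e_i = xor(h(self.sid_j, self.x_s, f_i), pwd_i)   # A_i masked with PWD_i
        T_i = xor(nid_i, h(id_i, f_i))                   # NID_i masked with h(ID_i||f_i)
        return SmartCard(f_i, e_i, T_i)

    def authenticate(self, m1: tuple):
        """Authentication steps 1-2: check M1 and return (M2, SK), or None on rejection."""
        f_i, G_i, L_i, nid_star = m1
        A_i = h(self.sid_j, self.x_s, f_i)
        R_c = xor(G_i, A_i)                  # equals the card's R_c only if e_i' == A_i
        nid_i = xor(nid_star, h(R_c))
        if nid_i not in self.id_table or h(nid_i, R_c) != L_i:
            return None                      # unknown NID_i, or L_i' != L_i
        R_s = secrets.token_bytes(32)
        return (xor(A_i, R_s), h(A_i, R_s)), h(R_c, R_s)   # M2 = (D_i, K_i), SK

def login(card: SmartCard, id_i: bytes, pw_i: bytes, b_i: bytes):
    """Login steps 1-3 on the card reader: returns (M1, card state) or None."""
    if H(b_i) != card.f_i:                   # biometric check gates ID/PW entry
        return None
    nid_i = xor(card.T_i, h(id_i, card.f_i))
    e_prime = xor(card.e_i, h(id_i, pw_i))   # == A_i iff ID_i and PW_i are correct
    R_c = secrets.token_bytes(32)
    m1 = (card.f_i, xor(e_prime, R_c), h(nid_i, R_c), xor(nid_i, h(R_c)))
    return m1, (e_prime, R_c)

def verify_reply(state: tuple, m2: tuple):
    """Authentication step 3 on the card: check K_i and return SK, or None."""
    (e_prime, R_c), (D_i, K_i) = state, m2
    R_s = xor(e_prime, D_i)
    return h(R_c, R_s) if h(e_prime, R_s) == K_i else None

def change_password(card, id_i, pw_old, pw_new, pw_new1, b_i) -> bool:
    """Password change, card-only: e_i <- e_i xor PWD_i xor PWD_i^new."""
    if H(b_i) != card.f_i or pw_new != pw_new1:
        return False
    card.e_i = xor(xor(card.e_i, h(id_i, pw_old)), h(id_i, pw_new))
    return True

def run_session(server, card, id_i, pw_i, b_i):
    """Complete M1/M2 exchange: (SK at U_i, SK at S_j), or None if a side rejects."""
    r = login(card, id_i, pw_i, b_i)
    if r is None:
        return None
    m1, state = r
    s = server.authenticate(m1)
    if s is None:
        return None
    m2, sk_server = s
    sk_user = verify_reply(state, m2)
    return None if sk_user is None else (sk_user, sk_server)

if __name__ == "__main__":
    # Constructed sample values; none of these identifiers come from the paper.
    srv = Server(b"hospital-server-01")
    ID, PW, B = b"patient-0042", b"correct horse battery", b"constructed-template"
    card = srv.register(ID, h(ID, PW), B)
    sk_u, sk_s = run_session(srv, card, ID, PW, B)
    print("session keys agree:", sk_u == sk_s)
    print("wrong password rejected by S_j:", run_session(srv, card, ID, b"guess", B) is None)
    change_password(card, ID, PW, b"new-pw", b"new-pw", B)
    print("login with new password:", run_session(srv, card, ID, b"new-pw", B) is not None)
```

Running the model makes one point of the prose concrete: the card never checks $PW_i$ itself, so a wrong password is detected only at $S_j$, when the $NID_i$ recovered from a wrongly unmasked $R_c$ is absent from the ID-table and authenticate returns None.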
Cryptanalysis of the proposed scheme
This section analyzes the security of the proposed authentication scheme. First, we analyze the scheme using Burrows-Abadi-Needham (BAN) logic; then we present an attack model and a formal analysis that measure the security strength of the scheme. Finally, an informal security analysis shows that the scheme is protected against the relevant security attacks.
Authentication proof based on BAN logic
This section presents the security analysis of the proposed scheme using Burrows-Abadi-Needham logic [3,6,7,14], called the BAN logic model. BAN logic is a well-known formal model used to analyze the security of authentication and key agreement schemes. Some preliminaries and notations of the BAN logic model are as follows:
Principals are the agents involved in the scheme (usually people or programs).
Keys are used to encrypt messages symmetrically.
Public keys are similar to keys except that they are used in pairs.
Nonces are message parts that are not meant to be repeated.
Timestamps are similar to nonces in that they are unlikely to be repeated.
Some BAN statements which are helpful for analyzing the security of the proposed scheme are given below:
$P \mid\equiv X$: $P$ believes $X$, or $P$ would be entitled to believe $X$. In particular, $P$ can take $X$ as true.
$P \triangleleft X$: $P$ sees $X$. $P$ has received some message $X$ and is capable of reading and repeating it (seeing rule).
$P \mid\sim X$: $P$ once said $X$. $P$ at some time sent a message including the statement $X$. It is not known whether this is a replay, though it is known that $P$ believed $X$ when it sent it.
$P \Rightarrow X$: $P$ has jurisdiction over $X$. The principal $P$ is an authority on $X$ and should be trusted on this matter.
$\#(X)$: The message $X$ is fresh.
$(X, Y)$: The formula $X$ or $Y$ is one part of the formula $(X, Y)$.
$\langle X \rangle_Y$: The formula $X$ combined with the formula $Y$.
$\{X\}_K$: The formula $X$ is encrypted under the key $K$.
$(X)_K$: The formula $X$ is hashed with the key $K$.
$P \xleftrightarrow{K} Q$: Principals $P$ and $Q$ communicate via the shared key $K$.
$P \overset{X}{\rightleftharpoons} Q$: The formula $X$ is a secret known only to $P$ and $Q$, and possibly to principals trusted by them.
$\xrightarrow{K} P$: Principal $P$ has $K$ as its public key.
$SK$: The session key used in the current session.
Fig. 4 Password change phase of the proposed scheme
The main logical postulates of the BAN logic model are as follows:
Message-meaning rule: $\dfrac{P \mid\equiv P \overset{K}{\rightleftharpoons} Q,\; P \triangleleft \langle X \rangle_K}{P \mid\equiv Q \mid\sim X}$. If the principal $P$ believes that the secret $K$ is shared with $Q$ and sees $\langle X \rangle_K$, then $P$ believes that $Q$ once said $X$.
Freshness-conjunction rule: $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$. If the principal $P$ believes that $X$ is fresh, then $P$ believes the freshness of $(X, Y)$.
Belief rule: $\dfrac{P \mid\equiv X,\; P \mid\equiv Y}{P \mid\equiv (X, Y)}$. If the principal $P$ believes $X$ and $Y$, then $P$ believes $(X, Y)$.
Nonce-verification rule: $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$. If the principal $P$ believes that $X$ is fresh and that the principal $Q$ once said $X$, then $P$ believes that $Q$ believes $X$.
Jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$. If the principal $P$ believes that $Q$ has jurisdiction over $X$ and that $Q$ believes $X$, then $P$ believes that $X$ is true.
Session key rule: $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \xleftrightarrow{K} Q}$. If the principal $P$ believes that $X$, a necessary parameter of the session key, is fresh and that $Q$ believes $X$, then $P$ believes that it shares the session key $K$ with $Q$.
To prove an authentication scheme secure, the following steps are performed:
(1) Idealize the proposed authentication scheme in the language of the formal logic.
(2) Identify the assumptions about the initial state of the proposed authentication scheme.
(3) Apply the rules of the logic to deduce new predicates.
(4) Use the logic to discover the beliefs held by the parties in the proposed scheme.
In order to prove the proposed scheme secure, it must satisfy the following goals in BAN logic:
Goal 1: $U_i \mid\equiv U_i \xleftrightarrow{SK} S_j$
Goal 2: $U_i \mid\equiv S_j \mid\equiv U_i \xleftrightarrow{SK} S_j$
Goal 3: $S_j \mid\equiv S_j \xleftrightarrow{SK} U_i$
Goal 4: $S_j \mid\equiv U_i \mid\equiv S_j \xleftrightarrow{SK} U_i$
First, the proposed scheme is transformed into idealized form:
$M_1$: $U_i \rightarrow S_j$: $f_i, G_i, NID_i', L_i : \langle R_c \rangle_{NID_i}$
$M_2$: $S_j \rightarrow U_i$: $D_i, K_i : \langle R_s \rangle_{A_i}$
Second, the following assumptions about the initial state of the scheme are made:
A1: $U_i \mid\equiv \#(R_c)$
A2: $S_j \mid\equiv \#(R_s)$
B1: $S_j \mid\equiv U_i \Rightarrow R_c$
B2: $U_i \mid\equiv S_j \Rightarrow R_s$
C1: $S_j \mid\equiv S_j \overset{NID_i}{\rightleftharpoons} U_i$
C2: $U_i \mid\equiv U_i \overset{A_i}{\rightleftharpoons} S_j$
Third, the idealized form of the proposed scheme is analyzed based on the BAN logic rules and the assumptions. The main proofs are as follows:
$M_1$: $U_i \rightarrow S_j$: $f_i, G_i, NID_i', L_i : \langle R_c \rangle_{NID_i}$
According to the seeing rule, we get S1: $S_j \triangleleft f_i, G_i, NID_i', L_i : \langle R_c \rangle_{NID_i}$.
According to C1, S1 and the message-meaning rule, we get S2: $S_j \mid\equiv U_i \mid\sim R_c$.
According to A2, S2, the freshness-conjunction rule and the nonce-verification rule, we get S3: $S_j \mid\equiv U_i \mid\equiv R_c$, where $R_c$ is a necessary parameter of the session key of the proposed scheme.
According to B1, S3 and the jurisdiction rule, we get S4: $S_j \mid\equiv R_c$.
According to A2, S4 and the session key rule, we get S5: $S_j \mid\equiv S_j \xleftrightarrow{SK} U_i$ (Goal 3).
According to A2, S5 and the nonce-verification rule, we get S6: $S_j \mid\equiv U_i \mid\equiv S_j \xleftrightarrow{SK} U_i$ (Goal 4).
$M_2$: $S_j \rightarrow U_i$: $D_i, K_i : \langle R_s \rangle_{A_i}$
According to the seeing rule, we get S7: $U_i \triangleleft D_i, K_i : \langle R_s \rangle_{A_i}$.
According to C2, S7 and the message-meaning rule, we get S8: $U_i \mid\equiv S_j \mid\sim R_s$.
According to A1, S8, the freshness-conjunction rule and the nonce-verification rule, we get S9: $U_i \mid\equiv S_j \mid\equiv R_s$, where $R_s$ is a necessary parameter of the session key of the proposed scheme.
According to B2, S9 and the jurisdiction rule, we get S10: $U_i \mid\equiv R_s$.
According to A1, S10 and the session key rule, we get S11: $U_i \mid\equiv U_i \xleftrightarrow{SK} S_j$ (Goal 1).
According to A1, S11 and the nonce-verification rule, we get S12: $U_i \mid\equiv S_j \mid\equiv U_i \xleftrightarrow{SK} S_j$ (Goal 2).
The above derivation establishes the four goals stated above, so $U_i$ and $S_j$ achieve mutual authentication and agree on the session key securely in BAN logic.
Formal security verification using the AVISPA simulation tool
This section presents the formal security verification of the proposed scheme with the AVISPA simulator, to show that the scheme is secure against the active and passive attacks modeled by the tool, including replay and man-in-the-middle attacks. Many user authentication schemes [4,8,9,41] have been simulated using AVISPA. In the following we describe the AVISPA simulator and then present the HLPSL code along with the simulation results.
Specification of the proposed scheme
AVISPA is a widely accepted formal security verification tool that reports whether a scheme is SAFE or UNSAFE against the active and passive attacks of its intruder model. AVISPA takes its input in the High-Level Protocol Specification Language (HLPSL). The structure of the AVISPA tool is shown in Fig. 5. Currently, AVISPA [67] supports four different back-ends and abstraction-based methods, which are integrated through HLPSL. The first back-end, the On-the-fly Model-Checker (OFMC), uses symbolic techniques to explore the state space in a demand-driven way. The second back-end, the Constraint-Logic-based Attack Searcher (CL-AtSe), translates any security scheme specification written as a transition relation in the intermediate format (IF) into a set of constraints, which are used to find whether there are attacks on the scheme. The third back-end, the SAT-based Model-Checker (SATMC), generates a propositional formula that is fed to a state-of-the-art SAT solver, and any model found is translated back into an attack. The last back-end, Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), approximates the intruder knowledge by using regular tree languages. As mentioned earlier, the HLPSL specification is translated into the intermediate format (IF) by the hlpsl2if translator. IF is a lower-level language than HLPSL and is read directly by the back-ends of the AVISPA tool; this intermediate translation step is transparent to the user.
HLPSL is a role-oriented language in which each participant plays a role during the scheme execution. Each role is independent of the others, receiving some initial information through parameters and communicating with the other roles through channels. The intruder is modeled using the Dolev-Yao model [24], with the possibility for the intruder to assume a legitimate role in a scheme run. The role system also describes the number of sessions, the number of principals and the roles. Based on the selected back-end, the output format (OF) is generated; after a successful execution, the OF states whether the scheme is safe or unsafe and under what conditions the result was obtained.
Brief specification of the proposed scheme
In this section we present the HLPSL specification of the proposed scheme for the roles of the user, the server, the session and the environment. Fig. 6 implements the role of the user $U_i$. During the registration phase, $U_i$ submits IDi.PWDi.Bi to $S_j$ through a secure channel using the Snd() operation and the symmetric key SKas. The type declaration channel(dy) means that the channel follows the Dolev-Yao threat model. The declaration secret({IDi}, subs1, {Ui,Sj}) states that IDi is known only to $U_i$ and $S_j$; if this is violated, the proposed scheme fails to preserve user anonymity. After submitting the registration message, $U_i$ receives Rcv({Fi'.Ei'.Ti'}_SKas) securely using the symmetric key SKas. $U_i$ then generates a random number Rc using the new() operation and sends the login message Snd(Fi'.Gi'.Li'.NIDii') to $S_j$ through the public channel. The declaration witness(Ui, Sj, alice_server_rc, Rc') indicates that $U_i$ has freshly generated Rc for $S_j$ in the login phase, and secret({Rc'}, subs3, {Ui,Sj}) states that the random number Rc is known only to $U_i$ and $S_j$. In the authentication phase, $U_i$ receives the reply message with Rcv(Ki'.Di') and computes the session key according to our scheme.
Fig. 7 implements the role of the remote server $S_j$ in HLPSL. During the registration phase, $S_j$ receives the registration message, computes {Fi'.Ei'.Ti'}_SKas and sends it to $U_i$ securely with Snd(). During the login phase, $S_j$ receives the login message Rcv(Fi'.Gi'.Li'.NIDii') over the public channel. $S_j$ then generates the random number Rs, computes the reply message and sends Snd(Ki'.Di') to $U_i$ through the open channel. The statement secret({Rs'}, subs6, {Sj,Ui}) states that Rs is known only to $S_j$ and $U_i$, and witness(Sj, Ui, server_alice_rs, Rs') indicates that $S_j$ freshly generates Rs for $U_i$. The matching declaration request(Ui, Sj, server_alice_rs, Rs') states that $U_i$ authenticates $S_j$ based on Rs.
Fig. 8 gives the specification of the session and environment roles in HLPSL. In the session role, the basic roles for $U_i$ and $S_j$ are instantiated with concrete arguments. The environment role contains the global constants, the composition of one or more sessions and the intruder knowledge. The current version (2006/02/13) of HLPSL supports the standard authentication and secrecy goals. Our specification states six secrecy goals (1-6) and two authentication goals (7, 8), discussed below.
(1) secrecy_of subs1: the identity IDi of $U_i$ is known only to $U_i$ and $S_j$, i.e. the proposed scheme provides user anonymity.
(2) secrecy_of subs2: the confidential information PWi is known only to $U_i$.
(3) secrecy_of subs3: the confidential information Rc is known only to $U_i$ and $S_j$.
Fig. 5 Architecture of the AVISPA tool. The HLPSL (High-Level Protocol Specification Language) specification is translated by HLPSL2IF into IF (Intermediate Format), which is read by the four back-ends OFMC (On-the-fly Model-Checker), CL-AtSe (Constraint-Logic-based Attack Searcher), SATMC (SAT-based Model-Checker) and TA4SP (Tree Automata-based Protocol Analyzer); each back-end produces the OF (Output Format).
role alice (Ui, Sj: agent,
            SKas : symmetric_key,
            H: hash_func,
            Snd, Rcv: channel(dy))
played_by Ui
def=
  local State : nat,
        IDi, PWi, PWDi, NIDi, Bi, NIDii, SIDj, Xs, Rc, Ti: text,
        Eii, Gi, Li, Rs, SK, Ki, Di, Fi, Ei: message,
        Inc : hash_func
  const alice_server_rc, server_alice_rs, subs1, subs2, subs3,
        subs4, subs5, subs6: protocol_id
  init State := 0
  transition
  % Registration: send IDi, PWDi = h(IDi||PWi), Bi to Sj over the SKas-protected channel
  1. State = 0 /\ Rcv(start) =|>
     State' := 1 /\ PWDi' := H(IDi.PWi)
                /\ Snd({IDi.PWDi'.Bi}_SKas)
                /\ secret({IDi}, subs1, {Ui,Sj})
                /\ secret({PWi}, subs2, {Ui})
  % Login: receive the card parameters {Fi, Ei, Ti} and build M1 = {Fi, Gi, Li, NIDii};
  % primed names denote the values received or computed in this transition
  2. State = 1 /\ Rcv({Fi'.Ei'.Ti'}_SKas) =|>
     State' := 2 /\ Rc' := new()
                /\ NIDi' := xor(Ti', H(IDi.Fi'))
                /\ Eii' := xor(Ei', H(IDi.PWi))
                /\ Gi' := xor(Eii', Rc')
                /\ NIDii' := xor(NIDi', H(Rc'))
                /\ Li' := H(NIDi'.Rc')
                /\ Snd(Fi'.Gi'.Li'.NIDii')
                /\ secret({Rc'}, subs3, {Ui,Sj})
                /\ witness(Ui, Sj, alice_server_rc, Rc')
  % Authentication: receive M2 = {Ki, Di}, recover Rs, derive SK = h(Rc||Rs)
  3. State = 2 /\ Rcv(Ki'.Di') =|>
     State' := 3 /\ Rs' := xor(Eii, Di')
                /\ Ki' := H(Eii.Rs')
                /\ SK' := H(Rc.Rs')
                /\ secret({SK'}, subs4, {Ui,Sj})
                /\ request(Ui, Sj, server_alice_rs, Rs')
end role
Fig. 6 Role specification of the user Uiin HLPSL
(4) secrecy_of subs4: the session key SK of the proposed scheme is known only to $U_i$ and $S_j$.
(5) secrecy_of subs5: the private key Xs of $S_j$ is kept secret.
(6) secrecy_of subs6: the confidential information Rs is known only to $S_j$ and $U_i$.
(7) authentication_on alice_server_rc: $U_i$ generates a random nonce Rc, known initially only to $U_i$; if $S_j$ receives Rc securely, $S_j$ authenticates $U_i$.
(8) authentication_on server_alice_rs: $S_j$ generates a random nonce Rs, known initially only to $S_j$; if $U_i$ receives Rs securely, $U_i$ authenticates $S_j$.
Simulation results
In this section, the simulation results of our scheme are presented. Figs. 9 and 10 show the simulation results for the two back-ends OFMC and CL-AtSe. The
role server (Sj, Ui: agent,
             SKas : symmetric_key,
             H: hash_func,
             Snd, Rcv: channel(dy))
played_by Sj
def=
  local State : nat,
        IDi, PWi, PWDi, Bi, NIDi, NIDii, SIDj, Xs, Ti: text,
        Eii, Gi, Li, Rc, Rs, SK, Ki, Di, Ai, Fi, Ei : message,
        Inc : hash_func
  const alice_server_rc, server_alice_rs, subs1, subs2, subs3,
        subs4, subs5, subs6: protocol_id
  init State := 0
  transition
  % Registration: receive {IDi, PWDi, Bi} over the SKas-protected channel, issue {Fi, Ei, Ti}
  1. State = 0 /\ Rcv({IDi'.PWDi'.Bi'}_SKas) =|>
     State' := 1 /\ NIDi' := new()
                /\ Fi' := H(Bi')
                /\ Ei' := xor(H(SIDj.Xs.Fi'), PWDi')
                /\ Ti' := xor(NIDi', H(IDi'.Fi'))
                /\ Snd({Fi'.Ei'.Ti'}_SKas)
                /\ secret({Xs}, subs5, {Sj})
  % Login/authentication: receive M1, recover Rc = Gi xor Ai, reply with M2 = {Ki, Di}
  2. State = 1 /\ Rcv(Fi'.Gi'.Li'.NIDii') =|>
     State' := 2 /\ Rs' := new()
                /\ Ai' := H(SIDj.Xs.Fi')
                /\ Rc' := xor(Gi', Ai')
                /\ Di' := xor(Ai', Rs')
                /\ Ki' := H(Ai'.Rs')
                /\ SK' := H(Rc'.Rs')
                /\ witness(Sj, Ui, server_alice_rs, Rs')
                /\ request(Sj, Ui, alice_server_rc, Rc')
                /\ secret({Rs'}, subs6, {Sj,Ui})
                /\ Snd(Ki'.Di')
end role
Fig. 7 Role specification of the server Sjin HLPSL
simulation results confirm that our scheme is SAFE under both back-ends. A SAFE verdict means that, within the bounded number of sessions explored (BOUNDED_NUMBER_OF_SESSIONS in the output), the back-end found no attack by the Dolev-Yao intruder on the specified secrecy and authentication goals, which covers replay and man-in-the-middle attacks against those goals.
Formal security analysis in the random oracle model
This section presents the formal security analysis of the proposed scheme in the random oracle model. Definition 2 gives the success probability and advantage of an attacker in breaking the collision-resistance property, and Definition 3 gives the reveal oracle:
Definition 1 A function $\epsilon(k)$ is said to be negligible if, for every $c > 0$, there exists $k_0$ such that $\epsilon(k) \le \frac{1}{k^c}$ for every $k \ge k_0$.
Definition 2 The advantage of an attacker $A$ in finding a collision against the one-way hash function is $Adv^{H}_{A}(t) = \Pr[(m, m') \Leftarrow_R A \text{ and } h(m) = h(m')]$, where $\Pr[E]$ denotes the probability of an event $E$ in a random experiment, $(m, m') \Leftarrow_R A$ denotes that the messages $(m, m')$ are chosen by $A$ at random, and $Adv^{H}_{A}(t)$ is the advantage of $A$ over random choice within the time duration $t$. The hash function $h(\cdot)$ is said to be collision-resistant if $Adv^{H}_{A}(t) \le \epsilon$ for any small value $\epsilon > 0$.
Definition 3 The reveal oracle unconditionally outputs the input string $m$ from the corresponding hash value $y = h(m)$. It is denoted $RORACLE(\cdot)$.
role session(Ui, Sj: agent,
             SKas : symmetric_key,
             H: hash_func)
def=
  local SI, SJ, RI, RJ: channel (dy)
  composition
       alice(Ui, Sj, SKas, H, SI, RI)
    % argument order follows the declaration role server (Sj, Ui, ...)
    /\ server(Sj, Ui, SKas, H, SJ, RJ)
end role

role environment()
def=
  const ui, sj: agent,
        skas : symmetric_key,
        h, mul, add, sub: hash_func,
        idi, pwi, nidi, nidii, sidj, xs, ri, ti, rs: text,
        alice_server_rc, server_alice_rs, subs1,
        subs2, subs3, subs4, subs5, subs6: protocol_id
  intruder_knowledge = {ui, sj, h}
  composition
       session(ui, sj, skas, h)
    /\ session(sj, ui, skas, h)
end role

goal
  secrecy_of subs1
  secrecy_of subs2
  secrecy_of subs3
  secrecy_of subs4
  secrecy_of subs5
  secrecy_of subs6
  authentication_on alice_server_rc
  authentication_on server_alice_rs
end goal

environment()
Fig. 8 Role specification of session and environment in HLPSL
Theorem 1 Under the assumption that the cryptographic one-way hash function $h(\cdot)$ closely behaves like a random oracle, the proposed scheme is provably secure against an attacker deriving the $ID_i$, $PW_i$, $B_i$ of a legal user $U_i$, even if the attacker knows all the smart card information and the messages communicated over the public channel.
Proof We consider an attacker $A$ who attempts to derive the user's identity $ID_i$, password $PW_i$ and biometric template $B_i$ from the proposed scheme. We suppose that $A$ has obtained the smart card of $U_i$ by some means and extracted all its parameters $\{f_i, e_i, T_i, h(\cdot), H(\cdot)\}$ by monitoring the power consumption [49,62]. According to the threat model assumption, $A$ can also capture the login message $\{f_i, G_i, L_i, NID_i'\}$ and the reply message $\{D_i, K_i\}$. $A$ then executes the algorithm $Algo1^{H}_{A}$ for deriving $ID_i$, $PW_i$, $B_i$ of $U_i$, as given in Algorithm 1.
We define the success probability of $Algo1^{H}_{A}$ as $Succ1^{H}_{A} = |\Pr[Algo1^{H}_{A} = 1] - 1|$. The advantage of $Algo1^{H}_{A}$ is $Adv1^{H}_{A}(t_1, q_{R1}) = \max_{A}[Succ1^{H}_{A}]$, where the maximum is taken over all $A$ with execution time $t_1$ and $q_{R1}$ queries made to the $RORACLE(\cdot)$ oracle. The proposed scheme is said to be provably secure against $A$ deriving $ID_i$, $PW_i$, $B_i$ if $Adv1^{H}_{A}(t_1, q_{R1}) \le \epsilon$ for any small value $\epsilon > 0$. In $Algo1^{H}_{A}$, $A$ can derive $ID_i$, $PW_i$, $B_i$ and win the game only if $A$ is able to invert the hash function $h(\cdot)$. However, this is computationally infeasible in polynomial time, that is, $Adv^{H}_{A}(t) \le \epsilon$ for any small $\epsilon > 0$ (Definition 2). Therefore $Adv1^{H}_{A}(t_1, q_{R1}) \le \epsilon$, as $Adv1^{H}_{A}(t_1, q_{R1})$ depends on the advantage $Adv^{H}_{A}(t)$. This proves that the proposed scheme is secure against an attacker deriving $U_i$'s information $ID_i$, $PW_i$, $B_i$.
Theorem 2 Under the assumption that the cryptographic one-way hash function $h(\cdot)$ closely behaves like a random oracle, the proposed scheme is provably secure against an attacker deriving the secret key $X_s$ and the session key $SK$ between $U_i$ and $S_j$, even if $A$ knows all the information including the smart card parameters and the communicated messages.
Proof We consider an attacker $A$ (as in Theorem 1) who attempts to derive the long-term confidential parameters, namely the secret key of $S_j$, from the proposed scheme. We assume that $A$ not only knows all the smart card parameters $\{f_i, e_i, T_i, h(\cdot), H(\cdot)\}$ by monitoring the power consumption [49,62], but also knows all the transmitted messages $\{f_i, G_i, L_i, NID_i', D_i, K_i\}$ of the proposed scheme. $A$ then executes the algorithm $Algo2^{H}_{A}$ for deriving $X_s$ of $S_j$ and the session key $SK$ of the proposed scheme, as given in Algorithm 2.
We define the success probability of Algorithm 2 as $Succ2^{H}_{A} = |\Pr[Algo2^{H}_{A} = 1] - 1|$. The advantage of $Algo2^{H}_{A}$ is $Adv2^{H}_{A}(t_2, q_{R2}) = \max_{A}[Succ2^{H}_{A}]$, where the maximum is taken over all $A$ with execution time $t_2$ and $q_{R2}$ queries made to the $RORACLE(\cdot)$ oracle. The proposed scheme is said to be provably secure against $A$ deriving $X_s$, $SK$ if $Adv2^{H}_{A}(t_2, q_{R2}) \le \epsilon$ for any small value $\epsilon > 0$. In $Algo2^{H}_{A}$, $A$ can derive $X_s$, $SK$ and win the game only if $A$ is able to invert $h(\cdot)$. However, this is computationally infeasible in polynomial time, that is, $Adv^{H}_{A}(t) \le \epsilon$ for any small $\epsilon > 0$ (Definition 2). Therefore we have $Adv2^{H}_{A}(t_2, q_{R2}) \le \epsilon$, as $Adv2^{H}_{A}(t_2, q_{R2})$ depends on the advantage $Adv^{H}_{A}(t)$. This proves that the proposed scheme is secure against $A$ deriving $X_s$, $SK$.
Informal security analysis of our scheme
In this section we describe the capabilities of the attacker, including the assumptions made for a remote user authentication scheme over an insecure communication medium.
% OFMC
% Version of 2006/02/13
SUMMARY
SAFE
DETAILS
BOUNDED_NUMBER_OF_SESSIONS
PROTOCOL
/home/avispa/web-interface-computation/./tempdir/workfile32HZmJ.if
GOAL
as_specified
BACKEND
OFMC
COMMENTS
STATISTICS
parseTime: 0.00s
searchTime: 0.09s
visitedNodes: 4 nodes
depth: 2 plies
Fig. 9 Simulation result of the proposed scheme in OFMC backend
(i) An attacker ($A$) is able to extract the smart card information by monitoring the power consumption [49,62]. For example, if an attacker obtains the smart card of a valid user, she/he may obtain all the information stored on the smart card.
(ii) $A$ may eavesdrop on all the communication between the entities involved in the scheme over the public channel. It is also assumed that an attacker cannot intercept messages sent over the secure channel.
(iii) $A$ can easily guess a low-entropy password or identity individually, but guessing two secret parameters (e.g. password and identity) simultaneously is computationally infeasible in polynomial time.
(iv) $A$ can modify, delete, resend and reroute the eavesdropped messages.
SUMMARY
SAFE
DETAILS
BOUNDED_NUMBER_OF_SESSIONS
TYPED_MODEL
PROTOCOL
/home/avispa/web-interface-computation/
./tempdir/workfile32HZmJ.if
GOAL
As Specified
BACKEND
CL-AtSe
STATISTICS
Analysed : 0 states
Reachable : 0 states
Translation: 0.02 seconds
Computation: 0.00 seconds
Fig. 10 Simulation result of the proposed scheme in CL-AtSe
backend
(v) $A$ may be a legitimate user or server.
(vi) $A$ knows the scheme description, that is, the scheme is public.
(vii) If the length of the user's identity and password is $n$ characters, then the probability of guessing each is approximately $\frac{1}{2^{6n}}$ [16].
Here we informally analyze the security of the proposed scheme and show that it is protected against the user anonymity problem, off-line password guessing attack, insider attack, smart card theft attack, impersonation attack and session key disclosure attack.
User anonymity
In order to trace a legal user, we assume that the attacker knows the smart card parameters $\{f_i, e_i, T_i, h(\cdot), H(\cdot)\}$ and the login-reply messages $\{f_i, G_i, L_i, NID_i', D_i, K_i\}$, where $f_i = H(B_i)$, $e_i = h(SID_j \| X_s \| f_i) \oplus PWD_i$, $T_i = NID_i \oplus h(ID_i \| f_i)$, $G_i = e_i' \oplus R_c$, $NID_i' = NID_i \oplus h(R_c)$, $L_i = h(NID_i \| R_c)$, $D_i = A_i \oplus R_s$ and $K_i = h(A_i \| R_s)$. However, the attacker cannot trace the legal user for the following reasons.
(1) Since $f_i$ is protected by the non-invertible bio-hashing function $H(\cdot)$, the adversary cannot extract the (high-entropy) biometric template $B_i$ and also cannot guess it in polynomial time. Moreover, the attacker cannot extract $PWD_i = h(ID_i \| PW_i)$ from $e_i$ without knowing the secret key $X_s$ of $S_j$. If the attacker tries to guess $ID_i$ from $e_i$, the guessing probability would be $\frac{1}{2^{12+1024}}$, which is negligible. On the other hand, the attacker cannot extract $ID_i$ from $h(ID_i \| f_i)$ due to the one-way property of $h(\cdot)$, and cannot guess it in polynomial time.
(2) $U_i$'s identity $ID_i$ does not appear in the login-reply messages. Therefore, the attacker has no way to extract or guess $ID_i$ after intercepting the login-reply messages.
The above discussion shows that the attacker cannot extract or guess $U_i$'s identity. Therefore, the attacker cannot trace a legal patient, and the scheme achieves user anonymity.
Off-line password guessing attack
The user's password is the main secret in any password-based user authentication scheme, so it must be handled in a way that prevents the attacker from extracting or guessing it. The password $PW_i$ of $U_i$ is involved only in $e_i = h(SID_j \| X_s \| f_i) \oplus h(ID_i \| PW_i)$. Since $PW_i$ is protected by $h(\cdot)$, the attacker cannot extract it. Moreover, the attacker is not able to guess $PW_i$ without knowing $ID_i$ and $X_s$. If the attacker tries to guess it using $e_i$, the probability would be approximately $\frac{1}{2^{6n+1024}}$, which is negligible.
Insider attack
Many of today's security systems are vulnerable to insider attacks, so the scheme designer must always keep the user's confidential information secret from the server (even though the server is trusted). If an insider of the server (system manager or administrator) obtains the user's correct password by some means, he/she may use that password to log in to other servers where the user is registered with the same identity and password. During registration, the insider learns only $PWD_i = h(ID_i \| PW_i)$, from which he/she cannot extract $PW_i$ owing to the non-invertible cryptographic one-way hash function $h(\cdot)$. If the attacker tries to guess it, the probability would be approximately $\frac{1}{2^{6n}}$, which is not feasible in polynomial time.
Smart card theft attack
In order to launch this attack, an attacker has to compute valid smart card information $\{f_i, e_i, T_i, h(\cdot), H(\cdot)\}$, where $f_i = H(B_i)$, $e_i = h(SID_j \| X_s \| f_i) \oplus PWD_i$ and $T_i = NID_i \oplus h(ID_i \| f_i)$. In practice the attacker cannot produce a valid forged $f_i^{a} = H(B_i^{a})$, where $B_i^{a}$ is the attacker's own biometric template. Suppose the attacker chooses a password $PW_i^{a}$ and tries to compute a valid $e_i$; he/she cannot do so without knowing $S_j$'s secret key $X_s$. Launching the attack also requires the patient's identity, and we showed above that the attacker has no way to extract or guess $ID_i$ from the scheme description. Therefore, we conclude that the proposed scheme resists the smart card theft attack.
Impersonation attack
In this attack, an attacker tries to impersonate the patient to the medical server after intercepting the login message during an execution of the scheme. To do so, the attacker must generate another login message that the medical server will accept. The login message of the scheme is $\{f_i, G_i, L_i, NID_i'\}$, where $G_i = e_i' \oplus R_c$, $NID_i' = NID_i \oplus h(R_c)$ and $L_i = h(NID_i \| R_c)$. The attacker can generate a random number for computing $G_i$, $L_i$, $NID_i'$. It is noticeable, however, that the attacker
Table 2 Security attacks and attributes comparison of the proposed scheme with related schemes

Columns, left to right: Ref. [55], Ref. [16], Ref. [23], Ref. [68], Ref. [69], Ref. [71], Ref. [20], Ref. [12], Ref. [15], Our
A1   × × × × × × × × ×
A2   NA √ √ NA NA NA NA NA NA
A3   × × × × × × × × ×
A4   × × × × ×
A5   × × × × × × ×
A6   × × × × × × × × ×
A7   × × × × × × ×
A8   NA NA × × NA × × NA
A9   × × √ √ × √ √ √ ×
A10  × × × × × × × × ×

A1 Preserves user anonymity
A2 Drawback in the use of the random identity NIDi
A3 Resists off-line password guessing attack
A4 Resists insider attack
A5 Resists smart card theft attack
A6 Resists user impersonation attack
A7 Resists server impersonation attack
A8 Resists session key disclosure attack
A9 Session key agreement between the user and the server
A10 Mutual authentication
× No; √ Yes; NA Not applicable
Table 3 Storage and communication cost comparisons of the proposed scheme with related schemes

Scheme      SC (bits)   CC (bits)
Ref. [55]   640         800
Ref. [16]   960         960
Ref. [23]   1280        1280
Ref. [68]   640         768
Ref. [69]   384         768
Ref. [71]   384         1152
Ref. [20]   896         1080
Ref. [12]   640         896
Ref. [15]   384         768
Our         800         960

SC Storage cost in the smart card (bits)
CC Communication cost (bits)
needs valid $e_i' = h(SID_j \| X_s \| f_i)$ and $NID_i$ to compute valid $G_i$ and $L_i$, $NID_i'$ respectively. Therefore, the proposed scheme provides strong protection against the patient impersonation attack, as the attacker does not know the valid $e_i'$, $NID_i$ parameters.
On the other hand, an attacker may also try to impersonate the medical server by replying with a valid reply message during an execution of the proposed scheme. To do so, the attacker must compute a valid reply message that the patient will accept. During the authentication phase, the proposed scheme generates the reply message $\{D_i, K_i\}$, where $D_i = A_i \oplus R_s$ and $K_i = h(A_i \| R_s)$. Suppose the attacker captures the message $\{D_i, K_i\}$ from the insecure channel and tries to compute another valid message. The attacker cannot compute a valid reply message without knowing $A_i$, which relies on the secret key of $S_j$. Therefore, we claim that the proposed scheme is secure against the server impersonation attack.
Session key disclosure attack
The security of the session key $SK = h(R_c \| R_s)$ of the proposed scheme is based on the one-way property of $h(\cdot)$. Moreover, the session key depends on the random nonces $R_c$, $R_s$ of the scheme. We described earlier that the attacker has no way to compute the random numbers $R_c$, $R_s$ of the scheme, so the attacker cannot compute the session key. Note also that the attacker is not able to guess high-entropy random numbers in polynomial time.
Performance comparison
This section evaluates the performance of the proposed scheme against the related existing schemes [12,15,16,20,23,55,68,69,71] in terms of storage cost, communication cost, computation cost and security aspects. We compare with these schemes because their security relies on the difficulty of inverting a cryptographic one-way hash function ($T_h$), except for [12], which uses modular exponentiation ($T_e$). To measure the storage and communication costs, we take the length of the identity $ID_i$, password $PW_i$, random numbers, bio-hashing output and message digest to be 128 bits each. Compared with the computation cost of the hash function, the XOR ($\oplus$) and concatenation ($\|$) operations take very little computation time, so we omit them from the computation comparison. Additionally, we consider only the login and authentication phases in our comparison, as the registration phase is executed rarely and the password change phase is used only on user demand.
In Table 2, we provide a comparison of the proposed scheme with the existing schemes in terms of different security features. It is noticeable from Table 2 that the schemes [12,15,16,20,23,55,68,69,71] do not support user anonymity and do not withstand the off-line password guessing attack. Note that the schemes [12,15,16,20,23,55,68,69,71] also lack several further security properties, such as mutual authentication and session key agreement.
As depicted in Table 3, the proposed scheme has a lower storage cost than the schemes [16,20,23], and a lower communication cost than the schemes proposed in [20,23,71]. The most important and desirable property of any remote mutual authentication scheme is that its complexities should be better than those of related existing schemes while meeting the complete security requirements. Since the proposed scheme provides strong protection against the relevant security attacks, it is a strong contribution of this paper that the complexities of the proposed scheme are reasonable compared with the schemes [12,15,16,20,23,55,68,69,71].
In Table 4, we provide a computation cost comparison of the proposed scheme with the existing schemes. From Table 2, we observe that our scheme provides resilience against the common security attacks, whereas the other schemes are not completely free from security weaknesses. Note that the proposed scheme takes nearly the same computation cost as the other schemes.

Table 4 Computation cost comparison of proposed scheme with related schemes
Schemes | Ref. [55] | Ref. [16] | Ref. [23] | Ref. [68] | Ref. [69] | Ref. [71] | Ref. [20] | Ref. [12] | Ref. [15] | Our
TC      | 8Th       | 10Th      | 18Th      | 8Th       | 6Th       | 20Th      | 22Th      | 8Th + 2Te | 10Th      | 12Th
TC: total computation cost
J Med Syst (2015) 39:140, Page 19 of 21
Conclusion
In this paper, we reviewed Das et al.'s scheme [23] and demonstrated that it cannot withstand several common attacks, namely (1) violation of user anonymity, (2) off-line password guessing attack, (3) smart card theft attack, (4) user impersonation attack, (5) server impersonation attack and (6) session key disclosure attack. Moreover, we also pointed out the security pitfall of using a random identity. To remove the mentioned security loopholes, this paper proposed an enhanced remote mutual authentication scheme using a smart card, biometrics and a hash function. The security of the proposed scheme was validated with BAN logic, which ensures that our scheme achieves mutual authentication and session key agreement securely. The proposed scheme withstands the relevant security attacks and satisfies all desirable security attributes, as demonstrated through both informal and formal security analysis. We simulated our scheme for formal security verification with the AVISPA tool and showed that it is secure against active and passive attacks, including replay and man-in-the-middle attacks. The performance comparison of the proposed scheme with competitive related schemes has also been made and shows that our scheme is comparatively reasonable in terms of complexity. Additionally, the proposed scheme achieves desirable security attributes such as user anonymity, mutual authentication, an efficient password change phase and session key establishment.
Acknowledgments The second author is supported by the Outstand-
ing Potential for Excellence in Research and Academics (OPERA)
award, Birla Institute of Technology and Science (BITS) Pilani, Pilani
Campus, Rajasthan, India. The authors extend their sincere apprecia-
tions to the Deanship of Scientific Research at King Saud University
for funding this Prolific Research Group (PRG-1436-16). This
research is also partially supported by the National Natural Science
Foundation of China under Grant No. 61300220.
References
1. Amin, R., Cryptanalysis and an efficient secure id-based remote
user authentication using smart card. Int. J. Comput. Appl.
75(13):43–48, 2013.
2. Amin, R., and Biswas, G. P., Cryptanalysis and design of a three-
party authenticated key exchange protocol using smart card. Arab.
J. Sci. Eng. 1–15, 2015. doi:10.1007/s13369-015-1743-5.
3. Amin, R., and Biswas, G. P., Design and analysis of bilinear
pairing based mutual authentication and key agreement protocol
usable in multi-server environment. Wirel. Pers. Commun. 1–24,
2015. doi:10.1007/s11277-015-2616-7.
4. Amin, R., and Biswas, G. P., An improved rsa based user authenti-
cation and session key agreement protocol usable in tmis. J. Med.
Syst. 39(8):79, 2015. doi:10.1007/s10916-015-0262-y.
5. Amin, R., and Biswas, G. P., A novel user authentication and
key agreement protocol for accessing multi-medical server usable
in tmis. J. Med. Syst. 39(3):33, 2015. doi:10.1007/s10916-015-
0217-3.
6. Amin, R., and Biswas, G. P., Remote access control mechanism
using rabin public key cryptosystem. In: Information Systems
Design and Intelligent Applications, Advances in Intelligent Sys-
tems and Computing. Vol. 339, pp. 525–533. Springer, India.
2015. doi:10.1007/978-81-322-2250-7_52.
7. Amin, R., and Biswas, G. P., A secure light weight scheme
for user authentication and key agreement in multi-gateway
based wireless sensor networks. Ad Hoc Netw., 2015.
doi:10.1016/j.adhoc.2015.05.020.
8. Amin, R., and Biswas, G. P., A secure three-factor user authenti-
cation and key agreement protocol for tmis with user anonymity.
J. Med. Syst. 39(8):78, 2015. doi:10.1007/s10916-015-0258-7.
9. Amin, R., Islam, S. H., Biswas, G. P., and Khan, M. K.: An effi-
cient remote mutual authentication scheme using smart mobile
phone over insecure networks. In: Cyber Situational Awareness,
2015 International Conference on Data Analytics and Assessment
(CyberSA). pp. 1–7, 2015, doi:10.1109/CyberSA.2015.7166114.
10. Amin, R., Maitra, T., and Rana, S. P., An improvement of Wang et.
al.’s remote user authentication scheme against smart card security
breach. Int. J. Comput. Appl. 75(13):37–42, 2013.
11. An, Y., Security analysis and enhancements of an effective
biometric-based remote user authentication scheme using smart
cards. J. Biomed. Biotechnol. 6, 2012. doi:10.1155/2012/519723.
12. An, Y. H.: Security improvements of dynamic id-based remote
user authentication scheme with session key agreement. In: 2013
15th International Conference on Advanced Communication Tech-
nology (ICACT), pp. 1072–1076, 2013.
13. Arshad, H., and Nikooghadam, M., Three-factor anony-
mous authentication and key agreement scheme for telecare
medicine information systems. J. Med. Syst. 38(12):1–12, 2014.
doi:10.1007/s10916-014-0136-8.
14. Burrows, M., Abadi, M., and Needham, R., A logic of
authentication. ACM Trans. Comput. Syst. 8(1):18–36, 1990.
doi:10.1145/77648.77649.
15. Chang, Y. F., Tai, W. L., and Chang, H. C., Untraceable dynamic-
identity-based remote user authentication scheme with verifiable
password update. Int. J. Commun. Syst. 27(11):3430–3440, 2014.
doi:10.1002/dac.2552.
16. Chang, Y. F., Yu, S. H., and Shiao, D. R., A uniqueness-
and-anonymity-preserving remote user authentication scheme
for connected health care. J. Med. Syst. 37(2):9902, 2013.
doi:10.1007/s10916-012-9902-7.
17. Chaudhry, S. A., Farash, M. S., Naqvi, H., Kumari, S., and Khan,
M. K., An enhanced privacy preserving remote user authentica-
tion scheme with provable security. Security and Communication
Networks, 2015. doi:10.1002/sec.1299.
18. Chaudhry, S. A., Naqvi, H., Shon, T., Sher, M., and Farash, M. S.,
Cryptanalysis and improvement of an improved two factor authen-
tication protocol for telecare medical information systems. J. Med.
Syst. 39(6):66, 2015. doi:10.1007/s10916-015-0244-0.
19. Chaudhry, S. A., Uddin, N., Sher, M., Ghani, A., Naqvi, H., and
Irshad, A., An efficient signcryption scheme with forward secrecy
and public verifiability based on hyper elliptic curve cryptogra-
phy. Multimedia Tools and Applications 74(5):1711–1723, 2015.
doi:10.1007/s11042-014-2283-9.
20. Chou, J. S., Huang, C. H., Huang, Y. S., and Chen, Y.: Efficient
two-pass anonymous identity authentication using smart card.
Cryptology ePrint Archive, Report 2013/402, 2013.
21. Das, A., Analysis and improvement on an efficient biometric-
based remote user authentication scheme using smart cards. Inf.
Secur., IET 5(3):145–151, 2011. doi:10.1049/iet-ifs.2010.0125.
22. Das, A. K., Cryptanalysis and further improvement of a biometric-
based remote user authentication scheme using smart cards.
International Journal of Network Security and Its Applications
3(2):13–28, 2011.
23. Das, A. K., and Goswami, A., A secure and efficient uniqueness-
and-anonymity-preserving remote user authentication scheme for
connected health care. J. Med. Syst. 37:9948, 2013. doi:10.1007/
s10916-013-9948-1.
24. Dolev, D., and Yao, A. C., On the security of public key protocols.
IEEE Trans. Inf. Theory 29(2):198–208, 1983.
25. Farash, M. S., Chaudhry, S. A., Heydari, M., Sajad Sadough,
S. M., Kumari, S., and Khan, M. K., A lightweight anony-
mous authentication scheme for consumer roaming in ubiquitous
networks with provable security. Int. J. Commun. Syst., 2015.
doi:10.1002/dac.3019.
26. Fu, Z., Sun, X., Liu, Q., Zhou, L., and Shu, J., Achieving efficient
cloud search services: Multikeyword ranked search over encrypted
cloud data supporting parallel computing. IEICE Trans. Commun.
E98B(1):190–200, 2015.
27. Giri, D., Maitra, T., Amin, R., and Srivastava, P. D., An effi-
cient and robust rsa-based remote user authentication for telecare
medical information systems. J. Med. Syst. 39(1):145, 2014.
doi:10.1007/s10916-014-0145-7.
28. Guo, P., Wang, J., Li, B., and Lee, S., A variable threshold-value
authentication architecture for wireless mesh networks. J. Internet
Technol. 15(6):929–936, 2014.
29. Islam, S. H., and Biswas, G. P., Dynamic id-based remote
user mutual authentication scheme with smartcard using elliptic
curve cryptography. J. Electron. (China) 31(5):473–488, 2014.
doi:10.1007/s11767-014-4002-0.
30. He, D., Jianhua, C., and Rui, Z., A more secure authentication
scheme for telecare medicine information systems. J. Med. Syst.
36(3):1989–1995, 2012.
31. He, D., and Khan, M. K., Cryptanalysis of a key agreement proto-
col based on chaotic hash. Int. J. Electron. Secur. Digit. Forensic.
5(3–4):172–177, 2013. doi:10.1504/IJESDF.2013.058650.
32. He, D., Khan, M. K., and Kumar, N., A new handover authen-
tication protocol based on bilinear pairing functions for wireless
networks. Int. J. Ad Hoc Ubiquit. Comput. 18(1–2):67–74, 2015.
doi:10.1504/IJAHUC.2015.067774.
33. He, D., Kumar, N., Chen, J., Lee, C. C., Chilamkurti, N., and
Yeo, S. S., Robust anonymous authentication protocol for health-
care applications using wireless medical sensor networks. Mul-
timedia Systems. 21(1):49–60, 2015. doi:10.1007/s00530-013-
0346-9.
34. He, D., Kumar, N., and Chilamkurti, N., A secure temporal-
credential-based mutual authentication and key agreement scheme
with pseudo identity for wireless sensor networks. Inf. Sci
321:263–277, 2015. doi:10.1016/j.ins.2015.02.010.
35. He, D., Kumar, N., Chilamkurti, N., and Lee, J. H.,
Lightweight ecc based rfid authentication integrated with an
id verifier transfer protocol. J. Med. Syst. 38(10):116, 2014.
doi:10.1007/s10916-014-0116-z.
36. He, D., Kumar, N., Lee, J. H., and Sherratt, R., Enhanced
three-factor security protocol for consumer usb mass storage
devices. IEEE Trans. Consum. Electron. 60(1):30–37, 2014.
doi:10.1109/TCE.2014.6780922.
37. He, D., and Zeadally, S., Authentication protocol for an ambient
assisted living system. Commun. Mag. IEEE 53(1):71–77, 2015.
doi:10.1109/MCOM.2015.7010518.
38. Islam, S. H., Khan, M. K., Obaidat, M. S., and Muhaya,
F.T.B., Provably secure and anonymous password authentica-
tion protocol for roaming service in global mobility networks
using extended chaotic maps. Wirel. Pers. Commun. 1–22, 2015.
doi:10.1007/s11277-015-2542-8.
39. Islam, S. H., Design and analysis of an improved smartcard based
remote user password authentication scheme. Int. J. Commun.
Syst., 2014. doi:10.1002/dac.2793.
40. Islam, S. H., A provably secure id-based mutual authentication
and key agreement scheme for mobile multi-server environment
without esl attack. Wirel. Pers. Commun. 79(3):1975–1991, 2014.
doi:10.1007/s11277-014-1968-8.
41. Islam, S. H., Design and analysis of a three party password-based
authenticated key exchange protocol using extended chaotic maps.
Inf. Sci. 312:104–130, 2015. doi:10.1016/j.ins.2015.03.050.
42. Islam, S. H., and Biswas, G. P., A more efficient and secure id-
based remote mutual authentication with key agreement scheme
for mobile devices on elliptic curve cryptosystem. J. Syst. Softw.
84(11):1892–1898, 2011.
43. Islam, S. H., and Biswas, G. P., Design of improved pass-
word authentication and update scheme based on elliptic curve
cryptography. Math. Comput. Model. 57(11–12):2703–2717, 2013.
doi:10.1016/j.mcm.2011.07.001. Information System Security
and Performance Modeling and Simulation for Future Mobile
Networks.
44. Islam, S. H., and Khan, M. K., Cryptanalysis and improve-
ment of authentication and key agreement protocols for telecare
medicine information systems. J. Med. Syst. 38(10):135, 2014.
doi:10.1007/s10916-014-0135-9.
45. Jina, A.T.B., Ling, D.N.C., and Goh, A., Biohashing: Two fac-
tor authentication featuring fingerprint data and tokenised random
number. Pattern Recogn. 37(11):2245–2255, 2004.
46. Khan, M. K., and He, D., A new dynamic identity-based authen-
tication protocol for multi-server environment using elliptic curve
cryptography. Sec. and Commun. Netw. 5(11):1260–1266, 2012.
doi:10.1002/sec.573.
47. Khan, M. K., and Kumari, S., An improved biometrics-based
remote user authentication scheme with user anonymity. BioMed
Res. Int. 9, 2013. doi:10.1155/2013/491289.
48. Khan, M. K., and Zhang, J., Improving the security of a flexi-
ble biometrics remote user authentication scheme. Comput. Stand.
Interfaces. 29(1):82–85, 2007. doi:10.1016/j.csi.2006.01.002.
49. Kocher, P., Jaffe, J., and Jun, B.: Differential power analysis. In:
Advances in Cryptology CRYPTO 99, Lecture Notes in Computer
Science, Vol. 1666, pp. 388–397, 1999.
50. Kumari, S., and Khan, M. K., More secure smart card-based
remote user password authentication scheme with user anonymity.
Secur. Commun. Netw. 7(11):2039–2053, 2014. doi:10.1002/
sec.916.
51. Kumari, S., Khan, M. K., and Atiquzzaman, M., User authenti-
cation schemes for wireless sensor networks: A review. Ad Hoc
Netw. 27:159–194, 2015. doi:10.1016/j.adhoc.2014.11.018.
52. Kumari, S., Khan, M. K., and Li, X., An improved remote user
authentication scheme with key agreement. Comput. Electr. Eng.
40(6):1997–2012, 2014. doi:10.1016/j.compeleceng.2014.05.007.
53. Kumari, S., Khan, M. K., Li, X., and Wu, F., Design
of a user anonymous password authentication scheme with-
out smart card. Int. J. Commun. Syst. 27(10):609–618, 2014.
doi:10.1002/dac.2853.
54. Lee, J. K., Ryu, S. R., and Yoo, K. Y., Fingerprint-based remote
user authentication scheme using smart cards. Electron. Lett.
38(12):554–555, 2002.
55. Li, C. T., and Hwang, M. S., An efficient biometrics-based remote
user authentication scheme using smart cards. J. Netw. Comput.
Appl. 33(1):1–5, 2010.
56. Li, X., Ma, J., Wang, W., Xiong, Y., and Zhang, J., A novel smart
card and dynamic ID based remote user authentication scheme for
multi-server environments. Math. Comput. Model. 58(12):85–95,
2013. doi:10.1016/j.mcm.2012.06.033.
57. Li, X., Niu, J., Khan, M. K., and Liao, J., An enhanced
smart card based remote user password authentication
scheme. J. Netw. Comput. Appl. 36(5):1365–1371, 2013.
doi:10.1016/j.jnca.2013.02.034.
58. Li, X., Niu, J. W., Ma, J., Wang, W. D., and Liu, C. L., Crypt-
analysis and improvement of a biometrics-based remote user
authentication scheme using smart cards. J. Netw. Comput. Appl.
34(1):73–79, 2011.
59. Li, X., Xiong, Y., Ma, J., and Wang, W., An efficient and security
dynamic identity based authentication protocol for multi-server
architecture using smart cards. J. Netw. Comput. Appl. 35(2):763–
769, 2012. doi:10.1016/j.jnca.2011.11.009.
60. Lin, C. H., and Lai, Y. Y., A flexible biometrics remote
user authentication scheme. Computer Standards & Interfaces
27(1):19–23, 2004. doi:10.1016/j.csi.2004.03.003.
61. Lumini, A., and Nanni, L., An improved biohashing for human
authentication. Pattern Recogn. 40(3):1057–1065, 2007.
62. Messerges, T. S., Dabbish, E. A., and Sloan, R. H., Examining
smart-card security under the threat of power analysis attacks.
IEEE Trans. Comput. 51(5):541–552, 2002.
63. Mishra, D.: A study on id-based authentication schemes for tele-
care medical information system. CoRR arXiv:1311.0151, 2013.
64. Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S.,
and Khan, M. K., Cryptanalysis and improvement of yan
et al.’s biometric-based authentication scheme for telecare
medicine information systems. J. Med. Syst. 38(6):24, 2014.
doi:10.1007/s10916-014-0024-2.
65. Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.,
and Chaturvedi, A., Security enhancement of a biometric
based authentication scheme for telecare medicine infor-
mation systems with nonce. J. Med. Syst. 38(5):41, 2014.
doi:10.1007/s10916-014-0041-1.
66. Ren, Y., Shen, J., Wang, J., Han, J., and Lee, S., Mutual verifiable
provable data auditing in public cloud storage. J. Internet Technol.
16(2):317–323, 2014.
67. AVISPA Web Tool: http://www.avispa-project.org/web-interface/expert.php/, accessed February 2015.
68. Wang, X. M., Zhang, W. F., Zhang, J. S., and Khan, M. K.,
Cryptanalysis and improvement on two efficient remote user
authentication scheme using smart cards. Computer Standards &
Interfaces 29(5):507–512, 2007. doi:10.1016/j.csi.2006.11.005.
69. Wang, Y. Y., Liu, J. Y., Xiao, F. X., and Dan, J.,
A more efficient and secure dynamic id-based remote user
authentication scheme. Comput. Commun. 32(4):583–585, 2009.
doi:10.1016/j.comcom.2008.11.008.
70. Wei, J., Hu, X., and Liu, W., An improved authentication
scheme for telecare medicine information systems. J. Med. Syst.
36(6):3597–3604, 2012.
71. Wen, F., and Li, X., An improved dynamic id-based remote user
authentication with key agreement scheme. Comput. Electr. Eng.
38(2):381–387, 2012. doi:10.1016/j.compeleceng.2011.11.010.
72. Wu, Z. Y., Lee, Y. C., Lai, F., Lee, H. C., and Chung, Y., A secure
authentication scheme for telecare medicine information systems.
J. Med. Syst. 36(3):1529–1535, 2012.
73. Xu, X., Zhu, P., Wen, Q., Jin, Z., Zhang, H., and He, L., A
secure and efficient authentication and key agreement scheme
based on ecc for telecare medicine information systems. J. Med.
Syst. 38(6):24, 2014. doi:10.1007/s10916-013-9994-8.
74. Zhang, L., and Zhu, S., Robust ecc-based authenticated
key agreement scheme with privacy protection for telecare
medicine information systems. J. Med. Syst. 39(5):49, 2015.
doi:10.1007/s10916-015-0233-3.
75. Zhu, Z., An efficient authentication scheme for telecare medicine
information systems. J. Med. Syst. 36(6):3833–3838, 2012.
doi:10.1007/s10916-012-9856-9.
... However, researchers pointed out that these schemes were vulnerable to bypass attacks [27], and the secret parameters stored in the smart card may be exposed to the adversary. Later, researchers introduced biometrics into their authentication schemes [2,7,10,17,20,23,29], and the popular three-factor authentication scheme appeared. These schemes overcome the security weaknesses mentioned above. ...
... In 2015, Amin et al. [2] demonstrated that Das and Goswami's scheme lacked proper protection against several security attacks such as user anonymity, off-line password guessing attack, smart card theft attack, user impersonation attack, server impersonation attack, session key disclosure attack. To overcome these pitfalls, they proposed an anonymity preserving remote patient authentication scheme for e-health care systems. ...
... Finally, the smart card submits {EI D i , X * i , V * i , T i } to the server via a public channel. Then the server verifies whether h 2 ...
Article
Full-text available
Telecare Medicine Information System (TMIS) refers to a medical model that uses communication and information technology to realize multiple medical functions such as remote disease diagnosis, treatment, and health care. Because TMIS is carried out on an insecure public Internet, a large number of mutual authentication and key agreement protocols for TMIS have been proposed to protect the privacy of patients. Recently, Ostad-Sharif et al. proposed a novel anonymous authentication and key agreement scheme for TMIS. In this work, we will demonstrate that Ostad-Sharif et al.’s scheme exists the problems of strong authentication and inefficient password change, and it cannot resist the off-line password guessing attack. To overcome the weaknesses found in Ostad-Sharif et al.’s scheme, we propose a biometrics-based mutual authentication and key agreement protocol for TMIS, making full use of the advantages of one-way hash function and elliptic curve cryptosystem (ECC). The security of the proposed scheme is formally proved under the widely used random oracle model (ROM), and various known malicious attack resistances also are presented by the heuristic discussion. Compared with the existing related schemes, the computation cost and communication overhead of our scheme are reduced by 74.5% and 27.3% respectively.
Article
Ensuring trust within the healthcare system and addressing privacy and security challenges in the Internet of Medical Things (IoMT) is of paramount importance. Based on our preliminary analysis results of Masud et al.’s authentication protocol, we propose an improved solution building upon their protocol. Our improved protocol incorporates various security measures to enhance its security. To validate the effectiveness of our improved protocol, we employ a comprehensive range of heuristic and formal security analysis methods. Comparative evaluations with other relevant protocols reveal that our proposed solution achieves satisfactory operational performance in resource-constrained IoMT scenarios.
Article
Recently, an authentication scheme was presented for health‐care in IoT for WBANs by Fotouhi et al. Authors asserted their scheme to be free from a number of attacks. Here, we find that Fotouhi et al.'s scheme suffers from insider attack, fails to provide proper authentication and bears inefficient password update phase. Therefore their scheme has security pitfalls that can lead to further security breaches. We remove the weaknesses of Fotouhi et al.'s scheme and hence propose a user authentication scheme for patient care. Our scheme is suitable for providing special care to patients in the healthcare industry. The proposed scheme facilitates health professionals to access the real‐time data of patients under treatment for some diseases. It also safeguards the medical staff from catching an infection from the patients by minimizing the need to come in direct contact with the patients. We justify the security of our proposed scheme by applying the random oracle model to it. The proposed scheme is compared with some related works to judge its efficacy over the compared counterparts.
Article
Internet of Medical Things (IoMT) has facilitated the healthcare industry by providing ease of communication among doctors and patients living in remote areas for accomplishing diagnosis, real-time monitoring, and treatment procedure efficiently. The patient's health-related data must be secured from various attacks of adversary since the data is sensitive and highly prone to attacks. This paper proposes an architecture that suits both localized and emergency scenarios. This architecture utilizes cloud server and edge computing technology. Provably secured lightweight authenticated key agreement protocol for modern health industry (PSLA²P) provides a lightweight authentication and key agreement protocol that can be deployed in the proposed network architecture. It protects the privacy of the patient's health-related data by providing anonymity and untraceability. Real-Or-Random (ROR) model is used for the formal analysis of PSLA²P. We have verified the security weaknesses of PSLA²P using the Scyther simulator. Moreover, the informal analysis ensures high-level mitigation against known possible attacks. PSLA²P achieves better performance in terms of computation and communication overhead.
Article
Full-text available
Because of recent COVID-19 epidemic, the Internet-of-Medical-Things (IoMT) has acquired a significant impetus to diagnose patients remotely, regulate medical equipment, and track quarantined patients via smart electronic devices installed at the patient’s end. Nevertheless, the IoMT confronts various security and privacy issues, such as entity authentication, confidentiality, and integrity of health-related data, among others, rendering this technology vulnerable to different attacks. To address these concerns, a number of security procedures based on traditional cryptographic approaches, such as discrete logarithm and integer factorization problems, have been developed. All of these protocols, however, are vulnerable to quantum attacks. This paper, in this context, presents a data authentication and access control protocol for IoMT systems that can withstand quantum attacks. A comprehensive formal security assessment demonstrates that the proposed algorithm can endure both current and future threats. In terms of data computing, transmission, and key storage overheads, it also surpasses other related techniques.
Article
The Internet of things technology has accelerated the development of e-health solutions and allows patients to obtain a more satisfying medical service experience. Each electronic health system(EHS) usually allows its subsystems to manage and access patient data to achieve its unique objective. Due to the limited computing power and storage capacity of the terminal, it is difficult to protect large amounts of patients’ medical record data in EHS. Medical data are a meaningful medical history resource, and are very important for the treatment and rehabilitation of patients. The privacy and integrity protection of medical data is a on-negotiable requirement for rational application in traditional medical systems. To achieve secure resource sharing and efficient service provision between users and medical service providers, we present a blockchain-based decentralized authentication and access control protocol for EHS that addresses broader medical data privacy and security needs. A practical Byzantine fault-tolerant(PBFT) negotiation mechanism based on multi-weighted subjective logic is adopted to improve the negotiation process. Finally, using BAN logic, we prove the reliability of the systems-security protections, which demonstrates that our proposal can withstand known security attacks.
Chapter
At present, the healthcare business is implementing new bits of knowledge hastily. Mostly, the Data Skill, which is castoff to support surgeons and patients identical individually, and to advance the conveyance of healthcare amenities. The entire vital segment of an infirmary info association currently is located in the Electronic Health Record (EHR), where patient data is stored. Moreover, an uncountable number of claims are cast off by the infirmary supervised to display the therapeutic ability's concert in rapports of fiscal effectiveness and handling triumph tariffs. In accumulation to this, regime and centralized system of government as well use IT resolutions to crisscross the eminence and protection of healthcare associations. Furthermore, patients practice several fitness intensive care applications and strategies to monitor their vitals and to interconnect with surgeons over portable and tuner devices. These days as supercomputers have turned out to be a crucial portion of our day‐to‐day subsistence, it is progressively significant that information safety has similarly positioned obverse and center on our tilt of significances. Primarily in the healthcare business, wherever views are frequently attentive on redeemable somebody's lifespan and accurately, therefore, but safeguarding admittance to boundaries and mainframe structures that hoard private information like therapeutic histories is similarly a critical aspect to reflect. Information safety is a conforming deed amid monitoring admittance to data while permitting unrestricted and informal admittance to individuals who want it. One more significant motive is the feeble fortification of patient's information in health organizations. Economic organizations like tiers partake previously formed robust prearrangement of information safety. The two‐factor verification has to turn out to be a widespread usual for levels. 
The level permits its customer admittance to the data solitary afterwards entering the One‐Time Codeword. Nonetheless, on the opposite, in communal fitness connotations, such organizations have not actually instigated in a stretched period, and therefore they develop an open quarry for the replicated offenders.
Conference Paper
Full-text available
To establish a secure connection between a mobile user and a remote server, this paper presents a session key agreement scheme through remote mutual authentication protocol by using mobile application software(MAS). We analyzed the security of our protocol informally, which confirms that the protocol is secure against all the relevant security attacks including off-line identity-password guessing attacks, user-server impersonation attacks, and insider attack. In addition, the widely accepted simulator tool AVISPA simulates the proposed protocol and confirms that the protocol is SAFE under the OFMC and CL-AtSe back-ends. Our protocol not only provide strong security against the relevant attacks, but it also achieves proper mutual authentication, user anonymity, known key secrecy and efficient password change operation. The performance comparison is also performed, which ensures that the protocol is efficient in terms of computation and communication costs.
Article
Full-text available
Recently, Giri et al.’s proposed a RSA cryptosystem based remote user authentication scheme for telecare medical information system and claimed that the protocol is secure against all the relevant security attacks. However, we have scrutinized the Giri et al.’s protocol and pointed out that the protocol is not secure against off-line password guessing attack, privileged insider attack and also suffers from anonymity problem. Moreover, the extension of password guessing attack leads to more security weaknesses. Therefore, this protocol needs improvement in terms of security before implementing in real-life application. To fix the mentioned security pitfalls, this paper proposes an improved scheme over Giri et al.’s scheme, which preserves user anonymity property. We have then simulated the proposed protocol using widely-accepted AVISPA tool which ensures that the protocol is SAFE under OFMC and CL-AtSe models, that means the same protocol is secure against active and passive attacks including replay and man-in-the-middle attacks. The informal cryptanalysis has been also presented, which confirmed that the proposed protocol provides well security protection on the relevant security attacks. The performance analysis section compares the proposed protocol with other existing protocols in terms of security and it has been observed that the protocol provides more security and achieves additional functionalities such as user anonymity and session key verification.
Article
Full-text available
Telecare medical information system (TMIS) makes an efficient and convenient connection between patient(s)/user(s) and doctor(s) over the insecure internet. Therefore, data security, privacy and user authentication are enormously important for accessing important medical data over insecure communication. Recently, many user authentication protocols for TMIS have been proposed in the literature and it has been observed that most of the protocols cannot achieve complete security requirements. In this paper, we have scrutinized two (Mishra et al., Xu et al.) remote user authentication protocols using smart card and explained that both the protocols are suffering against several security weaknesses. We have then presented three-factor user authentication and key agreement protocol usable for TMIS, which fix the security pitfalls of the above mentioned schemes. The informal cryptanalysis makes certain that the proposed protocol provides well security protection on the relevant security attacks. Furthermore, the simulator AVISPA tool confirms that the protocol is secure against active and passive attacks including replay and man-in-the-middle attacks. The security functionalities and performance comparison analysis confirm that our protocol not only provide strong protection on security attacks, but it also achieves better complexities along with efficient login and password change phase as well as session key verification property.
Article
Very recently, Kumari et al. proposed a symmetric key and smart card-based remote user password authentication scheme to enhance Chung et al.'s scheme. They claimed their enhanced scheme provides anonymity while resisting all known attacks. In this paper, we show that Kumari et al.'s scheme is still vulnerable to an anonymity violation attack as well as a smart card stolen attack. We then propose a supplemented scheme to overcome the security weaknesses of Kumari et al.'s scheme. We have analyzed the security of the proposed scheme in the random oracle model, which confirms the robustness of the scheme against all known attacks. We have also verified the security of our scheme using the automated tool ProVerif.
Article
In the literature, several dynamic ID-based remote user mutual authentication schemes are implemented using passwords, smartcards and Elliptic Curve Cryptography (ECC); however, none of them provides resilience against different attacks. Therefore, there is a great need to design an efficient scheme for practical applications. In this paper, we propose such a scheme in order to provide the desired security attributes and computation efficiencies. Compared with other existing techniques, our scheme is more efficient and secure. In addition, our scheme is provably secure in the random oracle model under the hardness assumption of the computational Diffie-Hellman problem. © 2014, Science Press, Institute of Electronics, CAS and Springer-Verlag Berlin Heidelberg.
Article
Cloud storage is now a hot research topic in information technology. In cloud storage, data security properties such as data confidentiality, integrity and availability become more and more important in many commercial applications. Recently, many provable data possession (PDP) schemes have been proposed to protect data integrity. In some cases, the remote data possession checking task has to be delegated to a proxy. However, these PDP schemes are not secure, since the proxy stores some state information in cloud storage servers. Hence, in this paper, we propose an efficient mutual verifiable provable data possession scheme, which utilizes a Diffie-Hellman shared key to construct the homomorphic authenticator. In particular, the verifier in our scheme is stateless and independent of the cloud storage service. It is worth noting that the presented scheme is very efficient compared with the previous PDP schemes, since the bilinear operation is not required. © 2015, Taiwan Academic Network Management Committee. All rights reserved.
Article
Wireless Mesh Networks (WMNs) play a very important role in "the last mile" of a variety of wireless network access with infrastructure support. It is necessary to provide guaranteed security while minimizing WMN topology change, by considering both rapid authentication of mobile terminals and the demand for fast switching between different wireless networks. In this paper, we propose a novel design paradigm toward lightweight and tolerant authentication for service-oriented WMNs, named Variable Threshold-value Authentication (VTA) architecture. On one hand, VTA's intrusion-tolerant ability is ensured by designing a series of node activation mechanisms that keep the threshold values t and n of the system private key unchanged. On the other hand, VTA changes the threshold values t and n when nodes leave/join the authentication server group. Analysis and simulation results show that VTA can not only overcome the disadvantage of static threshold value schemes, but also largely increase system cost compared to the schemes not equipped with a threshold mechanism for WMNs.
Article
Ubiquitous networks provide roaming service for mobile nodes, enabling them to use the services extended by their home networks in a foreign network. A mutual authentication scheme between the roaming mobile node and the foreign network needs to be performed through the home network. Various authentication schemes have been developed for such networks, but most of them failed to achieve security in parallel with computational efficiency. Recently, Shin et al. and Wen et al. separately proposed two efficient authentication schemes for roaming service in ubiquitous networks. Both argued that their schemes satisfy all the security requirements for such systems. However, in this paper, we show that Shin et al.'s scheme is susceptible to: (i) user traceability; (ii) user impersonation; (iii) service provider impersonation attacks; and (iv) session key disclosure. Furthermore, we show that Wen et al.'s scheme is also insecure against: (i) session key disclosure; and (ii) known session key attacks. To conquer the security problems, we propose an improved authentication scheme with anonymity for consumer roaming in ubiquitous networks. The proposed scheme not only improves security but also retains a lower computational cost as compared with existing schemes. We prove the security of the proposed scheme in the random oracle model.