KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Robust Biometric-based Anonymous User Authenticated Key Agreement Scheme for Telecare Medicine Information Systems

  • Jung, Jaewook (Department of Computer Engineering, Sungkyunkwan University) ;
  • Moon, Jongho (Department of Computer Engineering, Sungkyunkwan University) ;
  • Won, Dongho (Department of Computer Engineering, Sungkyunkwan University)
  • Received : 2016.11.16
  • Accepted : 2017.04.23
  • Published : 2017.07.31
Download PDF
⟨ Previous Next ⟩

Abstract

At present, numerous hospitals and medical institutes have implemented Telecare Medicine Information Systems (TMIS) with authentication protocols to enable secure, efficient electronic transactions for e-medicine. Numerous studies have investigated the use of authentication protocols to construct efficient, robust health care services, and recently, Liu et al. presented an authenticated key agreement mechanism for TMIS. They argued that their mechanism can prevent various types of attacks and preserve a secure environment. However, we discovered that Liu et al.'s mechanism presents some vulnerabilities. First, their mechanism uses an improper identification process for user biometrics; second, the mechanism is not guaranteed to protect against server spoofing attacks; third, there is no session key verification process in the authentication process. As such, we describe how the above-mentioned attacks operate and suggest an upgraded security mechanism for TMIS. We analyze the security and performance of our method to show that it improves security relative to comparable schemes and also operates in an efficient manner.

Keywords

Acknowledgement

Supported by : National Research Foundation of Korea(NRF)

References

  1. H. Takeda, Y. Matsumura, S. Kuwata, H. Nakano, N. Sakamoto and R. Yamamoto, "Architecture for networked electronic patient record systems," International journal of medical informatics, vol. 60, no. 2, pp. 161-167, November, 2000. https://doi.org/10.1016/S1386-5056(00)00116-7
  2. A.T. Chan, J. Cao, H. Chan and G. Young, "A web-enabled framework for smart card applications in health services," Communications of the ACM, vol. 44, no. 9, pp. 76-82, 2001. https://doi.org/10.1145/383694.383710
  3. S.H. Li, C.Y. Wang, W.H. Lu, Y.Y. Lin and D.C. Yen, "Design and implementation of a telecare information platform," Journal of medical systems, vol. 36, no. 3, pp. 1629-1650, 2012. https://doi.org/10.1007/s10916-010-9625-6
  4. S. Gritzalis, C. Lambrinoudakis, D. Lekkas and S. Deftereos, "Technical guidelines for enhancing privacy and data protection in modern electronic medical environments," IEEE Transactions on Information Technology in Biomedicine, vol. 9, no. 3, pp. 413-423, 2005. https://doi.org/10.1109/TITB.2005.847498
  5. J. Hur and K. Kang, "Dependable and secure computing in medical information systems," Computer Communications, vol. 36, no. 1, pp. 20-28, 2012. https://doi.org/10.1016/j.comcom.2012.01.006
  6. M. Nikooghadam and A. Zakerolhosseini, "Secure communication of medical information using mobile agents," Journal of medical systems, vol. 36, no. 6, pp. 3839-3850, 2012. https://doi.org/10.1007/s10916-012-9857-8
  7. L. Lamport, "Password authentication with insecure communication," Communications of the ACM, vol. 24, no. 11, pp. 770-772, 1981. https://doi.org/10.1145/358790.358797
  8. Z.Y. Wu, Y.C. Lee, F. Lai, H.C. Lee and Y. Chung, "A secure authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 3, pp. 1529-1535, 2010. https://doi.org/10.1007/s10916-010-9614-9
  9. D. He, J. Chen and R. Zhang, "A more secure authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 3, pp. 1989-1995, 2012. https://doi.org/10.1007/s10916-011-9658-5
  10. J. Wei, X. Hu and W. Liu, "An improved authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 6, pp. 3597-3604, 2012. https://doi.org/10.1007/s10916-012-9835-1
  11. D. Mishra, S. Mukhopadhyay, S. Kumari, M.K. Khan and A. Chaturvedi, "Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce," Journal of medical systems, vol. 38, no. 5, pp. 41, 2014. https://doi.org/10.1007/s10916-014-0041-1
  12. Z.Y. Wu, Y. Chung, F. Lai and T.S. Chen, "A password-based user authentication scheme for the integrated EPR information system," Journal of medical systems, vol. 36, no. 2, pp. 631-638, 2012. https://doi.org/10.1007/s10916-010-9527-7
  13. T.F. Lee, I.P. Chang, T.H. Lin and C.C. Wang, "A secure and efficient password-based user authentication scheme using smart cards for the integrated epr information system," Journal of medical systems, vol. 37, no. 3, pp. 1-7, 2013.
  14. F. Wen, "A more secure anonymous user authentication scheme for the integrated EPR information system," Journal of medical systems, vol. 38, no. 5, pp. 1-7, 2014. https://doi.org/10.1007/s10916-013-0001-1
  15. M.K. Khan, A. Chaturvedi, D. Mishra and S. Kumari, "On the security enhancement of integrated electronic patient records information systems," Computer Science and Information Systems, vol. 12, no. 2, pp. 857-872, 2015. https://doi.org/10.2298/CSIS141029030K
  16. A.K. Das, "A secure and robust password-based remote user authentication scheme using smart cards for the integrated epr information system," Journal of medical systems, vol. 39, no. 3, pp. 1-14, 2015. https://doi.org/10.1007/s10916-014-0182-2
  17. C.T. Li, C.Y. Weng, C.C. Lee and C.C. Wang, "A hash based remote user authentication and authenticated key agreement scheme for the integrated EPR information system," Journal of medical systems, vol. 39, no. 11, pp. 1-11, 2015. https://doi.org/10.1007/s10916-014-0182-2
  18. D. Mishra, S. Mukhopadhyay, A. Chaturvedi, S. Kumari and M.K. Khan, "Cryptanalysis and improvement of Yan et al.'s biometric-based authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 38, no. 6, pp. 24, 2014. https://doi.org/10.1007/s10916-014-0024-2
  19. X. Xu, P. Zhu, Q. Wen, Z. Jin, H. Zhang and L. He, "A secure and efficient authentication and key agreement scheme based on ecc for telecare medicine information systems," Journal of medical systems, vol. 38, no. 1, pp. 1-7, 2014. https://doi.org/10.1007/s10916-013-0001-1
  20. S.H. Islam and M.K. Khan, "Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems," Journal of medical systems, vol. 38, no. 10, pp. 1-16, 2014. https://doi.org/10.1007/s10916-013-0001-1
  21. D. Mishra, "Understanding Security Failures of Two Authentication and Key Agreement Schemes for Telecare Medicine Information Systems," Journal of medical systems, vol. 39, no. 3, pp. 19, 2015. https://doi.org/10.1007/s10916-015-0193-7
  22. T.F. Lee, "An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems," Journal of medical systems, vol. 37, no. 6, pp. 9985, 2013. https://doi.org/10.1007/s10916-013-9985-9
  23. S.A. Chaudhry, H. Naqvi, T. Shon, M. Sher and M.S. Farash, "Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems," Journal of Medical Systems, vol. 39, no. 6, pp. 66, 2015. https://doi.org/10.1007/s10916-015-0244-0
  24. M. Wazid, A.K. Das, S. Kumari, X. Li and F. Wu, "Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS," Security and Communication Networks, vol. 9, no. 13, pp. 1983-2001, 2016.
  25. A. Irshad, M. Sher, O. Nawaz, S.A. Chaudhry, I. Khan and S. Kumari, "A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme," Multimedia Tools and Applications, pp. 1-27, 2016.
  26. S.A. Chaudhry, M.T. Khan, M.K. Khan and T. Shon, "A multiserver biometric authentication scheme for TMIS using elliptic curve cryptography," Journal of medical systems, vol. 40, no. 11, pp. 230. https://doi.org/10.1007/s10916-016-0592-4
  27. D. Giri, T. Maitra, R. Amin and P.D. Srivastava, "An Efficient and Robust RSA-Based Remote User Authentication for Telecare Medical Information Systems," Journal of medical systems, vol. 39, no. 1, pp. 1-9, 2015. https://doi.org/10.1007/s10916-014-0182-2
  28. R, Amin and G.P. Biswas, "An improved rsa based user authentication and session key agreement protocol usable in TMIS," Journal of Medical Systems, vol. 39, no. 8, pp. 1-14, 2015. https://doi.org/10.1007/s10916-014-0182-2
  29. W. Liu, Q. Xie, S. Wang and B. Hu, "An improved authenticated key agreement protocol for telecare medicine information system," SpringerPlus, vol. 5, no. 1, pp. 555, 2016. https://doi.org/10.1186/s40064-016-2018-7
  30. N. Koblitz, "Elliptic curve cryptosystems," Mathematics of computation, vol. 48, no. 177, pp. 203-209, 1987. https://doi.org/10.1090/S0025-5718-1987-0866109-5
  31. Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 523-540, 2004.
  32. X. Li, Q. Wen, W. Li, H. Zhang and Z. Jin, "Secure privacy-preserving biometric authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 38, no. 11, pp. 1-8, 2014. https://doi.org/10.1007/s10916-013-0001-1
  33. M. Zhang, J. Zhang and Y. Zhang, "Remote three-factor authentication scheme based on Fuzzy extractors," Security and Communication Networks, vol. 8, no. 4, pp. 682-693, 2015. https://doi.org/10.1002/sec.1016
  34. Y. Choi, Y. Lee and D. Won, "Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction," International Journal of Distributed Sensor Networks, vol. 2016, pp. 2, 2016.
  35. P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proc. of Advances in Cryptology (CRYPTO'99), 388-397, 1999.
  36. J. Kim, D. Lee, W. Jeon, Y. Lee and D. Won, "Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks," Sensors, vol. 14, no. 4, pp. 6443-6462, 2014. https://doi.org/10.3390/s140406443
  37. J. Moon, Y. Choi, J. Kim and D. Won, "An Improvement of Robust and Efficient Biometrics Based Password Authentication Scheme for Telecare Medicine Information Systems Using Extended Chaotic Maps," Journal of medical systems, vol. 40, no. 3, pp. 1-11, 2016. https://doi.org/10.1007/s10916-015-0365-5
  38. D. Kang, J. Jung, J. Mun, D. Lee, Y. Choi and D. Won, "Efficient and robust user authentication scheme that achieve user anonymity with a Markov chain," Security and Communication Networks, vol. 9, no. 11, pp. 1462-1476, 2016. https://doi.org/10.1002/sec.1432
  39. W. Stallings, Cryptography and network security: principles and practices, Pearson Education India, 2006.
  40. H.C. Hsiang and W.K. Shih, "Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, vol. 31, no. 6, pp. 1118-1123, 2009. https://doi.org/10.1016/j.csi.2008.11.002
  41. S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," in Proc. of IMA International Conference on Cryptography and Coding, pp. 30-45, 1997.
  42. S.H. Islam, M.K. Khan and X. Li, "Security analysis and improvement of 'a more secure anonymous user authentication scheme for the integrated EPR information system'," PloS one, vol. 10, no. 8, pp. e0131368, 2015. https://doi.org/10.1371/journal.pone.0131368
  43. M. Burrows, M. Abadi and R. Needham, "A logic of authentication," ACM Transactions on Computer System, vol. 8, pp. 18-36, 1990. https://doi.org/10.1145/77648.77649
  44. M. Abdalla, P. A. Fouque and D. Pointcheval, "Password-based authenticated key exchange in the three-party setting," in Proc. of International Workshop on Public Key Cryptography, Springer Berlin Heidelberg, pp. 65-84, 2005.
  45. AVISPA, Automated validation of internet security protocols and applications, http://www.avispa-project.org/.
  46. O. Mir, J. Munilla and S. Kumari, "Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 79-91, 2017. https://doi.org/10.1007/s12083-015-0408-1
  47. T. F. Lee, "Provably secure anonymous single-sign-on authentication mechanisms using extended Chebyshev chaotic maps for distributed computer networks," IEEE Systems Journal, 2015.
  48. V. Boyko, P. MacKenzie and S. Patel, "Provably secure password-authenticated key exchange using Diffie-Hellman," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, Springer Berlin Heidelberg, pp. 156-171, 2000.
  49. D. von Oheimb, "The high-level protocol specification language HLPSL developed in the EU project AVISPA," in Proc. of APPSEM workshop, pp. 1-17, 2005.
  50. D. Dolev and A. Yao, "On the security of public key protocols," IEEE Transactions on information theory, vol. 29, no. 2, pp. 198-208, 1983. https://doi.org/10.1109/TIT.1983.1056650
  51. A. K. Das, "A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems," Journal of medical systems, vol. 39, no. 3, pp. 1-20, 2015. https://doi.org/10.1007/s10916-014-0182-2
  52. W. Dai, Crypto++ Library, 5.6.1., http://www.cryptopp.com, 2011.
  53. A. K. Sutrala, A. K. Das, V. Odelu, M. Wazid and S. Kumari, "Secure anonymity-preserving password-based user authentication and session key agreement scheme for telecare medicine information systems," Computer Methods and Programs in Biomedicine, vol. 135, pp. 167-185, 2016. https://doi.org/10.1016/j.cmpb.2016.07.028
  54. M. H. Ibrahim, S. Kumari, A. K. Das, M. Wazid and V. Odelu, "Secure anonymous mutual authentication for star two-tier wireless body area networks," Computer methods and programs in biomedicine, vol. 135, pp. 37-50, 2016. https://doi.org/10.1016/j.cmpb.2016.07.022
  55. M. Wazid, A. K. Das, S. Kumari, X. Li and F. Wu, "Provably secure biometric-based user authentication and key agreement scheme in cloud computing," Security and Communication Networks, vol. 9, no. 17, pp. 4103-4119, 2016. https://doi.org/10.1002/sec.1591
  56. M. Wazid, S. Zeadally, A. K. Das and V. Odelu, "Analysis of Security Protocols for Mobile Healthcare," Journal of medical systems, vol. 40, no. 11, pp. 1-10, 2016. https://doi.org/10.1007/s10916-015-0365-5
  57. S. Challa, M. Wazid, A. K. Das, N. Kumar, A. G. Reddy, E. J. Yoon and K. Y. Yoo, "Secure Signature-Based Authenticated Key Establishment Scheme for Future IoT Applications," IEEE Access, vol. 5, pp. 3028-3043, 2017. https://doi.org/10.1109/ACCESS.2017.2676119