DOI QR코드

DOI QR Code

Cryptanalysis and Improvement of RSA-based Authentication Scheme for Telecare Medical Information Systems

  • Kim, Keewon (Dept. of Applied Computer Engineering, Dankook University)
  • Received : 2019.11.07
  • Accepted : 2020.01.27
  • Published : 2020.02.28

Abstract

The telecare medical information system (TMIS) supports convenient and rapid health-care services. A secure and efficient authentication and key agreement scheme for TMIS provides safeguarding electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly making correct clinical decisions. Giri et al. proposed an RSA-based remote user authentication scheme using smart cards for TMIS and claimed that their scheme could resist various malicious attacks. In this paper, we point out that their scheme is still vulnerable to lost smart card attacks and replay attacks and propose an improved scheme to prevent the shortcomings. As compared with the previous authentication schemes for TMIS, the proposed scheme is more secure and practical.

원격 의료 정보 시스템(TMIS; Telecare Medical Information System)은 편리하고 빠른 헬스 케어(health-care) 서비스를 제공한다. 원격 의료 정보 시스템을 위한 안전하고 효율적인 인증 및 키 합의 기법은 전자 환자 기록(EPR; Electronic Patient Record)을 안전하게 보호하고, 헬스케어 종사자와 의료진이 신속하고 정확하게 임상 의사결정(clinical decision)을 할 수 있도록 도와준다. Giri 등은 원격 의료 정보 시스템을 위한 스마트 카드(smart card)를 이용한 RSA기반 원격 사용자 인증 기법을 제안하였으며, 제안한 기법이 다양한 악의적인 공격에 강인하다고 주장하였다. 본 논문에서는 그들의 기법이 여전히 스마트 카드 분실 공격(lost smart card attack)과 재전송 공격(replay attack)에 취약함을 보이고, 그러한 단점을 개선한 기법을 제안한다. 기존의 원격 의료 정보 시스템을 위한 인증 기법들과 안전성을 비교한 결과를 보면, 제안한 기법이 더욱 안전하고 실용적이다.

Keywords

References

  1. C. Lambrinoudakis, and S. Gritzalis, "Managing Medical and Insurance Information Through a Smart-card-based Information System," J. Med. Syst., Vol. 24, No. 4, pp. 213-234, Aug. 2000. DOI: 10.1023/A:1005549330655
  2. L. Lamport, "Password Authentication with Insecure Communication," Comm. ACM, Vol. 24, No. 11, pp. 770-772, Nov. 1981. DOI: 10.1145/358790.358797
  3. M.S. Hwang, and L.H. Li, "A New Remote User Authentication Scheme Using Smart Cards," IEEE Trans. Consum. Electron., Vol. 46, No. 1, pp. 28-30, Feb. 2000. DOI: 10.1109/30.826377
  4. Y.F. Chang, C.C. Chang, and J.Y. Kuo, "A Secure One-time Password Authentication Scheme Using Smart Cards without Limiting Login Times," ACM SIGOPS Operating Systems Review, Vol. 38, No. 4, pp. 80-90, Oct. 2004. DOI: 10.1145/1031154.1031164
  5. Z.Y. Wu, Y.C. Lee, F. Lai, H.C. Lee, Y. Chung, "A Secure Authentication Scheme for Telecare Medicine Information Systems," J. Med. Syst., Vol. 36, No. 3, pp. 1529-1535, Jun. 2012. DOI: 10.1007/s10916-010-9614-9
  6. D. He, J. Chen, R. Zhang, "A More Secure Authentication Scheme for Telecare Medicine Information Systems," J. Med. Syst., Vol. 36, No. 3, pp. 1989-1995, Jun. 2012. DOI: 10.1007/s10916-011-9658-5
  7. J. Wei, X. Hu, W. Liu, "An Improved Authentication Scheme for Telecare Medicine Information Systems," J. Med. Syst., Vol. 36, No. 6, pp. 3597-3604, Dec. 2012. DOI: 10.1007/s10916-012-9835-1
  8. Z. Zhu, "An Efficient Authentication Scheme for Telecare Medicine Information Systems," J. Med. Syst., Vol. 36, No. 6, pp. 3833-3838, Dec. 2012. DOI: 10.1007/s10916-012-9856-9
  9. R.L. Rivest, A. Shamir, L. Adleman, "A Method for Obtaining Digital Signatures and Public-key Cryptosystems," Commun. ACM, Vol. 21, No. 2, pp. 120-126, Feb. 1978. DOI: 10.1145/359340.359342
  10. M.K. Khan, and S. Kumari, "An Authentication Scheme for Secure Access to Healthcare Services," J. Med. Syst., Vol. 37, No. 4, pp. 9954, Aug. 2013. DOI: 10.1007/s10916-013-9954-3
  11. D. Giri, T. Maitra, R. Amin, and P.D. Srivastava, "An Efficient and Robust RSA-Based Remote User Authentication for Telecare Medical Information Systems," J. Med. Syst. Vol. 39, No. 1, pp.145, Jan. 2015. DOI: 10.1007/s10916-014-0145-7
  12. P. Kocher, J. Jae, B. Jun, "Differential Power Analysis," CRYPTO 99, LNCS 1666, pp. 388-397, 1999. DOI: 10.1007/3-540-48405-1_25
  13. T. Messerges, E. Dabbish, R. Sloan, R., "Examining Smart-card Security under the Threat of Power Analysis Attacks," IEEE Trans. Comput. Vol. 51, No. 5, pp. 541-552, May 2002. DOI: 10.1109/TC.2002.1004593
  14. E. Brier, C. Clavier, and F. Olivier, "Correlation Power Analysis with a Leakage Model," CHES 2004, LNCS 3156, pp. 16-29, 2004. DOI: 10.1007/978-3-540-28632-5_2
  15. T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, and M.T.M. Shalmani, "On the Power of Power Analysis in the Real World: A Complete Break of the Keeloq Code Hopping Scheme," CRYPTO 08, LNCS 5157, pp. 203-220, 2008. DOI: 10.1007/978-3-540-85174-5_12
  16. C. Boyd, and A. Mathuria, "Protocols for Authentication and Key Establishment" Springer, 2003.
  17. C.C. Yang, H.W. Yang, and R.C. Wang, "Cryptanalysis of Security Enhancement for the Timestamp-based Password Authentication Scheme Using Smart Cards," IEEE Trans. Consum. Electron., Vol. 50, No. 2, pp. 578-579, May 2004. DOI: 10.1109/TCE.2004.1309428