Introduction

With the rapid advancement of the internet and information technology, telecare medicine information systems (TMISs) are increasingly employed to deliver healthcare services [1]. In effect, the TMISs eliminate the geographical distance between patients and doctors. Via the internet, a patient at home can easily send his/her health information to his/her doctor, or use a portal to access and monitor his/her health information. The security of health data is very important because doctors use this information (e.g. blood glucose, OXI, EEG, ECG, etc.) to diagnose and treat disease [2, 3]. Since the internet has an open architecture, these systems are prone to various security attacks. A secure and efficient authentication and key agreement scheme is able to provide several aspects of security for health information [4]. Access to the medical server’s resources (e.g. health information) can be controlled by authentication mechanisms, and the security of the transmitted data can be provided by encrypting it with the negotiated session keys [4]. Hitherto, many authentication and key agreement schemes have been proposed to provide security in TMIS [1–39].

In 2009, Wang et al. [5] proposed a dynamic ID-based authentication scheme. The term “dynamic ID-based” means that the identity of the user changes in each session; therefore, the users’ activities are untraceable. However, Wang et al.’s scheme does not provide user anonymity, because the real identity of the user is transmitted over a public channel. Furthermore, Khan et al. [6] pointed out that Wang et al.’s scheme [5] does not provide key agreement and is vulnerable to privileged insider attacks because the server chooses the users’ passwords. To overcome these weaknesses, Khan et al. proposed an improved authentication and key agreement scheme [6]. However, Chen et al. [2] pointed out that the password change phase of Khan et al.’s scheme [6] does not work properly and that their scheme does not provide anonymity. In addition, Chen et al. suggested an improved authentication scheme [2]. Later, Xie et al. [7] showed that in Chen et al.’s scheme [2] an adversary holding a stolen smart card and the previously transmitted messages is able to obtain the user’s password and the session keys previously established between the user and the server, and is also able to impersonate a legal user. In addition, Jiang et al. [8] demonstrated that in Chen et al.’s scheme [2] an adversary is able to guess the real identity of the user and, since the masked identity of the user is static, users’ activities are traceable. To overcome these weaknesses, Jiang et al. proposed an enhanced authentication scheme [8]. After that, Wu et al. [9] showed that in Jiang et al.’s scheme [8] an adversary holding a stolen smart card and the previous login messages is able to guess the user’s password in an off-line manner. Furthermore, since the entered password and identity are not checked in the password change phase, if a user mistakenly enters a wrong old password, then he/she will no longer be able to log in to the server. Therefore, Jiang et al.’s scheme [8] is vulnerable to denial-of-service attacks [9]. To strengthen the security of Jiang et al.’s scheme [8], Wu et al. [9] proposed an improved authentication scheme. However, in [1] it was demonstrated that a legal but malicious user of Wu et al.’s scheme [9] is able to impersonate the server, obtain the real identities of other users, and guess users’ passwords in an off-line manner. Therefore, Wu et al.’s scheme [9] is vulnerable to impersonation attacks and off-line password guessing attacks, and also does not provide user anonymity [1].

In 2012, Wu et al. [10] proposed a new authentication scheme for TMIS. The security of their scheme was based on the difficulty of solving the discrete logarithm problem (DLP), on which basis they claimed that their scheme is secure against various attacks. However, their scheme fails to preserve user anonymity, because the user’s real identity is transmitted over a public channel. Furthermore, He et al. [11] demonstrated that Wu et al.’s scheme [10] is vulnerable to privileged insider attacks. This attack is possible because the user’s chosen password is submitted in plaintext to the server in the registration phase. In addition, He et al. [11] proved that in Wu et al.’s scheme [10] a legal user is able to impersonate other users. To overcome the weaknesses of Wu et al.’s scheme [10], He et al. proposed an improved DLP-based authentication scheme [11]. Their improved scheme [11] was more efficient than Wu et al.’s scheme [10], because it required fewer exponentiation operations. However, Wei et al. [12] demonstrated that both Wu et al.’s scheme [10] and He et al.’s scheme [11] are insecure against off-line password guessing attacks: an adversary who steals or finds a smart card can guess the password of the owner of that smart card. To enhance the security, Wei et al. proposed another DLP-based authentication scheme [12]. Nevertheless, their improved scheme [12] does not provide user anonymity, because the user’s real identity is transmitted through a public channel. Furthermore, Zhu [13] proved that Wei et al.’s scheme [12], like the previous schemes, is insecure against off-line password guessing attacks: an adversary who has stolen a user’s smart card and eavesdropped on the previous authentication messages is able to guess the password of the owner of the smart card. To improve the security, Zhu [13] proposed an RSA-based authentication scheme. However, several studies [14–16] proved that Zhu’s scheme [13] is insecure against password guessing attacks, impersonation attacks, parallel attacks, smart card lost attacks, and denial-of-service attacks, and also does not provide key agreement and user anonymity.

All of the above-mentioned authentication schemes are based on two factors. That is, to complete the authentication and key agreement process in those schemes, the user must know a secret (e.g., a password) and must possess a token (e.g., a smart card, a mobile device, etc.). However, the secret can be guessed, shared, or disclosed, and the token may be stolen, lost, duplicated, or given to others. Therefore, to enhance security, researchers introduced a new type of authentication, called three-factor authentication, in which biometrics (e.g. iris, face, retina, fingerprint, etc.) are used as a third authentication factor. Since biometrics cannot be guessed, forged, shared, duplicated, stolen, or given to others [17], employing biometrics eliminates the aforementioned problems.

Recently, Awasthi et al. [18] proposed a biometric-based authentication scheme for TMIS. Since it employs only hash and XOR operations for authentication and key agreement, their scheme is lightweight and efficient. However, since the user’s identity and biometric are stored in plaintext on the smart card, an adversary who acquires the user’s smart card can guess the user’s password in an off-line manner. Therefore, their scheme is vulnerable to password guessing attacks once the smart card is stolen [19]. In addition, in the password change phase of their scheme, the smart card only checks the entered biometric and does not check the entered old password. Therefore, if a user mistakenly enters a wrong old password, then he/she will no longer be able to pass the smart card’s verification process and log in to the server [20]. Furthermore, Tan [20] proved that Awasthi et al.’s scheme [18] is vulnerable to reflection attacks and does not provide user anonymity or three-factor security. To improve the security of Awasthi et al.’s scheme [18], Tan [20] proposed a biometric-based authentication scheme for TMIS using an elliptic curve cryptosystem (ECC) [40]. The elliptic curve discrete logarithm problem (ECDLP) is considerably harder than the discrete logarithm problem (DLP) and the integer factorization problem (of which RSA is the well-known example) [41, 42]. Hence, elliptic curve cryptosystems need a smaller key size than other public-key cryptosystems to achieve the same security level (a 1,024-bit RSA key is equivalent to a 160-bit ECC key) [43, 44]. The smaller key size yields higher speed and lower power consumption [41, 45]. Therefore, Tan’s scheme [20] outperforms the previous schemes in both efficiency and security. However, in this paper, we show that Tan’s enhanced authentication scheme [20] is insecure against replay attacks and denial-of-service attacks. Furthermore, in order to improve the security and efficiency of Tan’s scheme [20], we propose a new ECC-based three-factor anonymous authentication and key agreement scheme for TMIS.

The rest of the paper is organized as follows. Tan’s scheme is reviewed in Section “Review of Tan’s scheme”. Weaknesses of Tan’s scheme are discussed in Section “Weaknesses of Tan’s scheme”. In Section “The proposed scheme”, a new three-factor anonymous authentication and key agreement scheme for TMIS is proposed. The security and performance of the proposed scheme are analyzed in Sections “Security analysis” and “Performance analysis”, respectively. Finally, the paper is concluded in Section “Conclusion”.

Review of Tan’s scheme

In this section, we briefly review Tan’s authentication scheme for TMIS [20]. Tan’s scheme consists of four phases: the registration phase, the login phase, the authentication and key agreement phase, and the password and biometric update phase. The notations used throughout this paper are defined in Table 1.

Table 1 Definition of notations used in this paper

Registration phase

Before a user (e.g. patient, doctor, nurse, etc.) can use the telecare server’s services, the user has to register with the telecare server. At the end of the registration phase, which is performed once for each user, the user obtains a smart card that contains the information required to access the provided services.

Step 1: The patient chooses an identity ID_i, a password PW_i, and a random number N_C. Then, he/she imprints his/her biometric B_i at a sensor, computes d = h(PW_i ⊕ B_i) ⊕ N_C, and submits ID_i and d to the telecare server through a secure channel.

Step 2: Upon receiving ID_i and d, the telecare server computes c = h(ID_i||x) ⊕ d, stores {c, P, h(·), n, Y} in a smart card, and sends the smart card to the patient through the secure channel.

Step 3: When the patient receives the smart card, he/she computes d_1 = c ⊕ N_C and d_2 = h(PW_i||B_i||ID_i), and replaces c with {d_1, d_2} in his/her smart card.

Login phase

A registered patient can access the telecare server’s information and services by successfully performing the login and authentication phases. In the login phase, which is the first checkpoint, the smart card checks the legitimacy of the patient by verifying the entered identity, password, and biometric. In this phase, the patient inserts his/her smart card into a card reader, enters his/her ID_i and PW_i, and imprints his/her biometric B_i at the sensor. After that, the smart card computes d_2^* = h(PW_i||B_i||ID_i) and checks whether d_2^* is equal to the stored d_2. If they are equal, the smart card chooses a random number r_i ∈_R Z_p^* and computes R_1 = r_i P, R_2 = r_i Y, v_i = ID_i ⊕ h(R_1||R_2), x_i = d_1 ⊕ h(PW_i ⊕ B_i), and z_i = h(ID_i||v_i||R_1||R_2||x_i). Finally, the smart card sends the message (R_1, v_i, z_i) to the telecare server through a public channel.

Authentication and key agreement phase

This phase is initiated when the patient passes the verification process of the login phase. In this phase, the patient and the telecare server mutually authenticate each other to thwart security attacks. Furthermore, they negotiate a shared session key that will be used to encrypt/decrypt and authenticate subsequent communications. During this phase, the following steps are performed.

Step 1: Upon receiving the message (R_1, v_i, z_i), the telecare server computes R_2^* = xR_1, ID_i^* = v_i ⊕ h(R_1||R_2^*), x_i^* = h(ID_i^*||x), and z_i^* = h(ID_i^*||v_i||R_1||R_2^*||x_i^*), and checks whether z_i^* is equal to the received z_i. If they are not equal, it halts the process. Otherwise, the telecare server authenticates the patient. After that, the telecare server chooses a random number r ∈_R Z_p^*, computes R = rP and z = h(rR_1||R_2^*||R||x_i^*), and sends the message (R, z) to the patient through the public channel. Finally, it computes the session key SK = h(rR_1||ID_i^*||R||x_i^*).

Step 2: When the patient receives the message (R, z), he/she computes z^* = h(r_i R||R_2||R||x_i) and checks whether z^* is equal to the received z. If they are equal, the telecare server is authenticated by the patient, and the patient computes the session key SK = h(r_i R||ID_i||R||x_i).

Password and biometric update phase

When a patient suspects that his/her password has been used or misused by a third party, he/she must change the password immediately. When a patient wants to change his/her password and biometric, he/she inserts his/her smart card into the card reader and inputs his/her ID_i, PW_i, and B_i. Then, the smart card computes d_2^* = h(PW_i||B_i||ID_i) and checks whether d_2^* is equal to d_2. If they are equal, it asks the user to input a new password PW_i^New and a new biometric B_i^New. After the patient enters PW_i^New and B_i^New, the smart card computes d_1^New = d_1 ⊕ h(PW_i ⊕ B_i) ⊕ h(PW_i^New ⊕ B_i^New) and d_2^New = h(PW_i^New||B_i^New||ID_i), and replaces d_1 and d_2 with d_1^New and d_2^New, respectively.

Weaknesses of Tan’s scheme

In this section, we show that Tan’s scheme [20] is vulnerable to replay attacks and denial-of-service attacks.

Replay attacks

Suppose an adversary has eavesdropped on a past login message (R_1, v_i, z_i). He/she is able to launch a replay attack and log in to the telecare server by re-sending the eavesdropped message (R_1, v_i, z_i). In other words, the adversary, without running the “Login phase”, sends the eavesdropped message (R_1, v_i, z_i) to the telecare server. In the “Authentication and key agreement phase”, upon receiving the message (R_1, v_i, z_i), the telecare server computes R_2^* = xR_1, ID_i^* = v_i ⊕ h(R_1||R_2^*), x_i^* = h(ID_i^*||x), and z_i^* = h(ID_i^*||v_i||R_1||R_2^*||x_i^*), and checks whether z_i^* is equal to the received z_i. Since z_i and z_i^* are equal, the telecare server authenticates the adversary, who is thereby able to log in to the telecare server. Thus, the adversary can easily log in to the telecare server by re-sending an old login message.

Since the telecare server does not check the freshness of the received login message (R_1, v_i, z_i), and authenticates the patient in Step 1 of the “Authentication and key agreement phase”, it is unable to detect replay attacks.

Denial-of-service attacks

Due to the avalanche effect of hash functions, by which a change in a single input bit affects, on average, half of the output bits [46], if noisy data (e.g. biometrics) are used as the input of a hash function, the output differs completely from one capture to the next, even for the same biometric [47].

In the registration phase of Tan’s scheme, the patient computes d_2 = h(PW_i||B_i||ID_i) using his/her identity ID_i, password PW_i, and personal biometric B_i, and stores d_2 in the smart card for the verification process of the login phase. In the login phase, the patient inserts his/her smart card into a card reader, enters his/her ID_i and PW_i, and imprints his/her biometric B_i^* at the sensor. The verification is performed by checking whether d_2^* = h(PW_i||B_i^*||ID_i) is equal to the stored d_2. However, since the biometric captured from the same patient may vary from one capture to the next [48], the equality d_2^* = d_2 may never hold due to the avalanche property of the hash function. As a result, a legal patient may be unable to pass the verification process of the login phase. Therefore, Tan’s scheme [20] is vulnerable to denial-of-service attacks.

The proposed scheme

In this section, we explain our proposed three-factor anonymous authentication and key agreement scheme for TMIS. The proposed scheme improves both the security and the efficiency of Tan’s scheme. In order to withstand the replay attack discussed in Subsection “Replay attacks”, we use a timestamp and two fresh random numbers to ensure the freshness of the login and authentication messages; the server can therefore check the freshness of the login message by verifying the timestamp and the random numbers. Furthermore, in the proposed scheme the server authenticates the patient only after receiving and verifying the corresponding response message from the patient in Step A3 of the login and authentication phase. It should be noted that in Tan’s scheme [20] the server authenticates the patient after receiving and verifying the first login message, and it does not check the freshness of that message. In order to solve the denial-of-service problem of Tan’s scheme discussed in Subsection “Denial-of-service attacks”, instead of using a hash function for biometric verification we use a symmetric parametric function that measures the difference between two biometric templates. In order to reduce the computational complexity, we use two 160-bit modular multiplications and one 160-bit modular inversion instead of two elliptic curve point multiplications of Tan’s scheme [20]. Since the cost of an elliptic curve point multiplication is equivalent to the cost of 1,200 modular multiplications or 400 modular inversions [49], the computational cost is reduced significantly in comparison with Tan’s scheme. The proposed scheme consists of four phases: the system setup phase, the registration phase, the login and authentication phase, and the password and biometric update phase. Details of these phases are described in the following subsections.

System setup phase

In order to select and determine the security functions, parameters, and variables that will be used by the server and the users during the registration, login and authentication, and password and biometric update phases, the telecare server runs this phase once at system initialization time. In this phase, the telecare server chooses an elliptic curve E [50] and selects a base point P of large order n on E. Then, the telecare server selects a random integer x ∈_R Z_p^* as its secret key and computes its public key Y = xP. Furthermore, the telecare server selects two secure one-way hash functions h(·): {0,1}^* → {0,1}^s and h_1(·): {0,1}^* → Z_p^*, where s is the output size of h(·). Finally, the telecare server publishes (E, n, P, Y, h(·), h_1(·)) as the system parameters and keeps x secret.

Registration phase

Before a user (e.g. patient, doctor, nurse, etc.) can use the telecare server’s services, the user has to register with the telecare server. At the end of the registration phase, which is performed once for each user, the user obtains a smart card that contains the information required to access the provided services. As illustrated in Fig. 1, the registration process of the proposed scheme proceeds as follows.

Fig. 1 Registration phase of the proposed scheme

Step R1: The patient chooses an identity ID_i, a password PW_i, and a random number N_C. Furthermore, he/she imprints his/her biometric B_i at a sensor. After that, he/she computes his/her masked password MPW_i = PW_i ⊕ N_C and his/her masked biometric MB_i = B_i ⊕ N_C. Finally, he/she sends ID_i, MPW_i, and MB_i to the telecare server through a secure channel.

Step R2: Upon receiving ID_i, MPW_i, and MB_i, the telecare server checks whether ID_i is already in its database. If ID_i does not exist, the telecare server computes AID_i = h_1(x||ID_i), V_i = MPW_i ⊕ MB_i ⊕ ID_i = PW_i ⊕ N_C ⊕ B_i ⊕ N_C ⊕ ID_i = PW_i ⊕ B_i ⊕ ID_i, and W_i = h(MB_i) ⊕ h(MPW_i) ⊕ ID_i ⊕ AID_i. Furthermore, the telecare server selects a random number N_S and computes R_i = x ⊕ N_S and MID_i = ID_i ⊕ h(N_S). Then, the telecare server stores ID_i in its database and stores the information {V_i, W_i, R_i, MID_i, τ, d(·), E, n, P, Y, h(·), h_1(·)} in a smart card. Note that d(·) is a function that measures the difference between two biometric templates, which may differ slightly even when they belong to the same person, and τ is the threshold of acceptable difference [51]. Finally, the telecare server sends the smart card to the patient through the secure channel.

Step R3: When the patient receives the smart card, he/she stores the random number N_C in its memory.

Login and authentication phase

A registered patient can access the telecare server’s information and services by successfully performing the login and authentication phase. In this phase, the smart card first checks the legitimacy of the patient by verifying the entered identity ID_i, password PW_i, and biometric B_i. Then, the patient and the telecare server mutually authenticate each other to thwart security attacks. Meanwhile, they negotiate a shared session key that will be used to encrypt/decrypt and authenticate subsequent communications. After the mutual authentication, the patient can log in to the telecare server and obtain the desired services. This phase is executed frequently, and in it the patient communicates with the telecare server through a public channel. As illustrated in Fig. 2, this phase includes the following steps.

Fig. 2 Login and authentication phase of the proposed scheme

Step A1: The patient inserts his/her smart card into a smart card reader, enters his/her ID_i and PW_i, and imprints his/her biometric B_i^* at the sensor. Then, the smart card computes B_i = V_i ⊕ PW_i ⊕ ID_i and checks whether d(B_i, B_i^*) < τ holds. If it does not hold, the smart card halts the process. Otherwise, it extracts the authenticator of the patient as AID_i = h(B_i ⊕ N_C) ⊕ h(PW_i ⊕ N_C) ⊕ ID_i ⊕ W_i, chooses a random integer d_C ∈_R Z_p^*, computes R_C = AID_i · d_C · P = h_1(x||ID_i) · d_C · P and V_1 = h(ID_i||R_C||AID_i||T_C), and sends the request message REQUEST (R_C, T_C, V_1, MID_i, R_i) to the telecare server. Note that T_C is the current time of the patient’s system.

Step A2: Upon receiving the message REQUEST (R_C, T_C, V_1, MID_i, R_i) at time T_S, the telecare server checks whether T_S − T_C ≤ ΔT holds. If it does not hold, the telecare server rejects the REQUEST message. Otherwise, the telecare server computes N_S = x ⊕ R_i, extracts ID_i = MID_i ⊕ h(N_S), and checks whether ID_i exists in its database. If it does not exist, the telecare server terminates the session. Otherwise, it computes h(ID_i||R_C||h_1(x||ID_i)||T_C) and checks whether it is equal to the received V_1. If they are not equal, the telecare server terminates the session. Otherwise, the telecare server chooses a random integer d_S ∈_R Z_p^* and computes Q_S = d_S P and K_1 = h_1(x||ID_i)^{−1} · d_S · R_C = h_1(x||ID_i)^{−1} · d_S · h_1(x||ID_i) · d_C · P = d_S d_C P. Furthermore, it selects a random number N_S^New and computes R_i^* = h(K_1) ⊕ x ⊕ N_S^New, MID_i^* = h(K_1) ⊕ ID_i ⊕ h(N_S^New), and V_2 = h(MID_i^*||Q_S||K_1||R_i^*||ID_i). Finally, the telecare server sends the message CHALLENGE (Q_S, V_2, MID_i^*, R_i^*) to the patient.

Step A3: After receiving the message CHALLENGE (Q_S, V_2, MID_i^*, R_i^*), the patient computes K_2 = d_C Q_S = d_C d_S P and checks whether h(MID_i^*||Q_S||K_2||R_i^*||ID_i) is equal to the received V_2. If they are not equal, the patient stops the session. Otherwise, he/she authenticates the telecare server and computes MID_i^New = MID_i^* ⊕ h(K_2), which equals ID_i ⊕ h(N_S^New), and R_i^New = R_i^* ⊕ h(K_2), which equals x ⊕ N_S^New. Then, the patient replaces the values MID_i and R_i stored in the smart card with MID_i^New and R_i^New, respectively. Finally, the patient computes V_3 = h(K_2||Q_S||ID_i) and the shared session key SK = h(ID_i||Q_S||K_2), and sends the message RESPONSE (V_3) to the telecare server.

Step A4: Upon receiving the message RESPONSE (V_3), the telecare server checks whether h(K_1||Q_S||ID_i) is equal to V_3. If they are not equal, the telecare server ignores the RESPONSE message. Otherwise, the telecare server authenticates the patient and computes the shared session key SK = h(ID_i||Q_S||K_1).
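As an added illustration (not code from the paper), the following Python model runs the registration phase and Steps A1–A4 end to end, with the smart card and the telecare server as separate objects. Everything the paper leaves open is an assumption here: the curve E is secp256k1 with its standard order n, h(·) is SHA-256, h_1(·) is SHA-256 reduced into [1, n−1] so that the inverse in Step A2 exists, d(·) is the Hamming distance, the identity, password, biometric and random numbers are 32-byte strings so that XOR is well defined, and ΔT and τ are constructed values. The `demo()` function shows a successful session in which both sides derive the same SK, a login with a wrong password that fails the smart card’s check in Step A1, and a REQUEST carrying a stale T_C that fails the server’s freshness check in Step A2.

```python
import functools, hashlib, secrets, time
# Assumptions not fixed by the paper: E = secp256k1, h(.) = SHA-256, h_1(.) = SHA-256 reduced
# into [1, n-1] so its inverse mod n exists; ID_i, PW_i, B_i, N_C, N_S are 32-byte strings.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T, TAU = 5, 12          # constructed: max transmission delay (s), biometric threshold (bits)

def ec_add(A, B):
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return None      # A + (-A) = point at infinity
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P_MOD) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P_MOD)) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):             # double-and-add scalar multiplication k*A, k taken mod n
    R, k = None, k % N_ORD
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def pt(Q): return Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")      # point encoding
def h(*parts): return hashlib.sha256(b"||".join(parts)).digest()             # h(.)
def h1(*parts): return int.from_bytes(h(*parts), "big") % (N_ORD - 1) + 1    # h_1(.) -> [1, n-1]
def xor(*bs): return bytes(functools.reduce(lambda u, v: u ^ v, t) for t in zip(*bs))
def d(a, b): return bin(int.from_bytes(xor(a, b), "big")).count("1")        # d(.): Hamming distance

class TelecareServer:
    def __init__(self):
        self.x = secrets.randbelow(N_ORD - 1) + 1                             # secret key x
        self.xb, self.Y, self.ids = self.x.to_bytes(32, "big"), ec_mul(self.x, G), set()

    def register(self, ID, MPW, MB):                                          # Step R2
        if ID in self.ids: raise ValueError("ID already registered")
        AID, N_S = h1(self.xb, ID).to_bytes(32, "big"), secrets.token_bytes(32)
        self.ids.add(ID)                                                      # only ID_i is kept
        return {"V": xor(MPW, MB, ID), "W": xor(h(MB), h(MPW), ID, AID),
                "R": xor(self.xb, N_S), "MID": xor(ID, h(N_S))}

    def challenge(self, req, T_S):                                            # Step A2
        R_C, T_C, V_1, MID, R = req
        if T_S - T_C > DELTA_T: return None                                   # freshness check
        ID = xor(MID, h(xor(self.xb, R)))                                     # N_S = x xor R_i
        if ID not in self.ids: return None
        AID = h1(self.xb, ID)
        if V_1 != h(ID, pt(R_C), AID.to_bytes(32, "big"), T_C.to_bytes(8, "big")): return None
        d_S = secrets.randbelow(N_ORD - 1) + 1
        Q_S, K_1 = ec_mul(d_S, G), ec_mul(pow(AID, -1, N_ORD) * d_S, R_C)     # K_1 = d_S d_C P
        N_new = secrets.token_bytes(32)
        R_new, MID_new = xor(h(pt(K_1)), self.xb, N_new), xor(h(pt(K_1)), ID, h(N_new))
        self.pending = (ID, Q_S, K_1)
        return (Q_S, h(MID_new, pt(Q_S), pt(K_1), R_new, ID), MID_new, R_new)

    def finish(self, V_3):                                                    # Step A4
        ID, Q_S, K_1 = self.pending
        return h(ID, pt(Q_S), pt(K_1)) if V_3 == h(pt(K_1), pt(Q_S), ID) else None

class SmartCard:
    def __init__(self, server, ID, PW, B):                                    # Steps R1 and R3
        self.N_C = secrets.token_bytes(32)
        self.data = server.register(ID, xor(PW, self.N_C), xor(B, self.N_C))

    def request(self, ID, PW, B_live, T_C):                                   # Step A1
        B = xor(self.data["V"], PW, ID)
        if d(B, B_live) >= TAU: return None                                   # d(B_i, B_i*) < tau fails
        AID = int.from_bytes(xor(h(xor(B, self.N_C)), h(xor(PW, self.N_C)), ID, self.data["W"]), "big")
        self.ID, self.d_C = ID, secrets.randbelow(N_ORD - 1) + 1
        R_C = ec_mul(AID * self.d_C, G)
        V_1 = h(ID, pt(R_C), AID.to_bytes(32, "big"), T_C.to_bytes(8, "big"))
        return (R_C, T_C, V_1, self.data["MID"], self.data["R"])

    def respond(self, chal):                                                  # Step A3
        Q_S, V_2, MID_new, R_new = chal
        K_2 = ec_mul(self.d_C, Q_S)                                           # K_2 = d_C d_S P
        if V_2 != h(MID_new, pt(Q_S), pt(K_2), R_new, self.ID): return None
        self.data["MID"], self.data["R"] = xor(MID_new, h(pt(K_2))), xor(R_new, h(pt(K_2)))
        return h(pt(K_2), pt(Q_S), self.ID), h(self.ID, pt(Q_S), pt(K_2))   # (V_3, SK)

def run_session(server, card, ID, PW, B_live, T_C, T_S):
    """Full A1-A4 exchange; returns (SK_patient, SK_server) or None if any check fails."""
    req = card.request(ID, PW, B_live, T_C)
    chal = server.challenge(req, T_S) if req else None
    resp = card.respond(chal) if chal else None
    if not resp: return None
    SK_server = server.finish(resp[0])
    return (resp[1], SK_server) if SK_server else None

def demo():
    """Constructed patient; returns (keys agree, wrong password rejected, stale T_C rejected)."""
    ID, PW, B = b"patient-0042".ljust(32, b"\0"), h(b"constructed password"), h(b"constructed template")
    B_live = xor(B, bytes([0x05]) + bytes(31))                                # live sample: 2 noisy bits
    server, now = TelecareServer(), int(time.time())
    card = SmartCard(server, ID, PW, B)
    good = run_session(server, card, ID, PW, B_live, now, now + 1)
    bad_pw = run_session(server, card, ID, h(b"wrong password"), B_live, now, now + 1)
    stale = run_session(server, card, ID, PW, B_live, now - 60, now)           # replayed old T_C
    return (good is not None and good[0] == good[1], bad_pw is None, stale is None)
```

Running `demo()` returns `(True, True, True)`. After the successful session the card holds the updated MID_i and R_i, and the server recovers the new N_S from R_i alone, so the server database still contains nothing but the registered ID_i; a second session therefore works without any additional server-side state.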

Password and biometric update phase

When a patient suspects that his/her password has been used or misused by a third party, he/she must change the password immediately. In this phase, the patient can update his/her old password PW_i to a new password PW_i^New and his/her old biometric B_i to a new biometric B_i^New. This phase includes the following steps.

Step P1: The patient inserts his/her smart card into a smart card reader, enters his/her ID_i and PW_i, and imprints his/her biometric B_i^* at the sensor.

Step P2: The smart card computes B_i = V_i ⊕ PW_i ⊕ ID_i and checks whether d(B_i, B_i^*) < τ holds. If it does not hold, the smart card halts the process. Otherwise, it shows the patient a message indicating “please input your new password and biometric”.

Step P3: The patient enters a new password PW_i^New and imprints a new personal biometric B_i^New.

Step P4: The smart card computes V_i^New and W_i^New as follows.

$$ \begin{aligned} V_i^{New} &= PW_i^{New} \oplus B_i^{New} \oplus PW_i \oplus B_i \oplus V_i \\ &= PW_i^{New} \oplus B_i^{New} \oplus PW_i \oplus B_i \oplus PW_i \oplus B_i \oplus ID_i \\ &= PW_i^{New} \oplus B_i^{New} \oplus ID_i \\[4pt] W_i^{New} &= h(B_i^{New} \oplus N_C) \oplus h(PW_i^{New} \oplus N_C) \oplus h(B_i \oplus N_C) \oplus h(PW_i \oplus N_C) \oplus W_i \\ &= h(B_i^{New} \oplus N_C) \oplus h(PW_i^{New} \oplus N_C) \oplus h(B_i \oplus N_C) \oplus h(PW_i \oplus N_C) \oplus h(B_i \oplus N_C) \oplus h(PW_i \oplus N_C) \oplus ID_i \oplus AID_i \\ &= h(B_i^{New} \oplus N_C) \oplus h(PW_i^{New} \oplus N_C) \oplus ID_i \oplus AID_i \end{aligned} $$

Finally, the smart card replaces V_i and W_i with V_i^New and W_i^New, respectively.

Security analysis

In this section, the resistance of the proposed scheme against various security attacks, such as impersonation attacks, replay attacks, denial-of-service attacks, stolen verifier attacks, password guessing attacks, privileged insider attacks, and modification attacks, is examined. Furthermore, the ability of our proposed scheme to provide security requirements such as perfect forward secrecy, known-key security, and patient anonymity is investigated.

Impersonation attacks

Suppose an adversary steals or finds a smart card and wants to impersonate a legal patient. Even if the adversary extracts V_i, W_i, N_C, MID_i, and R_i from the smart card, he/she is not able to obtain the correct value h_1(x||ID_i) without knowing PW_i, ID_i, and B_i. Thus, he/she cannot compute a valid request message REQUEST (R_C, T_C, V_1, MID_i, R_i), where R_C = h_1(x||ID_i) · d_C · P and V_1 = h(ID_i||R_C||h_1(x||ID_i)||T_C). Therefore, the adversary cannot impersonate a legal patient. On the other hand, suppose the adversary wants to impersonate the telecare server and spoof the patient. The adversary then has to produce valid verification data V_2 = h(MID_i^*||Q_S||K_1||R_i^*||ID_i). However, since the adversary does not know the telecare server’s secret key x, he/she cannot compute K_1 = h_1(x||ID_i)^{−1} · d_S · R_C, where R_C = h_1(x||ID_i) · d_C · P. Therefore, the adversary is not able to produce a valid challenge message and cannot impersonate the telecare server.

Hence, the proposed scheme is secure against impersonation attacks and mutual authentication is provided in our scheme.

Replay attacks

As discussed in Subsection “Replay attacks”, Tan’s scheme [20] is vulnerable to replay attacks because the telecare server does not check the freshness of the received login message (R_1, v_i, z_i), and because it authenticates the patient after receiving and verifying the first login message in Step 1 of the “Authentication and key agreement phase”. In order to withstand replay attacks, we use a timestamp, T_C, and two fresh random numbers, d_C and d_S, to ensure the freshness of the login and authentication messages. Furthermore, in the proposed scheme, the telecare server authenticates the patient only after receiving and verifying the message RESPONSE (V_3) in Step A3 of the login and authentication phase.

Suppose an adversary re-sends an old message REQUEST (R_C, T_C, V_1, MID_i, R_i) to the telecare server. The telecare server can detect the replay by checking whether T_S − T_C ≤ ΔT, where T_S and ΔT denote the telecare server’s current time and the maximum transmission delay, respectively. Note that if the adversary changes the timestamp T_C in the request message, the telecare server is able to detect this modification by checking whether V_1 = h(ID_i||R_C||h_1(x||ID_i)||T_C^*), where T_C^* denotes the changed timestamp. Furthermore, even if the adversary immediately re-sends an eavesdropped REQUEST message to the telecare server and passes the freshness check, when he/she receives the message CHALLENGE (Q_S, V_2, MID_i^*, R_i^*) of Step A2 of the login and authentication phase, he/she cannot generate a valid message RESPONSE (V_3). Since the adversary does not know the patient’s identity ID_i or the random number d_C, he/she cannot compute the correct value V_3 = h(d_C Q_S||Q_S||ID_i). Therefore, our proposed scheme is secure against replay attacks.

Denial-of-service attacks

In Tan’s scheme, a hash function is used to check the validity of the entered biometric, password, and identity. As discussed in Subsection “Denial-of-service attacks”, due to the avalanche property of hash functions and the noisy nature of biometrics, a legal patient may never pass the verification process of the login phase. In order to solve this problem, we use a symmetric parametric function d(·) that measures the difference between two biometric templates [51]. In the proposed scheme, the patient’s biometric template B_i is stored in the memory of the smart card in a protected manner. When the patient wants to log in to the server, he/she inserts his/her smart card into the card reader, keys in his/her identity ID_i and password PW_i, and imprints his/her biometric B_i^* at the sensor. Then, the smart card extracts the stored biometric B_i = V_i ⊕ PW_i ⊕ ID_i and checks whether d(B_i, B_i^*) < τ holds. If it holds, the patient passes the verification process. In [51] it is demonstrated that an entered biometric B_i^* that differs from the stored template B_i (by less than the predetermined threshold τ) passes the biometric verification. Therefore, the proposed scheme is immune to denial-of-service attacks.
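The contrast between the two verification methods, covering both the weakness described in Subsection “Denial-of-service attacks” and the remedy described here, as an added example that is not part of the paper: Tan-style verification hashes PW_i||B_i^*||ID_i and demands exact equality with the stored d_2, whereas the proposed scheme compares the recovered template B_i with the fresh sample B_i^* under a threshold τ. Assumptions not fixed by the paper: templates are 256-bit strings, h(·) is SHA-256, d(·) is the Hamming distance, and τ = 12 bits is a constructed value; the biometric samples and the noise applied to them are constructed.

```python
import hashlib
import random

# Assumptions not fixed by the paper: templates are 256-bit strings, h(.) is SHA-256
# and d(.) is the Hamming distance; all biometric data below is constructed.

def h(*parts):
    """h(.): SHA-256 over the '||' concatenation of its arguments."""
    return hashlib.sha256(b"||".join(parts)).digest()

def hamming(a, b):
    """d(.): number of differing bits between two equal-length templates."""
    return bin(int.from_bytes(bytes(x ^ y for x, y in zip(a, b)), "big")).count("1")

def flip_bits(template, positions):
    """Model a noisy re-capture: invert the given bit positions of `template`."""
    bits = bytearray(template)
    for p in positions:
        bits[p // 8] ^= 1 << (p % 8)
    return bytes(bits)

def tan_login_check(d2_stored, PW, B_live, ID):
    """Tan's login check: h(PW_i||B_i*||ID_i) must equal the stored d_2 exactly."""
    return h(PW, B_live, ID) == d2_stored

def threshold_login_check(B_stored, B_live, tau):
    """Proposed login check: accept when d(B_i, B_i*) < tau."""
    return hamming(B_stored, B_live) < tau

def avalanche_fraction(template, trials, seed=1):
    """Average fraction of SHA-256 output bits that change when one template bit flips."""
    rng = random.Random(seed)
    changed = 0
    for _ in range(trials):
        noisy = flip_bits(template, [rng.randrange(len(template) * 8)])
        changed += hamming(h(template), h(noisy))
    return changed / (trials * 256)

def demo(tau=12):
    """Constructed patient data; returns the outcome of each check."""
    ID, PW = b"patient-0042", b"constructed password"
    B = h(b"constructed iris template")        # enrolled template, 256 bits
    B_live = flip_bits(B, [3, 77, 200])        # re-capture with 3 noisy bits
    d2 = h(PW, B, ID)                          # Tan: stored on the card at registration
    return {
        "tan_exact_sample": tan_login_check(d2, PW, B, ID),
        "tan_noisy_sample": tan_login_check(d2, PW, B_live, ID),
        "threshold_noisy_sample": threshold_login_check(B, B_live, tau),
        "threshold_other_person": threshold_login_check(B, h(b"another template"), tau),
        "avalanche_fraction": avalanche_fraction(B, trials=200),
    }
```

`avalanche_fraction()` measures how much of the hash output changes when a single template bit flips; it stays close to 0.5, which is why the exact-match check fails for every noisy re-capture while passing only the bit-identical sample, whereas the threshold check accepts the same noisy sample and still rejects a template that is far from the enrolled one.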

Stolen verifier attacks

In the proposed scheme, the telecare server does not maintain any passwords, biometrics or verification information of patients in its database. Therefore, even if an adversary accesses the database of the telecare server, he/she is still not able to find the authentication information of the patients.

Password guessing attacks

Suppose an adversary steals or finds a smart card and extracts the information {V_i, W_i, N_C, R_i, MID_i} stored in the smart card, where W_i = h(B_i ⊕ N_C) ⊕ h(PW_i ⊕ N_C) ⊕ ID_i ⊕ h_1(x||ID_i), V_i = PW_i ⊕ B_i ⊕ ID_i, R_i = xN_S, and MID_i = ID_i ⊕ h(N_S). However, since the adversary has no knowledge of the telecare server’s secret key x, the patient’s biometric template B_i, and the patient’s identity ID_i, he/she is not able to obtain the patient’s password PW_i. Even if the adversary has recorded all the previous authentication messages, he/she is still not able to relate the stolen smart card to its corresponding authentication messages in order to guess a correct password and identity, because the patient’s identity is neither stored in plaintext on the smart card nor sent in plaintext in the authentication messages. Therefore, the proposed scheme is secure against off-line password guessing attacks. In addition, online password guessing attacks can be defeated by limiting the number of failed login requests.

Privileged insider attacks

In the proposed scheme, in order to register himself/herself with a telecare server, the patient submits his/her masked password MPW_i = PW_i ⊕ N_C and his/her masked biometric MB_i = B_i ⊕ N_C, where N_C is a random number. Since the privileged staff at the server side do not know the random number N_C, they are not able to retrieve the patient’s password PW_i or the patient’s biometric B_i. Therefore, the proposed scheme is immune from privileged insider attacks.

Modification attacks

In the proposed scheme, authentication messages include the verification data V_1, V_2, and V_3. The verification data V_1 is generated by a hash function using the secret values ID_i and h_1(x||ID_i). Both verification data V_2 and V_3 are produced by a hash function using ID_i and K_1 = K_2 = d_C d_S P. Since the adversary does not know ID_i, x and d_C d_S P, he/she cannot compute correct verification data V_1, V_2, or V_3. Therefore, our proposed scheme is secure against modification attacks.

Perfect forward secrecy

In the proposed scheme, SK = h(ID_i||d_S P||d_S d_C P) is the shared session key between the patient and the telecare server. Even if an adversary obtains the telecare server’s secret key x or the patient’s password PW_i, he/she cannot compute previous session keys, because without knowing d_C or d_S it is difficult to compute d_C d_S P. Besides, due to the hardness of the ECDLP [40], the adversary is not able to derive d_C from R_C = h_1(x||ID_i) d_C P, or d_S from Q_S = d_S P. Therefore, perfect forward secrecy is supported in our proposed scheme.

Known-key security

In the proposed scheme, the shared session key SK = h(ID_i||d_S P||d_S d_C P) changes in each session run. Even if an adversary somehow obtains a shared session key, he/she is still not able to compute other session keys, because the values of d_C and d_S differ in each session run, and without knowing d_C or d_S it is difficult to compute d_C d_S P. Therefore, known-key security is provided in our proposed scheme.

Patient’s anonymity

In our proposed scheme, the real identity of the patient is protected by a random number N_S chosen by the server, as MID_i = ID_i ⊕ h(N_S). Since the adversary has no knowledge of the random number N_S, he/she is not able to obtain the real identity of the patient. In addition, an illegal server, without knowing the secret key x, is not able to retrieve N_S from R_i = xN_S; therefore it cannot retrieve the patient’s identity ID_i from MID_i = ID_i ⊕ h(N_S).

Functionality comparisons

In order to evaluate the functionality of the proposed scheme, we compare it with Tan’s scheme [20] and some related schemes [14, 15, 21] in terms of security properties, as summarized in Table 2. Xu et al.’s scheme [21] and Lee et al.’s scheme [15] are vulnerable to denial-of-service attacks, because in the password change phase of these schemes the smart card does not verify the inputted old password [22]. Therefore, if a user mistakenly enters a wrong old password during the password change process, he/she will no longer be able to pass the verification process of the smart card and login to the server. Tan’s scheme [20] is vulnerable to replay attacks and denial-of-service attacks, as demonstrated in Section “Weaknesses of the Tan’s scheme”. Khan et al.’s scheme [14] does not provide user anonymity, as the real identity of the user is transmitted through a public channel. Furthermore, since the uniqueness of the user’s identity is not checked in the registration process of Khan et al.’s scheme, an adversary can register with an identity that corresponds to an existing user. When the adversary registers with an existing identity, he/she acquires a new smart card that has the same content as the victim’s smart card. With the acquired smart card the adversary can easily impersonate the victim user. Therefore, Khan et al.’s scheme [14] is vulnerable to impersonation attacks. Lee et al.’s scheme [15] is vulnerable to replay attacks, as stated in [22]. It is visible from Table 2 that the proposed scheme is superior to the other schemes.

Table 2 Security properties comparison

Performance analysis

In this section, the performance of our proposed scheme is analyzed. Furthermore, the computation cost of the proposed scheme is compared with Tan’s scheme [20] and some related schemes [14, 15, 21].

In order to provide a precise computation cost comparison, we use the experimental data reported in [21] to evaluate the schemes. Most recently, Xu et al. [21] evaluated the running time of the elliptic curve point multiplication and modular exponentiation operations using C++ in the environment (CPU: 1.6 GHz, RAM: 2.0 GB). They reported that the average time of executing a modular exponentiation and a point multiplication is 1,910 and 1.49 ms, respectively. They also demonstrated that the execution times of the hash function operation and the exclusive-or (XOR) operation are negligible. Furthermore, Koblitz et al. [49] showed that the cost of executing an elliptic curve point multiplication is equivalent to the cost of 1,200 modular multiplications or 400 modular inversions. Therefore, we can conclude that the execution of a 160-bit modular multiplication and a 160-bit modular inversion takes 0.00125 and 0.003725 ms, respectively.

For convenience, let T_EXP, T_PM, T_M, T_INV, T_X, and T_H denote the time complexity of executing a modular exponentiation, an elliptic curve point multiplication, a 160-bit modular multiplication, a 160-bit modular inversion, a bit-wise exclusive-or (XOR) operation and a one-way hash function operation, respectively. In order to evaluate the computation efficiency of the different schemes, we use the simple method from [52]. For example, in the proposed scheme, four hash function operations and nine exclusive-or operations are needed to register a new user; therefore, the computational cost of the registration phase of our scheme is 4T_H + 9T_X. In the login and authentication phase, four elliptic curve point multiplications, two 160-bit modular multiplications, one 160-bit modular inversion, 15 hash function operations, and 15 exclusive-or operations are required to accomplish mutual authentication and session key establishment. Therefore, the computational cost of the login and authentication phase of the proposed scheme is 4T_PM + 2T_M + 1T_INV + 15T_H + 15T_X. Besides, four hash function operations and 14 exclusive-or operations are required to update the password and biometric; therefore, the computational cost of the password and biometric update phase is 4T_H + 14T_X. As a result, the total computational cost of our proposed scheme is 4T_PM + 2T_M + 1T_INV + 23T_H + 38T_X, and the resulting computation time is (4*(1.49) + 2*(0.00125) + 0.003725) ≈ 5.97 ms.

The computational costs of the proposed scheme and the related schemes [14, 15, 20, 21] during the registration, login and authentication, and password and biometric update processes are compared in Table 3. Khan et al.’s scheme [14] is a DLP-based authentication and key agreement scheme, which requires some exponentiation operations. Since exponentiation is a time-consuming operation, their scheme has high computation overhead and is not suitable for medical networks involving resource-constrained mobile devices. Moreover, Khan et al.’s scheme [14] does not provide user anonymity and is vulnerable to user impersonation attacks. Lee et al.’s scheme [15] is an RSA-based scheme, which requires two exponentiations to complete the mutual authentication and key agreement process. Although Lee et al.’s scheme [15] improves performance by eliminating four exponentiations, its computational cost is still high. Furthermore, Lee et al.’s scheme [15] is vulnerable to denial-of-service attacks and replay attacks [22]. Xu et al.’s scheme [21], Tan’s scheme [20], and our proposed scheme rely on the ECDLP. Since the elliptic curve point multiplication is the basic and main operation in elliptic curve cryptosystems, and its time complexity is lower than that of modular exponentiation (1T_EXP ≈ 8.2T_PM [49]), the computational cost is significantly reduced in these schemes. Tan’s scheme [20] is vulnerable to replay attacks, and both Tan’s scheme [20] and Xu et al.’s scheme [21] are vulnerable to denial-of-service attacks. Therefore, neither Xu et al.’s scheme [21] nor Tan’s scheme [20] is suitable for TMIS. Table 3 shows that our improved scheme is more efficient than both Xu et al.’s scheme [21] and Tan’s scheme [20]. In our scheme, two elliptic curve point multiplications are replaced with two 160-bit modular multiplications and one 160-bit modular inversion. Since modular multiplication and modular inversion have lower computation costs than the elliptic curve point multiplication (1T_PM ≈ 1200T_M ≈ 400T_INV [49]), the total computation cost is reduced and efficiency is improved. As a result, we can conclude that our improved scheme is more efficient than the other schemes.

Table 3 Performance comparisons

Conclusion

In this paper, we have discovered two security weaknesses in Tan’s authentication scheme for telecare medicine information systems (TMISs). We have shown that Tan’s scheme is vulnerable to replay attacks and denial-of-service attacks. In order to improve security and efficiency, we have proposed a new anonymous three-factor ECC-based authentication and key agreement scheme for TMIS. According to the security and performance analysis, the proposed scheme not only withstands various attacks but is also more efficient than Tan’s scheme. Due to its better performance, our scheme is more suitable for TMIS.