Introduction

The Telecare Medical Information System (TMIS) provides an effective way to enhance the medical process between the doctors and nurses at a clinical center or a home healthcare (HHC) agency, and home-based patients. According to the traditional medical diagnosis process, a patient goes to a hospital or a clinic, and then consults a doctor; however, TMIS technology means that patients can remain within their home, as they can still access convenient and prompt medical treatment through the Internet or mobile networks [1, 2]. With a TMIS, patients can save a great amount of time and access doctors and specialists more easily; for example [2], by using a TMIS, a hypertension patient or a diabetes mellitus patient can directly exchange his/her daily medical data, collected by the patient at home, for the medical advice of doctors and/or nurses without needing to visit a hospital or a clinic; however, the user accesses the telecare medical services over a public network, exposing the exchange to security risks. It is therefore important, but also challenging, to enhance the security of TMIS technology so that a patient and a doctor can perform mutual authentication and session key establishment on a medical server without compromising the privacy of the patient.

Password authentication schemes have been widely used over the last two decades. Since Lamport [3] proposed the first password-based authentication scheme for insecure communication in 1981, password authentication schemes [48] have been extensively investigated. Recently, a remote user authentication protocol became essential for TMISs so that remote patients could access the resources on the telecare server. Several authenticated key agreement schemes [913] have been proposed for TMISs. In 2010, Wu et al. [14] proposed a low computation password-based authentication scheme; however, He et al. [15] pointed out that Wu et al.’s scheme is vulnerable to the insider and impersonation attacks. To overcome these weaknesses, He et al. proposed an improved scheme, but unfortunately, Wei et al. [16] demonstrated that the schemes of both Wu et al. and He et al. are vulnerable to the off-line password guessing attack. To solve the limitations of the schemes of Wu et al. and He et al., Wei et al. also developed an improved scheme; however, Zhu [17] later showed that Wei et al.’s scheme is insecure against the off-line password guessing attack and designed an authentication scheme to address this limitation. Nevertheless, the high computational overhead that is caused by modular exponential operations means that it is less feasible to practically apply these works.

With the rapid development of cryptography related chaos theory [1820], an increasing number of chaos theory-based authentication schemes have been widely studied, as the performances of these schemes are more effective than that of traditional cryptography [21]. In 2007, Xiao et al. [22] developed the first chaotic map-based, authenticated key agreement protocol for which random numbers are used. Tseng et al. [23] then proposed a scheme that comprises a chaotic map-based authentication and key agreement and supposedly preserves user anonymity; unfortunately, Niu et al. [24] found that Tseng et al.’s scheme does not actually provide user anonymity and presented an improved scheme to overcome the weakness. Xue et al. [25], however, pointed out that Niu et al.’s scheme is vulnerable to the man-in-the-middle attack.

Recently, Guo et al. [26] proposed a chaotic map-based, password authenticated key agreement scheme for which smart cards are required; unfortunately, both Hao et al. [27] and Lin [28] pointed out that user anonymity is not guaranteed under Guo et al.’s scheme. To remedy the identified deficiency, Hao et al. and Lin presented their modified versions of Guo et al.’s scheme; however, Jiang et al. [29] and Lee [30] showed that Hao et al.’s scheme did not achieve fairness in terms of session key establishment and is vulnerable to the stolen smart card attack. Both Jiang et al. and Lee then developed improved schemes to overcome the flaws of Hao et al.’s scheme; unfortunately, Li et al. [31] demonstrated that the schemes of both Jiang et al. and Lee cannot withstand the service misuse attack for non-registered users and reveals the user’s identity during the authentication phase.

While addressing the limitations of the schemes of Lee and Jiang et al., Li et al. presented a slightly modified version of Lee’s scheme to prevent thecorresponding shortcomings. Afterward, Lu et al. [32] found that Li et al.’s modified scheme still comprises some weaknesses such as a violation of the session key security, a vulnerability to the user impersonation attack, and a lack of local verification, and they subsequently proposed a robust and efficient biometrics-based password authentication scheme for TMISs for which extended chaotic maps are used; however, we found that the authentication scheme of Lu et al. is still insecure with respect to the outsider attack, the impersonation attack, and the replay attack, among others. The contributions of the proposed article are two fold. First, we point out the security flaws of Lu et al.’s user authentication scheme, and secondly, we present a new chaotic map-based, remote user authentication scheme for TMISs; moreover, the proposed scheme is more secure than Lu et al.’s scheme.

The remainder of this paper is organized as follows: The section titled “Preliminaries” introduces some preliminaries about Chebyshev chaotic maps and hash functions; the review and security analysis of Lu et al.’s scheme are shown in “Review of Lu et al.’s Scheme” and “Security analysis of Lu et al.’s Scheme”, respectively; “Our proposed authentication scheme” and “Security analysis” present our proposed scheme and an analysis of its security, respectively; “Functionality and performance comparison analysis” shows the comparisons of the performances and security features of the proposed scheme and other related schemes; and “Conclusion” is composed of a brief conclusion.

Preliminaries

In this section, we briefly introduce the one-way hash function [33] and Chebyshev chaotic maps [34, 35]. The Chebyshev polynomial T n (x) is an x polynomial of degree n.

Definition 1

A secure one-way hash function h:{0,1}→{0,1}n that takes an input as an arbitrary length binary string x∈{0,1} and outputs a binary string h(x)∈{0,1}n. The probability of \(\mathcal {A}\) finding a collision is defined as

$$Adv^{\mathcal{A}}_{HASH}(t_{1})=Pr[\mathcal{A}((x,x^{\prime}), x\neq x^{\prime}): h(x)=h(x^{\prime})]. $$

Definition 2

Let n be an integer and x is a real number from the set [ −1, 1], so that the Chebyshev polynomial of degree n is defined as T n (x) = c o s(na r c c o s(x)).

Definition 3

Given the two elements x and y \(\in Z^{\ast }_{p}\), the Chaotic Maps Discrete Logarithm Problem (CMDLP) is whe- ther the integer r can be found such that y = T r (x). The probability of \(\mathcal {A}\) being able to solve the CMDLP is defined as \(Adv^{\mathcal {A}}_{CMDLP}(t_{2})=Pr[\mathcal {A} (x, y)=r:r \in Z^{\ast }_{P}, y=T_{r}(x)~mod~p\)].

Definition 4

Given the three parameters x, T r (x) and T s (x), the Chaotic Maps Diffie-Hellman Problem (CMDHP) is whe- ther T r s (x) can be computed such that T r s (x) = T r (T s (x)) = T s (T r (x)).

Review of Lu et al.’s Scheme

In this section, we review Lu et al.’s biometrics-based password authentication scheme for TMISs for which chaotic maps are used. Their scheme consists of the following three phases: registration, login and authentication, and password updating. For convenience, some of the notations that are used in Lu et al.’s scheme are described in Table 1.

Table 1 Notations used in Lu et al.’s scheme
Full size table

Registration

  1. (1)

    U inputs his/her biometrics characteristic BIO, and selects an identity ID and a password PW. Then, U computes P W D = h 1(P W||H(B I O)) and sends {I D, P W D} to S over a secure channel.

  2. (2)

    S computes K = h 1(I D||P W D) and I M 1 = Kh 1(k s ), where k s is S’s secret key. S then issues a smart card containing {I M 1,h 1(⋅),h 2(⋅),H(⋅)} to U.

  3. (3)

    U selects a secret key k u and computes f = h 1(I D||k u )⊕P W D. Then, U stores f onto the smart card; therefore, it is noted that the smart card of U contains the information {I M 1,f,h 1(⋅),h 2(⋅),H(⋅)}.

Login and authentication

  1. (1)

    U first inserts the smart card into a card reader and inputs his/her identity ID, password PW, and secret key k u and also imprints his/her biometrics BIO at the sensor. U then checks whether \(h_{1} (ID||k_{u})\oplus h_{1} (PW||H(BIO)) \overset {?}{=} f\); if it holds, U computes K = h 1(I D||h 1(P W||H(B I O))), generates a random number u, and computes R 1 = KI D, R 2 = I DT u (K), and R 3 = h 1(I D||T u (K)). Lastly, U sends the message {R 1,R 2,R 3} to S.

  2. (2)

    After receiving the login request message from U, S uses the secret key k s to derive K by computing K = I M 1h 1(k s ). He/she then computes I D = R 1K and T u (K) = I DR 2, and checks \(h_{1} (ID||T_{u} (K)) \overset {?}{=} R_{3}\); if it is correct, S then generates a random number v and computes I M 2 = T v (K)⊕I D, s k = h 2(T u (K),T v (K),T u v (K)), and A u t h s = h 1(K||T v (K)||s k). Lastly, S sends the message {A u t h s ,I M 2} to U.

  3. (3)

    Upon receiving the login response message from S, U derives T v (K) by computing I M 2I D, and computes s k = h 2(T u (K),T v (K),T u v (K)) to verify whether h 1 (K||T v (K)||s k) is equal to the received A u t h s . If it is holds, U successfully authenticates S and computes A u t h u = h 1(s k||T v (K)||K), and then sends the message {A u t h u } to S.

  4. (4)

    Upon receiving the message from U, S validates whether \(h_{1} (sk||T_{v} (K)||K)\overset {?}{=} Auth_{u}\). If it is true, S successfully authenticates U; otherwise, S aborts the request. Lastly, U and S have the common session key s k = h 2(T u (K),T v (K),T u v (K)).

Password change

If U wants to change his/her password, U inserts his/her smart card into the card reader and keys in ID, PW, k u , and BIO. Then, the smart card checks whether \(h_{1} (ID||k_{u})\oplus h_{1} (PW||H(BIO)) \overset {?}{=} f\); if it holds, U submits a new password P W n e w as well as a new secret key k u(n e w). The smart card then computes f n e w , followed by the replacement of f with f n e w .

Security analysis of Lu et al.’s Scheme

Lu et al. claimed that their scheme is resistant to the impersonation attack; however, we demonstrated that their scheme is still insecure against this attack type. We also found that their scheme is not secure against the outsider attack and the session key attack, and that it cannot support user anonymity; furthermore, some of the phases of Lu et al.’s scheme are not correct. We provide the details of these problems in the following subsections.

Incorrect login and authentication phase

In the login and authentication phase of Lu et al.’s scheme, the user U sends the login request message {R 1,R 2,R 3} to server S, followed by the computation of K = I M 1h 1(k s ) by server S. If, however, I M 1 is not the received value from U, this process is impossible; therefore, we assumed that user U sends the I M 1 to server S.

Incorrect password change phase

During the password change phase of Lu et al.’s scheme, if U wants to change his/her password, the smart card checks whether \(h_{1} (ID||k_{u})\oplus h_{1} (PW||H(BIO))\overset {?}{=} f\); if it holds, U submits a new password P W n e w and a new secret key k u(n e w), and the smart card then computes f n e w , followed by the replacement of f with f n e w . To update I M 1(n e w), however, I M 1 is also required . If I M 1 is not updated, U will compute K u = h 1(I D||h 1(P W n e w ||H(B I O))) after the password updating stage and S will compute K s = I M 1h 1(k s ) = h 1(I D||h 1(P W||H(B I O))); therefore, U will compute s k u = h 2(T u (K u ),T v (K s ),T u v (K s )) and S will compute s k s = h 2(T u (K u ),T v (K s ),T u v (K u )). Lastly, both U and S cannot have the sheared session key sk.

Outsider attack

Let \(\mathcal {A}\) be an active adversary [36] who owns a smart card and can extract [37] the information of the legal user {I M 1,h 1(⋅),h 2(⋅),f,H(⋅)}. He/she can then easily obtain h 1(k s ) that is the same for each legal user and is the hash value of the secret key that is selected by server S.

  1. (1)

    \(\mathcal {A}\) computes \(PWD_{\mathcal {A}}=h_{1} (PW_{\mathcal {A}}||H(BIO_{\mathcal {A}}))\) and \(K_{\mathcal {A}} =h_{1} (ID_{\mathcal {A}}||PWD_{\mathcal {A}})\); then, he/she can obtain h 1(k s ) by calculating \(IM_{1}\oplus K_{\mathcal {A}}\).

Violation of the session key security

If \(\mathcal {A}\) intercepts the communication between U and S, he/she can then obtain all of the messages {I M 1,R 1,R 2,R 3,A u t h s , I M 2,A u t h u }; furthermore, he/she can also easily obtain the session key between U and S. The details are described as follows:

  1. (1)

    \(\mathcal {A}\) computes K = I M 1h 1(k s ), I D = R 1K, T u (K) = R 2I D, and T v (K) = I M 2I D.

  2. (2)

    Using the [37], \(\mathcal {A}\) computes \(u^{\prime }=\frac {arcos(T_{u} (K))+2k\pi }{arccos(x)}\), \(v^{\prime }= \frac {arccos(T_{v} (K))+2k\pi }{arcos(x)}\), ∀kZ to satisfy the equation \(T_{u} (K) =T_{u^{\prime }}(K)\), and \(T_{v} (K)=T_{v^{\prime }}(K)\). Then, he/she can compute \(T_{uv} (K)=T_{u}(T_{v}(K))=T_{u^{\prime }}(T_{v^{\prime }}(K))\) therefore, \(\mathcal {A}\) can obtain the shared session key s k = h 2(T u (K),T v (K),T u v (K)).

User impersonation attack

As described in this subsection, an outsider adversary \(\mathcal {A}\) can also impersonate a legal user U to cheat the server S because he/she can know the secret value K of U. The details are described as follows:

  1. (1)

    \(\mathcal {A}\) generates a random number u and computes \(T_{u^{\prime }} (K)\), \(R_{2}=ID\oplus T_{u^{\prime }}(K)\), and \(R_{3}=h_{1} (ID||T_{u^{\prime }} (K))\). Then, \(\mathcal {A}\) sends the login request message {I M 1,R 1,R 2,R 3} to S.

  2. (2)

    After receiving the login request message from \(\mathcal {A}\) who pretends to be U, the messages can successfully pass S’s verification and S performs the following scheme normally. Then, S sends the login response message {A u t h s ,I M 2} to \(\mathcal {A}\), where v is the random number on the server side.

  3. (3)

    Upon receiving the login response message from S, \(\mathcal {A}\) computes T v (K) = I M 2I D, \(T_{u^{\prime }v}(K)=T_{u^{\prime }}(T_{v} (K))\), \(sk=h_{2} (T_{u^{\prime }}(K), T_{v}(K), T_{u^{\prime }v}(K))\), and A u t h u = h 1(s k||T v (K)||K). Then, \(\mathcal {A}\) sends the authentication message {A u t h u } to S.

  4. (4)

    When receiving the message {A u t h u } from \(\mathcal {A}\), S continues to proceed with the scheme without being detected. Lastly, \(\mathcal {A}\) and S “successfully” agree on a shared session key sk; however, an unfortunate outcome occurs, as S mistakenly believes that he/she is communicating with the legitimate user U.

Server impersonation attack

An outsider adversary \(\mathcal {A}\) can also impersonate a server S to cheat user U because he/she knows the secret value h 1(k s ) of server S. \(\mathcal {A}\) performs the following steps:

  1. (1)

    When U is sending the login request message {I M 1,R 1,R 2,R 3} to server S, \(\mathcal {A}\) can intercept this message and compute K = I M 1h 1(k s ), I D = R 1K, and T u (K) = R 2I D.

  2. (2)

    \(\mathcal {A}\) generates a random number v and computes \(IM_{2}=T_{v^{\prime }}(K)\oplus ID\), \(sk=h_{2} (T_{u} (K), T_{v^{\prime }}(K),T_{uv^{\prime }}(K))\), and \(Auth_{s}=h_{1} (K||T_{v^{\prime }}(K)||sk)\). Lastly, \(\mathcal {A}\) sends the login response message {A u t h s ,I M 2} to U.

  3. (3)

    After receiving the login response message {A u t h s ,I M 2} from \(\mathcal {A}\), U continues to proceed with the scheme without being detected. Lastly, U and \(\mathcal {A}\) “successfully” agree on a shared session key sk; however, an unfortunate outcome occurs, as U mistakenly believes that he/she is communicating with the server S.

Lack of user anonymity

Lu et al. claimed that their scheme can preserve the anonymity of an identity since ID cannot be derived from R 1 without the knowledge of K; additionally, K cannot be derived from I M 1 without the server’s private key k s . However, we found that if an outsider adversary \(\mathcal {A}\) can obtain h 1(k s ), then he/she can compute K = I M 1h 1(k s ) and I D = R 1K. Lu et al.’s scheme is therefore unable provide user anonymity.

Our proposed authentication scheme

In this section, we propose a new biometrics-based password-authentication scheme for TMISs for which an extended chaotic map is used. Lu et al. verified that Biohasing is very efficient and lightweight compared to modular exponentiation and elliptic-curve point multiplication [38, 39]. We also adopted Biohasing to protect patient’s biometrics, which can also counter a high number of false rejections that therefore decreases the probability that service access is denied [40]. Our proposed scheme consists of the following four phases: registration, login, authentication, and password changing. For convenience, some of the notations that are used in our proposed scheme are described in Table 2 and our proposed scheme consists of the following login and session key agreement phases as shown in Fig. 1.

Table 2 Notations used our proposed scheme
Full size table
Fig. 1
figure 1

Login and session key agreement phase of our scheme

Full size image

Registration phase

  1. (1)

    U inputs his/her biometrics characteristics BIO, and selects an identity ID and a password PW. Then U computes P W D = h 1(P W||H(B I O)) and sends {I D, P W D} to server S over a secure channel.

  2. (2)

    Upon receiving the registration request message from U, S checks whether or not ID is already in the database. If ID does not exist, S generates a random number k u that is unique to U. Then, S computes K = h 1(I D||P W D), I M 1 = Kh 1(k u ), I M 2 = h 1(k u ||k s )⊕h 1(k s ) and f = I M 1h 1(I DP W D) where k s is S’s secret master key. Note that k u is a fixed length value. Lastly, S stores {I Dh 1(k s ||k u ),k u k s ,h 1(k u ||k s )} in its database.

  3. (3)

    S stores a smart card containing {I M 1,I M 2,f,h 1(⋅),h 2(⋅),H(⋅)} and sends a smart card SC to U through a secure channel, thereby completing the registration phase.

Login phase

  1. (1)

    U first inserts the smart card into a card reader and enters his/her identity ID and password PW, and also imprints his/her biometric BIO at the sensor. SC then computes P W D = h 1(P W||H(B I O)) and checks whether \(IM_{1} \oplus h_{1} (ID\oplus PWD) \overset {?}{=} f\).

  2. (2)

    If it holds, SC computes K = h 1(I D||P W D) and generates a random number u. Then, SC computes R 1 = I DT u (K) and R 2 = h 1(I D||K||T u (K)); otherwise, SC rejects the login request. Lastly, SC sends the login request message {I M 1,I M 2,R 1,R 2} to S.

Authentication phase

  1. (1)

    After receiving the login request message from U, S uses his/her secret key k s to derive h 1(k u ||k s ) by computing h 1(k u ||k s ) = I M 2h 1(k s ); then he/she checks whether or not h 1(k u ||k s ) is already in the database. If h 1(k u ||k s ) does exist, S computes K = I M 1h 1(k u ) and T u (K) = I DR 1 and checks whether \(h_{1}(ID||K|| T_{u}(K)) \overset {?}{=} R_{2}\); if it holds, S then generates a random number v and computes I M 3 = T v (K)⊕I D, s k = h 2(T u (K),T v (K), T v u (K)), and A u t h s = h 1(K||T v (K)||s k). Lastly, S sends the login response message {A u t h s ,I M 3} to U.

  2. (2)

    Upon receiving the login response message from S, SC derives T v (K) by computing I M 3I D, and s k = h 2(T u (K),T v (K),T u v (K)) is also computed to verify whether h 1(K||T v (K)||s k) is equal to the received A u t h s ; if it is holds, U successfully authenticates S and computes A u t h u = h 1(s k||T v (K)||K) and the authentication response message {A u t h u } is sent to S.

  3. (3)

    When receiving the authentication response message from U, S validates whether \(h_{1} (sk||T_{v}(K)||K)\overset {?}{=} Auth_{u}\). If it is true, S successfully authenticates U; otherwise, S aborts this request. Lastly, U and S have a common session key s k = h 2(T u (K),T v (K),T u v (K)).

Password change phase

If U wants to change his/her password, he/she inserts his/her smart card into a card reader, and then enters his/her ID, PW, and BIO. The smart card then performs the following steps:

  1. (1)

    SC computes P W D = h 1(P W||H(B I O)) and checks whether \(IM_{1}\oplus h_{1} (ID\oplus PWD) \overset {?}{=} f\). If it is equal, SC computes K = h 1(I D||P W D) and accepts U who can enter a new password P W n e w ; otherwise, the smart card rejects the password change request.

  2. (2)

    After U submits a new password P W n e w , SC then computes P W D n e w = h 1(P W n e w ||H(B I O)), K n e w = h 1(I D||P W D n e w ), I M 1(n e w) = I M 1KK n e w , and f n e w = I M 1(n e w)h 1(I DP W D n e w ).

  3. (3)

    SC then updates I M 1, f so that it becomes I M 1(n e w), f n e w .

Security analysis

In this section, we demonstrate that our scheme can withstand a number of possible attack types. We also show that our scheme, which keeps the merits of Lu et al.’s scheme, supports several security properties. The security analysis of our proposed scheme was conducted under the following four assumptions:

  1. (1)

    An adversary \(\mathcal {A}\) can be either a user or a server; furthermore, both a registered user and a registered server can act as an adversary.

  2. (2)

    An adversary \(\mathcal {A}\) can eavesdrop on every communication that occurs over public channels; consequently, he/she can capture any message that is exchanged between a user and a server.

  3. (3)

    An adversary \(\mathcal {A}\) has the ability to alter, delete, or reroute a captured message.

  4. (4)

    Information can be extracted from a smart card by examining the power consumption of the card.

Formal security analysis

In this subsection, we demonstrate the formal security analysis of our proposed scheme and show that the scheme is secure. First, we define the following hash function [41].

Definition 1

A secure one-way hash function h:{0,1}→{0,1}n, which takes an input as an arbitrary length binary string x∈{0,1} and outputs a binary string h(x)∈{0,1}n and satisfies the following requirements: a. Given yY, it is computationally infeasible to find an xX such that y = h(x):b. Given xX, it is computationally infeasible to find another x xX, such that h(x ) = h(x):c. It is computationally infeasible to find a pair (x ,x)∈X ×X, with x x, such that h(x ) = h(x).

Theorem 1

Under the assumption that the one-way hash function h(⋅) closely behaves like an oracle, then our proposed scheme is provably secure against an adversary \(\mathcal {A}\) for the protection of a user’s personal information including his/her identity ID, the shared session key sk, the user’s unique value k u , and the server’s secret number k s that is selected by S.

Proof

The formal security proof of our proposed scheme is similar to those that are in [4244]. Use the following oracle to construct \(\mathcal {A}\), who will have the ability to derive the user U’s ID, the shared session key sk, the user’s unique value k u , and the server’s secret number k s that is selected by S. Reveal: This random oracle will unconditionally output the input x from the given hash result y = h(x). Now, an adversary \(\mathcal {A}\) runs the experimental algorithm that is shown in Table 3, which is \(EXP^{JKMSE}_{HASH, A}\) or JKMSE, for our proposed scheme. By defining the success probability for \(EXP^{JKMSE}_{HASH, A}\) as \(Success^{JKMSE}_{HASH, A}=|Pr[EXP^{JKMSE}_{HASH, A}=1]-1|\), the advantage function for this experiment then becomes

Table 3 Algorithm \(EXP^{JKMSE}_{HASH, A}\)
Full size table

\(Adv^{JKMSE}_{HASH, A}(t, q_{R})=max_{A} Success^{JKMSE}_{HASH, A}\)where the maximum is taken over all of \(\mathcal {A}\) with the execution time t and the number of queries q R that are made to the Reveal oracle. Consider the experiment that is shown in Table 3 for \(\mathcal {A}\). If \(\mathcal {A}\) has the ability to solve the hash function problem that is provided in Definition 1, then he/she can directly derive U’s identity ID, the shared session key sk, the user’s unique value k u , and the server’s secret number k s . In this case, \(\mathcal {A}\) will discover the complete connections between U and S; however, it is a computationally infeasible problem to invert the input from a given hash value, i.e., \(Adv^{JKMSE}_{HASH, A}(t)\leq \epsilon \), ∀𝜖>0. We then have \(Adv^{JKMSE}_{HASH, A}(t, q_{R})\leq \epsilon \), since \(Adv^{JKMSE}_{HASH, A}(t, q_{R})\) depends on \(Adv^{JKMSE}_{HASH, A}(t)\). As a result, there is no way for \(\mathcal {A}\) to discover the complete connections between U and S, and our proposed scheme is therefore provably secure against an adversary that seeks to derive (I D,P W,B I O,k u ,k s ).

Verification of authentication scheme with BAN logic

Burrows-Abadi-Needham (BAN) logic [45] is a set of rules for the definition and analysis of information-exchange protocols. Concretely, BAN logic helps its users to decide whether ex-changed information is trustworthy and secured against eavesdropping, or both. In this section, we prove that a shared session key between a user and a server can be correctly generated within the authentication process using BAN logic. Some of the notations and logical postulates [46] that are used in BAN logic are described in Table 4.

  1. (1)

    BAN logical postulates.

    1. a.

      Message-meaning rule: \(\frac {\mathcal P|\equiv \mathcal P\overset {\mathcal K}{\leftrightarrow }\mathcal Q,\mathcal P\triangleleft \{\mathcal X\}_{\mathcal K}}{\mathcal P|\equiv \mathcal Q|\sim \mathcal X}\): If principal \(\mathcal P\) believes that he/she shares the secret key \(\mathcal K\) with \(\mathcal Q\), and \(\mathcal P\) sees the statement \(\mathcal X\) encrypted under \(\mathcal K\), then \(\mathcal P\) believes that \(\mathcal Q\) once said \(\mathcal X\).

    2. b.

      Nonce-verification rule: \(\frac {\mathcal P|\equiv \# (\mathcal X),\mathcal P|\equiv \mathcal Q|\sim \mathcal X}{\mathcal P|\equiv \mathcal Q|\equiv \mathcal X}\): If principal \(\mathcal P\) believes that \(\mathcal X\) is fresh and that \(\mathcal Q\) once said \(\mathcal X\), then \(\mathcal P\) believes that \(\mathcal Q\) believes \(\mathcal X\).

    3. c.

      The belief rule: \(\frac {\mathcal P|\equiv \mathcal X,\mathcal P|\equiv \mathcal Y}{\mathcal P|\equiv (\mathcal X,\mathcal Y)}\): If principle \(\mathcal P\) believes \(\mathcal X\) and \(\mathcal Y\), then \(\mathcal P\) believes \((\mathcal X,\mathcal Y)\).

    4. d.

      Freshness-conjuncatenation rule: \(\frac {\mathcal P|\equiv \#(\mathcal X)}{\mathcal P|\equiv \#(\mathcal X,\mathcal Y)}\): If principle \(\mathcal P\) believes that \(\mathcal X\) is fresh, then \(\mathcal P\) believes that \((\mathcal X, \mathcal Y)\) is fresh.

    5. e.

      Jurisdiction rule: \(\frac {\mathcal P|\equiv \mathcal Q|\Rightarrow \mathcal X,\mathcal P|\equiv \mathcal Q|\equiv \mathcal X}{\mathcal P|\equiv \mathcal X}\): If principle \(\mathcal P\) believes that \(\mathcal Q\) has jurisdiction over \(\mathcal X\) and \(\mathcal P\) believes that \(\mathcal Q\) believes \(\mathcal X\), then \(\mathcal P\) believes \(\mathcal X\).

  2. (2)

    Idealized scheme

    • U:\(\langle ID\rangle _{U\overset {K}{\leftrightarrow }S}\), \(\langle ID\rangle _{\{U\overset {K}{\leftrightarrow }S\}_{u}}\), \((ID)_{\{U\overset {K}{\leftrightarrow }S\}_{u}}\), \((U\overset {sk}{\leftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{v})_{U\overset {K}{\leftrightarrow }S}\)

    • S:\((U\overset {sk}{\leftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{u})_{U\overset {K}{\leftrightarrow }S}\), \(\langle ID\rangle _{\{U\overset {K}{\leftrightarrow }S\}_{v}}\)

  3. (3)

    Establishment of security goals

    • g 1.\(U|\equiv S|\equiv U\overset {sk}{\longleftrightarrow }S\)

    • g 2.\(U|\equiv U|\overset {sk}{\longleftrightarrow }S\)

    • g 3.\(S|\equiv U|\equiv U\overset {sk}{\longleftrightarrow }S\)

    • g 4.\(S|\equiv U\overset {sk}{\longleftrightarrow }S\)

  4. (4)

    Initiative premises

    • p 1.U|≡# u

    • p 2.S|≡# v

    • p 3.\(U|\equiv U\overset {K}{\leftrightarrow }S\)

    • p 4.\(S|\equiv U\overset {K}{\leftrightarrow }S\)

    • p 5.\(U|\equiv S\Rightarrow (U\overset {sk}{\longleftrightarrow }S)\)

    • p 6.\(S|\equiv U\Rightarrow (U\overset {sk}{\longleftrightarrow }S)\)

  5. (5)

    Our proposed scheme analysis

    • a 1. Since p 3 and \(U\triangleleft (U\overset {sk}{\leftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{u})_{U\overset {K}{\leftrightarrow }S}\), we apply the message-meaning rule to obtain: \(U|\equiv S|\sim (U\overset {sk}{\leftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{u})\).

    • a 2. Since p 1 and a 1, we apply the fresh conjuncatenation rule and nonce-verification rule to obtain: \(U|\equiv S|\equiv (U\overset {sk}{\leftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{u})\).

    • g 1. Since a 2 and p 3, we apply the belief rule to obtain: \(U|\equiv S|\equiv U\overset {sk}{\leftrightarrow }S\).

    • g 2. Since p 5 and g 1, we apply the jurisdiction rule to obtain: \(U|\equiv U\overset {sk}{\leftrightarrow }S\).

    • g 3. Since p 4 and \(S\triangleleft (U\overset {sk}{\leftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{v})_{U\overset {K}{\leftrightarrow }S}\), we apply the message-meaning rule to obtain: \(S|\equiv U|\sim (U\overset {sk}{\longleftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{v})\).

    • g 4. Since p 2 and a 3, we apply the belief rule to obtain: \(S|\equiv U|\equiv (U\overset {sk}{\longleftrightarrow }S, \{U\overset {K}{\leftrightarrow }S\}_{v})\).

    • g 3. Since a 4 and p 4, we apply the belief rule to obtain: \(S|\equiv U|\equiv U\overset {sk}{\longleftrightarrow }S\).

    • g 4. Since g 3 and p 6, we apply the jurisdiction rule to obtain: \(S|\equiv U\overset {sk}{\longleftrightarrow }S\).

As a result, our proposed scheme is truly capable of achieving the goals.

Table 4 Notations used in BAN Logic
Full size table

Resisting the outsider attack

Suppose an outsider adversary \(\mathcal {A}\) extracts all of the information {I M 1,I M 2,h 1(⋅),h 2(⋅),f,H(⋅)} from an owned smart card by using a side channel attack [37]; however, he/she cannot obtain of the secret information of S. Although \(\mathcal {A}\) can compute h 1(k u ) = I M 1K, the value k u is a random number that is selected by S and is unique to the user; therefore, \(\mathcal {A}\) does not know this value and our proposed scheme can resist the outsider attack.

Resisting the impersonation attack

Suppose \(\mathcal {A}\) intercepts all of the messages {I M 1,I M 2,R 1,R 2,I M 3,A u t h s ,A u t h u } that are transmitted over a public channel between U and S; however, \(\mathcal {A}\) cannot generate the legal login request message {I M 1,I M 2,R 1,R 2}, where I M 1 = Kh 1(k u ), I M 2 = h 1(k u ||k s )⊕h 1(k s ), R 1 = KI D, R 2 = I DT u (K), and K = h 1(I D||h 1(P W||H(B I O))), because the value k u is a random number that is selected by S and is unique to user, and u is a random number that is generated by U. Furthermore, \(\mathcal {A}\) cannot generate the login response message {A u t h s ,I M 3} without the random number v. Our proposed scheme can therefore resist the impersonation attack.

Resisting the smart card stolen attack

Suppose that \(\mathcal {A}\) steals the smart card of a legal user U; then, he/she can extract all of the information {I M 1,I M 2,h 1(⋅),h 2(⋅),f,H(⋅)} from the smart card by using the side channel attack [37]. \(\mathcal {A}\), however, cannot obtain any of the secret information of U. The password PW is protected by the elements ID and BIO that \(\mathcal {A}\) does not know. Our proposed scheme can therefore resist the smart card stolen attack.

User anonymity

Our proposed scheme can preserve the anonymity of an identity since ID cannot be derived from R 1 without the knowledge of K; furthermore, K cannot be derived from I M 1 without the random number k u because of the one-way hash function. Our proposed scheme therefore provides user anonymity.

Perfect forward secrecy

In our proposed scheme, the shared session key s k = h 2(T u (K),T v (K),T u v (K)) is related to the value K and the two random numbers u and v. The value K is hidden by the random number k u and is computed by using the user’s password PW and the biometrics BIO that, with the exception of U, nobody knows; moreover, two random numbers are chosen by U and S. If the adversary \(\mathcal {A}\) wants to compute u and v from T u (K) and T v (K), he/she must first obtain the value K and will face the CMDLP. Our proposed scheme can therefore provide perfect forward secrecy.

Session key security

Suppose that \(\mathcal {A}\) intercepts all of the messages {I M 1,I M 2,R 1,R 2,I M 3,A u t h s ,A u t h u } that are transmitted across a public channel between the user U and the server S, and steals the smart card of U, and then extracts the all of the information {I M 1,I M 2,h 1(⋅),h 2(⋅),f,H(⋅)}; however, \(\mathcal {A}\) cannot compute the session key s k = h 2(T u (K),T v (K),T u v (K)). To compute T u (K) and T v (K) from R 2 and I M 3, U’s identity ID is needed. To retrieve ID from R 1, \(\mathcal {A}\) needs to know the PW and H(B I O). Since only U can imprint his/her biometrics BIO at the sensor, an adversary \(\mathcal {A}\) cannot attain U’s ID and PW. Alternatively, anyone, with the exception of U and S, is required to compute T u v (K) from T u (K) and T v (K) if he/she wants to obtain the session key, then he/she will be required to solve the CMDHP. Our proposed scheme can therefore provide session key security.

Functionality and performance comparison analysis

In this section, we evaluate the functionality comparisons between our proposed scheme and the other related schemes of [26, 2832, 34, 35, 47] are given. Table 5 shows that our proposed scheme is more secure and robust than the other related schemes and that it achieves a greater number of functionality features. For the performance comparison, the definitions of T C C M , T E , and T H are the performance times of a Chebyshev chaotic map operation, a symmetric encryption/decryption operation, and a hash function, respectively; Recently, Xue and Hong [25] estimated the running time of different cryptographic operations whereby T C C M is nearly 32.2 ms on average, T E is nearly 0.45 ms on average, and T H is below 0.2 ms on average in the environment (CPU:3.2 GHz, RAM: 3.0 G). Table 6 shows that our proposed scheme performs two further hash functions than Lu et al.’s scheme to accomplish mutual authentication and key agreement; however, a very brief amount of time consumed by this operation.

Table 5 Security attributes comparison
Full size table
Table 6 Performance comparison
Full size table

Conclusion

In 2015, Lu et al. proposed an enhanced TMIS scheme based on Li et al.’s scheme and demonstrated its resistance to the typical attack types; however, we found that Lu et al.’s scheme is not secure against the outsider attack, the impersonation attack, and the replay attack, among others. In this paper, to solve these security vulnerabilities, we propose an improved authentication scheme for TMISs that maintains the merits of Lu et al.’s scheme and is more secure; further-more, the computational cost of our proposed scheme is lower than that of Lu et al.’s scheme. The performed security analysis confirms that our proposed scheme rectifies the weaknesses of Lu et al.’s scheme.