Introduction

The TMIS is applicable in various healthcare settings, such as remote monitoring of patients, consultation, and other flexible and convenient health-related services. In the healthcare sector these systems meet a current demand, as they deliver private health services to patients at home. Advances in networking have improved healthcare services, so that patients can use electronic devices to receive them. Users, however, access the service over a public, insecure channel, which exposes the communication to attack. The communication must therefore run over an effectively authenticated channel in order to achieve privacy and security. To fill this gap, Wu et al. [10] proposed a secure authentication scheme for the system. Subsequently, Wei et al. [9] observed that the work of Wu et al. [10] does not actually achieve two-factor authentication, and proposed a new smart-card-based scheme for TMIS that does. In 2012, Zhu [12] found that Wei et al.'s technique permits password guessing; he proposed an improved scheme, but one without anonymous communication. Later, Chen et al. [5] developed an anonymous authentication technique for TMIS. Lin et al. [7] then showed that in Chen et al.'s scheme the user's identity can be disclosed by a dictionary attack and the password can be guessed from the information stored in the smart card, and presented an anonymous authentication scheme to prevent these attacks. Cao and Zhai [4] also showed that the design of Chen et al. is vulnerable to password guessing and identity guessing attacks based on the smart card's information, and designed an efficient protocol for TMIS. The protocols in [4, 7, 12] lack an effective input-verification condition: an incorrect identity or password cannot be detected efficiently by the smart card before the login request is sent.
Cryptosystems based on chaotic maps have been developed to improve both efficiency and security. Besides security, privacy attributes are equally important. Two key privacy attributes are anonymity and unlinkability, which many authentication schemes for TMIS, such as [9, 10, 12, 31], fail to provide. In 2013, Guo et al. [14] constructed an AKA-CM (authenticated key agreement based on the chaotic map) protocol. Later, Hao et al. [15] showed that the work [14] does not provide user untraceability because of its use of two secret keys, and developed a new technique that performs better than the work of Guo et al. In 2014, Jiang et al. [16] noticed weaknesses in Hao et al.'s scheme: it is not secure against the stolen smart card (SSC) attack. Li et al. [21], in 2016, proposed an AKA-CM for healthcare; however, Madhusudhan et al. noticed that the design is vulnerable to impersonation (IMP) and password guessing (PAG) attacks. Later, Jiang et al. [27] presented an improved AKA model for TMIS, which uses three message exchanges for session key agreement. Moreover, this scheme is comparatively inefficient: it uses six elliptic curve scalar multiplications, the costliest operation in the comparison given in [27]. At the same time, Wu et al. [28] presented an RFID-based AKA scheme that relies on the hash function. Subsequently, Radhakrishnan et al. [19] presented an authentication protocol (AUTP) for TMIS which is not secure against identity guessing (IDG), SSC information, and PAG attacks. Later, Zhang et al. [25] proposed an AUT (authentication technique) for TMIS; unfortunately, this protocol is also insecure against PAG, IDG, and replay (RPL) attacks. A robust AUT was then developed by Madhusudhan et al. [20] for the telecare medical information system (TMIS); however, their scheme remains insecure against SSC, IMP, PAG, and IDG attacks. A brief analysis of the security attributes is given in Tables 1 and 2. In [34], Li et al. presented a cloud-assisted mutual authentication and privacy preservation protocol for TMIS.
Subsequently, Kumar et al. [35] proposed a secure mutual authentication protocol for cloud-assisted TMIS based on elliptic curve cryptography. Later, Salem and Amin [36] developed an RFID authentication protocol relying on the ElGamal cryptosystem for secure telecare medical information systems. Nayak and Pippal [38] also surveyed existing authentication protocols for TMIS and analysed their efficiency. Recently, Gaikwad et al. [37] proposed a lightweight client authentication scheme with anonymity for TMIS based on a chaotic hash function.

Table 1 Key attributes comparison of password based AUTP for TMIS
Table 2 Key attribute comparison of AKA-CM for TMIS

A hash evaluation, \(t_{h} \approx 0.00032\,s\), is a very lightweight operation compared with the other primitives: \(t_{me} \approx 0.0192\,s\), \(t_{fe} \approx t_{h_{b}} \approx t_{ecm} \approx 0.0171\,s\) [32], \(t_{b} \approx 0.380\,s\), \(t_{sym} \approx 0.0056\,s\) and \(t_{ecm} \approx t_{c} \approx 0.0171\,s\) [2]. We compare the performance of the related schemes in Fig. 1.

Fig. 1 Computational cost comparison of related schemes

A comparative summary of the security attributes of chaotic map-based authentication protocols for TMIS is given in Table 2. We use ✓ and × to denote that a scheme achieves, respectively fails to achieve, an attribute. Tables 1 and 2 show that the existing protocols for TMIS are weak from a security point of view: none of them resists all of the attacks listed there. Thus, an AKA-CM for TMIS is required that preserves the following attributes:

  • User-friendly login and password update.

  • Unlinkability.

  • Mutual authentication and communication protected by a secure session key.

  • Low computational overhead together with high security.

  • Low communication overhead and anonymity.

Therefore, we propose a secure and efficient AKA-CM for TMIS. The security analysis of our scheme is given in this work. Our construction resists the existing attacks and achieves key agreement with a two-message exchange.

Roadmap

The paper is organized as follows: the basic assumptions, notations and model are discussed in “Preliminaries”. The proposed scheme is described in “Proposed Scheme”. The security claims are proved in “Security Analysis”. The performance of the proposed scheme is discussed in “Computational Efficiency Analysis”. Lastly, the conclusion is provided in “Conclusion”.

Preliminaries

The notations and basic definitions are presented in this section, including the definition of the Chebyshev chaotic map and the properties of it that the scheme relies on. The notations are described in Table 3.

Table 3 Notations

Chebyshev Chaotic Map (CCM)

The following definitions of the CCM are taken from [17, 18].

  • Definition 1 The Chebyshev polynomial (CHP) of degree n (a positive integer) is denoted by Tn(x) and defined as \(T_{n}(x) = \cos(n \arccos(x))\) for \(x \in [-1,+1]\), where it takes values in [−1, +1]. It satisfies the recurrence \(T_{n}(x) = 2xT_{n-1}(x) - T_{n-2}(x)\) with \(T_{0}(x) = 1\) and \(T_{1}(x) = x\); the recurrence extends Tn to all \(x \in (-\infty, +\infty)\), and in the scheme below it is evaluated modulo a large prime p (enhanced Chebyshev map), which is why the random exponents are drawn from \(Z_{p}^{\ast}\). The polynomials commute under composition, \(T_{u}(T_{v}(x)) = T_{uv}(x) = T_{v}(T_{u}(x))\); this semigroup property is what lets both parties of the key agreement compute the same value.

  • Definition 2 The DLP (discrete logarithm problem) is: given x and y, compute an integer u satisfying \(T_{u}(x) = y\).

  • Definition 3 The Computational Diffie-Hellman (CDH) problem is: given the tuple \(\left (x,T_{u}(x),T_{v}(x)\right )\), compute \(T_{uv}(x)\). Both problems are assumed to be computationally hard.

Threat model

We follow the notations of Table 3 and the communication model depicted in Fig. 2, under the standard security assumptions [8] about the computational power of the adversary R against smart-card-based, password-based and chaotic map-based authentication schemes:

  • The user chooses the password from a finite dictionary, so it is low-entropy and can be enumerated by an attacker. Sj holds a private key. The server writes the necessary values into the smart card during registration.

  • R interacts with Ui and Sj through oracle queries in an attempt to break the authentication scheme.

  • R fully controls the public channel: it can intercept, modify, replay and redirect messages.

  • R can steal the smart card and extract the information stored in it.

Proposed Scheme

We now present an AKA-CM to address the security and efficiency requirements.

Registration Phase

Ui registers with Sj over a secure channel. The messages and computations are shown in Fig. 3.

  • Ui chooses Idi and Pwi, imprints the biometric, computes Hi = hb(biometric) and Ai = h(Idi||Pwi||Hi), and forwards {Idi, Ai} to Sj.

  • On receiving {Idi, Ai}, Sj checks the validity of Ui’s identity Idi. If the check succeeds, Sj picks a random \(n_{i} \in Z_{p}^{\ast }\) and uses its secret key x to compute Tx(Idi||ni) for Ui. Sj then derives Bi = Tx(Idi||ni) ⊕ Ai.

  • Over the secure channel, Sj issues to Ui a smart card Sc storing {h(.), Bi, ni}, and stores ni against Idi in its secure database.

  • Ui recovers Tx(Idi||ni) = Bi ⊕ Ai, computes Di = h(Tx(Idi||ni)||Pwi||Idi||Hi) and writes Di into Sc, so that Sc finally holds {h(.), Bi, Di, ni}.

Fig. 2 Communication model

Login Phase

Ui logs in to Sj by the following steps, illustrated in Fig. 4.

  • Ui inserts Sc, enters Idi and Pwi and imprints the biometric on the sensor; Sc computes \(H_{i}^{\prime } = h_{b}(biometric)\) and \(A_{i}^{\prime } = h(Id_{i}||Pw_{i}||H_{i}^{\prime })\).

  • Using \(A_{i}^{\prime }\), Sc recovers \(T_{x}(Id_{i}||n_{i})' = A_{i}^{\prime } \oplus B_{i}\), computes \(D_{i}^{\prime }= h(T_{x}(Id_{i}||n_{i})'||Pw_{i}||Id_{i}||H_{i}^{\prime })\) and checks \(D_{i}^{\prime } \overset {?}{=} D_{i}\). The check holds only if all three inputs Idi, Pwi and the biometric are correct; otherwise Sc aborts the login locally, without sending anything to Sj.

  • Sc chooses \( y \in Z_{p}^{\ast } \) at random and computes Ci = Ty(Idi||ni), Wi = Ty(Tx(Idi||ni)), Gi = Idi ⊕ h(Ci||Wi||T1) and Fi = h(Tx(Idi||ni)||Wi||T1), where T1 is the current timestamp. Finally, Ui transmits {Ci, Gi, Fi, T1} to Sj.

Fig. 3 Registration through secure channel

Authentication Phase

The steps are illustrated in Fig. 4. On receiving {Ci, Gi, Fi, T1} from Ui, Sj performs the following steps:

  • Sj verifies the freshness of T1, computes \(W_{i}^{\prime } = T_{x}(C_{i}) = T_{x}(T_{y}(Id_{i}||n_{i}))\), which equals Wi by the semigroup property, unmasks \(Id_{i} = G_{i} \oplus h(C_{i}||W_{i}^{\prime }||T_{1})\), looks up the ni stored for Idi, computes \(F_{i}^{\prime } = h(T_{x}(Id_{i}||n_{i})||W_{i}^{\prime }||T_{1})\) and checks \( F_{i}^{\prime } \overset {?}{=} F_{i}\) to validate the user.

  • Sj selects a random value z and computes Cj = Tz(Idi||ni), Wj = Tz(Ci) = Tz(Ty(Idi||ni)), \(Sk_{j} = h(W_{i}^{\prime }||W_{j}||T_{1})\) and Fj = h(Skj||Wj||T2), where T2 is the current timestamp.

  • Sj transmits {Fj, Cj, T2} to Ui.

  • On receiving {Fj, Cj, T2}, Ui verifies the freshness of T2, computes \(W_{j}^{\prime } = T_{y}(C_{j}) = T_{y}(T_{z}(Id_{i}||n_{i}))\), which equals Wj, \(Sk_{i} = h(W_{i}||W_{j}^{\prime }||T_{1})\) and \(F_{j}^{\prime } = h(Sk_{i}||W_{j}^{\prime }||T_{2})\), and checks \(F_{j}^{\prime } \overset {?}{=} F_{j}\). If the check succeeds, Ui accepts \(Sk_{i} = h(W_{i}||W_{j}^{\prime }||T_{1})\) as the session key.

Fig. 4 Illustration of login and authentication via open channel
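The three phases above, run end to end with both parties' messages, as an added worked example (this is not code from the paper; it also gives a concrete instance of Definition 1 and of the semigroup property that makes Wi' = Wi and Wj' = Wj). Everything the text leaves open is an assumption of this example: h(.) is SHA-256 over the '||'-concatenation of its arguments, hb(.) is SHA-256 over the raw biometric template, Idi||ni is encoded as an integer, the enhanced Chebyshev polynomial is evaluated modulo the 61-bit Mersenne prime 2^61 − 1 (a toy modulus so the demo runs instantly; a deployment needs a far larger p for the DLP/CDH assumptions of Definitions 2 and 3 to hold), and the timestamp window ΔT is 5 s.

```python
import hashlib
import secrets

P = (1 << 61) - 1   # prime modulus of the enhanced Chebyshev map (toy size: a real p must be far larger)
DELTA_T = 5         # accepted clock skew, in seconds, for the timestamps T1 and T2 (assumption)

def chebyshev(n, x, p=P):
    """T_n(x) mod p by square-and-multiply on the companion matrix M = [[2x, -1], [1, 0]]
    of the recurrence T_k+1 = 2x T_k - T_k-1 (T_0 = 1, T_1 = x, hence T_-1 = x); O(log n) steps."""
    x %= p
    a, b, c, d = 1, 0, 0, 1                       # accumulator, starts as the identity matrix
    ma, mb, mc, md = (2 * x) % p, p - 1, 1, 0     # M, with -1 written as p-1
    while n:
        if n & 1:
            a, b, c, d = ((a*ma + b*mc) % p, (a*mb + b*md) % p,
                          (c*ma + d*mc) % p, (c*mb + d*md) % p)
        ma, mb, mc, md = ((ma*ma + mb*mc) % p, (ma*mb + mb*md) % p,
                          (mc*ma + md*mc) % p, (mc*mb + md*md) % p)
        n >>= 1
    return (a + b * x) % p                        # [T_n, T_n-1] = M^n [T_0, T_-1] = M^n [1, x]

def h(*parts):
    """h(.): SHA-256 over the '||' concatenation of the parts, returned as an integer (assumption)."""
    data = b"||".join(q if isinstance(q, bytes) else str(q).encode() for q in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def hb(biometric):
    """hb(.): bio-hash, modelled here as SHA-256 of the template bytes (assumption)."""
    return h(b"bio", biometric)

def encode_id(idi, ni):
    """The map argument Idi||ni as an integer (the encoding is an assumption of this example)."""
    return int.from_bytes(idi + ni.to_bytes(8, "big"), "big")

def rand_exp():
    return secrets.randbelow(P - 2) + 2

# ---- registration phase (secure channel) ----
def register(server, idi, pwi, biometric):
    """Both sides of registration; returns the smart-card contents Sc = {Bi, Di, ni}."""
    ai = h(idi, pwi, hb(biometric))                           # Ui: Ai = h(Idi||Pwi||Hi)
    ni = rand_exp()                                           # Sj: fresh ni, kept in its database
    server["db"][idi] = ni
    txv = chebyshev(server["x"], encode_id(idi, ni))          # Sj: Tx(Idi||ni)
    bi = txv ^ ai                                             # Sj: Bi = Tx(Idi||ni) xor Ai
    di = h(bi ^ ai, pwi, idi, hb(biometric))                  # Ui: recovers Tx(.) from Bi, stores Di
    return {"Bi": bi, "Di": di, "ni": ni}

# ---- login phase (Ui and its smart card) ----
def login(card, idi, pwi, biometric, now):
    """Three-factor local check, then M1 = {Ci, Gi, Fi, T1}; returns (M1, state) or None."""
    hi = hb(biometric)
    txv = card["Bi"] ^ h(idi, pwi, hi)                        # Tx(Idi||ni)' = Bi xor Ai'
    if h(txv, pwi, idi, hi) != card["Di"]:
        return None                                           # Di' != Di: some factor is wrong
    y, v = rand_exp(), encode_id(idi, card["ni"])
    ci, wi = chebyshev(y, v), chebyshev(y, txv)               # Ci = Ty(v), Wi = Ty(Tx(v))
    gi = int.from_bytes(idi, "big") ^ h(ci, wi, now)          # Gi = Idi xor h(Ci||Wi||T1)
    return {"Ci": ci, "Gi": gi, "Fi": h(txv, wi, now), "T1": now}, {"y": y, "Wi": wi, "T1": now}

# ---- authentication phase (Sj) ----
def authenticate(server, m1, now):
    """Checks M1 and answers M2 = {Fj, Cj, T2}; returns (M2, Skj) or None on rejection."""
    ci, gi, fi, t1 = m1["Ci"], m1["Gi"], m1["Fi"], m1["T1"]
    if abs(now - t1) > DELTA_T:
        return None                                           # stale T1: replay or delay
    wi = chebyshev(server["x"], ci)                           # Wi' = Tx(Ty(v)) = Txy(v) = Wi
    idi = (gi ^ h(ci, wi, t1)).to_bytes(32, "big").lstrip(b"\x00")   # unmask Idi (<= 32 bytes, no leading NUL)
    ni = server["db"].get(idi)
    if ni is None or h(chebyshev(server["x"], encode_id(idi, ni)), wi, t1) != fi:
        return None                                           # unknown Idi or Fi' != Fi
    z = rand_exp()
    cj, wj = chebyshev(z, encode_id(idi, ni)), chebyshev(z, ci)   # Cj = Tz(v), Wj = Tz(Ty(v))
    skj = h(wi, wj, t1)                                       # Skj = h(Wi'||Wj||T1)
    return {"Fj": h(skj, wj, now), "Cj": cj, "T2": now}, skj

# ---- authentication phase (Ui) ----
def verify_server(state, m2, now):
    """Ui checks M2 and derives Ski; returns Ski, or None if T2 or Fj fails."""
    if abs(now - m2["T2"]) > DELTA_T:
        return None
    wj = chebyshev(state["y"], m2["Cj"])                      # Wj' = Ty(Tz(v)) = Tyz(v) = Wj
    ski = h(state["Wi"], wj, state["T1"])
    return ski if h(ski, wj, m2["T2"]) == m2["Fj"] else None

def run_protocol(now=1_700_000_000):
    """One run with constructed inputs, plus a wrong-password login and a replayed M1."""
    sj = {"x": rand_exp(), "db": {}}
    idi, pwi, bio = b"patient-0042", b"correct horse battery", b"constructed-fingerprint-template"
    card = register(sj, idi, pwi, bio)
    wrong_pw_rejected = login(card, idi, b"wrong password", bio, now) is None
    m1, state = login(card, idi, pwi, bio, now)
    m2, skj = authenticate(sj, m1, now)
    ski = verify_server(state, m2, now)
    replay_rejected = authenticate(sj, m1, now + 60) is None  # the same M1 presented later
    return {"Ski": ski, "Skj": skj, "wrong_pw_rejected": wrong_pw_rejected, "replay_rejected": replay_rejected}

if __name__ == "__main__":
    r = run_protocol()
    print("session key agreed:", r["Ski"] == r["Skj"], "| wrong pw rejected:", r["wrong_pw_rejected"],
          "| replay rejected:", r["replay_rejected"])
```

Two caveats the code makes visible. First, freshness rests on the timestamps alone: an M1 replayed within ΔT is still accepted here, exactly as in the scheme's description, so a deployment would additionally remember recently seen (Idi, T1) pairs. Second, hb(.) as a plain hash of the biometric only works for a noise-free template; a real reader needs a fuzzy extractor (the t_fe cost in the performance comparison) to obtain a stable Hi.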

Security Analysis

Our construction achieves mutual authentication and makes a secure communication between the Ui and the Sj.

Description of Existing Attacks

Our protocol is secure against the attacks described below, including the insider attack, the off-line and on-line PAG attacks, and the server and user IMP attacks:

  • Three-factor authentication: A Ui holding a valid smart card can start a login session only after supplying all three factors {Idi, Pwi, Hi}, because the session proceeds only after the check \(D_{i} \overset {?}{=} h(X_{i}||Pw_{i}||Id_{i}||H_{i})\) succeeds, where Hi = hb(biometric) and Xi = h(Idi||Pwi||Hi) ⊕ Bi. To obtain Xi = Tx(Idi||ni), R needs all three factors, since Xi = Ai ⊕ Bi with Ai = h(Idi||Pwi||Hi). Two factors (Pwi and the biometric) are held only by Ui, and the third (Idi) is transmitted only in masked form as Gi = Idi ⊕ h(Ty(Idi||ni)||Wi||T1). To extract Idi from Gi, R would have to compute Wi = Ty(Tx(Idi||ni)) from Ci = Ty(Idi||ni) alone, which is computationally infeasible without x or y.

  • Anonymity and unlinkability: The dynamic masked identity Gi, rather than Idi, is carried in the transmitted message {Ci, Gi, Fi, T1}. It is computationally infeasible to recover Idi from Gi and Ci = Ty(Idi||ni), since Gi = Idi ⊕ h(Ty(Idi||ni)||Wi||T1) with Wi = Ty(Tx(Idi||ni)), and Wi requires x or y. Hence the protocol ensures anonymity.

    Furthermore, no two sessions can be linked, because every value in the transmitted messages {Ci, Gi, Fi, T1} and {Fj, Cj, T2} is computed from freshly generated random values or timestamps: Ty(Idi||ni), Tz(Idi||ni), T1 and T2 change in every session, and with them Gi, Fi and Fj. The proposed protocol therefore supports unlinkability. Hence both anonymity and unlinkability are preserved.

  • Insider attack: This is an attack carried out on a system or network by an entity that has authorized access to it. In our scheme a malicious insider at Sj cannot obtain Ui’s password, because Ui submits the masked value h(Idi||Pwi||Hi) rather than Pwi, where h(.) is a secure one-way hash function. Moreover, the insider cannot verify password guesses against this value, because doing so also requires Hi = hb(biometric), which is never submitted.

  • Stolen smart card attack: This attack fails because R cannot extract the value Tx(Idi||ni), which is required to start a login session. Since Tx(Idi||ni) = Ai ⊕ Bi with Ai = h(Idi||Pwi||Hi), obtaining Tx(Idi||ni) requires computing Ai, and hence all three factors {Idi, Pwi, Hi}, which are held only by Ui; neither Ai nor any of the factors is stored in Sc (the card holds only {h(.), Bi, Di, ni}). Computing Tx(Idi||ni) directly would require the server’s secret key x and the user’s Idi, and neither is public.

  • Off-line password guessing attack: To verify a guessed password, R could try the condition \(D_{i} \overset {?}{=} h(X_{i}||Pw_{i}||Id_{i}||H_{i})\) using the values read from a stolen card. However, evaluating it requires the secret factors {Idi, Pwi, Hi, Xi}, where Hi = hb(biometric) and Xi = Ai ⊕ Bi with \(A_{i} = h(Id_{i}||Pw_{i}||H_{i})\). Computing Xi from Bi thus needs Idi and Hi in addition to the guessed Pwi. Since both Idi and Hi are unknown to R, a password guess cannot be verified, so R cannot recover Pwi off-line.

  • Replay attack: In a replay attack a valid transmission is maliciously delayed or repeated, either by its originator or by an adversary who intercepts the data and retransmits it. In our scheme R can record the messages {Ci, Gi, Fi, T1} and {Fj, Cj, T2}, since they are sent over the public channel. However, Sj and Ui detect replayed messages by checking the timestamps T1 and T2, which are bound into Fi and Fj respectively and therefore cannot be updated by R.

  • User impersonation attack: R can record the messages {Ci, Gi, Fi, T1} and {Fj, Cj, T2} from the public channel. To establish a valid session, however, R must produce a fresh login message, because the scheme resists replay. R cannot modify a previously transmitted {Ci, Gi, Fi, T1}, since it would have to recompute Fi = h(Tx(Idi||ni)||Wi||T1), which needs Tx(Idi||ni) and is not possible from the hash output alone. R may also read {Bi, Di, ni} from a lost or stolen card, but, as shown under the stolen smart card attack, this information is not sufficient to impersonate a valid user.

  • Server impersonation attack: R, knowing {h(.), Bi, Di, ni} and the old messages {Ci, Gi, Fi, T1} and {Fj, Cj, T2}, cannot impersonate the server, for two reasons:

    1. (a)

      Ui detects a replayed {Fj, Cj, T2} through the timestamp T2, which is bound into Fj = h(Skj||Wj||T2), where Wj = Tz(Ty(Idi||ni)), Skj = h(Wi||Wj||T1) and Wi = Ty(Tx(Idi||ni)).

    2. (b)

      R cannot generate a fresh response, because computing Fj = h(Skj||Wj||T2) requires Wi = Tx(Ci), and hence either the secret key x of Sj or the user’s ephemeral secret y.

  • Forward secrecy: Even with knowledge of Sj’s secret key x, R cannot compute a past session key \(Sk_{i} = h(W_{i}||W_{j}^{\prime }||T_{1})\), because:

    1. (a)

      The session key is defined as h(Wi||Wj||T1).

    2. (b)

      Computing Ski requires both Wi and Wj, where Wi = Ty(Tx(Idi||ni)) and Wj = Tz(Ty(Idi||ni)) = Tyz(Idi||ni).

    3. (c)

      With x, R can obtain Wi = Tx(Ci), but computing Wj = Tyz(Idi||ni) from the transmitted Ci = Ty(Idi||ni) and Cj = Tz(Idi||ni) is exactly the CDH problem of Definition 3, which is infeasible.

    4. (d)

      Without Wj, R cannot compute Ski.

Proof of Security

In this section the security of the proposed scheme against the general attacks is argued following the notation of [6].

  • (a) Existential-UNT-QSE (E-UNT-QSE): R cannot distinguish or link the user’s requests by interacting with the server and the smart card, nor by eavesdropping on the channel between them.

  • (b) Forward-UNT-QSER (F-UNT-QSER): R cannot trace past sessions even after obtaining the smart card and the information stored in it.

The following channels are used by the oracles in our proof:

  • CHA1: transmission of messages from Ui to Sj.

  • CHA2: transmission of messages from Sj to Ui.

The following oracles are used in our proof:

  • Query(\({\pi _{U}^{i}}, m_{1}, {\pi _{S}^{j}}\)): R sends a request m1 to the server via CHA1.

  • Send(\(\pi _{S_{j}}^{k}, m_{2}, {\pi _{U}^{i}}\)): R sends a response m2 to the user via CHA2, posing as Sj, in order to gain the server’s access.

  • Execute(\({\pi _{U}^{i}}, {\pi _{S}^{j}}\)): R observes an honest run of the protocol P between Sj and the smart card, and obtains the messages exchanged over CHA1 and CHA2.

  • Reveal(\({\pi _{U}^{i}}\)): R obtains the information stored in the user’s smart card. This oracle may be used only once, and after it no further Query (Q), Send (S), Execute (E) or Reveal (R) queries are allowed.

Theorem 1

The proposed key agreement protocol P is E-UNT-QSE.

Proof

Let us assume that R has access to the \(\mathcal {Q}\)-oracle, so that \(\omega _{i}(U_{1})\in \{\mathit {Query}(\pi _{U_{1}}^{i}, *)\}\) and \(\omega _{i}(U_{2})\in \{\mathit {Query}(\pi _{U_{2}}^{i}, *)\}\). The output m1 = 〈Ci, Gi, Fi, T1〉 of the \(\mathcal {Q}\)-oracle and the corresponding reply m2 = 〈Fj, Cj, T2〉 of Sj are unlinkable because of the dynamic parameters Gi = Idi ⊕ h(Ci||Wi||T1) and Fi = h(Tx(Idi||ni)||Wi||T1). To retrieve Idi from Gi, R would have to compute Wi = Ty(Tx(Idi||ni)), i.e. to find y from Ci = Ty(Idi||ni), which is the chaotic-map discrete logarithm problem; since the DLP is computationally hard, R cannot obtain Idi from Gi and Ci. Moreover, Fi depends on the random number y through Wi and on the timestamp T1, so it changes in every session, as required. The response of Sj likewise carries the fresh timestamp T2 in Fj, and Cj = Tz(Idi||ni) is clearly dynamic. Since Idi is masked with a value that changes in every session, the transmitted messages cannot be linked, and the proposed scheme offers anonymity along with unlinkability in the communication between Ui and Sj.

In CHA1, R cannot impersonate Ui, since R knows neither Pwi, Idi nor the private key x of Sj. Similarly, R cannot impersonate Sj in CHA2, since R knows neither the secret key x of Sj nor the user’s Idi. Hence our scheme stops unauthorized parties from impersonating Ui and Sj in CHA1 and CHA2, and with the \(\mathcal {Q}\)-oracle alone R learns nothing useful; its advantage is negligible and P is E-UNT-Q. Next assume that R has access to the \(\mathcal {QS}\)-oracle, such that \(\omega _{i}(U_{1})\in \{Query(\pi _{U_{1}}^{i}, *), Send(*, \pi _{U_{1}}^{i})\}\) and \(\omega _{i}(U_{2})\in \{Query(\pi _{U_{2}}^{i}, *), Send(*, \pi _{U_{2}}^{i})\}\). R still cannot impersonate Sj, as it knows neither Idi, y nor the secret key of Sj. Therefore R has only a trivial advantage with the \(\mathcal {QS}\)-oracle, and P is E-UNT-QS. Finally, let R have access to the \(\mathcal {QSE}\)-oracle, such that \(\omega _{i}(U_{1})\in \{Query(\pi _{U_{1}}^{i}, *), Send(*, \pi _{U_{1}}^{i}), Execute(\pi _{U_{1}}^{i}, {\pi _{S}^{j}})\}\) and \(\omega _{i}(U_{2})\in \{Query(\pi _{U_{2}}^{i}, *), Send(*, \pi _{U_{2}}^{i}), Execute(\pi _{U_{2}}^{i}, {\pi _{S}^{j}})\}\). Because of the fresh values y, z, T1 and T2, the messages exchanged in an execution of P are unique, and the replay of an old message is stopped by the timestamps. An old message cannot be reused, since Sj verifies the masked value Fi and R knows neither the server’s private key x nor the random number y. Hence P is E-UNT-QSE, which is the required security feature. □

Theorem 2

Our key agreement protocol P is resistant to active attacks.

Proof

Suppose R has access to the \(\mathcal {QSE}\)-oracle and modifies the messages of every session. If Sj or Ui accepted a modified message as correct, the protocol would not be secure against an active attack; our goal is therefore to show that R has only a trivial advantage. Suppose R uses the \(\mathcal {Q}\)-oracle to change a message in CHA1 and, simultaneously, in CHA2. The modified messages are accepted neither by Sj nor by Ui, because Sj verifies T1, Fi and the unmasked Idi in M1 during the authentication phase, and Ui verifies T2 and Fj in M2.

If R uses the \(\mathcal {Q}\)-oracle to change the message {Ci, Gi, Fi, T1}, the verification Fi = h(Tx(Idi||ni)||Wi||T1) at Sj fails.

Owing to the chaotic-map discrete logarithm problem and the one-way hash function, R cannot construct a consistently modified message. If R instead uses the \(\mathcal {QS}\)-oracle to modify a message in CHA2, R again gains only a trivial advantage, because Ui checks Cj and T2 through Fj. Even with access to the \(\mathcal {QSE}\)-oracle, repeating the communication does not help R: a modified message fails verification, and the honest party terminates the session without establishing a session key. Hence P is secure against active attacks. □

Analysis of Security using BAN Logic

BAN logic [26] is a set of inference rules for analyzing message exchange protocols. It assumes that the exchanged information is publicly observable. The following notation is used in the verification:

  1. A|≡ Y: A believes Y, i.e. A acts as if Y holds.

  2. A ◁ Y: A sees Y; some principal sent a message containing Y to A, who can read and repeat Y.

  3. \(A |\sim Y\): A once said Y; A sent a message containing Y at some time and believed Y when it did so.

  4. A|⇒ Y: A has jurisdiction over Y; A is an authority on Y.

  5. #Y: Y is fresh; Y has not been sent in any message before the current run.

  6. \(A |\equiv A \overset {{k}}\longleftrightarrow B\): A believes that k is a good key shared between A and B.

  7. \(A \overset {K}{\rightleftharpoons } B\): K is a secret known only to A and B.

  8. {Y }k: Y encrypted under k.

  9. < Y >X: Y combined with the secret X.

  10. (Y )k: Y hashed under the key k (a keyed hash).

The BAN logic rules [26] required in the analysis are as follows:

Rule (1)

The message meaning rule concerns the interpretation of messages. For shared keys:

$$ \frac{A |\equiv B \overset{{k}}\longleftrightarrow A, A \lhd \{X\}_{k}}{A |\equiv B|\sim X} $$
(1)

If A believes that k is shared with B and A sees X encrypted (or keyed) with k, then A believes that B once said X.

Rule (2)

The nonce verification rule confirms that a message is recent:

$$ \frac{A |\equiv \# (X), A | \equiv B|\sim X}{A |\equiv B|\equiv X} $$
(2)

If A believes that X is fresh and A believes that B once said X, then A believes that B believes X.

Rule (3)

The jurisdiction rule ensures that A trusts B has jurisdiction on X:

$$ \frac{A |\equiv B |\equiv X, A |\equiv B|\Rightarrow X}{A |\equiv X} $$
(3)

Rule (4)

The freshness rule states that a compound formula is fresh if one of its parts is fresh:

$$ \frac{A |\equiv \# (X)}{A |\equiv \# (X, Y)} $$
(4)

According to BAN logic, the presented scheme should achieve the following goals:

Goal 1. \( U_{i}|\equiv (U_{i}\overset {{Sk}}\longleftrightarrow S_{j})\);

Goal 2. \(S_{j}|\equiv (U_{i}\overset {{Sk}}\longleftrightarrow S_{j})\).

The protocol messages are:

Message 1. \(U_{i} \rightarrow S_{j}: C_{i} = T_{y}(Id_{i}||n_{i}),\; G_{i},\; F_{i} = h(T_{x}(Id_{i}||n_{i})||W_{i}||T_{1}),\; T_{1}\).

Message 2. \(S_{j} \rightarrow U_{i}: F_{j} = h(Sk_{j}||W_{j}||T_{2}),\; C_{j} = T_{z}(Id_{i}||n_{i}),\; T_{2}\).

To analyze the protocol we make the following assumptions about its initial state, writing \(X_{U}\) for the long-term secret \(T_{x}(Id_{i}||n_{i})\) shared by Ui and Sj (it keys Fi directly and, through Wi, also Skj and Fj):

A1: \(S_{j}|\equiv \#(T_{1})\); A2: \(U_{i}|\equiv \#(T_{2})\); A3: \(U_{i} |\equiv (U_{i} \overset {{X_{U}}}\longleftrightarrow S_{j})\); A4: \(S_{j} |\equiv (U_{i} \overset {X_{U}}\longleftrightarrow S_{j})\); A5: \(U_{i} |\equiv S_{j} |\Rightarrow (C_{j}, T_{2})\); A6: \(S_{j} |\equiv U_{i} |\Rightarrow (C_{i}, T_{1})\).

The analysis of the proposed protocol in BAN logic proceeds as follows. From Message 1 we obtain Goal 2:

S1: \(S_{j} \lhd (Id_{i}, C_{i}, T_{1})_{X_{U}}, C_{i}, T_{1}\), since Fi is a keyed hash under \(X_{U}\) over Ci (via Wi) and T1, and Gi carries Idi.

S2: By A4 and the message meaning rule: \(S_{j} |\equiv U_{i}|\sim (Id_{i}, C_{i}, T_{1})\).

S3: By A1 and the freshness rule: \(S_{j} |\equiv \# (Id_{i}, C_{i}, T_{1})_{X_{U}}\).

S4: By S2, S3 and the nonce verification rule: \(S_{j} |\equiv U_{i}|\equiv (C_{i}, T_{1})\).

S5: By S4, A6 and the jurisdiction rule: \(S_{j}|\equiv (C_{i}, T_{1})\).

S6: Since \(Sk = h(T_{x}(C_{i})||T_{z}(C_{i})||T_{1})\) is computed by Sj from Ci, T1 and its own z, S5 and A4 give \(S_{j} |\equiv (U_{i} \overset {{Sk}}\longleftrightarrow S_{j})\), which is Goal 2.

From Message 2 we obtain Goal 1:

S7: \(U_{i} \lhd (C_{j}, T_{1}, T_{2})_{X_{U}}, C_{j}, T_{2}\), since Fj is keyed (through Skj and Wi) by \(X_{U}\) and covers Cj (via Wj), T1 and T2.

S8: By A3 and the message meaning rule: \(U_{i} |\equiv S_{j}|\sim (C_{j}, T_{1}, T_{2})\).

S9: By A2 and the freshness rule: \(U_{i} |\equiv \# (C_{j}, T_{1}, T_{2})_{X_{U}}\).

S10: By S8, S9 and the nonce verification rule: \(U_{i} |\equiv S_{j}|\equiv (C_{j}, T_{2})\).

S11: By S10, A5 and the jurisdiction rule: \(U_{i}|\equiv (C_{j}, T_{2})\).

S12: Since \(Sk_{i} = h(W_{i}||T_{y}(C_{j})||T_{1})\) is computed by Ui from Cj, Wi and its own y, S11 and A3 give \(U_{i} |\equiv (U_{i} \overset {{Sk}}\longleftrightarrow S_{j})\), which is Goal 1.

Hence both Goal 1 and Goal 2 are achieved, which establishes the security of the proposed scheme in BAN logic.

Computational Efficiency Analysis

We use the notations th, \(t_{h_{b}}\), tme, tfe, tb, tsym, tc and tecm for the computation time of a hash function, of bio-hashing, of a modular exponentiation, of a fuzzy extractor, of a bilinear pairing, of a symmetric encryption/decryption, of a chaotic map operation and of an elliptic curve point multiplication, respectively.

Telecare medicine services generally rely on devices with limited storage and low computational power, which makes an efficient and secure authentication scheme a necessity. Although the existing schemes for TMIS claim to remove the security weaknesses of their predecessors, Tables 1 and 2 show that they still have weak security. In addition, the computational overhead of the proposed scheme is comparable with that of the related schemes [15, 16, 20, 21, 24] (see Table 4).

Table 4 Comparison of proposed scheme with the related authentication schemes

Conclusion

In this paper, the security of recently presented chaotic map-based authentication schemes has been examined. We have observed that existing schemes are vulnerable to the stolen smart card attack, the identity guessing attack and the impersonation attack, and that many of them provide only limited support for unlinkability. In order to ensure secure and authorized communication, we developed an authentication protocol for TMIS relying on the chaotic map that achieves the desired security and performance attributes. The proposed protocol overcomes the prevalent limitations of existing protocols: in particular, it provides session key verification and mutual authentication with only a two-message exchange, and it ensures forward secrecy along with anonymity and unlinkability. Furthermore, a comparison of the proposed construction with existing protocols in terms of computation cost has been provided.