Introduction

With the increase in average life span, more and more chronic patients require long-term follow-up, so that most of them have to go to hospital for check-ups and treatment. Such visits not only consume large human and material resources but also reduce patients' quality of life. To address this, many hospitals have adopted wireless network technology to transmit information instead of relying on manual labour. Patients can send or access their health information for health monitoring and healthcare-related services over the network, and their physiological information can be monitored in real time.

An integrated EPR information system can help health care workers and medical personnel make correct clinical decisions rapidly. A registered user can obtain various services from the medical server. With the rapid development of computer and information technologies, controlling access to the remote medical server's resources has become a crucial challenge in integrated EPR information systems [2]. A secure remote authentication scheme is needed to protect confidentiality and data integrity. Recently, a lot of research work (e.g. [5, 6, 8, 9, 11, 15–18, 21, 24–26, 29]) has been done on the design and analysis of user authentication protocols for integrated EPR information systems. However, most of the existing protocols were broken shortly after they were proposed.

Most current integrated EPR information systems use smart-card-based password authentication, which involves a server \(S\) and a client \(U_i\). In the registration phase, \(S\) securely issues a smart card to \(U_i\), personalised with respect to \(ID_i\) and an initial password; this phase is carried out only once per client. Later, \(U_i\) can access \(S\) in the login-and-authentication phase using the smart card and password, and this phase can be carried out as many times as needed. During the login-and-authentication phase, however, various passive and active adversaries may be present on the communication channel between \(U_i\) and \(S\): they can eavesdrop on messages and even modify, remove or insert messages in the channel. One well-known attack is the off-line guessing attack (also known as the off-line dictionary attack), whose purpose is to compromise a client's password by exhaustively searching the space of candidate passwords and checking each candidate against recorded protocol messages. If the adversary also obtains the information stored in the smart card, the probability of recovering the password increases greatly. Therefore, one security requirement for smart-card-based password authentication is security against off-line guessing; in particular, an adversary should not be able to mount an off-line guessing attack against the client's password even if the client's smart card is compromised. In practice, the adversary may steal the smart card and extract all the information stored in it through reverse engineering or side-channel analysis [7, 13]. So, for a secure smart-card-based password authentication scheme, we require that the client's password remains secure even after the client's smart card is compromised.

In 2012, Wu et al. [23] proposed an efficient password-based user authentication scheme using smart cards for the integrated EPR information system and claimed that it resists various malicious attacks. However, Lee et al. [10] pointed out that the scheme is vulnerable to the lost smart card attack and the stolen verifier attack. Lee et al. then proposed a new scheme and claimed that it resists those attacks.

User anonymity and untraceability are important security features: it is desirable that users' identities remain anonymous and that users cannot be traced during the remote user authentication process in an integrated EPR information system. Recently, some research work (e.g. [1, 2, 12, 19, 20, 22, 28]) has been done on the design and analysis of anonymous authentication protocols. However, most of these protocols have been found to contain flaws.

Our contributions

First, we analyse Lee et al.'s scheme and show that it is still vulnerable to the lost smart card attack: if an adversary obtains the secret information stored in a user's smart card, he/she can recover the user's password by an off-line password guessing attack and then impersonate the user to the server.

Second, we propose a novel anonymous user authentication protocol based on smart cards for the integrated EPR information system that achieves the following properties: resistance to the lost smart card attack, user anonymity, and mutual authentication.

Organization of the paper

The rest of this paper is organized as follows. We provide some mathematical preliminaries in section “Mathematical preliminaries”, which are used throughout the paper. In section “Review Lee et al.’s scheme”, we briefly review Lee et al.’s scheme. Subsequently, we show its weaknesses in section “Flaws of Lee et al.’s scheme”. Then we propose our scheme in section “The proposed scheme” and analyse its security in section “Security analysis”. In section “Performance comparison”, we compare the performance of our new protocol with other previous schemes [3, 10, 23, 27]. Section “Conclusion” concludes the paper.

Notations

In Table 1, we list the notations used throughout this paper.

Table 1 Notations used in this paper

Mathematical preliminaries

In this section, we describe the quadratic residue problem, which is used in the proposed scheme.

Quadratic residue problem

Assume that \(n = pq\), where \(p\) and \(q\) are two large primes. If \(y = x^2 \bmod n\) has a solution, i.e., there exists a square root of \(y\) modulo \(n\), then \(y\) is called a quadratic residue mod \(n\). The set of all quadratic residues in \([1, n-1]\) is denoted by \(QR_n\). The quadratic residue problem states that, for \(y \in QR_n\), it is hard to find \(x\) without knowledge of \(p\) and \(q\), owing to the difficulty of factoring \(n\) [14]. Conversely, a party that knows \(p\) and \(q\) can compute the square roots of \(y\) modulo \(p\) and modulo \(q\) separately and combine them with the Chinese Remainder Theorem; since \(y\) has four square roots modulo \(n\), that party must also select the intended root. Some related authentication schemes are designed based on quadratic residues [3, 27].

Review Lee et al.’s scheme

There are four phases in Lee et al.’s scheme.

Registration phase

A user \(U_i\) registers his/her identity \(ID_i\) and password \(pw_i\) with the integrated EPR information system \(S\) by performing the following steps.

  • Step 1:   The patient \(U_i\) submits his/her registration request \((ID_i, pw_i)\) to the server \(S\) via a secure channel.

  • Step 2:   The server \(S\) verifies the legitimacy of \(ID_i\) and computes \(v = h(K \oplus ID_i)\), where \(K\) is the secret number of \(S\).

  • Step 3:   \(S\) computes \(s_1 = h(pw_i \| K)\), \(s_2 = h(h(pw_i \| s_1))\) and \(N = v \oplus s_2 \oplus H\), where \(H\) is a constant secret value.

  • Step 4:   \(S\) issues the smart card, containing \(ID_i\), \(h(\cdot)\), \(N\) and \(s_1\).

  • Step 5:   \(S\) sends the smart card to \(U_i\) over a secure channel.

Login phase

Whenever a user \(U_i\) wants to log in to the integrated EPR information system server \(S\), he/she proceeds as follows:

  • Step 1:   \(U_i\)'s smart card chooses a random number \(r_1\) and computes \(s_2 = h(h(pw_i \| s_1))\) and \(C_1 = r_1 \oplus s_2\).

  • Step 2:   \(U_i\) sends \((N, ID_i, C_1)\) to \(S\).

Verification phase

After receiving the request message \((N, ID_i, C_1)\) from \(U_i\), the integrated EPR information system server \(S\) executes the following steps.

  • Step 1–1:   If \(S\) successfully verifies the validity of \(ID_i\), it accepts the request of user \(U_i\); otherwise, it rejects this service request.

  • Step 1–2:   Compute \(v = h(K \oplus ID_i)\) and \(s_2' = H \oplus N \oplus v\).

  • Step 1–3:   Compute \(r_1' = s_2' \oplus C_1 = s_2' \oplus s_2 \oplus r_1\) (so \(r_1' = r_1\) whenever \(s_2' = s_2\)).

  • Step 1–4:   Compute \(a = r_2 \oplus h(r_1' \| s_2')\) and \(b = h(s_2' \| r_2 \| r_1')\), where \(r_2\) is a random number.

  • Step 1–5:   \(S\) sends \((a, b)\) to \(U_i\).

After receiving the reply message \((a, b)\) from \(S\), \(U_i\) executes the following steps.

  • Step 2–1:   Compute \(h(r_1 \| s_2)\) and \(r_2' = a \oplus h(r_1 \| s_2)\).

  • Step 2–2:   Check whether \(b = h(s_2 \| r_2' \| r_1)\). If so, \(U_i\) confirms that \(S\) is valid.

  • Step 2–3:   Compute \(C_2 = h(r_2' \| s_2) \oplus h(pw_i \| s_1)\).

  • Step 2–4:   \(U_i\) sends \(C_2\) to \(S\).

After receiving \(C_2\) from \(U_i\), \(S\) executes the following steps.

  • Step 3–1:   Compute \(u = h(r_2 \| s_2') \oplus C_2 = h(r_2 \| s_2') \oplus h(r_2' \| s_2) \oplus h(pw_i \| s_1)\).

  • Step 3–2:   If \(S\) successfully checks that \(s_2' = h(u)\), \(U_i\) is authenticated.

Finally, \(U_i\) and \(S\) can generate a common session key \(sk = h(r_1' \| r_2) = h(r_1 \| r_2')\) for later secure transmission.

Password change phase

Any legal user \(U_i\) can change the password by the following steps.

  • Step 1:   \(U_i\) sends \((ID_i, pw_i, pw_{new})\) to \(S\).

  • Step 2:   \(S\) computes \(v = h(K \oplus ID_i)\), \(s_1^{\ast} = h(pw_{new} \| K)\), \(s_2^{\ast} = h(h(pw_{new} \| s_1^{\ast}))\) and \(N^{\ast} = v \oplus s_2^{\ast} \oplus H\). Then, \(S\) sends \((s_1^{\ast}, N^{\ast})\) to \(U_i\) through the secure channel. Finally, \(U_i\) updates his/her medical smart card to \((ID_i, h(\cdot), N^{\ast}, s_1^{\ast})\).

Figure 1 illustrates the login and verification phases of Lee et al.’s scheme.

Fig. 1 Message flows in login and authentication phase

Flaws of Lee et al.’s scheme

Security against lost smart card attack

Lee et al. proposed a secure and efficient password-based authentication scheme and claimed that it resists the off-line password guessing attack and the lost smart card attack.

In this section, we show that Lee et al.'s scheme is vulnerable to the lost smart card attack. If an adversary \(A\) obtains the values \(ID_i, h(\cdot), N, s_1\) stored in \(U_i\)'s smart card and the transmitted messages \(C_1\) and \((a, b)\), then he/she can recover \(U_i\)'s password \(pw_i\) by the following steps. Note that neither the server secret \(K\) nor the constant \(H\) is needed: \(b\) depends only on \(s_2\), \(r_1\) and \(r_2\), and each of these follows from a password guess together with the recorded messages.

  • Step 1.   The adversary \(A\) chooses a candidate password \(pw_i^{\ast}\) and computes \(s_2^{\ast} = h(h(pw_i^{\ast} \| s_1))\) and \(r_1^{\ast} = C_1 \oplus s_2^{\ast} = C_1 \oplus h(h(pw_i^{\ast} \| s_1))\).

  • Step 2.   \(A\) computes \(r_2^{\ast} = a \oplus h(r_1^{\ast} \| s_2^{\ast}) = a \oplus h\big((C_1 \oplus h(h(pw_i^{\ast} \| s_1))) \| h(h(pw_i^{\ast} \| s_1))\big)\).

  • Step 3.   \(A\) computes \(b^{\ast} = h(s_2^{\ast} \| r_2^{\ast} \| r_1^{\ast})\), i.e. \(b^{\ast} = h\big(h(h(pw_i^{\ast} \| s_1)) \| \big(a \oplus h((C_1 \oplus h(h(pw_i^{\ast} \| s_1))) \| h(h(pw_i^{\ast} \| s_1)))\big) \| (C_1 \oplus h(h(pw_i^{\ast} \| s_1)))\big)\).

  • Step 4.   \(A\) checks whether \(b^{\ast} = b\). If it holds, \(pw_i^{\ast}\) is the correct password \(pw_i\) of the legal user \(U_i\); otherwise, \(A\) repeats the above steps with the next candidate until the correct password is found.

Once an adversary has obtained the password of user \(U_i\), he/she can impersonate \(U_i\) to the server \(S\). Hence, Lee et al.'s scheme cannot resist the impersonation attack and does not provide mutual authentication.
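The following Python program is an added illustration and is not code from Lee et al.'s paper or from this one. It simulates one honest run of Lee et al.'s login and verification phases and then mounts the four-step attack above against the recorded transcript. Assumptions made for the example: \(h\) is SHA-256, \(\oplus\) is byte-wise XOR, \(\|\) is plain concatenation, \(ID_i\) is padded to 32 bytes so that \(K \oplus ID_i\) is defined, and the identity, password and guessing dictionary are constructed sample values.

```python
import hashlib
import secrets

ID_LEN = 32   # assumption: ID_i is padded to the hash length so K XOR ID_i is defined


def h(*parts: bytes) -> bytes:
    """One-way hash h(.); '||' of the paper is plain byte concatenation here."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def lee_register(K: bytes, H: bytes, ident: bytes, pw: bytes) -> dict:
    """Registration phase of Lee et al.: the card holds ID_i, N and s_1."""
    ident = ident.ljust(ID_LEN, b"\x00")
    v = h(xor(K, ident))
    s1 = h(pw, K)
    s2 = h(h(pw, s1))
    N = xor(xor(v, s2), H)
    return {"ID": ident, "N": N, "s1": s1}


def lee_session(K: bytes, H: bytes, card: dict, pw: bytes) -> dict:
    """One honest login/verification run; returns what an eavesdropper sees and the outcome."""
    # Login phase (user): C_1 = r_1 XOR s_2
    s2 = h(h(pw, card["s1"]))
    r1 = secrets.token_bytes(32)
    C1 = xor(r1, s2)
    # Verification Steps 1-1..1-5 (server): recover s_2', r_1' and answer with (a, b)
    v = h(xor(K, card["ID"]))
    s2_srv = xor(xor(H, card["N"]), v)
    r1_srv = xor(s2_srv, C1)
    r2 = secrets.token_bytes(32)
    a = xor(r2, h(r1_srv, s2_srv))
    b = h(s2_srv, r2, r1_srv)
    # Steps 2-1..2-4 (user): check b, answer with C_2
    r2_usr = xor(a, h(r1, s2))
    server_ok = b == h(s2, r2_usr, r1)
    C2 = xor(h(r2_usr, s2), h(pw, card["s1"]))
    # Steps 3-1..3-2 (server): u must hash to s_2'
    u = xor(h(r2, s2_srv), C2)
    user_ok = s2_srv == h(u)
    return {
        "transcript": (C1, a, b),   # C_2 is also public but the attack does not need it
        "server_ok": server_ok,
        "user_ok": user_ok,
        "sk_user": h(r1, r2_usr),
        "sk_server": h(r1_srv, r2),
    }


def lost_card_guess(card: dict, transcript: tuple, dictionary):
    """Off-line guessing with only the card's s_1 and one recorded (C_1, a, b).
    Neither K nor H is used: b depends only on s_2, r_1 and r_2, and each of
    those follows from a password guess plus the recorded messages."""
    C1, a, b = transcript
    for guess in dictionary:
        s2_g = h(h(guess, card["s1"]))     # Step 1: s_2* and r_1*
        r1_g = xor(C1, s2_g)
        r2_g = xor(a, h(r1_g, s2_g))       # Step 2: r_2*
        if h(s2_g, r2_g, r1_g) == b:       # Steps 3-4: b* == b identifies the password
            return guess
    return None


if __name__ == "__main__":
    K, H = secrets.token_bytes(32), secrets.token_bytes(32)
    card = lee_register(K, H, b"patient-007", b"hunter2")   # constructed sample user
    run = lee_session(K, H, card, b"hunter2")
    assert run["server_ok"] and run["user_ok"] and run["sk_user"] == run["sk_server"]
    print(lost_card_guess(card, run["transcript"], [b"password", b"letmein", b"hunter2"]))
```

The cost of the attack is three hash evaluations per candidate, and the check is fully off-line: nothing is sent to the server, so rate limiting or lockout on the server side does not help once the card contents and a single transcript are in the adversary's hands.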

The proposed scheme

In this section, we propose a new authentication scheme with privacy preservation for the integrated EPR information system. The new scheme resists a range of attacks, such as the off-line password guessing attack, the stolen verifier attack and the lost smart card attack.

Before the system starts, \(S\) generates two large secret primes \(p, q\) and computes \(n = pq\). The new protocol has four phases: registration, login, authentication and password change.

Registration phase

To initialise, the patient \(U_i\) registers with the medical server \(S\).

  • Step 1:   The patient \(U_i\) submits his/her registration request \((ID_i, pw_i)\) to the server \(S\) via a secure channel.

  • Step 2:   The server \(S\) verifies the legitimacy of \(ID_i\) and computes \(v = h(K \oplus ID_i)\), where \(K\) is the secret number of \(S\).

  • Step 3:   \(S\) computes \(s_1 = h(pw_i \| K)\), \(s_2 = h(h(pw_i \| s_1))\) and \(N = v \oplus s_2\). \(S\) then initialises a counter \(ctr_i = 0\) for \(U_i\) and creates a record \((ID_i, ctr_i)\) in its database.

  • Step 4:   \(S\) issues the smart card, containing \(h(\cdot)\), \(N\), \(s_1\) and \(ctr_i\). Note that \(ID_i\) is not stored on the card.

  • Step 5:   \(S\) sends the smart card to \(U_i\) over a secure channel.

Login phase

In this phase, when a legal user wants to log in to the EPR information system, he/she proceeds as follows:

  • Step 1:   \(U_i\) inserts his/her smart card into the device and enters his/her identity \(ID_i\) and password \(pw_i\). The smart card computes \(s_2 = h(h(pw_i \| s_1))\) and generates a random number \(r\).

  • Step 2:   The smart card computes \(ctr_i = ctr_i + 1\) and \(M_1 = (ID_i \| N \| s_2 \| r \| ctr_i)^2 \bmod n\), where the concatenation is interpreted as an integer smaller than \(n\) so that \(S\) can recover it. Finally, \(U_i\) sends the login message \(M_1\) to \(S\).

Authentication phase

After receiving the message \(M_1\), \(S\) executes the following steps:

  • Step 1:   \(S\) computes the square roots of \(M_1\) modulo \(n\) using \(p\), \(q\) and the Chinese Remainder Theorem and recovers \(ID_i, N, s_2, r, ctr_i\) from the root that has the expected format (\(M_1\) has four square roots modulo \(n\); only the intended one yields an \(ID_i\) present in the database and an \(s_2\) consistent with Step 2). \(S\) then compares the retrieved \(ctr_i\) with the stored \(ctr_i'\) corresponding to \(ID_i\). If \(ctr_i > ctr_i'\), \(S\) replaces \(ctr_i'\) with the new counter \(ctr_i\) in its database and proceeds to the next step. Otherwise, \(S\) rejects the message and regards it as a replay.

  • Step 2:   \(S\) computes \(v = h(K \oplus ID_i)\) and \(s_2' = N \oplus v\) and compares \(s_2'\) with the received \(s_2\). If they are equal, the authenticity of \(U_i\) is ensured, and \(S\) computes the session key \(SK = h(s_2 \| r \| 1)\) shared with \(U_i\).

  • Step 3:   \(S\) computes \(M_2 = h(s_2 \| r \| 0)\) and sends \(M_2\) to \(U_i\).

  • Step 4:   \(U_i\) computes \(M_2' = h(s_2 \| r \| 0)\) and checks whether \(M_2 = M_2'\). If not, \(U_i\) aborts the session. Otherwise, \(U_i\) authenticates the server \(S\) and computes the session key \(SK = h(s_2 \| r \| 1)\).
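The Python program below is an added illustration, not the authors' code. It runs the registration, login and authentication phases above end to end, including the square-root recovery of Step 1 by the Chinese Remainder Theorem described in section “Mathematical preliminaries”, the selection of the right root among the four, and the counter check. Assumptions made for the example: \(h\) is SHA-256; \(\oplus\) is byte-wise XOR; \(\|\) is concatenation of fixed-width fields (\(ID_i\) padded to 32 bytes, \(N\), \(s_2\), \(r\) 32 bytes each, \(ctr_i\) 4 bytes); the labels 0 and 1 in \(M_2\) and \(SK\) are single bytes; and the modulus is built from the Mersenne primes \(2^{521}-1\) and \(2^{607}-1\), which are \(\equiv 3 \pmod 4\) and therefore allow square roots by one modular exponentiation per prime. Such a modulus is trivially factorable and is used only so the example runs without a prime generator; a deployment would use random primes of adequate size. The example updates the stored counter only after the \(s_2\) check of Step 2 has passed, so that a message that fails authentication cannot advance the counter; this ordering is a design choice of the example.

```python
import hashlib
import secrets

# Toy Rabin modulus (assumption for this example): M521 and M607 are Mersenne
# primes, both = 3 (mod 4). Trivially factorable, so NOT a secure choice.
P = 2**521 - 1
Q = 2**607 - 1
N_MOD = P * Q

ID_LEN = HASH_LEN = R_LEN = 32   # ID_i padded to 32 bytes so K XOR ID_i is defined
CTR_LEN = 4
MSG_LEN = ID_LEN + 2 * HASH_LEN + R_LEN + CTR_LEN   # ID_i||N||s_2||r||ctr_i = 132 bytes < n


def h(*parts: bytes) -> bytes:
    """One-way hash h(.); '||' of the paper is plain byte concatenation here."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def new_server() -> dict:
    """Server state: long-term secret K and the (ID_i, ctr_i) table."""
    return {"K": secrets.token_bytes(HASH_LEN), "db": {}}


def register(server: dict, ident: bytes, pw: bytes) -> dict:
    """Registration phase; returns the card contents (ID_i is not on the card)."""
    ident = ident.ljust(ID_LEN, b"\x00")
    v = h(xor(server["K"], ident))
    s1 = h(pw, server["K"])
    s2 = h(h(pw, s1))
    server["db"][ident] = 0                       # record (ID_i, ctr_i = 0)
    return {"N": xor(v, s2), "s1": s1, "ctr": 0}


def login(card: dict, ident: bytes, pw: bytes):
    """Login phase on the card; returns M_1 and the state the user needs in Step 4."""
    ident = ident.ljust(ID_LEN, b"\x00")
    s2 = h(h(pw, card["s1"]))
    r = secrets.token_bytes(R_LEN)
    card["ctr"] += 1
    m = ident + card["N"] + s2 + r + card["ctr"].to_bytes(CTR_LEN, "big")
    m_int = int.from_bytes(m, "big")
    assert m_int < N_MOD                          # otherwise the root is not recoverable
    return pow(m_int, 2, N_MOD), {"s2": s2, "r": r}


def rabin_roots(c: int, p: int, q: int) -> set:
    """All four square roots of c modulo p*q: roots mod p and mod q combined by CRT."""
    n = p * q
    xp = pow(c, (p + 1) // 4, p)                  # valid because p = 3 (mod 4)
    xq = pow(c, (q + 1) // 4, q)
    ep = q * pow(q, -1, p)                        # CRT idempotents: ep = 1 mod p, 0 mod q
    eq = p * pow(p, -1, q)
    return {(sp * ep + sq * eq) % n for sp in (xp, p - xp) for sq in (xq, q - xq)}


def server_authenticate(server: dict, M1: int):
    """Authentication phase Steps 1-3; returns (M_2, SK) or None on rejection."""
    for x in rabin_roots(M1, P, Q):
        if x.bit_length() > 8 * MSG_LEN:
            continue                              # this root does not fit the message format
        m = x.to_bytes(MSG_LEN, "big")
        ident = m[:ID_LEN]
        N = m[ID_LEN:ID_LEN + HASH_LEN]
        s2 = m[ID_LEN + HASH_LEN:ID_LEN + 2 * HASH_LEN]
        r = m[ID_LEN + 2 * HASH_LEN:MSG_LEN - CTR_LEN]
        ctr = int.from_bytes(m[MSG_LEN - CTR_LEN:], "big")
        if ident not in server["db"]:
            continue
        v = h(xor(server["K"], ident))
        if xor(N, v) != s2:                       # Step 2: s_2' = N XOR v must equal s_2
            continue                              # wrong root, or forged/garbled M_1
        if ctr <= server["db"][ident]:            # Step 1: counter must strictly increase
            return None                           # replay
        server["db"][ident] = ctr                 # updated only after the s_2 check passed
        return h(s2, r, b"\x00"), h(s2, r, b"\x01")   # (M_2, SK)
    return None


def user_verify(state: dict, M2: bytes):
    """Authentication phase Step 4: check M_2, then derive SK."""
    if M2 != h(state["s2"], state["r"], b"\x00"):
        return None
    return h(state["s2"], state["r"], b"\x01")


if __name__ == "__main__":
    srv = new_server()
    card = register(srv, b"patient-007", b"hunter2")   # constructed sample user
    M1, state = login(card, b"patient-007", b"hunter2")
    M2, sk_server = server_authenticate(srv, M1)
    print("keys agree:", user_verify(state, M2) == sk_server)
    print("replay rejected:", server_authenticate(srv, M1) is None)
```

Of the four roots, \(n - m\) is far larger than the 132-byte message and is discarded by the length check, and the two remaining roots are essentially random values that fail to parse to a registered \(ID_i\) with a matching \(s_2\); only the genuine \(m\) survives. A login with a wrong password produces a well-formed \(M_1\) whose \(s_2\) field does not match \(N \oplus v\), so it is rejected without touching the counter, and a replayed \(M_1\) is rejected by the counter comparison.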

Password change phase

The legal user \(U_i\) can change the password by the following steps.

  • Step 1:   \(U_i\) sends \((ID_i, pw_i, pw_{new})\) to \(S\) via a secure channel.

  • Step 2:   \(S\) computes \(v = h(K \oplus ID_i)\), \(s_1^{\ast} = h(pw_{new} \| K)\), \(s_2^{\ast} = h(h(pw_{new} \| s_1^{\ast}))\) and \(N^{\ast} = v \oplus s_2^{\ast}\). Then, \(S\) sends \((s_1^{\ast}, N^{\ast})\) to \(U_i\) through the secure channel. Finally, \(U_i\) updates his/her medical smart card to \((h(\cdot), N^{\ast}, s_1^{\ast}, ctr_i)\); as in the registration phase, \(ID_i\) is not stored on the card.

Figure 2 illustrates the login and authentication phases of the proposed authentication scheme.

Fig. 2 Message flows in login and authentication phase

Security analysis

In this section, we analyse the security of the proposed scheme and show that it resists different types of attacks and also provides user anonymity.

We assume that an attacker may have the following capabilities. First, the attacker has total control over the communication path between the user and the server; that is, the attacker can intercept, insert, delete or modify any message on the path. Second, the attacker may extract the secret parameters stored in the smart card [7, 13].

User anonymity

First, the communication transcript reveals no information about the identity \(ID_i\) of the user. In our scheme, \(ID_i\) is concealed in \(M_1\); to recover \(ID_i\) from \(M_1\), the attacker would have to solve the quadratic residue problem, i.e. take a square root modulo \(n\), which requires the secret primes \(p, q\) kept only by the server \(S\). Therefore, the attacker cannot identify \(U_i\) from the login message. Second, to obtain \(ID_i\) from the value \(N\) stored in the smart card, the attacker would need both the secret key \(K\) of \(S\) and the password \(pw_i\) of \(U_i\). Hence, our proposed scheme protects the user's anonymity.

Replay attack

In our scheme, we use a counter-based mechanism to prevent replay attacks. If the adversary replays a previous login message, \(S\) detects the attack when it examines the counter \(ctr_i\) of user \(U_i\). Concretely, during the authentication phase, when \(S\) receives a message \(M_1'\), it compares the retrieved counter \(ctr_i\) with the counter \(ctr_i'\) stored under \(ID_i\). If \(M_1'\) is a replayed message, then \(S\) finds that \(ctr_i \le ctr_i'\) and simply rejects it. Hence, our scheme prevents the replay attack.

Impersonation attack

In our scheme, to impersonate \(U_i\), the adversary must know \(ID_i\), \(N\) and \(s_2\). If the smart card is stolen and its memory extracted, the adversary learns \((N, s_1, ctr_i)\). However, the adversary knows neither \(ID_i\), \(pw_i\) nor \(K\), so he/she cannot compute \(s_2\). Hence, the adversary cannot forge a valid message \(M_1'\) to cheat \(S\).

On the other hand, to impersonate the server \(S\) to user \(U_i\), the adversary would have to forge a valid \(M_2\), which requires the values \(s_2, r\) concealed in \(M_1\). Recovering \(s_2, r\) from \(M_1\) means solving the quadratic residue problem, which requires the secret primes \(p, q\) kept only by the server \(S\).

Hence, our proposed scheme resists the impersonation attack and provides mutual authentication.

Stolen verifier attack

Suppose an adversary \(A\) steals the secret information \(K\) stored in \(S\)'s database and records \(M_1\) from a successful authentication of some user \(U_i\). He/she obtains no information about \(U_i\), because he/she cannot recover the content of \(M_1\) without \(p, q\), and so cannot masquerade as a legitimate user. Nor can the adversary masquerade as \(S\) to cheat \(U_i\), because knowing \(K\) does not enable him/her to compute \(s_2\) and \(r\). Therefore, the proposed scheme resists the stolen verifier attack.

Off-line password guessing attack

Assume that the adversary obtains the secret values \((N, s_1, ctr_i)\) stored in the smart card and the transmitted messages \(M_1, M_2\), and wants to recover the password \(pw_i\). First, the adversary cannot use the equations \(s_1 = h(pw_i \| K)\) and \(N = v \oplus s_2 = h(K \oplus ID_i) \oplus h(h(pw_i \| s_1))\) to test a candidate password, because he/she does not know the secret value \(K\) held by \(S\). Second, the adversary cannot test a candidate against \(M_1 = (ID_i \| N \| s_2 \| r \| ctr_i)^2 \bmod n\) or \(M_2 = h(s_2 \| r \| 0)\), because he/she knows neither \(ID_i\) nor the random number \(r\). Hence, our proposed scheme prevents the off-line password guessing attack.

Lost smart card attack

If an attacker steals user \(U_i\)'s smart card and tries to use it to log in to the server, he/she has to enter the correct \(ID_i\) and \(pw_i\) of \(U_i\). Since the attacker knows neither \(ID_i\) nor \(pw_i\), he/she cannot be authenticated by the server.

We further assume that the attacker can retrieve all the information \(\{h(\cdot), N, s_1, ctr_i\}\) stored in the smart card, e.g. by monitoring its power consumption [7, 13]. Note that the user's identity \(ID_i\) is not stored in the smart card, and the attacker knows neither \(ID_i\) nor \(pw_i\). Suppose the attacker wants to obtain \(pw_i\) or \(ID_i\) from the retrieved values. From \(N = h(K \oplus ID_i) \oplus h(h(pw_i \| h(pw_i \| K)))\), the attacker has no feasible way to obtain \(pw_i\), because he/she does not know the secret key \(K\) held by server \(S\). Similarly, the attacker cannot obtain \(pw_i\) from \(s_1 = h(pw_i \| K)\), because he/she does not know \(K\).

Therefore, our proposed scheme resists the lost smart card attack.

Performance comparison

We compare our new scheme with other previous authentication schemes [3, 10, 23, 27]. Table 2 compares the schemes on the key security properties, and Table 3 compares their efficiency in terms of computation and communication cost. The following notation is used in Table 3: \(t_h\), the time complexity of one hash computation; \(t_m\), the time complexity of one modular squaring; \(t_{qr}\), the time complexity of computing a square root modulo \(n\). Modular squaring is cheaper than a traditional hash function such as MD5, while computing a square root modulo \(n\) costs about as much as a modular exponentiation [4].

Table 2 Security and Usability Comparison
Table 3 Efficiency Comparison in login phase and authentication phase

From Table 2, we conclude that our proposed scheme provides better security and usability than the other two schemes [10, 23]. Wu et al.'s scheme [23] satisfies two of the six criteria, and Lee et al.'s scheme [10] satisfies only one. Our scheme achieves all the criteria listed in Table 2.

Table 3 summarises the efficiency comparison between our scheme and the schemes in [3, 10, 27] for the login and authentication phases. Our scheme requires two fewer modular squarings and two fewer square-root computations modulo \(n\) than Chen et al.'s scheme [3] and Yeh et al.'s scheme [27]. Moreover, our scheme saves thirteen, fourteen and seven hash operations compared with Chen et al.'s scheme [3], Yeh et al.'s scheme [27] and Lee et al.'s scheme [10], respectively, and exchanges five, six and four fewer messages than those schemes, respectively. Although our scheme requires one more modular squaring and one more square-root computation modulo \(n\) than Lee et al.'s scheme [10], it achieves stronger security, as shown in Table 2.

Conclusion

In this paper, we discussed security weaknesses in a recently proposed smart-card-based user authentication scheme for EPR information systems and showed that it is vulnerable to the lost smart card attack. To overcome these flaws, we proposed a novel anonymous user authentication protocol for EPR information systems based on the quadratic residue problem. Our scheme remains secure even if the secret information stored in the smart card is compromised, and it uses a counter-based mechanism to prevent replay attacks.