1 Introduction

With the rapid development of wireless sensor networks, advances in communication technology have enhanced the quality and efficiency of online services for multimedia medical information systems (MMIS) [19, 52]. In recent years, MMIS has become popular as an emerging healthcare application, widely used to improve the medical process between patients and doctors at a home healthcare (HHC) agency or a clinical center [20, 21]. Compared with both the traditional medical diagnosis process and paper-based medical systems, MMIS provides electronic media-based medical services such as clinical diagnosis, health guidance and health records: it measures significant and private parameters of patients (such as electrocardiogram, blood pressure, heart rate and so on) and sends them to remote servers [2, 5, 11, 18, 43, 46]. With the assistance of MMIS, patients who suffer from diabetes mellitus, hypertension and coronary artery disease are able to exchange their daily medical data directly and reach medical specialists more conveniently. Besides, in order to take better care of the aged, remote clinical diagnostics and real-time monitoring of patients are considered crucial parts of healthcare systems [22, 23]. However, communication between doctors and patients is almost always carried over the Internet and is exposed to many kinds of attacks, so ensuring the security and privacy of e-healthcare information transmitted over public networks has become a great challenge for both academia and industry [30, 49, 57, 58].

Over the last two decades, authentication schemes have been widely applied in a variety of information systems. Since the first scheme for open communication channels was proposed by Lamport, a great many authentication schemes have been presented to achieve authorized communication between remote entities [1, 9, 26, 34, 38, 44]. According to the credentials adopted in the protocols, most existing schemes fall into two categories: identity-based and certificate-based [24, 27, 32, 50]. The latter category requires large storage space and high computation overhead for managing the certificate store, so identity-based authentication protocols are generally applied in MMISs to provide convenient and secure healthcare services [10, 16, 17, 28, 41, 47, 51, 53, 55, 60].

In the last several years, many conventional authentication protocols for MMISs have been based on elliptic curve cryptography (ECC) and traditional public key cryptography [17, 28, 51, 53, 55, 60]. In 2010, Wu et al. [53] presented an identity-based authentication scheme for MMISs adopting the RSA algorithm. However, He et al. [17] showed that Wu et al.’s scheme was unable to resist the impersonation attack and insider attack, and failed to achieve mutual authentication. Then He et al. [17] put forward an improved identity-based authentication scheme. Unfortunately, Wei et al. [51] pointed out that Wu et al.’s scheme [53] and He et al.’s scheme [17] were still insecure against the off-line password guessing attack. In order to eliminate this weakness, Wei et al. [51] proposed an enhanced authentication scheme for MMISs. In addition, Xu et al. [55] designed a dynamic identity-based authentication protocol using ECC in 2014. Islam and Khan [28] showed that Xu et al.’s scheme [55] failed to update the password correctly and was insecure against the strong replay attack. Then Islam and Khan [28] put forward an improved authentication scheme for MMISs. However, Zhang and Zhu [60] found that Islam and Khan’s protocol [28] was unable to resist the off-line password guessing attack and server spoofing attack, and further proposed an enhanced authentication protocol.

The above schemes [17, 28, 51, 53, 55, 60] involve scalar point multiplication in the elliptic curve group and modular exponentiation, which are costly to perform in the mobile environment, where computation overhead and storage space are constrained, especially in MMISs. Benefiting from the development of chaos theory, extended Chebyshev chaotic maps can be implemented efficiently and have been adopted in authentication schemes to address these problems [10, 16, 41, 47]. Thus, more work on authenticated key agreement schemes using extended chaotic maps needs to be studied. Furthermore, two-factor identity-based authentication schemes that rely on passwords and tokens for authentication have some security vulnerabilities [6, 33, 36, 54]. In particular, it is difficult for patients to remember long and random passwords, while short passwords are easily compromised by dictionary attacks because of their low entropy. Using side channel attacks such as SPA and DPA, it is feasible to extract the information stored in smart cards [45]. To address these problems, many researchers have combined biometric information with passwords and tokens to enhance the security of authentication schemes [8, 25, 61], since the uniqueness of biometrics makes it extremely difficult for an adversary to forge them [37, 39], and an authentication protocol does not require the user to remember his biometrics. However, biometric readings taken from the same user are not exactly the same every time, so using them directly results in a low acceptance rate for MMISs [3, 12, 13]. Thus, we introduce the fuzzy extractor to increase the probability of acceptance.

Recently, Lu et al. [42] put forward a biometrics-based authentication scheme for MMISs using extended Chebyshev chaotic maps to overcome the weaknesses of previous schemes. Unfortunately, according to the analysis given in this paper, their scheme is still insecure: there are flaws in both the login phase and the password change phase, and the scheme is vulnerable to the Denial-of-Service attack, user impersonation attack and server masquerade attack and fails to achieve user anonymity. In order to solve these problems, we retain the useful properties of Lu et al.’s scheme and propose a robust biometrics-based authentication and key agreement scheme for MMISs. The presented scheme satisfies the desirable security requirements, which is demonstrated in the informal and formal security analyses, respectively. Furthermore, the proposed scheme provides some significant features that most related schemes do not consider, for example biometric information protection and user re-registration or revocation. Compared with other related schemes, our scheme provides more security properties and significant functionalities at the same level of computation overhead, communication cost and storage space.

The remainder of this paper is organized as follows. The next section briefly introduces the fuzzy extractor, threat assumptions, one-way hash function and extended Chebyshev chaotic map applied in our scheme. Section 3 reviews Lu et al.’s scheme, and Section 4 discusses its weaknesses. Section 5 describes the proposed scheme in detail. Section 6 then provides the informal security analysis, security model, formal security analysis, BAN logic verification, functionality analysis and performance comparison, respectively. The last section gives the conclusion.

2 Preliminaries

In this section, we describe the details of fuzzy extractor, threat assumptions, one-way hash function and extended Chebyshev chaotic map which are adopted in the presented scheme.

2.1 Fuzzy extractor

The mechanism of the fuzzy extractor, which consists of two procedures, is illustrated in Fig. 1. Procedure Gen is a probabilistic generation function: it takes the biometric information BIO and outputs a nearly random binary string R ∈ {0, 1}^l together with an auxiliary (public helper) binary string P ∈ {0, 1}^*. Procedure Rep is a deterministic reproduction function: it recovers R from a biometric reading BIO′ with the assistance of the corresponding auxiliary string P. If Gen(BIO) → ⟨R, P⟩ and dis(BIO, BIO′) ≤ t, then Rep(BIO′, P) = R. Otherwise, procedure Rep gives no guarantee. This error tolerance makes it dependable to retrieve the nearly uniform randomness R, with the help of the corresponding auxiliary string P, from biometric information BIO′ as long as it remains reasonably close to the original biometrics BIO. More details about fuzzy extractors are given in the literature [3, 12, 13].

Fig. 1 The mechanism of fuzzy extractor
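A concrete Gen/Rep pair, added here as an illustration and not taken from the paper or from [3, 12, 13]: it uses the code-offset construction (a random codeword of a 3-fold repetition code masks the template, so the helper string P reveals nothing about the codeword's message bits) with SHA-256 standing in for the strong extractor. The 192-bit template length, the 64-bit inner secret and the use of SHA-256 are assumptions of this example.

```python
"""A minimal fuzzy extractor in the code-offset style (a random codeword of a
3-fold repetition code masks the biometric template), giving the Gen / Rep pair
the scheme relies on.  Added example, not code from the paper.  Constructed
parameters: a 192-bit template BIO, a 64-bit inner secret w and l = 256."""
import hashlib
import secrets

M_BITS = 64              # bits of the inner secret w (one per 3-bit block)
N_BITS = 3 * M_BITS      # bits of the biometric template BIO


def _encode(w: int) -> int:
    """Repetition code: bit i of w becomes the three codeword bits 3i, 3i+1, 3i+2."""
    c = 0
    for i in range(M_BITS):
        if (w >> i) & 1:
            c |= 0b111 << (3 * i)
    return c


def _decode(c: int) -> int:
    """Majority vote per 3-bit block: corrects at most one flipped bit per block."""
    w = 0
    for i in range(M_BITS):
        if bin((c >> (3 * i)) & 0b111).count("1") >= 2:
            w |= 1 << i
    return w


def _extract(w: int) -> bytes:
    """Strong-extractor stand-in: hash the recovered secret to R in {0,1}^256."""
    return hashlib.sha256(w.to_bytes(M_BITS // 8, "big")).digest()


def gen(bio: int):
    """Gen(BIO) -> (R, P).  P = BIO xor c hides BIO behind a random codeword c;
    R is derived from the codeword's message bits w, not from BIO itself."""
    w = secrets.randbits(M_BITS)
    return _extract(w), bio ^ _encode(w)


def rep(bio_prime: int, p: int) -> bytes:
    """Rep(BIO', P) -> R.  BIO' xor P = c xor (BIO xor BIO'), i.e. the codeword
    plus the reading error, which the decoder removes when the error is small."""
    return _extract(_decode(bio_prime ^ p))


def dis(a: int, b: int) -> int:
    """Hamming distance between two templates."""
    return bin(a ^ b).count("1")


def tolerance_guaranteed() -> int:
    """Largest t such that dis(BIO, BIO') <= t always yields Rep = R: a single
    flipped bit is always corrected; two flips are corrected only when they hit
    different 3-bit blocks."""
    return 1


def demo() -> bool:
    bio = secrets.randbits(N_BITS)                     # constructed enrolment reading
    r, p = gen(bio)
    # A re-reading with one flipped bit in every block (dis = 64) is still recovered.
    noisy = bio
    for i in range(M_BITS):
        noisy ^= 1 << (3 * i + secrets.randbelow(3))
    ok = rep(noisy, p) == r and dis(bio, noisy) == M_BITS
    # Two flips inside the same block exceed the code's capability: no guarantee.
    ok &= rep(bio ^ 0b011, p) != r
    return ok


if __name__ == "__main__":
    print("fuzzy extractor demo:", "ok" if demo() else "FAILED")
```

The guaranteed tolerance of this toy code is t = 1, but errors spread over different blocks are also corrected, which is why `demo()` succeeds with 64 flipped bits; two flips in one block decode to a wrong w and hence a wrong R, matching the "no guarantee" case above.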

2.2 Threat assumptions

In this subsection, we introduce the Dolev-Yao threat model [14] and consider the risk of side-channel attacks [31] to establish the following threat assumptions for multimedia medicine information systems.

1. Adversary E may be an outsider or a malicious yet legitimate user.
2. Adversary E eavesdrops on all communication between user and server through the public channel.
3. Adversary E reroutes, modifies, resends and deletes the eavesdropped information.
4. Adversary E extracts the sensitive messages stored in a lost or stolen smart card by examining its power consumption.

2.3 One-way hash function

The one-way hash function h : {0, 1}^* → {0, 1}^n is a deterministic algorithm that maps a binary string of arbitrary length to a fixed-length binary string of n bits [7]. It is computationally infeasible to recover the input x from a given hash value h(x) and the hash function, which is called the one-way property. Furthermore, the hash function possesses both weak and strong collision resistance: for a given input x, finding any input y ≠ x such that h(x) = h(y) is computationally infeasible, and finding any pair of inputs (x, y) with x ≠ y and h(x) = h(y) is computationally infeasible.

2.4 Extended Chebyshev chaotic map

The Chebyshev chaotic map T_n(x) is a polynomial in x of degree n, which is defined by the following equation.

$$T_{n}(x) = \cos n\theta, $$

in which x = cos θ [4]. Besides, the recurrence relation of T_n(x) is defined by the equation below.

$$T_{n}(x) = 2xT_{n-1}(x) - T_{n-2}(x), $$

for any natural number n ≥ 2, with T_0(x) = 1 and T_1(x) = x. The Chebyshev chaotic map satisfies the semi-group property and is commutative under composition, so that T_r(T_s(x)) = T_s(T_r(x)). It is proved by the following relation.

$$\begin{array}{@{}rcl@{}} T_{r}(T_{s}(x)) &=& \cos \left( r \cdot \cos^{-1} \left( \cos(s \cdot \cos^{-1}(x)) \right) \right)\\ &=& \cos (rs \cdot \cos^{-1}(x)) = T_{rs}(x) = T_{s}(T_{r}(x)), \end{array} $$

for any s, r ∈ Z^+. In 2008, Zhang [59] further enhanced the Chebyshev chaotic map and proved that the semi-group property and commutativity under composition still hold on the interval (−∞, +∞). The extended Chebyshev polynomial is defined by the following relation.

$$T_{n}(x) = (2x \cdot T_{n-1}(x) - T_{n-2}(x)) \mod p, $$

where n ≥ 2, x ∈ (−∞, +∞) and p is a large prime number. Also T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p holds. There are two computationally infeasible problems for the extended Chebyshev chaotic map [35], which are explained as follows.

Extended Chebyshev chaotic map discrete logarithm problem (ECDLP): given p, x and y, finding an integer r satisfying y = T_r(x) mod p is computationally infeasible.

Extended Chebyshev chaotic map decisional Diffie-Hellman problem (ECDDHP): given x, T_r(x), T_s(x) and T_z(x), deciding whether T_rs(x) = T_z(x) mod p holds is computationally infeasible.
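The recurrence, an O(log n) evaluation and the semi-group property T_r(T_s(x)) = T_rs(x) = T_s(T_r(x)) mod p, worked in Python as an added example (not code from the paper or from [59]): the modulus p = 2^127 − 1 and the sample values are constructed here, and `cheb_mod_fast` relies on the standard doubling identities T_2k = 2T_k² − 1 and T_2k+1 = 2T_kT_k+1 − x, which the paper does not state but which follow from T_{m+n} + T_{m−n} = 2T_mT_n.

```python
"""Extended Chebyshev chaotic map T_n(x) mod p: evaluation and the semi-group
property the key agreement relies on.  Added example, not code from the paper."""
import math
import secrets

# Constructed demo modulus: the Mersenne prime 2^127 - 1 (any large prime works).
P = 2**127 - 1


def cheb_real(n: int, x: float) -> float:
    """T_n(x) over the reals via T_n = 2x T_{n-1} - T_{n-2}, T_0 = 1, T_1 = x."""
    t_prev, t_cur = 1.0, x
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t_cur = t_cur, 2 * x * t_cur - t_prev
    return t_cur


def cheb_mod_slow(n: int, x: int, p: int) -> int:
    """Extended map (2x T_{n-1} - T_{n-2}) mod p by the plain recurrence: O(n)
    steps, used here only as a reference for the fast version."""
    t_prev, t_cur = 1, x % p
    for _ in range(n):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % p
    return t_prev


def cheb_mod_fast(n: int, x: int, p: int) -> int:
    """T_n(x) mod p in O(log n) using the doubling identities
       T_{2k}   = 2 T_k^2 - 1
       T_{2k+1} = 2 T_k T_{k+1} - x
    while keeping the pair (T_k, T_{k+1}) and scanning the bits of n from the top."""
    x %= p
    t_k, t_k1 = 1, x          # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "0":        # k -> 2k
            t_k, t_k1 = (2 * t_k * t_k - 1) % p, (2 * t_k * t_k1 - x) % p
        else:                 # k -> 2k + 1
            t_k, t_k1 = (2 * t_k * t_k1 - x) % p, (2 * t_k1 * t_k1 - 1) % p
    return t_k


def semigroup_holds(r: int, s: int, x: int, p: int) -> bool:
    """Check T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x)) (mod p): the property that lets
    two parties holding r and s respectively arrive at the same T_{rs}(x)."""
    lhs = cheb_mod_fast(r, cheb_mod_fast(s, x, p), p)
    mid = cheb_mod_fast(r * s, x, p)
    rhs = cheb_mod_fast(s, cheb_mod_fast(r, x, p), p)
    return lhs == mid == rhs


def demo() -> bool:
    """Run the checks with random 128-bit exponents and a random base."""
    x = secrets.randbelow(P)
    r, s = secrets.randbits(128), secrets.randbits(128)
    ok = semigroup_holds(r, s, x, P)
    # Small-n cross-check of the fast evaluation against the plain recurrence.
    ok &= all(cheb_mod_fast(n, x, P) == cheb_mod_slow(n, x, P) for n in range(64))
    # The cos(n * arccos(x)) definition on [-1, 1].
    ok &= abs(cheb_real(7, 0.3) - math.cos(7 * math.acos(0.3))) < 1e-9
    return ok


if __name__ == "__main__":
    print("all checks passed" if demo() else "check FAILED")
```

With 128-bit exponents the plain recurrence would be hopeless, while the doubling version finishes in a few hundred modular multiplications; that gap is what makes the map practical on the constrained devices discussed above. The check of T_r(T_s(x)) against T_rs(x) passes modulo p because the underlying identity is a polynomial identity over the integers.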

3 Review of Lu et al.’s scheme

Recently, Lu et al. [42] proposed a biometrics-based authentication scheme for multimedia medicine information systems using extended Chebyshev chaotic maps. Lu et al.’s scheme has three phases: the registration phase, the login and authentication phase, and the password change phase. Server S selects two hash functions h_1(·) and h_2(·). For convenience, Table 1 lists the symbols and notations applied in their scheme.

Table 1 Symbols and notations in Lu et al.’s scheme

3.1 Registration phase

1. New user U selects the identity ID and password PW, and imprints the biometrics BIO. Then U calculates PWD = h_1(PW || H(BIO)) and sends {ID, PWD} to server S over a secure channel.
2. After receiving the request message, S computes K = h_1(ID || PWD) and IM_1 = K ⊕ h_1(k_s), in which k_s is S’s secret key. S issues the smart card SC containing {IM_1} to U through a secure channel.
3. Upon receiving the smart card, U selects a secret key k_u and calculates f = h_1(ID || k_u) ⊕ PWD. Finally, user U stores f in the SC, which then contains {IM_1, f, h_1(·), h_2(·), H(·)}.

3.2 Login and authentication phase

1. U inserts the SC into a card reader, inputs the identity ID, password PW and secret key k_u, and imprints the biometrics BIO. Then U verifies whether h_1(ID || k_u) ⊕ h_1(PW || H(BIO)) is consistent with f. If it holds, U calculates K = h_1(ID || h_1(PW || H(BIO))), generates a random number u and computes R_1 = K ⊕ ID, R_2 = ID ⊕ T_u(K) and R_3 = h_1(ID || T_u(K)). Lastly, U sends the login request {R_1, R_2, R_3} to S over a public channel.
2. When receiving the login request from U, S uses its secret key k_s to compute K = IM_1 ⊕ h_1(k_s), ID = R_1 ⊕ K and T_u(K) = R_2 ⊕ ID, and checks whether h_1(ID || T_u(K)) is consistent with R_3. If they are equal, S generates a random number v and calculates IM_2 = T_v(K) ⊕ ID, T_uv(K), sk = h_2(T_u(K), T_v(K), T_uv(K)) and Auth_S = h_1(K || T_v(K) || sk). Finally, S submits the message {Auth_S, IM_2} to U.
3. Upon receiving the authentication request message, U retrieves T_v(K) by calculating IM_2 ⊕ ID and computes sk = h_2(T_u(K), T_v(K), T_uv(K)) to check whether Auth_S′ = h_1(K || T_v(K) || sk) is equal to Auth_S. If it holds, S is authenticated successfully, and U calculates Auth_U = h_1(sk || T_v(K) || K) and sends the message {Auth_U} to S.
4. Once receiving the message, S validates whether h_1(sk || T_v(K) || K) is consistent with Auth_U. If it is true, U is authenticated successfully. Otherwise, S refuses the request. Lastly, U and S share a common session key sk = h_2(T_u(K), T_v(K), T_uv(K)).

3.3 Password change phase

1. U inputs the identity ID, old password PW, secret key k_u and biometrics BIO.
2. SC validates whether h_1(ID || k_u) ⊕ h_1(PW || H(BIO)) is consistent with f.
3. If it is true, U selects a new password PW^new and a new secret key k_u^new to calculate f^new.
4. SC replaces f with f^new in its memory.

4 Cryptanalysis of Lu et al.’s scheme

Lu et al.’s scheme efficiently resists the insider attack and password guessing attack. In addition, their scheme ensures the forward secrecy. Unfortunately, their scheme is still vulnerable to the Denial-of-Service attack. Moreover, their scheme is insecure against the user impersonation attack and server masquerade attack. We also find that some phases of Lu et al.’s scheme are not correct. Furthermore, Lu et al.’s scheme does not provide the user anonymity and user re-registration/revocation. We describe the details of these problems in the following subsections.

4.1 Flaws in login and authentication phase

During the registration phase of Lu et al.’s scheme, server S computes IM_1 = K ⊕ h_1(k_s), stores it in the smart card SC and transmits the card to U through a secure channel. Their scheme requires no extra operations or storage for keeping every user’s IM_1 in the database of server S. In the login and authentication phase, user U sends the login request {R_1, R_2, R_3} to server S over a public channel, and then S is meant to use its secret key k_s to compute K = IM_1 ⊕ h_1(k_s). However, IM_1 is not submitted to S by U in the login phase, so S is unable to retrieve K without IM_1. Thus, this operation is impossible in Lu et al.’s scheme. Therefore there are flaws in the login and authentication phase; in particular, user U should send {R_1, R_2, R_3, IM_1} to server S instead of {R_1, R_2, R_3}.

4.2 Flaws in password change phase

In the password change phase of Lu et al.’s scheme, user U inputs his identity ID, old password PW^old, secret key k_u and biometrics BIO. Then the smart card SC validates whether h_1(ID || k_u) ⊕ h_1(PW^old || H(BIO)) is consistent with f. If it is true, U selects a new password PW^new and a new secret key k_u^new to calculate f^new. Finally, SC replaces f with f^new in its memory as planned. However, during the next login phase, U calculates his new K_U = h_1(ID || h_1(PW^new || H(BIO))) and transmits IM_1^old to server S. On the other hand, S computes K_S = IM_1^old ⊕ h_1(k_s) during the subsequent authentication phase, that is, K_S = h_1(ID || h_1(PW^old || H(BIO))), since K_S = h_1(ID || PWD^old) and PWD^old = h_1(PW^old || H(BIO)). Then U calculates sk_U = h_2(T_u(K_U), T_v(K_S), T_uv(K_S)) and S computes sk_S = h_2(T_u(K_U), T_v(K_S), T_uv(K_U)). Because PW^old ≠ PW^new, K_S ≠ K_U, so U and S end up with different session keys. Thus there are flaws in the password change phase; in particular, IM_1 needs to be updated.

4.3 Denial-of-service attack

Although targets and means may vary, a Denial-of-Service (DoS) attack is generally an attempt by malicious users or adversaries to make network resources unavailable, interrupting the services of hosts indefinitely or temporarily. In Lu et al.’s scheme, adversary E is able to carry out the DoS attack without difficulty. Figure 2 shows the procedure and effect of the DoS attack on Lu et al.’s scheme. In particular, E collects a previous login request message {R_P1, R_P2, R_P3, IM_P1} from the public channel and forwards it to server S. After receiving the login request message, S has no way to tell that the received message is outdated and, as always, executes operation (2), which includes generating the random number once, sending the authentication request message once, executing the Chebyshev chaotic map operation twice, calculating the XOR operation four times and performing the hash function four times. By replaying the intercepted login request message repeatedly, E is able to exhaust the services or network resources of the multimedia medicine information system, so Lu et al.’s scheme is vulnerable to the DoS attack. To solve this problem, a timestamp needs to be added to the login request message, which helps the server check the freshness of messages and resists the DoS attack to a certain extent.

Fig. 2 The DoS attack on Lu et al.’s scheme

4.4 User impersonation attack

Let E be a malicious yet legitimate user in the multimedia medicine information system, who possesses his own smart card and extracts its information {IM_1E, f_E, h_1(·), h_2(·), H(·)}. E is able to impersonate another legal user U to cheat server S, so Lu et al.’s scheme is vulnerable to the user impersonation attack. E carries out the following steps.

1. E calculates PWD_E = h_1(PW_E || H(BIO_E)) and K_E = h_1(ID_E || PWD_E). Then he retrieves h_1(k_s) = K_E ⊕ IM_1E.
2. E collects user U’s login request message {R_1, R_2, R_3, IM_1}, and computes K = IM_1 ⊕ h_1(k_s) and ID = R_1 ⊕ K for the user impersonation attack.
3. E generates a random number w and computes R_1E = K ⊕ ID, R_2E = ID ⊕ T_w(K) and R_3E = h_1(ID || T_w(K)). Then E submits his login request message {R_1E, R_2E, R_3E, IM_1} to S.
4. Upon receiving the login request, S authenticates E, who successfully impersonates U, executes the following operations and submits the message {Auth_S, IM_2} to E.
5. When receiving the message, E retrieves T_v(K) = IM_2 ⊕ ID, computes T_wv(K) = T_w(T_v(K)) and sk = h_2(T_w(K), T_v(K), T_wv(K)), and calculates Auth_E = h_1(sk || T_v(K) || K) to send the authentication message {Auth_E} to S.
6. Finally, E and S agree on a common session key sk = h_2(T_w(K), T_v(K), T_wv(K)). Thus E performs a user impersonation attack, since S believes that it is communicating with U.

4.5 Server masquerade attack

As described in this subsection, Lu et al.’s scheme is vulnerable to the server masquerade attack. More precisely, adversary E, a malicious yet legitimate user, can be authenticated as the server by another legitimate user U using S’s secret value h_1(k_s). The details are shown as follows.

1. Upon intercepting the login request message {R_1, R_2, R_3, IM_1} from U, E calculates K = IM_1 ⊕ h_1(k_s), ID = R_1 ⊕ K and T_u(K) = R_2 ⊕ ID.
2. E generates a random number w and computes IM_2 = T_w(K) ⊕ ID, sk = h_2(T_u(K), T_w(K), T_uw(K)) and Auth_E = h_1(K || T_w(K) || sk). Then he submits the message {Auth_E, IM_2} to U.
3. When receiving the message from E, U executes the following operations and then authenticates E.
4. Finally, E and U agree on a common session key sk = h_2(T_u(K), T_w(K), T_uw(K)). Thus E performs a server masquerade attack, since U believes that he is communicating with S.

4.6 Lack of user anonymity

Unfortunately, since the identity of user U can be derived from R_1 using the secret value h_1(k_s), their scheme cannot achieve user anonymity. First E calculates PWD_E = h_1(PW_E || H(BIO_E)) and K_E = h_1(ID_E || PWD_E). Then he retrieves h_1(k_s) = K_E ⊕ IM_1E. Next E collects U’s login request message {R_1, R_2, R_3, IM_1}. Finally he computes K = IM_1 ⊕ h_1(k_s) and ID = R_1 ⊕ K to steal the identity of the legitimate user. Therefore Lu et al.’s scheme is unable to provide user anonymity.

4.7 Lack of user re-registration/revocation

There is no user re-registration/revocation phase in Lu et al.’s scheme, so user U is unable to re-register or revoke his privilege if his smart card SC is lost or stolen. In order to improve the functionality of multimedia medicine information systems, we design the corresponding re-registration/revocation phase; more details are described in the following section.

5 The proposed scheme

Based on the cryptanalysis of Lu et al.’s scheme, we propose a novel biometric-based authentication and key agreement scheme for multimedia medicine information systems. Our scheme consists of the following four phases: registration phase, login and authentication phase, password change phase and re-registration/revocation phase. The presented scheme improves on Lu et al.’s scheme in several aspects: 1) it resists the Denial-of-Service attack by adding a timestamp to the login request message, 2) it hides server S’s secret value to prevent the user impersonation attack and server masquerade attack, 3) it provides user anonymity to enhance the performance of multimedia medicine information systems, and 4) it adds the user re-registration/revocation phase for practical requirements. More details are described in the following subsections. For convenience, Table 2 lists the symbols and notations applied in our scheme.

Table 2 Symbols and notations in our scheme

5.1 Registration phase

New user U_i executes the registration phase with server S over a secure channel. The registration phase is illustrated in Fig. 3 and is described as follows.

1. Firstly, new user U_i imprints his personal biometric information BIO_i at the sensor. Next the sensor sketches BIO_i, extracts (R_i, P_i) from Gen(BIO_i) → (R_i, P_i), and stores P_i in memory. U_i selects his identity ID_i and password PW_i, and calculates RPW_i = h_1(PW_i || R_i).
2. Then he sends the registration request message {ID_i, RPW_i} to server S through a secure channel.
3. After receiving the registration request, S computes A_i = h_1(ID_i || s), CID_i = ENC_x(ID_i || k_u) and V_i = h_1(ID_i || RPW_i), in which k_u is selected by S and has a fixed length. Then S adds a new entry ⟨ID_i, N_i = 1⟩ to the database, where N_i counts how many times the user has registered.
4. S issues U_i his smart card SC_i, which contains {A_i, CID_i, V_i, h_1(·), h_2(·)}, via a secure channel.
5. Upon receiving SC_i, U_i computes B_i = A_i ⊕ h_1(ID_i || PW_i), replaces A_i with B_i and stores P_i in SC_i. Thereby the smart card SC_i contains {B_i, CID_i, P_i, V_i, h_1(·), h_2(·)}.

Fig. 3 The registration phase

5.2 Login and authentication phase

During the login and authentication phase, the smart card SC_i verifies U_i’s identity, password and biometric information immediately, and server S confirms the freshness of the login request message. The login and authentication phase is shown in Fig. 4 and explained below.

1. User U_i inserts his smart card SC_i into the reader, imprints his biometrics BIO_i* at the sensor, and inputs his identity ID_i and password PW_i. Then the sensor sketches BIO_i* and recovers R_i from Rep(BIO_i*, P_i) → R_i.
2. U_i calculates RPW_i = h_1(PW_i || R_i) and verifies whether h_1(ID_i || RPW_i) = V_i holds. If it holds, U_i further computes A_i = B_i ⊕ h_1(ID_i || PW_i). Otherwise, SC_i terminates U_i’s login.
3. U_i selects a random number u, and computes R_1 = ID_i ⊕ T_u(A_i) and R_2 = h_1(ID_i || A_i || T_u(A_i) || T_i), where T_i is the current timestamp.
4. U_i submits the login request message {CID_i, R_1, R_2, T_i} to S over a public channel.
5. When receiving the login request message from U_i, server S checks whether T_j − T_i ≤ ΔT holds, where ΔT is the allowed time interval and T_j is the time at which the login request message is received. If it holds, S performs the following steps. Otherwise, the login request message is rejected by S.
6. S decrypts CID_i with x to retrieve (ID_i || k_u), and computes A_i = h_1(ID_i || s) and T_u(A_i) = R_1 ⊕ ID_i. Then S verifies whether h_1(ID_i || A_i || T_u(A_i) || T_i) is consistent with R_2.
7. If this verification holds, S generates a random number v, and calculates E_i = T_v(A_i) ⊕ ID_i, sk_i = h_2(T_u(A_i), T_v(A_i), T_uv(A_i)) and Auth_S = h_1(A_i || T_v(A_i) || sk_i). Otherwise, S terminates the authentication request.
8. S sends the authentication request message {Auth_S, E_i} to U_i through a public channel.
9. Upon receiving the authentication request message, U_i retrieves T_v(A_i) = ID_i ⊕ E_i, computes sk_i = h_2(T_u(A_i), T_v(A_i), T_uv(A_i)) and then examines whether h_1(A_i || T_v(A_i) || sk_i) = Auth_S holds. If it holds, U_i authenticates S successfully and calculates Auth_U = h_1(sk_i || T_u(A_i) || A_i). Otherwise, U_i rejects the authentication request.
10. Then U_i submits the authentication message {Auth_U} to S through a public channel.
11. After receiving the authentication message, S checks whether h_1(sk_i || T_u(A_i) || A_i) = Auth_U holds. If this verification holds, S authenticates U_i successfully. Otherwise, the request is rejected by S. Finally, U_i and S share a common session key sk_i for further communication.

Fig. 4 The login and authentication phase
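The registration phase and the login and authentication phase above, run end to end with both sides in one process, as an added example rather than code from the paper. Everything not fixed by the text is an assumption of this example: SHA-256 with domain separation stands for h_1 and h_2, HMAC-SHA256 in counter mode (confidentiality only) stands for the symmetric cipher ENC_x, p = 2^127 − 1 is the modulus, timestamps are integer milliseconds with ΔT = 5 s, R_i is modelled as the fixed output of Gen/Rep, and u, v are kept below 2^12 so the plain recurrence stays fast. The class and function names (`Server`, `User`, `run`) are likewise ours.

```python
"""Registration and login/authentication of the proposed scheme (Section 5), user and
server simulated in one process.  Added example, not code from the paper.  Assumed here
(not stated in the paper): SHA-256 with domain separation and length-prefixed fields for
h1/h2, HMAC-SHA256 in counter mode as a stand-in for ENC_x, p = 2^127 - 1, millisecond
timestamps, and u, v < 2^12 so that the plain recurrence stays fast."""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # constructed prime modulus for the extended Chebyshev map
LEN = 16            # byte length of ID_i and of encoded elements mod P
DELTA_T = 5_000     # freshness window ΔT in milliseconds

def _h(tag, parts):
    body = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(tag + body).digest()

def h1(*parts): return _h(b"h1", parts)
def h2(*parts): return _h(b"h2", parts)

def cheb(n, x):
    """Extended Chebyshev map T_n(x) mod P via T_n = 2x T_{n-1} - T_{n-2}."""
    t_prev, t_cur = 1, x % P
    for _ in range(n):
        t_prev, t_cur = t_cur, (2 * x * t_cur - t_prev) % P
    return t_prev

def t_map(n, point):
    """T_n applied to a byte-encoded element, result re-encoded in LEN bytes."""
    return cheb(n, int.from_bytes(point, "big") % P).to_bytes(LEN, "big")

def xor(a, b): return bytes(i ^ j for i, j in zip(a, b))

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def enc_x(key, data):    # ENC_x stand-in: nonce || data xor keystream.  No integrity:
    nonce = secrets.token_bytes(16)   # a tampered CID_i fails the R_2 check instead.
    return nonce + xor(data, _keystream(key, nonce, len(data)))

def dec_x(key, blob): return xor(blob[16:], _keystream(key, blob[:16], len(blob) - 16))

class Server:
    def __init__(self):
        self.s, self.x = secrets.token_bytes(32), secrets.token_bytes(32)  # s, ENC_x key
        self.db = {}                       # ID_i -> N_i (registration count)
    def register(self, id_i, rpw_i):       # 5.1, steps 3-4
        a_i = h1(id_i, self.s)
        cid_i = enc_x(self.x, id_i + secrets.token_bytes(LEN))   # ENC_x(ID_i || k_u)
        self.db[id_i] = self.db.get(id_i, 0) + 1
        return a_i, cid_i, h1(id_i, rpw_i)                       # A_i, CID_i, V_i
    def login(self, msg, now_ms):          # 5.2, steps 5-8
        cid_i, r1, r2, t_i = msg
        if not 0 <= now_ms - t_i <= DELTA_T:
            return None                    # stale (or future-dated) request
        id_i = dec_x(self.x, cid_i)[:LEN]
        a_i = h1(id_i, self.s)
        tu = xor(r1, id_i)                 # T_u(A_i) = R_1 xor ID_i
        if r2 != h1(id_i, a_i, tu, t_i.to_bytes(8, "big")):
            return None
        v = secrets.randbelow(2**12) + 1
        tv, tuv = t_map(v, a_i), t_map(v, tu)      # T_v(A_i), T_v(T_u(A_i)) = T_uv(A_i)
        sk = h2(tu, tv, tuv)
        self.pending = (a_i, tu, sk)
        return h1(a_i, tv, sk), xor(tv, id_i)      # {Auth_S, E_i}
    def finish(self, auth_u):              # 5.2, step 11
        a_i, tu, sk = self.pending
        return sk if auth_u == h1(sk, tu, a_i) else None

class User:
    def __init__(self, id_i, pw):
        self.id, self.pw = id_i.ljust(LEN, b"\0"), pw
        self.r_i = secrets.token_bytes(16)  # R_i from Gen/Rep, modelled as a fixed value
    def register(self, server):            # 5.1, steps 1-2 and 5
        a_i, cid_i, v_i = server.register(self.id, h1(self.pw, self.r_i))  # RPW_i
        self.card = {"B": xor(a_i, h1(self.id, self.pw)), "CID": cid_i, "V": v_i}
    def login(self, now_ms, pw=None):      # 5.2, steps 1-4
        pw = self.pw if pw is None else pw
        if h1(self.id, h1(pw, self.r_i)) != self.card["V"]:
            return None                    # card rejects a wrong password
        a_i = xor(self.card["B"], h1(self.id, pw))
        u = secrets.randbelow(2**12) + 1
        tu = t_map(u, a_i)
        self.session = (a_i, u, tu)
        return (self.card["CID"], xor(self.id, tu),
                h1(self.id, a_i, tu, now_ms.to_bytes(8, "big")), now_ms)
    def finish(self, reply):               # 5.2, steps 9-10
        auth_s, e_i = reply
        a_i, u, tu = self.session
        tv = xor(self.id, e_i)
        sk = h2(tu, tv, t_map(u, tv))      # T_u(T_v(A_i)) = T_uv(A_i)
        return (sk, h1(sk, tu, a_i)) if auth_s == h1(a_i, tv, sk) else None

def run(user, server, send_ms, arrive_ms):
    """One login; returns (sk_user, sk_server) or None where a side rejected."""
    msg = user.login(send_ms)
    reply = msg and server.login(msg, arrive_ms)
    done = reply and user.finish(reply)
    return (done[0], server.finish(done[1])) if done else None
```

`run(user, server, t, t + 50)` after `user.register(server)` returns two equal session keys; the same request delivered 10 s later is rejected at step 5 before any Chebyshev evaluation, and a wrong password is stopped by the card at step 2. The two sides reach the same sk_i only because T_v(T_u(A_i)) = T_u(T_v(A_i)) mod p, i.e. the semi-group property of Section 2.4.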

5.3 Password change phase

During the password change phase, U i updates the password without any help from server S. This phase includes the following four steps.

1. User U_i inserts his smart card SC_i, imprints his biometrics BIO_i* at the sensor, and inputs ID_i and PW_i. Then the sensor sketches BIO_i* and recovers R_i from Rep(BIO_i*, P_i) → R_i.
2. U_i computes RPW_i = h_1(PW_i || R_i) and verifies whether h_1(ID_i || RPW_i) = V_i holds. If this verification holds, SC_i asks U_i for a new password. Otherwise, the password change request is rejected immediately by SC_i.
3. U_i selects a new password PW_i^new and further calculates RPW_i^new = h_1(PW_i^new || R_i), B_i^new = B_i ⊕ h_1(ID_i || PW_i) ⊕ h_1(ID_i || PW_i^new) and V_i^new = h_1(ID_i || RPW_i^new).
4. U_i replaces B_i with B_i^new and V_i with V_i^new in the memory, respectively.

5.4 User revocation/re-registration phase

The user re-registration/revocation phase helps user U_i re-register or revoke his privilege when his smart card SC_i is lost or stolen. If U_i wants to re-register, he sends a re-registration request to server S via a secure channel. Then S executes the registration steps described in the previous section and replaces ⟨ID_i, N_i⟩ with ⟨ID_i, N_i = N_i + 1⟩ so that U_i can re-register. Similarly, upon receiving a revocation request through a secure channel, S modifies the corresponding entry by setting it to ⟨ID_i, N_i = 0⟩.

6 Analysis of our scheme

Authentication and key agreement schemes proposed for multimedia medicine information systems need to meet two essential requirements, security and functionality. In this section, we analyze how the presented scheme satisfies these requirements, and compare our scheme with other related authentication and key agreement schemes.

6.1 Informal security analysis

In this subsection, we analyze the strength of our scheme against the following common attacks.

Resistance to replay attack

Replay attack means that adversary E intercepts transmitted messages in order to reuse these data in some manner, which includes copying and possibly altering them. Even if adversary E intercepts a previous login request message {CID_i, R_1, R_2, T_i} and retransmits it to the server, S verifies the legality of the message by checking T_i and R_2 as follows.

$$R_{2} = h_{1}(ID_{i} || A_{i} || T_{u}(A_{i}) || T_{i}), $$

in which T_i is different in every session, so E is unable to be authenticated by S. Therefore the proposed scheme resists the replay attack by including the timestamp T_i in the verification information R_2.

Resistance to modification attack

Though adversary E attempts to modify the intercepted messages, the presented scheme detects whether the received messages have been modified with the help of the one-way hash function. E does not have the capability to retrieve u, ID_i and A_i from the intercepted information, so he cannot generate a legitimate login or authentication message. Thus our scheme is secure against the modification attack.

Resistance to stolen-verifier attack

In our scheme, server S does not save the biometrics or passwords of legitimate users so that adversary E is unable to steal the biometrics-verifier or passwords-verifier of users even if he has an authorized database access. As a result, the presented scheme prevents the stolen-verifier attack.

Resistance to password guessing attack

With the assistance of side-channel attacks, adversary E may acquire B_i, P_i, CID_i and V_i. But he cannot verify a guess of U_i’s password, off-line or on-line, without the relevant information about BIO_i and x. At the same time, U_i’s password is protected by h_1(PW_i || R_i), in which R_i has high entropy. Besides, no two people share the same biometric template. Consequently, our scheme is secure against the password guessing attack.

Resistance to user impersonation attack

User impersonation attack means that a malicious yet legitimate user E attempts to impersonate another user for authentication and key agreement. During the communication between user U_i and server S, U_i’s real identity ID_i is protected by CID_i = ENC_x(ID_i || k_u) and R_1 = ID_i ⊕ T_u(A_i). Furthermore, the random number k_u changes in every registration phase and u changes in each session, so E is unable to acquire another legitimate user’s identity. In conclusion, the proposed scheme prevents the user impersonation attack.

Resistance to server masquerade attack

Upon receiving the login request message from \(U_i\), adversary E tries to masquerade as server S by replaying the previous authentication message \(\{ Auth_{S}^{old}, E_{i}^{old} \}\), in which \(Auth_{S}^{old} = h_{1}(A_{i} || T_{v}(A_{i})^{old} || sk_{i}^{old})\), \(sk_{i}^{old} = h_{2}(T_{u}(A_{i})^{old}, T_{v}(A_{i})^{old}, T_{uv}(A_{i})^{old})\) and \(E_{i}^{old} = T_{v}(A_{i})^{old} \oplus ID_{i}\). However, \(U_i\) adopts different random numbers in different sessions, that is, \(T_{u}(A_{i})^{old} \neq T_{u}(A_{i})^{new}\), so E's attempt fails. Therefore, our scheme resists the server masquerade attack.

Resistance to insider attack

A malicious insider E has the authority to access the system and is familiar with its procedures, and tries to acquire user \(U_i\)'s private data such as biometrics and password. Server S cannot recover the biometrics \(BIO_i\) or the password \(PW_i\) from \(RPW_i = h_1(PW_i||R_i)\). Furthermore, S does not store \(RPW_i\) in the database. So the presented scheme prevents the insider attack.

Resistance to Denial-of-Service attack

Adversary E carries out a Denial-of-Service (DoS) attack to diminish or eliminate the server's capability, which usually makes server S unavailable. With the help of the timestamp \(T_i\), server S verifies the freshness and legality of \(R_2 = h_1(ID_i||A_i||T_u(A_i)||T_i)\) in the login request message. The current timestamp cannot match a previous \(R_2\) replayed by adversary E. Besides, input verification of password and identity has been added in the proposed scheme, which rejects invalid input and malicious tampering. Also, our scheme adopts the fuzzy extractor to satisfy the usage requirements of biometrics. As a result, the proposed scheme is secure against the DoS attack.

Resistance to stolen smart card attack

A stolen smart card attack means that adversary E tries to use the information stored in the smart card \(SC_i\) to be authenticated by server S without the biometrics or password. With the assistance of SPA or DPA, E is able to obtain \(B_i\), \(P_i\), \(CID_i\) and \(V_i\). In the presented scheme, the session key between user \(U_i\) and server S is generated as follows.

$$(ID_{i} || k_{u}) = DEC_{x}(CID_{i}), $$
$$T_{u}(A_{i}) = R_{1} \oplus ID_{i}, $$
$$T_{v}(A_{i}) = ID_{i} \oplus E_{i}, $$
$$sk_{i} = h_{2}(T_{u}(A_{i}), T_{v}(A_{i}), T_{uv}(A_{i})). $$

Although E obtains \(CID_i\), \(R_1\) and \(E_i\) over public channels, it is difficult for him to retrieve \(A_i\) and \(ID_i\) without the secret values \(u\), \(v\) and \(x\). Above all, our scheme resists the stolen smart card attack.

6.2 Security model

Based on He et al.'s work [21] and the Dolev-Yao threat model [14], we define the capabilities of adversary E in the security model. We adopt the threat assumptions of Subsection 2.2 and further allow E to control all communications over the public network in probabilistic polynomial time. We consider a game between the adversary and an oracle, in which adversary E asks queries and the oracle responds. These queries simulate the attacks that adversary E may execute against the real system. We consider the following types of queries for the proposed authentication and key agreement scheme. Let \({\Pi }_{U_{i}}^{l}\) denote the \(l\)th instance of participant \(U_i\).

  1. \(Extract(ID_i)\): When E executes this query with user \(U_i\)'s identity \(ID_i\), the oracle allows E to obtain the long-term secret key of \(ID_i\).

  2. \(Execute(U_i, S)\): This query simulates passive attacks, in which E eavesdrops on an execution of the scheme and obtains the complete transcript between \(U_i\) and S.

  3. \(Send({\Pi }_{U_{i}}^{l},M)\): When E executes this query with message M, the oracle runs the authentication and key agreement protocol according to its specification and returns the result to E. This models active attacks such as impersonation and man-in-the-middle attacks.

  4. \(Reveal({\Pi }_{U_{i}}^{l})\): This query simulates known-key attacks in the real system; the oracle returns the session key of instance \({\Pi }_{U_{i}}^{l}\) to E.

  5. \(Corrupt(ID_i)\): When E executes this query with user \(U_i\)'s identity \(ID_i\), the oracle exposes the long-term secret key held by \(U_i\).

  6. \(Test({\Pi }_{U_{i}}^{l})\): This query is used to define the advantage of E. When adversary E asks this query of instance \({\Pi }_{U_{i}}^{l}\), a random bit \(b\) is chosen. If \(b = 1\), the session key is returned. Otherwise a random string of the same length as the session key is returned to E.

6.3 Formal security analysis

With the assistance of formal security analysis, we demonstrate that our scheme is secure against adversary E. In this subsection, we adopt the oracle \(Reveal\) described above, which unconditionally outputs \(x\) from the one-way hash function \(y = h_1(x)\). In particular, the following two theorems provide the formal security analysis of our scheme.

Theorem 1

Under the assumption that the hash function \(h_1(x)\) closely behaves like the oracle \(Reveal\), our scheme is provably secure against adversary E recovering the identity \(ID_i\) of user \(U_i\), the secret key \(s\) of server S, and the session key \(sk_i\) between \(U_i\) and S, respectively.

Proof

We need to construct the adversary E who is able to retrieve the identity \(ID_i\) of \(U_i\), the secret key \(s\) of S, and the session key \(sk_i\) between \(U_i\) and S, respectively. Adversary E adopts the oracle \(Reveal\) to perform the experimental algorithm \(EXP1_{E,BAKAS}^{HASH}\), where BAKAS denotes the presented biometrics based authentication and key agreement scheme. The details of algorithm \(EXP1_{E,BAKAS}^{HASH}\) are shown in Table 3. □

Table 3 Algorithm \(EXP1_{E,BAKAS}^{HASH}\)

We define the success probability of \(EXP1_{E,BAKAS}^{HASH}\) as \(Success1 = |P(EXP1_{E,BAKAS}^{HASH} = 1) - 1|\), in which \(P(\cdot)\) denotes the probability of the event. The advantage function of algorithm \(EXP1_{E,BAKAS}^{HASH}\) is \(Adv1(et_1, q_{Reveal}) = \max_{E}\{Success1\}\), in which the maximum over adversaries E depends on the execution time \(et_1\) and the number of queries \(q_{Reveal}\) made to the oracle \(Reveal\). The proposed scheme is provably secure against adversary E if \(Adv1(et_1, q_{Reveal}) \leq \varepsilon_1\) for any sufficiently small \(\varepsilon_1 > 0\). If adversary E were able to retrieve \(x\) from the hash function \(y = h_1(x)\), he could easily retrieve the identity \(ID_i\), the secret key \(s\) and the session key \(sk_i\) to win the game. However, deriving the input of a one-way hash function is a computationally infeasible problem. Therefore \(\max_{E}\{Success1\} = Adv1(et_1, q_{Reveal}) \leq \varepsilon_1\) for any sufficiently small \(\varepsilon_1 > 0\). In conclusion, our scheme is provably secure against adversary E retrieving the identity \(ID_i\), the secret key \(s\) and the session key \(sk_i\).

Theorem 2

Under the assumption that the hash function \(h_1(\cdot)\) closely behaves like the oracle \(Reveal\), our scheme is provably secure against adversary E deriving the password \(PW_i\) of user \(U_i\), even if the smart card \(SC_i\) is stolen.

Proof

We need to construct the adversary E who can retrieve the password \(PW_i\). Adversary E extracts all the information \(\{B_i, CID_i, P_i, V_i\}\) from the stolen smart card \(SC_i\) and adopts the oracle \(Reveal\) to execute the experimental algorithm \(EXP2_{E,BAKAS}^{HASH}\). The details of algorithm \(EXP2_{E,BAKAS}^{HASH}\) are described in Table 4. □

Table 4 Algorithm \(EXP2_{E,BAKAS}^{HASH}\)

We define the success probability of \(EXP2_{E,BAKAS}^{HASH}\) as \(Success2 = |P(EXP2_{E,BAKAS}^{HASH} = 1) - 1|\), where \(P(\cdot)\) denotes the probability of the event. The advantage function of algorithm \(EXP2_{E,BAKAS}^{HASH}\) is \(Adv2(et_2, q_{Reveal}) = \max_{E}\{Success2\}\), where the maximum over adversaries E depends on the execution time \(et_2\) and the number of queries \(q_{Reveal}\) made to the oracle \(Reveal\). The presented scheme is provably secure against adversary E if \(Adv2(et_2, q_{Reveal}) \leq \varepsilon_2\) for any sufficiently small \(\varepsilon_2 > 0\). If adversary E were able to retrieve \(x\) from the hash function \(y = h_1(x)\), he could easily retrieve the password \(PW_i\) to win the game. However, retrieving the input of a one-way hash function is a computationally infeasible problem. Thus \(\max_{E}\{Success2\} = Adv2(et_2, q_{Reveal}) \leq \varepsilon_2\) for any sufficiently small \(\varepsilon_2 > 0\). Above all, our scheme is provably secure against adversary E retrieving the password \(PW_i\).

6.4 Verifying the security with BAN logic

The Burrows-Abadi-Needham (BAN) logic is a set of rules applied to define and analyze information exchange schemes [42]. In this subsection, we introduce the symbols and notations of BAN logic in Table 5 and adopt the BAN logic to verify that the session key between \(U_i\) and S is correctly generated in our authentication scheme.

Table 5 Symbols and notions in the BAN logic

The BAN logical postulates

  1. The message-meaning rule, that is \(\frac {A |\equiv A {\overset {K}\longleftrightarrow } B, A \triangleleft \{ X \}_{K}}{A |\equiv B |\sim X}\). In particular, if A believes that the key K is shared by A and B, and A sees that statement X is encrypted with K, then A believes that B said the statement X.

  2. The nonce-verification rule, that is \(\frac {A |\equiv \# X, A |\equiv B |\sim X}{A |\equiv B |\equiv X}\). In detail, if A believes that statement X is fresh and that B said the statement X, then A believes that B believes the statement X.

  3. The belief rule, that is \(\frac {A |\equiv X, A |\equiv Y}{A |\equiv (X,Y )}\). Particularly, if A believes statement X and statement Y, then A believes (X, Y).

  4. The fresh conjuncatenation rule, that is \(\frac {A |\equiv \# X}{A |\equiv \# (X,Y )}\). In particular, if A believes that statement X is fresh, then A believes that (X, Y) is fresh.

  5. The jurisdiction rule, that is \(\frac {A |\equiv B \Rightarrow X, A |\equiv B |\equiv X}{A |\equiv X}\). In detail, if A believes that B has jurisdiction over statement X and that B believes the truth of statement X, then A believes the statement X.

The idealized scheme

$$\begin{array}{@{}rcl@{}} &&U_{i}: < ID_{i} >_{\{U_{i} {\overset{A_{i}}\longleftrightarrow} S\}_{u}}, (ID_{i},A_{i} )_{\{U_{i} {\overset{A_{i}}\longleftrightarrow} S\}_{u}}, (U_{i} {\overset{sk_{i}}\longleftrightarrow} S,{\{ U_{i} {\overset{A_{i}}\longleftrightarrow} S \}}_{v} )_{U_{i} {\overset{A_{i}}\longleftrightarrow} S}.\\ &&S: < ID_{i} >_{\{U_{i} {\overset{A_{i}}\longleftrightarrow} S\}_{v}}, (U_{i} {\overset{sk_{i}}\longleftrightarrow} S,{\{ U_{i} {\overset{A_{i}}\longleftrightarrow} S \}}_{u} )_{U_{i} {\overset{A_{i}}\longleftrightarrow} S}. \end{array} $$

The establishment of security goals

  • g1.     \(U_{i} |\equiv S |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\)

  • g2.     \(U_{i} |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\)

  • g3.     \(S |\equiv U_{i} |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\)

  • g4.     \(S |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\)

The initiative premises

  • p1.     \(U_{i} |\equiv \# u\)

  • p2.     \(S |\equiv \# v\)

  • p3.     \(U_{i} |\equiv U_{i} {\overset {A_{i}}\longleftrightarrow } S\)

  • p4.     \(S |\equiv U_{i} {\overset {A_{i}}\longleftrightarrow } S\)

  • p5.     \(U_{i} |\equiv S \Rightarrow (U_{i} {\overset {sk_{i}}\longleftrightarrow } S )\)

  • p6.     \(S |\equiv U_{i} \Rightarrow (U_{i} {\overset {sk_{i}}\longleftrightarrow } S )\)

The security analysis

  • a1.     Since p3 and \(U_{i} \triangleleft (U_{i} {\overset {sk_{i}}\longleftrightarrow } S,{\{ U_{i} {\overset {A_{i}}\longleftrightarrow } S \}}_{u} )_{U_{i} {\overset {A_{i}}\longleftrightarrow } S},\) we adopt the message-meaning rule to acquire \(U_{i} |\equiv S |\sim (U_{i} {\overset {sk_{i}}\longleftrightarrow } S,{\{ U_{i} {\overset {A_{i}}\longleftrightarrow } S \}}_{u} )\).

  • a2.     Because of p1 and a1, we use the fresh conjuncatenation rule and nonce-verification rule to get \(U_{i} |\equiv S |\equiv (U_{i} {\overset {sk_{i}}\longleftrightarrow } S,{\{ U_{i} {\overset {A_{i}}\longleftrightarrow } S \}}_{u} )\).

  • g1.     Since a2 and p3, we apply the belief rule to acquire \(U_{i} |\equiv S |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\).

  • g2.     Because of p5 and g1, we adopt the jurisdiction rule to get \(U_{i} |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\).

  • a3.     Since p4 and \(S \triangleleft (U_{i} {\overset {sk_{i}}\longleftrightarrow } S,{\{ U_{i} {\overset {A_{i}}\longleftrightarrow } S \}}_{v} )_{U_{i} {\overset {A_{i}}\longleftrightarrow } S},\) we use the message-meaning rule to acquire \(S |\equiv U_{i} |\sim (U_{i} {\overset {sk_{i}}\longleftrightarrow } S,{\{ U_{i} {\overset {A_{i}}\longleftrightarrow } S \}}_{v} )\).

  • a4.     Because of p2 and a3, we apply the fresh conjuncatenation rule and nonce-verification rule to get \(S |\equiv U_{i} |\equiv (U_{i} {\overset {sk_{i}}\longleftrightarrow } S,{\{ U_{i} {\overset {A_{i}}\longleftrightarrow } S \}}_{v} )\).

  • g3.     Since a4 and p4, we adopt the belief rule to acquire \(S |\equiv U_{i} |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\).

  • g4.     Because of g3 and p6, we use the jurisdiction rule to get \(S |\equiv U_{i} {\overset {sk_{i}}\longleftrightarrow } S\).

Above all, the results show that our scheme correctly generates a session key \(sk_i\) between \(U_i\) and S.

6.5 Functionality analysis

A variety of functionality requirements for authentication and key agreement schemes have been suggested in previous studies. In this subsection, we show that our scheme provides the functionalities described below.

Biometric information protection

In conventional schemes, the biometric information of user \(U_i\) is stored directly in the smart card \(SC_i\), so adversary E can obtain the biometrics from a lost or stolen smart card with the help of side channel attacks. We adopt a secure mechanism to solve this problem: the nearly random string \(R_i\) is extracted from the biometrics \(BIO_i\) by the fuzzy extractor and is protected by the one-way hash function. This makes it impossible for E to acquire the biometric information. Therefore, our scheme provides biometric information protection.

Fast error detection

It is essential to provide fast error detection, which lets the smart card \(SC_i\) detect an incorrect password or any other mistake immediately. In the login and password change phases, \(SC_i\) quickly detects errors such as incorrect identities, inaccurate passwords and false biometric information without the assistance of server S. As a result, the proposed scheme provides fast error detection.

Mutual authentication

Mutual authentication means that both communicating parties authenticate each other. In the presented scheme, user \(U_i\) and server S authenticate each other using \(u\), \(v\), \(x\), \(sk_i\) and \(A_i\). During the authentication phase, \(U_i\) authenticates S by checking whether \(h_1(A_i||T_v(A_i)||sk_i) = Auth_S\) holds, and S verifies whether \(Auth_U\) is consistent with \(h_1(sk_i||T_u(A_i)||A_i)\) to authenticate \(U_i\). In conclusion, our scheme achieves mutual authentication.

Session key agreement

For session key agreement, user \(U_i\) and server S establish a session key which is adopted to protect the subsequent communication. In the proposed scheme, the session key \(sk_i = h_2(T_u(A_i), T_v(A_i), T_{uv}(A_i))\) is generated by \(U_i\) and S, in which \(u\) and \(v\) differ in every session. Consequently, session keys differ between sessions, so it is hard for adversary E to retrieve previous session keys from the intercepted communication messages.

Secure and simple password modification

Secure and simple password modification means that user \(U_i\) is able to change his password without the help of any trusted third party, with the authenticity verified by his smart card \(SC_i\). In the proposed scheme, \(U_i\) changes the password independently and does not need any communication with server S. Furthermore, \(SC_i\) examines whether \(h_1(ID_i||RPW_i) = V_i\) holds during each password change phase, so adversary E is unable to change the password even if he acquires the smart card and the password. Thus, the presented scheme provides secure and simple password modification.

User re-registration/revocation

User \(U_i\) sends a re-registration/revocation request message to server S through a secure channel if he wants to re-register or revoke his privilege. S then completes the re-registration or revocation for \(U_i\) by modifying \(\langle ID_i, N_i \rangle\) in the database. In conclusion, user re-registration/revocation improves the practicality of the scheme and makes it more robust than other related schemes.

Anonymity

Anonymity means that user \(U_i\)'s real identity is not disclosed to unauthorized parties. In the proposed scheme, the dynamic identity \(CID_i\) is computed as \(CID_i = ENC_x(ID_i||k_u)\), in which \(x\) and \(k_u\) are not leaked by the messages intercepted on public channels. Thus, adversary E cannot compute \(U_i\)'s identity \(ID_i\) without \(x\) and \(k_u\). Server S retrieves \(ID_i\) from \((ID_i||k_u) = DEC_x(CID_i)\), so only the authorized server S learns the real identity of \(U_i\). Above all, E is unable to obtain \(U_i\)'s real identity, while \(U_i\) is still correctly authenticated by S.

Perfect forward secrecy

Perfect forward secrecy means that a session key derived from a set of long-term keys cannot be recovered even if one of the user's long-term keys is compromised in the future. In the proposed scheme, the session key between user \(U_i\) and server S is obtained as follows.

$$(ID_{i} || k_{u}) = DEC_{x}(CID_{i}), $$
$$T_{u}(A_{i}) = R_{1} \oplus ID_{i}, $$
$$T_{v}(A_{i}) = ID_{i} \oplus E_{i}, $$
$$sk_{i} = h_{2}(T_{u}(A_{i}), T_{v}(A_{i}), T_{uv}(A_{i})). $$

Even if \(U_i\)'s long-term key \(k_u\) is compromised, adversary E is not able to compute \(x\), \(u\) and \(v\), so he cannot retrieve \(ID_i\), \(T_u(A_i)\), \(T_v(A_i)\) and \(T_{uv}(A_i)\) to compute the session keys between \(U_i\) and S. Therefore, the presented scheme achieves perfect forward secrecy.
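As an added example (not code from the paper), the login and authentication exchange behind the mutual authentication, session key agreement and perfect forward secrecy passages above, in Python: both sides' messages, the timestamp freshness check on \(R_2\), the \(Auth_S\)/\(Auth_U\) checks, and the Chebyshev semigroup property that lets both parties arrive at the same \(T_{uv}(A_i)\). It assumes a constructed 127-bit prime for the extended Chebyshev map, SHA-256 in place of \(h_1\)/\(h_2\), a 60-second timestamp window, and leaves \(CID_i = ENC_x(ID_i||k_u)\) unmodelled (S is assumed to have already recovered \(ID_i\) from it).

```python
import hashlib
import secrets

# Constructed parameters, not taken from the paper: a 127-bit Mersenne prime
# for the extended Chebyshev map, SHA-256 standing in for h1/h2, and a
# 60-second acceptance window for the timestamp T_i.
P = 2**127 - 1
WINDOW = 60


def cheb(n, x, p=P):
    """Extended Chebyshev polynomial T_n(x) mod p via 2x2 matrix exponentiation.
    T_0 = 1, T_1 = x, T_n = 2x*T_{n-1} - T_{n-2}.  The semigroup property
    T_u(T_v(x)) = T_v(T_u(x)) = T_uv(x) is what lets U_i and S agree on T_uv(A_i)."""
    if n == 0:
        return 1
    def mul(a, b):
        return [[sum(a[i][k] * b[k][j] for k in range(2)) % p for j in range(2)]
                for i in range(2)]
    r, m, e = [[1, 0], [0, 1]], [[2 * x % p, p - 1], [1, 0]], n - 1
    while e:
        if e & 1:
            r = mul(r, m)
        m, e = mul(m, m), e >> 1
    return (r[0][0] * x + r[0][1]) % p  # [T_n, T_{n-1}] = M^(n-1) [T_1, T_0]

def enc(v, n=16):
    """Fixed-width big-endian encoding so concatenation inside h1 is unambiguous."""
    return v.to_bytes(n, "big")

def h1(*parts):
    """h1(a||b||...) truncated to 128 bits so it can be XORed with 128-bit values."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest()[:16], "big")

def h2(tu, tv, tuv):
    """Session key sk_i = h2(T_u(A_i), T_v(A_i), T_uv(A_i))."""
    return hashlib.sha256(enc(tu) + enc(tv) + enc(tuv)).digest()

def user_login(id_i, a_i, t_i):
    """Login phase on U_i: {CID_i, R_1, R_2, T_i}.  CID_i = ENC_x(ID_i||k_u) is not
    modelled; S is assumed to have recovered ID_i from it, so ID_i is carried directly."""
    u = secrets.randbelow(P - 2) + 2
    tu = cheb(u, a_i)
    r2 = h1(enc(id_i), enc(a_i), enc(tu), enc(t_i, 8))
    return {"u": u, "Tu": tu}, {"ID": id_i, "R1": tu ^ id_i, "R2": r2, "T": t_i}

def server_auth(msg, a_i, now):
    """Authentication phase on S: check T_i freshness and R_2, then send {Auth_S, E_i}."""
    if abs(now - msg["T"]) > WINDOW:
        return None, None  # stale T_i: a replayed or delayed login request
    id_i, tu = msg["ID"], msg["R1"] ^ msg["ID"]
    if h1(enc(id_i), enc(a_i), enc(tu), enc(msg["T"], 8)) != msg["R2"]:
        return None, None  # R_2 mismatch: message modified or sender lacks A_i
    v = secrets.randbelow(P - 2) + 2
    tv = cheb(v, a_i)
    sk = h2(tu, tv, cheb(v, tu))  # T_v(T_u(A_i)) = T_uv(A_i)
    state = {"sk": sk, "Tu": tu, "A": a_i}
    return state, {"AuthS": h1(enc(a_i), enc(tv), sk), "E": tv ^ id_i}

def user_finish(state, id_i, a_i, reply):
    """U_i recovers T_v(A_i) from E_i, derives sk_i, checks Auth_S and answers Auth_U."""
    tv = reply["E"] ^ id_i
    sk = h2(state["Tu"], tv, cheb(state["u"], tv))  # T_u(T_v(A_i)) = T_uv(A_i)
    if h1(enc(a_i), enc(tv), sk) != reply["AuthS"]:
        return None, None  # server masquerade or tampered reply
    return sk, h1(sk, enc(state["Tu"]), enc(a_i))

def server_finish(state, auth_u):
    """S accepts U_i only if Auth_U = h1(sk_i||T_u(A_i)||A_i) verifies."""
    ok = h1(state["sk"], enc(state["Tu"]), enc(state["A"])) == auth_u
    return state["sk"] if ok else None

def run_session(id_i, a_i, now):
    """Full exchange; returns (sk on U_i, sk on S), with None where a side rejects."""
    ustate, login = user_login(id_i, a_i, now)
    sstate, reply = server_auth(login, a_i, now)
    if sstate is None:
        return None, None
    sk_u, auth_u = user_finish(ustate, id_i, a_i, reply)
    if sk_u is None:
        return None, None
    return sk_u, server_finish(sstate, auth_u)
```

A stale \(T_i\), a tampered \(R_1\), or a login built without the correct \(A_i\) all fail at the \(R_2\) check on S, and the transcript alone gives neither \(u\) nor \(v\), which is the property the forward secrecy argument relies on.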

6.6 Comparisons with related schemes

In this subsection, we compare the resistance, functionality and performance of our scheme with other related authentication schemes, namely Guo et al.'s scheme [15], Lin et al.'s scheme [40], Jiang et al.'s scheme [29] and Lu et al.'s scheme [42].

Table 6 shows the resistance comparison of the related authentication schemes. In Table 6 we use the following notations: R1: resistance to replay attack, R2: resistance to modification attack, R3: resistance to stolen-verifier attack, R4: resistance to password guessing attack, R5: resistance to user impersonation attack, R6: resistance to server masquerade attack, R7: resistance to insider attack, R8: resistance to Denial-of-Service attack and R9: resistance to stolen smart card attack. It can be seen that our scheme meets all the resistance requirements and is more secure.

Table 6 The resistance comparison

Table 7 lists the functionality comparison of the presented scheme with the other related schemes, where we apply the following notations: F1: biometric information protection, F2: fast error detection, F3: mutual authentication, F4: session key agreement, F5: secure and simple password modification, F6: user re-registration/revocation, F7: anonymity and F8: perfect forward secrecy. We further compare our scheme with Moon et al.'s scheme [48], which is another improved scheme. The result demonstrates that our scheme provides sufficient functionalities and is more practical for multimedia medicine information systems.

Table 7 The functionality comparison

We compare our scheme with these relevant authentication schemes in terms of the computational cost of the login phase and the authentication phase. To measure computation complexity, we count the one-way hash function operation, the extended Chebyshev chaotic map operation and the symmetric encryption/decryption operation, since the XOR operation requires very little computation. Here \(T_h\) denotes the time to execute a one-way hash function, \(T_s\) the time to run a symmetric encryption/decryption operation and \(T_c\) the time to perform an extended Chebyshev chaotic map. According to Xue et al.'s work [56], a one-way hash function takes 0.2 ms on average, a symmetric encryption/decryption operation about 0.45 ms and an extended Chebyshev chaotic map around 32.2 ms in their operational environment (CPU: 3.2 GHz, RAM: 3.0 G). Table 8 and Fig. 5 show the computation cost comparison between our scheme and the related schemes. In Table 8 we use the following notations: C1: computation overhead on the user side, C2: execution overhead on the user side, C3: computation overhead on the server side, C4: execution overhead on the server side and C5: total execution overhead. The computation cost of the presented scheme is lower than that of Guo et al.'s scheme, Lin et al.'s scheme and Jiang et al.'s scheme.

Table 8 The computation cost comparison
Fig. 5 The computation cost comparison

To estimate the communication cost, we assume the following lengths for the security parameters: the timestamp is 16 bits, the user identity is 160 bits, a random number is 160 bits, the output of the hash function is 160 bits and the output of the extended Chebyshev chaotic map is 160 bits. In our scheme, user \(U_i\) transmits the login request message \(\{CID_i, R_1, R_2, T_i\}\) to server S during the login phase, and its length is [(160 + 160) + 160 + 160 + 16]/8 = 82 bytes. During the authentication phase, the communication cost is [(160 + 160) + 160]/8 = 60 bytes, covering the authentication messages \(\{Auth_S, E_i\}\) and \(\{Auth_U\}\). So the total communication cost of the proposed scheme is 82 + 60 = 142 bytes. We estimate the communication cost of the other related schemes analogously. To measure the storage requirement, we consider the information stored in the smart card and take the byte length of the stored data as the storage cost. In the proposed scheme, the stored data \(\{B_i, CID_i, P_i, V_i\}\) require [160 + (160 + 160) + 160 + 160]/8 = 100 bytes. Similarly, we measure the storage requirement of the other relevant schemes. Table 9 and Fig. 6 compare the communication and storage costs of the various authentication schemes, using the following notations: S1: communication overhead in the login phase, S2: communication overhead in the authentication phase, S3: total communication overhead and S4: storage overhead. With the same level of communication overhead and storage cost, the proposed scheme has a clear advantage in computation complexity when its computation overhead is compared with that of the related schemes. From the comparisons given above, we conclude that our scheme offers better resistance, functionality and performance than the other related authentication schemes.

Table 9 The communication and storage costs comparison
Fig. 6 The communication and storage costs comparison

7 Conclusion

With the increase in security requirements, a great number of authentication schemes have been widely deployed in multimedia medicine information systems over the last several years. In this study, we analyze the weaknesses of Lu et al.'s scheme. We find flaws in both the login phase and the password change phase, and we show that their scheme is vulnerable to the Denial-of-Service attack, user impersonation attack and server masquerade attack, and also fails to achieve user anonymity. Based on the cryptanalysis of Lu et al.'s scheme, we retain its useful properties and propose a robust biometrics based authentication and key agreement scheme using extended Chebyshev chaotic maps. The presented scheme satisfies the desirable security requirements, as demonstrated in the informal and formal security analyses, respectively. Furthermore, the proposed scheme provides some significant features that are not considered in most of the related schemes, for example biometric information protection and user re-registration or revocation. With the same level of computation overhead, communication cost and storage space, our scheme provides more security properties and significant functionalities. In conclusion, we confirm that the proposed scheme resists the known attacks and is efficient for practical applications in multimedia medicine information systems.