Introduction

Healthcare has received increasing attention in countries with aging populations. Home healthcare has become especially popular in recent years, driven by advances in telecommunication technology and the arrival of low-cost mobile devices. A telecare medical information system (TMIS) is a home healthcare technique that uses the Internet to remotely monitor patients’ vital signs and allows physicians and caregivers to access and update medical information at any time. The medical information of patients, kept as electronic medical records (EMRs), is as important as paper records and must be carefully protected to ensure patients’ privacy. Only authenticated users should be granted the appropriate authorizations to access the resources of a TMIS. To enforce a strict access control policy, a secure remote user authentication scheme must therefore be adopted first.

Generally speaking, password-based authentication schemes [6, 10, 12, 15, 16] are commonly used approaches in which each user first registers with the remote medical server using his identity (ID) and a chosen password. The medical server keeps a password table for subsequent verifications. In 1981, Lamport [10] used one-way hash functions to propose a simple password authentication scheme in which the remote server stores hashed passwords to increase security. However, his scheme could withstand neither replay nor impersonation attacks. Since the user identity is itself sensitive information when a patient with a chronic disease logs in to the remote medical server, many researchers [1, 2, 4, 5, 7–9, 11, 13, 17–21, 23, 25–27] have studied dynamic ID authentication schemes. Instead of using a static ID, such schemes generate a different virtual ID for each login session, even for the same user, so as to provide user anonymity.

In 2004, Das et al. [4] proposed a dynamic ID-based remote user authentication scheme. A major characteristic of their scheme is that the server need not store a password table, which relieves the server-side burden. Still, some researchers [1, 9, 11] pointed out that their scheme is insecure against server spoofing, impersonation and dictionary attacks. Later, several improved mechanisms [11, 21, 26] eliminating the drawbacks of Das et al.’s scheme were proposed.

In 2010, Tsai et al. [19] proposed a new dynamic ID authentication scheme using smart cards. Their scheme employs two-factor authentication, i.e., something you know (a password) and something you have (a smart card). They also showed that previous works [21, 26] are vulnerable to the impersonation attack and cannot satisfy the anonymity requirement of dynamic ID authentication schemes. Yet, the security of Tsai et al.’s scheme rests on the assumption of a trusted server, i.e., they did not consider the privileged insider attack, in which a malicious remote server can easily derive legitimate users’ passwords.

In 2012, Wu et al. [24] introduced an authentication scheme for TMISs that is suitable for mobile devices. Reviewing Wu et al.’s scheme, He et al. [5] found it vulnerable to impersonation and insider attacks and proposed an enhanced variant. Wei et al. [22] then pointed out a weakness shared by both works [5, 24] and proposed a new two-factor authentication scheme for TMISs. Later, Zhu [28] improved Wei et al.’s scheme to withstand off-line password guessing attacks. More recently, Chen et al. [3] came up with a dynamic ID-based authentication scheme for TMISs. Nevertheless, in this paper we first demonstrate that the user identity in Chen et al.’s scheme can be compromised by a dictionary attack, and that the user password can further be derived through a smart card loss attack. We then give an enhanced variant that eliminates these weaknesses.

Chen et al.’s scheme and security weaknesses

In this section, we first briefly review Chen et al.’s scheme [3] and then show its security vulnerabilities.

Review of Chen et al.’s scheme

Chen et al.’s scheme can be divided into registration, login, authentication and password change phases. Let x be the master secret of the remote server and h(·) a collision-resistant one-way hash function. We describe each phase as follows:

Registration phase

A patient U_i with identity ID_i first chooses his password pw_i and a random integer r_i and computes RPW_i = h(r_i, pw_i). The pair (ID_i, RPW_i) is then sent to the medical server S via a secure channel. Upon receiving it, S checks the validity of ID_i and, if ID_i is a new user, sets N = 0 in the registration records. Note that when U_i re-registers with S due to smart card loss, the value N is increased by 1. Then S computes J = h(x, ID_i, N), L = J ⊕ RPW_i and y = h(RPW_i, ID_i), and delivers a smart card containing (L, y) to U_i via a secure channel. After receiving it, U_i stores r_i in the smart card.

Login phase

To log in to the remote TMIS, U_i first enters his (ID_i, pw_i), and the smart card computes RPW_i = h(r_i, pw_i), J = L ⊕ RPW_i, C_1 = h(T_i, J) and AID_i = ID_i ⊕ h(y, T_i), where T_i is the current timestamp. Finally, the login request {AID_i, T_i, RPW_i, C_1} is sent to the remote server S.

Authentication phase

Upon receiving the login request, S first verifies that (T_i′ − T_i) ≤ ΔT, where T_i′ is the receiving time and ΔT is the valid transmission time interval; otherwise, S rejects it. Then S searches the account database for an ID_i′ satisfying h(h(RPW_i, ID_i′), T_i) = AID_i ⊕ ID_i′. If none exists, S terminates the request. S further computes J = h(x, ID_i′, N) and verifies whether C_1 = h(T_i, J). If it holds, ID_i′ is authenticated.

Then S sends {C_2 = h(C_1, J, T_s), T_s}, where T_s is the current timestamp, to U_i. After receiving it, U_i first checks that T_s is within the valid transmission time interval and then computes the session key sk = h(C_2 ⊕ J) for subsequent communication.

Password change phase

To change the password, the user U_i first enters his old and new passwords (pw_i, pw_i*). Then the smart card computes RPW_i′ = h(r_i, pw_i) and y′ = h(RPW_i′, ID_i) and checks whether y′ = y. If it holds, the smart card computes L* = L ⊕ RPW_i′ ⊕ h(r_i, pw_i*) and replaces L with L*.

Security weaknesses of Chen et al.’s scheme

We show that a malicious adversary can (i) reveal the user identity in Chen et al.’s scheme by mounting a dictionary attack and (ii) derive both the user identity and the password in the case of smart card loss, as follows:

(i) Dictionary attacks: An adversary first intercepts a login request {AID_i, T_i, RPW_i, C_1} and chooses a candidate ID_j from the dictionary to check whether

$$ AI{D_i}=I{D_j}\oplus h\left( {h\left( {RP{W_i},I{D_j}} \right),{T_i}} \right). $$

If it does not hold, the adversary repeats the process until the correct one is found. As each user’s identity is an easily remembered word, we claim that the dictionary attack is feasible.

(ii) Smart card loss attacks: Since every smart card stores {L, y, r_i}, an adversary who picks up a lost smart card first retrieves the stored (y, r_i) and then chooses a candidate pair (ID_j, pw_j) to perform off-line password guessing by verifying whether

$$ y=h\left( {h\left( {r_i,pw_j} \right),I{D_j}} \right). $$

If it holds, the adversary has found the correct identity along with the user’s password.

Proposed scheme

In this section, we introduce an enhanced variant motivated by Zhu’s scheme [28] and based on the well-known RSA problem [14]. The notations used are defined in Table 1. The proposed scheme consists of the same four phases as Chen et al.’s scheme. Initially, the medical server S selects two large primes (p, q), computes N = pq, chooses an integer e relatively prime to (p − 1)(q − 1) and derives d satisfying ed ≡ 1 (mod (p − 1)(q − 1)). The parameter d is the master secret of the medical server S. Details of each phase are described as follows:

Table 1 The notations used

Registration phase

A patient U_i with identity ID_i performs the following interactive steps with the remote server S:

Step 1. U_i chooses a password PW_i and an integer t ∈_R Z_N (chosen uniformly at random) to compute

    $$ {W_i}=h\left( {P{W_i}\oplus t} \right), $$
    (1)

and then sends (ID_i, W_i) to the server S via a secure channel.

Step 2. Upon receiving it, the server S computes

    $$ {n_i}={W_i}\oplus h\left( {d\oplus I{D_i}} \right), $$
    (2)

and issues a smart card containing (N, n_i, e) to U_i via the secure channel.

Step 3. After receiving the smart card, U_i stores t in it.

Login phase

To log in to the remote medical server S, U_i first enters his (ID_i, PW_i), and then the smart card chooses k_i ∈_R Z_N (uniformly at random) and computes:

$$ {W_i}=h\left( {P{W_i}\oplus t} \right), $$
(3)
$$ {H_i}={n_i}\oplus {W_i}=h\left( {d\oplus I{D_i}} \right), $$
(4)
$$ CI{D_i}=h\left( {{H_i}\oplus {k_i}} \right), $$
(5)
$$ {R_i}=h\left( {CI{D_i},{k_i},I{D_i},{T_1}} \right),\mathrm{where}\,{{\it T}_1}\,\mathrm{is}\,\mathrm{the}\,\mathrm{current}\,\mathrm{timestamp}, $$
(6)
$$ {X_i}={{\left( {CI{D_i}\left\| {{k_i}} \right\|I{D_i}} \right)}^e}\bmod\,N, $$
(7)

The login request (X_i, R_i, T_1) is then sent to S.

Verification phase

S performs the following steps to authenticate the requesting user and establish a session key between them:

Step 1. Check whether (T_2 − T_1) ≤ ΔT, where T_2 is the receiving time and ΔT is the valid transmission time interval.

Step 2. If it holds, S computes

    $$ \left( {CI{D_i}\left\| {{k_i}} \right\|I{D_i}} \right)=X_i^d\bmod\,N, $$
    (8)
    $$ {H_i}^{\prime }=h\left( {d\oplus I{D_i}} \right), $$
    (9)
    $$ {R_i}^{\prime }=h\left( {h\left( {{H_i}^{\prime} \oplus {k_i}} \right),{k_i},I{D_i},{T_1}} \right), $$
    (10)

and then checks whether CID_i = h(H_i′ ⊕ k_i) and R_i′ = R_i; otherwise, the session is terminated.

Step 3. S further computes

    $$ \lambda =h\left( {{H_i}^{\prime },CI{D_i},{R_i}^{\prime },{T_1},{T_2}} \right), $$
    (11)
    $$ {V_s}=h\left( {\lambda, {H_i}^{\prime },{T_1},{T_2}} \right), $$
    (12)

and returns (V_s, T_2) to U_i.

Step 4. Upon receiving it, U_i checks whether (T_3 − T_2) ≤ ΔT, where T_3 is the receiving time. If it holds, U_i computes

    $$ {\lambda^{\prime }}=h\left( {{H_i},CI{D_i},{R_i},{T_1},{T_2}} \right), $$
    (13)
    $$ {V_s}^{\prime }=h\left( {{\lambda^{\prime }},{H_i},{T_1},{T_2}} \right), $$
    (14)

and then compares whether V_s′ = V_s. If it holds, U_i and the medical server S have authenticated each other, and the parameter λ is used as the session key for subsequent communication.

Password-change phase

To change the password, U_i enters his old and new passwords (PW_i, PW_i′). Then the smart card computes

$$ {n_i}^{\prime }={n_i}\oplus h\left( {P{W_i}\oplus t} \right)\oplus h\left( {P{W_i}^{\prime}\oplus t} \right), $$
(15)

and updates n_i to n_i′.
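The four phases above, carried through end to end as an added, runnable Python example (not the paper’s own code). It assumes a toy model: h(·) is SHA-256 truncated to 64 bits, ID_i, PW_i, k_i and t are 64-bit integers, ⊕ is integer XOR, ‖ is bit-field concatenation, and the RSA modulus is built from two constructed Mersenne primes that are far too small for real use.

```python
import hashlib
import secrets

BITS = 64                     # toy width of h(.) output, ID_i, PW_i, k_i and t (assumption)
# Constructed toy RSA parameters: two Mersenne primes, far too small for real use.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # master secret d of the medical server S

def h(*parts):
    """h(.): SHA-256 over the length-free encoding of the inputs, truncated to BITS bits."""
    m = hashlib.sha256()
    for x in parts:
        m.update(x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big") + b"|")
    return int.from_bytes(m.digest()[:BITS // 8], "big")

def user_register(PW):                 # Registration, step 1: U_i picks t, returns (W_i, t)
    t = secrets.randbits(BITS)
    return h(PW ^ t), t                # W_i = h(PW_i xor t)                          (1)

def server_register(ID, W):            # Registration, step 2: S issues the smart card
    return {"N": N, "n": W ^ h(D ^ ID), "e": E}   # n_i = W_i xor h(d xor ID_i)     (2)

def user_login(card, t, ID, PW, T1):   # Login phase; returns the request and U_i's state
    k = secrets.randbits(BITS)
    W = h(PW ^ t)                      # (3)
    H = card["n"] ^ W                  # (4): equals h(d xor ID_i) only for the right PW_i
    CID = h(H ^ k)                     # (5)
    R = h(CID, k, ID, T1)              # (6)
    X = pow((CID << 2 * BITS) | (k << BITS) | ID, card["e"], card["N"])  # (7)
    return (X, R, T1), (H, CID, R, T1)

def server_verify(msg, T2, dT=5):      # Verification, steps 1-3; None means "rejected"
    X, R, T1 = msg
    if T2 - T1 > dT: return None       # step 1: freshness of T_1
    m = pow(X, D, N)                   # (8) recovers CID_i || k_i || ID_i
    CID, k, ID = m >> 2 * BITS, (m >> BITS) & ((1 << BITS) - 1), m & ((1 << BITS) - 1)
    Hp = h(D ^ ID)                     # (9)
    if CID != h(Hp ^ k) or R != h(h(Hp ^ k), k, ID, T1): return None   # step 2, (10)
    lam = h(Hp, CID, R, T1, T2)        # (11) session key
    return (h(lam, Hp, T1, T2), T2), lam   # (12) V_s sent back with T_2

def user_finish(state, reply, T3, dT=5):   # Verification, step 4 on U_i's side
    H, CID, R, T1 = state
    Vs, T2 = reply
    if T3 - T2 > dT: return None       # freshness of T_2
    lam = h(H, CID, R, T1, T2)         # (13)
    return lam if h(lam, H, T1, T2) == Vs else None   # (14): accept only if V_s' = V_s

def change_password(card, t, PW, PW_new):   # Password-change phase, done on the card
    card["n"] ^= h(PW ^ t) ^ h(PW_new ^ t)  # (15)
```

A wrong password changes H_i, so the server’s check CID_i = h(H_i′ ⊕ k_i) fails; a stale T_1 is rejected before any RSA work is done.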

Security Analyses

We give some discussion of the security of the proposed scheme, showing that it is secure against the following attacks:

(i) Can the proposed scheme withstand ID-theft attacks?

In the login phase, the dynamic ID CID_i is not sent to the remote server S directly. It is embedded in the parameters (X_i, R_i), which are protected by the one-way hash function (OHF) and the intractable RSA problem. Even if an adversary obtains CID_i, he cannot derive the real identity without the random number k_i and the master secret d of the server S.

(ii) Can the proposed scheme withstand privileged insider attacks?

When a user registers with a remote server, the server receives the user identity along with an encapsulated password W_i = h(PW_i ⊕ t). To derive the real password of the user, a malicious server would have to invert the OHF and know the random number t chosen by the user. Consequently, it is impossible for a malicious server to derive the real password of a registered user.

(iii) Can the proposed scheme withstand password guessing attacks?

When an adversary attempts to mount a password guessing attack on the intercepted messages (X_i, R_i, T_1), he faces the difficulty of inverting the OHF and solving the RSA problem. Even if an insider attacker obtains W_i from the secure channel, he still has to find the random number t first.

(iv) Can the proposed scheme withstand impersonation attacks?

To impersonate a legitimate user, an adversary has to generate a valid login request (X_i, R_i, T_1) that passes the server’s authentication. However, without the user’s real password, no adversary can pass the verification of the remote server.

(v) Can the proposed scheme withstand server spoofing attacks?

To masquerade as the remote server in the verification phase, an adversary must return a valid response V_s = h(λ, H_i′, T_1, T_2). However, without the master secret d, the adversary cannot compute the correct V_s and will be detected by the user.

(vi) Can the proposed scheme withstand stolen-verifier attacks?

Since the remote server in the proposed scheme need not maintain a verification table, our scheme does not suffer from the stolen-verifier attack.

(vii) Can the proposed scheme achieve forward secrecy?

In the proposed scheme, the session key λ changes from one communication session to the next. Therefore, even if the session key of a previous session is compromised, the confidentiality of the current session’s messages is still preserved.

(viii) Can the proposed scheme withstand smart card loss attacks?

A smart card stores the information (N, n_i, e, t). An adversary who obtains a lost smart card still cannot derive the user’s password without the master secret d of the remote server, nor generate a valid login request that passes authentication.

Conclusions

Secure remote user authentication for TMISs is a vital application of home healthcare technologies. In this paper, we pointed out some weaknesses of a recently proposed work, Chen et al.’s scheme. To eliminate these security drawbacks, we proposed an enhanced variant and analyzed its security. The proposed scheme is more secure and thus appealing for practical environments.