Introduction

Nowadays, with the development of the internet, the integrated EPR information system makes it possible to share patients’ medical histories, such as patients’ privacy, diagnosis records and reports, among hospitals. The security and privacy issues of EPRs are important for patients to understand how hospitals control the use of their personal information, such as name, telephone, address, e-mail and medical records [1, 2]. Secure and efficient authentication schemes for the integrated EPR information system can realize the goals described above and can help health care workers and medical personnel to rapidly make correct clinical decisions.

Recently, many related authentication approaches for the integrated EPR information system have been proposed in succession. For example, Takeda et al. [3] in 2000 proposed the architecture for networked electronic patient record systems. Lee et al. [4] in 2002 proposed a fingerprint-based remote user authentication scheme using smart cards and biometrics. Lin and Lia [5] in 2004 pointed out that the scheme of Lee et al. was vulnerable to masquerade attacks and proposed an improved flexible scheme to enhance its security. Lee and Chiu [6] in 2005 proposed an improved remote authentication scheme based on the smart card remote authentication scheme of Wu and Chieu [7]. Wu et al. [8] in 2010 used pre-computing concepts to develop an efficient authentication scheme for telecare medicine information systems. Later, He et al. [9] stated the weaknesses of the scheme proposed by Wu et al., and proposed an improved scheme to remedy those security weaknesses. In 2012, Wei et al. [10] stated that neither the authentication scheme of Wu et al. nor that of He et al. can achieve two-factor authentication. Wei et al. also proposed an improved authentication scheme and claimed their scheme could withstand various attacks. However, the scheme of Wei et al. still had weaknesses, as was shown by Zhu [11]. In 2012, Wu et al. [12] proposed a reliable user authentication and key agreement scheme for the HAI surveillance information system.

Additionally, Wu et al. [2] in 2012 used lower-cost computational operations, including hash, exclusive-or and multiplication operations, to develop an efficient password-based authentication scheme for the integrated EPR information system. They also claimed their scheme could resist various malicious attacks. However, in the scheme of Wu et al., if an adversary steals a copy of the verifier in the authentication server’s database, then the adversary can derive all secrets and successfully masquerade as a legitimate user. Additionally, if an adversary steals a user’s smart card, then he/she knows all the user’s secrets and can easily masquerade as a legitimate user. That is, the scheme of Wu et al. is vulnerable to lost smart card and stolen verifier attacks.

This investigation discusses the weaknesses of the scheme proposed by Wu et al. and proposes a secure and efficient authentication scheme for the integrated EPR information system. Many approaches have been proposed for overcoming the possible attacks described above. For example, Song in 2010 [13] presented a smart card based password authentication protocol based on the Discrete Logarithm Problem (DLP) [14]. Kumar et al. in 2011 [15] demonstrated the weaknesses of the remote password authentication schemes proposed by Yoon and Yoo [16] and Xiang et al. [17] and presented an improved authentication scheme, also based on the DLP, as an alternative. In addition, Ramasamy and Muniyandi [18] in 2012 developed a smart card based password authentication protocol based on RSA [19]. However, all these authentication schemes require some heavy exponential computations. In order to solve the security problems at a lower computational cost, the proposed authentication scheme protects the user’s password with a secret key in the user’s smart card, and uses the one-way hash function to protect users’ passwords during the server’s authentication such that the server cannot directly derive them from the revealed messages. Thus, the proposed scheme not only keeps the advantages of the scheme of Wu et al., including a lower computational cost and no verifier tables in the server, but also solves the security problems in previous schemes and withstands possible attacks.

The rest of this paper is organized as follows. The next section defines the notation used in this paper and reviews the scheme of Wu et al. Section “The weaknesses of the scheme of Wu et al.” shows the possible attacks against the scheme of Wu et al. The subsequent section introduces the proposed authentication scheme. The security and performance analyses are described in “Security analyses” and “Performance analyses”. Finally, Section “Conclusions” concludes the paper.

Review of the authentication scheme of Wu et al.

This section first lists the notation used throughout this work and then briefly reviews the authentication scheme created by Wu et al. [2] and its weaknesses. In this work, U denotes the medical service requester (user); ID denotes the identifier of U; and S denotes the integrated EPR information system server, which U registers in. Table 1 lists the notations used throughout this work.

Table 1 Notation

Wu et al. [2] in 2012 proposed a password-based user authentication scheme for the integrated EPR information system. Their scheme comprises four phases, namely the registration, login, verification and password change phases, which work as follows.

Registration phase

A user U registers his/her identity ID and password pw to the integrated EPR information system S by performing the following steps:

  1. Step 1:

    User U submits the registration request ID and pw to the server S.

  2. Step 2:

    The server S verifies the validity of the user ID, and then computes \( v = h(K \oplus ID) \), where K is the secret number belonging to S.

  3. Step 3:

    S finds N such that the sum \( v \cdot pw + N \) equals a constant secret value H. Then S computes \( s = h(pw \| K) \).

  4. Step 4:

    S personalizes U’s medical smart card with the above parameters \( \{h(\cdot), N, s, pw\} \). The number s is stored in the smart card.

  5. Step 5:

    S → U: Finally, the server S returns the medical smart card to user U through a secure channel.

Login phase

Whenever a user U wants to log in to the integrated EPR information system server S, U inserts his/her smart card into the smart card reader of a terminal, enters ID and pw, and then executes the following steps.

  1. Step 1:

    U’s smart card chooses a random number \( r_1 \), and then computes \( C_1 = h(s \| r_1) \) and \( C_2 = r_1 \cdot pw \).

  2. Step 2:

    U → S with parameters \( (N, ID, C_1, C_2) \).

Verification phase

After receiving the request message \( (N, ID, C_1, C_2) \) from U, S executes the following steps.

  1. Step 1:

    If S successfully verifies the validity of ID, then it accepts U’s request; otherwise, it rejects this service request.

  2. Step 2:

    Compute \( v = h(K \oplus ID) \) and \( pw = (H - N) \cdot v^{-1} \).

  3. Step 3:

    Compute \( r_1' = pw^{-1} \cdot C_2 = pw^{-1} \cdot pw \cdot r_1 \) and \( s' = h(pw \| K) \).

  4. Step 4:

    If \( h(s' \| r_1') \) equals \( C_1 \), go to Step 5; otherwise, stop and reply to U with an error message.

  5. Step 5:

    Generate the message pair (a, b) for mutual authentication between S and U, where \( a = r_2 \oplus h(s') \), \( b = h(pw \| r_2 \| r_1') \), and \( r_2 \) is a random number.

  6. Step 6:

    S → U with (a, b).

After receiving the reply message (a, b) from S, U executes the following steps.

  1. Step 1:

    Restore \( r_2' \) through \( r_2' = a \oplus h(s) \).

  2. Step 2:

    Check \( b = h(pw \| r_2' \| r_1) \). If successful, user U confirms that S is valid.

  3. Step 3:

    U → S with \( c = h(pw \| r_1 \| r_2') \) for the other side’s authentication.

After receiving the message c from U, S executes the following steps.

  1. Step 1:

    Check \( c = h(pw \| r_1' \| r_2) \). If successful, U is authenticated. Finally, U and S can generate a common session key \( sk = h(r_1' \| r_2) = h(r_1 \| r_2') \) used for later secure transmission.

Password change phase

The legal user U changes his/her password by executing the following steps.

  1. Step 1:

    U → S with parameters \( (ID, pw, pw_{new}) \).

  2. Step 2:

    S computes \( v = h(K \oplus ID) \) and finds another appropriate \( N^{*} \) such that the value \( v \cdot pw_{new} + N^{*} \) equals the secret value H. Then S computes \( s = h(pw_{new} \| K) \), and sends it with \( N^{*} \) to U through the secure channel.

The weaknesses of the scheme of Wu et al.

Wu et al. presented an efficient authentication scheme in order to solve the weaknesses of the previous authentication schemes. However, in the authentication scheme of Wu et al., if an adversary steals a copy of the verifier in S’s database, then the adversary can derive all secrets and thus can masquerade as a legitimate user. Additionally, if an adversary steals U’s smart card, then he/she knows all of U’s secrets and can easily masquerade as the legitimate user U. Thus, the scheme of Wu et al. is vulnerable to lost smart card and stolen verifier attacks. The scenarios are described as follows.

Security against lost smart card attacks

If an adversary \( \mathcal{A} \) steals U’s smart card and obtains the message \( \{h(\cdot), N, s, pw\} \), then he/she can easily compute and send out the request message \( (N, ID, C_1, C_2) \), where \( r_1 \) is a random number, \( C_1 = h(s \| r_1) \) and \( C_2 = r_1 \cdot pw \). Since \( \mathcal{A} \) knows all of U’s secrets, he/she can masquerade as the legitimate user U. Therefore, the scheme of Wu et al. is vulnerable to lost smart card attacks.

Security against stolen verifier attacks

An adversary \( \mathcal{A} \) steals a copy of the verifier \( \{K, H, h(\cdot)\} \) in S’s database and records {ID, N} from a successful authentication of a certain user U. Then \( \mathcal{A} \) computes \( v = h(K \oplus ID) \), \( pw = (H - N) \cdot v^{-1} \) and \( s = h(pw \| K) \). \( \mathcal{A} \) has \( \{h(\cdot), N, s, pw\} \) and thus can masquerade as a legitimate user. Therefore, the scheme of Wu et al. is vulnerable to stolen verifier attacks.
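The following added example (not code from the paper or from Wu et al.) replays the two analyses above to show why both the server verifier {K, H} and the card contents are password-equivalent in this scheme. It assumes SHA-256 for h(⋅), arithmetic modulo a prime P (the page does not state the arithmetic domain), and constructed sample identities; all function names are hypothetical.

```python
import hashlib
import secrets

P = 2**521 - 1  # assumed prime modulus; the page does not fix the arithmetic domain

def h(*parts: int) -> int:
    """h(x1 || x2 || ...): SHA-256 over fixed-width encodings (assumed instantiation)."""
    data = b"".join(p.to_bytes(66, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def to_int(text: str) -> int:
    return int.from_bytes(text.encode(), "big")

def wu_register(K, H, ID, pw):
    """Registration Steps 2-4: returns the smart card contents {N, s, pw}."""
    v = h(K ^ ID)
    N = (H - v * pw) % P              # N chosen so that v*pw + N = H (mod P)
    return {"N": N, "s": h(pw, K), "pw": pw}

def recover_from_verifier(K, H, ID, N):
    """Verification Step 2 as S runs it: needs only K, H and the public (ID, N)."""
    v = h(K ^ ID)
    pw = (H - N) * pow(v, -1, P) % P
    return pw, h(pw, K)

def login_request(card, ID):
    """Login Steps 1-2: computed from the card contents alone."""
    r1 = secrets.randbelow(P - 1) + 1
    return card["N"], ID, h(card["s"], r1), r1 * card["pw"] % P

def server_accepts(K, H, request):
    """Verification Steps 2-4 on the server side."""
    N, ID, C1, C2 = request
    pw, s = recover_from_verifier(K, H, ID, N)
    r1 = pow(pw, -1, P) * C2 % P
    return h(s, r1) == C1

def demo():
    K, H = secrets.randbelow(P), secrets.randbelow(P)          # constructed server secrets
    ID, pw = to_int("patient-0042"), to_int("correct horse")   # constructed user data
    card = wu_register(K, H, ID, pw)
    # Anyone holding {K, H} plus an observed (ID, N) rebuilds the full card contents.
    pw2, s2 = recover_from_verifier(K, H, ID, card["N"])
    rebuilt = {"N": card["N"], "s": s2, "pw": pw2}
    return rebuilt == card, server_accepts(K, H, login_request(rebuilt, ID))
```

`demo()` returns `(True, True)`: the values rebuilt from the verifier match the card, and a login built from them passes Step 4, which is the property the proposed scheme removes by storing neither pw nor a value from which pw can be inverted.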

The proposed secure and efficient authentication scheme

This section presents a secure and efficient authentication scheme, which protects the password with a secret key in the user’s smart card. This prevents an adversary who steals a user’s smart card from obtaining the valuable message and masquerading as a legitimate user. Additionally, the proposed scheme uses the one-way hash function to protect users’ passwords during the server’s authentication such that the server is able to verify users’ passwords, but cannot directly derive them from the revealed messages. We adopt lower-cost computational operations, such as XOR and hash operations, to develop the proposed scheme. Thus, it can avoid the weaknesses described above and has a lower computational cost. The proposed scheme also comprises registration, login, verification and password change phases, which work as follows.

Registration phase

A user U registers his/her identity ID and password pw to the integrated EPR information system S by performing the following steps.

  1. Step 1:

    User U submits the registration request ID and pw to the server S via a secure channel.

  2. Step 2:

    The server S verifies the validity of the user ID, and then computes \( v = h(K \oplus ID) \), where K is the secret number of S.

  3. Step 3:

    S computes \( s_1 = h(pw \| K) \), \( s_2 = h(h(pw \| s_1)) \) and \( N = v \oplus s_2 \oplus H \), where H is a constant secret value.

  4. Step 4:

    S personalizes U’s medical smart card with the above parameters \( \{ID, h(\cdot), N, s_1\} \).

  5. Step 5:

    S → U: Finally, the server S returns the medical smart card to user U through a secure channel.

Figure 1 illustrates the login and verification phases of the proposed authentication scheme, which functions as follows.

Fig. 1 The login and verification phases of the proposed authentication scheme

Login phase

Whenever a user U wants to log in to the integrated EPR information system server S, U inserts his/her smart card into the smart card reader of a terminal, enters ID and pw, and then executes the following steps.

  1. Step 1:

    U’s smart card chooses a random number \( r_1 \), and then computes \( s_2 = h(h(pw \| s_1)) \) and \( C_1 = r_1 \oplus s_2 \).

  2. Step 2:

    U → S with parameters \( (N, ID, C_1) \).

Verification phase

After receiving the request message \( (N, ID, C_1) \) from U, the integrated EPR information system server S executes the following steps.

  1. Step 1-1:

    If S successfully verifies the validity of ID, then it accepts U’s request; otherwise, it rejects this service request.

  2. Step 1-2:

    Compute \( v = h(K \oplus ID) \) and \( s_2' = H \oplus N \oplus v \).

  3. Step 1-3:

    Compute \( r_1' = s_2' \oplus C_1 = s_2' \oplus (s_2 \oplus r_1) \).

  4. Step 1-4:

    Generate the message pair (a, b) for mutual authentication between S and U, where \( a = r_2 \oplus h(r_1' \| s_2') \), \( b = h(s_2' \| r_2 \| r_1') \), and \( r_2 \) is a random number.

  5. Step 1-5:

    S → U with (a, b).

After receiving the reply message (a, b) from S, U executes the following steps.

  1. Step 2-1:

    Compute \( h(r_1 \| s_2) \) and \( r_2' = a \oplus h(r_1 \| s_2) \).

  2. Step 2-2:

    Check \( b = h(s_2 \| r_2' \| r_1) \). If successful, U confirms that S is valid.

  3. Step 2-3:

    Compute \( C_2 = h(r_2' \| s_2) \oplus h(pw \| s_1) \).

  4. Step 2-4:

    U → S with \( C_2 \) for S’s authentication.

After receiving \( C_2 \) from U, S executes the following steps.

  1. Step 3-1:

    Compute \( u = h(r_2 \| s_2') \oplus C_2 = h(r_2 \| s_2') \oplus (h(r_2 \| s_2) \oplus h(pw \| s_1)) \).

  2. Step 3-2:

    If S successfully checks \( s_2' = h(u) \), U is authenticated. Finally, U and S can generate a common session key \( sk = h(r_1' \| r_2) = h(r_1 \| r_2') \) used for later secure transmission.
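The registration, login and verification phases above, run end to end with both sides’ messages, as an added example that is not the authors’ code. It assumes SHA-256 for h(⋅), 256-bit secrets and nonces, and fixed-width encoding for concatenation; the class and function names and the `check_b` switch are hypothetical, the latter only so that the server’s Step 3-2 check can be exercised with a wrong password.

```python
import hashlib
import secrets

def h(*parts: int) -> int:
    """h(x1 || x2 || ...): SHA-256 over fixed-width encodings (assumed instantiation)."""
    data = b"".join(p.to_bytes(64, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def to_int(text: str) -> int:
    return int.from_bytes(text.encode(), "big")

class Server:
    def __init__(self):
        self.K, self.H = secrets.randbits(256), secrets.randbits(256)

    def register(self, ID, pw):                 # registration Steps 2-4
        s1 = h(pw, self.K)
        s2 = h(h(pw, s1))
        return {"ID": ID, "N": h(self.K ^ ID) ^ s2 ^ self.H, "s1": s1}

    def challenge(self, N, ID, C1):             # Steps 1-2 to 1-5
        self.s2 = self.H ^ N ^ h(self.K ^ ID)
        self.r1 = self.s2 ^ C1
        self.r2 = secrets.randbits(256)
        return self.r2 ^ h(self.r1, self.s2), h(self.s2, self.r2, self.r1)

    def finish(self, C2):                       # Steps 3-1 and 3-2
        u = h(self.r2, self.s2) ^ C2
        return h(self.r1, self.r2) if h(u) == self.s2 else None

class CardSession:
    def __init__(self, card, pw):
        self.card, self.pw = card, pw

    def login(self):                            # login Steps 1-2
        self.s2 = h(h(self.pw, self.card["s1"]))
        self.r1 = secrets.randbits(256)
        return self.card["N"], self.card["ID"], self.r1 ^ self.s2

    def respond(self, a, b, check_b=True):      # Steps 2-1 to 2-4
        r2 = a ^ h(self.r1, self.s2)
        if check_b and b != h(self.s2, r2, self.r1):
            return None                         # S not confirmed as valid
        return h(r2, self.s2) ^ h(self.pw, self.card["s1"]), h(self.r1, r2)

def run(server, card, pw, check_b=True):
    """Returns (session key at U, session key at S); None marks a rejection."""
    user = CardSession(card, pw)
    reply = user.respond(*server.challenge(*user.login()), check_b=check_b)
    if reply is None:
        return None, None
    C2, sk_user = reply
    return sk_user, server.finish(C2)
```

With the registered password both sides derive the same sk; with the card and a wrong password the run stops at Step 2-2, or at Step 3-2 when `check_b=False`.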

Password change phase

Any legal user U can change the password by using the following steps.

  1. Step 1:

    U → S with parameters \( (ID, pw, pw_{new}) \).

  2. Step 2:

    S computes \( v = h(K \oplus ID) \), \( s_1^{*} = h(pw_{new} \| K) \), \( s_2^{*} = h(h(pw \| s_1^{*})) \) and \( N^{*} = v \oplus s_2^{*} \oplus H \). Then, S sends \( (s_1^{*}, N^{*}) \) to U through the secure channel. Finally, U updates his/her medical smart card as \( \{ID, h(\cdot), N^{*}, s_1^{*}\} \).

Security analyses

This section shows that the proposed authentication scheme can resist possible attacks including off-line password guessing attacks, undetectable on-line password guessing attacks, stolen verifier attacks, and lost smart card attacks. For data transmission security, user masquerading detection and server spoofing detection, the analyses of the proposed scheme are similar to those of the scheme of Wu et al. Thus these analyses are not presented here.

Resistance to off-line password guessing attacks

In the proposed scheme, no information helps to directly verify the correctness of guessed passwords based on \( C_1 \), (a, b) and \( C_2 \), where \( C_1 = r_1 \oplus s_2 \), \( a = r_2 \oplus h(r_1 \| s_2) \), \( b = h(s_2 \| r_2 \| r_1) \), \( C_2 = h(r_2 \| s_2) \oplus h(pw \| s_1) \), \( s_1 = h(pw \| K) \) and \( s_2 = h(h(pw \| s_1)) \), because \( r_1 \) and \( r_2 \) are two random numbers and are protected by the secret keys \( s_1 \) and \( s_2 \). Thus, off-line password guessing attacks are unsuccessful against the proposed protocol.

Resistance to undetectable on-line password guessing attacks

In the proposed scheme, an adversary \( \mathcal{A} \), disguised as U, sends a request message \( (N, ID, C_1^{*}) \) to S, where \( C_1^{*} \) may be a previously used message or a random number. Then, S computes v, \( s_2' \) and \( r_1' = s_2' \oplus C_1^{*} \), generates a random number \( r_2 \), and computes and sends (a, b) to U, where \( a = r_2 \oplus h(r_1' \| s_2') \) and \( b = h(s_2' \| r_2 \| r_1') \). After receiving (a, b), \( \mathcal{A} \) cannot correctly compute \( C_2 = h(r_2' \| s_2) \oplus h(pw \| s_1) \) for S’s authentication without the random secrets \( r_1 \), \( r_2 \) and the secret keys \( s_1 \), \( s_2 \); thus a failed guess must be detected by S in Step 2-4 of the verification phase.

Resistance to stolen verifier attacks

An adversary \( \mathcal{A} \) steals a copy of the verifier \( \{K, H, h(\cdot)\} \) in S’s database and records {ID, N} from a successful authentication of a certain user U. Although \( \mathcal{A} \) can obtain \( s_2 \) by computing \( v = h(K \oplus ID) \) and \( s_2 = H \oplus N \oplus v \), \( \mathcal{A} \) cannot derive the correct pw because of the one-way hash property, where \( s_1 = h(pw \| K) \) and \( s_2 = h(h(pw \| s_1)) \). He/she cannot compute and send out the correct messages \( (N, ID, C_1) \) in the login phase and \( C_2 \) \( (= h(r_2' \| s_2) \oplus h(pw \| s_1)) \) in Step 2-4 of the verification phase, and thus cannot masquerade as a legitimate user. Therefore, the proposed scheme can resist stolen verifier attacks.

Resistance to lost smart card attacks

If an adversary \( \mathcal{A} \) steals U’s smart card and obtains the message \( \{ID, h(\cdot), N, s_1\} \), then he/she cannot compute and send out the correct messages \( (N, ID, C_1) \) in the login phase and \( C_2 \) in Step 2-4 of the verification phase without the correct pw, where \( r_1 \) is a random number, \( s_2 = h(h(pw \| s_1)) = h^2(pw \| s_1) \), \( C_1 = r_1 \oplus s_2 \) and \( C_2 = h(r_2' \| s_2) \oplus h(pw \| s_1) \). A failed login will be detected by S in Step 3-2 of the authentication phase, and thus the proposed scheme can resist lost smart card attacks.

Performance analyses

Table 2 lists the performance comparisons of related schemes and the proposed scheme. Neither the scheme of Wu et al. nor the proposed scheme requires heavy exponential operations or elliptic curve exponential operations, and thus both are more efficient than other related schemes. Although the scheme of Wu et al. requires fewer hash function operations than the proposed scheme, the scheme of Wu et al. employs multiplication operations and requires more computations to find the inverses of some numbers. Moreover, the proposed scheme solves the security problems in previous schemes and withstands possible attacks. Thus, the proposed scheme is superior to other related schemes.

Table 2 The performance comparisons of the related schemes and the proposed scheme

Conclusions

This investigation addresses the weaknesses of the authentication scheme of Wu et al., namely its vulnerability to stolen verifier attacks and lost smart card attacks. This investigation also presents a secure and efficient authentication scheme for the integrated EPR information system. The proposed authentication scheme still retains a lower computational cost and does not require verifier tables for storing users’ secrets. Additionally, the proposed scheme solves the security problems in previous schemes and withstands possible attacks. Thus, the proposed authentication scheme for the integrated EPR information system can provide users with a secure, efficient and practical environment.