Abstract
The integrated EPR information system supports convenient and rapid e-medicine services. A secure and efficient authentication scheme for the integrated EPR information system safeguards patients’ electronic patient records (EPRs) and helps health care workers and medical personnel to rapidly make correct clinical decisions. Recently, Wu et al. proposed an efficient password-based user authentication scheme using smart cards for the integrated EPR information system, and claimed that the proposed scheme could resist various malicious attacks. However, their scheme is still vulnerable to lost smart card and stolen verifier attacks. This investigation discusses these weaknesses and proposes a secure and efficient authentication scheme for the integrated EPR information system as an alternative. Compared with related approaches, the proposed scheme not only retains a lower computational cost and does not require verifier tables for storing users’ secrets, but also solves the security problems in previous schemes and withstands possible attacks.
Introduction
Nowadays, with the development of the internet, the integrated EPR information system makes it possible to share patients’ medical histories, including private information, diagnosis records and reports, among hospitals. The security and privacy of EPRs matter to patients, who need to understand how hospitals control the use of their personal information, such as name, telephone, address, e-mail and medical records [1, 2]. Secure and efficient authentication schemes for the integrated EPR information system can realize the goals described above and can help health care workers and medical personnel to rapidly make correct clinical decisions.
Recently, many related authentication approaches for the integrated EPR information system were proposed in succession. For example, Takeda et al. [3] in 2000 proposed the architecture for networked electronic patient record systems. Lee et al. [4] in 2002 proposed a fingerprint-based remote user authentication scheme by using smart cards and biometrics. Lin and Lai [5] in 2004 pointed out that the scheme of Lee et al. was vulnerable to masquerade attacks and proposed an improved flexible scheme to address the security problem. Lee and Chiu [6] in 2005 proposed an improved remote authentication scheme based on the remote authentication scheme using smart cards of Wu and Chieu [7]. Wu et al. [8] in 2010 used pre-computing concepts to develop an efficient authentication scheme for telecare medicine information systems. Later, He et al. [9] stated the weaknesses of the scheme proposed by Wu et al., and proposed an improved scheme to remedy the security weaknesses. In 2012, Wei et al. [10] stated that the authentication schemes of both Wu et al. and He et al. cannot achieve two-factor authentication. Wei et al. also proposed an improved authentication scheme and claimed their scheme could withstand various attacks. However, the scheme of Wei et al. still had weaknesses, as shown by Zhu [11]. In 2012, Wu et al. [12] proposed a reliable user authentication and key agreement scheme for HAI surveillance information system.
Additionally, Wu et al. [2] in 2012 used lower computational operations including hash, exclusive-or and multiplication operations to develop an efficient password-based authentication scheme for the integrated EPR information system. They also claimed their scheme could resist various malicious attacks. However, in the scheme of Wu et al., if an adversary steals a copy of the verifier in the authentication server’s database, then he/she can derive all secrets and successfully masquerade as a legitimate user. Additionally, if an adversary steals a user’s smart card, then he/she knows all the user’s secrets and can easily masquerade as a legitimate user. That is, the scheme of Wu et al. is vulnerable to lost smart card and stolen verifier attacks.
This investigation will discuss the weaknesses of the scheme proposed by Wu et al. Also, a secure and efficient authentication scheme for the integrated EPR information system is proposed. Many approaches have been proposed for overcoming the possible attacks described above. For example, Song in 2010 [13] presented a smart card based password authentication protocol based on the Discrete Logarithm Problem (DLP) [14]. Kumar et al. in 2011 [15] demonstrated the weaknesses of the remote password authentication schemes proposed by Yoon and Yoo [16] and Xiang et al. [17] and presented an improved authentication scheme, which was also based on the Discrete Logarithm Problem (DLP), as an alternative. In addition, Ramasamy and Muniyandi [18] in 2012 developed a smart card based password authentication protocol based on RSA [19]. However, all these authentication schemes required some heavy exponential computations. In order to solve the security problems and provide lower computational cost, the proposed authentication scheme protects the user’s password with a secret key in the user’s smart cards, and uses the one-way hash function to protect users’ passwords for server’s authentications such that the server cannot directly derive them from the revealed messages. Thus, the proposed scheme not only keeps the advantages of the scheme of Wu et al. including a lower computational cost and no verifier tables in the server, but also solves the security problems in previous schemes and withstands possible attacks.
The rest of this paper is organized as follows. The next section defines the notation used in this paper and reviews the scheme of Wu et al. Section “The weaknesses of the scheme of Wu et al.” shows the possible attacks against the scheme of Wu et al. The subsequent section introduces the proposed authentication scheme. The security and performance analyses are described in “Security analyses” and “Performance analyses”. Finally, Section “Conclusions” concludes the paper.
Review of the authentication scheme of Wu et al.
This section first lists the notation used throughout this work and then briefly reviews the authentication scheme created by Wu et al. [2] and its weaknesses. In this work, U denotes the medical service requester (user); ID denotes the identifier of U; and S denotes the integrated EPR information system server, which U registers in. Table 1 lists the notations used throughout this work.
Wu et al. [2] in 2012 proposed a password-based user authentication scheme for the integrated EPR information system. Their scheme comprises four phases, namely the registration, login, verification and password change phases, which work as follows.
Registration phase
A user U registers his/her identity ID and password pw to the integrated EPR information system S by performing the following steps:
- Step 1: User U submits the registration request ID and pw to the server S.
- Step 2: The server S verifies the validity of the user ID, and then computes v = h(K ⊕ ID), where K is the secret number belonging to S.
- Step 3: S finds N such that the sum v⋅pw + N equals a constant secret value H. Then S computes s = h(pw||K).
- Step 4: S personalizes U’s medical smart card with the above parameters {h(⋅), N, s, pw}. The number s is stored in the smart card.
- Step 5: S ⇒ U: Finally, the server S returns the medical smart card to user U through a secure channel.
Login phase
Whenever a user U wants to log in to the integrated EPR information system server S, U inserts his smart card into the smart card reader of a terminal, enters ID and pw, and then executes the following steps.
- Step 1: U’s smart card chooses a random number r1, and then computes C1 = h(s||r1) and C2 = r1⋅pw.
- Step 2: U → S with parameters (N, ID, C1, C2).
Verification phase
After receiving the request message (N, ID, C1, C2) from U, S executes the following steps.
- Step 1: If S successfully verifies the validity of ID, it accepts U’s request; otherwise, it rejects this service request.
- Step 2: Compute v = h(K ⊕ ID) and pw = (H − N)⋅v⁻¹.
- Step 3: Compute r1′ = pw⁻¹⋅C2 = pw⁻¹⋅pw⋅r1 and s′ = h(pw||K).
- Step 4: If h(s′||r1′) equals C1, go to Step 5; otherwise, stop and reply with an error message to U.
- Step 5: Generate the message pair (a, b) for a mutual authentication between S and U, where a = r2 ⊕ h(s′), b = h(pw||r2||r1′), and r2 is a random number.
- Step 6: S → U with (a, b).
After receiving the reply message (a, b) from S, U executes the following steps.
- Step 1: Restore r2′ through r2′ = a ⊕ h(s).
- Step 2: Check b = h(pw||r2′||r1). If successful, user U confirms that S is valid.
- Step 3: U → S with c = h(pw||r1||r2′) for another side authentication.
After receiving the message c from U, S executes the following steps.
- Step 1: Check c = h(pw||r1′||r2). If successful, U is authenticated. Finally, U and S can generate a common session key \( sk=h\left( r_1^{\prime} \| r_2 \right)=h\left( r_1 \| r_2^{\prime} \right) \) used for later secure transmission.
Password change phase
The legal user U changes his/her password by executing the following steps.
- Step 1: U ⇒ S with parameters (ID, pw, \( pw_{new} \)).
- Step 2: S computes v = h(K ⊕ ID) and finds another appropriate \( N^{*} \) such that the value \( v\cdot pw_{new}+N^{*} \) equals the secret value H. Then S computes \( s=h\left( pw_{new} \| K \right) \), and sends it with \( N^{*} \) to U through the secure channel.
The weaknesses of the scheme of Wu et al.
Wu et al. presented an efficient authentication scheme in order to solve the weaknesses of the previous authentication schemes. However, in the authentication scheme of Wu et al., if an adversary steals a copy of the verifier in S’s database, then he/she can derive all secrets and thus can masquerade as a legitimate user. Additionally, if an adversary steals U’s smart card, then he/she knows all U’s secrets and can easily masquerade as the legitimate user U. Thus, the scheme of Wu et al. is vulnerable to lost smart card and stolen verifier attacks. The scenarios are described as follows.
Security against lost smart card attacks
If an adversary \( \mathcal{A} \) steals U’s smart card and obtains the message {h(⋅), N, s, pw}, then he/she can easily compute and send out the request message (N, ID, C1, C2), where r1 is a random number, C1 = h(s||r1) and C2 = r1⋅pw. \( \mathcal{A} \) knows all U’s secrets and thus can masquerade as the legitimate user U. Therefore, the scheme of Wu et al. is vulnerable to lost smart card attacks.
Security against stolen verifier attacks
An adversary \( \mathcal{A} \) steals a copy of the verifier {K, H, h(⋅)} in S’s database and records {ID, N} from a successful authentication of a certain user U. Then \( \mathcal{A} \) computes v = h(K ⊕ ID), pw = (H − N)⋅v⁻¹ and s = h(pw||K). \( \mathcal{A} \) has {h(⋅), N, s, pw} and thus can masquerade as a legitimate user. Therefore, the scheme of Wu et al. is vulnerable to stolen verifier attacks.
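The two weaknesses above can be checked mechanically. The following Python model is an added example, not code from Wu et al. or from the authors of this paper; it shows that a password the server recovers by arithmetic is equivalent to a stored plaintext password. Assumptions not stated on the page: arithmetic is modulo the prime P = 2^521 − 1, h(⋅) is SHA-256, K ⊕ ID is an integer XOR, and the identifier and password are constructed sample values.

```python
import hashlib
import secrets

P = 2**521 - 1  # assumption: prime modulus for the relation v*pw + N = H


def h(*parts: int) -> int:
    """h(x1||x2||...) over fixed-width integers; SHA-256 stands in for h(.)."""
    data = b"".join(p.to_bytes(66, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def to_int(text: str) -> int:
    return int.from_bytes(text.encode(), "big")


def register(K, H, user_id, pw):
    """Registration phase: returns the smart card contents {N, s, pw}."""
    v = h(K ^ user_id)
    N = (H - v * pw) % P
    return {"N": N, "s": h(pw, K), "pw": pw}


def login_request(card, user_id):
    """Login phase: needs nothing beyond what is stored on the card."""
    r1 = secrets.randbelow(P - 1) + 1
    return card["N"], user_id, h(card["s"], r1), r1 * card["pw"] % P


def server_accepts(K, H, request):
    """Verification phase, Steps 2-4, as executed by S."""
    N, user_id, C1, C2 = request
    v = h(K ^ user_id)
    pw = (H - N) * pow(v, -1, P) % P
    r1 = pow(pw, -1, P) * C2 % P
    return h(h(pw, K), r1) == C1


def card_from_verifier(K, H, user_id, N):
    """Stolen verifier: {K, H} plus an observed {ID, N} rebuilds the card."""
    v = h(K ^ user_id)
    pw = (H - N) * pow(v, -1, P) % P
    return {"N": N, "s": h(pw, K), "pw": pw}


def demo():
    K, H = secrets.randbits(256), secrets.randbelow(P)
    # Constructed sample identity and password.
    uid, pw = to_int("patient-0042"), to_int("constructed-password")
    card = register(K, H, uid, pw)
    rebuilt = card_from_verifier(K, H, uid, card["N"])
    return {
        "lost_card_login": server_accepts(K, H, login_request(card, uid)),
        "password_recovered": rebuilt["pw"] == pw,
        "rebuilt_card_login": server_accepts(K, H, login_request(rebuilt, uid)),
    }


if __name__ == "__main__":
    print(demo())
```
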
The proposed secure and efficient authentication scheme
This section presents a secure and efficient authentication scheme, which protects the password with a secret key in the user’s smart cards. To prevent an adversary who steals a user’s smart card from obtaining valuable information and masquerading as a legitimate user, the proposed authentication scheme protects the user’s password with a secret key in the user’s smart cards. Additionally, the proposed scheme uses the one-way hash function to protect users’ passwords for server’s authentications such that the server is able to verify users’ passwords, but cannot directly derive them from the revealed messages. We adopt lower computational operations, such as XOR and hash operations, to develop the proposed scheme. Thus, it can avoid the weaknesses described above and have a lower computational cost. The proposed scheme also comprises registration, login, verification and password change phases, which work as follows.
Registration phase
A user U registers his/her identity ID and password pw to the integrated EPR information system S by performing the following steps.
- Step 1: User U submits the registration request ID and pw to the server S via a secure channel.
- Step 2: The server S verifies the validity of the user ID, and then computes v = h(K ⊕ ID), where K is the secret number of S.
- Step 3: S computes s1 = h(pw||K), s2 = h(h(pw||s1)) and N = v ⊕ s2 ⊕ H, where H is a constant secret value.
- Step 4: S personalizes U’s medical smart card with the above parameters {ID, h(⋅), N, s1}.
- Step 5: S ⇒ U: Finally, the server S returns the medical smart card to user U through a secure channel.
Figure 1 illustrates the login and verification phases of the proposed authentication scheme, which functions as follows.
Login phase
Whenever a user U wants to log in to the integrated EPR information system server S, U inserts his smart card into the smart card reader of a terminal, enters ID and pw, and then executes the following steps.
- Step 1: U’s smart card chooses a random number r1, and then computes s2 = h(h(pw||s1)) and C1 = r1 ⊕ s2.
- Step 2: U → S with parameters (N, ID, C1).
Verification phase
After receiving the request message (N, ID, C1) from U, the integrated EPR information system server S executes the following steps.
- Step 1-1: If S successfully verifies the validity of ID, it accepts U’s request; otherwise, it rejects this service request.
- Step 1-2: Compute v = h(K ⊕ ID) and s2′ = H ⊕ N ⊕ v.
- Step 1-3: Compute r1′ = s2′ ⊕ C1 = s2′ ⊕ (s2 ⊕ r1).
- Step 1-4: Generate the message pair (a, b) for a mutual authentication between S and U, where a = r2 ⊕ h(r1′||s2′), b = h(s2′||r2||r1′), and r2 is a random number.
- Step 1-5: S → U with (a, b).
After receiving the reply message (a, b) from S, U executes the following steps.
- Step 2-1: Compute h(r1||s2) and r2′ = a ⊕ h(r1||s2).
- Step 2-2: Check b = h(s2||r2′||r1). If successful, U confirms that S is valid.
- Step 2-3: Compute C2 = h(r2′||s2) ⊕ h(pw||s1).
- Step 2-4: U → S with C2 for S’s authentication.
After receiving C2 from U, S executes the following steps.
- Step 3-1: Compute u = h(r2||s2′) ⊕ C2 = h(r2||s2′) ⊕ (h(r2′||s2) ⊕ h(pw||s1)).
- Step 3-2: If S successfully checks s2′ = h(u), U is authenticated. Finally, U and S can generate a common session key \( sk=h\left( r_1^{\prime} \| r_2 \right)=h\left( r_1 \| r_2^{\prime} \right) \) used for later secure transmission.
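The registration, login and verification phases above, run end to end as an added Python example (not the authors’ implementation). Assumptions not stated on the page: h(⋅) is SHA-256, K, H, r1 and r2 are 32-byte values, ID is zero-padded to 32 bytes so that K ⊕ ID is defined, and the identifier and passwords in any call are constructed sample values.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    # h(x||y||...), with SHA-256 standing in for the unspecified h(.)
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_id(user_id: str) -> bytes:
    # Assumption: ID is zero-padded to 32 bytes so that K xor ID is defined.
    return user_id.encode().ljust(32, b"\0")


class Server:
    def __init__(self):
        self.K = secrets.token_bytes(32)  # secret number of S
        self.H = secrets.token_bytes(32)  # constant secret value

    def _v(self, user_id: str) -> bytes:
        return h(xor(self.K, pad_id(user_id)))

    def register(self, user_id: str, pw: bytes) -> dict:
        s1 = h(pw, self.K)
        s2 = h(h(pw, s1))
        N = xor(xor(self._v(user_id), s2), self.H)
        return {"ID": user_id, "N": N, "s1": s1}  # smart card contents

    def challenge(self, N: bytes, user_id: str, C1: bytes):
        s2 = xor(xor(self.H, N), self._v(user_id))  # Step 1-2
        r1 = xor(s2, C1)                            # Step 1-3
        r2 = secrets.token_bytes(32)
        self._session = (s2, r1, r2)
        return xor(r2, h(r1, s2)), h(s2, r2, r1)    # Step 1-4: (a, b)

    def verify(self, C2: bytes):
        s2, r1, r2 = self._session
        u = xor(h(r2, s2), C2)                      # Step 3-1
        if not hmac.compare_digest(h(u), s2):       # Step 3-2
            return None
        return h(r1, r2)                            # session key sk


class Card:
    def __init__(self, params: dict):
        self.p = params

    def login(self, pw: bytes):
        self.r1 = secrets.token_bytes(32)
        self.inner = h(pw, self.p["s1"])
        self.s2 = h(self.inner)
        return self.p["N"], self.p["ID"], xor(self.r1, self.s2)

    def respond(self, a: bytes, b: bytes):
        r2 = xor(a, h(self.r1, self.s2))                             # Step 2-1
        server_ok = hmac.compare_digest(b, h(self.s2, r2, self.r1))  # Step 2-2
        self.sk = h(self.r1, r2)
        return server_ok, xor(h(r2, self.s2), self.inner)            # Step 2-3


def run_session(server: Server, card: Card, pw: bytes):
    """One login attempt: returns (server_ok, server_sk_or_None, card_sk)."""
    a, b = server.challenge(*card.login(pw))
    server_ok, C2 = card.respond(a, b)
    return server_ok, server.verify(C2), card.sk
```

With the registered password both sides derive the same sk; with any other password entered on the same card, the check in Step 2-2 fails on the card and S rejects C2 in Step 3-2.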
Password change phase
Any legal user U can change the password by using the following steps.
- Step 1: U ⇒ S with parameters (ID, pw, \( pw_{new} \)).
- Step 2: S computes v = h(K ⊕ ID), \( s_1^{*}=h\left( pw_{new} \| K \right) \), \( s_2^{*}=h\left( h\left( pw \| s_1^{*} \right) \right) \) and \( N^{*}=v\oplus s_2^{*}\oplus H \). Then, S sends \( \left( s_1^{*},\ N^{*} \right) \) to U through the secure channel. Finally, U updates his/her medical smart card as \( \left\{ ID,h\left( \cdot \right),N^{*},s_1^{*} \right\} \).
Security analyses
This section shows that the proposed authentication scheme can resist possible attacks including off-line password guessing attacks, undetectable on-line password guessing attacks, stolen verifier attacks, and lost smart card attacks. For data transmission security, user masquerading detection and server spoofing detection, the analyses of the proposed scheme are similar to those of the scheme of Wu et al. Thus these analyses are not presented here.
Resistance to off-line password guessing attacks
In the proposed scheme, no information helps to verify directly the correctness of the guessed passwords based on C1, (a, b) and C2, where C1 = r1 ⊕ s2, a = r2 ⊕ h(r1||s2), b = h(s2||r2||r1), C2 = h(r2||s2) ⊕ h(pw||s1), s1 = h(pw||K) and s2 = h(h(pw||s1)), because r1 and r2 are two random numbers and are protected by the secret keys s1 and s2. Thus, off-line password guessing attacks are unsuccessful against the proposed protocol.
Resistance to undetectable on-line password guessing attacks
In the proposed scheme, an adversary \( \mathcal{A} \), who masquerades as U, sends a request message (N, ID, \( C_1^{*} \)) to S, where \( C_1^{*} \) may be a previously used message or a random number. Then, S computes v, s2′ and r1′ = s2′ ⊕ \( C_1^{*} \), generates a random number r2, and computes and sends (a, b) to U, where a = r2 ⊕ h(r1′||s2′) and b = h(s2′||r2||r1′). After receiving (a, b), \( \mathcal{A} \) cannot correctly compute C2 = h(r2′||s2) ⊕ h(pw||s1) for S’s authentication without the random secrets r1, r2, and the secret keys s1, s2; then a failed guess must be detected by S in Step 2-4 of the verification phase.
Resistance to stolen verifier attacks
An adversary \( \mathcal{A} \) steals a copy of the verifier {K, H, h(⋅)} in S’s database and records {ID, N} from a successful authentication of a certain user U. Although \( \mathcal{A} \) can obtain s2 by computing v = h(K ⊕ ID) and s2 = H ⊕ N ⊕ v, \( \mathcal{A} \) cannot derive the correct pw because of the one-way hash property, where s1 = h(pw||K), s2 = h(h(pw||s1)). He/she cannot compute and send out the correct messages (N, ID, C1) in the login phase and C2 (= h(r2′||s2) ⊕ h(pw||s1)) in Step 2-4 of the verification phase, and thus cannot masquerade as a legitimate user. Therefore, the proposed scheme can resist the stolen verifier attacks.
Resistance to lost smart card attacks
If an adversary \( \mathcal{A} \) steals U’s smart card and obtains the message {ID, h(⋅), N, s1}, then he/she cannot compute and send out the correct messages (N, ID, C1) in the login phase and C2 in Step 2-4 of the verification phase, without the correct pw, where r1 is a random number, s2 = h(h(pw||s1)) = h²(pw||s1), C1 = r1 ⊕ s2, and C2 = h(r2′||s2) ⊕ h(pw||s1). A failed login will be detected by S in Step 3-2 of the authentication phase, and thus the proposed scheme can resist lost smart card attacks.
Performance analyses
Table 2 lists the performance comparisons of related schemes and the proposed scheme. Neither the scheme of Wu et al. nor the proposed scheme requires heavy exponential operations or elliptic curve exponential operations, and thus both are more efficient than other related schemes. Although the scheme of Wu et al. requires fewer hash function operations than the proposed scheme, the scheme of Wu et al. employs multiplication operations and requires more computations to find the inverses of some numbers. Moreover, the proposed scheme solves the security problems in previous schemes and withstands possible attacks. Thus, the proposed scheme is superior to other related schemes.
Conclusions
This investigation addresses the weaknesses of the authentication scheme of Wu et al., including suffering from the stolen verifier attacks and lost smart card attacks. This investigation also presents a secure and efficient authentication scheme for the integrated EPR information system. The proposed authentication scheme still retains lower computational cost and does not require verifier tables for storing users’ secrets. Additionally, the proposed scheme solves the security problems in previous schemes and withstands possible attacks. Thus, the proposed authentication scheme for the integrated EPR information system can provide users with a secure and efficient practical environment.
References
Chen, T. L., Chung, Y. F., and Lin, F. Y. S., A study on agent-based secure scheme for electronic medical record system. J. Med. Syst. 2012. doi:10.1007/s10916-010-9595-8.
Wu, Z. P., Chung, Y., Lai, F., and Chen, T. S., A password-based user authentication scheme for the integrated EPR information system. J. Med. Syst. 36(2):631–638, 2012.
Takeda, H., Matsumura, Y., and Kuwata, S., Architecture for networked electronic patient record systems. Int. J. Med. Inform. 60(2):161–167, 2000.
Lee, J. K., Ryu, S. R., and Yoo, K. Y., Fingerprint-based remote user authentication scheme using smart cards. Electron. Lett. 38(12):554–555, 2002.
Lin, C. H., and Lai, Y. Y., A flexible biometrics remote user authentication scheme. Comput. Stand. Interfaces 27(1):19–23, 2004.
Lee, N. Y., and Chiu, Y. C., Improved remote authentication scheme with smart card. Comput. Stand. Interfaces 27(2):177–180, 2005.
Wu, S. T., and Chieu, B. C., A user friendly remote authentication scheme with smart cards. Comput. Secur. 22(6):547–550, 2003.
Wu, Z. Y., Lee, Y. C., Lai, F., Lee, H. C., and Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 2010. doi:10.1007/s10916-010-9614-9.
He, D. B., Chen, J. H., and Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 2011. doi:10.1007/s10916-011-9658-5.
Wei, J., Hu, X., and Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 2012. doi:10.1007/s10916-012-9835-1.
Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 2012. doi:10.1007/s10916-012-9856-9.
Wu, Z. Y., Tseng, Y. J., Chung, Y., Chen, Y. C., and Lai, F., A reliable user authentication and key agreement scheme for Web-based Hospital-acquired Infection Surveillance Information System. J. Med. Syst. 36:2547–2555, 2012.
Song, R., Advanced smart card based password authentication protocol. Comput. Stand. Interfaces 32(5–6):321–325, 2010.
Stallings, W., Cryptography and network security: principles and practice, 2nd edition. Prentice Hall, Upper Saddle River, 1999.
Kumar, M., Gupta, M. K., and Kumari, S., An improved efficient remote password authentication scheme with smart card over insecure network. Int. J. Netw. Secur. 13(3):167–177, 2011.
Yoon, E. J., and Yoo, K. Y., Drawbacks of Liao et al.’s password authentication scheme. International Conference on Next Generation Web Services Practices (NWeSP 2006), Seoul, Korea, 2006.
Xiang, T., Wong, K. W., and Liao, X., Cryptanalysis of a password authentication scheme over insecure networks. J. Comput. Syst. Sci. 74(5):657–661, 2008.
Ramasamy, R., and Muniyandi, A. P., An efficient password authentication scheme for smart card. Int. J. Netw. Secur. 14(3):180–186, 2012.
Rivest, R. L., Shamir, A., and Adleman, L., A method for obtaining digital signature and public key cryptosystems. Commun. ACM 21(2):120–126, 1978.
Lu, R., Cao, Z., Chai, Z., and Liang, X., A simple user authentication scheme for grid computing. Int. J. Netw. Secur. 7(2):202–206, 2008.
Wang, Y. Y., Liu, J. Y., Xiao, F. X., and Dan, J., A more efficient and secure dynamic ID-based remote user authentication scheme. Comput. Commun. 32:583–585, 2009.
Acknowledgment
The authors would like to thank the editor and the anonymous referees for their valuable comments. This work was supported in part by the National Science Council of the Republic of China under the Grant NSC 100-2221-E-320-004.
Cite this article
Lee, TF., Chang, IP., Lin, TH. et al. A Secure and Efficient Password-Based User Authentication Scheme Using Smart Cards for the Integrated EPR Information System. J Med Syst 37, 9941 (2013). https://doi.org/10.1007/s10916-013-9941-8
DOI: https://doi.org/10.1007/s10916-013-9941-8