Introduction

With the rapid development of computer network technology, telecare medical information systems (TMIS) provide a way to connect patients, doctors and a medical server. By building a TMIS, hospitals try to cut medical costs and time while improving the quality of medical service, and many patients can be diagnosed at home. The medical server holds patients' private medical information such as names, telephone numbers and past medical history. Patients can send current readings of their body data to the server via the Internet, and doctors can give advice based on the accumulated health data. For patients with chronic illnesses, this saves a great deal of time travelling between home and hospital.

Against this background, we have started initial research on a telecare medical information system for residents who find it inconvenient to go to hospital. Elderly or disabled people with chronic illnesses can get timely advice from doctors without visiting the hospital regularly, and anyone can consult a doctor about recent symptoms. Doctors can monitor patients' physiological data and make decisions accordingly. Users must be authenticated and the messages between the communicating entities must be protected. To preserve privacy, an authentication scheme must be built into the TMIS so that the service is available only to legitimate users, whether patients or doctors. User authentication is therefore essential for such remote systems. Our contribution is a new secure authentication scheme for this system.

To strengthen security, schemes based on smart cards and passwords have appeared; they are two-factor authentication schemes. However, the information stored in a smart card can be extracted [9, 11], so a sound smart-card-based authentication scheme must remain secure even when the information in the card is stolen.

Recently, many two-factor authentication schemes for TMIS have been proposed, and unfortunately some of them were soon broken. In 2012, Wu et al. [15] proposed a remote user authentication scheme for telecare medical services. He et al. [5] pointed out that Wu et al.'s scheme [15] was vulnerable to impersonation attacks and insider attacks, and proposed a new scheme for TMIS. Wei et al. [13] then showed that the schemes in [5, 15] did not actually achieve two-factor authentication and proposed an improved scheme. Soon afterwards Zhu [17] pointed out that the scheme in [13] was vulnerable to an off-line password guessing attack and proposed a new scheme based on RSA. However, none of the schemes in [5, 13, 15, 17] protects the user's identity: in all of them the user's identity is sent in plaintext over the network.

In 2004, Das et al. [4] proposed a dynamic ID-based authentication scheme to conceal the user's identity in transit, and many ID-based schemes have followed. However, many of them have been attacked [3, 8, 12, 14]. In 2012, Chen et al. [2] showed that Khan et al.'s scheme [8] did not provide anonymity and presented a new dynamic ID-based authentication scheme with smart cards for TMIS. Then Cao et al. [1], Xie et al. [16], Lin [10] and Jiang et al. [7] all demonstrated that Chen et al.'s scheme [2] had weaknesses such as off-line password guessing attacks, tracking attacks and lack of privacy protection, and each proposed a scheme of their own. Unfortunately, we find that in Jiang et al.'s scheme [7] the user's identity is never used, and that the scheme is vulnerable to off-line password guessing, user impersonation and DoS attacks. We therefore propose an improved authentication scheme for TMIS that protects the user's privacy.

The rest of the paper is organized as follows. The next section gives the notations and definitions used throughout the paper. The section "Review of Jiang et al.'s scheme" briefly reviews their scheme, and the section "Security analysis of Jiang et al.'s scheme" shows its weaknesses. The sections "System environment and the improved scheme" and "Security analysis and comparison" present the framework of the project and the improved authentication scheme, then analyze its security and performance. The last section draws conclusions.

Notations and definitions

In this section we list the notations used throughout the paper; they are defined in Table 1. We also state the premises under which the schemes are analyzed, given as definitions after Table 1:

Table 1 Notations in the paper

Definition 1

A user's password is drawn from a finite dictionary, so it can be enumerated and guessed in polynomial time.

Definition 2

The secret number x held by S is a high-entropy key that cannot be guessed in polynomial time.

Definition 3

The hash function h(.) and the symmetric key cryptosystem are secure (e.g. SHA-1 and AES in the paper's performance figures; note that SHA-1 is no longer considered collision resistant, so a deployment would substitute a hash such as SHA-256).

Definition 4

The attacker A has full control over the communication channel between the user and the remote server. In addition, A may either (1) obtain a user's password, or (2) obtain the user's smart card and extract the secret parameters stored in it, but not both.

Review of Jiang et al.’s scheme

In this section we briefly review Jiang et al.'s scheme [7]. It consists of five phases: registration, login, authentication, password change and lost smart card revocation.

Registration phase

The user registers or re-registers with the remote server. A person who wants to become a new legitimate user U_i performs the following steps over a secure channel:

  (1) U_i → S: {ID_i, RPW_i}.

      U_i selects an identity ID_i and a password PW_i, generates a random number r_i, computes RPW_i = h(r_i||PW_i) and sends the message R = {ID_i, RPW_i} to the server S.

  (2) S → U_i: smart card.

      Upon receiving R, S verifies that ID_i is valid and rejects the request otherwise. S then checks its account records: if U_i is a new user, S adds (ID_i, N = 0) to the database; otherwise S sets N = N + 1. S then chooses a random number b and computes

    $$\begin{array}{l} J_{i} = h(x||ID_{i}||N) \\ L_{i} = J_{i}\oplus RPW_{i} \\ AID_{i} = E_{x}(ID_{i}||b) \end{array} $$

      Finally, S stores (L_i, AID_i, h(.), E_key(.), D_key(.)) in a smart card and sends it to U_i.

  (3) U_i → card: r_i.

      U_i stores r_i in the smart card.

Login phase

To log in to the system, U_i inserts the smart card into the card reader and inputs ID_i and PW_i.

  (1) The smart card retrieves r_i, L_i and AID_i from its memory and, with the current timestamp T_i, computes

    $$\begin{array}{l} RPW_{i} = h(r_{i}||PW_{i}) \\ J_{i} = L_{i}\oplus RPW_{i}\\ C_{1} = h(T_{i}||J_{i}) \end{array} $$
  (2) U_i → S: m = {AID_i, T_i, C_1}.

      U_i sends the login message m = {AID_i, T_i, C_1} to S.

Authentication phase

Upon receiving the message m, S performs the following steps:

  (1) S → U_i: m′ = {C_2}.

      S checks the validity of the timestamp T_i and rejects the request if it is stale. Otherwise S decrypts AID_i with x to obtain ID_i and b, looks up N for ID_i and computes J_i = h(x||ID_i||N). S then checks whether C_1 equals h(T_i||J_i) and rejects the request if not. Otherwise S selects a fresh random number b′ and computes

    $$\begin{array}{l} AID_{i}' = E_{x}(ID_{i}||b') \\ C_{2} = E_{J_{i}}(AID_{i}'||C_{1}||T_{s}) \end{array} $$

      and sends m′ = {C_2} to U_i. Finally S computes the session key sk = h(J_i||T_i||T_s), where T_s is the server's timestamp.

  (2) On receiving m′, the smart card decrypts C_2 with J_i to obtain AID_i′, C_1′ and T_s, checks the validity of T_s and aborts the session if T_s is stale. The card then checks that C_1′ = C_1; if not, U_i terminates the session. Otherwise S is authenticated and U_i computes the session key sk = h(J_i||T_i||T_s). The smart card replaces AID_i with AID_i′, which will be used in the user's next login.

Password change phase

If U_i wants to change the password, U_i inserts the smart card and inputs the old password PW_i and the new password PW_i^new. The card then computes

$$\begin{array}{l} RPW_{i} = h(r_{i}||PW_{i})\\ RPW_{i}^{new} = h\left(r_{i}||PW_{i}^{new}\right) \\ L_{i}^{new} = L_{i}\oplus RPW_{i} \oplus RPW_{i}^{new} \end{array} $$

and replaces L_i with L_i^new.

Lost smart card revocation phase

To revoke a lost smart card and obtain a new one, U_i re-registers with S over the secure channel as in the registration phase. S verifies U_i's personal information (for example, the date of birth) and, after validation, issues a new smart card to U_i.

Security analysis of Jiang et al.’s scheme

Jiang et al. claimed that their scheme achieves many security properties. However, the user's identity plays no role in their scheme, and the scheme is vulnerable to off-line password guessing, user impersonation and DoS attacks.

ID uselessness

Consider the login phase of Jiang et al.'s scheme. U_i inputs ID_i and PW_i, but the card never uses ID_i. The login message m carries AID_i, read directly from the smart card, as the user's identity on the channel. ID_i is therefore useless in the login phase: the user can enter any string as the identity and the card behaves identically.

Off-line password guessing attack

Suppose the attacker A steals U_i's smart card temporarily, extracts (L_i, AID_i, r_i) from it and returns it to U_i. A also eavesdrops on one login and authentication exchange of U_i: m = {AID_i, T_i, C_1} and m′ = {E_{J_i}(AID_i′||C_1||T_s)}. A then guesses a candidate password PW_i^* and computes RPW_i^* = h(r_i||PW_i^*), J_i^* = L_i ⊕ RPW_i^* and C_1^* = h(T_i||J_i^*). Since C_1 is sent in plaintext in m (it can also be recovered by decrypting m′ with J_i^*), A simply compares C_1^* with C_1: if they are equal, PW_i^* is the correct password; otherwise A tries the next candidate. Because T_i, C_1, L_i and r_i are all known to A, the search runs entirely off-line and, by Definition 1, terminates in polynomial time. Because J_i does not vary between sessions, any recorded login and authentication exchange between U_i and S serves to verify the guesses. Once A has the correct password, A obtains J_i, decrypts m′ to obtain T_s and computes the session key sk = h(J_i||T_i||T_s) directly.

User impersonation attack

After the off-line guessing attack above, A holds the correct password and can pass as the legitimate user. Because of the ID uselessness, A can enter any string as the identity, start a session with the stolen card values and the recovered password, and impersonate U_i successfully.

DoS attack

There are two cases of DoS attack:

  (1) Once A logs in successfully, S issues the next login identity AID_i′ to A, so the legitimate U_i no longer holds the current AID_i′ and is denied service immediately. U_i cannot log in again without re-registering.

  (2) Because the password change phase has no mechanism for checking the old password, it always succeeds. A user who mistypes the old password obtains a corrupted L_i^new, and every subsequent login fails. Changing the password without verification is therefore insecure; since Jiang et al.'s scheme has no password-checking step in its password change phase, it is subject to this attack. We find that the schemes proposed in [5, 7, 10, 13, 14, 16] are all vulnerable to it as well.

System environment and the improved scheme

We first describe the structure of the system environment and its application, and then present our authentication scheme.

Structure of system environment

First, medical devices are installed in residents' homes or in a community service center: cameras, microphones and sensors for temperature, pulse and blood pressure, among others, form the terminal. The collected information is transmitted over the communication channel. In Fig. 1, a patient who requests medical help first logs in with the smart card, then uses the devices to collect body data and sends it to the server. The doctor's identity is checked in the same way. Based on the patient's video, audio, body readings and history data, the doctor communicates with the patient and gives advice on the specific symptoms. At the end of the diagnosis the doctor confirms the service the patient requested and the patient pays the bill. A patient can also access his own health history data.

Figure 1. Simple frame of our system.

All users of this system must first register with the server, which issues a smart card to each user; these flows travel over a secure channel. Afterwards the legitimate user logs in with the smart card from a device such as a personal computer or notebook. The messages from the login phase to the end of the session travel over an insecure channel.

Our proposed scheme also has five phases: registration, login, authentication, password change and lost smart card revocation. Figure 2 shows the registration, login and authentication phases. The details are as follows:

Figure 2. Registration, Login & Authentication phases of our scheme.

Registration phase

U_i registers or re-registers with the remote server S by performing the following steps over a secure channel:

  (1) U_i → S: {ID_i, RPW_i}.

      U_i chooses an identity ID_i and a password PW_i, generates a random number r_i, calculates RPW_i = h(r_i||PW_i) and sends the message R = {ID_i, RPW_i} to S.

  (2) S → U_i: smart card.

      Upon receiving R, S checks whether ID_i is valid and rejects the request if not. S then checks the account records in its database: if U_i is a new user, S adds (ID_i, N = 0) to the database; otherwise S sets N = N + 1 and stores it. S then calculates

    $$\begin{array}{l} J_{i} = h(x||ID_{i}||N) \\ L_{i} = J_{i}\oplus RPW_{i} \\ e_{i} = h(x)\oplus h(RPW_{i}||ID_{i}) \end{array} $$

      Finally, S stores (L_i, e_i, h(.), E_key(.), D_key(.)) in a smart card and issues it to U_i.

  (3) U_i → card: r_i.

      U_i stores r_i in the smart card.

Login phase

When U_i wants to log in, U_i inserts the smart card into the card reader and inputs ID_i and PW_i. The messages between U_i and S travel over an insecure channel.

  (1) The smart card retrieves r_i, L_i and e_i and, with the current timestamp T_i, computes

    $$\begin{array}{l} RPW_{i} = h(r_{i}||PW_{i})\\ J_{i} = L_{i}\oplus RPW_{i} \\ AID_{i} = e_{i}\oplus h(RPW_{i}||ID_{i})\oplus h(T_{i})\oplus ID_{i} \\ B_{1} = e_{i}\oplus h(RPW_{i}||ID_{i})\oplus T_{i} \\ V_{i} = h(T_{i}||J_{i}) \\ C_{1} = E_{h(T_{i})}(AID_{i}||T_{i}||V_{i}) \end{array} $$
  (2) U_i → S: m = {B_1, C_1}.

      U_i sends the login message m = {B_1, C_1} to S.

Authentication phase

Upon receiving the message m, S performs the following steps:

  (1) S → U_i: m′ = {B_2, C_2}.

      S computes T_i′ = B_1 ⊕ h(x) and checks the validity of the timestamp T_i′; if it is invalid, S terminates the request. Otherwise S decrypts C_1 with h(T_i′) to obtain AID_i′, T_i″ and V_i′, and checks that T_i′ = T_i″; if not, S rejects the request. Otherwise S computes ID_i′ = AID_i′ ⊕ h(x) ⊕ h(T_i′) and checks whether ID_i′ is in the account table. If so, S retrieves N, computes J_i′ = h(x||ID_i′||N) and compares V_i′ with h(T_i′||J_i′); if they differ, S rejects the request. Otherwise S computes

    $$\begin{array}{l} B_{2} = h(x)\oplus T_{s}\\ C_{2} = E_{h(T_{s})}(V_{i}'||T_{s})\\ sk = h(J_{i}'||T_{i}'||T_{s}||ID_{i}') \end{array} $$

      and sends m′ = {B_2, C_2} to U_i.

  (2) When U_i receives m′, the smart card computes T_s′ = B_2 ⊕ e_i ⊕ h(RPW_i||ID_i) and checks the validity of T_s′. If it passes, the card decrypts C_2 with h(T_s′) to obtain V_i″ and T_s″, checks that T_s′ = T_s″ and V_i″ = V_i, and ends the session if either check fails. Otherwise U_i computes the session key sk = h(J_i||T_i||T_s′||ID_i).

Password change phase

If U_i wants to change the password, U_i inserts the smart card and inputs the identity ID_i, the old password PW_i and the new password PW_i^new.

  (1) The same as the Login phase: the card computes B_1 and C_1 from ID_i, PW_i and a fresh timestamp T_i and sends m = {B_1, C_1} to S.

  (2) The same as the first step of the Authentication phase, except that S need not compute sk.

  (3) After receiving m′, the smart card obtains T_s′ as in the Authentication phase, decrypts C_2 with h(T_s′) and checks T_s′ = T_s″ and V_i″ = V_i. If either check fails, U_i terminates the session. Otherwise the smart card computes

    $$\begin{array}{l} RPW_{i}^{new} = h\left(r_{i}||PW_{i}^{new}\right)\\ L_{i}^{new} = L_{i}\oplus RPW_{i} \oplus RPW_{i}^{new}\\ e_{i}^{new} = e_{i}\oplus h(RPW_{i}||ID_{i})\oplus h\left(RPW_{i}^{new}||ID_{i}\right)\\ \end{array} $$

      and replaces L_i and e_i with L_i^new and e_i^new respectively.
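The following Python is an added example, written for this review rather than taken from the paper, of the improved scheme's login, authentication and password change phases with both the card side and the server side. Assumptions not fixed by the paper: h is SHA-256, E_key/D_key is an HMAC-SHA256 counter-mode keystream standing in for AES, every XORed field is 32 bytes wide (ID_i zero-padded, timestamps encoded as 32-byte integers and accepted within a 60-second window), N is encoded as a 4-byte integer, and the identity and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
WINDOW = 60  # timestamp acceptance window in seconds (assumption; the paper does not fix one)

def h(*parts: bytes) -> bytes:  # h(a||b||...) of the paper (SHA-256 here; the paper's timings use SHA-1)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(p ^ q for p, q in zip(a, b))

def _ks(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 counter-mode keystream: stand-in for the paper's AES E_key/D_key.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]

def E(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + xor(pt, _ks(key, nonce, len(pt)))

def D(key: bytes, ct: bytes) -> bytes:
    return xor(ct[16:], _ks(key, ct[:16], len(ct) - 16))

def ts(t: int) -> bytes:  # XORed fields are 32 bytes wide: timestamps are 32-byte integers, ID_i is zero-padded
    return t.to_bytes(32, "big")

def fresh(T: bytes, now: int) -> bool:
    return abs(int.from_bytes(T, "big") - now) <= WINDOW

class Server:
    def __init__(self):
        self.x, self.table = os.urandom(32), {}  # long-term secret x; ID_i -> N

    def register(self, ID: bytes, RPW: bytes):
        N = self.table.get(ID, -1) + 1  # new user: N = 0; re-registration: N + 1
        self.table[ID] = N
        J = h(self.x, ID, N.to_bytes(4, "big"))
        return xor(J, RPW), xor(h(self.x), h(RPW, ID))  # L_i, e_i

    def authenticate(self, m, now: int):
        B1, C1 = m
        hx = h(self.x)
        T = xor(B1, hx)  # T_i' = B_1 xor h(x)
        if not fresh(T, now):
            return None
        pt = D(h(T), C1)
        AID, T2, V = pt[:32], pt[32:64], pt[64:]
        ID = xor(xor(AID, hx), h(T)).rstrip(b"\0")  # ID_i' = AID_i' xor h(x) xor h(T_i')
        if T != T2 or ID not in self.table:
            return None
        J = h(self.x, ID, self.table[ID].to_bytes(4, "big"))
        if not hmac.compare_digest(V, h(T, J)):
            return None
        Ts = ts(now)
        self.sk = h(J, T, Ts, ID)  # not needed when the exchange is a password change
        return xor(hx, Ts), E(h(Ts), V + Ts)  # B_2, C_2

class Card:
    def __init__(self, L: bytes, e: bytes, r: bytes):
        self.L, self.e, self.r = L, e, r

    def login(self, ID: bytes, PW: bytes, T: bytes):
        RPW = h(self.r, PW)
        self.ID, self.T, self.J = ID, T, xor(self.L, RPW)
        self.k = xor(self.e, h(RPW, ID))  # equals h(x) only under the correct (ID_i, PW_i)
        AID = xor(xor(self.k, h(T)), ID.ljust(32, b"\0"))
        self.V = h(T, self.J)
        return xor(self.k, T), E(h(T), AID + T + self.V)  # B_1, C_1

    def finish(self, reply, now: int):
        B2, C2 = reply
        Ts = xor(B2, self.k)  # T_s' = B_2 xor e_i xor h(RPW_i||ID_i)
        if not fresh(Ts, now):
            return None
        pt = D(h(Ts), C2)
        if pt[32:] != Ts or not hmac.compare_digest(pt[:32], self.V):
            return None
        return h(self.J, self.T, Ts, self.ID)

    def change_password(self, server, ID: bytes, PW_old: bytes, PW_new: bytes, now: int) -> bool:
        # Steps (1)-(3): S must authenticate the old password before L_i and e_i are rewritten.
        reply = server.authenticate(self.login(ID, PW_old, ts(now)), now)
        if reply is None or self.finish(reply, now) is None:
            return False
        RPW_old, RPW_new = h(self.r, PW_old), h(self.r, PW_new)
        self.L = xor(xor(self.L, RPW_old), RPW_new)
        self.e = xor(xor(self.e, h(RPW_old, ID)), h(RPW_new, ID))
        return True

def demo():
    S, now = Server(), 1_700_000_000  # constructed sample data
    ID, PW, r = b"patient-42", b"hunter2", os.urandom(16)
    card = Card(*S.register(ID, h(r, PW)), r)
    keys_match = card.finish(S.authenticate(card.login(ID, PW, ts(now)), now), now) == S.sk
    typo_rejected = not card.change_password(S, ID, b"typo", b"new-pw", now + 1)
    changed = card.change_password(S, ID, PW, b"new-pw", now + 2)
    old_fails = S.authenticate(card.login(ID, PW, ts(now + 3)), now + 3) is None
    new_works = card.finish(S.authenticate(card.login(ID, b"new-pw", ts(now + 4)), now + 4), now + 4) == S.sk
    return keys_match, typo_rejected, changed, old_fails, new_works
```

demo() checks that both sides derive the same sk, that a password change with a mistyped old password is rejected by S (the wrong password yields a wrong h(x) mask, so the recovered T_i′ fails the timestamp check) before the card touches L_i and e_i, and that after a successful change the old password no longer authenticates while the new one does.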

Lost smart card revocation phase

If U_i has lost the smart card, U_i re-registers with S over the secure channel as in the registration phase. S verifies U_i, sets N = N + 1 and stores (ID_i, N) in the account table. Finally S issues a new smart card to U_i. Because J_i = h(x||ID_i||N) depends on N, the L_i in the lost card no longer yields a valid J_i.

Security analysis and comparison

In this section we analyze the security of our scheme against the attacks and properties listed below, and then compare it with Jiang et al.'s scheme. The details are as follows:

ID usefulness

In the login and authentication phases, ID_i enters the computation of the session parameter AID_i and of the session key sk, and S checks that the recovered ID_i′ is in its account table, so the user's identity is actually used in the scheme.

On-line password guessing attack

In an on-line password guessing attack, A submits guesses of a legitimate user's password to S. To counter it, S limits the number of login attempts for the same identity within a short period; if A exceeds the bound, S rejects further requests and may take additional measures such as freezing the card.

Off-line password guessing attack

Suppose A eavesdrops on all messages in the channel and steals U_i's smart card, so that A holds L_i, e_i, r_i, B_1, C_1 and C_2. Because x is unknown to A, A cannot confirm a guess of PW_i from these values alone. For example, A guesses a password PW_i^* and computes J_i^* = L_i ⊕ h(r_i||PW_i^*), but J_i is only visible through V_i = h(T_i||J_i), and V_i is encrypted under h(T_i). To check J_i^*, A therefore needs T_i, and the only way to obtain it is T_i = B_1 ⊕ h(x), which requires x. Note that this argument also relies on A not knowing ID_i: under the correct (ID_i, PW_i) the card value e_i ⊕ h(RPW_i||ID_i) equals h(x), and h(x) in turn unmasks T_i from B_1, so the identity must be kept secret alongside the password for this bound to hold.

Privileged insider attack

The administrator of the medical server could impersonate a user if he learned that user's password. There is no password table on S in our scheme, and every PW_i is protected by the random number r_i and the hash function in the registration, login and password change phases: S only ever sees RPW_i = h(r_i||PW_i), never PW_i itself. Therefore our scheme resists privileged insider attacks.

Stolen-verifier attack

S stores no verification table of hashed passwords or any other information derived from PW_i. S authenticates a session with its secret number x and uses no value related to PW_i, so our scheme is secure against stolen-verifier attacks.

Replay attack

Suppose A replays an eavesdropped message, for example m sent to S. Each message is bound to a timestamp (T_i in m, T_s in m′) that the receiver checks, so a replayed message is detected and dropped, provided the acceptance window for timestamps is kept short.

Man-in-middle attack

Suppose A intercepts the messages between U_i and S and replaces part or all of a message with forged data in order to impersonate the user or the server. Without x, A cannot fabricate a valid message: a forged m fails S's checks of T_i′ = T_i″ and V_i′, and a forged m′ fails the card's checks of T_s′ = T_s″ and V_i″. Since A cannot produce valid session messages, our scheme withstands the user impersonation, server impersonation and modification attacks discussed for Jiang et al.'s scheme.

Mutual authentication

It is important in a TMIS that the user and the remote server verify each other's identity. A scheme that withstands user and server impersonation attacks provides mutual authentication, and the analysis of the man-in-the-middle attack shows this for our scheme. Furthermore, the session key formed at the end of the authentication phase is sk = h(J_i||T_i||T_s||ID_i). Only the server and the user know all of its components and can compute it. Because the two timestamps are never transmitted in the clear, agreement on a session key that includes them confirms that each side recovered the other's timestamp, and hence that each side holds the corresponding secret. Our scheme therefore provides mutual authentication.

DoS attack

Compared with the DoS analysis of Jiang et al.'s scheme, our scheme avoids both cases. First, S does not hand the next login identity to U_i, and the scheme resists off-line password guessing, so the first case does not arise. Second, in the password change phase U_i must input ID_i and the old PW_i, which S authenticates; failure of this authentication reveals either a legitimate user's typing mistake or an attacker's attempt, and L_i and e_i are rewritten only after the authentication succeeds. The password change phase can also safely run over the insecure channel. Hence our scheme resists these DoS attacks.

User anonymity and untraceability

No third party can learn the real identity of U_i, because ID_i is concealed in AID_i, AID_i is encrypted under h(T_i), and T_i is masked in B_1 by h(x); an attacker A must therefore first obtain T_i. Moreover, AID_i varies from session to session because it depends on the timestamp T_i, so A c cannot distinguish U_i's sessions from those of other users on the channel. Our scheme thus provides user anonymity and untraceability.

Known-key security

The session key is sk = h(J_i||T_i||T_s||ID_i), and the two timestamps T_i and T_s differ from session to session, so the keys of different sessions are independent of each other. Because the hash function is one-way, A cannot recover J_i||T_i||T_s||ID_i from a session key. Hence knowledge of some session keys does not compromise the others.

Freely password chosen and update

In our scheme the user chooses the password freely in the registration phase and can change it whenever required, without restriction. This feature is therefore satisfied.

Comparisons

Here Table 2 lists security comparisons and Table 3 shows performance comparisons.

Table 2 Security comparison
Table 3 Performance comparison

Table 2 shows that our scheme resists all the listed attacks, whereas Jiang et al.'s scheme is vulnerable to off-line password guessing, user impersonation and DoS attacks.

We take the time costs of the hash function and of symmetric encryption/decryption from [6] and compare our scheme with Jiang et al.'s in Table 3. T_H denotes the computation time of the hash function, e.g. SHA-1, about 0.5 ms, and T_S denotes the computation time of symmetric encryption/decryption, e.g. AES, about 8.7 ms. Other operations such as XOR and concatenation cost negligible time, so we omit them.

From Table 3, the total computation time of the registration phase in our scheme is 4T_H ≈ 2 ms, lower than in Jiang et al.'s scheme. In the login and authentication phases our scheme costs 11T_H + 4T_S ≈ 40.3 ms in total, while Jiang et al.'s scheme costs 6T_H + 4T_S ≈ 37.8 ms; ours is 2.5 ms, or 6.6 %, more. On the server side, however, our scheme costs only 19.9 ms, 36.7 % less than Jiang et al.'s; the extra time falls on the user side, which eases the load on the server. The password change phase in our scheme costs considerably more because it reuses the login phase and part of the authentication phase, but password changes are far rarer than logins. The card revocation phase in both schemes costs the same as the respective registration phase, so we omit it. Most importantly, our scheme is secure whereas Jiang et al.'s scheme is vulnerable to three different attacks. From the above analysis, our scheme is the better choice.

Conclusion

In this paper we have shown that Jiang et al.'s scheme has several weaknesses: the user's identity is unused, and the scheme is vulnerable to off-line password guessing, user impersonation and DoS attacks. To overcome these defects we proposed a new scheme for our telecare medical information system. Our analysis shows that the scheme resists the common attacks and removes the drawbacks of Jiang et al.'s scheme, while protecting the messages transmitted over the insecure channel between the user and the server. We therefore consider the scheme suitable for use in a TMIS.