An Improved Anonymous Authentication Scheme for Telecare Medical Information Systems

Abstract

Telecare medical information system (TMIS) constructs an efficient and convenient connection between patients and the medical server. The patients can enjoy medical services through public networks, and hence the protection of patients’ privacy is very significant. Very recently, Wu et al. identified Jiang et al.’s authentication scheme had some security drawbacks and proposed an enhanced authentication scheme for TMIS. However, we analyze Wu et al.’s scheme and show that their scheme suffers from server spoofing attack, off-line password guessing attack, impersonation attack. Moreover, Wu et al.’s scheme fails to preserve the claimed patient anonymity and its password change phase is unfriendly and inefficient. Thereby, we present a novel anonymous authentication scheme for telecare medical information systems to eliminate the aforementioned faults. Besides, We demonstrate the completeness of the proposed scheme through the BAN logic. Furthermore, the security of our proposed scheme is proven through Bellare and Rogaways model. Compared with the related existing schemes, our scheme is more secure.

Introduction

With the rapid development of information and communication technology, the telecare medical information systems are increasingly applied to enable or support healthcare delivery services. Patients can conveniently access health information and medical services through public networks at home. Considering the patients’ privacy and security issues, a viable authentication mechanism will thus be in demand to verify the authenticity of all participants and to tackle the illegal access. Generally, smart cards and passwords are used to design remote identity-based authentication schemes [1–6].

In 2012, Wu et al. [7] proposed an authentication scheme with a pre-computation approach for TMIS. Later, He et al. [8] showed that Wu et al.’s scheme was insecure to against impersonation attack, insider attack, and then proposed an improved scheme to enhance the security. However, Wei et al. [9] stated that both of the mentioned authentication schemes were vulnerable to off-line password guessing attack once the patient’s smart card was compromised. To rectify this flaw, Wei et al. presented a modified authentication scheme for TMIS. Unfortunately, soon after that Zhu [10] demonstrated that Wei et al.’s scheme was still susceptible to off-line password guessing attack and proposed a RSA based scheme. Nevertheless, in the above schemes, the identities of patients are transmitted in plaintext over the insecure network which may result in ID-theft attack and impersonation attack.

In order to negate this risk, dozens of dynamic ID-based authentication schemes for TMIS have been proposed [11–14, 17]. In 2012, Chen et al. [11] pointed out that Khan et al.’s scheme [12] had some security drawbacks and proposed a new dynamic ID-based scheme for TMIS. Later on, Jiang et al. [13] observed that Chen et al.’s scheme failed to provide patient anonymity and untraceability. Furthermore, they proposed an authentication scheme accomplishing patient privacy protection. Unluckily, Wu et al. [14] and Kumari et al. [17] demonstrated that Jiang et al.’s scheme fell short to resist a range of attacks such as off-line password guessing attack, impersonation attack, DoS attack and so on. They also proposed their own schemes to overcome these identified weaknesses, respectively. Here, we examine Wu et al.’s authentication scheme and identify its security pitfalls in this paper. And then, we propose a modified authentication scheme for TMIS which can achieve patient anonymity and untraceability.

The rest of this paper is organized as follows. In the next section, we present the preliminaries that will be used throughout the paper. In Section “Security model”, we review the security model and definition for authenticated key exchange protocols. we briefly review Wu et al.’s scheme in section “Review of Wu et al.’s scheme”. Subsequently, we show its weaknesses in Section “Security pitfalls in Wu et al.’s scheme”. Then, we proceed with proposing our new scheme in Section “The improved scheme”, together with analyzing its security in Section “Security analysis of the proposed scheme”. In Section “Performance and functionality analysis”, we compare the performance of our new scheme with the previous schemes. Section “Conclusion” concludes the paper.

Preliminaries

Symmetric-Key Encryption

A symmetric encryption scheme can provide privacy. It consists of three algorithms: the key generation algorithm KG″, the encryption algorithm E and the decryption algorithm D.

For privacy, we consider the notion of indistinguishability under adaptive chosen plaintext attack (IND-CPA). Let b ← {0, 1} denote a random bit. The adversary \(\mathcal {A}\) has access to a left-or-right (LR) oracle which returns E _K (M _b ) upon receiving a pair of messages (M ₀, M ₁) from the adversary. Finally, the adversary outputs b′ ∈ {0, 1} as her guess of the value of b. We define the advantage of \(\mathcal {A}\) as

$$\mathbf{Adv}^{ind-cpa}_{\mathcal{A}}(k) =|{\text{Pr}}[b=b']-1/2|. $$

(1)

We say a symmetric-key encryption scheme is secure against adaptive chosen plaintext attacks if for any polynomial time adversary \(\mathcal {A}\), \(\mathbf {Adv}^{ind-cpa}_{\mathcal {A}}(k)\) is negligible in k.

Decisional Diffie-Hellman (DDH) Assumption.

Let g denote a generator of a cyclic group G with prime order q. Let g ^x denote the modular exponentiation operation in G for any x ∈ Z _q . The DDH assumption [15] says for any polynomial time algorithm \(\mathcal {D}\),

$$\mathbf{Adv}^{ddh}_{\mathcal{D}}(k)= {\text{Pr}}[\mathcal{D}(g, g^{a}, g^{b}, g^{ab})=1] $$

$$\begin{array}{*{20}l} -{\text{Pr}}[\mathcal{D}(g, g^{a}, g^{b}, g^{r}) =1] \end{array} $$

(2)

is negligible in k where a, b, r are randomly selected from Z _q . That is, given the tuple (g, g ^a,g ^b), g ^ab is computationally indistinguishable from a random element g ^r of G.

Security model

The first formal security model for authenticated key exchange protocols is due to Bellare and Rogaway [16], which is usually referred to as the BR93-Model. In the following section, we review the BR93-Model and then prove that our scheme meets the requirements of BR93-Model.

The security model and concepts

We denote the client oracle which plays the role A to interact with B in the ith session by \(\Pi ^{i}_{A,B}\), and denote the server oracle which plays the role B to interact with A in the jth session by \(\Pi ^{j}_{B,A}\).

Let P be the proposed authentication protocol. In this protocol, there are two partner oracles \(\Pi ^{i}_{A,B}\) and \(\Pi ^{j}_{B,A}\), and a probabilistic polynomial time adversary \(\mathcal {A}\) who can control the entire network and obtain the transmitted data in the past processes. In each protocol execution, or session, the adversary activates an instance either by an external request or by an incoming message. In addition, the adversary \(\mathcal {A}\) can make the following oracle queries:

• Execute query: This query models all kinds of passive attacks, where a passive adversary can eavesdrop all transmitted data between the client oracle \(\Pi ^{i}_{A,B}\) and the server oracle \(\Pi ^{j}_{B,A}\) in the running protocol.

• Send query: This query models active attacks where an adversary sends a message m to an oracle \(\Pi ^{i}_{A,B}\) (or \(\Pi ^{j}_{B,A}\)). The oracle executes the protocol based on the received message m and sends the response back to the adversary. An adversary can also initiate a session by setting m = λ(empty string).

• Leak query: This query models the leakage of one of the two authentication factors owned by a user. When the adversary makes the query, the client oracle will respond one of two factors to the adversary. We will consider the following cases: 1) the leakage of the password; 2) the leakage of the data stored in the smart card.

• Reveal query: This query allows the adversary to learn the session key generated by an oracle \(\Pi ^{i}_{A,B}\)(or \(\Pi ^{i}_{B,A}\)). Such a query is only valid when the oracle currently holds a session key.

• Test query: An adversary can only make this query once to a test oracle. Upon receiving this query, a random coin b is tossed. If b = 1, the real session key held by the test oracle is returned to the adversary; otherwise, a random key is selected from the session key space and returned to the adversary.

At the end of the game, the adversary outputs a bit b′ as her guess for b. The adversary’s advantage in winning the game is defined as

$$\mathbf{Adv}_{\mathcal{A}}(k)=|{\text{Pr}}[b'=b]-1/2|.$$

Review of Wu et al.’s scheme

Wu et al.’s authentication scheme consists of five phases, i.e., registration phase, login phase, authentication pha-se, password change phase and lost smart card revocation phase. The detailed steps of login phase and authentication phase are further illustrated in Fig. 1. For clarity, notations used in Wu et al.’s scheme are listed in Table 1.

Fig. 1

Login phase and authentication phase

Table 1 Notations

Registration phase

• Step 1. A patient U _i chooses his identity ID _i , password PW _i and a random number r _i . Then he/she computes RPW _i = h(r _i ∥ PW _i ) and transmits {ID _i , RPW _i } to the medical server S via a secure channel.

• Step 2. After receiving U _i ’s registration request, S verifies the validity of ID _i . If the verification fails, S rejects it. On the contrary, S maintains an account table for the registration patient, which records the identity ID _i and the registration time N in the format (ID _i , N) (if it is U _i ’s first registration, S sets N = 0; otherwise, S sets N = N+1).

• Step 3. S computes J _i = h(x∥ID _i ∥ N), L _i = J _i ⊕ RPW _i , e _i = h(x) ⊕ h(RPW _i ∥ ID _i ). Afterwards, S writes {L _i , e _i , h(⋅),E _key (⋅),D _key (⋅)} into a smart card and issues it to U _i .

• Step 4. U _i enters r _i into his/her smart card.

Login phase

• Step 1. U _i inserts his/her smart card into the device and keys ID _i , PW _i . Subsequently, the smart card calculates RPW _i = h(r _i ∥ PW _i ), J _i = L _i ⊕ RPW _i , AID _i = e _i ⊕ h(RPW _i ∥ ID _i ) ⊕ h(T _i ) ⊕ ID _i = h(x) ⊕ h(T _i ) ⊕ ID _i , B ₁ = e _i ⊕ h(RPW _i ∥ ID _i ) ⊕ T _i = h(x) ⊕ T _i , V _i = h(T _i ∥ J _i ) and C ₁ = E _{h(T i)}(AID _i ∥ T _i ∥ V _i ), where T _i is the current timestamp.

• Step 2. The smart card sends the login request message m = {B ₁, C ₁} to S.

Authentication phase

• Step 1. Upon receiving m, S computes T _i ′ = B ₁ ⊕ h(x) and checks the validity of the timestamp T _i ′. If it is invalid, S aborts the login request; otherwise, S decrypts C ₁ using \(h(T_{i}^{\prime })\) to obtain \(AID_{i}^{\prime }\), \(T_{i}^{\prime \prime }\), \(V_{i}^{\prime }\), and then verifies \(T_{i}^{\prime }\) with the decrypted \(T_{i}^{\prime \prime }\). If \(T_{i}^{\prime }\neq T_{i}^{\prime \prime }\), S terminates this session. Otherwise, S computes \(ID_{i}^{\prime }=AID_{i}^{\prime }\oplus h(x)\oplus h(T_{i}^{\prime })\) and checks whether \(ID_{i}^{\prime }\) is in the account table. If it is true, S retrieves N, calculates \(J_{i}^{\prime }=h(x\|ID_{i}^{\prime }\|N)\) and compares whether the decrypted \(V_{i}^{\prime }\) equals to the computed \(h(T_{i}^{\prime }\|J_{i}^{\prime })\). If they are equal, the login request is accepted and U _i is authentic; otherwise, the procedure is terminated immediately. After the verification of U _i , S computes B ₂ = h(x) ⊕ T _s , \(C_{2}=E_{h(T_{s})}(V_{i}^{\prime }\|T_{s})\), \(sk=h(J_{i}^{\prime }\|T_{i}^{\prime }\|T_{s}\|ID_{i}^{\prime })\) and sends the reply mutual authentication message m′={B ₂, C ₂} to U _i .

• Step 2. After receiving the response message m′, the smart card computes \(T_{s}^{\prime }=B_{2}\oplus e_{i}\oplus h(RPW_{i}\|ID_{i})\) and checks the validity of \(T_{s}^{\prime }\). If the verification holds, U _i decrypts C ₂ using \(h(T_{s}^{\prime })\) to get \(V_{i}^{\prime \prime }\) and \(T_{s}^{\prime \prime }\). Subsequently, U _i verifies \(T_{s}^{\prime } ? = T_{s}^{\prime \prime }\) and \(V_{i} ? = V_{i}^{\prime \prime }\). If either or both are false, the authentication fails; else, U _i confirms that S is authentic and computes the session key \(sk=h(J_{i}\|T_{i}\|T_{s}^{\prime }\|ID_{i})\).

Password change phase

When U _i wants to change his/her password, he/she inserts the smart card into a terminal and inputs identity ID _i , old password PW _i , new password \(PW_{i}^{new}\).

• Step 1. U _i sends the password change request m = {B ₁, C ₁} to S. Afterwards, S and U _i perform the mutual authentication to verify the validity of each other as depicted in the authentication phase.

• Step 2. If the mutual authentication fails, the smart card rejects U _i ’s password change request directly. If the mutual authentication is completed successfully, the smart card computes \(RPW_{i}^{new}=h(r_{i}\|PW_{i}^{new})\), \(L_{i}^{new}\) \(=L_{i}\oplus RPW_{i}\oplus RPW_{i}^{new}\), \(e_{i}^{new}=e_{i}\oplus h(RPW_{i}\|ID_{i})\oplus h(RPW_{i}^{new}\|ID_{i})\).

• Step 3. The smart card replaces L _i , e _i with \(L_{i}^{new}\), \(e_{i}^{new}\), respectively.

Lost smart card revocation phase

If the smart card of U _i is lost, he/she could re-register at S through the secure channel as registration phase. After the verification of the identity ID _i , S retrieves N from the account table and sets N = N + 1, then stores the new entry (ID _i , N) in to account table. Finally, S issues a new smart card which contains security parameters to U _i .

Security pitfalls in Wu et al.’s scheme

In this section, we demonstrate that Wu et al.’s scheme is susceptible to various attacks, such as server spoofing attack, off-line password guessing attack and impersonation attack. Furthermore, their scheme cannot provide the claimed patient anonymity and the password change phase is unfriendly and inefficient. The details of these flaws are described as follows.

Failure of protecting patient anonymity

In Wu et al.’s scheme security analysis, the authors claimed that the adversary could not decrypt C ₁ without T _i to retrieve AID _i which contained ID _i , and there-by, their scheme satisfied patient anonymity and untraceability. However, we find it is not true due to the following analysis.

Any legal but malicious patient \(\mathcal {A}\) of the server can get the secret value h(x) by computing \(h(x)=e_{\mathcal {A}}\oplus h(RPW_{\mathcal {A}}\|ID_{\mathcal {A}})\). Consider that \(\mathcal {A}\) has recorded U _i ’s previous login request message m = {B ₁, C ₁}. Then, with the computed secret number h(x), he/she can easily compute T _i = B ₁ ⊕ h(x). After getting the timestamp, the attacker \(\mathcal {A}\) can further decrypt C ₁ using h(T _i ) to obtain AID _i and calculates ID _i = AID _i ⊕ h(x) ⊕ h(T _i ).

Server spoofing attack

As explained above, with the computed secret value h(x), the malicious patient \(\mathcal {A}\) can masquerade as S to fool any legitimate patient by performing the following steps:

• Step 1. Intercepts the login request message m = {B ₁, C ₁} of U _i and computes T _i = B ₁ ⊕ h(x). Then \(\mathcal {A}\) can decrypt C ₁ = E _{h(T i)}(AID _i ∥ T _i ∥ V _i ) to get V _i with h(T _i ).

• Step 2. Computes \(B_{2}^{*}=h(x)\oplus T_{s}^{*}\), \(C_{2}^{*}=E_{h(T_{s}^{*})}(V_{i}\) \(\|T_{s}^{*})\), where \(T_{s}^{*}\) is the current timestamp. Then, sends the forged reply message \(m'^{*}=\{B_{2}^{*},C_{2}^{*}\}\) to U _i .

  It is easy to see that the response message m′^∗ can pass the verification due to \(\mathcal {A}\) forges m′^∗ with the valid timestamp and the correct secret information V _i which is decrypted from C ₁.

Off-line password guessing attack

Password as an easy-to-remember credential drawing from a small space is easily hacked from off-line password guessing attack. In case a legal remote patient U _i ’s smart card is somehow obtained (e.g. stolen or picked up) by the malicious patient \(\mathcal {A}\), and the stored secret values {L _i , e _i , r _i } can be extracted by side-channel attacks [18, 19]. Then \(\mathcal {A}\) avails of the compromised h(x), ID _i to launch off-line password guessing attack.

• Step 1. Computes \(e_{i}^{*}=h(x)\oplus h(h(r_{i}\|PW_{i}^{*})\|ID_{i})\) where \(PW_{i}^{*}\) is a guessed password from the password space \(\mathcal {D}\).

• Step 2. Verifies whether \(e_{i}^{*}\) equals to e _i to ensure the correctness of \(PW_{i}^{*}\).

• Step 3. Repeats the Steps 1 and 2 by replacing another guessed password \(PW_{i}^{*}\) until U _i ’s password PW _i is found.

  Using the guessing password PW _i , the adversary can proceed impersonation attack easily.

The improved scheme

In this section, we present a new authentication scheme with privacy preservation for TMIS which can resist a range of attacks such as off-line password guessing attack, server spoofing attack and impersonation attack, even if the smart card is compromised. Our scheme also consists of five phases, i.e., registration phase, login phase, authentication phase, password change phase and lost smart card revocation phase. In Fig. 2, we will further depict the login phase and authentication phase.

Fig. 2

Login phase and authentication phase

In order to initialize this scheme, S chooses a multiplication group G = Z _p and a element g ∈ G with order q, where p and q are two large prime numbers such that p = 2q + 1. Then S selects the master secret key x ∈ Z _q and computes the public key g ^x mod p.

Registration phase

• Step 1. A patient U _i chooses his/her identity ID _i , password PW _i and generates a random number r _i . Then he/she computes RPW _i = h(r _i ∥ PW _i ) and sends {ID _i , RPW _i } to the medical server S over a secure communication channel.

• Step 2. Upon receiving {ID _i , RPW _i }, S verifies the legitimacy of ID _i . If it is valid, S maintains an account table (ID _i , N) for the registration patient, where N is the registration time (N = 0, if it is U _i ’s first registration; otherwise, N = N+1). Then, S computes security parameters J _i = h(x∥ID _i ∥ N), L _i = J _i ⊕ RPW _i and K _i = h(ID _i ∥ RPW _i ).

• Step 3. S personalizes the smart card with {L _i , K _i , g, g ^x mod p, p, q, h(⋅),E _key (⋅),D _key (⋅)} and issues it to U _i via a secure channel.

• Step 4. U _i inserts r _i into the received smart card.

Login phase

• Step 1. U _i inserts the smart card into a card reader and inputs his/her identity ID _i and password PW _i . Then, the smart card computes RPW _i = h(r _i ∥ PW _i ), K _i ′ = h(ID _i ∥ RPW _i ) and verifies whether K _i ′ = K _i or not. If K _i ′ = K _i , proceeds to Step 2; otherwise, the login phase is terminated immediately.

• Step 2. The smart card computes J _i = L _i ⊕ RPW _i , then chooses a random number a and computes A _i = g ^Jia mod p, B _i = (g ^x mod p)^Jia mod p, C _i = E _{B i} (ID _i , T _i , g ^a mod p), where T _i is the current time.

• Step 3. The smart card sends the login request message {A _i , C _i } to S.

Authentication phase

• Step 1. On receiving {A _i , C _i } from U _i , S computes B _i ′ = (A _i )^x mod p and decrypts C _i using B _i ′ to recover ID _i , T _i , g ^a mod p. Subsequently, S checks the validity of ID _i and T _i . If either or both are invalid, the login request is rejected.

• Step 2. S retrieves N from the account table with ID _i and computes J _i ′ = h(x∥ID _i ∥ N), \(A_{i}\prime = (g^{a}~mod~p)^{J_{i}\prime }\) mod p. Then S compares the computed A _i ′ with the received A _i . If they are equal, the legitimacy of U _i is ensured; on the contrary, S terminates this session immediately.

• Step 3. S acquires the timestamp T _s and generates a random number b, then computes R _s = h(ID _i ∥ J _i ′), \(V_{s}=E_{B_{i}\prime }(R_{s},T_{s},g^{b}~mod~p)\). Afterwards, S sends the mutual authentication message {V _s } to U _i .

• Step 4. Upon receiving the reply message {V _s } at T _s ′, U _i decrypts V _s to recover the values R _s , T _s , g ^b mod p with B _i . Then U _i checks the validity of T _s . If T _s ′−T _s ≥△T, U _i terminates this session; otherwise, proceeds to Step 5.

• Step 5. U _i computes h(ID _i ∥ J _i ) and compares it with the decrypted R _s . If they are equal, the server S is authenticated by U _i ; otherwise, this session is terminated. Finally, U _i computes K ₀ = F(g ^ab,0) and set the session key as sk = F(g ^ab,1) shared with S, where F denotes a pseudo-random function. U _i sends the K ₀ to the server.

• Step 6. The server computes K ₀′ = F(g ^ab,0) and verifies whether K ₀ = K ₀′ or not. If it is true, the server accepts the user and computes the session key F(g ^ab,1) shared with U _i .

Password change phase

This phase is invoked whenever U _i wants to change his/her password PW _i with a new password \(PW_{i}^{new}\).

• Step 1. U _i inserts his/her smart card into a card reader and keys in ID _i , PW _i and requests to change the password.

• Step 2. The smart card computes RPW _i = h(r _i ∥ PW _i ), K _i ′ = h(ID _i ∥ RPW _i ) and checks whether K _i ′ ? = K _i . If the equation holds, proceeds to Step 3; otherwise, this phase is terminated.

• Step 3. U _i inputs a new password \(PW_{i}^{new}\) twice for correctness of \(PW_{i}^{new}\). Note that if the input passwords are not consistent, the smart card will ask him/her to key in a new password twice again. If the input passwords are consistent, the smart card computes \(RPW_{i}^{new}\) \(=h(r_{i}\|PW_{i}^{new})\), \(L_{i}=L_{i}\oplus RPW_{i}\oplus RPW_{i}^{new}\) and \(K_{i}^{new}=h(ID_{i}\|RPW_{i}^{new})\). Then the smart card replaces L _i , K _i with \(L_{i}^{new}\), \(K_{i}^{new}\), respectively.

Lost smart card revocation phase

If U _i ’s smart card is lost or stolen, he/she could re-register at S through the secure channel as registration phase. After the verification of the identity ID _i , S retrieves the entry (ID _i , N) from the account table and sets N = N+1, then stores the new (ID _i , N) in its database. Afterwards, S computes the security parameters of the patient and issues a new smart card to him/her as depicted in the registration phase.

Security analysis of the proposed scheme

Security analysis based on BR93 model

Below we prove that the proposed authentication and key agreement scheme is secure in the security model presented in Section 1.

Theorem 1

If the symmetric-key encryption scheme is secure against adaptively chosen plaintext attack, and the function F is a secure pseudo-random function, then the proposed authentication and key agreement scheme is secure under the DDH assumption.

Proof

Let ℬ be an adversary against proposed authentication protocol. We separate the proof into two cases, based on the factor that is leaked to the adversary. □

Case 1. The password is leaked.

(1.1) We first consider the situation that the test query is made to an instance belonging to a user. Below we define a sequence of games with Game 0 being the original security game defined in Section 1.

1. Game 1.

   This game is the same as the original game, except that before the adversary begins, a random value m ← {1, 2, ... , l _u } is chosen where l _u denotes the maximum number of user instances that would be activated in the game. If the Test query is not made to the m-th instance, then the simulation halts and a random bit b′ is returned.

2. Game 2.

   This game is the same as Game 1, except that if the adversary successfully forges a valid response V _s with respect to U _i before or in the test session, then the simulation halts and a random b′ is returned.

3. Game 3.

   This game differs from the previous one in the following way: a random value γ = g ^r is chosen and the value g ^ab used in the protocol is replaced with γ.

4. Game 4.

   In this game, we replace F(g ^r,⋅) with a truly random function RF(⋅).

In the analysis below, we use σ _i to denote the event that b′ = b, and τ _i to denote the advantage of the adversary, in Game i. Analysis of Games 1: Let E denote the event that the m-th session is the test session. We have

$$\begin{array}{@{}rcl@{}} {\text{Pr}}[\sigma_{1}] & = & {\text{Pr}}[\sigma_{1}|E]{\text{Pr}}[E]+{\text{Pr}}[\sigma_{1}|\overline{E}]{\text{Pr}}[\overline{E}]\\ &=& {\text{Pr}}[\sigma_{1}|E]{\text{Pr}}[E]+1/2(1 - {\text{Pr}}[E])\\ &=& ({\text{Pr}}[\sigma_{1}|E] - 1/2){\text{Pr}}[E] + 1/2 \\ & = & 1/l_{u}({\text{Pr}}[\sigma_{0}] - 1/2) + 1/2 \end{array} $$

Hence,

$$\tau_{1} = {\text{Pr}}[\sigma_{1}]-1/2=\tau_{0}/l_{u}.$$

Analysis of Game 2: Since the symmetric encryption scheme E is ind-cpa secure, the difference between Game 1 and Game 2 is bounded by

$$\tau_{1} \le \tau_{2} + \mathbf{Adv}^{ind-cpa}_{E}(k).$$

Analysis of Game 3: If ℬ can distinguish Game 2 from Game 3, then we can construct adversary \(\mathcal {D}\) which can break the DDH assumption. Let α = g ^x,β = g ^y,γ be the DDH problem \(\mathcal {D}\) aims to solve. When m-th session is activated, \(\mathcal {D}\) uses its inputs (α, β, γ) instead of the values g ^a,g ^b,g ^ab in the test session. Notice that since the adversary cannot forge a valid response V _s in Game 2, \(\mathcal {D}\) can successfully plant the DDH problem into the test session. \(\mathcal {D}\) outputs 1 if ℬ wins, and 0 otherwise. Then we have,

$$\begin{array}{@{}rcl@{}} && \mathbf{Adv}^{ddh}_{\mathcal{D}}\\ & = & {\text{Pr}}[\mathcal{D} \to 1|\gamma=g^{xy}]-{\text{Pr}}[\mathcal{D} \to 1|\gamma=g^{r}]\\ & = & {\text{Pr}}[\mathcal{B} ~wins|\gamma=g^{xy}]-{\text{Pr}}[\mathcal{B}~wins|\gamma=g^{r}]\\ & = & {\text{Pr}}[\sigma_{2}] - {\text{Pr}}[\sigma_{3}] \end{array} $$

and

$$\tau_{2} \le \tau_{3} + \mathbf{Adv}^{ddh}(k).$$

Analysis of Game 4: since the function F is a secure pseudo-random function, the difference between Game 2 and Game 3 is also negligible, and we have

$$\tau_{3} \le \tau_{4} +\mathbf{Adv}^{prf}_{F}(k).$$

In Game 4, we can see that the key returned to the test query is random no matter b = 0 or b = 1, so \({\text {Pr}}[\sigma _{4}]=\frac {1}{2}\) and τ ₄ = 0.

Combining the above results, we can conclude:

$$\begin{array}{@{}rcl@{}} \tau_{0} & \leq & l_{u}(Adv^{ddh}(k)+\mathbf{Adv}^{prf}_{F}(k)+\mathbf{Adv}^{ind-cpa}_{E}(k)). \end{array} $$

(1.2) We then consider that the test query is made to an instance of S.

Game 1. is the same as in the case (1.1). That is we guess that the test query will be made to the m-th instance of the server S (assume that there are at most l _s server instances). Let U _i denote the user involved in the test session.

Game 2. This game is the same as Game 1, except that if the adversary successfully forges a valid login request C _i with respect to U _i before or in the test session, then the simulation halts and a random b′ is returned.

Game 3. and Game 4. are the same as in case (1.1).

Analysis of Game 2: Since the symmetric encryption scheme E is ind-cpa secure, the difference between Game 1 and Game 2 is bounded by

$$\tau_{1} \le \tau_{2} + \mathbf{Adv}^{ind-cpa}_{E}(k).$$

Game 3 and Game 4 are the same as in the case (1.1), and therefore, we have

$$\begin{array}{@{}rcl@{}} \tau_{0} & \leq & l_{s}(\mathbf{Adv}^{ind-cpa}_{E}(k)+ \mathbf{Adv}^{ddh}(k) + \mathbf{Adv}^{prf}_{F}(k)). \end{array} $$

Case 2. The smart card data is leaked.

(2.1) The test query is made to an instance belonging to a user. The proof is the same as in (1.1) and is omitted here.(2.2) The test query is made to an instance belonging to the server.The proof is the same as in (1.1) and is omitted here. Therefore, we have

$$\begin{array}{@{}rcl@{}} \tau_{0} & \leq & l_{s}(\mathbf{Adv}^{ind-cpa}_{E}(k)+ \mathbf{Adv}^{ddh}(k) + \mathbf{Adv}^{prf}_{F}(k)). \end{array} $$

where l _s denotes the number of send queries made by ℬ in the game.

Discussion on the other possible attacks

In the following, we analyze our proposed scheme and show that it can preserve user privacy and is secure to against various threats.

Patient’s privacy protection

It is very essential for a secure authentication scheme for TMIS to provide patient privacy. In the proposed scheme, the patient’s identity is hidden in C _i = E _{B i} (ID _i , T _i , g ^a mod p). If the adversary wants to retrieve the patient’s identity ID _i from C _i , he/she has to compute B _i = (g ^x mod p)^Jia mod p from A _i = g ^Jia mod p and g ^x mod p, then he/she will face with the Computational Diffie-Hellman problem. Furthermore, the login request message {A _i , C _i } varies in each session run due to the randomness of a and T _i . Therefore, it is impossible for the adversary to identify and trace the patient who is involved in the authentication session. In other words, the proposed scheme achieves patient anonymity and untraceability.

Off-line password guessing attack

Suppose that an adversary has obtained the secret parameters {L _i , K _i } stored in the smart card of another legitimate patient U _i [18, 19], then he/she tries to get U _i ’s password from K _i = h(ID _i ∥ RPW _i )=h(ID _i ∥ h(r _i ∥PW _i )) by launching off-line password guessing attack. However, the attacker has to guess both ID _i and PW _i at the same time. As pointed in [21], the probability of crack a veritable password (or identity) comprised by n characters is approximately \(\frac {1}{2^{6n}}\). In the proposed scheme, the probability of crack the correct ID _i comprised by m characters and PW _i , which incorporated in K _i simultaneous is approximately \(\frac {1}{2^{6(n+m)}}\). Since there can be a huge number of users in the system, it is infeasible for an adversary to do an exhaustive search for all the possible (ID, password) pairs. However, we remark that if the user ID space is small, then offline password guessing attack would become feasible if the smart card of a user is stolen and compromised by the attacker. On the other hand, since the attacker didn’t know the secret key x, he/she could not obtain U _i ’s password from the message L _i = J _i ⊕ RPW _i = J _i ⊕ h(r _i ∥ PW _i )=h(x∥ID _i ∥ N) ⊕ h(r _i ∥ PW _i ).

Replay attack

The replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. The proposed scheme is capable of detecting and resisting the replay attack since the random nonce and timestamp is contained in each session run. If an adversary eavesdrops and replays any authentication message exchanged between U _i and S, the replayed message can be easily detected and dropped.

Authentication proof based on BAN-logic

BAN logic [20] is a logic of belief which focuses on the beliefs of the legitimate principals involved in the protocol. It has been highly successful in analyzing the security of authentication schemes. In this section, we demonstrate that the proposed scheme is working correctly by achieving the authentication goals using BAN logic. The notations used in BAN logic analysis are defined as follows:

• P∣≡ X: The principal P believes a statement X or P would be entitled to believe X.

• ♯(X): The formula X is fresh.

• P ⇒ X: The principal P has jurisdiction over the statement X.

• P ⊲ X: The principal P sees the statement X.

• P∣∼ X: The principal P once said the statement X.

• (X, Y): The formula X or Y is one part of the formula (X, Y).

• {X} _Y : The formula X is encrypted under the key Y.

• \(P \mathop {\longleftrightarrow }\limits ^{K} Q\) : The principal P and Q use the shared key K to communicate. Here, K will never be discovered by any principal except for P and Q.

• sk: The session key used in the current session.

Some main logical postulates of BAN logic are described as follows:

• The message-meaning rule: \(\frac {P\mid \equiv P\mathop {\longleftrightarrow }\limits ^{K} Q, P\triangleleft \{X\}_{K}}{P\mid \equiv Q\mid \sim X}\).

• The freshness-conjuncatenation rule: \(\frac {P\mid \equiv \sharp (X)}{P\mid \equiv \sharp (X,Y)}\).

• The nonce-verification rule: \(\frac {P\mid \equiv \sharp (X), P\mid \equiv Q\mid \sim X}{P\mid \equiv Q\mid \equiv X}\).

• The jurisdiction rule: \(\frac {P\mid \equiv Q\Rightarrow X, P\mid \equiv Q\mid \equiv X}{P\mid \equiv X}\).

According to the analytic procedures of BAN logic, we list the verification goals of the proposed scheme as follows:

1. Goal.1:

   \(U_{i}\mid \equiv (U_{i}\mathop {\longleftrightarrow }\limits ^{sk} S)\)

2. Goal.1:

   \(S\mid \equiv (U_{i}\mathop {\longleftrightarrow }\limits ^{sk} S)\)

Next, the proposed scheme is arranged from the generic type to the idealized form in the following:

1. Message 1:

   U _i →S: {ID _i , T _i , g ^a mod p} _{B i}

2. Message 2:

   S→U _i : {R _s , T _s , g ^b mod p} _{B i}

We make the following assumptions about the initial state of the scheme to further analyze the proposed scheme:

1. A.1:

   U _i ∣≡ ♯(g ^a mod p)

2. A.2:

   S∣≡ ♯(g ^b mod p)

3. A.3:

   \(U_{i}\mid \equiv (U_{i}\mathop {\longleftrightarrow }\limits ^{B_{i}} S)\)

4. A.4:

   \(S\mid \equiv (U_{i}\mathop {\longleftrightarrow }\limits ^{B_{i}}S)\)

5. A.5:

   U _i ∣≡ S⇒g ^b mod p

6. A.6:

   S∣≡ U _i ⇒g ^a mod p

Based on the above-mentioned assumptions and rules of BAN logic, we analyze the idealized form of the proposed scheme and the main procedures of proof as follows:

According to the message 1, we obtain:

$$S\triangleleft \{g^{a}~mod~p\}_{B_{i}}.$$

According to the assumption A.4 and the message meaning rule, we obtain:

$$S\mid \equiv U_{i}\mid \sim g^{a}~mod~p.$$

According to freshness-conjuncatenation rule and the nonce verification rule, we obtain:

$$S\mid \equiv U_{i}\mid \equiv g^{a}~mod~p.$$

According to the assumption A.6 and the jurisdiction rule, we obtain:

$$S\mid \equiv g^{a}~mod~p.$$

According to sk = F(g ^ab,1), we obtain:

$$S\mid \equiv (U_{i}\mathop{\longleftrightarrow}\limits^{sk}S) \text{(\textbf{Goal 2})}.$$

According to the message 2, we obtain:

$$U_{i}\triangleleft \{g^{b}~mod~p\}_{B_{i}}.$$

According to the assumption A.3 and the message-meaning rule, we obtain:

$$U_{i}\mid \equiv S\mid \sim g^{b}~mod~p.$$

According to freshness-conjuncatenation rule and the nonce-verification rule, we obtain:

$$U_{i}\mid \equiv S\mid \equiv g^{b}~mod~p.$$

According to the assumption A.5 and the jurisdiction rule, we obtain:

$$U_{i}\mid \equiv g^{b}~mod~p.$$

According to sk = F(g ^ab, 1), we obtain:

$$U_{i}\mid \equiv (U_{i}\mathop{\longleftrightarrow}\limits^{sk}S) \text{(\textbf{Goal 1})}.$$

Performance and functionality analysis

In this section, we will evaluate the performance and functionality of the modified scheme and make comparisons with two related schemes: Jiang et al.’s scheme [13] and Wu et al.’s scheme [14]. The comparison based on the key security among these schemes is given in Table 2, while we compare their efficiency in terms of computation and communication cost in Table 3. Let T _h , T _s , T _F , T _m and T _e be the time for performing an one-way hash function, a symmetric encryption/decryption, a pseudo-random function, a modular multiplication and a modular exponentiation, respectively.

Table 2 Comparisons of functionality

Table 3 Performance comparisons

It is visible from Table 2 that the proposed scheme provides better security than the other two related schemes. Jiang et al.’s scheme only satisfies four criterion listed in Table 2. Wu et al.’s scheme does not satisfy five of the eight criterion. While the proposed scheme can achieve all requirements listed in Table 2. Note that, the proposed scheme offers the patient anonymity and untraceability which are the most important features of an authentication scheme for TMIS.

From Table 3, we can see that the total computation cost in the login phase and authentication phase of Jiang et al.’s scheme, Wu et al.’s scheme, the proposed scheme are 6T _h + 4T _s , 11T _h + 4T _s , 5T _h + T _m + 8T _e + 4T _s + T _F . Compared with the other two related schemes, our scheme needs more computational cost and communication cost. Nevertheless, our scheme can thwart many security threats identified in these schemes and provide more additional security features.

Conclusion

In this article, we have demonstrated that the recently proposed Wu et al.’s authentication scheme for TMIS could not achieve patient privacy and is susceptible to server spoofing attack, off-line password guessing attack, impersonation attack. Besides, the password change phase of Wu et al.’s scheme is unfriendly and inefficient since the patient has to communicate with the medical server to update his/her password. In order to rectify these security flaws, we proposed a new smart card based authentication scheme with privacy protection for TMIS. According to the performance and functionality analysis, we show that the proposed scheme is robust for the telecare medical information systems.