Abstract
The Telecare Medicine Information Systems (TMISs) provide an efficient communication platform that supports patients in accessing health-care delivery services via the internet or mobile networks. Authentication becomes an essential need when a remote patient logs into the telecare server. Recently, many extended chaotic maps based authentication schemes using smart cards for TMISs have been proposed. Li et al. proposed a secure smart cards based authentication scheme for TMISs using extended chaotic maps, based on Lee’s and Jiang et al.’s schemes. In this study, we show that Li et al.’s scheme still has some weaknesses, such as violation of the session key security, vulnerability to the user impersonation attack and lack of local verification. To conquer these flaws, we propose a chaotic maps and smart cards based password authentication scheme by applying a biometrics technique and hash function operations. Through informal and formal security analyses, we demonstrate that our scheme is resilient to possible known attacks, including the attacks found in Li et al.’s scheme. As compared with the previous authentication schemes, the proposed scheme is more secure and efficient and hence more practical for telemedical environments.
Introduction
With the fast development of information and communication technologies, the demand for low-cost handheld telecommunication systems and customized patient physiological monitoring devices is continuously rising. Meanwhile, more and more people's demands for health promotion and medical services are increasing due to continued population ageing [1]. As a consequence, these phenomena lead to a gaining popularity of telecare service applications. Telecare is regarded as a time- and expense-saving substitute for traditional medical service. The Telecare Medicine Information Systems (TMISs) build a bridge between patients at home and doctors at a clinical center or home healthcare (HHC) agency [2]. In such a system, the patients only need to stay at home and can still access convenient and prompt treatment from the medical center over the internet or mobile networks [2, 3]. However, one of the most pressing problems of TMISs is that the open communication channel between patients and doctors may give an adversary an opportunity to compromise the privacy of patients. Security of the private data becomes crucial because nobody is willing to bring his own sensitive information to light. Therefore, how to safeguard information privacy in TMISs during transmission via the insecure network becomes a significant concern.
Authentication mechanisms become an essential need for TMISs when a remote patient tries to access the resources of the telecare server. Several authenticated key agreement schemes [4, 11] have been proposed for TMISs. In 2010, Wu et al. [12] proposed a low-computation password based authentication scheme. However, He et al. [13] pointed out that Wu et al.’s scheme was vulnerable to the insider and impersonation attacks. In order to overcome these weaknesses, He et al. proposed an improved scheme. Unfortunately, Wei et al. [14] demonstrated that both Wu et al.’s scheme and He et al.’s scheme suffered from the off-line password guessing attack. To solve the limitations in the schemes of Wu et al. and He et al., Wei et al. also developed an improved scheme. Later, Zhu [15] showed that Wei et al.’s scheme was insecure against the off-line password guessing attack and also designed an improved authentication scheme. Nevertheless, the high computation overhead caused by modular exponentiation operations makes those schemes less suitable for practical applications.
With the rapid development of chaos theory related to cryptography [16, 18], more and more authentication schemes based on chaos theory have been studied widely, since it has better performance than traditional cryptography [19]. In 2007, Xiao et al. [20] developed the first chaotic maps based authenticated key agreement protocol using random numbers. After that, Tseng et al. [21] also proposed a user anonymity-preserving chaotic maps-based authentication and key agreement scheme. Unfortunately, Niu et al. [22] found that Tseng et al.’s scheme failed to provide user anonymity. Consequently, Niu et al. also presented an improved scheme to overcome the weakness. However, Xue et al. [23] pointed out that Niu et al.’s scheme was vulnerable to the man-in-the-middle attack. Recently, Guo et al. [24] proposed a chaotic maps-based password authenticated key agreement using smart cards. Unfortunately, both Hao et al. [25] and Lin [26] pointed out that Guo et al.’s scheme could not guarantee user anonymity. To remedy the identified deficiencies, Hao et al. and Lin presented their respective modified versions of Guo et al.’s scheme. Nevertheless, Jiang et al. [27] and Lee [28] respectively showed that Hao et al.’s scheme did not achieve fairness in session key establishment and suffered from the stolen smart card attack. They then developed their improved schemes to conquer the flaws of Hao et al.’s scheme. Unfortunately, Li et al. [29] demonstrated that both Lee’s and Jiang et al.’s schemes could not withstand the service misuse attack by non-registered users and did not provide user identity protection during the authentication phase. While addressing the limitations of Lee’s and Jiang et al.’s schemes, Li et al. presented a slight modification of Lee’s scheme to prevent these shortcomings.
In this paper, we find that Li et al.’s scheme still has some weaknesses, such as violation of the session key security, vulnerability to the user impersonation attack and lack of local verification. To conquer these flaws, we propose a chaotic maps and smart cards based password authentication scheme by applying a biometrics technique [30] and hash function operations. Through informal and formal security analyses, we demonstrate that our scheme is resilient to possible known attacks, including the attacks found in Li et al.’s scheme. As compared with the previous authentication schemes, the proposed scheme is more secure and efficient and hence more practical for telemedical environments.
The remainder of this paper is organized as follows. Section “Preliminaries” introduces some preliminaries about hash functions and Chebyshev chaotic maps. The review and security analysis of Li et al.’s scheme are given in Section “Review of Li et al.’s scheme” and Section “Security analysis of Li et al.’s scheme”, respectively. Section “Proposed authentication scheme” and Section “Security analysis” present our proposed scheme and analyze its security. Section “Functionality and performance analysis comparison” depicts the performance and security feature comparisons between the proposed scheme and other related ones. Section “Conclusion” is a brief conclusion.
Preliminaries
In this section, we briefly introduce the one-way hash function [31] and Chebyshev chaotic maps [32, 34].
Definition 1
A secure one-way hash function \(h:\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) takes as input an arbitrary-length binary string \(x\in \{0,1\}^{*}\) and outputs a binary string \(h(x)\in \{0,1\}^{n}\). The probability of \(\mathcal {A}\) finding a collision is defined as \(Adv_{HASH}^{\mathcal {A}}(t_{1})=Pr[\mathcal {A}((x, x'), x\neq x'): h(x) = h(x')]\).
Definition 2
Let n be an integer and x a real number from the interval [−1,1]; the Chebyshev polynomial of degree n is defined as \(T_{n}(x)=\cos(n\cdot \cos^{-1}(x))\).
Definition 3
Given two elements \(x, y \in Z_{p}^{*}\), the Chaotic Maps Discrete Logarithm Problem (CMDLP) is to find the integer r such that \(y=T_{r}(x)\). The probability that \(\mathcal {A}\) can solve the CMDLP is defined as \(Adv_{CMDLP}^{\mathcal {A}}(t_{2}) = Pr[\mathcal {A}(x, y)= r:\ r\in Z_{p}^{*}, y=T_{r}(x) \bmod p]\).
Definition 4
Given three parameters \(x\), \(T_{r}(x)\) and \(T_{s}(x)\), the Chaotic Maps Diffie-Hellman Problem (CMDHP) is to compute \(T_{rs}(x)\), where \(T_{rs}(x)=T_{r}(T_{s}(x))=T_{s}(T_{r}(x))\).
Review of Li et al.’s scheme
In this section, we will review Li et al.’s extended chaotic maps based password authentication scheme for TMISs. Their scheme is composed of three phases, which are registration, authentication and password change. For convenience, some notations used in this paper are described in Table 1.
Registration
(1) U generates a random number b, selects a password PW and sends \(\{ID,\ h_{1}(ID||h(PW||b))\}\) to S.
(2) S selects a random number r and computes \(IM_{1}=IM_{3}=h(k_{s})\oplus r\), \(IM_{2}=IM_{4}=h_{1}(k_{s}||r)\oplus ID\), \(D_{1}=h_{1}(ID||k_{s})\oplus h_{1}(ID||h_{1}(PW||b))\). Then, S stores \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}, D_{1}, h_{1}(\cdot), h_{2}(\cdot)\}\) into U’s smart card and issues it to U. Moreover, S keeps a status table composed of three fields, i.e., U’s identity, the latest random number and LB, where LB indicates whether U is logged into S or not.
(3) U computes \(D_{2}=h_{1}(ID||PW)\oplus b\) and stores \(D_{2}\) into the smart card. Now, the smart card contains \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}, D_{1}, D_{2}, h_{1}(\cdot), h_{2}(\cdot)\}\).
Authentication
There are two types of authentication processes. Case 1 applies when the latest random numbers kept by U and S are identical. Case 2 applies when the latest random numbers kept by U and S are different. We mainly consider Case 1, since our cryptanalysis targets it.
(1) U inserts his smart card into a card reader and enters his identity ID and password PW. Then the smart card generates a random number u and computes \(b=h(ID||PW)\oplus D_{2}\), \(K=D_{1}\oplus h_{1}(ID||h(PW||b))=h_{1}(ID||k_{s})\), \(T_{u}(K)\) and \(X_{1}=h_{1}(K||IM_{1}||IM_{2}||T_{u}(K)||T_{1})\), where \(T_{1}\) is the current timestamp. At last, U sends the login request \(M_{1}=\{IM_{1}, IM_{2}, T_{u}(K), X_{1}, T_{1}\}\) to S.
(2) After receiving the message from U, S verifies whether \(T_{2}-T_{1}\leq \Delta T\) holds, where \(T_{2}\) is the current timestamp. If so, S computes \(r^{\prime }=IM_{1}\oplus h(k_{s})\) and \(ID^{\prime }=IM_{2}\oplus h_{1}(k_{s}||r^{\prime })\) and checks whether \((ID^{\prime }, r^{\prime })\) equals the maintained \((ID, r)\). If it matches, S computes \(K^{\prime }=h_{1}(ID^{\prime }||k_{s})\) and checks whether \(h(K^{\prime }||IM_{1}||IM_{2}||T_{u}(K)||T_{1})\stackrel {?}{=}X_{1}\). If it holds, S generates two random numbers \(r_{new}\) and v and computes \(IM_{1}^{*}=h_{1}(k_{s})\oplus r_{new}\), \(IM_{2}^{*}=h_{1}(k_{s}||r_{new})\oplus ID^{\prime }\), \(T_{v}(K^{\prime })\), \(sk=h_{2}(T_{u}(K), T_{v}(K^{\prime }), T_{v}(T_{u}(K)))\), \(Y_{1}=IM_{1}^{*}\oplus h_{1}(sk||T_{1})\), \(Y_{2}=IM_{2}^{*}\oplus h_{1}(sk||T_{2})\), \(Y_{3}=h_{1}(sk||IM_{1}^{*}||IM_{2}^{*}||T_{v}(K^{\prime })||T_{2})\) and sends \(\{Y_{1}, Y_{2}, Y_{3}, T_{v}(K^{\prime }), T_{2}\}\) to U.
(3) On receiving the message from S, U verifies whether \(T^{\prime \prime }-T_{2}\leq \Delta T\) holds. If it holds, U computes \(sk^{\prime }=h_{2}(T_{u}(K), T_{v}(K^{\prime }), T_{u}(T_{v}(K^{\prime })))\), \(IM_{1new}^{*}=Y_{1}\oplus h_{1}(sk^{\prime }||T_{1})\), \(IM_{2new}^{*}=Y_{2}\oplus h_{1}(sk^{\prime }||T_{2})\) and checks whether the computed \(h_{1}(sk^{\prime }||IM_{1new}^{*}||IM_{2new}^{*}||T_{v}(K^{\prime })||T_{2})\stackrel {?}{=}Y_{3}\). If equivalent, U replaces \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}\}\) with \(\{IM_{1new}^{*}, IM_{2new}^{*}, IM_{1}, IM_{2}\}\). Then, U computes \(M_{3}=X_{2}=h_{1}(IM_{1new}^{*}||IM_{2new}^{*}||T_{u}(T_{v}(K^{\prime }))||sk^{\prime }||T_{3})\) and sends \(\{M_{3}, T_{3}\}\) to S.
(4) After receiving the response message from U, S verifies whether \(T_{4}-T_{3}\leq \Delta T\) holds. If it holds, S checks whether the computed \(h_{1}(IM_{1new}^{*}||IM_{2new}^{*}||T_{v}(T_{u}(K))||sk||T_{3})\stackrel {?}{=}X_{2}\). If identical, S updates r with \(r_{new}\) in its status table.
Password change
U inserts the smart card into the card reader and keys in his identity ID, the original password PW and a new password \(PW^{new}\). Then, the smart card computes \(b=D_{2}\oplus h_{1}(ID||PW)\), \(D^{\prime }_{1}=D_{1}\oplus h_{1}(ID||h(PW||b))\oplus h_{1}(ID||h(PW^{new}||b))\), \(D^{\prime }_{2}=h_{1}(ID||PW^{new})\oplus b\) and updates \(D_{1}\), \(D_{2}\) in the smart card’s memory with \(D^{\prime }_{1}\), \(D^{\prime }_{2}\).
Security analysis of Li et al.’s scheme
Li et al. claimed that their scheme could resist the session key attack. However, we demonstrate that their scheme is not really secure against the session key attack. Furthermore, we find that their scheme is also unable to protect against the user impersonation attack and does not provide local verification. Now, let us see the details of these problems.
Violation of the session key security
Let \(\mathcal {A}\) be an active adversary [35] who steals the smart card of U. Then, \(\mathcal {A}\) can extract [36] the secret information \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}, D_{1}, D_{2}, h_{1}(\cdot), h_{2}(\cdot)\}\) and hence he can easily obtain the session key between U and S. The attack on the session key proceeds as follows:
(1) \(\mathcal {A}\) steals the information \(\{ID, r\}\) stored in the server and compromises the server’s long-term key [37] \(k_{s}^{\prime }\) to compute \(K=h_{1}(ID||k_{s})\). \(\mathcal {A}\) then intercepts the login message \(\{IM_{1}, IM_{2}, T_{u}(K), X_{1}, T_{1}\}\).
(2) Using the approach of [38], \(\mathcal {A}\) computes \(u'=\frac {\arccos(T_{u}(K))+2k\pi }{\arccos(K)}\), \(v^{\prime }=\frac {\arccos(T_{v}(K))+2k\pi }{\arccos(K)}\), \(\forall k\in Z\), which satisfy \(T_{u}(K)=T_{u^{\prime }}(K)\), \(T_{v}(K)=T_{v^{\prime }}(K)\). Then, \(\mathcal {A}\) can compute \(T_{u^{\prime }}(T_{v^{\prime }}(K))=T_{u^{\prime }}(T_{v}(K))=T_{v}(T_{u^{\prime }}(K))=T_{v}(T_{u}(K))=T_{vu}(K)\). Therefore, \(\mathcal {A}\) can get the session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{vu}(K))\).
User impersonation attack
As described in the previous subsection, \(\mathcal {A}\) can also impersonate a legal user to cheat S when he knows the value of K. The details are described as follows:
(1) \(\mathcal {A}\) generates a random number \(u^{\prime }\) and computes \(X_{1}= h_{1}(K||IM_{1}||IM_{2}||T_{u^{\prime }}(K)||T^{\prime }_{1})\), where \(T^{\prime }_{1}\) is the current timestamp. Then, \(\mathcal {A}\) sends \(\{IM_{1}, IM_{2}, T_{u^{\prime }}(K), X_{1}, T^{\prime }_{1}\}\) to S.
(2) When receiving the message from \(\mathcal {A}\), who pretends to be U, S finds that the message passes its verification and performs the following steps of the scheme normally. Finally, S sends the authentication message \(\{Y_{1}, Y_{2}, Y_{3}, T_{v}(K), T_{2}\}\) to \(\mathcal {A}\), where v and \(T_{2}\) are the random number and the current timestamp on the server side, respectively.
(3) Upon receiving the authentication message, \(\mathcal {A}\) checks whether \(T_{3}-T_{2}\leq \Delta T\), where \(T_{3}\) is the current timestamp. If it holds, \(\mathcal {A}\) computes \(sk=h_{2}(T_{u^{\prime }}(K), T_{v}(K), T_{u^{\prime }v}(K))\), derives the values of \(IM_{1new}^{*}\), \(IM_{2new}^{*}\) using sk, computes \(X_{2}=h_{1}(IM_{1new}^{*}||IM_{2new}^{*}||T_{u^{\prime }}(T_{v}(K))||sk||T_{4})\) and sends the message \(\{X_{2}, T_{4}\}\) to S, where \(T_{4}\) is the current timestamp.
(4) When receiving the message from \(\mathcal {A}\), S continues the scheme without detecting anything. Finally, \(\mathcal {A}\) and S “successfully” agree on a session key sk, but unfortunately S mistakenly believes that it is communicating with the legitimate U.
Lack of local verification
In the login and authentication phases of Li et al.’s scheme, U inputs his information and directly sends the login message to S. Note that the smart terminal of U does not verify whether the entered information is correct or not. Therefore, even if U mistakenly keys in wrong information or \(\mathcal {A}\) sends a forged message, S will accept it and still continue as in the original scheme. This results in an unnecessary waste of communication and computational costs.
Proposed authentication scheme
In this section, we propose a biometrics based password authentication scheme for TMISs using extended chaotic maps. In the proposed scheme, we employ biometrics to conceal the password. We adopt Biohashing to protect the biometrics of patients, which can resolve high false rejection and hence decrease the probability of denial of service access [39]. Moreover, Biohashing is very efficient and lightweight as compared to modular exponentiation and elliptic curve point multiplication [40]. Our scheme consists of three phases: registration, login and authentication, and password change.
Registration
(1) U inputs his biometric characteristic BIO and selects an identity ID and a password PW. Then U computes \(PWD=h_{1}(PW||H(BIO))\) and submits \(\{ID, PWD\}\) to S through a secure channel.
(2) S computes \(K=h_{1}(ID||PWD)\), \(IM_{1}=K\oplus h_{1}(k_{s})\), where \(k_{s}\) is S’s secret key. S then issues a smart card containing \(\{IM_{1}\}\) to U.
(3) U selects a secret key \(k_{u}\) and computes \(f=h_{1}(ID||k_{u})\oplus PWD\). U then stores f into the smart card. Thus, the smart card of U contains the information \(\{IM_{1}, f, h_{1}(\cdot), h_{2}(\cdot), H(\cdot)\}\).
Login and Authentication
(1) U first inserts the smart card into a card reader and enters his identity ID, password PW and secret key \(k_{u}\), and also imprints his biometric BIO at the sensor. U then checks whether \(h_{1}(ID||k_{u})\oplus h_{1}(PW||H(BIO))\stackrel {?}{=}f\). If it holds, U computes \(K=h_{1}(ID||h_{1}(PW||H(BIO)))\), then generates a random number u and computes \(R_{1}=K\oplus ID\), \(R_{2}=ID\oplus T_{u}(K)\), \(R_{3}=h_{1}(ID||T_{u}(K))\). Finally, U sends the message \(\{R_{1}, R_{2}, R_{3}\}\) to S.
(2) Upon receiving the message from U, S uses its key \(k_{s}\) to derive K by computing \(K^{\prime }=IM_{1}\oplus h(k_{s})\); it then computes \(ID=R_{1}\oplus K\), \(T_{u}(K)=ID\oplus R_{2}\) and checks whether \(h(ID||T_{u}(K))\stackrel {?}{=}R_{3}\). If it is correct, S generates a random number v and computes \(IM_{2}=T_{v}(K)\oplus ID\), \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\), \(Auth_{s}=h_{1}(K||T_{v}(K)||sk)\). Finally, S sends the message \(\{Auth_{s}, IM_{2}\}\) to U.
(3) After receiving the message from S, U derives \(T_{v}(K)\) by computing \(IM_{2}\oplus ID\) and computes \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) to verify whether \(Auth_{s}^{\prime }=h_{1}(K||T_{v}(K)||sk)\) is equal to the received \(Auth_{s}\). If it holds, U successfully authenticates S, computes \(Auth_{u}=h_{1}(sk||T_{v}(K)||K)\) and then sends the message \(\{Auth_{u}\}\) to S.
(4) Once receiving the message from U, S validates whether \(h_{1}(sk||T_{v}(K)||K)\stackrel {?}{=}Auth_{u}\). If it is true, S successfully authenticates U; otherwise, S aborts this request. Finally, U and S share a common session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\).
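As an added worked example (not code from the paper, from Li et al. or from any cited work), the Python below implements Definitions 2–4 of the Preliminaries, namely the extended Chebyshev map \(T_{n}(x) \bmod p\) and its semigroup property \(T_{r}(T_{s}(x))=T_{s}(T_{r}(x))=T_{rs}(x)\), and then runs the registration and login/authentication phases above end to end between a simulated smart card and server, including the local verification of step (1) that rejects a wrong password before any message is sent. The following are assumptions, not details the paper fixes: \(h_{1}\), \(h_{2}\) and \(H(\cdot)\) are instantiated with domain-separated SHA-256 (real Biohashing is a user-keyed random projection of the biometric template), the prime is \(p=2^{255}-19\) so that \(T_{n}(K) \bmod p\) fits in 32 bytes, ID is padded to 32 bytes so that it can be XORed with K, and S keeps the \(IM_{1}\) it issued, since step (2) derives \(K^{\prime }\) from \(IM_{1}\) and \(k_{s}\) without stating where S obtains \(IM_{1}\). The identity, password and biometric bytes are constructed sample values.

```python
import hashlib
import secrets
# Public parameters (ASSUMPTION: the paper fixes neither the prime nor the hashes).
# p = 2**255 - 19 is prime, so T_n(K) mod p fits in N = 32 bytes, the SHA-256 output length.
P = 2**255 - 19
N = 32

def chebyshev_mod(n: int, x: int, p: int = P) -> int:
    """Extended Chebyshev map T_n(x) mod p (Definitions 2-4): T_k = 2x*T_{k-1} - T_{k-2},
    T_0 = 1, T_1 = x, computed by powering M = [[2x,-1],[1,0]] in O(log n) steps."""
    a, b, c, d = 1, 0, 0, 1                                 # accumulator = I
    ma, mb, mc, md = (2 * x) % p, p - 1, 1, 0               # M
    while n:
        if n & 1:
            a, b, c, d = ((a * ma + b * mc) % p, (a * mb + b * md) % p,
                          (c * ma + d * mc) % p, (c * mb + d * md) % p)
        ma, mb, mc, md = ((ma * ma + mb * mc) % p, (ma * mb + mb * md) % p,
                          (mc * ma + md * mc) % p, (mc * mb + md * md) % p)
        n >>= 1
    return (c * x + d) % p           # (T_{n+1}, T_n) = M^n (x, 1): second row

def semigroup_holds(r: int, s: int, x: int, p: int = P) -> bool:  # Definition 4
    return (chebyshev_mod(r, chebyshev_mod(s, x, p), p)
            == chebyshev_mod(s, chebyshev_mod(r, x, p), p) == chebyshev_mod(r * s, x, p))

def h1(*parts: bytes) -> bytes:          # h1(a||b||...) instantiated as SHA-256
    return hashlib.sha256(b"h1" + b"".join(parts)).digest()

def h2(*parts: bytes) -> bytes:          # h2, domain-separated from h1
    return hashlib.sha256(b"h2" + b"".join(parts)).digest()

def H(bio: bytes) -> bytes:              # stand-in for Biohashing H(.) (ASSUMPTION:
    return hashlib.sha256(b"bio" + bio).digest()   # real Biohashing is user-keyed)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def T(n: int, k: bytes) -> bytes:        # T_n(K), the 32-byte K read as an element of Z_p
    return chebyshev_mod(n, int.from_bytes(k, "big") % P).to_bytes(N, "big")

def register(ID, PW, BIO, k_u, k_s):
    """Registration (1)-(3): returns the smart card contents and S's record."""
    PWD = h1(PW, H(BIO))                      # (1) U: PWD = h1(PW||H(BIO))
    K = h1(ID, PWD)                           # (2) S: K and IM_1 = K xor h1(k_s)
    IM1 = xor(K, h1(k_s))
    f = xor(h1(ID, k_u), PWD)                 # (3) U: f = h1(ID||k_u) xor PWD
    # ASSUMPTION: login step (2) has S recover K from IM_1 and k_s but does not
    # say where S gets IM_1; this example lets S keep the IM_1 it issued.
    return {"IM1": IM1, "f": f}, {"IM1": IM1}

def user_login(card, ID, PW, BIO, k_u):
    """Login (1): local verification first; nothing is sent when it fails."""
    if xor(h1(ID, k_u), h1(PW, H(BIO))) != card["f"]:
        return None
    K = h1(ID, h1(PW, H(BIO)))
    u = secrets.randbelow(P - 2) + 2
    TuK = T(u, K)
    msg = {"R1": xor(K, ID), "R2": xor(ID, TuK), "R3": h1(ID, TuK)}
    return msg, {"K": K, "u": u, "TuK": TuK}  # message, plus state kept on the card

def server_step2(record, k_s, msg):
    """Login (2): recover K and ID, check R3, answer with {Auth_s, IM_2}."""
    K = xor(record["IM1"], h1(k_s))
    ID = xor(msg["R1"], K)
    TuK = xor(ID, msg["R2"])
    if h1(ID, TuK) != msg["R3"]:
        return None
    v = secrets.randbelow(P - 2) + 2
    TvK = T(v, K)
    sk = h2(TuK, TvK, T(v, TuK))              # T_v(T_u(K)) = T_uv(K)
    return {"Auth_s": h1(K, TvK, sk), "IM2": xor(TvK, ID)}, {"K": K, "sk": sk, "TvK": TvK}

def user_step3(state, ID, reply):
    """Login (3): authenticate S and derive sk; returns (Auth_u, sk) or None."""
    TvK = xor(reply["IM2"], ID)
    sk = h2(state["TuK"], TvK, T(state["u"], TvK))   # T_u(T_v(K)) = T_uv(K)
    if h1(state["K"], TvK, sk) != reply["Auth_s"]:
        return None
    return h1(sk, TvK, state["K"]), sk

def server_step4(sstate, Auth_u):
    """Login (4): authenticate U; returns S's session key or None."""
    return sstate["sk"] if h1(sstate["sk"], sstate["TvK"], sstate["K"]) == Auth_u else None

def run_protocol(wrong_password: bool = False):
    """Full run on constructed inputs: (U's sk, S's sk), or None when the card
    rejects the login locally, the check Li et al.'s scheme lacks."""
    ID = b"patient-0001".ljust(N, b"\0")     # constructed; padded to N bytes so ID xor K works
    PW, BIO = b"correct horse battery", b"constructed-fingerprint-template"
    k_u, k_s = secrets.token_bytes(N), secrets.token_bytes(N)
    card, record = register(ID, PW, BIO, k_u, k_s)
    login = user_login(card, ID, b"wrong password" if wrong_password else PW, BIO, k_u)
    if login is None:
        return None
    msg, ustate = login
    reply, sstate = server_step2(record, k_s, msg)
    Auth_u, sk_u = user_step3(ustate, ID, reply)
    return sk_u, server_step4(sstate, Auth_u)
```

Calling run_protocol() returns the two 32-byte session keys, which agree exactly because \(T_{u}(T_{v}(K))=T_{v}(T_{u}(K))\) mod p; run_protocol(wrong_password=True) returns None, since the card’s check of f fails before step (1) sends anything. semigroup_holds accepts arbitrary exponents r, s and any x in \(Z_{p}\), so it generalizes Definition 4 beyond the small values used in the checks.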
Password change
If U wants to change the password, U inserts his smart card into the card reader and keys in ID, PW, \(k_{u}\) and BIO. Then, the smart card checks \(h_{1}(ID||k_{u})\oplus h_{1}(PW||H(BIO))\stackrel {?}{=}f\). If it holds, U submits a new password \(PW^{new}\) and a new secret key \(k_{u}^{new}\); the smart card then computes \(f^{new}=h_{1}(ID||k_{u}^{new})\oplus h_{1}(PW^{new}||H(BIO))\) and replaces f with \(f^{new}\) (Fig. 1).
Security analysis
In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [41] to prove that a session key between U and S can be correctly generated within the authentication process. Then, we conduct a security analysis of the proposed scheme through both informal and formal methods.
Verifying authentication scheme with BAN logic
BAN logic [41] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes [42]. In this subsection, we prove that a session key between the communicating parties can be correctly generated within the authentication process using BAN logic. First, we introduce some notations and logical postulates of BAN logic that we will use for our scheme (Table 2).
(1) BAN logical postulates
a. Message-meaning rule: \(\frac {A|\equiv A\stackrel {K}\leftrightarrow B,\ A\triangleleft \{X\}_{K}}{A|\equiv B|\sim X}\): if A believes that the key K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.
b. Nonce-verification rule: \(\frac {A|\equiv \#X, \ A |\equiv B|\sim X}{A|\equiv B|\equiv X}\): if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.
c. The belief rule: \(\frac {A|\equiv X,\ A|\equiv Y}{A|\equiv (X,\ Y)}\): if A believes X and Y, then A believes (X, Y).
d. Freshness-conjuncatenation rule: \(\frac {A|\equiv \#X}{A|\equiv \#(X,\ Y)}\): if A believes the freshness of X, then A believes the freshness of (X, Y).
e. Jurisdiction rule: \(\frac {A|\equiv B\Rightarrow X,\ A |\equiv B|\equiv X}{A|\equiv X}\): if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.
(2) Idealized scheme
\(U: \ <ID>_{U\stackrel {K}\longleftrightarrow S}, \ <ID>_{\{{U\stackrel {K}\longleftrightarrow S}\}_{u}},\ (ID)_{\{{U\stackrel {K}\longleftrightarrow S}\}_{u}},\\\ (U\stackrel {sk}\longleftrightarrow S,\ \{{U\stackrel {K}\longleftrightarrow S}\}_{v})_{U\stackrel {K}\longleftrightarrow S}\)
\(S: \ (U\stackrel {sk}\longleftrightarrow S,\ \{{U\stackrel {K}\longleftrightarrow S}\}_{u})_{U\stackrel {K}\longleftrightarrow S},\\\ <ID>_{\{{U\stackrel {K}\longleftrightarrow S}\}_{v}} \)
(3) Establishment of security goals
\(g_{1}.\ U|\equiv S|\equiv U\stackrel {sk}\longleftrightarrow S\)
\(g_{2}.\ U|\equiv U\stackrel {sk}\longleftrightarrow S\)
\(g_{3}.\ S|\equiv U|\equiv U\stackrel {sk}\longleftrightarrow S\)
\(g_{4}.\ S|\equiv U\stackrel {sk}\longleftrightarrow S\)
(4) Initial premises
\(p_{1}.\ U|\equiv \#u\)
\(p_{2}.\ S|\equiv \#v\)
\(p_{3}.\ U|\equiv U\stackrel {K}\longleftrightarrow S\)
\(p_{4}.\ S|\equiv U\stackrel {K}\longleftrightarrow S\)
\(p_{5}.\ U|\equiv S\Rightarrow (U\stackrel {sk}\longleftrightarrow S)\)
\(p_{6}.\ S|\equiv U\Rightarrow (U\stackrel {sk}\longleftrightarrow S)\)
(5) Scheme analysis
\(a_{1}\). Since \(p_{3}\) and \(U\triangleleft (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{u})_{U\stackrel {K}\longleftrightarrow S}\), we apply the message-meaning rule to obtain: \(U|\equiv S|\sim (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{u})\).
\(a_{2}\). Since \(p_{1}\) and \(a_{1}\), we apply the freshness-conjuncatenation rule and the nonce-verification rule to obtain: \(U|\equiv S|\equiv (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{u})\).
\(g_{1}\). Since \(a_{2}\) and \(p_{3}\), we apply the belief rule to obtain: \(U|\equiv S|\equiv U\stackrel {sk}\longleftrightarrow S\).
\(g_{2}\). Since \(p_{5}\) and \(g_{1}\), we apply the jurisdiction rule to obtain: \(U|\equiv U\stackrel {sk}\longleftrightarrow S\).
\(a_{3}\). Since \(p_{4}\) and \(S\triangleleft (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{v})_{U\stackrel {K}\longleftrightarrow S}\), we apply the message-meaning rule to obtain: \(S|\equiv U|\sim (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{v})\).
\(a_{4}\). Since \(p_{2}\) and \(a_{3}\), we apply the freshness-conjuncatenation rule and the nonce-verification rule to obtain: \(S|\equiv U|\equiv (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{v})\).
\(g_{3}\). Since \(a_{4}\) and \(p_{4}\), we apply the belief rule to obtain: \(S|\equiv U|\equiv U\stackrel {sk}\longleftrightarrow S\).
\(g_{4}\). Since \(g_{3}\) and \(p_{6}\), we apply the jurisdiction rule to obtain: \(S|\equiv U\stackrel {sk}\longleftrightarrow S\).
As a result, by analyzing the security of our scheme with BAN logic, we can now be sure that the proposed scheme is truly capable of achieving the goals.
Informal security analysis
In this subsection, we analyze the security of the proposed scheme against various known attacks, including the aforementioned attacks found in Li et al.’s scheme. The following attacks are based on the assumption that a malicious adversary \(\mathcal {A}\) has total control over the communication channel connecting U and S in the login and authentication phases. So \(\mathcal {A}\) can intercept, insert, delete, or modify any message transmitted via the public channel [43].
User anonymity
Our scheme preserves identity anonymity since ID cannot be derived from \(R_{1}\) without the knowledge of K. Additionally, K cannot be derived from \(IM_{1}\) without the server’s private key \(k_{s}\). Also, ID cannot be derived from \(R_{3}\), owing to the one-way property of the hash function. Therefore, the proposed scheme provides user anonymity.
Insider attack
In the registration phase of our scheme, U sends \(\{ID, h_{1}(PW||H(BIO))\}\) to S. A privileged insider \(\mathcal {A}\) of S cannot get the password PW since it is protected by the user’s biometrics and the secure hash function. Therefore, our scheme can withstand the insider attack.
Perfect forward secrecy
In the proposed scheme, the session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) is related to the value K and two random numbers u and v. The value K is hidden by the server’s secret key \(k_{s}\) and is computed from the user’s password PW and biometrics BIO, which nobody except U knows. The two random numbers are chosen by U and S, respectively. If \(\mathcal {A}\) wants to compute u and v from \(T_{u}(K)\) and \(T_{v}(K)\), he will face the CMDLP. Therefore, our scheme provides perfect forward secrecy.
Mutual authentication
In the authentication phase of our scheme, U and S can authenticate each other by checking the correctness of \(Auth_{s}\) and \(Auth_{u}\) separately. If \(\mathcal {A}\) wants to forge these messages, he will face the CMDLP and the CMDHP. The validity of \(Auth_{u}\) and \(Auth_{s}\) is confirmed by S and U, respectively. Therefore, mutual authentication between U and S is achieved.
Stolen smart card attack
Suppose \(\mathcal {A}\) can extract all the information from the smart card by a side channel attack [36]. \(\mathcal {A}\) may attempt to retrieve the password from the stolen information, but the password is protected by the elements ID, BIO and \(k_{u}\) that \(\mathcal {A}\) does not know. Therefore, our scheme is secure against the stolen smart card attack.
Off-line password guessing attack
\(\mathcal {A}\) intercepts the communication between U and S, obtains all messages \((R_{1}, R_{2}, R_{3}, Auth_{s}, IM_{2}, Auth_{u})\) and plans to launch an off-line password guessing attack. As we know, all messages are related to U’s password, and these messages are all “encrypted” by K, which is hidden by the server’s secret key \(k_{s}\) and is computed from the user’s password PW and biometric BIO, which nobody except U knows. Thus, \(\mathcal {A}\) cannot verify whether his guessed password is right or not. This means our scheme can resist the off-line password guessing attack.
Impersonation attack
\(\mathcal {A}\) cannot impersonate the user or the server through the intercepted messages, since \(\mathcal {A}\) has to generate a fresh message if he wants to impersonate the user or the server. Without the user’s personal details ID, PW, BIO and \(k_{u}\), \(\mathcal {A}\) cannot generate the legal login message \(\{R_{1}, R_{2}, R_{3}\}\), where \(R_{1}=K\oplus ID\), \(R_{2}=ID\oplus T_{u}(K)\), \(R_{3}=h_{1}(ID||T_{u}(K))\) and \(K=h_{1}(ID||h_{1}(PW||H(BIO)))\), and u is a random number generated by U. Without the server’s secret key \(k_{s}\), \(\mathcal {A}\) cannot generate the authentication message \(\{Auth_{s}, IM_{2}\}\) either. Therefore, our scheme can resist the impersonation attack.
Session key security
Suppose \(\mathcal {A}\) eavesdrops all the messages \(\{R_{1}, R_{2}, R_{3}, Auth_{s}, IM_{2}, Auth_{u}\}\) transmitted over the public channel, steals the smart card and extracts [36] the information \(\{f, IM_{1}, h_{1}(\cdot), h_{2}(\cdot), H(\cdot)\}\) from it. Then, our scheme provides session key security as follows: U and S compute a unique session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) in each execution of the scheme. To compute \(T_{u}(K)\)/\(T_{v}(K)\) from \(R_{2}\)/\(IM_{2}\), the user’s identity ID is needed. In order to retrieve ID from \(R_{1}\), \(\mathcal {A}\) needs to know PW and H(BIO). Since only U can imprint the biometric BIO at the sensor, no adversary can obtain the user’s identity ID and PW. On the other hand, anyone except U and S has to compute \(T_{uv}(K)\) from \(T_{u}(K)\) and \(T_{v}(K)\) if he wants to get the session key, and then he will have to solve the CMDHP. Therefore, the proposed authentication scheme provides session key security.
Formal security analysis of the proposed scheme
In this subsection, we provide the formal security analysis of our scheme and show that our scheme is secure.
Theorem 1
Under Definition 3, our scheme is secure against an adversary \(\mathcal {A}\) deriving the password PW of a legal user U and the session key sk between U and S if the hash function \(h_{1}(\cdot)\) closely behaves like a random oracle.
Proof
The formal security proof of our scheme is similar to those in [44, 45]. We use the following oracles to construct \(\mathcal {A}\), who will have the ability to derive the user’s PW and the session key sk between U and S.
Reveal 1: This random oracle will unconditionally output the input x from the given hash value \(y=h_{1}(x)\).
Reveal 2: This random oracle will unconditionally output r from the given values \(y=T_{r}(x)\) and x.
\(\mathcal {A}\) runs the experimental algorithm shown in Table 3, \(EXP_{HASH,\ CMDLP}^{BECMPATMISs,\mathcal {A}}\), for our biometric and extended chaotic maps based password authentication scheme for TMISs, say BECMPATMISs.
The success probability for \(EXP_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}\) is defined as \(Succ_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}= |2Pr[EXP_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}= 1] -1|\), and the advantage function for this experiment then becomes \(Adv_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}(t, q_{R_{1}}, q_{R_{2}}) = max_{\mathcal {A}}{Succ_{HASH, CMDLP}^{BECMPATMISs}}\), where the maximum is taken over all \(\mathcal {A}\) with execution time t and numbers of queries \(q_{R_{1}}, q_{R_{2}}\) made to the Reveal 1 and Reveal 2 oracles, respectively. Consider the experiment shown in Table 3 for \(\mathcal {A}\). If \(\mathcal {A}\) has the ability to invert the hash function and solve the CMDLP given in Definition 1 and Definition 3, then he can directly derive the user’s PW and the session key sk between U and S. In this case, \(\mathcal {A}\) will discover the complete connections between U and S. However, it is computationally infeasible to invert the input from a given hash value and to output r from the given value \(T_{r}(x)\), i.e., \(Adv_{HASH}^{\mathcal {A}}(t_{1})\leq \epsilon _{1} \), \(Adv_{CMDLP}^{\mathcal {A}}(t_{2})\leq \epsilon _{2} \), \(\forall \epsilon _{1}>0, \epsilon _{2}>0\). Hence, we have \(Adv_{HASH,\ CMDLP}^{BECMPATMISs,\mathcal {A}}(t, \ q_{R_{1}},\ q_{R_{2}})\leq \epsilon \), as it depends on \(Adv_{HASH}^{\mathcal {A}}(t_{1}) \) and \(Adv_{CMDLP}^{\mathcal {A}}(t_{2}) \). Therefore, our scheme is provably secure against \(\mathcal {A}\) deriving PW and sk. □
Functionality and performance analysis comparison
In this section, we evaluate the functionality and performance of the proposed scheme and compare it with other related schemes [24, 26–29, 32–34]. The functionality comparison between the proposed scheme and the schemes in [24, 26–29, 32–34] is given in Table 4, which shows that our scheme is more secure and robust than the other related schemes and achieves more functionality features. For the performance comparison, let \(T_{CCM}\), \(T_{E}\) and \(T_{H}\) denote the time for performing a Chebyshev chaotic map operation, a symmetric encryption/decryption operation and a hash function operation, respectively, where \(T_{CCM}\approx 70T_{E}\approx 175T_{H}\) [23]. From Fig. 2, we can see that our scheme takes much less computation to accomplish mutual authentication and key agreement than the previous chaotic maps based authentication schemes for TMISs.
Conclusion
In this paper, we analyzed the security weaknesses of one of the most recent chaotic maps and smart cards based authentication schemes for TMISs, proposed by Li et al. Li et al. claimed that their authentication scheme was secure against various known attacks while providing mutual authentication and key agreement. However, we found that Li et al.’s authentication scheme was not secure against the user impersonation attack and failed to provide local verification and session key security. We further proposed a secure biometric based authentication scheme for TMISs using extended chaotic maps to conquer the security flaws of Li et al.’s scheme. Our proposed scheme is immune to the user impersonation attack while providing the session key security and local verification that Li et al.’s scheme fails to satisfy. Meanwhile, our scheme can withstand the trace, off-line password guessing and stolen smart card attacks. In addition, our scheme achieves mutual authentication and perfect forward secrecy. We presented a security analysis of our scheme through both informal and formal methods. Besides, our scheme has the lowest computational cost among the related schemes. Considering the security and efficiency provided by our scheme, we conclude that our scheme is more appropriate for telemedical applications in comparison with other related schemes.
References
[1] Hsu, C.L., Lee, M.R., Su, C.H., The role of privacy protection in healthcare information systems adoption. J. Med. Syst. 37(5):1–12, 2013.
[2] Lambrinoudakis, C., and Gritzalis, S., Managing medical and insurance information through a smart-card-based information system. J. Med. Syst. 24(4):213–234, 2000.
[3] Chen, H.M., Lo, J.W., Yeh, C.K., An efficient and secure dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 36(6):3907–3915, 2012.
[4] Maitra, T., and Giri, D., An efficient biometric and password-based remote user authentication using smart card for telecare medical information systems in multi-server environment. J. Med. Syst. 38(12):1–19, 2014.
[5] Das, A.K., and Goswami, A., An enhanced biometric authentication scheme for telecare medicine information systems with nonce using chaotic hash function. J. Med. Syst. 38(6):27, 2014.
[6] Kim, K.W., and Lee, J.D., On the security of two remote user authentication schemes for telecare medical information systems. J. Med. Syst. 38(5):1–11, 2014.
[7] Alomair, B., and Poovendran, R., Efficient authentication for mobile and pervasive computing. IEEE Trans. Mobile Comput. 13(3):469–481, 2014.
[8] Sui, Y., Zou, X.K., Du, E.Y., Li, F., Design and analysis of a highly user-friendly, secure, privacy-preserving, and revocable authentication method. IEEE Trans. Comput. 63(4):902–916, 2014.
[9] Lu, Y.R., Li, L.X., Peng, H.P., Yang, X., Yang, Y.X., A lightweight ID based authentication and key agreement protocol for multiserver architecture. Int. J. Distrib. Sens. Netw. vol. 2015, Article ID 635890, 9 p, 2015. doi:10.1155/2015/635890.
[10] Lu, Y.R., Li, L.X., Yang, Y.X., Robust and efficient authentication scheme for session initiation protocol. Math. Probl. Eng. vol. 2015, Article ID 894549, 9 p, 2015. doi:10.1155/2015/894549.
[11] Lu, Y.R., Li, L.X., Peng, H.P., Yang, Y.X., An enhanced biometric-based authentication scheme for telecare medicine information systems using elliptic curve cryptosystem. J. Med. Syst. 39(3):1–8, 2015.
[12] Wu, Z.Y., Lee, Y.C., Lai, F., Lee, H.C., Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1529–1535, 2012.
[13] He, D.B., Chen, J.H., Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1989–1995, 2012.
[14] Wei, J., Hu, X., Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3597–3604, 2012.
[15] Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3833–3838, 2012.
[16] Özkaynak, F., and Yavuz, S., Designing chaotic S-boxes based on time-delay chaotic system. Nonlinear Dyn. 74(3):551–557, 2013.
[17] Hussain, I., Shah, T., Gondal, M., Mahmood, H., An efficient approach for the construction of LFT S-boxes using chaotic logistic map. Nonlinear Dyn. 71:133–140, 2013.
[18] Khan, M., Shah, T., Mahmood, H., Gondal, M., An efficient method for the construction of block cipher with multichaotic systems. Nonlinear Dyn. 71:489–492, 2013.
[19] Gao, B., Shi, Y.F., Yang, C.L., Li, L.X., Wang, L.C., Yang, Y.X., STP-LWE: A variant of learning with error for a flexible encryption. Math. Probl. Eng. vol. 2014, Article ID 341490, 7 p, 2014.
[20] Xiao, D., Liao, X., Wong, K., An efficient entire chaos based scheme for deniable authentication. Chaos Solitons Fractals 23:1327–1331, 2005.
[21] Tseng, H., Jan, R., Yang, W., A chaotic maps-based key agreement protocol that preserves user anonymity. Proc. IEEE Int. Conf. Commun. (ICC 2009), pp. 1–6, 2009.
[22] Niu, Y., and Wang, X., An anonymous key agreement protocol based on chaotic maps. Commun. Nonlinear Sci. Numer. Simul. 16(4):1986–1992, 2011.
[23] Xue, K., and Hong, P., Security improvement on an anonymous key agreement protocol based on chaotic maps. Commun. Nonlinear Sci. Numer. Simul. 17:2969–2977, 2012.
[24] Guo, C., and Chang, C.C., Chaotic maps-based password-authenticated key agreement using smart cards. Commun. Nonlinear Sci. Numer. Simul. 18(6):1433–1440, 2013.
[25] Hao, X., Wang, J., Yang, Q., Yan, X., Li, P., A chaotic map-based authentication scheme for telecare medicine information systems. J. Med. Syst. 37(2):9919, 2013.
[26] Lin, H.Y., Improved chaotic maps-based password-authenticated key agreement using smart cards. Commun. Nonlinear Sci. Numer. Simul., 2014. doi:10.1016/j.cnsns.2014.05.027.
[27] Jiang, Q., Ma, J., Lu, X., Tian, Y., Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems. J. Med. Syst. 38(2):12, 2014.
[28] Lee, T.F., An efficient chaotic map-based authentication and key agreement scheme using smart cards for telecare medicine information systems. J. Med. Syst. 37(6):9985, 2013.
[29] Li, C.T., Cheng, C.L., Chi, Y.W., A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems. J. Med. Syst. 38(9):1–11, 2014.
[30] Gao, B., Li, L.X., Peng, H.P., Kurths, J., Zhang, W.G., Yang, Y.X., Principle for performing attractor transits with single control in Boolean networks. Phys. Rev. E 88:062706, 2013.
[31] Stallings, W., Cryptography and Network Security: Principles and Practices, 3rd edn. Prentice Hall, Englewood Cliffs, 2003.
[32] Li, C.T., Lee, C.C., Weng, C.Y., An extended chaotic maps based user authentication and privacy preserving scheme against DoS attacks in pervasive and ubiquitous computing environments. Nonlinear Dyn. 74:1133–1143, 2013.
[33] Lee, C.C., Lou, D.C., Li, C.T., An extended chaotic maps-based protocol with key agreement for multiserver environments. Nonlinear Dyn. 76(1):853–866, 2014.
[34] Lee, C.C., and Hsu, C.W., A secure biometric-based remote user authentication with key agreement scheme using extended chaotic maps. Nonlinear Dyn. 71:201–211, 2013.
[35] Zhao, D.W., Peng, H.P., Li, L.X., Yang, Y.X., A secret sharing scheme with a short share realizing the (t, n) threshold and the adversary structure. Comput. Math. Appl. 64(4):611–615, 2012.
[36] Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
[37] Hölbl, M., Welzer, T., Brumen, B., An improved two-party identity-based authenticated key agreement protocol using pairings. J. Comput. Syst. Sci. 78:142–150, 2012.
[38] Bergamo, P., D’Arco, P., De Santis, A., Kocarev, L., Security of public key cryptosystems based on Chebyshev polynomials. IEEE Trans. Circuits Syst. I 52:1382–1393, 2005.
[39] Lumini, A., and Nanni, L., An improved BioHashing for human authentication. Pattern Recognit. 40(3):1057–1065, 2007.
[40] Das, A.K., and Goswami, A., An enhanced biometric authentication scheme for telecare medicine information systems with nonce using chaotic hash function. J. Med. Syst. 38(6):27, 2014.
[41] Burrows, M., Abadi, M., Needham, R., A logic of authentication. ACM Trans. Comput. Syst. 8(1):18–36, 1990.
[42] Zhao, D.W., Peng, H.P., Li, L.X., Yang, Y.X., A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wireless Pers. Commun. 78:247–269, 2014. doi:10.1007/s11277-014-1750-y.
[43] Lamport, L., Password authentication with insecure communication. Commun. ACM 24(11):770–772, 1981.
[44] Odelu, V., Das, A.K., Goswami, A., A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Inf. Sci. 269:270–285, 2014.
[45] Das, A.K., and Bruhadeshwar, B., An improved and effective secure password-based authentication and key agreement scheme using smart cards for the telecare medicine information system. J. Med. Syst. 37:9969, 2013.
Acknowledgments
The authors would like to thank all the anonymous reviewers for their helpful advice. This paper is supported by the National Natural Science Foundation of China (Grant No. 61121061), the Beijing Natural Science Foundation (Grant No. 4142016), and the Asia Foresight Program under NSFC Grant (Grant No. 61411146001).
Additional information
This article is part of the Topical Collection on Mobile Systems
Cite this article
Lu, Y., Li, L., Peng, H. et al. Robust and Efficient Biometrics Based Password Authentication Scheme for Telecare Medicine Information Systems Using Extended Chaotic Maps. J Med Syst 39, 65 (2015). https://doi.org/10.1007/s10916-015-0229-z