Introduction

With the fast development of information and communication technologies, the demand for low-cost handheld telecommunication systems and customized patient physiological monitoring devices is continuously rising. Meanwhile, the demand for health promotion and medical services keeps increasing because of continued population ageing [1]. As a consequence, telecare service applications are gaining popularity. Telecare is regarded as a time- and expense-saving substitute for traditional medical service. Telecare Medicine Information Systems (TMISs) build a bridge between patients at home and doctors at a clinical center or home healthcare (HHC) agency [2]. In such a system, patients can stay at home and still receive convenient and prompt treatment from the medical center over the Internet or mobile networks [2, 3]. However, one of the most pressing problems of TMISs is that the open communication channel between patients and doctors gives an adversary an opportunity to learn patients' private data. Security of this private data is crucial because nobody is willing to have his own sensitive information brought to light. Therefore, how to safeguard information privacy in TMISs during transmission over an insecure network is a significant concern.

Authentication mechanisms are an essential need for TMISs when a remote patient tries to access the resources of the telecare server. Several authenticated key agreement schemes [4–11] have been proposed for TMISs. In 2010, Wu et al. [12] proposed a low-computation password-based authentication scheme. However, He et al. [13] pointed out that Wu et al.'s scheme was vulnerable to the insider and impersonation attacks, and proposed an improved scheme to overcome these weaknesses. Unfortunately, Wei et al. [14] demonstrated that both Wu et al.'s scheme and He et al.'s scheme suffered from the off-line password guessing attack, and developed a further improved scheme to solve these limitations. Later, Zhu [15] showed that Wei et al.'s scheme was still insecure against the off-line password guessing attack and also designed an improved authentication scheme. Nevertheless, the high computation overhead caused by modular exponentiation makes these schemes less suitable for practical applications.

With the rapid development of chaos theory related to cryptography [16–18], more and more authentication schemes based on chaos theory have been studied, since chaotic cryptography performs better than traditional cryptography [19]. In 2007, Xiao et al. [20] developed the first chaotic maps based authenticated key agreement protocol using random numbers. After that, Tseng et al. [21] proposed a user anonymity-preserving chaotic maps-based authentication and key agreement scheme. Unfortunately, Niu et al. [22] found that Tseng et al.'s scheme failed to provide user anonymity and presented an improved scheme to overcome the weakness. However, Xue et al. [23] pointed out that Niu et al.'s scheme was vulnerable to the man-in-the-middle attack. Recently, Guo et al. [24] proposed a chaotic maps-based password authenticated key agreement using smart cards. Unfortunately, both Hao et al. [25] and Lin [26] pointed out that Guo et al.'s scheme could not guarantee user anonymity, and each presented a modified version of Guo et al.'s scheme to remedy the identified deficiencies. Nevertheless, Jiang et al. [27] and Lee [28] respectively showed that Hao et al.'s scheme did not achieve fairness in session key establishment and suffered from the stolen smart card attack; they then developed improved schemes to conquer the flaws of Hao et al.'s scheme. Unfortunately, Li et al. [29] demonstrated that both Lee's and Jiang et al.'s schemes could not withstand the service misuse attack for non-registered users and failed to provide user identity during the authentication phase. To address the limitations of Lee's and Jiang et al.'s schemes, Li et al. presented a slight modification of Lee's scheme to prevent these shortcomings.

In this paper, we find that Li et al.'s scheme still has some weaknesses, such as violation of session key security, vulnerability to the user impersonation attack and lack of local verification. To conquer these flaws, we propose a chaotic maps and smart cards based password authentication scheme by applying a biometrics technique [30] and hash function operations. Through informal and formal security analyses, we demonstrate that our scheme is resilient to possible known attacks, including the attacks found in Li et al.'s scheme. Compared with the previous authentication schemes, the proposed scheme is more secure and efficient and hence more practical for telemedical environments.

The remainder of this paper is organized as follows. Section "Preliminaries" introduces some preliminaries about hash functions and Chebyshev chaotic maps. The review and security analysis of Li et al.'s scheme are given in Section "Review of Li et al.'s scheme" and Section "Security analysis of Li et al.'s scheme", respectively. Sections "Proposed authentication scheme" and "Security analysis" present our proposed scheme and analyze its security. Section "Functionality and performance analysis comparison" compares the performance and security features of the proposed scheme with those of related schemes. Section "Conclusion" is a brief conclusion.

Preliminaries

In this section, we briefly introduce the one-way hash function [31] and Chebyshev chaotic maps [32–34].

Definition 1

A secure one-way hash function \(h:\{0,1\}^{*}\rightarrow \{0,1\}^{n}\) takes as input a binary string \(x\in \{0,1\}^{*}\) of arbitrary length and outputs a binary string \(h(x)\in \{0,1\}^{n}\). The probability that \(\mathcal {A}\) finds a collision is defined as \(Adv_{HASH}^{\mathcal {A}}(t_{1})=Pr[\mathcal {A}((x, x'), x\neq x'): h(x) = h(x')]\).

Definition 2

Let n be an integer and x a real number in the interval [−1,1]. The Chebyshev polynomial of degree n is defined as \(T_{n}(x)=\cos (n\cos ^{-1}(x))\).

Definition 3

Given two elements \(x, y \in Z_{p}^{*}\), the Chaotic Maps Discrete Logarithm Problem (CMDLP) is to find an integer r such that \(y = T_{r}(x)\). The probability that \(\mathcal {A}\) solves the CMDLP is defined as \(Adv_{CMDLP}^{\mathcal {A}}(t_{2}) = Pr[\mathcal {A}(x, y)= r:\ r\in Z_{p}^{*}, y=T_{r}(x) \bmod p]\).

Definition 4

Given three parameters x, \(T_{r}(x)\) and \(T_{s}(x)\), the Chaotic Maps Diffie-Hellman Problem (CMDHP) is to compute \(T_{rs}(x)\), where \(T_{rs}(x)=T_{r}(T_{s}(x))=T_{s}(T_{r}(x))\).

Review of Li et al.’s scheme

In this section, we will review Li et al.’s extended chaotic maps based password authentication scheme for TMISs. Their scheme is composed of three phases, which are registration, authentication and password change. For convenience, some notations used in this paper are described in Table 1.

Table 1 Notations

Registration

  • (1) U generates a random number b, selects a password PW and sends \(\{ID, h_{1}(ID||h(PW||b))\}\) to S.

  • (2) S selects a random number r and computes \(IM_{1} = IM_{3} = h(k_{s})\oplus r\), \(IM_{2}=IM_{4}=h_{1}(k_{s}||r)\oplus ID\), \(D_{1}=h_{1}(ID||k_{s})\oplus h_{1}(ID||h_{1}(PW||b))\). Then, S stores \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}, D_{1}, h_{1}(\cdot ), h_{2}(\cdot )\}\) into U's smart card and issues it to U. Moreover, S keeps a status table with three fields, i.e., U's identity, the latest random number and LB, where LB indicates whether U is currently logged into S or not.

  • (3) U computes \(D_{2} = h_{1}(ID||PW)\oplus b\) and stores \(D_{2}\) into the smart card. Now, the smart card contains \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}, D_{1}, D_{2}, h_{1}(\cdot ), h_{2}(\cdot )\}\).

Authentication

There are two types of authentication process. Case 1 applies when the latest random numbers kept by U and S are identical; Case 2 applies when they differ. We mainly consider Case 1 since our cryptanalysis targets it.

  • (1) U inserts his smart card into a card reader and enters his identity ID and password PW. Then the smart card generates a random number u and computes \(b=h(ID||PW)\oplus D_{2}\), \(K=D_{1}\oplus h_{1}(ID||h(PW||b))=h_{1}(ID||k_{s})\), \(T_{u}(K)\) and \(X_{1}=h_{1}(K||IM_{1}||IM_{2}||T_{u}(K)||T_{1})\), where \(T_{1}\) is the current timestamp. At last, U sends the login request \(M_{1}=\{IM_{1}, IM_{2}, T_{u}(K), X_{1}, T_{1}\}\) to S.

  • (2) After receiving the message from U, S verifies whether \(T_{2}-T_{1}\leq \Delta T\) holds, where \(T_{2}\) is the current timestamp. If so, S computes \(r^{\prime } = IM_{1}\oplus h(k_{s})\) and \(ID^{\prime }=IM_{2} \oplus h_{1}(k_{s}||r^{\prime })\) and checks whether \((ID^{\prime }, r^{\prime })\) equals the maintained \((ID, r)\). If it is found, S computes \(K^{\prime }=h_{1}(ID^{\prime }||k_{s})\) and checks whether \(h(K^{\prime }||IM_{1}||IM_{2}||T_{u}(K)||T_{1})\stackrel {?}{=}X_{1}\). If it holds, S generates two random numbers \(r_{new}\) and v and computes \(IM_{1}^{*} = h_{1}(k_{s})\oplus r_{new}\), \(IM_{2}^{*} = h_{1}(k_{s}||r_{new})\oplus ID^{\prime }\), \(T_{v}(K^{\prime })\), \(sk = h_{2}(T_{u}(K), T_{v}(K^{\prime }), T_{v}(T_{u}(K)))\), \(Y_{1} =IM_{1}^{*}\oplus h_{1}(sk||T_{1})\), \(Y_{2} =IM_{2}^{*}\oplus h_{1}(sk||T_{2})\), \(Y_{3}=h_{1}(sk||IM_{1}^{*} ||IM_{2}^{*} ||T_{v}(K^{\prime })||T_{2})\) and sends \(\{Y_{1},\ Y_{2},\ Y_{3},\ T_{v}(K^{\prime }),\ T_{2}\}\) to U.

  • (3) On receiving the message from S, U verifies whether \(T^{\prime \prime }-T_{2} \leq \Delta T\) holds. If it holds, U computes \(sk^{\prime } = h_{2}(T_{u}(K), T_{v}(K^{\prime }), T_{u}(T_{v}(K^{\prime })))\), \(IM_{1new}^{*}=Y_{1}\oplus h_{1}(sk^{\prime } ||T_{1})\), \(IM_{2new}^{*}=Y_{2}\oplus h_{1}(sk^{\prime }||T_{2})\) and checks whether \(h_{1}(sk^{\prime }||IM_{1new}^{*}||IM_{2new}^{*}||T_{v}(K^{\prime })||T_{2})\stackrel {?}{=}Y_{3}\). If they are equal, U replaces \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}\}\) with \(\{IM_{1new}^{*}, IM_{2new}^{*}, IM_{1}, IM_{2}\}\). Then, U computes \(M_{3} = X_{2} = h_{1}(IM_{1new}^{*}||IM_{2new}^{*}||T_{u}(T_{v}(K^{\prime }))||sk^{\prime }||T_{3})\) and sends \(\{M_{3}, T_{3}\}\) to S.

  • (4) After receiving the response message from U, S verifies whether \(T_{4}-T_{3}\leq \Delta T\) holds. If it holds, S checks whether \(h_{1}(IM_{1new}^{*}||IM_{2new}^{*}||T_{v}(T_{u}(K))||sk||T_{3})\stackrel {?}{=}X_{2}\). If they are identical, S replaces r with \(r_{new}\) in its status table.

Password change

U inserts the smart card into the card reader and keys in the identity ID, the original password PW and a new password \(PW^{new}\). Then, the smart card computes \(b= D_{2}\oplus h_{1}(ID||PW)\), \(D^{\prime }_{1}=D_{1}\oplus h_{1}(ID||h(PW||b))\oplus h_{1}(ID||h(PW^{new}||b))\), \(D^{\prime }_{2} = h_{1}(ID||PW^{new})\oplus b\) and replaces \(D_{1}, D_{2}\) in the smart card's memory by \(D^{\prime }_{1},\ D^{\prime }_{2}\).

Security analysis of Li et al.’s scheme

Li et al. claimed that their scheme resists the session key attack. However, we demonstrate that their scheme is not actually secure against it. Furthermore, we find that their scheme is also unable to protect against the user impersonation attack and does not provide local verification. Now, let us see the details of these problems.

Violation of the session key security

Let \(\mathcal {A}\) be an active adversary [35] who steals the smart card of U. Then, \(\mathcal {A}\) can extract [36] the secret information \(\{IM_{1}, IM_{2}, IM_{3}, IM_{4}, D_{1}, D_{2}, h_{1}(\cdot ), h_{2}(\cdot )\}\) and hence can easily obtain the session key between U and S. The session key attack proceeds as follows:

  • (1) \(\mathcal {A}\) steals the information \(\{ID, r\}\) stored in the server and compromises the server's long-term key [37] \(k_{s}^{\prime }\) to compute \(K=h_{1}(ID||k_{s})\). \(\mathcal {A}\) then intercepts the login message \(\{IM_{1}, IM_{2}, T_{u}(K), X_{1}, T_{1}\}\).

  • (2) Using the approach of [38], \(\mathcal {A}\) computes \(u'=\frac {\arccos (T_{u}(K))+2k\pi }{\arccos (K)}\), \(v^{\prime }=\frac {\arccos (T_{v}(K))+2k\pi }{\arccos (K)}\), \(\forall k\in Z\), which satisfy \(T_{u}(K)=T_{u^{\prime }}(K)\) and \(T_{v}(K)=T_{v^{\prime }}(K)\). Then, \(\mathcal {A}\) can compute \(T_{u^{\prime }}(T_{v^{\prime }}(K))=T_{u^{\prime }}(T_{v}(K))=T_{v}(T_{u^{\prime }}(K))=T_{v}(T_{u}(K))=T_{vu}(K)\). Therefore, \(\mathcal {A}\) obtains the session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{vu}(K))\).

User impersonation attack

As described in the previous subsection, \(\mathcal {A}\) can also impersonate a legal user to cheat S once he knows the value of K. The details are as follows:

  • (1) \(\mathcal {A}\) generates a random number \(u^{\prime }\) and computes \(X_{1}= h_{1}(K||IM_{1}||IM_{2}||T_{u^{\prime }}(K)||T^{\prime }_{1})\), where \(T^{\prime }_{1}\) is the current timestamp. Then, \(\mathcal {A}\) sends \(\{IM_{1}, \ IM_{2}, T_{u^{\prime }}(K),\ X_{1},\ T^{\prime }_{1}\}\) to S.

  • (2) When receiving the message from \(\mathcal {A}\), who pretends to be U, S's verification passes and S performs the rest of the scheme normally. Finally, S sends the authentication message \(\{Y_{1}, Y_{2}, Y_{3}, T_{v}(K), T_{2}\}\) to \(\mathcal {A}\), where v and \(T_{2}\) are the random number and the current timestamp on the server side, respectively.

  • (3) Upon receiving the authentication message, \(\mathcal {A}\) checks whether \(T_{3}-T_{2}\leq \Delta T\), where \(T_{3}\) is the current timestamp. If it holds, \(\mathcal {A}\) computes \(sk=h_{2}(T_{u^{\prime }}(K),\ T_{v}(K), T_{{u^{\prime }}v}(K))\), derives the values of \(IM_{1new}^{*}\), \(IM_{2new}^{*}\) by using sk, computes \(X_{2}=h_{1}(IM_{1new}^{*}||IM_{2new}^{*}|| T_{u^{\prime }}(T_{v}(K))||sk||T_{4})\) and sends the message \(\{X_{2}, T_{4}\}\) to S, where \(T_{4}\) is the current timestamp.

  • (4) When receiving the message from \(\mathcal {A}\), S proceeds with the scheme without detecting anything. Finally, \(\mathcal {A}\) and S "successfully" agree on a session key sk, and S mistakenly believes that it is communicating with the legitimate U.

Lack of local verification

In the login and authentication phases of Li et al.'s scheme, U inputs his credentials and the login message is sent directly to S. Note that U's smart terminal does not verify whether the entered information is correct. Therefore, even if U mistakenly keys in wrong information or \(\mathcal {A}\) sends a forged message, S will accept it and continue as in the original scheme. This results in an unnecessary waste of communication and computational costs.

Proposed authentication scheme

In this section, we propose a biometrics based password authentication scheme for TMISs using extended chaotic maps. In the proposed scheme, we employ biometrics to conceal the password. We adopt Biohashing to protect the biometrics of patients, which resolves the high false rejection rate and hence decreases the probability of denial of service [39]. Biohashing is also very efficient and lightweight compared with modular exponentiation and elliptic curve point multiplication [40]. Our scheme consists of three phases: registration, login and authentication, and password change.

Registration

  • (1) U inputs his biometric characteristic BIO, selects an identity ID and a password PW. Then U computes \(PWD=h_{1}(PW||H(BIO))\) and submits \(\{ID, PWD\}\) to S through a secure channel.

  • (2) S computes \(K=h_{1}(ID||PWD)\), \(IM_{1}=K\oplus h_{1}(k_{s})\), where \(k_{s}\) is S's secret key. S then issues a smart card containing \(\{IM_{1}\}\) to U.

  • (3) U selects a secret key \(k_{u}\), computes \(f=h_{1}(ID||k_{u})\oplus PWD\) and stores f into the smart card. Thus, the smart card of U contains the information \(\{IM_{1}, f, h_{1}(\cdot ), h_{2}(\cdot ), H(\cdot )\}\).

Login and Authentication

  • (1) U first inserts the smart card into a card reader and enters his identity ID, password PW and secret key \(k_{u}\), and also imprints the biometric BIO at the sensor. U then checks whether \(h_{1}(ID||k_{u})\oplus h_{1}(PW||H(BIO))\stackrel {?}{=}f\). If it holds, U computes \(K=h_{1}(ID||h_{1}(PW||H(BIO)))\), generates a random number u and computes \(R_{1}=K\oplus ID\), \(R_{2}=ID\oplus T_{u}(K)\), \(R_{3}=h_{1}(ID||T_{u}(K))\). Finally, U sends the message \(\{R_{1}, R_{2}, R_{3}\}\) to S.

  • (2) Upon receiving the message from U, S uses its key \(k_{s}\) to derive K by computing \(K^{\prime }=IM_{1}\oplus h(k_{s})\), then computes \(ID=R_{1}\oplus K\), \(T_{u}(K)=ID\oplus R_{2}\) and checks \(h(ID||T_{u}(K))\stackrel {?}{=}R_{3}\). If it is correct, S generates a random number v and computes \(IM_{2}=T_{v}(K)\oplus ID\), \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) and \(Auth_{s}=h_{1}(K||T_{v}(K)||sk)\). Finally, S sends the message \(\{Auth_{s}, IM_{2}\}\) to U.

  • (3) After receiving the message from S, U derives \(T_{v}(K)\) by computing \(IM_{2}\oplus ID\) and computes \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) to verify whether \(Auth_{s}^{\prime }=h_{1}(K||T_{v}(K)||sk)\) equals the received \(Auth_{s}\). If it holds, U has successfully authenticated S; U then computes \(Auth_{u}=h_{1}(sk||T_{v}(K)||K)\) and sends the message \(\{Auth_{u}\}\) to S.

  • (4) Once receiving the message from U, S validates whether \(h_{1}(sk||T_{v}(K)||K)\stackrel {?}{=}Auth_{u}\). If it is true, S has successfully authenticated U; otherwise, S aborts this request. Finally, U and S share the common session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\).
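The following Python program is an added example and is not code from the paper or from any implementation by its authors. It serves two passages: the extended Chebyshev map of Definitions 2–4, computed over \(Z_p\) by binary doubling and checked for the semigroup property \(T_r(T_s(x))=T_s(T_r(x))=T_{rs}(x)\) on which the CMDHP rests, and the login and authentication phase just described, run end to end between U and S. Every concrete choice is an assumption: SHA-256 stands in for \(h_1(\cdot)\) and \(h_2(\cdot)\), a plain hash stands in for the Biohashing function \(H(\cdot)\) (real Biohashing tolerates noisy samples, this stand-in does not), the modulus p is an arbitrary 127-bit prime, and, because step (2) has S recover K from \(IM_1\) although \(IM_1\) is not listed in the login message \(\{R_1, R_2, R_3\}\), the example sends \(IM_1\) along with the request.

```python
import hashlib
import secrets

# Assumed public parameters; the paper fixes no concrete modulus or hash functions.
P = 2**127 - 1        # prime modulus for the extended Chebyshev map T_n(x) mod p
BITS = 256            # width of the random degrees u, v and of the hash outputs

def chebyshev(n, x, p=P):
    """T_n(x) mod p by binary doubling over the pair (T_k, T_{k+1}), using
    T_{2k} = 2T_k^2 - 1 and T_{2k+1} = 2T_kT_{k+1} - x.  O(log n) steps, so
    256-bit degrees are cheap where the plain recurrence would never finish."""
    x %= p
    a, b = 1, x                           # (T_0, T_1)
    for bit in bin(n)[2:]:
        if bit == "0":                    # k -> 2k
            a, b = (2 * a * a - 1) % p, (2 * a * b - x) % p
        else:                             # k -> 2k + 1
            a, b = (2 * a * b - x) % p, (2 * b * b - 1) % p
    return a

def commutes(r, s, x, p=P):
    """Semigroup property behind Definition 4: T_r(T_s(x)) = T_s(T_r(x)) = T_rs(x)."""
    lhs = chebyshev(r, chebyshev(s, x, p), p)
    rhs = chebyshev(s, chebyshev(r, x, p), p)
    return lhs == rhs == chebyshev(r * s, x, p)

def h1(*parts):
    """Stand-in for h_1(.): SHA-256 over the concatenated operands, as an int."""
    data = b"".join(q.to_bytes(32, "big") if isinstance(q, int) else q for q in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h2(*parts):
    """Stand-in for h_2(.): h_1 with a fixed domain-separation prefix."""
    return h1(b"h2", *parts)

def biohash(bio):
    """Stand-in for H(BIO); a real Biohashing transform is not implemented here."""
    return h1(b"biohash", bio)

def register(ID, PW, BIO, k_s):
    """Registration phase.  Returns the card contents and U's secret key k_u."""
    PWD = h1(PW, biohash(BIO))            # (1) U: PWD = h_1(PW || H(BIO))
    K = h1(ID, PWD)                       # (2) S: K = h_1(ID || PWD)
    IM1 = K ^ h1(k_s)                     #        IM_1 = K xor h_1(k_s)
    k_u = secrets.randbits(BITS)          # (3) U: f = h_1(ID || k_u) xor PWD
    return {"IM1": IM1, "f": h1(ID, k_u) ^ PWD}, k_u

def user_login(card, ID, PW, BIO, k_u):
    """Step (1).  The local check runs first: a wrong PW, BIO or k_u never reaches S."""
    PWD = h1(PW, biohash(BIO))
    if h1(ID, k_u) ^ PWD != card["f"]:
        return None                       # local verification failed
    K, u = h1(ID, PWD), secrets.randbits(BITS)
    TuK = chebyshev(u, K)
    # Assumption: IM_1 travels with the request so that S can recover K from it.
    msg = {"IM1": card["IM1"], "R1": K ^ ID, "R2": ID ^ TuK, "R3": h1(ID, TuK)}
    return msg, {"K": K, "ID": ID, "u": u, "TuK": TuK}

def server_respond(msg, k_s):
    """Step (2).  S recovers K and ID, checks R_3 and answers with {Auth_s, IM_2}."""
    K = msg["IM1"] ^ h1(k_s)
    ID = msg["R1"] ^ K
    TuK = ID ^ msg["R2"]
    if h1(ID, TuK) != msg["R3"]:
        return None                       # forged or corrupted login request
    v = secrets.randbits(BITS)
    TvK = chebyshev(v, K)
    sk = h2(TuK, TvK, chebyshev(v, TuK))  # T_v(T_u(K)) = T_uv(K)
    return {"IM2": TvK ^ ID, "Auth_s": h1(K, TvK, sk)}, {"K": K, "TvK": TvK, "sk": sk}

def user_finish(reply, st):
    """Step (3).  U checks Auth_s, derives sk and returns (Auth_u, sk)."""
    TvK = reply["IM2"] ^ st["ID"]
    sk = h2(st["TuK"], TvK, chebyshev(st["u"], TvK))   # T_u(T_v(K)) = T_uv(K)
    if h1(st["K"], TvK, sk) != reply["Auth_s"]:
        return None                       # server authentication failed
    return h1(sk, TvK, st["K"]), sk

def server_finish(auth_u, st):
    """Step (4).  S validates Auth_u; on success both sides hold the same sk."""
    return st["sk"] if h1(st["sk"], st["TvK"], st["K"]) == auth_u else None

def run_protocol(card, ID, PW, BIO, k_u, k_s):
    """One complete run; returns (sk at U, sk at S) or None if any check fails."""
    login = user_login(card, ID, PW, BIO, k_u)
    resp = server_respond(login[0], k_s) if login else None
    fin = user_finish(resp[0], login[1]) if resp else None
    sk_s = server_finish(fin[0], resp[1]) if fin else None
    return (fin[1], sk_s) if sk_s is not None else None

if __name__ == "__main__":
    ID = int.from_bytes(b"patient-0042", "big")                # constructed identity
    PW, BIO = b"correct horse", b"fingerprint-template-bytes"  # constructed samples
    k_s = secrets.randbits(BITS)
    card, k_u = register(ID, PW, BIO, k_s)
    keys = run_protocol(card, ID, PW, BIO, k_u, k_s)
    print("mutual authentication and key agreement:", keys is not None and keys[0] == keys[1])
    print("wrong password rejected locally:", user_login(card, ID, b"wrong", BIO, k_u) is None)
```

Running the file performs a registration, one complete authentication run in which both sides arrive at the same sk, and a login attempt with a wrong password that the card rejects before any message is sent, which is the local verification that the analysis of Li et al.'s scheme found missing. Integers are used throughout so that the XOR operations of the scheme are well defined regardless of operand width; a deployment would fix encodings for ID, the hash outputs and the elements of \(Z_p\).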

Password change

If U wants to change the password, U inserts his smart card into the card reader and keys in ID, PW, \(k_{u}\) and BIO. Then, the smart card checks \(h_{1}(ID||k_{u})\oplus h_{1}(PW||H(BIO))\stackrel {?}{=}f\). If it holds, U submits a new password \(PW^{new}\) and a new secret key \(k_{u}^{new}\); the smart card then computes \(f^{new}\) and replaces f with \(f^{new}\) (Fig. 1).

Fig. 1 Our proposed scheme

Security analysis

In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [41] to prove that a session key between U and S is correctly generated within the authentication process. Then, we analyze the security of the proposed scheme both informally and formally.

Verifying authentication scheme with BAN logic

BAN logic [41] is a set of rules for defining and analyzing information exchange schemes. It helps its users determine whether exchanged information is trustworthy, secured against eavesdropping, or both. It has been highly successful in analyzing the security of authentication schemes [42]. In this subsection, we prove that a session key between the communicating parties is correctly generated within the authentication process using BAN logic. First, we introduce the notations and logical postulates of BAN logic that we use in our analysis (Table 2).

Table 2 BAN logic notations

  • (1) BAN logical postulates

    a. Message-meaning rule: \(\frac {A|\equiv A\stackrel {K}\leftrightarrow B,\ A\triangleleft \{X\}_{K}}{A|\equiv B|\sim X}\): if A believes that the key K is shared by A and B, and sees X encrypted with K, then A believes that B once said X.

    b. Nonce-verification rule: \(\frac {A|\equiv \#X, \ A |\equiv B|\sim X}{A|\equiv B|\equiv X}\): if A believes that X could have been uttered only recently and that B once said X, then A believes that B believes X.

    c. Belief rule: \(\frac {A|\equiv X,\ A|\equiv Y}{A|\equiv (X,\ Y)}\): if A believes X and Y, then A believes (X, Y).

    d. Fresh concatenation rule: \(\frac {A|\equiv \#X}{A|\equiv \#(X,\ Y)}\): if A believes the freshness of X, then A believes the freshness of (X, Y).

    e. Jurisdiction rule: \(\frac {A|\equiv B\Rightarrow X,\ A |\equiv B|\equiv X}{A|\equiv X}\): if A believes that B has jurisdiction over X and A trusts B on the truth of X, then A believes X.

  • (2) Idealized scheme

    \(U: \ <ID>_{U\stackrel {K}\longleftrightarrow S}, \ <ID>_{\{{U\stackrel {K}\longleftrightarrow S}\}_{u}},\ (ID)_{\{{U\stackrel {K}\longleftrightarrow S}\}_{u}},\ (U\stackrel {sk}\longleftrightarrow S,\ \{{U\stackrel {K}\longleftrightarrow S}\}_{v})_{U\stackrel {K}\longleftrightarrow S}\)

    \(S: \ (U\stackrel {sk}\longleftrightarrow S,\ \{{U\stackrel {K}\longleftrightarrow S}\}_{u})_{U\stackrel {K}\longleftrightarrow S},\ <ID>_{\{{U\stackrel {K}\longleftrightarrow S}\}_{v}} \)

  • (3) Establishment of security goals

    \(g_{1}.\ U|\equiv S|\equiv U\stackrel {sk}\longleftrightarrow S\)

    \(g_{2}.\ U|\equiv U\stackrel {sk}\longleftrightarrow S\)

    \(g_{3}.\ S|\equiv U|\equiv U\stackrel {sk}\longleftrightarrow S\)

    \(g_{4}.\ S|\equiv U\stackrel {sk}\longleftrightarrow S\)

  • (4) Initial premises

    \(p_{1}.\ U|\equiv \#u\)

    \(p_{2}.\ S|\equiv \#v\)

    \(p_{3}.\ U|\equiv U\stackrel {K}\longleftrightarrow S\)

    \(p_{4}.\ S|\equiv U\stackrel {K}\longleftrightarrow S\)

    \(p_{5}.\ U|\equiv S\Rightarrow (U\stackrel {sk}\longleftrightarrow S)\)

    \(p_{6}.\ S|\equiv U\Rightarrow (U\stackrel {sk}\longleftrightarrow S)\)

  • (5) Scheme analysis

    \(a_{1}\). Since \(p_{3}\) holds and \(U\triangleleft (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{u})_{U\stackrel {K}\longleftrightarrow S}\), we apply the message-meaning rule to obtain \(U|\equiv S|\sim (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{u})\).

    \(a_{2}\). From \(p_{1}\) and \(a_{1}\), we apply the fresh concatenation rule and the nonce-verification rule to obtain \(U|\equiv S|\equiv (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{u})\).

    \(g_{1}\). From \(a_{2}\) and \(p_{3}\), we apply the belief rule to obtain \(U|\equiv S|\equiv U\stackrel {sk}\longleftrightarrow S\).

    \(g_{2}\). From \(p_{5}\) and \(g_{1}\), we apply the jurisdiction rule to obtain \(U|\equiv U\stackrel {sk}\longleftrightarrow S\).

    \(a_{3}\). Since \(p_{4}\) holds and \(S\triangleleft (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{v})_{U\stackrel {K}\longleftrightarrow S}\), we apply the message-meaning rule to obtain \(S|\equiv U|\sim (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{v})\).

    \(a_{4}\). From \(p_{2}\) and \(a_{3}\), we apply the fresh concatenation rule and the nonce-verification rule to obtain \(S|\equiv U|\equiv (U\stackrel {sk}\longleftrightarrow S,\ \{U\stackrel {K}\longleftrightarrow S\}_{v})\).

    \(g_{3}\). From \(a_{4}\) and \(p_{4}\), we apply the belief rule to obtain \(S|\equiv U|\equiv U\stackrel {sk}\longleftrightarrow S\).

    \(g_{4}\). From \(g_{3}\) and \(p_{6}\), we apply the jurisdiction rule to obtain \(S|\equiv U\stackrel {sk}\longleftrightarrow S\).

As a result, by analyzing the security of our scheme with BAN logic, we have shown that the proposed scheme achieves the stated goals.

Informal security analysis

In this subsection, we analyze the ability of the proposed scheme to withstand various known attacks, including the aforementioned attacks found in Li et al.'s scheme. The following analysis assumes that a malicious adversary \(\mathcal {A}\) has total control over the communication channel connecting U and S in the login and authentication phases, so \(\mathcal {A}\) can intercept, insert, delete, or modify any message transmitted via the public channel [43].

User is anonymous

Our scheme preserves identity anonymity since ID cannot be derived from \(R_{1}\) without the knowledge of K. Additionally, K cannot be derived from \(IM_{1}\) without the server's private key \(k_{s}\). Also, ID cannot be derived from \(R_{3}\), owing to the one-way property of the hash function. Therefore, the proposed scheme provides user anonymity.

Insider attack

In the registration phase of our scheme, U sends \(\{ID, h_{1}(PW||H(BIO))\}\) to S. A privileged insider \(\mathcal {A}\) of S cannot get the password PW since it is protected by the user's biometrics and the secure hash function. Therefore, our scheme can withstand the insider attack.

Perfect forward secrecy

In the proposed scheme, the session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) depends on the value K and the two random numbers u and v. The value K is hidden by the server's secret key \(k_{s}\) and is computed from the user's password PW and biometrics BIO, which nobody except U knows. The two random numbers are chosen by U and S, respectively. If \(\mathcal {A}\) wants to compute u and v from \(T_{u}(K)\) and \(T_{v}(K)\), he faces the CMDLP. Therefore, our scheme provides perfect forward secrecy.

Mutual authentication

In the authentication phase of our scheme, U and S authenticate each other by checking the correctness of \(Auth_{s}\) and \(Auth_{u}\), respectively. If \(\mathcal {A}\) wants to forge either message, he faces the CMDLP and the CMDHP. Since the validity of \(Auth_{s}\) and \(Auth_{u}\) is confirmed by U and S, respectively, mutual authentication between U and S is achieved.

Stolen smart card attack

Suppose \(\mathcal {A}\) can extract all the information from the smart card by a side channel attack [36]. \(\mathcal {A}\) may attempt to retrieve the password from the stolen information, but the password is protected by the elements ID, BIO and \(k_{u}\), which \(\mathcal {A}\) does not know. Therefore, our scheme is secure against the stolen smart card attack.

Off-line password guessing attack

\(\mathcal {A}\) intercepts the communication between U and S, obtains all messages \(\{R_{1}, R_{2}, R_{3}, Auth_{s}, IM_{2}, Auth_{u}\}\) and plans to launch an off-line password guessing attack. All these messages are related to U's password, but they are all "encrypted" by K, which is hidden by the server's secret key \(k_{s}\) and is computed from the user's password PW and biometric BIO, which nobody except U knows. Thus, \(\mathcal {A}\) cannot verify whether a guessed password is right or not. This means our scheme can resist the off-line password guessing attack.

Impersonation attack

\(\mathcal {A}\) cannot impersonate the user or the server using the intercepted messages, since \(\mathcal {A}\) has to generate a fresh message to impersonate either party. Without the user's personal details ID, PW, BIO and \(k_{u}\), \(\mathcal {A}\) cannot generate the legal login message \(\{R_{1}, R_{2}, R_{3}\}\), where \(R_{1}=K\oplus ID\), \(R_{2}=ID\oplus T_{u}(K)\), \(R_{3}=h_{1}(ID||T_{u}(K))\), \(K=h_{1}(ID||h_{1}(PW||H(BIO)))\) and u is a random number generated by U. Without the server's secret key \(k_{s}\), \(\mathcal {A}\) cannot generate the authentication message \(\{Auth_{s}, IM_{2}\}\) either. Therefore, our scheme can resist the impersonation attack.

Session key security

Suppose \(\mathcal {A}\) eavesdrops on all the messages \(\{R_{1}, R_{2}, R_{3}, Auth_{s}, IM_{2}, Auth_{u}\}\) transmitted over the public channel, steals the smart card and extracts [36] the information \(\{f, IM_{1}, h_{1}(\cdot ), h_{2}(\cdot ), H(\cdot )\}\) from it. Our scheme still provides session key security, as follows. U and S compute a unique session key \(sk=h_{2}(T_{u}(K), T_{v}(K), T_{uv}(K))\) in each execution of the scheme. To compute \(T_{u}(K)\) or \(T_{v}(K)\) from \(R_{2}\) or \(IM_{2}\), the user's identity ID is needed. In order to retrieve ID from \(R_{1}\), \(\mathcal {A}\) needs to know PW and H(BIO). Since only U can imprint the biometric BIO at the sensor, no adversary can obtain the user's identity ID and PW. On the other hand, anyone except U and S who wants to get the session key has to compute \(T_{uv}(K)\) from \(T_{u}(K)\) and \(T_{v}(K)\), and thus has to solve the CMDHP. Therefore, the proposed authentication scheme provides session key security.

Formal security analysis of the proposed scheme

In this subsection, we provide the formal security analysis of our scheme and show that our scheme is secure.

Theorem 1

Under Definition 3, our scheme is secure against an adversary \(\mathcal {A}\) deriving the password PW of a legal user U and the session key sk between U and S, provided that the hash function \(h_{1}(\cdot )\) closely behaves like a random oracle.

Proof

The formal security proof of our scheme follows the approach of [44, 45]. The following oracles are used to construct an adversary \(\mathcal {A}\) who would have the ability to derive the user's PW and the session key sk between U and S.

Reveal 1: This random oracle unconditionally outputs the input x for a given hash value \(y=h_{1}(x)\).

Reveal 2: This random oracle unconditionally outputs r for given values \(y=T_{r}(x)\) and x.

\(\mathcal {A}\) runs the experimental algorithm \(EXP_{HASH,\ CMDLP}^{BECMPATMISs,\mathcal {A}}\) shown in Table 3 for our biometric and extended chaotic maps based password authentication scheme for TMISs, abbreviated BECMPATMISs.

Define the success probability of \(EXP_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}\) as \(Succ_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}= |2Pr[EXP_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}= 1] -1|\); the advantage function for this experiment then becomes \(Adv_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}(t, q_{R_{1}}, q_{R_{2}}) = \max _{\mathcal {A}}{Succ_{HASH, CMDLP}^{BECMPATMISs,\mathcal {A}}}\), where the maximum is taken over all \(\mathcal {A}\) with execution time t and numbers of queries \(q_{R_{1}}, q_{R_{2}}\) made to the Reveal 1 and Reveal 2 oracles, respectively. Consider the experiment shown in Table 3 for \(\mathcal {A}\). If \(\mathcal {A}\) had the ability to invert the hash function and solve the CMDLP of Definition 1 and Definition 3, he could directly derive the user's PW and the session key sk between U and S, and would thus uncover the complete connections between U and S. However, it is computationally infeasible to invert a given hash value and to output r from given values \(T_{r}(x)\) and x, i.e., \(Adv_{HASH}^{\mathcal {A}}(t_{1})\leq \epsilon _{1} \), \(Adv_{CMDLP}^{\mathcal {A}}(t_{2})\leq \epsilon _{2} \), \(\forall \epsilon _{1}>0, \epsilon _{2}>0\). Hence, we have \(Adv_{HASH,\ CMDLP}^{BECMPATMISs,\mathcal {A}}(t, \ q_{R_{1}},\ q_{R_{2}})\leq \epsilon \), as it depends on \(Adv_{HASH}^{\mathcal {A}}(t_{1}) \) and \(Adv_{CMDLP}^{\mathcal {A}}(t_{2}) \). Therefore, our scheme is provably secure against \(\mathcal {A}\) deriving PW and sk. □

Table 3 Algorithm \(EXP_{HASH,\ CMDLP}^{BECMPATMISs,\mathcal {A}}\)

Functionality and performance analysis comparison

In this section, we evaluate the functionality and performance of the proposed scheme and compare it with other related schemes [24, 26–29, 32–34]. The functionality comparison between the proposed scheme and the schemes in [24, 26–29, 32–34] is given in Table 4, which shows that our scheme is more secure and robust than the related schemes and achieves more functionality features. For the performance comparison, let \(T_{CCM}\), \(T_{E}\) and \(T_{H}\) be the time for performing a Chebyshev chaotic map operation, a symmetric encryption/decryption operation and a hash function, respectively, where \(T_{CCM}\approx 70T_{E}\approx 175T_{H}\) [23]. From Fig. 2, we can see that our scheme takes much less computation to accomplish mutual authentication and key agreement than the previous chaotic maps based authentication schemes for TMISs.

Fig. 2 Performance comparison

Table 4 Functionality comparison

Conclusion

In this paper, we analyzed the security weaknesses of one of the most recent chaotic maps and smart cards based authentication schemes for TMISs, proposed by Li et al. Li et al. claimed that their authentication scheme was secure against various known attacks while providing mutual authentication and key agreement. However, we found that Li et al.'s authentication scheme is not secure against the user impersonation attack and fails to provide local verification and session key security. We further proposed a secure biometric based authentication scheme for TMISs using extended chaotic maps to conquer the security flaws of Li et al.'s scheme. Our proposed scheme is immune to the user impersonation attack and provides the session key security and local verification that Li et al.'s scheme fails to satisfy. Meanwhile, our scheme withstands the trace, off-line password guessing and stolen smart card attacks, and achieves mutual authentication and perfect forward secrecy. We analyzed the security of our scheme through both informal and formal security analyses. Besides, our scheme has the lowest computational cost among the related schemes. Considering the security and efficiency provided by our scheme, we conclude that it is more appropriate for telemedical applications than the other related schemes.