A Secure Three-Factor User Authentication and Key Agreement Protocol for TMIS With User Anonymity

Abstract

Telecare medical information system (TMIS) makes an efficient and convenient connection between patient(s)/user(s) and doctor(s) over the insecure internet. Therefore, data security, privacy and user authentication are enormously important for accessing important medical data over insecure communication. Recently, many user authentication protocols for TMIS have been proposed in the literature and it has been observed that most of the protocols cannot achieve complete security requirements. In this paper, we have scrutinized two (Mishra et al., Xu et al.) remote user authentication protocols using smart card and explained that both the protocols are suffering against several security weaknesses. We have then presented three-factor user authentication and key agreement protocol usable for TMIS, which fix the security pitfalls of the above mentioned schemes. The informal cryptanalysis makes certain that the proposed protocol provides well security protection on the relevant security attacks. Furthermore, the simulator AVISPA tool confirms that the protocol is secure against active and passive attacks including replay and man-in-the-middle attacks. The security functionalities and performance comparison analysis confirm that our protocol not only provide strong protection on security attacks, but it also achieves better complexities along with efficient login and password change phase as well as session key verification property.

Introduction

In TMIS, medical server generally maintains the electronic medical records of the registered patients and provides various services like health educators, physicians, hospitals, care-givers, public health organizations and home-care service. User-friendly, omnipresence and the low cost of internet technology, facilitates online medical services, in which a registered user/patient can access the remote service at any instant from anywhere. When a registered user wants to get medical services, s/he uses smart card to the smart devices and transmits data to the medical server through public channel. The attacker/adversary may have full control over the public channel. Therefore, s/he can eavesdrop, intercept, record, modify, delete, and replay the message broadcasting via public channel. As, the data is transmitted over the public channel, maintaining user authentication, data privacy, data integrity and confidentiality of the data are very much essential. In order to design authentication protocol, many researchers employ several cryptographic algorithms like non-invertible one-way hash function, Chaotic maps, ECC-RSA cryptosystem and some others operation like X-OR and concatenate etc. Though ECC and RSA both cryptosytem provides same level of security, ECC is more suitable than RSA [15], because ECC [16, 19, 21] uses only point multiplication operation and the key length is 160 bits, whereas RSA uses exponentiation operation, which takes very much longer computation than point multiplication and the key length of the RSA is 1024 bits, which is larger than ECC. On the other hand, hash-function and chaotic maps [17] both plays a crucial role for designing user authentication protocol and provides same level of security, but the computation of hash function is less than the chaotic maps operation.

The main security threats for the password based authenticated key exchange protocols are password guessing attack. As the adversary has maximum capabilities over the communication network, he/she may trap all the communicating messages and guess the user’s password in off-line mode. Therefore, password based authentication system may not be fully secured. To the best of our knowledge, the password based authentication system has some problems such as a long and random password cannot be used, because it is very difficult to remember for a use. If the user stores his/her password somewhere, there is possibility for stealing the password. Moreover, the user may be shared the long and random password with other people, but there is no way to identify who is the legal user. To overcome the above problems, most popular and secure biometric technology (fingerprint, iris, retina etc.) is extensively used to authenticate the legal user because of its uniqueness property and does not need to remember. The several advantages of using the biometric technology are as follows:

1. 1.

   Biometric key cannot be lost or forgotten and very difficult to copy or share.

2. 2.

   Biometric key is extremely hard to forge or distribute.

3. 3.

   Guessing biometric key is dreadfully hard.

Attacker model

As the authentication protocol are executed over the insecure communication, the attacker has several advantages or capabilities over the authentication protocol. The several valid assumptions regarding authentication protocol are presented below.

1. 1.

   An attacker is able to extract the smart card information by monitoring the power consumption [27, 43]. For example if an attacker gets the smart card of the valid user, s/he then may get al.l the stored information of the smart card.

2. 2.

   An attacker may eavesdrop all the communication between the entities involved of the protocol over the public channel. It is also assume that an attacker cannot intercept the message over the secure channel.

3. 3.

   According to reference [48], an attacker can guess low entropy password and identity individually easily but guessing two secret parameters (e.g. password, identity) is computationally infeasible in polynomial time.

4. 4.

   An attacker can modify, delete and resend, reroute the eavesdrops message.

5. 5.

   An attacker may be a legitimate user or vice versa.

6. 6.

   If we assume that the length of the user’s identity and password is n character, then the probability of guessing approximately composed of n character is \(\frac {1}{2^{6n}}\) as pointed out by [10].

Literature review

To ensure security and privacy during information transmission via public channel, the smart card based anonymous remote user authentication schemes are generally adopted. Last few years, many password or biometric template based remote user authentication and key agreement protocols [1, 3–5, 12, 18, 20, 22, 25, 26, 28–34, 38] have been proposed in the literature for different application systems. But, none of them is completely free from security attacks. In 2010, Wu et al. [52] proposed an efficient authentication scheme for TMIS and adding a pre-computing phase for low computational cost. But, Debiao He [13] demonstrated that Wu et al. [52] protocol fails to resist impersonation attack and insider attack and presents an enhance scheme of Wu et al. protocol and claimed that the enhance scheme is completely free from security attacks and takes low computational cost. In 2012, Wei et al. [51] identified that both Wu et al. and Debiao He protocols are inefficient to meet two-factor authentication and also proposed a scheme, which is efficient and achieves two-factor authentication. Thereafter, Zhu [56] described that Wei et al. protocol is vulnerable to off-line password guessing attack and also proposed an improved scheme for TMIS. Then, Lee and Liu [35] demonstrated that Zhu’s scheme cannot resist parallel session attack and presented a improved scheme and declared that their protocol is efficient in terms of security and applicable for TMIS systems.

In 2012, dynamic-ID based authentication and key agreement protocol is presented by Chen et al. [11] But, Lin [39] demonstrated that Chen et al.’s protocol suffers from user anonymity problem and password can be derived from the stolen smart card. Later, Cao and Zhai [9] demonstrated that Chen et al. protocol is vulnerable to off-line identity guessing attack, off-line password guessing attack and un-detectable online password guessing attack when the user’s smart card is lost. They also presented an improved scheme for TMIS. Thereafter, Xie et al. [53] described that Chen et al.’s protocol suffers from security weaknesses and proposed an improved scheme. In 2013, Tan et al.’s [49] proposed a biometric based remote user authentication scheme for telecare medical information system and declared that their protocol achieves mutual authentication property and session key agreement between the user and the server.

In 2013, Awasthi-Srivastava [8] proposed three-factor based user authentication and key agreement protocol for TMIS and declared that the same protocol should be application in real-time application. However, Mishra et al.’s [46] pointed out that the protocol [8] is not secure against undetectable password guessing attack along with inefficient password change phase. Additionally, they proposed three-factor based authentication protocol for enhancing security of the scheme [8]. Recently, Lu et al.’s [41] also showed that Arshad et al’s [7] cannot provide complete security requirements and proposed an improved scheme over scheme [7]. Furthermore, Zhang et al.’s [40] introduced three-factor based user authentication protocol for enhancing security and performance. In the same year, Yan et al.’s [55] reviews the proposed protocol presented by Tan et al.’s and declares that the scheme is vulnerable to denial-of-service attack. To eliminate the drawbacks of Tan et al.’s protocol, Yan et al.’s proposed an improved scheme for better security protection and performance. In 2014, Mishra et al. [45] demonstrated that Yan et al. protocol suffers from user anonymity problem, password guessing attack, inefficient login phase, inefficient password and biometric update phase and three factor authentication problem. They also proposed and improved scheme for better security and performance. Recently, Mrudula et al.’s [47] pointed out that the Mishra et al.’s [45] protocol is insecure against off-line password guessing attack and user impersonation attack. We further described that the Mishra et al.’s protocol cannot withstand server impersonation attack, session key computation attack and smart card theft attack. In 2014, Xu et al.’s [54] proposed a ECC based remote user authentication and key agreement scheme for telecare medical information system and claimed that their protocol achieves higher security along with better performance. After that, Mishra [44] showed that the same protocol has security vulnerability on the login and authentication phase and then Islam-Khan [23] further demonstrated that the same protocol [54] is not secure against replay attack and cannot provide efficient authentication phase. However, we have carefully scrutinized the Xu et al.’s protocol and further explained that the protocol proposed by Xu et al.’s cannot provide efficient password change phase. In order to fix the limitations of Mishra et al. [45] and Xu et al. [54], this proposed ECC based user authentication and key agreement protocol using smart card for TMIS and also analyzed the security as well as performance evaluation of the proposed scheme.

Motivation and contributions

In the literature review section, we observed that most of the protocols suffer from security weaknesses, which ensures that the protocols are not suitable for practical implementation. Therefore, we are motivated to develop biometric based user authentication protocol using smart card usable for telecare medical information system. In this paper, we achieve the following contributions:

1. (1)

   We have shown that the Mishra et al.’s protocol has security weaknesses such as server impersonation attack, smart card theft attack and session key discloser attack. Moreover, we have also demonstrated that the Xu et al.’s protocol has security weaknesses in the password update phase.

2. (2)

   In order to overcome the weaknesses, we have proposed an efficient user authentication protocol using smart card whose performance analysis ensures that the computation and communication costs are relatively better than the existing related protocols. Moreover, the proposed scheme provides efficient login and password update phase along with session key verification property.

3. (3)

   We have simulated our proposed protocol using widely accepted AVISPA simulator tool which ensures that the protocol is SAFE under OFMC and CL-AtSe models.

Road map of the paper

In “Preliminaries” section, we discussed the concept and the property of cryptographic one-way hash function, bio-hashing techniques, elliptic curve cryptosystem and some computational problems as preliminaries of our works. In “Brief review of Mishra et al. scheme” section, we briefly review Mishra et al. recently published protocol and the security analysis of [45] scheme is given in “Security flaws of the Scheme proposed by Mishra et al.” section. “Brief review of Xu et al. scheme” section addresses Xu et al. recently published protocol and the security weaknesses appears in “Security flaws of the scheme proposed by Xu et al.” section. “Proposed key agreement protocol for TMIS system” section presents our proposed protocol for TMIS and the security attack protection discussion is presented in “Cryptanalysis of the proposed scheme” section. The performance comparison is also made and given in “Performance evaluation” section. Finally, we conclude the paper in “Conclusion and future work” section and completes the paper with references.

Preliminaries

In this section, We briefly review the basic concepts of cryptographic one-way hash function, bio-hashing, ECC cryptosystem along with some hardness problems are introduced.

Cryptographic one-way hash function

A cryptographic one-way hash function maps a string of arbitrary length to a string of fixed length called the hashed value. It can be symbolized as: h : X → Y, where X = {0, 1}^∗, and Y = {0, 1}ⁿ. X is binary string of arbitrary length and Y is a binary string of fixed length n. It is used in many cryptographic applications such as digital signature, random sequence generators in key agreement, authentication protocols and so on. Cryptographic one-way hash function satisfies the following properties:

1. 1.

   Easiness: Given m ∈ X, it can be easily compute y such that y = h(m).

2. 2.

   Preimage Resistant: It is hard to find m from given y, where h(m) = y.

3. 3.

   Second-Preimage Resistant: It is hard to find input \(m^{\prime }\in X\) such that \(h(m) = h(m^{\prime })\) for given input m ∈ X and \(m^{\prime }\ne m\).

4. 4.

   Collision Resistant: It is hard to find a pair \((m, m^{\prime }) \in X \times X\) such that \(h(m) = h(m^{\prime })\), where \(m\ne m^{\prime }\).

5. 5.

   Mixing-Transformation: On any input m ∈ X, the hashed value y = h(m) is computationally indistinguishable from a uniform binary string in the interval {0, 2ⁿ}, where n is the output length of hash h(⋅).

It is our assumption that this paper uses SHA-2 hash function for achieving top security whose message digest is 160 bits.

Bio-hashing

The biometric technology has the great importance for providing genuine user authentication in any authentication system. Generally, imprint biometric characteristics (face, fingerprint, palmprint etc.) may not be exactly same at each time. Therefore, high false rejection of registered users resulting low false acceptation, is often occurs in the evaluation of biometric systems. In order to resolve the high false rejection rate, Jina et al. [24] proposed a two-factor authenticator on iterated inner products between tokenised pseudo-random number and the user specific fingerprint features, which produces a set of user specific compact code that coined as Bio-Hashing. Later, Lumini and Nanni [42] proposed the improvement of Bio-Hashing. As pointed out by [10], Bio-Hashing is used to map a user/patients biometric feature onto user specific random vectors in order to generate a code, called biocode and then discritizes the projection coefficients into zero and one. Bio-Hashing is always one-way function and secure as cryptographic one-way hash function.

ECC-cryptosystem

The elliptic curve cryptosystem was initially proposed by Koblitz (1987) and Miller (1985) to design public key cryptosystem and presently it is widely used in several cryptographic schemes to provide desired level of security and computational efficiency. Let E _p (a, b) be a set of elliptic curve points over the prime field F _p defined by the non-singular elliptic curve equation: y ² m o d p = x ³ + a x + b m o d p with (a, b) ∈ F _p and 4a ³ + 27b ² m o d p ≠ 0. The additive ECC group defined as G _p = {(x, y):x, y ∈ F _p and \(x,y \in E_{p}(a,b)\} \bigcup \{O \}\), where the point O is known as “point at infinity”. The scalar multiplication on the cyclic group G _p defined as: k.P = (P + P + P ....... k times) that means k times addition of point P. There are several computational problem based on ECC which are presented below:

Definition 1

The elliptic curve discrete logarithm problem (ECDLP) is defined as: Given Q, R ∈ G _p , find an integer k ∈ [1, n − 1] such that R = k.Q.

Definition 2

The computational Diffie? Hellman problem (CDHP) is defined as: Given (P, a P, b P) for any a, b ∈ [1, n − 1] computation of abP is very hard to the group G _p .

Definition 3

The elliptic curve factorization problem (ECFP) is defined as: Given P, Q ∈ G _p , where Q = s P + t P and (s, t) ∈ [1, n − 1], then computation of s P and t P is impossible.

Definition 4

The decisional Diffie? Hellman problem is defined as: Given (P, a P, b P, c P) for any (a, b, c) ∈ [1, n − 1], decide whether or not c P = a b P i.e. c = a b m o d p or not.

Definition 5

The weak Diffie? Hellman problem (WDHP) is defined as: For Q ∈ G _p and some k ∈ [1, n − 1] from the given triplet (P, Q, k P) computation of k Q is hard.

Brief review of Mishra et al. scheme

In this section, we briefly review Mishra et al. protocol, which is the improvement of Yan et al. protocol. In Table 1, we have presented all the notations used throughout this paper. Like Yan et al. protocol, Mishra et al. protocol has mainly four phases such as registration phase, login phase, authentication phase and password change phase. All the mentioned phases are presented below. In Fig. 1, we have demonstrated all the phases of the Mishra et al. scheme.

Table 1 List of notations used

Fig. 1

Mishra et al.’s scheme [45]

Registration phase

For the new user registration, this phase executes all the steps which are discussed below:

• Step 1: User U _i chooses identity I D _i , Password P W _i , biometric template B _i , a random number N _i and computes W = h(I D _i ∥ P W _i ∥ N _i ) and then submits registration message 〈I D _i , W〉 to the server S through secure channel.

• Step 2: S computes X _i = h(I D _i ∥x), Y _i = X _i ⊕ W, where x is the server’s secret key. Then, S generates a random nonce R and uses symmetric key cryptosystem such as AES-256 to compute N I D = S y m.E n c _(x)(I D _i ∥R) and issues a smart card after storing secret parameters 〈N I D, Y _i , h(⋅)〉 into the memory of smart card. It may be noted that Mishra et al.’s protocol does not store bio-hashing function H() in the memory of smart card. So, the computation of H(B _i ) is not feasible in the login phase. Hence, it is required to store H() into memory of smart card.

• Step 3: After getting the smart card, U _i stores N = N _i ⊕ H(B _i ) and V _i = h(I D _i ∥P W _i ∥N _i ) into the smart card.

Login phase

This phase executes when U _i wishes to access server’s resources. All the steps of this phases are presented below:

• Step 1: U _i provides 〈I D _i , P W _i 〉 to the smart devices and B _i at the sensor device.

• Step 2: Smart card then computes N _i = N ⊕ H(B _i ), \(V_{i}^{*} = h (ID_{i} \parallel PW_{i} \parallel N_{i})\) and matches \(V_{i}^{*}\) with the stored V _i . If it matches, continues next steps; otherwise, terminates the session.

• Step 3: Smart card further computes W = h(I D _i ∥P W _i ∥N _i ), X _i = Y _i ⊕ W and then generates a random nonce r _i and again computes a _i = h(I D _i ∥X _i ∥r _i ). Then, the smart card sends 〈N I D, a _i , r _i 〉 to S through public channel.

Authenticated key agreement phase

In order to accomplish mutual authentication and session key agreement, the U _i and S execute all the steps which are presented below.

• Step 1: Server first retrieves I D _i by decrypting NID parameter and computes X _i = h(I D _i ∥x), \(a_{i}^{*} = h(ID_{i} \parallel X_{i} \parallel r_{i})\). Then, S matches the value of \(a_{i}^{*}\) with a _i , if it matches, continues next steps; otherwise, terminates the session.

• Step 2: In this steps, S generates random numbers \(\langle r_{s}, R^{\prime } \rangle \) and computes s k = h(I D _i ∥X _i ∥r _i ∥r _s ), \(NID^{\prime } = SymEnc_{(x)}(ID_{i} \parallel R^{\prime })\), \(b_{i} = h(ID_{i} \parallel NID \parallel sk \parallel NID^{\prime })\). Server then sends a message \(\langle r_{s}, b_{i}, h(sk \parallel ID_{i}) \oplus NID^{\prime } \rangle \) to the user.

• Step 3: Upon receiving the message, the smart card computes the session key s k = h(I D _i ∥X _i ∥r _i ∥r _s ) and retrieves \(NID^{\prime } = h(sk \parallel ID_{i}) \oplus NID^{\prime } \oplus h(sk \parallel ID_{i})\) and further computes \(b_{i}^{*} = h (ID_{i} \parallel NID \parallel sk \parallel NID^{\prime })\). Then, S matches computed \(b_{i}^{*}\) with the received b _i . If it does not match, terminates the connection; otherwise, continues the next steps.

• Step 4: Smart card computes \(c_{i} = h(ID_{i} \parallel NID^{\prime } \parallel sk)\) and sends the verification message 〈c _i 〉 to the server S through public channel.

• Step 5: Upon receiving the verification message, server computes \(c_{i}^{*} = h(ID_{i} \parallel NID^{\prime } \parallel sk)\) and matches it with the received c _i . If it matches, session key is verified and user is authenticated; otherwise, stops the session.

Password and biometric update phase

As described earlier in the login phase, Steps 1-2 are same. Therefore. we discuss rest of the steps which are described below.

• Step 3: U _i inputs password \(PW_{i}^{\prime }\), biometric template \(B_{i}^{\prime }\) and random number \(N_{i}^{\prime }\).

• Step 4: After inputting, smart card computes the following parameters: W = h(I D _i ∥P W _i ∥N _i ), \(W_{new} = h(ID_{i} \parallel PW_{i}^{\prime } \parallel N_{i}^{\prime })\), Y _{n e w} = Y _i ⊕ W ⊕ W _{n e w} , \(V_{new} = h (ID_{i} \parallel PW_{i}^{\prime } \parallel N_{i}^{\prime })\), \(N_{new} = N_{i}^{\prime } \oplus H(B_{i}^{\prime })\). Then, the smart card replaces 〈Y _i , N, V _i 〉 with the new values 〈Y _{n e w} , N _{n e w} , V _{n e w} 〉 respectively and completes password and biometric update phase.

Security flaws of the Scheme proposed by Mishra et al.

This section presents several security flaws of the scheme proposed by Mishra et al. They have mentioned that if the attacker gets the smart card of the user U _i , s/he can extract all the information stored in the smart card memory by monitoring the power consumption [27, 43]. Based on assumption mentioned in the attacker model, this section discusses several security attacks such as server impersonation attack, smart card theft attack and session key discloser attack. As mentioned in [47], the attacker knows valid I D _i from the Mishra et al.’s protocol description.

Server impersonation attack

In this attack, the attacker can impersonate as a valid server after intercepting the reply message of the Mishra et al. protocol. The detail description of this attack is presented below:

• Step 1: The attacker first intercepts login-reply messages of the protocol and computes \(sk^{a} = h(ID_{g} \parallel {X_{i}^{a}} \parallel r_{i} \parallel r_{s})\) and then retrieves \(NID^{\prime } = h(sk \parallel ID_{i}) \oplus NID^{\prime } \oplus h(sk^{a} \parallel ID_{g})\).

• Step 2: Attacker generates a random nonce R _s and computes \(sk^{**} = h(ID_{g} \parallel {X_{i}^{a}} \parallel r_{i} \parallel R_{s})\), \(b_{i}^{**} = h (ID_{g} \parallel NID \parallel sk^{**} \parallel NID^{\prime })\), \(c_{i}^{**} = h(sk^{**} \parallel ID_{g}) \oplus NID^{\prime })\) and sends \(\langle R_{s}, b_{i}^{**}, c_{i}^{**} \rangle \) to the smart card user U _i .

• Step 3: After receiving message from the attacker, U _i computes s k = h(I D _i ∥X _i ∥r _i ∥R _s ) and then retrieves \(NID^{\prime } = c_{i}^{**} \oplus h(sk \parallel ID_{i})\). Further the U _i computes \(b_{i} = h(ID_{i} \parallel NID \parallel sk \parallel NID^{\prime })\). Finally, the U _i checks whether the computed b _i matches with the received \(b_{i}^{**}\). If it matches, user believes that the server is authentic, but it is not true.

The above description clearly states that the protocol proposed by Mishra et al. is insecure against server impersonation attack.

Smart card theft attack

The scheme [47] described that the attacker knows valid I D _i from the scheme [45]. In this attack, we will describe that the attacker can act as a valid user after getting the legal user’s smart card by some means. This is clear from the following descriptions:

• Step 1: The attacker chooses a password \(P{W_{i}^{a}}\) and utilizes his/her biometric template B _i like fingerprint and then computes \(W = h(ID_{i} \parallel P{W_{i}^{a}} \parallel {N_{i}^{a}})\), where \({N_{i}^{a}}\) is the random number chosen by the attacker.

• Step 2: From the smart card parameters, The attacker computes X _i = Y _i ⊕ V _i = h(I D _i ∥x), \({Y_{i}^{a}} = X_{i} \oplus W\) and then replaces Y _i with the new value \({Y_{i}^{a}}\) into the memory of smart card, where the value of NID is remain unchanged. Attacker further computes \(N = {N_{i}^{a}} \oplus H(B_{i})\) and \({V_{i}^{a}} = h(ID_{i} \parallel P{W_{i}^{a}} \parallel {N_{i}^{a}})\) and stores \(\langle N, {V_{i}^{a}} \rangle \) into the memory of smart card.

• Step 3: It is noticeable that the new computed smart card parameters are valid. Therefore, the smart device and the server cannot detect the attacker that resulting the attacker easily can access medical server at anytime. This is a very serious attack on Mishra et al.’s protocol.

Session key computation attack

The authenticated session key is used for secure communication between the entities involved, and an attacker upon disclosure of the key can decrypt the secret information. So, the secrecy of session key is the mandatory property of any key agreement protocol. However, Mishra et al.’s protocol is insecure against the session key disclosure attack. The description of the above attack is presented below:

• Step 1: The attacker knows valid I D _i of a legal U _i using off-line identity guessing attack.

• Step 2: The attacker knows X _i = h(I D _i ∥x) by computing Y _i ⊕ V.

• Step 3: The attacker also knows 〈r _c , r _s 〉 from the login-reply messages.

• Step 4: As the session key of the Mishra et al.’s protocol relies on the 〈I D _i , X _i , r _i , r _s 〉, the attacker can easily compute S K = (h(I D _i ∥X _i ∥r _i ∥r _s )) and decrypt the cipher messages exchanged between the user and the medical server.

Brief review of Xu et al. scheme

This section briefly introduces Xu et al. protocol, which is based on the elliptic curve cryptosystem. The Xu et al.’s protocol consists mainly four phases namely registration phase, login phase, authentication phase and password change phase. All the phases of Xu et al.’s protocol are presented below and also demonstrates in Fig. 2.

Fig. 2

Xu et al.’s scheme [54]

Registration phase

This phase consists of the following steps:

• Step 1: User U _i chooses his/her identity I D _i , Password P W _i and computes A = h(P W _i ∥r). Then U _i sends 〈I D _i , A〉 to the telecare server S through secure channel.

• Step 2: After getting the registration message, S computes M = h(x ⊕ I D _i ) and B = M ⊕ A. Then, S issues a smart card after storing 〈E _p , P, Y, B, h(), h ₁()〉 into memory of smart card through secure channel for each U _i .

• Step 3: After receiving the smart card, U _i stores r into the smart card and uses it properly in the future.

Login phase

When U _i wants to get services, s/he needs to send login message to the server. All the steps of this phase are presented below:

• Step 1: U _i first inserts his/her smart card to the smart devices and inputs 〈I D _i , P W _i 〉. Smart card then performs the following operation:

  $$\begin{array}{@{}rcl@{}} A &=& h(PW_{i} \parallel r)\\[-1pt] M &=& B \oplus A\\[-1pt] C_{1} &=& a\cdot P\\[-1pt] C_{2} &=& a \cdot Y\\[-1pt] CID &=& ID_{i} \oplus h_{1}(C_{2})\\[-1pt] F &=& h(ID_{i} \parallel M \parallel T_{1}) \end{array} $$

  where a is the random nonce chosen by the U _i and T ₁ is the current timestamp.

• Step 2: Smart card then sends the login message 〈C ₁, C I D, F, T ₁〉 to the server S through public channel.

Authentication phase

This phase performs mutual authentication and session key agreement between the U _i and the S. All the steps of this phase are presented below:

• Step 1: After receiving the login message, S checks the validity of T ₁. If it is not true, terminates the session; otherwise, S computes the following operation:

  $$C_{2}^{\prime} = x \cdot C_{1} $$
  $$\begin{array}{@{}rcl@{}} ID_{i}^{\prime} &=& CID \oplus h_{1}(C_{2}^{\prime})\\ M^{\prime} &=& h(x \oplus ID_{i}^{\prime})\\ F^{\prime} &=& h(ID_{i}^{\prime} \parallel M^{\prime} \parallel T_{1}) \end{array} $$

  Then, S checks the condition \(F^{\prime } = F\). If the condition holds, S believes that U _i is a legal user and continues next steps; otherwise, terminates the session.

• Step 2: In this step, S generates a random nonce c and takes current timestamp T ₂ and then computes the following operations:

  $$\begin{array}{@{}rcl@{}} D_{1} &=& c \cdot P, D_{2} = c \cdot C_{1}\\ sk &=& h(ID_{i}^{\prime} \parallel h_{1}(D_{2}) \parallel M^{\prime})\\ G &=& h(sk \parallel M^{\prime} \parallel T_{2}) \end{array} $$

  Then, S sends reply message 〈D ₁, G, T ₂〉 to the U _i through public channel.

• Step 3: After receiving the reply message, U _i checks whether T ₂ is valid or not. If it is not valid, terminates the connection; otherwise, computes \(D_{2}^{\prime } = a \cdot D_{1}\), \(sk^{\prime } = h(ID_{i} \parallel h_{1}(D_{2}^{\prime }) \parallel M)\), \(G^{\prime } = h(sk^{\prime } \parallel M \parallel T_{2})\) and matches the computed \(G^{\prime }\) with the received G. If it matches, the U _i believes that the S is authentic. After that, both parties S and U _i share a common session key s k = h(I D _i ∥h ₁(D ₂)∥M) for subsequent communications.

Password update phase

This phase works when a U _i wants to change his/her password. It needs to perform the following steps:

• Step 1: U _i firstly enters 〈I D _i , P W _i 〉 and then smart card computes A = h(P W∥r), B ⊕ A = M

• Step 2: U _i then inputs new password P W _{n e w} and smart card computes A _{n e w} = h(P W _{n e w} ∥r), B _{n e w} = A _{n e w} ⊕ M. Then, the smart card replaces B with B _{n e w} and updates the new password successfully.

Security flaws of the scheme proposed by Xu et al.

Xu et al. proposed an efficient protocol in terms of security for the TMIS system. However, we have pointed out that their protocol has security weaknesses in the password change phase and presented below.

Design flaws in the password update phase

In the password update phase of Xu et al. protocol, U _i first provides I D _i and password P W _i to the smart devices. It then computes some parameters and asks to input new password to the U _i . Then, U _i provides new password \(PW_{i}^{new}\) to the smart device and updates some information(s) of the smart card. It may be noted that the smart devices never verify the old password before updating the new password into the smart card. In this regard, there may arise two difficulties such as 1) Password change after smart card lost, 2) lacks of properly password update in the password update phase of the Xu et al. protocol.

Password change after smart card lost

We assume that an attacker/non-registered user has stolen U _i ’s smart card by some means and inserted it into the smart device and entered identity \(I{D_{i}^{a}} \neq ID_{i}\) and password \(P{W_{i}^{a}} \neq PW_{i}\). Since, the smart device never verifies old user password or identity, it straightforwardly computes \(A^{\prime } = h(P{W_{i}^{a}} \parallel r)\), \(M^{\prime } = B \oplus A^{\prime } \neq M\) and then asks for a new password \(PW_{i}^{new}\) to the U _i . After that, the smart devices computes A ^new = h(P W ^new∥r), B ^new = A ^new ⊕ M and updates the smart card with the new parameters 〈A ^new, B ^new〉 and delivers it to the U _i by some means. This case is applicable where the smart card may be returned to the original user U _i by some means. the original user U _i will be failed to access the server’s resources for the subsequent transaction, because of inefficient password change phase.

Lacks of properly password update

As mention earlier, smart devices never verify old password in the password update phase. In order to update password, we supposed that U _i inputs correct identity I D _i and wrong password \(P{W_{i}^{w}}\) by mistake in password update phase. Then, the smart device straightforwardly computes \(A^{*} = h(P{W_{i}^{w}} \parallel r)\), M ^∗ = B ⊕ A ^∗. It may be noted that, A ^∗ ≠ A and M ^∗ ≠ M as \(P{W_{i}^{w}} \neq PW_{i}\).

Now, smart device asks to input new password to the U _i and s/he inputs new password \(PW_{i}^{new}\) and then smart device computes A ^new = h(P W ^new∥r), B ^new = A ^new ⊕ M ^∗. Finally, the smart device replaces 〈B〉 with the 〈B ^new〉. There may arise several difficulties which are discussed below.

• A. The value of M ^∗ should be h(x ⊕ I D _i ) but actually \(M^{*} = h(x \oplus ID_{i}) \oplus h(PW_{i} \parallel r) \oplus h(P{W_{i}^{w}} \parallel r) \), which is ≠ h(x ⊕ I D _i ), since \(PW_{i} \neq P{W_{i}^{w}}\).

• B. It is also noticeable that the value of B ^new is dependent on the wrong entered password \(P{W_{i}^{w}}\) and the new password P W ^new.

• C. Valid user U _i thinks that the password is updated successfully, so s/he uses new password \(PW_{i}^{new}\) for the next transaction and so on. Since, smart device never verifies password in the login phase of the Xu et al. protocol, so each and every time login message will be created and forwarded to the S. After checking the condition, S rejects the connection due to invalid login message, as the login message is created by the wrong entered password \(P{W_{i}^{w}}\) and U _i then believes that the server acts as a fraud but it is wrong. This problem can be avoided, if the smart devices check user’s password at the beginning of the login phase. Thus, it is clear that Xu et al. protocol has design flaws in the password update phase.

Proposed key agreement protocol for TMIS system

In this section, we proposed a user authentication and key agreement protocol based on the cryptographic one-way hash function and ECC using smart card applicable for TMIS. In our scheme, there are several phases like user registration phase, login phase, key agreement and mutual authentication phase and password change phase. All these phases of our proposed protocol are presented below.

In Fig. 3, we have explained all the phases of the proposed protocol.

Fig. 3

Description of the proposed scheme

User registration phase

It is the initial phase for accessing the medical services and any user can register with the medical server. The user chooses his/her desired identity I D _i , password P W _i , biometric template like fingerprint T _i and sends 〈I D _i , A _i , F _i 〉 to the medical server through secure channel or in person after computing A _i = h(I D _i ∥P W _i ) and F _i = H(T _i ). After receiving the registration request, medical server S computes A _i = h(I D _i ∥P W _i ), W = h(I D _s ∥x∥I D _i ), B _i = h(I D _i ∥A _i ) ⊕ W, C I D _i = E N C _x (I D _i ∥R _{r a n} ) and issues a smart card for the U _i after storing 〈F _i , A _i , B _i , C I D _i , h(), H()〉 into the memory of smart card through secure channel and completes the registration process, where I D _s is the identity of medical server and R _{r a n} is the random number. It is our assumption that an user chooses low entropy 〈I D _i , P W _i 〉 which are guessable individually in polynomial time.

Login phase

After completing registration procedure successfully, the U _i can access the medical server at anytime from anywhere through a card reader or terminal device which is connected to the medical server. All the steps of this phase are presented below:

• Step 1: The U _i primarily inserts his/her smart card into the card reader device and inputs biometric template T _i to the specific sensor device. The card reader computes \(F_{i}^{*} = H(T_{i})\) and matches it with the stored F _i . If it matches, biometric verification passes successfully and asks to input 〈I D _i , P W _i 〉 to the U _i ; otherwise, aborts the connection.

• Step 2: The card reader computes \(A_{i}^{*} = h(ID_{i} \parallel PW_{i})\) and matches it with the stored A _i . The matching result ensures whether the U _i has provided valid 〈I D _i , P W _i 〉 or not. If it matches, continues the next step; otherwise, aborts the connection.

• Step 3: In this step, the terminal generates a random nonce r _i and computes C ₁ = r _i ⋅P, \(W = B_{i} \oplus h(ID_{i} \parallel A_{i}^{*})\), C ₂ = r _i ⊕ W, C ₄ = h(I D _i ∥r _i ∥W) and transmits 〈C ₂, C ₄, C I D _i 〉 to the medical server as a login message through public/open channel.

Authentication and key agreement phase

The main aim of this phase is to achieve mutual authentication and to share session key agreement between the U _i and the medical server. All the steps of this phase are presented below:

• Step 1: Based on the received login message, the medical server first decrypts C I D _i using server’s secret key x and gets \((ID_{i}^{*} \parallel R_{ran}) = DEC_{x}(CID_{i})\), \(W = h(ID_{s} \parallel x \parallel ID_{i}^{*})\), \(r_{i}^{*} = C_{2} \oplus W\), \(C_{1}^{*} = r_{i}^{*} \cdot P\), \(C_{4}^{*} = h(ID_{i} \parallel r_{i}^{*} \parallel W)\) and matches \(C_{4}^{*}\) with the received C ₄. If it matches, the medical server believes the authenticity of the U _i .

• Step 2: The medical server generates a random nonce r _j and computes D ₁ = r _j ⋅P, \(SK = r_{j} \cdot C_{1}^{*} = r_{j}\cdot r_{i}^{*} \cdot P\), \(G_{1} = D_{1} + C_{1}^{*}\), \(L_{i} = h(ID_{i}^{*} \parallel h_{1}(D_{1}) \parallel W)\), \(CID_{i}^{\prime } = ENC_{x}(ID_{i}^{*} \parallel R_{ran}^{\prime })\) and sends reply message \(\langle L_{i}, G_{1}, CID_{i}^{\prime } \rangle \) to the U _i through public channel, where \(R_{ran}^{\prime }\) is the random number generated by the medical server.

• Step 3: Based on the received reply message, the U _i computes \(D_{1}^{*} = G_{1} - C_{1}^{*}\), \(L_{i}^{*} = h(ID_{i} \parallel h_{1}(D_{1}^{*}) \parallel W)\), \(SK = r_{i} \cdot D_{1}^{*} = r_{i} \cdot r_{j} \cdot P\) and matches \(L_{i}^{*}\) with the received L _i . If it matches, the U _i believes the authenticity of the medical server and the protocol achieves the mutual authentication property and shares a common secret session key SK. After performing mutual authentication, the U _i replaces old 〈C I D _i 〉 with the new \( \langle CID_{i}^{\prime } \rangle \) into the memory of smart card. Finally, the U _i computes Z _i = h(I D _i ∥S K) and forwards it to the medical server through public channel.

• Step 4: After receiving it, the server computes \(Z_{i}^{*} = h(ID_{i}^{*} \parallel SK)\) and matches it with the received Z _i . If it matches, both parties start secure communication.

Password change phase

In any password based user authentication scheme, it is a good property for designing password change phase to provide to change the password facility efficiently without the help of the medical server. Initially, the U _i inserts the smart card to the card reader and executes step-1,2 of the login phase for the authenticity of the U _i . After that, the card reader executes the following steps for changing the password successfully.

• Step 1: After user authentication, the card reader asks to input new password \(PW_{i}^{new}\) to the U _i and after entering it, the card reader computes \(A_{i}^{new} = h(ID_{i} \parallel PW_{i}^{new})\), \(B_{i}^{new} = h(ID_{i} \parallel A_{i}^{new} ) \oplus W\), where W is the old parameter and then the card reader replaces 〈A _i , B _i 〉 with the new values \(\langle A_{i}^{new}, B_{i}^{new} \rangle \) respectively and completes the password change phase successfully.

Cryptanalysis of the proposed scheme

This section cryptanalyses the proposed authentication scheme based on the assumptions mentioned in the attacker model. Firstly, we have demonstrated that the proposed protocol provides well security protection on all the confidential information of the user and server presented in Theorem 1. Secondly, the informal cryptanalysis ensures that all the relevant secure attacks are well protected. Thirdly, the AVISPA simulator tool confirms that the proposed authentication protocol is SAFE against active and passive attacks including replay and man-in-the-middle attacks.

Theorem 1

Under the assumptions that the attacker knows smart card parameters 〈F _i , B _i , A _i , CID _i , h(), H()〉, login message 〈C ₂, C4, CID _i 〉 and reply \( \langle L_{i}, G_{1}, CID_{i}^{\prime }\rangle \) from the proposed scheme description. The proposed scheme is secure against the attacker for deriving or guessing 〈ID _i , PW _i , T _i 〉 of a legal user, secret key 〈x〉 of the medical server and the session key 〈SK〉 between user and medical server.

Proof

In this proof, we assume that the attacker is able to derive or guess secret parameters 〈I D _i , P W _i , T _i , x〉 including the session key 〈S K〉 from the proposed authentication scheme. The justifications of the proof are presented below:

1. (1)

   The attacker primarily tries to retrieve confidential information 〈I D _i , P W _i , T _i , x〉 from the smart card knowledge 〈F _i , B _i , A _i , C I D _i , h(), H()〉, where F _i = H(T _i ), A _i = h(I D _i ∥P W _i ), B _i = h(I D _i ∥A _i ) ⊕ W, W = h(I D _s ∥x∥I D _i ) and C I D _i = E N C _x (I D _i ∥R _{r a n} ). The parameter F _i is protected by the bio-hashing operation which produces a bio-code. It should be noted that the bio-hashing operation is one-way and secure as cryptographic one-way hash function. Therefore, the attacker cannot gain any sensitive information from the bio-code. As the biometric template is very high entropy parameter, the adversary cannot guess it in polynomial time. The another smart card parameter A _i relies on the 〈I D _i , P W _i 〉 and protected by the non-invertible cryptographic one-way hash function. Therefore, the attacker cannot retrieve 〈I D _i , P W _i 〉 from A _i . In order to guess the correct 〈I D _i , P W _i 〉 from A _i at a time, the probability is approximately \(\frac {1}{2^{12n}}\), which is very negligible. Similarly, the parameter B _i is protected by the one-way hash function and relies on the secret values W = h(I D _s ∥x∥I D _i ). The attacker only knows 〈A _i , F _i , I D _s 〉 from the B _i = h(I D _i ∥A _i ) ⊕ W parameter. The attacker cannot extract 〈I D _i , x〉 from the B _i because of non-invertible one-way hash function. To guess the secret parameters 〈I D _i , x〉, the probability is approximately \(\frac {1}{2^{6n+1024}}\), which is negligible.

2. (2)

   In each authentication cycle, the login parameters 〈C ₂, C ₄, C I D _i 〉 is transmitted through insecure channel, where C ₂ = r _i ⊕ W, C ₄ = h(I D _i ∥r _i ∥W) and C I D _i = E N C _x (I D _i ∥R _{r a n} ). As mentioned above, the parameter W is secure against the attacker. Therefore, the attacker cannot extract random nonce r _i or W from C ₂. Similarly, the attacker cannot extract I D _i from C ₄, as the parameter C ₄ is protected by the non-invertible one-way hash function. Since the parameter C ₄ relies on the 〈r _i , W〉, the attacker cannot verify the guessed identity using C ₄. If the attacker wants to guess I D _i from C ₄, the probability is approximately \(\frac {1}{2^{6n + 160 + 1024}}\), which is very negligible.

3. (3)

   In each execution of the proposed protocol, the reply message \(\langle L_{i}, G_{1}, CID_{i}^{\prime } \rangle \) is transmitted over the insecure channel, where \(L_{i} = h(ID_{i}^{*} \parallel h_{1}(D_{1}) \parallel W)\), \(G_{1} = D_{1} + C_{1}^{*}\) and \(CID_{i} = ENC_{x}(ID_{i} \parallel R_{ran}^{\prime })\). The computation of L _i parameter relies on the confidential parameter 〈I D _i , D ₁, W〉 and also all these parameter are protected by the cryptographic one-way hash function. Therefore, the attacker cannot extract I D _i from L _i and also the guessing probability would be very negligible.

4. (4)

   The session key of the proposed protocol S K = r _i ⋅r _j ⋅P relies on the random nonces 〈r _i , r _j 〉 which are secure throughout our scheme. Additionally, the SK is protected by the elliptic curve discrete logarithm problem (ECDLP). Therefore, the attacker cannot compute SK without the knowledge of 〈r _i , r _j 〉. In order to guess the session key, the probability is approximately \(\frac {1}{2^{320}}\), which is very negligible and infeasible in polynomial time.

The above explanations clearly state that the attacker has no way to extract the confidential parameters of the user and server including session key of the proposed protocol. Additionally, it also shows that the guessing probability is negligible. Therefore, our assumption is wrong and proof the Theorem 1. □

Off-line identity-password guessing attack

In our proposed scheme, we have assumed that each users use very low entropy I D _i and P W _i which can be guessed by the attacker in polynomial time. However, the attacker cannot successfully verify the guessed I D _i or P W _i in off-line mode by using the extracted parameters 〈F _i , B _i , A _i , C I D _i , h(), H()〉 from the stolen smart card and intercepted parameters 〈C ₂, C4, C I D _i , L _i , G ₁〉 from the login-reply messages. We have presented below clear justifications for resilience of off-line identity-password guessing attacks.

1. (1)

   In order to verify the guessed parameters \(ID_{i}^{*}\) and P W _i ∗ by using the parameter A _i = h(I D _i ∥P W _i ), the attacker has to guess correctly two unknown parameters 〈I D _i , P W _i 〉 at a time, which is infeasible in polynomial time.

2. (2)

   To Verify the guessed identity \(ID_{i}^{*}\) by using the condition \(B_{i}^{*} = h(ID_{i}^{*} \parallel A_{i}) \oplus h(ID_{s} \parallel x \parallel ID_{i}) = B_{i}\), the attacker needs to know the secret key x of the server. It is noted that the secret key x is only known to the attacker.

3. (3)

   Similarly, the attacker needs to know x parameters to verify the guessed identity \(ID_{i}^{*}\) by using C I D _i , where C I D _i = E N C _x (I D _i ∥R _{r a n} ).

4. (4)

   The attacker also cannot verify the guessed identity \(ID_{i}^{*}\) by using the parameters 〈C ₄, L _i 〉 because of secret parameters 〈r _i , W, D ₁〉.

The above justifications clearly state that the attacker cannot verify the guessed \(ID_{i}^{*}\) and \(PW_{i}^{*}\). Therefore, the proposed scheme is secure against off-line password guessing attack.

User anonymity and untraceability attack

We have explained in off-line identity-password guessing attacks that the attacker cannot extract or guess user identity from protocol description and known parameters of the attacker. Therefore, we can claim that the proposed protocol preserves user anonymity property. During execution of the proposed protocol, the parameter C I D _i = E N C _x (I D _i ∥R _{r a n} ) is transmitted as a login message. After receiving C I D _i , the medical server extracts I D _i after decrypting C I D _i with the help of the server’s secret key x. After performing mutual authentication, the server sends \(CID_{i}^{\prime } = ENC_{x}(ID_{i} \parallel R_{ran}^{\prime })\) to the U _i , and after getting it, the smart card updates \(CID_{i}^{\prime }\) in each authentication cycle. As the parameter C I D _i is not static, it is our argue that the attacker cannot trace the U _i from the login message.

Privileged insider attack

Most of the today’s security system does not guarantee high reliability due to insider attack. It is practical that most of the users use identical password for accessing a set of application servers. If an insider of the system such as system manager or administrator leaks the user’s confidential information i.e. password (P W _i ) to the attacker, he/she may use that password to the others accounts of the others servers. Therefore, the confidentiality on the user’s password from the server is very necessary, though the server is trusted. At the time of registration, the proposed protocol sends A _i = h(I D _i ∥P W _i ) instead of plaintext password P W _i to the server. Therefore, the insider person cannot extract P W _i from A _i due to non-invertible one-way hash function.

User impersonation attack

In this attack, we suppose that the attacker eavesdrops the login message of the proposed scheme 〈C ₂, C ₄, C I D _i 〉 and tries to impersonate as a legitimate user. However, the attacker cannot impersonate as a legitimate user due to the following reasons:

1. (1)

   It is clear that the attacker can generate a random number \(r_{i}^{*}\) and compute \(C_{1} = r_{i}^{*} \cdot P\), as the parameter P is public.

2. (2)

   To compute valid C ₂, where C ₂ = r _i ⊕ W, the attacker needs valid W = h(I D _s ∥x∥I D _i ) which is not feasible.

3. (3)

   The parameter C ₄ = h(I D _i ∥h(C ₁)∥W) relies on the secret parameter W and the identity I D _i . Therefore, the attacker cannot compute valid C ₄ parameter.

The above explanations show that the proposed scheme resists user impersonation attack i.e. the attacker cannot impersonate as a legitimate user.

Server impersonation attack

Like user impersonation attack, the attacker may also try to impersonate as a legitimate server after generating valid reply message \(\langle L_{i}^{*}, G_{1}^{*}, CID_{i}^{\prime } \rangle \) of the proposed scheme. However, the proposed scheme provides strong security protection against server impersonation attack due to following reasons:

1. (1)

   The parameter G ₁ is defined as \(G_{1} = D_{1} + C_{1}^{*} \), where D ₁ = r _j ⋅P and \(C_{1}^{*} = r_{i}^{*} \cdot P\).

2. (2)

   It is confirmed that the attacker can compute \(D_{1}^{*} = r_{j}^{*} \cdot P\) after generating a random number \(r_{j}^{*}\).

3. (3)

   To compute valid G ₁, the attacker needs to compute valid \(C_{1}^{*}\) which is dependent on the random number r _i . As the attacker cannot compute valid r _i from C ₂ parameter due to secret value W, he/she is unable to compute valid G ₁.

4. (4)

   Similarly, the attacker cannot compute valid L _i = h(I D _i ∥h ₁(D ₁)∥W) due to unknown secret parameters 〈I D _i , W〉.

The above explanations show that the proposed scheme is secure against server impersonation attack.

Smart card theft attack

It is a very critical attack on any smart card based user authentication and key agreement protocol. If the attacker can compute the valid registration parameters without altering server’s information and identity of the user, s/he may introduce a new smart card by using his/her own biometric template and password. However, the attacker cannot launch smart card theft attack which is justified below:

1. (1)

   The smart card holds 〈F _i , B _i , A _i , C I D _i , h(), H()〉 of a legal user where, F _i = H(T _i ), A _i = h(I D _i ∥P W _i ), B _i = h(I D _i ∥A _i ) ⊕ W, W = h(I D _s ∥x∥I D _i ), C I D _i = E N C _x (I D _i ∥R _{r a n} ).

2. (2)

   It is confirmed that the attacker can compute \({F_{i}^{a}} = H({T_{i}^{a}})\) by utilizing his/her biometric template \({T_{i}^{a}}\) and can embed into the smart card.

3. (3)

   As the valid user password P W _i is hashed with the valid I D _i in A _i , the attacker cannot embed attacker’s password \(P{W_{i}^{a}}\) without the knowledge of valid I D _i . Therefore, the computation \({A_{i}^{a}} = h(ID_{i} \parallel P{W_{i}^{a}})\) is not feasible.

4. (4)

   Similarly, the attacker cannot compute valid B _i without the knowledge of secret parameters 〈I D _i , W〉.

The above descriptions confirm that the proposed authentication scheme is secure against smart card theft attack.

Smart card stolen attack

We supposed that the attacker has got the legal user smart card by some means and extracted smart card information 〈F _i , A _i , B _i , C I D _i , h(), H()〉, where F _i = H(T _i ), A _i = h(I D _i ∥P W _i ), B _i = h(I D _i ∥A _i ) ⊕ W, W = h(I D _s ∥x∥I D _i ) and C I D _i = E N C _x (I D _i ∥R _{r a n} ). It is noted that the bio-hashing is secure as cryptographic one-way hash function and non-invertible. Therefore, the attacker cannot extract T _i from F _i . Moreover, s/he cannot guess it in polynomial time due to high entropy property. The parameter A _i is protected by the one-way hash function and hence cannot extract 〈I D _i , P W _i 〉 from A _i . Additionally, they (attacker) cannot guess low entropy 〈I D _i , P W _i 〉 from A _i as suggested in [48]. The attacker is not able to guess or extract 〈I D _i 〉 from B _i , C I D _i due to unknown parameter 〈x, R _{r a n} 〉. Therefore, the proposed authentication scheme provides strong security protection on smart card stolen attack.

Session key computation attack

The security of the session key S K = r _i ⋅r _j ⋅P of our proposed protocol relies on the difficulty of elliptic curve discrete logarithm problem. We have shown earlier that the attacker has no way to extract 〈r _i , r _j 〉 parameters from the protocol description. As the computation of the session key depends upon the two secret number 〈r _i , r _j 〉, the attacker is unable to compute it. Therefore, the proposed scheme provides strong security protection on the session key.

Session key verification

In the step 3-4 of the authentication phase, the user sends Z _i = h(I D _i ∥S K) to the medical server and upon receiving it, the server checks the verification whether \(Z_{i}^{*} = h(ID_{i}^{*} \parallel SK) =? Z_{i}\). If it is correct, it ensures that the session key SK is verified. Therefore, the proposed scheme provides session key verification property.

Efficient login and password change phase

In the login phase of our scheme, the smart card generates and transmits the login message after verifying the user’s biometric template and password every time. Therefore, the login phase reduces extra computation as well as network congestion. Similarly, the smart card verifies the authenticity of the user before updating the new password. It may be noted that the user can choose and update the password at his will without the help of the medical server which reduces communication cost as well as computation cost.

Message freshness

Timestamp method is the another way for resisting replay attack. However, this method may sometimes suffer from clock synchronization problem. To overcome it, the authentication scheme should maintain global clock time i.e. the user and the medical server should maintain same time, which requires extra cost of the protocol. For avoiding this problem, our proposed protocol uses random nonces instead of timestamp to verify the freshness of the message.

Simulation for formal security verification using AVISPA tool

This section discusses regarding the simulation of our proposed scheme for the formal security verification using the widely-accepted AVISPA [2, 6, 12] (Automated Validation of Internet Security Protocols and Applications) tool for proving the proposed protocol is secure against passive and active attacks including the replay and man-in-the-middle attacks.

Specifying the proposed protocol

In this section, we discuss briefly the specification of the proposed scheme using HLPSL language for the roles of the user, server, session and the environment. In Fig. 4, we have implemented the role for the U _i . During the registration phase, the U _i initially transmits 〈I D _i , A _i , F _i 〉 to the medical server through secure channel with the help of the Snd() operation and symmetric key. The type declaration channel(dy) means that the channel is for the Dolev-Yao [14] threat model. The declaration secret(PWi, Ti, subs2, Ui) indicates that the parameters 〈P W _i , T _i 〉 are only known to U _i and similarly secret(IDi, subs3, Ui,S) tells that the I D _i is kept secret permanently to both U _i and S. U _i then receives a smart card information 〈F _i , A _i , B _i , C I D _i h(), H()〉 with the help of theRcv() operation. Thereafter, the U _i generates a random number with the help of the new() operation and sends the login message 〈C ₂, C ₄, C I D _i 〉 to the S through public channel. The declaration \(witness (Ui, S, alice\_bob\_ri, Ri^{\prime })\) indicates that the U _i has generated freshly \(R_{i}^{\prime }\) for the S in the login phase. In the authentication and key agreement phase, the U _i receives reply message \(\langle L_{i}^{\prime }, G_{i}^{\prime }, CIDin, \rangle \) with the help of the Rcv() operation and finally sends 〈Z _i 〉 to the S over public channel for session key verification. The declaration \(request(S, Ui, bob\_alice\_rs, Rs^{\prime })\) means that the U _i authenticates the S.

Fig. 4

Role specification for the user (Ui) of the proposed scheme in HLPSL

In Fig. 5, we have implemented the role for the medical server S in HLPSL language. After receiving the registration message, the S transmits a smart card with the parameters 〈F _i , A _i , B _i , C I D _i , h(), H()〉 with the help of the S n d() operation through secure channel. The declaration secret(X, subs1, S) states that the secret key is kept secret permanently to the medical server. In login phase, the server receives 〈C ₂, C ₄, C I D _i 〉 from the U _i through insecure channel. After that, the S generates a random nonce with the help of the new() operation and transmits a reply message \(\langle L_{i}^{\prime }, G_{i}^{\prime }, CIDin \rangle \) to the U _i over a public channel. Finally, the S receives a message 〈Z _i 〉 for session key verification with the help of the R c v() operation. The declaration \(request~(Ui, S, alice\_bob\_ri, Ri^{\prime })\) states that the S authenticates U _i .

Fig. 5

Role specification for the bob (S) of the proposed scheme in HLPSL

In Fig. 6, we have provided the specification for the roles of session, goal and environment in HLPSL. In the session segment, all the basic roles including the roles for the U _i and the S are instanced with concrete arguments. The environment section contains the global constant and composition of one or more session and the intruder knowledge is also given. The current version (2006/02/2013) of HLPSL supports the standard authentication and secrecy goals. In our implementation, the following three secrecy goals and two authentications are verified.

• secrecy_of subs 1: It represents the secret key X _s is kept secret to medical server only.

• secrecy_of subs 2: It represents the secret parameters 〈P W _i , T _i 〉 is kept secret only to U _i .

• secrecy_of subs 3: It represents the secret parameter I D _i is kept secret only to U _i and S

• authentication_on bob_alice_ri: It means that the U _i generates a random nonce r _i where r _i is only known to U _i and if S receives it through message securely, S then authenticates the U _i .

• authentication_on bob_alice_rs: It means that the S generates a random nonce r _s where r _s is only known to S and if U _i receives it through message securely, U _i then authenticates the S.

Fig. 6

Role specification for session, goal and environment of the proposed scheme in HLPSL

Simulation results

In this section, we specify simulation results of our proposed scheme based on the widely-accepted two back-ends such as OFMC and CL-AtSe using the AVISPA web tool [50]. The Figs. 7 and 8 confirm that the proposed protocol is SAFE under two back-ends OFMC and CL-AtSe respectively. Moreover, the simulation results using AVISPA clearly demonstrates that the proposed scheme is secure against active and passive attacks including replay and man-in-the-middle attacks.

Fig. 7

Simulation result of the proposed scheme for the OFMC back-end

Fig. 8

Simulation result of the proposed scheme for the CL-AtSe back-end

Performance evaluation

The computation and communication cost complexities are the most important issues to measure the performance of any user authentication and key agreement protocol and it should be as minimum as possible than the existing related schemes for achieving better performance. This section evaluates the performance comparison of the proposed protocol with some other existing related protocols. In Table 2, we have presented security functionality comparison of the proposed protocol with other existing related protocols and it has been observed that none of the protocols are completely free from security weaknesses. However, the proposed protocol not only protects security attacks described in the Table 2, but also protects user-server impersonation attack, smart card theft attack, smart card stolen and achieves efficient login and password update phase and session key verification property. In order to measure the computation cost, this paper mainly uses symmetric key encryption/decryption operation T _s , cryptographic hash function (T _h ), point multiplication (T _{p m} ) operation, xor (⊕) and concatenation (∥). As the operations 〈⊕, ∥〉 take very negligible computation cost than \(\langle T_{h}, T_{pm, T_{s}} \rangle \), we avoid it in our comparison. According to [36, 37], the computation cost complexity can be roughly expressed as (T _{p m} >>T _s > T _h ). As suggested in [36, 37], we have assumed that the computation cost for one-way hash function, symmetric key encryption decryption algorithm and elliptic curve scalar point multiplication operation take 0.0005, 0.0087 and 0.063075 second respectively. The Table 3 presents the computation and communication cost comparison of the proposed protocol with some other related existing protocols. The Table 3 clearly indicates that the execution time of the proposed protocol is better than scheme [54]. However, the proposed scheme takes relatively more computation than the schemes [10, 12, 45, 49, 55], because these schemes are based on the light wight cryptographic hash function. Although the proposed protocol provides high security protection on the relevant security attacks mentioned in Table 2, the Table 3 ensures that the protocol is relatively better than existing related protocols in terms of smart card storage and computation cost.

Table 2 Security functionality comparison of the proposed scheme with related schemes

Table 3 Computation, communication and storage cost comparison of the proposed scheme with related schemes

Conclusion and future work

In this paper, we have analyzed that both (Mishra et al. and Xu et al.) protocols suffer from several security weaknesses. Thereafter, we have proposed a more efficient and secure authentication protocol to fix the Mishra and Xu et al.’s security weaknesses. The proposed scheme satisfies all the desirable security attributes which are presented in the security analysis section of this paper through both formal and informal security analysis. We have simulated our proposed scheme for the formal security verification using the widely-accepted AVISPA tool and shown that the proposed protocol is secure against passive and active attacks including the replay and man-in-the-middle attacks. The performance analysis confirms that the proposed protocol is efficient as compared to other related existing schemes in terms of computation and smart card storage overhead. The proposed scheme supports efficient login and authentication phase, password change phase and achieves mutual authentication as well as session key agreement and verification between the user and the medical server. Considering the security and efficiency provided by the proposed scheme, we conclude that the proposed scheme is more appropriate for practical application for telecare medical information system. Further, we aim to reduce the complexities of the proposed protocol without compromising security.