A robust authentication scheme for telecare medical information systems

Abstract

With the speedy progress in technology, the Internet has become a non-separable part of human life. It is obvious to use the Internet in all fields and medical field is no exception. The concept of establishing telecare medicine information systems(TMIS) for patients is gaining more popularity recently. To ensure the privacy of patients and to allow authorized access to remote medical servers, many authentication schemes have been proposed. Li et al., in 2016, proposed a secure dynamic identity and chaotic maps based user authentication and key agreement scheme. They claimed that the scheme is resistant to most of the known attacks. However, from thorough cryptanalysis, we have proved that their scheme is vulnerable to user impersonation attack, password guessing attack and server impersonation attack. We have also illustrated that their scheme does not provide user anonymity, convenient smart card revocation and security to session key. To overcome the aforementioned security weaknesses, we have proposed an enhanced authentication scheme using chaotic maps, which has been discussed in this paper along with its cryptanalysis. Cryptanalysis of the proposed scheme proves that the scheme is more robust and suitable for implementation.

1 Introduction

The evolution and swift progress in the Internet technology has left no stone unturned. Digitization is of utmost importance in almost all the fields including e-medicine. Valuable work has been happening lately in this field including applications of IoT, schemes for implantable medical devices deployment and wireless body area networks [3, 4, 37, 43,44,45]. Due to this, the geographical distance between patients and doctors is far close to elimination. In medical organizations, medical personnel have to quickly understand the complete information of patients to make instant and accurate diagnoses as well as to provide appropriate treatment.

The purpose of medical records is to provide continuity of care [10]. A patient’s medical record is an important part of treatment, and to aid in treatment, the record must contain complete, accurate personal information [38]. Traditional article-based patient records have various drawbacks like disorganization, low data mobility, illegibility, more space requirement, conservation difficulty and low transferability [14, 27, 35, 36, 41, 42]. To overcome all these drawbacks, traditional article-based patient records have been transformed to electronic patient records. The advantages of this approach are accessibility, low costs, easy reporting, readability and diagnostic support [23].

In order to support patients and doctors, the integrated EPR (Electronic Patient Record) systems are widely used. Monitoring patient’s health data and providing accurate information to medical institutions, analysis and maintenance of patient’s health is mostly covered in EPR information system. Personal health record systems are more than just repositories for patient data; they combine data, knowledge and software tools, which help patients to become active participants in their own care [39]. Doctors use the information (ex. ECG, EEG, treatment record of the diseases, etc.) to diagnose and treat disease [34]. Since the Internet is open to all, it is vulnerable to various security attacks. Patients and physicians fear that medical records may not be secure because the EPR systems are Web-based [2]. A registered user can access services from the medical server whenever required. During these data exchange, a lot of private and sometimes, highly confidential information will be transmitted over public channels. Due to this, there is great risk for loss of privacy and this has to be controlled. For e.g., in the US, federal regulations enacted under the Health Insurance Portability and Accountability Act (HIPAA) require members of the healthcare industry who use electronic information systems to protect the privacy of medical information [5].

To use services from a remote server, one must have proper access rights. Authentication guarantees that the system’s resources are not obtained fraudulently by unauthorized users [52]. Password-based authentication scheme is one of the most convenient authentication mechanisms. But due to the openness of the Internet, number of attacks are possible. So, to achieve secure authentication, a strong authentication scheme is essential between user and server.

Different authentication schemes have been proposed in the literature and one such scheme was proposed by Li et al. [22]. The contribution of this article is to reveal the weaknesses of Li et al.’s scheme and propose a robust scheme, which overcomes the mentioned weaknesses.

1.1 Contributions of the paper

Contributions of this paper are as follows:

1. 1.

   We have proposed an authentication scheme using Chebyshev chaotic maps which provides smaller key size with fast computation and higher efficiency. In this scheme, both the parties can authenticate each other. Also, the proposed scheme does not maintain any user identity or password verification table.

2. 2.

   Security analysis of the proposed scheme proves that it can overcome all the security attacks. In addition to this, analysis is presented using widely accepted BAN(Burrows-Abadi-Needham) logic. In this, it is proved that the session key generated during a session is safe. This safety of session key assures that the communication between both the parties is secure. In other words, it can be inferred that the proposed scheme provides security.

3. 3.

   Comparison of communication cost with real time execution values of the proposed scheme with other schemes have been presented. Additionally, various schemes have been compared based on the performance.

1.2 Structure of the paper

The rest of the article is organized as follows. Section 2 briefly puts light on the related work. Section 3 discusses mathematical preliminaries used in the reviewed and proposed schemes. Section 4 reviews Li et al.’s scheme followed by its cryptyanalysis in Section 5. The proposed scheme is thoroughly explained in Section 6, whereas security analysis of the proposed scheme is discussed in Section 7. Section 8 verifies the proposed scheme using BAN logic. Section 9 compares the proposed scheme with other schemes in terms of computational cost, execution time as well as performance with Section 10 concluding the paper.

2 Related work

In this section, remote user authentication schemes for the integrated EPR information systems have been studied thoroughly. Remote user authentication schemes are employed to ensure secure and authorized communication between user and server [52]. They verify the validity of remote user and server over insecure channel. Several schemes have been proposed in the literature for the integrated EPR information systems to improve the existing schemes. Tsai et al. [40], Madhusudhan and Mittal [25] have clearly explained the possible attacks to consider and the security goals to achieve while designing an ideal authentication scheme using smart cards.

D. Mishra [30], Cao et al. [7] and others have proposed different schemes for the integrated EPR system [9, 31, 32]. In 2010, Wu et al. [52] proposed an efficient user authentication scheme for telecare medicine authentication system with low computational cost. But then, He et al. [12] showed that Wu et al.’s scheme suffered from impersonation attack and insider attack. Then they proposed an improved scheme. In the same year, Wei et al. [46] demonstrated that He et al.’s scheme could not provide two-factor security and proposed an improved scheme. But then, Zhu [55] showed that Wei et al.’s scheme could not resist offline password guessing attack and he proposed RSA-based authentication scheme for TMIS. In these schemes, the identity of the user was static. Later dynamic ID-based authentication schemes for TMIS were proposed. Again in 2012, Wu et al. [51] proposed an efficient password based user authentication scheme using smart cards for the integrated EPR information systems based on difficulty of solving the Discrete Logarithm Problem (DLP). Their scheme consists of lightweight hashing functions and multiplication computations. But in 2013, Lee et al. [21] pointed out that the scheme in [51] was vulnerable to stolen-verifier and smart card loss attacks; they proposed an improved version of that scheme. But then, Wen [47] pointed out that [21] could not withstand offline password guessing attack and he proposed an improvement of the same. Also, in 2013 and 2014, different authentication schemes were proposed [8, 16, 48, 50, 53]. However, Das [11] in 2015, identified the flaws in password change phase of Wen’s scheme and also showed that their scheme failed to overcome privileged insider attack. He then proposed an improved version of the Wen’s scheme while retaining the original merits of Lee et al.’s scheme and Wen’s scheme, in which it is mentioned that the improved scheme is secure against possible known attacks. Later, Mir et al. [29] pointed out weaknesses in [11] and proposed an improved scheme. Authentication schemes based on chaotic maps were proposed [17, 20, 24, 33].

Recently Li et al. [22] proposed a chaotic map based authentication scheme for e-healthcare systems. In this article, we have thoroughly cryptanalyzed their scheme. Unfortunately, several security weaknesses have been identified, which includes server impersonation attack, failure to provide user anonymity, password guessing attack etc.

3 Mathematical preliminaries

The proposed scheme makes use of one-way hash functions, Chebyshev polynomial and chaotic maps. These maps produce required confusion and diffusion. The outputs produced by chaotic maps combined with hash functions can make it almost impossible for an adversary to guess the values without knowledge of initial values. It is a map which exhibits some sort of random behavior. They are unstable dynamical systems with high sensitivity to initial conditions [13]. In other words, a negligible change in the input makes a huge difference in the resulting output. Properties of chaotic maps like ergodicity and sensitive dependence on initial conditions and system parameters are quite advantageous to construct secure communication schemes, where irregularity in code sequences, sensitive dependence on plain texts and keys are required [26]. In this section, the basics of these concepts are described.

1. 1.

   Hash function: A one-way cryptographic hash function, h : {0, 1}^∗→{0, 1}^∗ takes a binary string qε {0, 1}^∗ of any arbitrary length as an input and produces a binary string of fixed length, say nbits, h(q)𝜖{0, 1}^∗ as output [49].

2. 2.

   Chebyshev polynomial and properties [15, 54]

   • The Chebyshev polynomial T_n(x) : [− 1,1] → [− 1,1] of degree n is defined as

     $$ T_{n}(x) = \left\{\begin{array}{ll} \cos(n.\arccos (x)) & \text{if} \ x \ \epsilon \ [-1,1] \\ \cos (n\theta) & \text{if} \ x = \cos \theta, \theta \ \epsilon \ [0,\pi] \end{array}\right. $$

     (1)

     The recurrence relation of the polynomial in (1) is given by

     $$ T_{n}(x)=\left\{\begin{array}{ll} 1 & \text{if} \ n \ = \ 0 \\ x & \text{if} \ n \ = \ 1 \\ 2xT_{n-1}(x)-T_{n-2}(x) & \text{if} \ n \geq 2 \end{array}\right. $$

     (2)

   • The semi-group property of the enhanced Chebyshev polynomial holds on the interval (−∞, + ∞) and is defined as follows For T_n(x) = 2xT_n− 1(x) − T_n− 2(x), n ≥ 2 where p is a large prime and x𝜖 (−∞, + ∞), T_r(T_s(x)) ≡ T_rs(x) ≡ T_s(T_r(x))(modp) always holds where \(r,s \ \epsilon \ Z_{p}^{*} = \{a | 0 < a < p, \ gcd(a,p)= 1\} = \{1,2, ...,p-1\}\).

   • For any given x and y, it is computationally infeasible to find integer s such that T_s(x) = y. This property is referred to as the chaotic map-based discrete logarithm problem (CMDLP).

4 Review of Li et al.’s scheme [22]

In this section, Li et al.’s scheme is briefly reviewed. The notations used in this scheme are listed in Table 1. The various phases of Li et al.’s scheme are given below.

Table 1 Notations used in this article

1. A.

   Registration Phase

   To access services from the e-healthcare system server S, a new user U_i must register himself/herself at the server S. The following steps are performed during registration:

   1. R1.

      U_i initially selects his/her identity ID_i, a password PW_i and a random number b. U_i computes the masked password W = h(PW_i ∥ b) and sends the registration message {ID_i, W} to the server S via a secure channel.

   2. R2.

      On receiving the registration request message {ID_i, W} from the user U_i, the server S validates the identity ID_i of U_i. If it is valid, the server S calculates T_d(ID_i ∥ Q) and computes v = W ⊕ T_d(ID_i ∥ Q). It then stores ID_i and Q in its database. If it is U_i’s initial registration, S sets Q = 0 in the field of registration times for U_i; else S sets Q = Q + 1.

   3. R3.

      S then issues a smart card containing the information {v, h(.), Q} to the user U_i via a secure channel.

   4. R4.

      U_i calculates T_d(ID_i ∥ Q) = v ⊕ W, X = b ⊕ h(ID_i ∥ PW_i), Y = h(T_d(ID_i ∥ Q) ∥ b ∥ h(ID_i ∥ PW_i) and stores X and Y into the smart card.

2. B.

   Login Phase

   Whenever a registered user wants to login to the TMIS system server S, the following steps will be executed:

   1. L1.

      U_i inserts his/her smart card into the card reader of a terminal, inputs his/her identity ID_i and password PW_i. The smart card of U_i computes h(ID_i ∥ PW_i), b = X ⊕ h(ID_i ∥ PW_i), W = h(PW_i ∥ b) and T_d(ID_i ∥ Q) = v ⊕ W. It then verifies if h(T_d(ID_i ∥ Q) ∥ b ∥ h(ID_i ∥ PW_i)) = Y holds or not. If it holds, it goes to next step. Otherwise, the login session is terminated.

   2. L2.

      U_i’s smart card generates a random number a and computes K_US = T_aT_d(ID_i ∥ Q), R = h(ID_i ∥ T_a(ID_i ∥ Q) ∥ T_d(ID_i ∥ Q)) and V = K_US ⊕ (ID_i ∥ R).

   3. L3.

      Finally, U_i sends the login request message {T_a(ID_i ∥ Q), V } through a public channel to the server S.

3. C.

   Authentication Phase

   On receiving the login request message {T_a(ID_i ∥ Q), V } from U_i, server S performs the following steps:

   1. A1.

      S calculates \(K_{US}^{l} =T_{d}T_{a}(ID_{i} \parallel Q)\), verifies the validity of ID_i and Q. It then verifies if h(ID_i ∥ T_a(ID_i ∥ Q) ∥ T_d(ID_i ∥ Q)) = R holds or not. If it does not hold, S rejects the service request message and the authentication phase is terminated.

   2. A2.

      S computes session key SK = h(ID_i ∥ T_d(ID_i ∥ Q) ∥ T_a(ID_i ∥ Q)) and Z = h(ID_i ∥ SK ∥ T_d(ID_i ∥ Q)) and sends the authentication request message {Z} to the user U_i.

   3. A3.

      On receiving the authentication request message {Z} from S, U_i computes SK^l = h(ID_i ∥ T_d(ID_i ∥ Q) ∥ T_a(ID_i ∥ Q)) to check if the condition h(ID_i ∥ SK^l ∥ T_d(ID_i ∥ Q)) = Z holds or not. If the condition holds, the server S is authenticated.

      After successful authentication, the session key SK = h(ID_i ∥ T_d(ID_i ∥ Q) ∥ T_a(ID_i ∥ Q)) = SK^l provides a secure channel for S and U_i to communicate with each other.

4. D.

   Password Change Phase

   Suppose a user U_i wants to change the password, the following steps are performed:

   1. P1.

      U_i inserts his/her smart card into the card reader terminal, enters his/her identity ID_i and old password PW_i. The smart card computes h(ID_i ∥ PW_i), b = X ⊕ h(ID_i ∥ PW_i), W = h(PW_i ∥ b), T_d(ID_i ∥ Q) = v ⊕ W and verifies if h(T_d(ID_i ∥ Q) ∥ b ∥ h(ID_i ∥ PW_i)) equals Y or not. If the verification is valid, U_i enters a new password PW_new; else the request is denied.

   2. P2.

      The smart card computes W_new = h(PW_new ∥ b), v_new = W_new ⊕ T_d(ID_i ∥ Q), X_new = b ⊕ h(ID_i ∥ PW_new) and Y_new = h(T_d(ID_i ∥ Q) ∥ b ∥ h(ID_i ∥ PW_new)).

   3. P3.

      Finally, the smart card replaces v, X and Y with v_new, X_new and Y_new respectively.

5. E.

   Smart Card Revocation Phase

   Suppose a legal user U_i loses his/her smart card, U_i informs S regarding his/her revocation in person. S then confirms the authenticity of U_i by verifying U_i’s identification papers. On successful authentication, S asks U_i to select a new password and a new random number and execute the same steps of the registration phase. Finally S sets Q = Q + 1 in the field of registration times for U_i.

5 Security weaknesses in Li et al.’s scheme

In this section, Li et al.’s scheme has been cryptanalyzed in depth and identified weaknesses are explained in detail. Before analyzing the scheme, the following assumptions are considered regarding the possibilities of an adversary as described by Kocher et al. [19] and Messerges et al. [28]:

1. 1.

   An adversary has total control over the communication channel connecting the users and the remote server in login/authentication phase. So the adversary can intercept, insert, delete or modify any message transmitted via public channel.

2. 2.

   An adversary can extract the information stored in a smart card by means of analyzing the power consumption of the smart card.

5.1 Obtaining secret value d of the server S

Suppose an adversary initially registers as a legal user in the system with his own ID and PW, then the system issues a smart card with all registered parameters in it. Now, according to Kocher et al. and Messerges et al., the adversary can obtain all the parameters inside the card. So the adversary now has the parameters {X, Y, h(.), v, Q} stored in it by analyzing the power consumption. Now, he calculates T_d(ID ∥ Q) = v ⊕ W, where W = h(PW_i ∥ b), password and random number are of the adversary. He then calculates

$$d^{l} = \frac{\arccos T_{d}(ID_{i} || Q)+ 2k\pi}{\arccos (x)} $$

such that \( {T_{d}^{l}}(ID\parallel Q) = T_{d}(ID \parallel Q). \)

1. 1.

   No user anonymity

   Assume that the adversary comes in possession of the smart card of a user U_i with the values {X, Y, h(.), v, Q} and he has stored these values. Suppose he eavesdrops the login message {T_a(ID_i ∥ Q), v} and authentication message {Z} between U_i and S, then from the above argument, adversary calculates \( a^{l} = \frac {\arccos T_{a}(ID_{i}|| Q)+ 2k\pi }{\arccos (x)} \) such that \({T_{a}^{l}}(ID_{i} \parallel Q)=T_{a}(ID_{i} \parallel Q)\). He then chooses ID^l, computes \({T_{a}^{l}}(ID^{l} \parallel Q)\) using the value of Q stored in the smart card and checks if the computed value equals T_a(ID_i ∥ Q). If they are equal, the adversary has guessed the correct identity. If not, he repeats the procedure with different values for ID until he guesses the correct identity. So, user anonymity is not preserved in this scheme.

2. 2.

   Vulnerable to password guessing attack

   Suppose an adversary gets a smart card having the values {X, Y, h(.),v, Q}, which he stores for his further purposes, and has eavesdropped login message {T_a(ID_i ∥ Q), v} and authentication message {Z} between U_i and S. From 1), the adversary already has obtained the ID_i of U_i. Also he has originally calculated d^l such that \({T_{d}^{l}}(ID \parallel Q) = T_{d}(ID \parallel Q)\). Now using ID_i and Q from smart card, he computes \({T_{d}^{l}}(ID_{i} \parallel Q)\) which is T_d(ID_i ∥ Q). Using v = W ⊕ T_d(ID_i ∥ Q), adversary computes W = v ⊕ T_d(ID_i ∥ Q). Also from X = b ⊕ h(ID_i ∥ PW_i), b is computed as b = X ⊕ h(ID_i ∥ PW_i). The value Y = h(T_d(ID_i ∥ Q) ∥ b ∥ h(ID_i ∥ PW_i)) is stored in the smart card. Substituting b in this expression, \(Y = h({T_{d}^{l}}(ID_{i} \parallel Q) \parallel X \oplus h(ID_{i} \parallel PW_{i}) \parallel h(ID_{i} \parallel PW_{i}))\) where X is obtained from the smart card. Now adversary guesses a value PW, computes \( Y^{l} = h({T_{d}^{l}}(ID_{i} \parallel Q) \parallel X \oplus h(ID_{i} \parallel PW) \parallel h(ID_{i} \parallel PW)) \) and checks if Y^l = Y holds. If it holds, adversary has guessed the correct password. If not, he repeats the procedure with different values for PW until he guesses the correct value. So the scheme cannot provide protection against offline password guessing attack.

3. 3.

   Vulnerable to user impersonation attack

   Assume that an adversary has the values ID_i and PW_i of a legal user along with the stored smart card values {X, Y, h(.), v, Q}. He chooses a random number a^ll and computes \(T_{a}^{ll}(ID_{i} \parallel Q)\) from the stored value Q. He further computes \(K_{US}^{ll} = T_{a}^{ll} {T_{d}^{l}} (ID_{i} || Q)\), \(R^{ll} = h(ID_{i} \parallel T_{a}^{ll}(ID_{i} \parallel Q) \parallel {T_{d}^{l}}(ID_{i} \parallel Q))\) and \({v_{1}^{l}} = K_{US}^{ll} \oplus (ID_{i} \parallel R^{ll})\), sends the login request message \( \{T_{a}^{ll}(ID_{i} \parallel Q),\ v^{ll}\} \) to the server S. On receiving this message, server does the required computations including the session key, \(SK^{ll} = h(ID_{i} \parallel {T_{d}^{l}}(ID_{i} \parallel Q) \parallel T_{a}^{ll}(ID_{i} \parallel Q))\) and sends Z^ll to the user, where \(Z^{ll} = h(ID_{i} \parallel SK^{ll} \parallel {T_{d}^{l}}(ID_{i} \parallel Q))\). So, the adversary successfully impersonated as the legal user. Hence, their scheme cannot resist user impersonation attack.

4. 4.

   Inconvenient smart card revocation phase

   In this scheme, if a legal user wants to revoke a lost smart card, he/she must inform the medical server in person meaning revocation cannot take place online and the user has to be physically present causing inconvenience to the user and hence it can be concluded that smart card revocation is not very convenient from the point of view of the user.

5. 5.

   Insecure session key

   Assume that an adversary has eavesdropped the login message {T_a(ID_i ∥ Q), v} as well as the authentication message {Z} of a user and has stored the values from the smart card. As explained in 1), adversary can obtain the ID_i. Also he has the value of T_a(ID_i ∥ Q) from the login message and he has calculated d^l such that \({T_{d}^{l}}(ID_{i} \parallel Q) = T_{d}(ID_{i} \parallel Q)\). He can easily compute the session key as \(SK = h(ID_{i} \parallel {T_{d}^{l}}(ID_{i} \parallel Q) ||T_{a}(ID_{i} \parallel Q))\). Therefore, the session key is not secure in their scheme.

6. 6.

   Vulnerable to server impersonation attack

   As explained in 1), an adversary has user identity ID_i from the smart card and obtains the required password PW_i of the user U_i as explained in 2). Also, he has the value \({T_{d}^{l}}(ID_{i} \parallel Q) = T_{d}(ID_{i} \parallel Q)\) as explained above. Assume that the adversary obtains the user login request message {T_a(ID_i ∥ Q), v}. Using \({T_{d}^{l}}(ID_{i} \parallel Q)\), he computes \(SK = h(ID_{i} \parallel {T_{d}^{l}}(ID_{i} \parallel Q) \parallel T_{a}(ID_{i} \parallel Q))\), Z = h(ID_i ∥ SK ∥ T_d(ID_i ∥ Q)) and sends the {Z} to the user U_i. On receiving {Z}, U_i computes SK_l = h(ID_i ∥ T_d(ID_i ∥ Q) ∥ T_a(ID_i ∥ Q)) and the condition h(ID_i ∥ SK^l ∥ T_d(ID_i ∥ Q)) = Z holds since \({T_{d}^{l}}(ID_{i} \parallel Q) = T_{d}(ID_{i} \parallel Q)\). User authenticates him as the authentic server and communicates with him proving that the adversary has successfully impersonated the server.

7. 7.

   Vulnerable to man-in-the-middle attack

   As explained in 3) and 6), an adversary can impersonate a legal user, U_i and can masquerade a server S_i. This can be a done in the session wherein an adversary impersonates the legal user, U_i and server S. In other words, he can easily perform man-in-the-middle attack and their scheme cannot resist this attack.

6 The proposed scheme

In this section, the proposed scheme is explained in detail. Assuring secure communication between user and server being the primary concern, chaotic maps have been used in the proposed scheme.

1. A.

   Registration Phase

   To access services from a trusted medical server, new user U_i has to register himself/ herself initially. This phase is shown in Fig. 1. The steps in this phase are as follows.

   1. R1.

      User U_i chooses a username ID_i, a password PW_i and a secret number b. Then he computes the masked password A_i = b ⊕ h(ID_i ∥ PW_i) and sends the registration message {ID_i, A_i} to the server S_j via a secure channel.

   2. R2.

      On receiving the registration request message {ID_i, A_i} from the user U_i, the server S_j validates the identity ID_i of U_i. If it is valid, the server S_j computes T_x(ID_i ∥ m_i), where x is the secret key of the server and m_i is a random number chosen by server for U_i(which is unique for every user). It then computes B_i = T_x(ID_i ∥ m_i) ⊕ h(A_i).

   3. R3.

      S_j then issues a smart card containing the information {h(.), B_i, m_i} to the user U_i via a secure channel.

   4. R4.

      After receiving the smart card securely from the server S_j, U_i computes T_x(ID_i ∥ m_i) = B_i ⊕ h(A_i), C_i = b ⊕ h(PW_i ∥ ID_i), D_i = h(T_x(ID_i||m_i)|| C_i||h(PW_i)) and stores C_i and D_i in the smart card. This completes the registration phase of a new user U_i and Fig. 1 represents this phase. The smart card now has the values {B_i, h(.), C_i, D_i, m_i} stored in it.

   Fig. 1

   

   Registration phase of the proposed scheme

2. B.

   Login Phase

   If a registered user wants to login to the TMIS server S_j, the following steps will be executed:

   1. L1.

      U_i inserts his/her smart card into the card reader of a terminal, inputs his/her identity ID_i and password PW_i. The smart card of U_i computes b^l = C_i ⊕ h(PW_i ∥ ID_i) and \({A_{i}^{l}} = b^{l} \oplus h(ID_{i} \parallel PW_{i})\).

   2. L2.

      Using \({A_{i}^{l}}\), the smart card obtains \(T_{x}(ID_{i} \parallel m_{i})^{l} = h({A_{i}^{l}}) \oplus B_{i}\) and computes \({D_{i}^{l}} = h(T_{x}(ID_{i} || m_{i} )^l || C_{i} || h(PW_{i} )) \). Then it checks if \({D_{i}^{l}} = D_{i}\) holds or not. If it does not hold, the session is aborted. Else step L3 is executed.

   3. L3.

      The smart card computes generates a random number y and computes E_i = h(D_i) ⊕ T_y(ID_i ∥ m_i), CID_i = h(ID_i) ⊕ T_y(T_x(ID_i ∥ m_i)) and F_i = h(E_i ∥ T_y(ID_i ∥ m_i) ∥ h(ID_i)). Finally the smart card of U_i sends the login request message {CID_i, D_i, E_i, F_i} to S_j through a public channel.

3. C.

   Authentication Phase

   On receiving the login request message {CID_i, D_i, E_i, F_i} from U_i, server S_j performs the following steps to authenticate the user U_i:

   1. A1.

      S_j obtains T_y(ID_i ∥ m_i) = h(D_i) ⊕ E_i and computes h(ID_i) = CID_i ⊕ T_x(T_y(ID_i ∥ m_i)). Then it computes h(E_i ∥ T_y(ID_i ∥ m_i) ∥ h(ID_i)) and checks if it is equal to F_i received in the login message. If equal, S_j authenticates U_i and executes step A2; otherwise this session is terminated.

   2. A2.

      S_j generates a random number z and computes the session key, SK = h(h(ID_i)||T_z(T_y(ID_i||m_i))||T_y(ID_i||m_i)) and H_i = h(T_z(ID_i ∥ m_i) ∥ SK ∥ h(ID_i)). Then it sends the authentication message {T_z(ID_i ∥ m_i), H_i} to U_i through a public channel.

   3. A3.

      On receiving {T_z(ID_i ∥ m_i), H_i} from S_j, U_i computes SK^l = h(h(ID_i)||T_z(T_y (ID_i||m_i))||T_y(ID_i||m_i)) and \({H_{i}^{l}} = h(T_{z}(ID_{i} || m_{i} )) \parallel SK^{l} \parallel h(ID_{i}))\). Then it verifies if the condition \({H_{i}^{l}} = H_{i}\) holds or not. If it holds, U_i authenticates S_j. Else, U_i aborts the session. After mutual authentication, U_i and S_j agree on the shared session key, SK = h(h(ID_i)||T_z(T_y(ID_i||m_i))||T_y(ID_i||m_i)) to communicate with each other and this completes the authentication phase.

   Figure 2 demonstrates the login as well as authentication phases of the proposed scheme.

   Fig. 2

   

   Login and authentication phases of the proposed scheme

4. D.

   Password Change Phase

   Suppose a user wants to change or update his/her password, the following steps will be performed:

   1. P1.

      U_i inserts his/her smart card into the card reader of a terminal, inputs his/her identity ID_i and password PW_i. The smart card of U_i computes b^l = C_i ⊕ h(PW_i ∥ ID_i) and \({A_{i}^{l}} = b^{l} \oplus h(ID_{i} \parallel PW_{i})\). Using \({A_{i}^{l}}\), the smart card obtains \(T_{x}(ID_{i} \parallel m_{i})^{l} = h({A_{i}^{l}}) \oplus B_{i}\) and computes \({D_{i}^{l}} = h(T_{x}(ID_{i} || m_{i} )^{l} || C_{i} || h(PW_{i} ))\). Then it checks if \({D_{i}^{l}} = D_{i}\) holds or not. If it does not hold, the session is aborted and user cannot change password. Else, the server requests for a new password from the user.

   2. P2.

      User U_i enters the new password \(PW_{i}^{new}\). The smart card computes \(A_{i}^{new} = b \oplus h(ID_{i} \parallel PW_{i}^{new})\), \(B_{i}^{new} = h(A_{i}^{new}) \oplus T_{x}(ID_{i} \parallel m_{i})\), \(C_{i}^{new} = b \oplus h(PW_{i}^{new} \parallel ID_{i})\) and \(D_{i}^{new} = h(T_{x}(ID_{i} || m_{i} ) ^l || C_{i}^{new} || h(PW_{i}^{new}))\). It then replaces the values B_i, C_i and D_i with \(B_{i}^{new}\), \(C_{i}^{new}\) and \(D_{i}^{new}\) respectively.

      This completes the password change phase.

5. E.

   Smart Card Revocation Phase

   If a user loses his/her smart card, he/she can send an online request to the server entering the identity ID_i. After checking if that ID_i is valid, the user has to answer the security questions. On successful verification of the legality of the user, the server deactivates the old smart card concerned with that ID_i and requests the user to enter a new masked password \(A_{i}^{new}\). Using \(A_{i}^{new}\) and ID_i, the server does the required computations as in registration phase and issues a new smart card to the user with the newly computed values. On receiving the new smart card, the user computes C_i and D_i and stores them in the smart card.

7 Security analysis

Security analysis of the proposed scheme has been discussed in this section. It is shown that the proposed scheme overcomes all the security weaknesses pointed out in Li et al.’s scheme.

1. 1.

   User anonymity is preserved

   The identity ID_i of user is not stored in smart card and in login phase, identity is sent as dynamic identity CID_i, which changes during every session. Suppose an adversary eavesdrops the login and/or authentication messages, {CID_i, D_i, E_i, F_i} and/or {T_z(ID_i ∥ m_i), H_i} respectively of the user U_i, revealing ID_i is impossible due to CMDLP explained in 2) of Section 3. It is computationally infeasible to obtain value of ID_i without knowledge of x and y in T_yT_x(ID_i ∥ m_i). Hence, the user anonymity is preserved in the proposed scheme.

2. 2.

   Security against password guessing attack

   In the proposed scheme, the password PW_i of a user U_i is covered with his/her own secret value b and identity ID_i. Now suppose an adversary gets to know ID_i, it is not possible to guess PW_i without the knowledge of b, which is a secret number known only to the user U_i. Suppose the adversary obtains the values {A_i, h(.), B_i, C_i, D_i} from the smart card of the user U_i, even then the scheme forbids password guessing because the password PW_i is protected with secret key, x of the server as well as ID_i and b in D_i = h(T_x(ID_i||m_i)||C_i||h(PW_i)) and A_i = b ⊕ h(ID_i ∥ PW_i). Therefore, the proposed scheme resists offline password guessing attack.

3. 3.

   Security against user impersonation attack

   Since random numbers are generated during every session, impersonation attack is not possible. If an adversary has all the smart card values {h(.), C_i, D_i, B_i, m_i} and previously intercepted login message {CID_i, D_i, E_i, F_i}, it is not possible to generate a valid login message in the next session since a nonce, y have been used in the proposed scheme. Guessing these values and forming a valid login message is practically impossible. So, protection against impersonation attack is provided in the proposed scheme.

4. 4.

   Efficient smart card revocation

   Unlike Li et al.’s scheme, the user need not go in person to revoke a lost smart card. He/she has to send an online request and verify his/her identity after which a new smart card will be issued. It has to be noted that in the proposed scheme, server deactivates the old smart card on verification of the legality of the user of the lost smart card so that even if adversary comes in possession with that card, he/she cannot misuse the card. So, smart card revocation is efficient in the proposed scheme.

5. 5.

   Secure session key

   In the proposed scheme, the session key SK computed in steps A2 and A3 contains two random numbers y and z combined with Chebyshev chaotic map. If the adversary gets to know these numbers during any session, even then session key cannot be compromised because these random numbers vary during each session with which the session key keeps changing. Along with the knowledge of y and y, an adversary needs to have the correct ID_i to obtain the session key of the user U_i. Also if the adversary gets to know a previous session key, still it will not help him in computing the next session key due to its format, SK = h(h(ID_i)||T_z(T_y(ID_i||m_i))||T_y(ID_i||m_i)). So, the session key is well protected in the proposed scheme.

6. 6.

   Security against server impersonation attack

   Random numbers are generated to compute the chaotic values used in the proposed scheme because of which server impersonation is not possible. If an adversary has all the smart card values {h(.), C_i, D_i, B_i, m_i} and previously intercepted login message {CID_i, D_i, E_i, F_i}, it is not possible to generate a valid authentication message in the next session since a nonce, z have been used in the proposed scheme. Guessing these values and forming a valid authentication message is impossible. So, protection against server impersonation attack is provided in the proposed scheme.

7. 7.

   Resists man-in-the-middle attack

   It is explained in 3) that the proposed scheme overcomes user impersonation attack. Also, it can withstand server impersonation attack which is justified in 6). In other words, it is not possible for an adversary to impersonate a legal user as well as the server in the same session. This proves that the proposed scheme resists man-in-the-middle attack.

8 Security analysis using ban logic

BAN logic [6] is an analysis model for authentication models. It is used to verify whether the protocol proves the presence of each party to the other and also helps bring to light the various security problems. For verification, the following notations and constructs are used:

1. 1.

   P believes X (P∣ ≡ X) : Principal P acts as though X is true.

2. 2.

   P sees X (P ⊲ X) : Someone has sent a message containing X to P, who can read and repeat X.

3. 3.

   P said X (P∣ ∼ X) : Principal P at some time sent a message including the statement X.

4. 4.

   P controls X (P∣ ⇒ X) : P has jurisdiction over X meaning P is an authority on X and should be trusted on this matter.

5. 5.

   fresh(X) (#(X)) : Formula X is fresh meaning that X has not been sent in a message at any time before the current run of the protocol. This is usually true for nonces.

6. 6.

   \(P \stackrel {K} \leftrightarrow Q \): P and Q may use the shared key K to communicate. The key K will never be discovered by any principal except P or Q, or a principal trusted by either P or Q.

7. 7.

   \(\mid \xrightarrow {K} P \): P has K as a public key. The matching secret key K^− 1 will never be discovered by any principal except P or a principal trusted by P.

8. 8.

   \( P \stackrel {X} \leftrightharpoons Q \): Formula X is a secret known only to P and Q, and possibly to principals trusted by them. Only P and Q may use X to prove their identities.

9. 9.

   {X}_K : Formula X is encrypted under the key K.

10. 10.

    〈X〉_Y : Formula X is combined with the formula Y, it is intended that Y be a secret and that its presence proves the identity of whoever utters 〈X〉_Y.

The protocol analysis along with the above constructs uses the following logical postulates in proving the identity of the parties involved.

1. 1.

   The message-meaning rule concerns the interpretation of messages. They all explain how to derive beliefs about the origin of messages.

   For shared keys,

   $$\frac{P \ believes \ P \stackrel{K} \leftrightarrow Q, \ P\ sees\ \{X\}_{K} } {P \ believes \ Q \ said \ X} $$

   For public keys,

   $$\frac{P \ believes \ P \stackrel{K} \leftrightarrow Q,\ P\ sees\ \{X\}_{K^{-1}} } {P \ believes \ Q \ said \ X} $$

   For shared secrets,

   $$\frac{P \ believes \ P \stackrel{X} \leftrightharpoons Q,\ P\ sees\ \langle X \rangle_{Y} } {P \ believes \ Q \ said \ X} $$
2. 2.

   The nonce-verification rule expresses the check that a message is recent and hence, the sender still believes in it.

   $$\frac{P \ believes \ \# (X), \ P\ believes\ Q \ said \ X} {P \ believes \ Q \ believes \ X} $$
3. 3.

   The jurisdiction rule states that if P believes that Q has jurisdiction over X, then P trusts Q on the truth of X.

   $$\frac{P \ believes \ Q\ controls\ X, \ P\ believes\ Q \ believes \ X} {P \ believes \ X} $$
4. 4.

   If a principal sees a formula, then he also sees its components, provided he knows the necessary keys.

   $$\frac{P \ sees \ (X, Y)\ } {P \ sees \ X} $$
   $$\frac{P \ believes \ \langle X \rangle_{Y}\ } {P \ sees \ X} $$
   $$\frac{P \ believes \ P \stackrel{K} \leftrightarrow Q,\ P\ sees\ \langle X \rangle_{K} } {P \ sees \ X} $$
   $$\frac{P \ believes \ \mid \xrightarrow{K} P, \ P\ sees \ \langle X \rangle_{K}} {P \ believes \ sees\ X} $$
   $$\frac{P \ believes \ \mid \xrightarrow{K} P, \ P\ sees \ \langle X \rangle_{K^{-1}}} {P \ believes \ sees\ X} $$
5. 5.

   The freshness rule indicates that if one part of formula is fresh, then the entire formula is fresh.

   $$\frac{P \ believes \ \# (X)} {P \ believes \ \# (X, Y)} $$

Idealized protocol:

Here, s₂ = T_x(ID_i ∥ m_i)

\( U \rightarrow S : \langle ID \rangle _{U \stackrel {s_{2}} \leftrightarrow S}, \langle ID \rangle _{\{ U \ \stackrel {s_{2}} \leftrightarrow S\}_{y}} , (U \ \stackrel {SK} \leftrightarrow \ S, \{U \stackrel {s_{2}} \leftrightarrow S\}_{r_{2}} )_{U \stackrel {s_{2}} \leftrightarrow S} \)

\( S \rightarrow U : (U \ \stackrel {SK} \leftrightarrow \ S, \ \{U \stackrel {s_{2}} \leftrightarrow S\}_{y} )_{U \underleftrightarrow {s_{2}}S } , \langle ID \rangle _{\{U \stackrel {s_{2}} \leftrightarrow S\}_{z}} \)

According to the logical postulates, the proposed scheme should satisfy the following goals:

1. G1.

   \( U \mid \equiv S \mid \equiv U \ \stackrel {SK} \leftrightarrow \ S \)

2. G2.

   \( S \mid \equiv U \mid \equiv U \ \stackrel {SK} \leftrightarrow \ S \)

The following assumptions are made to achieve the desired goals:

1. A1.

   \( S \mid \equiv U \mid \Rightarrow U \ \stackrel {SK} \leftrightarrow \ S \)

2. A2.

   \( U \mid \equiv S \mid \Rightarrow U \ \stackrel {SK} \leftrightarrow \ S \)

3. A3.

   U∣ ≡ #(y)

4. A4.

   S∣ ≡ #(z)

5. A5.

   \( U \mid \equiv U \stackrel {s_{2}} \leftrightarrow S \)

6. A6.

   \( S \mid \equiv U \stackrel {s_{2}} \leftrightarrow S \)

Analysis:

1. P1.

   Since \( U \triangleleft (U \ \stackrel {SK} \leftrightarrow \ S, \ \{U \stackrel {s_{2}} \leftrightarrow S\}_{y} )_{U \underleftrightarrow {s_{2}}S }\), applying message-meaning rule using A5, we obtain \( (U \ \stackrel {SK} \leftrightarrow \ S, \ \{U \stackrel {s_{2}} \leftrightarrow S\}_{y} ) \).

2. P2.

   From A3 and P1, application of nonce-verification rule yields \( (U \ \stackrel {SK} \leftrightarrow \ S, \ \{U \stackrel {s_{2}} \leftrightarrow S\}_{y} ) \).

3. P3.

   From P2 and A5, we can break the conjunction to obtain \( U \mid \equiv S \mid \equiv U \ \stackrel {SK} \leftrightarrow \ S \) (G1 is achieved).

4. P4.

   Since \( S \triangleleft (U \ \stackrel {SK} \leftrightarrow \ S, \{U \stackrel {s_{2}} \leftrightarrow S\}_{z} )_{U \stackrel {s_{2}} \leftrightarrow S} \), using A6 and applying message-meaning rule, we obtain \( S \mid \equiv U \mid \sim (U \ \stackrel {SK} \leftrightarrow \ S, \{U \stackrel {s_{2}} \leftrightarrow S\}_{z} ) \).

5. P5.

   From A4 and P4, using nonce-verification rule, we obtain \( S \mid \equiv U \mid \equiv (U \ \stackrel {SK} \leftrightarrow \ S, \{U \stackrel {s_{2}} \leftrightarrow S\}_{z})\).

6. P6.

   Using P5 and A6, we obtain \( S \mid \equiv U \mid \equiv U \ \stackrel {SK} \leftrightarrow S \) (G2 is achieved).

   From G1 and G2, it can be observed that both the user U_i and server S_j believe that the session key SK = h(T_z(T_y(ID_i ∥ m_i)) ∥ h(ID_i ∥ T_y(ID_i ∥ m_i)) is shared between them.

9 Performance and computational cost comparison

In this section, a detailed comparison of the proposed scheme with Li et al.’s scheme and other schemes [1, 11, 22, 29] has been made in terms of computational cost, execution time and performance. Table 2 shows the computational cost comparison in which, T_h denotes the time required for executing one-way hash operation, T_e for executing exponentiation and T_ch for executing T_n(x)(modp) in Chebyshev chaotic map. Concatenation and XOR operations are ignored since their execution time is very less compared to hash functions and chaotic maps. Table 3 compares the execution time of different schemes whereas comparison of performance of the proposed scheme with other schemes is presented in Table 4.

Table 2 Computational cost comparison

Table 3 Execution time comparison

Table 4 Performance comparison

From Table 2, it can be observed that the proposed scheme requires five hash operations more than that of Li et al.’s scheme but the number of chaotic operations is same. But when compared to [11], the proposed scheme uses one hash operation less. From Table 4, it can be clearly seen that even with less hash operations, the proposed scheme is able to provide more security than [11]. In comparison with [1] also, the proposed scheme uses less hash functions. Furthermore, it has to be noted that [1] uses RSA algorithm which increases the time complexity whereas the proposed scheme does not use RSA algorithm and only use of hash operations and chaotic maps.

Table 3 presents the execution time for the aforementioned authentication schemes. The results in this table are computed based on an experiment conducted on Intel Pentium4 2600MHz processor with 1024 MB RAM in [18]. According to this study, the execution time for various operations are T_h = 0.0005s, T_e = 0.063075s and T_ch = 0.02102s. From Table 3, it is clear that the proposed scheme requires 0.002s more than [22]. But this extra time can be justified from Table 4 by noting that the proposed scheme is able to overcome seven security attacks thereby providing more security than [22]. The scheme in [29] requires 0.011s for execution but at the same time, the scheme is not user friendly since there is no option for smart card revocation. The execution time for the scheme in [1] is 0.13615s which is more than the execution time of the proposed scheme. In addition to this, their scheme does not withstand all the security attacks. Also from Table 4, it is clear that [1] cannot resist user impersonation, replay attack etc. From this, the schemes using less hash operations are not able to overcome all the attacks but the proposed scheme overcomes all the possible security attacks. To achieve these properties, it is worth the additional operations. So, the proposed scheme is robust and more secure when compared to Li et al.’s and the other schemes.

10 Conclusion

Li et al. proposed a secure dynamic identity and chaotic maps based user authentication and key agreement scheme for ehealthcare systems in 2016. Their scheme has been thoroughly cryptanalyzed and several security weaknesses have been pointed out. This paper clearly explains the identified weaknesses which are user impersonation attack, password guessing attack, server impersonation attack, no user anonymity, insecure session key, man-in-the-middle attack and inconvenient smart card revocation. To overcome the mentioned weaknesses, a robust scheme has been proposed using Chebyshev polynomial. The proposed scheme overcomes all the mentioned security weaknesses and is more suitable in terms of security as well as practical implementation.