1 Introduction

Mobile devices such as cell phones, personal digital assistants and smartphones have become increasingly popular due to their portability (Stojmenović 2002). People use these devices to accomplish remote operations anytime and anywhere (Yoon et al. 2012). In distributed healthcare applications, these devices are now able to collect individual health-related data and report them to healthcare professionals located anywhere. These data allow for distributed care, enabling remote diagnoses, alerting doctors to an emergency or to changing conditions as they occur, and providing the total picture of the patient’s health so that the necessary care can be administered. When a patient’s health deteriorates unexpectedly, he/she may be unable to authenticate using something he/she knows, such as a password. In such a critical situation, the authentication process should be carried out automatically, without the patient’s intervention. A biometric-based authentication scheme responds well to this important requirement.

Biometrics (Ross et al. 2008; Doshi and Nirgude 2015) is the study of measuring physiological or behavioral characteristics of a person to verify or recognize his or her identity. These characteristics include features like fingerprints, face, hand geometry, voice and iris (Jain et al. 2004; Sonkamble et al. 2010; Jayaram and Fleyeh 2013). Every person possesses biometric features, which are unique and whose properties remain stable during one’s lifetime (Moolla et al. 2012; Al-Ani 2014; Doshi and Nirgude 2015; Sabah et al. 2015). In classical biometric-based authentication methods, the identification of a user is performed through a specific analytical comparison between the presented biometric data and the previously stored one (Tong et al. 2007). In mobile environments, this process introduces hard constraints on computation, storage and communication, respectively, when analyzing, saving and transmitting this type of complex data. An extensive analysis of the literature shows that various biometric-based remote patient authentication schemes have been proposed. However, the previously proposed schemes are considerably complex, present performance limits and do not provide a sufficient security level against attacks. In this paper, we address these limits and propose a secure and lightweight remote authentication scheme for mobile healthcare environments. The proposed scheme is based on Elliptic Curve Cryptography (ECC) (Miller 1986; Koblitz 1987), in which a correspondence is established between the biometric template of a patient and his/her cryptographic keys. After extracting the patient’s biometric template, the key pair is computationally derived from that template. The key pair is used to produce a Diffie–Hellman-based session key (Diffie and Hellman 1976) with the remote server for mutual authentication. Through the security analysis and simulations, we conduct an overall comparison with concurrent schemes, in which the proposed scheme demonstrates promising results.

The contributions of this work are fivefold: (1) the proposed scheme translates the patient’s biometric data into an ECC-based key pair and does not require saving or communicating the patient’s biometric template; (2) it transforms the biometric inputs before their use, so that the transformed template is revocable, non-invertible and reliable, and respects the patient’s privacy; (3) it performs in four rounds of communication in both phases, registration and authentication; (4) it provides effective robustness against replay, impersonation, server spoofing, anonymity, insider, man-in-the-middle, physical, parallel session, reflection and denial of service attacks; and (5) it operates with a lightweight load of storage, communication and computation.

The remainder of this paper is organized as follows. In Sect. 2, we review the related work. In Sect. 3, we present the detailed description of the proposed scheme. In Sect. 4, we analyze its security against malicious attacks. In Sect. 5, we provide the simulation results with a comparison to the literature. Finally, we conclude this paper in Sect. 6.

2 Related work

Several biometric-based remote user authentication schemes have been proposed. The authors of Mastali and Agbinya (2010), Peralta et al. (2015) and Limbasiya and Doshi (2017) summarize a representative part of them. In this section, we review some relevant and recent schemes from the literature.

In Khan et al. (2008), the authors have proposed a chaotic hash-based biometric remote user authentication scheme using mobile devices. The solution is a two-factor authentication scheme using passwords and fingerprints. The aim of this scheme is to allow commercial companies to give mobile users secure remote access to their resources, such as e-banking, e-commerce, e-health, etc. Once a user needs to access a commercial company service, he must first run the authentication system on his own mobile device to access the desired service.

In Chen et al. (2012), the authors have demonstrated that the scheme of Khan et al. (2008) is vulnerable to the impersonation attack by using information leaked from the mobile device. Besides, the intruder can analyze this information and forge secret parameters from it. To remedy these drawbacks, Chen et al. have proposed an improved scheme, which combines a fingerprint biometric and passwords. In order to improve the security of the scheme, they have used hash functions instead of chaotic functions. The authors have claimed that their scheme is more secure and efficient while having a low computation requirement.

In Truong et al. (2012), the authors have demonstrated that the scheme of Chen et al. (2012) fails against replay, server spoofing and user spoofing attacks and lacks user anonymity, and they have proposed enhancements. These consist in mitigating and isolating the risk of theft of the user’s identity, which an intruder could use to re-register with the service provider and thereby obtain a secret key to impersonate either the legitimate user or the server. The authors have claimed that their scheme provides greater security and is practical for wireless communication systems.

In Khan et al. (2014), the authors have shown that the scheme of Truong et al. (2012) is vulnerable to further attacks, such as password guessing and user and server impersonation attacks, by using the information extracted from the user’s mobile device and the intercepted login request. They have proposed an improved scheme, which not only overcomes these attacks but also inherits the original merits of the two previous schemes (Khan et al. 2008; Chen et al. 2012). However, the solution presents performance limits regarding the storage, computation and communication overhead. On top of that, the solution is unable to achieve user anonymity and remains vulnerable to user impersonation and desynchronization attacks (Wu et al. 2015).

In Mishra et al. (2014), the authors have proposed a biometric-based authenticated key agreement scheme using smart cards. The solution is an improvement of Chuang and Chen (2014), which was elaborated for expert systems to achieve user anonymity in multi-server environments. The authors have claimed that their improved scheme eradicates the loopholes originating from the basic scheme. However, Wang et al. (2016) later stated that the scheme of Mishra et al. (2014) is susceptible to several malicious attacks, such as replay, user and server masquerade and denial of service attacks, and provides neither user anonymity nor perfect forward secrecy. To strengthen the security aspect, Lu et al. (2015) have introduced a more secure three-factor authentication scheme to overcome the drawbacks of the scheme of Mishra et al. (2014). The authors have focused on the scheme’s security while addressing the issue of the password change phase.

In Reddy et al. (2016), the authors have pointed out that the scheme of Lu et al. (2015) suffers from several weaknesses, including a clock synchronization problem, man-in-the-middle attack, impersonation attack and attack against anonymity, and that it does not provide perfect forward secrecy. The conventional authentication schemes based upon passwords and smart cards are not appropriate for the distributed multi-server network environment, due to the difficulty of remembering the access password of each service provider. For that reason, He and Wang (2015) have proposed an authentication scheme based on biometric inputs using ECC to overcome the aforementioned shortcoming. Although the solution is the first truly three-factor authenticated scheme, the integration of the registration center imposes high computation requirements (Reddy et al. 2017). Additionally, Odelu et al. (2015) have pointed out that the scheme of He and Wang (2015) suffers from security weaknesses, including attacks against user anonymity, impersonation, and known session-specific temporary information attacks.

In Lu et al. (2016), the authors have proposed another three-factor authentication scheme for the Session Initiation Protocol (SIP), which is widely used in multimedia services. Lu et al.’s scheme improves Zhang et al. (2014). However, Kumari et al. (2017) have shown that the scheme of Lu et al. (2016) cannot withstand the impersonation attack, does not provide user anonymity, and fails to achieve mutual authentication between the communicating parties.

In Jung et al. (2017), the authors have proposed an anonymous user authentication scheme with session key agreement for the integrated Electronic Patient Records (EPR) information system. The solution is an extension of a three-factor user authentication scheme, proposed to remedy the flaws of the scheme of Li et al. (2015) in order to protect the user information. However, the solution is vulnerable to denial of service and impersonation attacks, and fails to preserve user anonymity.

3 The proposed scheme

In this section, we give the overview and assumptions followed by the detailed description of the proposed scheme.

3.1 System model

There are three parties involved in the proposed scheme: the remote server S, the patient \(P_i\) and his/her own mobile device. The latter could be a personal digital assistant or a smartphone, which acts as a sink and collects the patient’s medical information. The supervision process could be realized through a wireless body area network (Bradai et al. 2011; Aqsa et al. 2015), where sensors are deployed on or around the patient’s body. The mobile device communicates the patient’s data to the remote server via the Internet. The remote server keeps the electronic medical data of the registered patients. These data are shared among authorized users, such as the healthcare staff, researchers, government agencies and/or insurance companies (Li et al. 2010; Elgazzar et al. 2012; Chatterjee et al. 2013). The remote server is a trusted party, which is responsible for initializing the system, publishing the system parameters and issuing the authentication credentials of the system’s patients.

We do not focus on a particular biometric feature. Furthermore, we assume that each patient is equipped with a biometric data reader specific to the targeted type of application. The proposed scheme is executed in three phases: (1) the system initialization, (2) the patient registration, and (3) the mutual authentication with session key agreement. The overall framework of the proposed scheme is illustrated in Fig. 1. Table 1 summarizes the main notations used, and the following subsections describe the operations of each phase.

Fig. 1 Overall operations of the proposed scheme

Table 1 Main notations

3.2 System initialization phase

In this phase, two distinct operations are involved, namely the cancellable biometric template extraction and the system parameter generation.

3.2.1 Cancellable biometric template extraction

The generation of a cryptographic key from biometric inputs has emerged as one of the most effective processes for overcoming the security weaknesses of classical methods based on passwords, tokens, etc. However, biometric data cannot be used directly in cryptographic operations because (Boyen et al. 2005; Bo et al. 2009):

  1. The biometric data are not uniformly distributed.

  2. Two different biometric impressions of the same person are rarely identical; hence, this type of data is not accurately reproducible.

Furthermore, a biometric feature is usually non-cancellable: in case of theft or forgery, it cannot be changed, unlike a Personal Identification Number (PIN code) or a password (Belguechi et al. 2011; Barman et al. 2015). In this study, we address these limitations by computing the patient’s key pair from his/her cancellable biometric template.

In order to obtain the cancellable biometric template, the patient imprints his/her biometric data \(B_{i}\) using the mobile device, which extracts the minutiae points as features. The extraction of these features involves four major steps (Lalithamani and Soman 2009; Andalib and Abdulla-Al-Shami 2013): (1) normalization; (2) orientation and frequency estimation; (3) phase estimation; and (4) minutiae point detection. Several embedded biometric recognition devices retrieve the minutiae points from the acquired fingerprint image (e.g., Lumidigm M301 web (Bayometric 2017a), Suprema BioMini web (Bayometric 2017b), Verifi P5100 web (Neuro Technology 2017), etc.).

The acquired biometric data are subject to significant variations. Thus, minutiae points can disappear from one extraction to another. According to the literature, a good-quality biometric reader usually yields between 40 and 100 minutiae points (Hong et al. 1998). Nevertheless, this number drops to between 20 and 30 minutiae (Zaeri 2011) when they are collected from a latent or partial template. The set of minutiae points of the acquired patient \(P_i\)’s biometric data \(B_i\) is denoted by \(M_i\) such that

$$\begin{aligned} M_i=\big \{m_k=(x_k, y_k, \theta _k)\big \}_{1\le k \le u}, \end{aligned}$$
(1)

where u is the total number of minutiae points extracted from the patient’s biometric template, \((x_k, y_k)\) are the Cartesian coordinates of the point \(m_k\), and \(\theta _k\) is the orientation of the point \(m_k\). The distance between any pair of minutiae points \(m_k\) and \(m_l\), with coordinates \((x_k, y_k)\) and \((x_l, y_l)\), respectively, is the Euclidean distance.

To generate the cancellable biometric template from the acquired minutiae points, we first compute the distance between each pair of minutiae points. Then, the obtained values are structured and sorted in a matrix, denoted by \(A_i\), such that

$$\begin{aligned} A_i= \begin{pmatrix} d_{11} &{} d_{12} &{} d_{13} &{} \cdots &{} d_{1u} \\ d_{21} &{} d_{22} &{} d_{23} &{} \cdots &{} d_{2u} \\ \vdots &{} \vdots &{} \vdots &{} &{} \vdots \\ d_{u1} &{} d_{u2} &{} d_{u3} &{} \cdots &{} d_{uu} \end{pmatrix}. \end{aligned}$$
(2)

Note that \(\forall (k,l) \in \{1, \dots, u \}^2, d_{kl} = d_{lk}\), where the \(d_{kl}\) are the coefficients of \(A_i\). We consider either the upper or the lower triangular part of \(A_i\). For instance, in the case of the upper part, the patient \(P_i\)’s cancellable biometric template \(\gamma _i\) is computed such that

$$\begin{aligned} \gamma _i= \sqrt{\sum _{k \le l} d_{kl}}, \quad d_{kl}\in A_i. \end{aligned}$$
(3)

To protect the extracted minutiae points \(M_i=\big \{m_k\big \}\), the set is completed by a set of chaff points \(C_i=\big \{c_l\big \}\) with \(c_l\ne m_k\) for all k and l. The aim of the shuffling is to defeat any attempt to distinguish genuine points from chaff points. \(C_i\) is kept secret on the mobile device, where it is used to recover the genuine minutiae from \(M_i \cup C_i\). Fig. 2 illustrates an example of shuffling for a fingerprint template.
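The template computation of Eqs. (1)–(3) together with the chaff-point shuffling, as an added example that is not part of the paper. The minutiae set, the chaff count and the coordinate bounds are constructed here; the sorting of \(A_i\) mentioned above does not change the sum in Eq. (3) and is therefore omitted.

```python
import math
import random

def distance_matrix(minutiae):
    """Eq. (2): A_i[k][l] is the Euclidean distance between m_k and m_l.
    The orientation theta of each minutia is carried along but not used."""
    return [[math.hypot(xk - xl, yk - yl) for (xl, yl, _) in minutiae]
            for (xk, yk, _) in minutiae]

def cancellable_template(minutiae):
    """Eq. (3): gamma_i = sqrt(sum of d_kl over the upper triangle, k <= l).
    The diagonal d_kk is zero, so including it changes nothing."""
    a = distance_matrix(minutiae)
    u = len(minutiae)
    return math.sqrt(sum(a[k][l] for k in range(u) for l in range(k, u)))

def add_chaff(minutiae, count, rng, bounds=(0, 255)):
    """Hide M_i among 'count' chaff points C_i drawn at random and disjoint
    from M_i (constructed here; the paper does not fix how C_i is chosen).
    Returns the shuffled union M_i ∪ C_i and the secret set C_i."""
    genuine = set(minutiae)
    chaff = set()
    while len(chaff) < count:
        c = (rng.randint(*bounds), rng.randint(*bounds), rng.randint(0, 359))
        if c not in genuine:          # c_l != m_k for all k, l
            chaff.add(c)
    mixed = list(genuine | chaff)
    rng.shuffle(mixed)
    return mixed, chaff

def recover_genuine(mixed, chaff):
    """With C_i kept on the device, the genuine minutiae are (M_i ∪ C_i) \\ C_i."""
    return [m for m in mixed if m not in chaff]

# Constructed minutiae (x, y, theta): three collinear points 3 and 5 apart,
# so the pairwise distances 3, 8 and 5 sum to 16 and gamma_i = 4.0 exactly.
SAMPLE = [(0, 0, 90), (3, 0, 45), (8, 0, 120)]

def demo(seed=1):
    """Shuffle SAMPLE with 10 chaff points, recover it, and recompute gamma_i."""
    mixed, chaff = add_chaff(SAMPLE, 10, random.Random(seed))
    recovered = recover_genuine(mixed, chaff)
    return cancellable_template(SAMPLE), len(mixed), cancellable_template(recovered)

if __name__ == "__main__":
    print(demo())   # (4.0, 13, 4.0)
```

Two practical points follow from the code. \(\gamma _i\) is a real number, whereas Eq. (5) multiplies it into the base point G, so a deployment has to quantise it to an integer scalar (rounding is the assumption used in the later example); the paper does not state the quantisation rule. Second, every minutia lost between two captures changes the sum, which is why the similarity threshold \(\tau\) of Sect. 3.4 is applied to the recovered minutiae before \(\gamma _i\) is recomputed.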

Fig. 2 Shuffling of a fingerprint-based minutiae points set with chaff points insertion

3.2.2 System parameter generation

On the server side, S chooses an elliptic curve \(E_{q}(a, b)\) of order n, where n is a large number for security reasons. Then, it selects a base point G of order n over \(E_{q}(a, b)\), chooses its private key \(\widehat{K}_S\in [1, n-1]\), and computes the corresponding public key \(K_S=\langle Q_S, G\rangle\) such that

$$\begin{aligned} Q_S=\widehat{K}_S \cdot G. \end{aligned}$$
(4)

Afterwards, it chooses a secure one-way hash function \(H:\{0, 1\}^{*} \rightarrow Z^*_{p}\), where \(Z^*_{p}\) is a cyclic group of order \(p-1\). Finally, it keeps \(\widehat{K}_S\) secret and publishes \(\langle K_S, n, G, H \rangle\) as the system parameters.

On the patient side, the key pair is computationally derived from the biometric template. First, using the biometric reader, the mobile device extracts the patient \(P_i\)’s biometric template \(B_{i}\) and computes the corresponding cancellable biometric template \(\gamma _i\) from the genuine minutiae points (cf. Sect. 3.2.1). Then, the mobile device computes its private key \(\widehat{K}_i\) such that

$$\begin{aligned} \widehat{K}_i=H\big (\gamma _i \cdot G\big ). \end{aligned}$$
(5)

Finally, it computes its public key \(K_i=\langle Q_i,G\rangle\) such that

$$\begin{aligned} Q_i=\widehat{K}_i \cdot G. \end{aligned}$$
(6)

Note that it is hard to recover \(\widehat{K}_i\) from \(Q_i\) and G because of the Elliptic Curve Discrete Logarithm Problem (ECDLP).

3.3 Patient registration phase

This process is executed at the first interaction of a patient \(P_i\) with the remote server S. All the operations performed by the patient \(P_i\) are executed by his/her mobile device. First, using the biometric reader, the mobile device extracts the patient \(P_i\)’s biometric template \(B_{i}\) and computes his/her cancellable biometric template \(\gamma _i\). Then, it computes the matching index \(V_i\) such that

$$\begin{aligned} V_i=H\big (ID_{i}\Vert \widehat{K}_i\big ), \end{aligned}$$
(7)

and sends the registration request \(\langle V_i, ID_i, K_i \rangle _{K_S}\) to the remote server S, where \(ID_{i}\) represents the patient’s identity (the mobile device’s serial number is recommended). The parameter \(V_i\) binds the patient’s identity to his/her private key, which is itself linked to the biometric template. Upon receiving the request, the remote server S generates a random number \(r_S\in [1, n-1]\) and computes the patient’s authentication information \(AI_{i}\) such that

$$\begin{aligned} AI_{i}=H\big (ID_{i}\Vert r_{S}\cdot \widehat{K}_S\Vert T\big ) \oplus V_i, \end{aligned}$$
(8)

where T is the current timestamp of the remote server S. Finally, it stores \(\langle ID_{i}, AI_{i} \rangle\) locally and sends \(\langle ID_{i},V_i, AI_{i} \rangle _{K_i}\) to the patient’s mobile device.

3.4 Mutual authentication with session key agreement phase

The parameter \(B_i\) represents the patient \(P_i\)’s biometric template, from which the key pair was generated during the system initialization. Later, when a given user claims to be the patient \(P_i\), the mobile device extracts his/her biometric data, denoted by \(B'_i\), and checks its correspondence to the generated keys. To this end, the patient \(P_i\)’s mobile device extracts the minutiae set \(M'\) using the embedded biometric module and recovers the genuine minutiae points from \(M_i \cup C_i\). If the similarity between the sets \(M'\) and \(M_i\) falls below a predetermined threshold \(\tau\), the mobile device rejects the login request. Otherwise, the mobile device computes the patient’s cancellable biometric template \(\gamma _i\), from which it computes the key pair \(\langle \widehat{K}_i, K_i\rangle\). Then, it computes \(V'_{i}\) such that

$$\begin{aligned} V'_{i}=H\big (ID_{i}\Vert \widehat{K}_i\big ). \end{aligned}$$
(9)

If the matching index is invalid, i.e., \(V'_{i}\ne V_i\), the mobile device rejects the login request. This step authenticates the patient \(P_i\) to his/her own mobile device, restricting the use of the device to its rightful owner. If the patient \(P_i\) is authenticated, the mobile device selects a secret random number \(r_{i}\in [1, n-1]\) and computes

$$\begin{aligned} W_{i}=r_{i} \cdot Q_i, \end{aligned}$$
(10)
$$\begin{aligned} D_{i}=r_{i} \cdot \big (V_i+Q_S\big ), \end{aligned}$$
(11)
$$\begin{aligned} R_{i}=r_{i} \cdot G, \end{aligned}$$
(12)

and finally the secret authentication information by

$$\begin{aligned} SAI_{i}=AI_{i} \oplus V_i. \end{aligned}$$
(13)

The mobile device computes the session key \(\ell\) such that

$$\begin{aligned} \ell =\widehat{K}_i \cdot Q_S, \end{aligned}$$
(14)

and the patient \(P_i\)’s dynamic identity \(DI_{i}\) such that

$$\begin{aligned} DI_{i}=ID_{i} \oplus H\big (T_{i}\Vert r_{i} \cdot V_i \Vert \ell \big ), \end{aligned}$$
(15)

where \(T_{i}\) denotes the current timestamp of the mobile device. Finally, the mobile device sends \(\langle Q_i, DI_{i}, D_{i},T_{i}, R_{i}, \langle W_{i}, H\big (R_{i}\Vert SAI_{i}\Vert T_{i}\big )\rangle _\ell \rangle\) to the remote server S. Upon receiving the message, the remote server S extracts \(T_i\). Then, it checks the validity of the timestamp, i.e., \(T_{S}-T_{i}\le \Delta T\), where \(T_S\) and \(\Delta T\) denote, respectively, the current timestamp of the remote server and the expected valid time interval of the transmission delay. If \(T_{S}-T_{i}> \Delta T\), a replay attack is suspected and the remote server S rejects the login request. Otherwise, the remote server S computes on its side the session key such that

$$\begin{aligned} \ell =\widehat{K}_S \cdot Q_i. \end{aligned}$$
(16)

Note that the session key \(\ell\) is shared between the patient \(P_i\) and the remote server S, and both compute it without any prior interaction. On the patient side, the mobile device, holding the remote server S’s public key \(K_S=\langle Q_S, G\rangle\), has already computed

$$\begin{aligned} \ell =\widehat{K}_i \cdot Q_S=\widehat{K}_i \cdot \widehat{K}_S \cdot G=\widehat{K}_S \cdot \widehat{K}_i \cdot G=\widehat{K}_S \cdot Q_i, \end{aligned}$$
(17)

which is the same session key computed on the remote server side. Next, the remote server computes \(\langle r_{i} \cdot V_i \rangle\) such that

$$\begin{aligned} r_{i} \cdot V_i=D_{i}-\widehat{K}_S \cdot R_{i}. \end{aligned}$$
(18)

The remote server S can then check the patient’s identity by verifying the following equality:

$$\begin{aligned} ID_{i}=DI_{i}\oplus H\big (T_{i}\Vert r_{i} \cdot V_i \Vert \ell \big ). \end{aligned}$$
(19)

If the equality does not hold, it rejects the login request. Otherwise, it decrypts \(\langle W_{i}, H\big (R_{i}\Vert SAI_{i}\Vert T_{i}\big )\rangle _\ell\), computes \(H\big (R_{i}\Vert SAI_{i}\Vert T_{i}\big )\) on its side and compares the result with the decrypted value. If they match, the remote server S authenticates the patient \(P_i\); otherwise, the login request is rejected.

In order to be authenticated in turn, the remote server S selects a secret random number \(r_{S}\in [1, n-1]\), computes

$$\begin{aligned} W_{S}=r_{S} \cdot Q_S, \end{aligned}$$
(20)

and responds to the patient \(P_i\) with \(\langle W_{i}\oplus W_{S},T_{S}, \langle H\big (W_{S}\Vert SAI_{i}\Vert T_{S}\big ) \rangle _\ell \rangle\). Upon receiving the response, the mobile device checks the validity of the timestamp, i.e., \(T_i-T_S \le \Delta T\). If it does not hold, the mobile device rejects the response. Otherwise, it decrypts the message by computing

$$\begin{aligned} h=\langle H\big (W_{S}\Vert SAI_{i}\Vert T_{S}\big )\rangle _\ell , \end{aligned}$$
(21)

extracts \(W_{S}\) from \(\langle W_{i}\oplus W_{S} \rangle\), computes

$$\begin{aligned} h'=H\big (W_{S}\Vert SAI_{i}\Vert T_{S}\big ), \end{aligned}$$
(22)

and finally verifies if \(h=h'\). If it holds, the patient \(P_i\) authenticates the remote server S.
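An end-to-end run of Sects. 3.2.2 to 3.4 (key derivation, registration, and mutual authentication with session key agreement), including the timestamp check that the replay analysis of Sect. 4 relies on, as an added example; it is not the paper’s code. Its assumptions: secp256k1 stands in for \(E_{q}(a, b)\) and SHA-256 for H, since the paper names neither; \(\langle \cdot \rangle _\ell\) is realised as XOR with a SHA-256 keystream derived from \(\ell\), a toy and unauthenticated stand-in for the unspecified cipher; \(\gamma _i\) is taken as an already quantised integer; the sum \(V_i+Q_S\) in Eq. (11) is read as \(V_i\cdot G+Q_S\) so that Eq. (18) yields the point \(r_i\cdot V_i\cdot G\); the server also retains \(V_i\) from the registration request because it needs \(SAI_i\) at login; timestamps are plain integers, and the mobile side compares \(T_S\) with its own current clock.

```python
import hashlib
import secrets

# secp256k1 parameters (the paper leaves the curve unspecified; this is an assumption).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 5  # assumed ΔT: tolerated transmission delay in seconds

def on_curve(pt):
    return (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication k·pt."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def neg(pt): return (pt[0], -pt[1] % P)
def pb(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")  # point -> 64 bytes
def H(*parts): return hashlib.sha256(b"|".join(parts)).digest()           # H: {0,1}* -> 32 bytes
def Hs(*parts): return int.from_bytes(H(*parts), "big") % (N - 1) + 1     # H as a scalar in [1, n-1]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return secrets.randbelow(N - 1) + 1                    # r in [1, n-1]

def enc(key_pt, data):
    """Toy stand-in for ⟨·⟩_ℓ: XOR with a SHA-256 keystream derived from ℓ (enc == dec)."""
    key = H(pb(key_pt))
    return b"".join(xor(data[i:i + 32], H(key, i.to_bytes(4, "big"))) for i in range(0, len(data), 32))

def derive_keys(gamma):
    """Eq. (5)-(6): K̂_i = H(γ_i·G), Q_i = K̂_i·G, with γ_i already quantised to an integer."""
    k = Hs(pb(mul(gamma, G)))
    return k, mul(k, G)

def register(server_db, ks, id_i, v_i, t):
    """Eq. (8). The server keeps V_i as well, since SAI_i = AI_i ⊕ V_i is recomputed at login."""
    ai = xor(H(id_i, (rand_scalar() * ks % N).to_bytes(32, "big"), str(t).encode()), v_i)
    server_db[id_i] = (ai, v_i)
    return ai

def login(id_i, k_i, q_i, ai, v_i, q_s, t_i):
    """Eq. (10)-(15). V_i + Q_S in (11) is read as V_i·G + Q_S so that (18) cancels K̂_S·R_i."""
    r, v = rand_scalar(), int.from_bytes(v_i, "big") % N
    w, rr, ell = mul(r, q_i), mul(r, G), mul(k_i, q_s)                # (10), (12), (14)
    d = mul(r, add(mul(v, G), q_s))                                   # (11)
    sai, rv, t = xor(ai, v_i), mul(r * v % N, G), str(t_i).encode()  # (13), r_i·V_i as a point
    di = xor(id_i, H(t, pb(rv), pb(ell)))                             # (15)
    msg = (q_i, di, d, t_i, rr, enc(ell, pb(w) + H(pb(rr), sai, t)))
    return msg, (w, sai, ell)

def server_verify(server_db, ks, q_s, msg, t_s):
    """Eq. (16)-(20): returns (response, ℓ), or None when the login is rejected."""
    q_i, di, d, t_i, rr, body = msg
    if t_s - t_i > DELTA_T: return None                               # replay suspected
    ell = mul(ks, q_i)                                                # (16)
    rv = add(d, neg(mul(ks, rr)))                                     # (18)
    t = str(t_i).encode()
    id_i = xor(di, H(t, pb(rv), pb(ell)))                             # (19)
    if id_i not in server_db: return None
    ai, v_i = server_db[id_i]
    plain = enc(ell, body)
    w_b, h = plain[:64], plain[64:]
    if h != H(pb(rr), xor(ai, v_i), t): return None                   # H(R_i ‖ SAI_i ‖ T_i) mismatch
    w_s = mul(rand_scalar(), q_s)                                     # (20)
    resp = (xor(w_b, pb(w_s)), t_s, enc(ell, H(pb(w_s), xor(ai, v_i), str(t_s).encode())))
    return resp, ell

def client_verify(resp, state, t_now):
    """Eq. (21)-(22); freshness of T_S is checked against the device's current clock."""
    w, sai, ell = state
    wxor, t_s, body = resp
    if abs(t_now - t_s) > DELTA_T: return False
    w_s = xor(wxor, pb(w))                                            # W_S = (W_i ⊕ W_S) ⊕ W_i
    return enc(ell, body) == H(w_s, sai, str(t_s).encode())           # h == h'

def run_session(gamma=4, id_i=b"SN-CONSTRUCTED-0001".ljust(32, b"\0")):
    """Initialisation, registration and one login, plus a replayed copy of the login."""
    ks = rand_scalar(); q_s = mul(ks, G)                              # server key pair, Eq. (4)
    k_i, q_i = derive_keys(gamma)
    v_i = H(id_i, k_i.to_bytes(32, "big"))                            # (7)
    db = {}
    ai = register(db, ks, id_i, v_i, t=1_000)
    msg, state = login(id_i, k_i, q_i, ai, v_i, q_s, t_i=2_000)
    out = server_verify(db, ks, q_s, msg, t_s=2_002)
    replay = server_verify(db, ks, q_s, msg, t_s=2_002 + DELTA_T + 1)
    ok_client = out is not None and client_verify(out[0], state, t_now=2_003)
    return {"server_ok": out is not None, "client_ok": ok_client,
            "same_key": out is not None and out[1] == state[2], "replay_rejected": replay is None}

if __name__ == "__main__":
    print(run_session())
```

`run_session()` returns four booleans: `same_key` is Eq. (17) checked by comparing the two independently computed points, `server_ok` and `client_ok` are the two directions of the mutual authentication, and `replay_rejected` shows the same login message being refused once \(T_S-T_i\) exceeds \(\Delta T\). Note that the biometric data never leave the device: only \(Q_i\) and values derived from \(\widehat{K}_i\) appear on the wire.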

4 Security analysis

In this section, we analyze the security of the proposed scheme against well-known threats. It is robust against the following attacks:

  • Replay attack: an adversary may try to replay the messages exchanged between a patient \(P_i\) and the remote server S. Suppose that he/she has already intercepted a valid login request previously sent out by the patient \(P_i\). If he/she replays the login request, the remote server S detects the attack by verifying the timestamp \(T_{i}\) of the received request, which is rejected if \(T_{S}-T_{i}> \Delta T\). On the other hand, the adversary cannot succeed in replaying the remote server S’s response either: the patient \(P_i\) detects such an attack by verifying the inequality \(T_{i}-T_{S}> \Delta T\).

  • Impersonation attack: an adversary may try to impersonate a legitimate patient using the messages intercepted from previous sessions. Assume that the adversary has already intercepted a valid login request previously sent out by the patient \(P_i\) or by the remote server S. The adversary cannot succeed in impersonating the patient because he/she cannot create a forged login request for fresh timestamps without holding the private keys \(\widehat{K}_i\) and \(\widehat{K}_S\).

  • Server spoofing attack: an adversary may try to masquerade as the remote server to discover the patient’s long-term secret by intercepting \(\langle Q_i, DI_{i}, D_{i},T_{i}, R_{i}, \langle W_{i}, H\big (R_{i}\Vert SAI_{i}\Vert T_{i}\big )\rangle _\ell \rangle\) from a previous session. It is impossible for the adversary to figure out \(W_{i}\) or \(H\big (R_{i}\Vert SAI_{i}\Vert T_{i}\big )\) from the message without holding the session key \(\ell\). Moreover, it is not possible to forge a valid response \(\langle W_{i}\oplus W_{S},T_{S}, \langle H\big (W_{S}\Vert SAI_{i}\Vert T_{S}\big ) \rangle _\ell \rangle\) without holding the private keys \(\widehat{K}_i\) and \(\widehat{K}_S\), and he/she cannot compute \(\langle r_{i}\cdot V_i \rangle\) or \(W_{S}\) from \(D_{i}\) and \(\langle W_{i}\oplus W_{S} \rangle\).

  • Attack against anonymity: from the login request, an adversary has no way to guess or to compute the patient’s original identity \(ID_i\) from its dynamic identity \(DI_i\) without holding the session key \(\ell\). Also, the biometric template is used only when generating the key pair. Hence, the proposed scheme preserves the patient’s anonymity.

  • Insider attack: from the registration request \(\langle V_i, ID_i, K_i \rangle _{K_S}\) sent out by the patient to the remote server, a privileged insider cannot obtain any secret information without holding the server’s private key \(\widehat{K}_S\). Moreover, the proposed scheme does not require any password. Hence, the privileged insider cannot impersonate any legitimate patient.

  • Man-in-the-middle attack: the first authentication step is accomplished directly between the patient and his/her mobile device, without any intermediate entity. Therefore, a man-in-the-middle attack cannot succeed there. In the second authentication step, an adversary may attempt to stand between the mobile device and the remote server S. However, since the exchanged messages are authenticated, the adversary cannot impersonate either of them.

  • Physical attack: assume that an adversary finds or steals the patient’s mobile device and attempts to obtain the confidential parameters \(\langle ID_{i}, AI_{i} \rangle\). In that situation, it is impossible for him/her to figure out any secret information from these parameters without holding the server’s private key \(\widehat{K}_S\) and the corresponding timestamp.

  • Parallel session attack: assume that an adversary intercepts the messages exchanged between a patient \(P_i\) and the remote server S, and then tries to open a parallel session with the remote server S (respectively, with the patient \(P_i\)). The remote server S (respectively, the patient \(P_i\)) detects such an attack by verifying the freshness of the timestamp \(T_i\) (respectively, \(T_S\)) of the received request.

  • Reflection and denial of service attacks: it is impossible for an adversary to forge a valid login request from those intercepted between the two communicating parties without holding the secret parameters \(\ell\), \(\widehat{K}_i\), \(\widehat{K}_S\), \(r_{i}\), and \(r_{S}\). The denial of service attack is countered by the adversary’s inability to present both a valid biometric template \(B_{i}\) and a correct identity \(ID_{i}\).

In Table 2, we summarize the overall security analysis of the proposed scheme with comparison to the related works.

Table 2 Security analysis (✔: prevent the attack, ✗: do not prevent the attack)

5 Performance evaluation

In this section, we provide the simulation results comparing the proposed scheme to some relevant schemes presented in Sect. 1. The simulations are run on a Samsung Galaxy S6 smartphone with a 2.1 GHz processor, 3 GB of memory and a wireless transmission rate of 5.76 Mbps. The smartphone interacts with a server machine with a 2.3 GHz processor, 4 GB of memory and a wireless transmission rate of 54 Mbps. The authentication process is performed with the fingerprint biometric feature.

The performance evaluation is performed for both the mobile and the server side, covering three major metrics: (1) the communication cost, which is the amount of data traffic transmitted per authentication session; (2) the processing time, which is the time spent in computation per authentication session; and (3) the storage cost, which is the memory space used for the system parameters per authentication session. These metrics are evaluated for three hash function families: MD5 (128 bits), SHA-1 (160 bits) and SHA-256 (256 bits).

Figures 3 and 4 illustrate the obtained results in terms of communication cost, on the mobile device side and on the remote server side, respectively. We note that the communication overhead of all the compared schemes increases with the hash function output size. The results show that the proposed scheme outperforms the other solutions. In fact, the proposed scheme performs the mutual authentication process in two rounds of communication: both the mobile device and the remote server compute an identical session key independently, without extra communication. The schemes of Khan et al. (2008) and Chen et al. (2012) perform the mutual authentication process in four rounds of communication, achieving better results on the mobile device side than the schemes of Truong et al. (2012), Khan et al. (2014), Lu et al. (2015) and Jung et al. (2017), which operate in five rounds.

Fig. 3 Communication cost evaluation in the mobile device side per session of authentication

Fig. 4 Communication cost evaluation in the remote server side per session of authentication

Figures 5 and 6 illustrate the obtained results in terms of processing time, on the mobile device side and on the remote server side, respectively. We note that the processing time of all the compared schemes increases with the hash function output size. The results show that the proposed scheme outperforms the other solutions. Indeed, the proposed scheme uses a symmetric session key in the mutual authentication process. In the two rounds of communication, the mobile device and the remote server each perform a single encryption operation, which significantly reduces the computational overhead.

Fig. 5 Processing time evaluation in the mobile device side per session of authentication

Fig. 6 Processing time evaluation in the remote server side per session of authentication

Figures 7 and 8 illustrate the obtained results in terms of storage cost, on the mobile device side and on the remote server side, respectively. We note that the storage cost of all the compared schemes increases with the hash function output size. The results show that the proposed scheme outperforms the other solutions. In the other schemes, a large number of cryptographic parameters are stored on both the mobile device and the remote server side, and these parameters are required to complete the authentication process. In the proposed scheme, two cryptographic items are maintained per mobile device, and all the other parameters and keys are computed dynamically.

Fig. 7 Storage cost evaluation in the mobile device side per session of authentication

Fig. 8 Storage cost evaluation in the remote server side per session of authentication

6 Conclusion

In this paper, we have proposed a secure and lightweight remote patient authentication scheme with biometric inputs for mobile healthcare environments. The proposed scheme translates the biometric input of a patient into ECC-based keys, which are used instead of the patient’s biometric template in the authentication process. The proposed scheme offers several advantages: (1) it provides mutual authentication with session key agreement; (2) it does not require remote transmission of the patients’ biometric data; (3) it does not hold a database binding the patients to their biometric templates; (4) it does not need to analyze biometric data, and the computational cost is thoroughly minimized; and (5) it resists various attacks, namely replay, impersonation, server spoofing, anonymity, insider, man-in-the-middle, physical, parallel session, reflection and denial of service attacks. We have performed an overall evaluation of the proposed scheme through simulations. The results indicate that our proposal outperforms the compared schemes while providing effective security.