Improvement of an Anonymous and Lightweight Authentication Scheme for TMIS
1. Introduction
Advances in computer networks and communications boost the development of telecare medicine information systems (TMIS), through which patients can use flexible and convenient healthcare. A typical medical application scenario of TMIS is shown in Figure 1. Patients submit their healthcare data to a telecare server via wired or wireless medical devices in their home. When the doctors receive the patient’s medical reports, they perform the diagnosis at their clinical center, and then provide the clinical decisions and treatments to the patients via the internet.
Figure 1. A typical medical application scenario of TMIS.
However, since the healthcare data transmitted through the public channel usually contains the secret information of the patients, it is essential to use an authentication mechanism in the TMIS scenario. Recently, many authentication schemes for TMIS [1]-[6] have been designed to protect patients’ personal information. In 2017, Kang et al. proposed a user authentication scheme for TMIS [1], which has a low computing cost because it uses only a hash function. They claimed that the proposed scheme could resist various attacks. Unfortunately, we find that their scheme still suffers from traceability attack and user impersonation attack. To enhance the security and preserve the efficiency of Kang et al.’s scheme, we propose a new anonymous and lightweight scheme.
2. Review of Kang et al.’s Scheme
This section presents Kang et al.’s scheme for TMIS [1]. Their scheme consists of four phases: 1) Registration Phase, 2) Login Phase, 3) Authentication Phase and 4) Password Change Phase. For convenience, some notations used in this paper are described as follows:
: Patient or user
: The identity of the ith user
: The password of the ith user
: The secret number of the TMIS server
: A symmetric encryption function with key K
: A symmetric decryption function with key K
: A one-way hash function
: Exclusive-or operation
: Concatenation operation
2.1. Registration Phase
To access the facilities or services provided by the TMIS server, the user must register in the server first by the following steps.
Step 1. The user
chooses the identity and password
,
and generates a random integer b. Then, he computes
and sends the registration message
to the TMIS server via a secure channel.
Step 2. On receiving the registration message, the server generates a random integer
and then computes
,
,
,
. Next, the TMIS server issues a smart card and stores the data
and sends the card to the user
.
Step 3. When the user
receives the card from the server, he stores b into the card. Finally, the smart card contains
.
2.2. Login Phase
When a registered user
wishes to log in to the TMIS, he must perform the following steps to construct a login request message.
Step 1. The user
inserts his smart card and enters the identity
and the password
, which he chose in the registration phase. Then, the smart card computes
,
,
and checks whether
equals
or not. If true, the smart card believes the user is the owner and continues to execute Step 2. Otherwise, it terminates the login request.
Step 2. The smart card generates a random integer
and the current timestamp
, and then computes
,
,
. After that, it sends the login request message
to the TMIS server via a public channel.
2.3. Authentication Phase
After receiving the login request message from the user, the TMIS server performs the following steps to achieve mutual authentication and establish a shared session key.
Step 1. The TMIS server retrieves the current timestamp
and verifies the freshness of
’s timestamp
.
Step 2. The server then continues to compute
,
,
,
and checks whether
equals
. If the two values are equal, then the user is authenticated and the authentication process continues.
Step 3. The server generates a random integer
and the current timestamp
, and computes
,
. After that, it sends the authentication message
to user
via a public channel.
Step 4. On receiving the authentication message from the server, the user
retrieves the current timestamp
and verifies the freshness of server’s timestamp
.
Step 5. The user computes the key
,
and checks whether
is equal to
. If true, the server is authenticated. Otherwise, the authentication process is terminated.
Step 6. The user then generates the current timestamp
and continues to compute
. After that, he sends the response message
to the server via a public channel.
Step 7. When the server receives the response message, it retrieves the current timestamp
and verifies the freshness of
. Then it computes
and checks whether
equals
. If true, the server believes that they have established the session key SK.
Finally, the user and the TMIS server can use the shared session key to encrypt the information transmitted through the public channel without worrying about privacy disclosure.
2.4. Password Change Phase
This phase is needed when a user desires to change his password. For this, the user has to perform the following steps.
Step 1. The user
inserts his smart card and then he enters the identity
and the password
to pass the smart card verification. The smart card will compute
,
,
and checks whether
equals
or not. If true, the smart card believes the user is the owner and continues to execute Step 2. Otherwise, it terminates the password change request.
Step 2. The user inputs the new password
and the smart card computes
.
Step 3. The smart card replaces
with the new value
in its memory.
3. Cryptanalysis of Kang et al.’s Scheme
In this section, we describe our findings that the scheme of Kang et al. is vulnerable to traceability attack and user impersonation attack. Before that, an attacker model [7] [8] is defined as follows.
3.1. Attacker Model
1) The adversary has full control of the public channel, but not the secure channel. That means the adversary can obtain all the transmitted data in the login and authentication phase.
2) The adversary can alter, delete or replay the data that he captured from the public channel.
3) The adversary has the ability to read or extract the secret data from the smart card issued to the user.
4) The adversary can guess either the user’s identity or the password, but not both at a time.
5) The adversary knows the authentication scheme since he can be an outsider user or a legal user.
3.2. Suffer from Traceability Attack
The main mechanism of the traceability attack is that the adversary can trace the user (patient) with the messages captured from the public channel. This happens when there exist invariant parameters in the login or response message. Unfortunately, in Kang et al.’s scheme, we find that the login messages contain
, which are equal in all sessions. Through it, the adversary can trace the user.
3.3. Suffer from User Impersonation Attack
The main mechanism of the user impersonation attack is that the adversary can impersonate the user (patient) to construct the login and response message sent to the TMIS server and establish a session key with it without being found malicious. We assume that the adversary obtains the user’s login message
transmitted in the public channel, then he can perform the user impersonation attack by the following steps.
Step 1. The adversary registers himself in the TMIS server with the registration message
, where t is a simple integer, and obtains a smart card that contains the data
. Then, he uses the returned parameters to compute the legal values
and
.
Step 2. The adversary generates a random integer
and the current timestamp
, and then he constructs the required login parameters
,
,
, where
is obtained from the user’s old login request message. After that, it sends the login request message
to the TMIS server via a public channel, where
is obtained from the adversary’s smart card.
Step 3. On receiving the login request message, the TMIS server first checks
and
by computing
,
,
,
. These will pass the verification and the server will take the adversary as the real user who has the parameter
in his smart card since there is no table to record the corresponding relations between
and the generated random integer
in the registration phase.
Step 4. The server then generates a random integer
and the current timestamp
, and computes
. After that, it sends the authentication message
to the adversary, who it thinks is the real user.
Step 5. On receiving the authentication message from the server, the adversary computes
. He then generates the current timestamp
and computes
, and sends the response message
to the server via a public channel.
Step 6. When the server receives the response message, the server verifies the freshness of
and checks the validity of
by comparing the values of
and
. There is no doubt that it will pass the verification.
Finally, the adversary and the TMIS server establish a shared session key
, with which the adversary can make requests for the private information such as medical records of the user (patient) without being detected.
4. The Proposed Scheme
In previous sections, we show that Kang et al.’s scheme fails to achieve the claimed goals since the user can be tracked through a constant quantity during the authentication process in the TMIS. To erase the mentioned security weaknesses, we present a new anonymous and lightweight authentication scheme for TMIS. The proposed scheme also consists of four phases: 1) Registration Phase, 2) Login Phase, 3) Authentication Phase and 4) Password Change Phase.
4.1. Registration Phase
When a user desires to use the facilities or services provided by the TMIS server, he must first become a legal user. For this, he needs to perform the following steps to register in the TMIS server.
Step 1. The user
chooses the identity and password
,
and generates a random integer b. Then, he computes
and sends the registration message
to the TMIS server via a secure channel.
Step 2. When the server receives the registration message, he generates a random integer
and computes
,
,
. Then, he issues a smart card and stores the data
into it. After that, he sends the card to the user
via a secure channel.
Step 3. On receiving the smart card from the server, the user
stores b into the card. Finally, the smart card contains
.
4.2. Login Phase
A registered user
can construct a login request message to log in to the TMIS by the following steps.
Step 1. The user
inserts his smart card and enters the identity
and the password
. Then, the smart card computes
,
and checks whether
equals
or not. If true, the smart card believes the user is the owner and continues. Otherwise, it terminates the login request.
Step 2. The smart card generates a random integer
and the current timestamp
, and then computes
,
,
. After that, he sends the login request message
to the TMIS server via a public channel.
4.3. Authentication Phase
After receiving the login request message from the user, the TMIS server performs the following steps to build up a shared session key with the user.
Step 1. The TMIS server retrieves the current timestamp
and verifies the freshness of
’s timestamp
.
Step 2. The TMIS server then obtains
and computes
,
, and checks whether
is equal to
or not. If true, the user is authenticated and the authentication process continues. Otherwise, the server aborts the authentication process.
Step 3. The server generates two random integers
and the current timestamp
, and then continues to compute
,
,
,
,
. After that, he sends the authentication message
to the user
via a public channel.
Step 4. On receiving the authentication message from the server, the user
retrieves the current timestamp
and verifies the freshness of server’s timestamp
.
Step 5. The user then continues to compute
,
,
and checks whether
are equal or not. If true, the server is authenticated and
is used to replace
in the smart card’s memory. Otherwise, the authentication process is terminated.
Step 6. The user generates the current timestamp
and computes
, and sends the response message
to the server via a public channel.
Step 7. When the server receives the response message, it retrieves the current timestamp
and verifies the freshness of
. Then it computes
and checks whether
equals
. If the two values are equal, the server believes that they have established the session key SK.
4.4. Password Change Phase
When a user desires to change his password, he can perform the following steps without any assistance from the TMIS server.
Step 1. The user
inserts his smart card and enters the identity
and the password
. Then, the smart card computes
,
and checks whether
equals
or not. If true, the smart card believes the user is the owner and continues. Otherwise, it terminates the password change request.
Step 2. The user then inputs the new password
and the smart card computes
,
.
Step 3. The smart card replaces
with
in its memory.
5. Security Analysis
Various authentication schemes have been demonstrated to be insecure [9] [10] [11] [12]. Thus, in this section we discuss the security features of the proposed scheme under the adversary model described in Section 3.
5.1. User Anonymity
Anonymity means that no adversary has the capacity to compromise the user’s (patient’s) real identity. In the proposed scheme, the user’s identity is masked in parameters
,
,
and
. With the protection of the one-way hash function, the adversary has no way to retrieve the user’s identity.
5.2. Mutual Authentication
In the proposed scheme, the user (patient) and the TMIS server achieve mutual authentication with the assistance of
and
. That means, the user is authenticated by the server according to the value
since no one knows all the values needed to construct
besides the real user. Also, only the TMIS server can construct
for verification.
5.3. Session Key Security
In the proposed scheme, only the user (patient) and TMIS server can compute the shared session key
since all the values required to calculate the key are known only to the user and the TMIS server. Even knowing the parameters transmitted in the authentication process, the adversary cannot construct the key.
5.4. Traceability Attack
In different sessions of the proposed scheme, the parameters in the user’s (patient’s) login request message
and response message
are changeable. Thus, with the transmitted messages captured from different sessions, the adversary cannot trace the user. Our proposed scheme resists traceability attack.
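The traceability argument in Sections 3.2 and 5.4 comes down to one check on captured login requests: does any field repeat across sessions? The sketch below is an added example, not code from the paper, and it does not reproduce either scheme's formulas; the message layout, the field names (`alias`, `masked_nonce`, `auth`, `ts`) and the use of SHA-256 as the hash are assumptions made for illustration.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash; SHA-256 stands in for the scheme's hash function."""
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def register(identity: bytes, rotate: bool) -> dict:
    """Constructed smart-card state; 'alias' and 'key' are hypothetical names."""
    return {"alias": os.urandom(32), "key": h(identity, os.urandom(16)), "rotate": rotate}


def login(card: dict, ts: int) -> dict:
    """Build one toy login request, then optionally refresh the stored alias."""
    nonce = os.urandom(32)
    msg = {
        "alias": card["alias"],
        "masked_nonce": xor(nonce, h(card["key"], card["alias"])),
        "auth": h(card["key"], nonce, ts.to_bytes(8, "big")),
        "ts": ts,
    }
    if card["rotate"]:
        # Models the card replacing a stored value after each successful run.
        card["alias"] = os.urandom(32)
    return msg


def invariant_fields(messages: list) -> list:
    """Return the fields whose value repeats in at least two captured messages."""
    repeated = []
    for field in messages[0]:
        values = [m[field] for m in messages]
        if len(set(values)) < len(values):
            repeated.append(field)
    return sorted(repeated)


def capture(rotate: bool, sessions: int = 5) -> list:
    """Constructed sample traffic: several logins from one registered card."""
    card = register(b"patient-001", rotate)
    return [login(card, ts=1000 + i) for i in range(sessions)]


if __name__ == "__main__":
    print("static alias  :", invariant_fields(capture(rotate=False)))
    print("rotating alias:", invariant_fields(capture(rotate=True)))
```

Run as a regression test against a protocol's real message encoder, a non-empty result from `invariant_fields` flags a linkable field before deployment.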
5.5. Replay Attack
When the adversary eavesdrops on the whole transmitted message between the user (patient) and the TMIS server and replays it later, it will be immediately detected as the timestamp is outdated in the parameters
and
. Then the adversary may try to reconstruct the two parameters. However, with the protection of the parameters
(
) and
(
), the adversary cannot do so. Thus, our proposed scheme resists replay attack.
5.6. Offline Password Guessing Attack
In the proposed scheme, the adversary can only guess the user’s (patient’s) password through
or
in the smart card. However, without the knowledge of the user’s real identity
, the adversary cannot compute the values required.
5.7. Impersonation Attack
When the adversary desires to impersonate the user (patient), he needs to construct the login request message first. However, the adversary has no way to know the user’s identity
and
, which are required to construct the parameter
in the login request message. Thus, he cannot impersonate the user. On the other hand, without knowing the server’s secret key
, the adversary cannot decrypt
and compute the parameters
and
. Thus, he cannot impersonate the server. Our proposed scheme resists impersonation attack.
5.8. Stolen Verifier Attack
The stolen verifier attack means that the adversary gets some precious information that is stored in the server’s end. This happens especially when the server maintains the database of the user’s information like password. In the proposed scheme, the TMIS server does not keep any storage database, which is an essential requirement to launch this attack. Thus, our proposed scheme resists stolen verifier attack.
6. Performance Analysis
In this section, we compare the communication cost and the security features with the related schemes [1]-[6]. We only compare the time cost in the login and authentication phases of the proposed scheme and Kang et al.’s, since these two phases are performed frequently. During the login and authentication phases of our proposed scheme, the hash function is used 12 times, whereas Kang et al.’s scheme uses it 14 times. Next, we compare the security features with Kang et al.’s and the other related schemes. From Table 1, we can see that our proposed scheme performs better in terms of providing security features.
Table 1. Comparison of security features. (O: Satisfy X: Not Satisfy).
F1. Insider Attack; F2. User Anonymity; F3. Traceability Attack; F4. Offline Password Guessing Attack; F5. User Impersonation Attack; F6. Replay Attack; F7. No Verification Table; F8. Session Key Agreement; F9. Detect Wrong Password Quickly; F10. Mutual Authentication.
7. Conclusion
In this paper, we analyze Kang et al.’s scheme, which was designed for TMIS using a hash function and claimed to resist various attacks. However, we find that the scheme is still susceptible to traceability attack and user impersonation attack. In order to eliminate the security drawbacks we found, we present a new anonymous and lightweight scheme and prove that our proposed scheme has better performance in terms of communication cost and security.
Acknowledgements
The work of Chien-Ming Chen was supported in part by the Project NSFC (National Natural Science Foundation of China) under Grant number 61402135 and in part by Shenzhen Technical Project under Grant number JCYJ20170307151750788 and in part by Shenzhen Technical Project under Grant number KQJSCX20170327161755. The work of Eric Ke Wang was supported in part by National Natural Science Foundation of China (No. 61572157), grant No. 2016A030313660 from Guangdong Province Natural Science Foundation, JCYJ20160608161351559 from Shenzhen Municipal Science and Technology Innovation Project.