Wuhan Univ. J. Nat. Sci.
Volume 28, Number 6, December 2023
Page(s) 531 - 540
DOI https://doi.org/10.1051/wujns/2023286531
Published online 15 January 2024

© Wuhan University 2023

Licence: Creative Commons Attribution. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

0 Introduction

With the rapid development of network and information technology, the Telecare Medical Information System (TMIS) provides an efficient and convenient connection between patients and medical servers. Patients can collect physiological data such as blood glucose, blood pressure, body temperature and heart rate through wearable sensor devices (smart wristbands, sensors deployed in or on the body, etc.) and access medical services over public networks at any time and place. Alongside this convenience, protecting patients' privacy and securing TMIS is imperative. In TMIS, the telecare server holds patients' confidential and medical information, including identities, passwords and electronic medical records[1]. Only legitimate patients should be able to access their medical information, so that their privacy and the confidentiality of that information are preserved. Since communication takes place over a public channel, transmitted data can be intercepted or even tampered with by a malicious attacker. If a patient's transmitted data are tampered with, doctors are likely to make a wrong diagnosis and choose a wrong treatment, which can cause irreversible harm and may threaten the patient's life. Ensuring secure information transmission is therefore a central issue in TMIS. Authentication schemes can provide privacy and secure communication between patients and remote servers, giving patients good anonymity and privacy protection; they are likewise used in many other areas to secure communications[2-4]. So far, many authentication and key agreement schemes have been proposed for TMIS[5-10].

In 2015, Chaudhry et al[11] proposed an improved two-factor authentication scheme for telecare medical information systems. However, Qiu et al[12] remarked that Chaudhry et al's scheme[11] is prone to offline password guessing, user/server impersonation and man-in-the-middle attacks, and proposed a mutual authentication scheme based on elliptic curve cryptography for TMIS. In 2019, Gupta et al[13] proposed a lightweight anonymous user authentication scheme for TMIS based only on XOR and a one-way cryptographic hash function. However, Hajian et al[14] showed that Gupta et al's scheme[13] is vulnerable to desynchronization attacks, compromised wearable devices, compromised gateway attacks, offline guessing attacks and privileged insider attacks, and proposed a scalable healthcare authentication scheme with attack resilience and anonymous key agreement (SHAPARAK). In 2022, Yu et al[15] showed that SHAPARAK[14] suffers from several security drawbacks, such as man-in-the-middle (MITM), impersonation and session key disclosure attacks, and proposed a three-factor privacy-preserving scheme for IoMT-enabled TMIS environments (SALS-TMIS) to resolve them. In this paper we show that Yu et al's scheme[15] is vulnerable to replay attacks, tracking attacks and impersonation attacks, and that it does not provide mutual authentication. We therefore propose an improved privacy-preserving authentication scheme for the telecare medical information system environment that resolves the security flaws of Yu et al's scheme[15]. The improved scheme provides user anonymity and resists the attacks analysed in Section 4.

The rest of the paper is organized as follows. In Section 1, we briefly review Yu et al's scheme. In Section 2, we analyze its weaknesses. The improved scheme is proposed in Section 3. The security analysis and comparisons are given in Section 4. Finally, the article is concluded in Section 5.

1 Review of Yu et al's Scheme

This section reviews Yu et al's scheme[15]. It is a three-factor authentication scheme for TMIS consisting of a system setup process, a registration process for the user and the sensor device, an authentication and key agreement process, and a password and biometric update process. For brevity, the password and biometric update process is not reviewed here. Table 1 lists the notations used in this paper.

Table 1

Notations

1.1 System Setup Process

This process includes the sensor device and gateway setup processes. S registers each SDj and assigns its secret credentials: S chooses a temporal identity TSIDj, an identity SIDj and a shared secret key XSDj for each SDj and stores {TSIDj, SIDj, XSDj} in the memory of SDj. S also stores {TSIDj, SIDj, XSDj, h(·)} in a secure database. To register a GWi, S chooses a shared secret key XGDi, a gateway identity GIDi and a temporal identity TGIDi for each GWi and stores {TGIDi, GIDi, XGDi, h(·)} in the memory of GWi. S also stores {TGIDi, GIDi, XGDi, h(·)} in a secure database.

1.2 Registration Process

1.2.1 User registration process

The user (Ui/GWi) must register with TMIS Server (S) to access the medical services. This process is described in detail as follows:

Step 1   The user Ui/GWi selects IDi and PWi and generates a random number RUi. Then Ui/GWi computes HIDi = h(IDi||RUi), HPWi = h(PWi||RUi) and sends {HIDi, HPWi} to S via a secure channel.

Step 2   Upon receiving the message, S computes Xi = h(TGIDi||Ki||XGDi) and Qi = HIDi ⊕ h(Xi||Ki||XGDi), where Ki is the master key of S. Then S sends {Xi} to Ui through a secure channel. Finally, S computes Wi = EKi(Xi, HIDi) and stores {Wi} in a secure database.

Step 3   After receiving the message, the user imprints a biometric BIOi and computes

$A_i = (RU_i \| X_i) \oplus h(ID_i \| PW_i \| BIO_i)$

$B_i = h(HID_i \| HPW_i \| RU_i \| X_i)$

Finally, Ui/GWi stores {Ai, Bi} in the memory.

1.2.2 Sensor device process

SDj must register with S to access healthcare services. This process is described in detail as follows:

Step 1   SDj first generates a random number RSj and computes

$SI_j = h(TSID_j \| SID_j \| RS_j)$

$N_j = h(SID_j \| XSD_j \| TSID_j) \oplus RS_j$

After that, SDj sends {SIj, TSIDj, Nj} to GWi via a public channel.

Step 2   After getting the message, GWi computes UIi=h(TSIDj||GIDi||XGDi) and sends {SIj, TSIDj, Nj,TGIDi,UIi} to the S.

Step 3   Upon getting the message, S computes UIi* = h(TSIDj||GIDi||XGDi) and checks whether UIi* =? UIi. If it is correct, S computes RSj = h(SIDj||XSDj||TSIDj) ⊕ Nj, SIj* = h(TSIDj||SIDj||RSj) and checks whether SIj* =? SIj. If it is valid, S computes

$d_j = h(SID_j \| RS_j \| K_i)$

$f_j = d_j \oplus h(SID_j \| RS_j \| XSD_j)$

$g_i = h(GID_i \| TGID_i \| K_i)$

$f_i = g_i \oplus h(GID_i \| XGD_i \| TGID_i)$

$TS_j = h(SID_j \| d_j \| XSD_j \| RS_j)$

$TU_i = h(GID_i \| g_i \| XGD_i)$

Then, S sends {fj, TSj, fi, TUi} to GWi via a public channel. Finally, S encrypts SAj = EKi(RSj) and stores {SAj} in a secure database.

Step 4   After getting the message, GWi computes gi = fi ⊕ h(GIDi||XGDi||TGIDi), TUi* = h(GIDi||gi||XGDi) and verifies TUi* =? TUi. If they are equal, GWi sends {fj, TSj} to SDj and stores {TSIDj} in its memory.

Step 5   Upon getting the message, SDj computes dj = fj ⊕ h(SIDj||RSj||XSDj), TSj* = h(SIDj||dj||XSDj||RSj) and checks TSj* =? TSj. If it is valid, SDj computes Cj = (dj||RSj) ⊕ h(XSDj||SIDj) and stores {Cj} in its memory.

1.3 Authentication and Key Agreement Process

The registered GWi and SDj perform mutual authentication with S to establish a common session key between GWi and SDj. All messages are transmitted through a public channel. The detailed descriptions are as follows:

Step 1  Ui inputs IDi, PWi and imprints BIOi into GWi. Then GWi computes

$(RU_i \| X_i) = A_i \oplus h(ID_i \| PW_i \| BIO_i)$

$HID_i = h(ID_i \| RU_i)$

$HPW_i = h(PW_i \| RU_i)$

$B_i^* = h(HID_i \| HPW_i \| RU_i \| X_i)$

and checks whether Bi* =? Bi. If they are not equal, GWi terminates the current session; otherwise, it generates a random nonce Ru and computes M1 = Ru ⊕ h(Xi||XGDi||TGIDi), Authu = h(HIDi||TGIDi||Ru||Xi||XGDi). After that, GWi sends {M1, Authu, TGIDi} to SDj through a public channel.

Step 2   After obtaining the message, SDj computes (dj||RSj) = Cj ⊕ h(XSDj||SIDj). After that, SDj generates a random nonce Rs, computes M2 = Rs ⊕ h(RSj||dj||XSDj||TSIDj), Auths = h(SIDj||TSIDj||RSj||Rs||XSDj) and sends {M1, Authu, TGIDi, M2, Auths, TSIDj} to S.

Step 3   Upon getting the message, S retrieves {Wi,SAj} in a secure database. After that, S decrypts RSj=DKi(SAj) and computes

$d_j = h(SID_j \| RS_j \| K_i)$

$R_s = M_2 \oplus h(RS_j \| d_j \| XSD_j \| TSID_j)$

$Auth_s^* = h(SID_j \| TSID_j \| RS_j \| R_s \| XSD_j)$

and then checks whether Auths*=?Auths. If it is not valid, S aborts the current session. Otherwise, it decrypts (Xi, HIDi) = DKi(Wi) and computes

$X_i = h(TGID_i \| K_i \| XGD_i)$

$R_u = M_1 \oplus h(X_i \| XGD_i \| TGID_i)$

$Auth_u^* = h(HID_i \| TGID_i \| R_u \| X_i \| XGD_i)$

Then S checks whether Authu*=?Authu. If it is not equal, S terminates the current session, otherwise it computes

$TSID_j^{new} = h(TSID_j \| R_s)$

$M_3 = R_u \oplus h(d_j \| TSID_j \| SID_j \| RS_j \| XSD_j)$

$Auth_{tu} = h(TGID_i \| HID_i \| XGD_i \| X_i \| R_u)$

$Auth_{ts} = h(TSID_j^{new} \| SID_j \| RS_j \| XSD_j \| R_s)$

Then, S sends {M3,Authtu, Authts} to the SDj through a public channel.

Step 4   After obtaining the message, SDj computes

$TSID_j^{new} = h(TSID_j \| R_s)$

$Auth_{ts}^* = h(TSID_j^{new} \| SID_j \| RS_j \| XSD_j \| R_s)$

and verifies whether Authts* =? Authts. If it is correct, SDj computes Ru = M3 ⊕ h(dj||TSIDj||SIDj||RSj||XSDj), M4 = Rs ⊕ h(Ru||TGIDi||TSIDj), SKij = h(Ru||Rs||TGIDi||TSIDj), Authsu = h(TSIDjnew||TGIDi||SKij) and updates TSIDj with TSIDjnew. Finally, SDj sends {M4, Authtu, Authsu} to GWi.

Step 5   Upon getting the message, GWi computes Authtu*=h(TGIDi||HIDi||XGDi||Xi||Ru) and checks whether Authtu*=?Authtu. If it is not valid, GWi aborts the current session, otherwise it computes

$R_s = M_4 \oplus h(R_u \| TGID_i \| TSID_j)$

$TSID_j^{new} = h(TSID_j \| R_s)$

$SK_{ij} = h(R_u \| R_s \| TGID_i \| TSID_j)$

$Auth_{su}^* = h(TSID_j^{new} \| TGID_i \| SK_{ij})$

and then verifies whether Authsu* =? Authsu. If it is correct, GWi updates TSIDj with TSIDjnew in its memory. Consequently, the entities have authenticated each other and a common session key has been established between GWi and SDj.

2 Flaws of Yu et al's Scheme

In this section, under the Dolev-Yao (DY) threat model[16], we show that Yu et al's scheme[15] is vulnerable to a replay attack, a tracking attack and a sensor impersonation attack. Moreover, Yu et al's scheme[15] does not provide mutual authentication.

2.1 Replay Attack

During the authentication and key agreement phase, messages are transmitted over the public channel, so a malicious attacker can intercept the message {M1, Authu, TGIDi} sent by the user (Ui/GWi) and resend it to the sensor device SDj in a later session. SDj receives the message and computes (dj||RSj) = Cj ⊕ h(XSDj||SIDj). SDj then generates a random number Rs' and computes

$M_2' = R_s' \oplus h(RS_j \| d_j \| XSD_j \| TSID_j^{new})$

$Auth_s' = h(SID_j \| TSID_j^{new} \| RS_j \| R_s' \| XSD_j)$

and sends the message {M1, Authu, TGIDi, M2', Auths', TSIDjnew} to the TMIS server S. After S receives the message, it retrieves {Wi, SAj} from its database, decrypts RSj = DKi(SAj) and computes

$d_j = h(SID_j \| RS_j \| K_i)$

$R_s' = M_2' \oplus h(RS_j \| d_j \| XSD_j \| TSID_j^{new})$

$Auth_s'^{*} = h(SID_j \| TSID_j^{new} \| RS_j \| R_s' \| XSD_j)$

S then checks whether Auths'* =? Auths'. The two values are equal, so the verification passes. S then computes

$(X_i, HID_i) = D_{K_i}(W_i)$

$X_i = h(TGID_i \| K_i \| XGD_i)$

$R_u = M_1 \oplus h(X_i \| XGD_i \| TGID_i)$

$Auth_u^* = h(HID_i \| TGID_i \| R_u \| X_i \| XGD_i)$

and checks whether Authu* =? Authu. Because {M1, Authu, TGIDi} is the genuine message intercepted from Ui/GWi, and neither M1 nor Authu contains any session-specific freshness value, Authu* = Authu and the verification passes. The replay attack therefore succeeds.

2.2 Tracking Attacks

During the authentication and key agreement phase, an attacker intercepts the message {M1, Authu, TGIDi} sent by Ui/GWi and the message {M1, Authu, TGIDi, M2, Auths, TSIDj} sent by SDj. TGIDi appears in both messages and is never changed from one session to the next. Consequently, the attacker can recognise that messages from different sessions come from the same user and can track that user.

2.3 Sensor Impersonation Attacks

When a user Ui/GWi authenticates with a sensor device SDj to establish a session key, SDj can obtain the Ui/GWi's random number Ru, and get h(Xi||XGDi||TGIDi) from M1. In the next session, when this user Ui/GWi authenticates with another sensor SDk, the sensor device SDj of the last session can play the role of an attacker to impersonate SDk and reach a session key with the user Ui/GWi. The specific attack process is as follows.

After user Ui/GWi authenticates with SDj to establish the session key, SDj obtains Ui/GWi's random number Ru as Ru = M3 ⊕ h(dj||TSIDj||SIDj||RSj||XSDj). From the message M1, SDj then computes h(Xi||XGDi||TGIDi) = M1 ⊕ Ru. Since Xi, XGDi and TGIDi are constant, the value h(Xi||XGDi||TGIDi) is the same in every session. Thus SDj obtains a critical long-term secret of Ui/GWi.

In the next session, assume user Ui/GWi authenticates with sensor device SDk and sends the message {M1', Authu', TGIDi} to SDk. SDk receives the message from Ui and sends {M1', Authu', TGIDi, M2, Auths, TSIDk} to the server S. S receives the message from SDk and replies with {M3, Authtu, Authts} to SDk. During this exchange, SDj can intercept TGIDi, TSIDk, M1' and Authtu. Since TGIDi is the same in every session, SDj can identify the user Ui/GWi. Since h(Xi||XGDi||TGIDi) is known, SDj can recover the random number Ru' chosen by the user from M1' as Ru' = M1' ⊕ h(Xi||XGDi||TGIDi). SDj then picks a random number Rs* and computes

$TSID_k^{new*} = h(TSID_k \| R_s^*)$

$M_4^* = R_s^* \oplus h(R_u' \| TGID_i \| TSID_k)$

$SK_{ik}^* = h(R_u' \| R_s^* \| TGID_i \| TSID_k)$

$Auth_{su}^* = h(TSID_k^{new*} \| TGID_i \| SK_{ik}^*)$

Then SDj sends the message {M4*, Authtu, Authsu*} to the user Ui/GWi, where Authtu is the genuine value intercepted from S. After receiving {M4*, Authtu, Authsu*}, Ui/GWi computes Authtu* = h(TGIDi||HIDi||XGDi||Xi||Ru') and verifies Authtu* =? Authtu; the check passes because Authtu was produced by S for this very session. Ui/GWi then computes

$R_s^* = M_4^* \oplus h(R_u' \| TGID_i \| TSID_k)$

$TSID_k^{new*} = h(TSID_k \| R_s^*)$

$SK_{ik}^* = h(R_u' \| R_s^* \| TGID_i \| TSID_k)$

$Auth_{su}^{**} = h(TSID_k^{new*} \| TGID_i \| SK_{ik}^*)$

and verifies Authsu** =? Authsu*, which also passes. Ui/GWi replaces TSIDk in its memory with TSIDknew*. SDj has thus successfully impersonated the sensor device SDk and established a session key SKik* with Ui/GWi.

2.4 The Scheme does not Achieve Mutual Authentication

Following Section 2.3, the attacker successfully impersonates SDk and makes Ui/GWi update SDk's temporary identity to TSIDknew*. However, TSIDknew* ≠ TSIDknew: TSIDknew* was generated by the attacker SDj, whereas TSIDknew = h(TSIDk||Rs) is the value computed by the TMIS server S and by SDk. The next time Ui/GWi tries to contact SDk, it holds the wrong temporary identity TSIDknew* for SDk, so the protocol fails and the scheme does not achieve mutual authentication.
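The following simulation is an added example and is not code from Yu et al or from this paper; it reproduces the two observations of Sections 2.1 and 2.3 using Yu et al's message formats as reviewed in Section 1.3. The hash h(·) is modelled as SHA-256 over the concatenation of fixed-length fields, the long-term values (Xi, XGDi, HIDi, TGIDi, TSIDk) are constructed at random, and the server's honest Authtu for the second session is generated directly rather than relayed through SDk, since the attacker only needs to see it on the wire. All of these are assumptions of the example.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(a||b||...) modelled as SHA-256 over the concatenation (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed long-term values of one user/gateway GW_i (assumptions, not real data).
X_i, XGD_i, HID_i = (secrets.token_bytes(32) for _ in range(3))
TGID_i = secrets.token_bytes(32)     # never updated in Yu et al.'s scheme
TSID_k = secrets.token_bytes(32)     # temporal identity of the victim sensor SD_k


def gw_step1():
    """GW_i Step 1: M1 = Ru xor h(Xi||XGDi||TGIDi). The mask has no per-session input."""
    Ru = secrets.token_bytes(32)
    M1 = xor(Ru, h(X_i, XGD_i, TGID_i))
    Authu = h(HID_i, TGID_i, Ru, X_i, XGD_i)
    return Ru, M1, Authu


def server_check_authu(M1, Authu):
    """S Step 3: recover Ru from M1 and recompute Authu. Nothing checked here is fresh."""
    Ru = xor(M1, h(X_i, XGD_i, TGID_i))
    return h(HID_i, TGID_i, Ru, X_i, XGD_i) == Authu


def gw_step5(Ru, TSID, M4, Authtu, Authsu):
    """GW_i Step 5: verify Authtu (from S) and Authsu (from the sensor), derive SK."""
    if h(TGID_i, HID_i, XGD_i, X_i, Ru) != Authtu:
        return None
    Rs = xor(M4, h(Ru, TGID_i, TSID))
    SK = h(Ru, Rs, TGID_i, TSID)
    if h(h(TSID, Rs), TGID_i, SK) != Authsu:
        return None
    return SK


def replay_accepted():
    """Section 2.1: a captured {M1, Authu, TGIDi} verifies at S again in a later session."""
    _, M1, Authu = gw_step1()
    return server_check_authu(M1, Authu) and server_check_authu(M1, Authu)


def sensor_impersonation():
    """Section 2.3: SD_j uses what it learned in session 1 to impersonate SD_k in session 2."""
    # Session 1, GW_i <-> SD_j: SD_j saw M1 and obtained Ru from M3 (it needs Ru for SK).
    Ru1, M1, _ = gw_step1()
    mask = xor(M1, Ru1)                              # = h(Xi||XGDi||TGIDi), constant
    # Session 2, GW_i -> SD_k: SD_j eavesdrops M1' and S's honest Authtu for this session.
    Ru2, M1p, _ = gw_step1()
    Authtu = h(TGID_i, HID_i, XGD_i, X_i, Ru2)      # sent by S towards SD_k, intercepted
    Ru2_rec = xor(M1p, mask)                         # Ru' = M1' xor h(Xi||XGDi||TGIDi)
    Rs_star = secrets.token_bytes(32)
    M4_star = xor(Rs_star, h(Ru2_rec, TGID_i, TSID_k))
    SK_star = h(Ru2_rec, Rs_star, TGID_i, TSID_k)
    Authsu_star = h(h(TSID_k, Rs_star), TGID_i, SK_star)
    SK_gw = gw_step5(Ru2, TSID_k, M4_star, Authtu, Authsu_star)
    return Ru2_rec == Ru2, SK_gw == SK_star
```

Both checks at GWi pass because Authtu is a genuine server value for the current session and Authsu* is computed from the correctly recovered Ru'; the only thing SDj needed beyond public traffic was the constant mask leaked by its own earlier session.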

3 Improved Scheme

In this section, we propose an improved secure and anonymous privacy-preserving authentication scheme to resolve the shortcomings of Yu et al's scheme[15]. The improved scheme consists of a system setup phase, a user registration phase, a sensor registration phase and an authentication and key agreement phase. The setup phase and the user and sensor device registration phases are the same as in Yu et al's scheme[15]; our improvements concern the authentication and key agreement phase.

The registered GWi and SDj perform mutual authentication with S to establish a common session key between GWi and SDj. All messages are transmitted through a public channel. Fig. 1 shows the authentication and key agreement phase of the improved scheme. The detailed description of this phase is as follows:

Fig. 1  Authentication and key agreement phase of the proposed scheme

Step 1  Ui inputs IDi, PWi and imprints BIOi into GWi. Then GWi computes

$(RU_i \| X_i) = A_i \oplus h(ID_i \| PW_i \| BIO_i)$

$HID_i = h(ID_i \| RU_i)$

$HPW_i = h(PW_i \| RU_i)$

$B_i^* = h(HID_i \| HPW_i \| RU_i \| X_i)$

and checks whether Bi* =? Bi. If they are not equal, GWi terminates the current session; otherwise, it generates a random nonce Ru and the current timestamp T1. Then GWi computes

$M_1 = R_u \oplus h(X_i \| XGD_i \| TGID_i \| T_1)$

$Auth_u = h(HID_i \| TGID_i \| R_u \| X_i \| XGD_i \| T_1)$

After that, GWi sends {M1, Authu, TGIDi, T1} to SDj through a public channel.

Step 2   After obtaining the message, SDj checks that T1 is within the allowed interval of its current time (see Section 4.1.2) and computes (dj||RSj) = Cj ⊕ h(XSDj||SIDj). After that, SDj generates a random nonce Rs and the current timestamp T2, computes M2 = Rs ⊕ h(RSj||dj||XSDj||TSIDj||T2), Auths = h(SIDj||TSIDj||RSj||Rs||XSDj||T2) and sends {M1, Authu, TGIDi, M2, Auths, TSIDj, T1, T2} to S.

Step 3   Upon getting the message, S checks that T1 and T2 are within the allowed interval of its current time and retrieves {Wi, SAj} from its secure database using TGIDi and TSIDj. After that, S decrypts RSj = DKi(SAj) and computes

$d_j = h(SID_j \| RS_j \| K_i)$

$R_s = M_2 \oplus h(RS_j \| d_j \| XSD_j \| TSID_j \| T_2)$

$Auth_s^* = h(SID_j \| TSID_j \| RS_j \| R_s \| XSD_j \| T_2)$

and then checks whether Auths*=?Auths. If it is not valid, S aborts the current session. Otherwise, it decrypts (Xi,HIDi)=DKi(Wi) and computes

$X_i = h(TGID_i \| K_i \| XGD_i)$

$R_u = M_1 \oplus h(X_i \| XGD_i \| TGID_i \| T_1)$

$Auth_u^* = h(HID_i \| TGID_i \| R_u \| X_i \| XGD_i \| T_1)$

and then checks whether Authu* =? Authu. If they are not equal, S terminates the current session; otherwise it generates the current timestamp T3 and computes

$TSID_j^{new} = h(TSID_j \| R_s)$

$TGID_i^{new} = h(TGID_i \| GID_i \| XGD_i \| R_u)$

$M_3 = R_u \oplus h(d_j \| TSID_j \| SID_j \| RS_j \| XSD_j \| T_3)$

$Auth_{tu} = h(TGID_i \| HID_i \| XGD_i \| X_i \| R_u \| T_3)$

$Auth_{ts} = h(TSID_j^{new} \| SID_j \| RS_j \| XSD_j \| R_s \| T_3)$

Then S sends {M3, Authtu, Authts, T3} to SDj through a public channel, updates TSIDj with TSIDjnew and updates TGIDi with TGIDinew in its database.

Step 4   After obtaining the message and checking that T3 is fresh, SDj computes

$TSID_j^{new} = h(TSID_j \| R_s)$

$Auth_{ts}^* = h(TSID_j^{new} \| SID_j \| RS_j \| XSD_j \| R_s \| T_3)$

and verifies whether Authts* =? Authts. If it is correct, SDj generates the current timestamp T4 and computes

$R_u = M_3 \oplus h(d_j \| TSID_j \| SID_j \| RS_j \| XSD_j \| T_3)$

$M_4 = R_s \oplus h(R_u \| TGID_i \| TSID_j \| T_4)$

$SK_{ij} = h(R_u \| R_s \| TGID_i \| TSID_j)$

$Auth_{su} = h(TSID_j^{new} \| TGID_i \| SK_{ij} \| T_4)$

and updates TSIDj with TSIDjnew. Finally, SDj sends {M4, Authtu, Authsu, T3, T4} to GWi.

Step 5   Upon getting the message, GWi checks that T3 and T4 are fresh, computes Authtu* = h(TGIDi||HIDi||XGDi||Xi||Ru||T3) and checks whether Authtu* =? Authtu. If it is not valid, GWi aborts the current session; otherwise it computes

$R_s = M_4 \oplus h(R_u \| TGID_i \| TSID_j \| T_4)$

$TSID_j^{new} = h(TSID_j \| R_s)$

$TGID_i^{new} = h(TGID_i \| GID_i \| XGD_i \| R_u)$

$SK_{ij} = h(R_u \| R_s \| TGID_i \| TSID_j)$

$Auth_{su}^* = h(TSID_j^{new} \| TGID_i \| SK_{ij} \| T_4)$

and then verifies whether Authsu* =? Authsu. If it is correct, GWi updates TSIDj with TSIDjnew and TGIDi with TGIDinew in its memory. Consequently, the entities have authenticated each other and a common session key has been established between GWi and SDj.
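The following simulation of the improved authentication and key agreement phase is an added example, not code from the paper. It plays all three parties (GWi, SDj, S) through Steps 1 to 5 exactly as written above, and additionally exercises the two properties the scheme relies on: a captured {M1, Authu, TGIDi, T1} is rejected once T1 is stale, and the mask h(Xi||XGDi||TGIDi||T1) recovered from one session does not unmask the next session's M1. Assumptions of the example: h(·) is SHA-256 over the concatenation of fixed-length fields, timestamps are integer seconds with a freshness window of 5 s (the page only says "a reasonable interval"), all long-term values are constructed at random in place of the setup and registration phases, and the TSIDjnew/TGIDinew updates are computed but not persisted between runs.

```python
import hashlib
import secrets

MAX_SKEW = 5  # seconds; the paper says "a reasonable interval", the value is an assumption


def h(*parts: bytes) -> bytes:
    """h(a||b||...) modelled as SHA-256 over the concatenation (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Timestamp encoding used inside the hashes (assumption: 64-bit big-endian seconds)."""
    return t.to_bytes(8, "big")


def fresh(t_sent: int, now: int) -> bool:
    return abs(now - t_sent) <= MAX_SKEW


# Constructed long-term values standing in for the setup and registration phases (assumptions).
K_i = secrets.token_bytes(32)                       # S's master key
GID_i, XGD_i = secrets.token_bytes(32), secrets.token_bytes(32)
SID_j, XSD_j = secrets.token_bytes(32), secrets.token_bytes(32)
TGID_i, TSID_j = secrets.token_bytes(32), secrets.token_bytes(32)
RS_j, HID_i = secrets.token_bytes(32), secrets.token_bytes(32)
X_i = h(TGID_i, K_i, XGD_i)                         # Xi = h(TGIDi||Ki||XGDi)
d_j = h(SID_j, RS_j, K_i)                           # dj = h(SIDj||RSj||Ki)


def gw_step1(Ru, T1):
    """GW_i: M1 = Ru xor h(Xi||XGDi||TGIDi||T1), Authu = h(HIDi||TGIDi||Ru||Xi||XGDi||T1)."""
    M1 = xor(Ru, h(X_i, XGD_i, TGID_i, ts(T1)))
    return M1, h(HID_i, TGID_i, Ru, X_i, XGD_i, ts(T1))


def sd_step2(Rs, T2):
    """SD_j: M2 = Rs xor h(RSj||dj||XSDj||TSIDj||T2), Auths = h(SIDj||TSIDj||RSj||Rs||XSDj||T2)."""
    M2 = xor(Rs, h(RS_j, d_j, XSD_j, TSID_j, ts(T2)))
    return M2, h(SID_j, TSID_j, RS_j, Rs, XSD_j, ts(T2))


def server_step3(M1, Authu, T1, M2, Auths, T2, T3, now):
    """S: reject stale timestamps, authenticate SD_j then GW_i, answer with M3/Authtu/Authts."""
    if not (fresh(T1, now) and fresh(T2, now)):
        return None
    Rs = xor(M2, h(RS_j, d_j, XSD_j, TSID_j, ts(T2)))
    if h(SID_j, TSID_j, RS_j, Rs, XSD_j, ts(T2)) != Auths:
        return None
    Ru = xor(M1, h(X_i, XGD_i, TGID_i, ts(T1)))
    if h(HID_i, TGID_i, Ru, X_i, XGD_i, ts(T1)) != Authu:
        return None
    TSID_new = h(TSID_j, Rs)
    M3 = xor(Ru, h(d_j, TSID_j, SID_j, RS_j, XSD_j, ts(T3)))
    Authtu = h(TGID_i, HID_i, XGD_i, X_i, Ru, ts(T3))
    Authts = h(TSID_new, SID_j, RS_j, XSD_j, Rs, ts(T3))
    return M3, Authtu, Authts


def sd_step4(Rs, M3, Authts, T3, T4):
    """SD_j: verify Authts, unmask Ru, derive SKij and answer GW_i with M4/Authsu."""
    TSID_new = h(TSID_j, Rs)
    if h(TSID_new, SID_j, RS_j, XSD_j, Rs, ts(T3)) != Authts:
        return None
    Ru = xor(M3, h(d_j, TSID_j, SID_j, RS_j, XSD_j, ts(T3)))
    M4 = xor(Rs, h(Ru, TGID_i, TSID_j, ts(T4)))
    SK = h(Ru, Rs, TGID_i, TSID_j)
    return M4, h(TSID_new, TGID_i, SK, ts(T4)), SK


def gw_step5(Ru, M4, Authtu, Authsu, T3, T4):
    """GW_i: verify S's Authtu, unmask Rs, derive SKij and verify SD_j's Authsu."""
    if h(TGID_i, HID_i, XGD_i, X_i, Ru, ts(T3)) != Authtu:
        return None
    Rs = xor(M4, h(Ru, TGID_i, TSID_j, ts(T4)))
    SK = h(Ru, Rs, TGID_i, TSID_j)
    if h(h(TSID_j, Rs), TGID_i, SK, ts(T4)) != Authsu:
        return None
    return SK


def run_session(now):
    """Honest run with all clocks at `now`; True when GW_i and SD_j agree on SKij."""
    Ru, Rs = secrets.token_bytes(32), secrets.token_bytes(32)
    M1, Authu = gw_step1(Ru, now)
    M2, Auths = sd_step2(Rs, now)
    resp = server_step3(M1, Authu, now, M2, Auths, now, now, now)
    if resp is None:
        return False
    M3, Authtu, Authts = resp
    M4, Authsu, SK_sd = sd_step4(Rs, M3, Authts, now, now)
    return gw_step5(Ru, M4, Authtu, Authsu, now, now) == SK_sd


def replay_rejected():
    """Section 4.1.2: a {M1, Authu, TGIDi, T1} captured at t=100 is refused by S at t=200."""
    M1, Authu = gw_step1(secrets.token_bytes(32), 100)
    M2, Auths = sd_step2(secrets.token_bytes(32), 200)
    return server_step3(M1, Authu, 100, M2, Auths, 200, 200, now=200) is None


def mask_is_session_bound():
    """Section 4.1.4: the mask recovered from one session's M1 does not unmask the next M1."""
    Ru_a, Ru_b = secrets.token_bytes(32), secrets.token_bytes(32)
    M1_a, _ = gw_step1(Ru_a, 100)
    M1_b, _ = gw_step1(Ru_b, 101)
    mask_a = xor(M1_a, Ru_a)         # = h(Xi||XGDi||TGIDi||T1) for T1 = 100
    return xor(M1_b, mask_a) != Ru_b
```

Each verifier recomputes the authenticator with the timestamp it received, so a message whose timestamp has been edited to look fresh fails the hash comparison, while an unedited but old message fails the freshness check first; the window MAX_SKEW should be set no wider than the clock synchronisation between the devices allows.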

4 Security Analysis and Comparison

In this section, we give a security analysis and a comparison to show the security features of our scheme. The analysis shows that the proposed scheme resists impersonation, replay, tracking, man-in-the-middle (MITM), offline password guessing and session key disclosure attacks, and provides perfect forward secrecy. In addition, our scheme ensures user anonymity and mutual authentication. We then compare the computation costs and security features of our scheme with related schemes.

4.1 Security Analysis

4.1.1 Anonymity

In the improved scheme, no real identity is transmitted over the open channel; only the temporary identities TGIDi and TSIDj are transmitted. Suppose an attacker eavesdrops TGIDi and TSIDj from the public channel. The attacker still cannot obtain the true identity IDi of Ui or the true identity SIDj of SDj, because the identity information is protected by the random numbers RUi and RSj, the secret credentials Xi and dj, the shared secret keys XGDi and XSDj and the biometric BIOi through hash and XOR operations. Moreover, since HIDi = h(IDi||RUi) and (dj||RSj) = Cj ⊕ h(XSDj||SIDj), and the attacker cannot obtain HIDi, RUi, dj, RSj, Cj or SIDj, the attacker cannot guess the correct identity. Therefore, the improved scheme provides anonymity.

4.1.2 Replay attack

Since the messages are transmitted over a public channel, an attacker can eavesdrop on or even tamper with them. The attacker may retransmit an intercepted message to the server S or the sensor device SDj in an attempt to mount a replay attack, but this does not succeed because the improved scheme uses timestamps. When S or SDj receives a message, it verifies that the timestamp lies within a reasonable interval of its own clock and terminates the session as soon as it is outside the valid range. Even if the attacker changes the intercepted timestamp to the current time, S or SDj will still terminate the session, because {M1, Authu, M2, Auths, M3, Authtu, Authts, Authsu} are all bound to the timestamps T1, T2, T3, T4: for the modified message not to be rejected, the attacker would have to recompute these values, which requires the random numbers {Ru, Rs}, the true identities {IDi, SIDj}, the shared keys {XGDi, XSDj} and the secret credentials {Xi, dj, RSj}, none of which the attacker can obtain. Therefore, the improved scheme resists the replay attack. This protection relies on the entities' clocks being loosely synchronised, and the acceptance interval should be kept as tight as that synchronisation allows.

4.1.3 Tracking attack

In the improved scheme, the temporary identities TGIDi and TSIDj are transmitted over the open channel, but both are updated in every session, so an attacker who picks them up cannot trace the user. To predict the updated TGIDinew = h(TGIDi||GIDi||XGDi||Ru), the attacker would need GIDi, XGDi and Ru, which are not available. Even if the attacker obtained the random number Ru, XGDi is the key shared by Ui/GWi and S and is known only to them, and by Section 4.1.1 the attacker cannot obtain the real identity GIDi. So, the improved scheme effectively resists the tracking attack.

4.1.4 Impersonation attack

Suppose an attacker tries to impersonate an entity using the messages eavesdropped on the public channel. To generate the request messages {M1, Authu, TGIDi, T1} and {M1, Authu, TGIDi, M2, Auths, TSIDj, T1, T2} or the response messages {M3, Authtu, Authts, T3} and {M4, Authtu, Authsu, T3, T4}, the attacker must know the random numbers Ru and Rs, the shared secret keys XGDi and XSDj, the secret credentials Xi, dj and RSj and the sensor device identity SIDj, none of which are visible to the attacker. Even if a sensor device obtains the random number Ru of one session and derives h(Xi||XGDi||TGIDi||T1) from M1, as in the attack of Section 2.3, this does not help it impersonate another sensor device: the value h(Xi||XGDi||TGIDi||T1) contains the timestamp T1 and therefore changes in every session. Therefore, the improved scheme effectively resists the impersonation attack.

4.1.5 Perfect forward secrecy

Suppose the attacker eavesdrops on the transmitted messages {M1, Authu, TGIDi, T1} and {M2, Auths, TSIDj, T2}. The attacker may then try to compute SKij = h(Ru||Rs||TGIDi||TSIDj), but it cannot obtain the random nonces Ru and Rs. Moreover, even if the session key SKij of one session is compromised, the session keys of previous sessions are not, because Ru and Rs are freshly and randomly generated in each session. Therefore, the improved scheme provides forward secrecy.

4.1.6 Offline password guessing attack

Suppose an attacker tries to guess the real password PWi of the legitimate user Ui from HPWi = h(PWi||RUi). The attacker would need HPWi and RUi, which are only exchanged over the secure channel during registration and are unknown to the attacker. If the attacker extracts the secret parameters {Ai, Bi} from the mobile device's memory and tries to guess PWi from Ai, the attacker must know the user's biometric BIOi, the real identity IDi, the random number RUi and the secret value Xi, none of which the attacker can obtain. Therefore, the attacker cannot correctly guess Ui's real password PWi.

4.1.7 Session key disclosure attack

To obtain the session key SKij, an attacker must obtain the random numbers Ru and Rs. But the random numbers are masked by the secret credentials Xi and dj, shared secret keys XGDi and XSDj with hash and XOR functions. The attacker cannot obtain these values. Therefore, the improved scheme is secure against session key leakage attacks.

4.1.8 MITM attack

An attacker can eavesdrop on the information exchanged through the public channel. However, in order to generate authentication request messages {M1, Authu, TGIDi, T1}, {M1, Authu, TGIDi, M2, Auths, TSIDj, T1, T2} or response messages {M3, Authtu, Authts, T3}, {M4, Authtu, Authsu, T3, T4}, an attacker must know random numbers Ru and Rs, shared secret keys XGDi and XSDj, secret credentials Xi, dj, and RSj and sensor device identity SIDj, but these values are invisible to the attacker. Therefore, the attacker cannot generate authentication messages or reach a session key. So, the improved scheme can effectively resist man-in-the-middle attacks.

4.1.9 Mutual authentication

In the authentication and key agreement phase, all entities authenticate each other. After obtaining the message {M1, Authu, TGIDi, M2, Auths, TSIDj, T1, T2} from SDj, S verifies Auths* =? Auths; if they are equal, S has authenticated SDj. S then verifies Authu* =? Authu; if they are equal, S has authenticated Ui/GWi. After getting the message {M3, Authtu, Authts, T3} from S, SDj verifies Authts* =? Authts; if the verification passes, SDj has authenticated S. After receiving the message {M4, Authtu, Authsu, T3, T4} from SDj, which carries Authtu generated by S, Ui/GWi verifies Authtu* =? Authtu and Authsu* =? Authsu; if both pass, Ui/GWi has authenticated S and SDj and establishes the common session key SKij with SDj.

4.1.10 Stolen verifier attack

In this attack, the attacker steals the information stored in S's database related to Ui and SDj and tries to impersonate the legitimate entity. However, the attackers cannot impersonate the legitimate entity even if they obtain the stored information {Wi, SAj} from S's database because they cannot access the secret information related to Ui and SDj without S's master key Ki. Thus, the stolen verifier attack is not viable in our scheme.

4.2 Comparison

Table 2 shows the execution times of the cryptographic operations, taken from Refs. [1,17]. Tables 3 and 4 compare computation costs and security features, respectively. Table 3 shows that the improved scheme has a lower computation cost than the schemes of Refs. [18,19]. Table 4 compares the security features of the improved scheme with those of the related schemes[15,18,20]. Although the improved scheme has a higher computation cost than Refs. [15,20], it offers better security. Ref. [21] also has good security properties, but its computation cost is higher than that of our scheme. Thus, the improved scheme is suitable for TMIS environments.

Table 2

Execution time

Table 3

Computation cost comparison (unit:s)

Table 4

Security features of different schemes

5 Conclusion

This paper shows that Yu et al's scheme is vulnerable to replay, tracking and impersonation attacks. To overcome these flaws, we propose an improved authentication scheme for the telecare medical information system environment. Our security analysis shows that the improved scheme resists impersonation, replay, tracking, MITM and offline password guessing attacks, and provides user anonymity, mutual authentication and perfect forward secrecy. The improved scheme also offers lower computation costs and better security than related existing schemes. Therefore, the improved scheme is applicable to TMIS environments.

References

1. Ryu J, Oh J, Kwon D, et al. Secure ECC-based three-factor mutual authentication protocol for telecare medical information system[J]. IEEE Access, 2022, 10: 11511-11526.
2. Li R, Kang B Y, Mai K Q. Analysis and improvement on a Hash-based authentication scheme for multi-server architecture[J]. Wuhan University Journal of Natural Sciences, 2021, 26(5): 394-404.
3. Du J Q, Kang B Y, Han Y B. Improvement on a biometric based user authentication scheme in wireless sensor networks using smart cards[J]. Wuhan University Journal of Natural Sciences, 2020, 25(2): 155-161.
4. Kang B Y, Du J Q, Si L, et al. Analysis and improvement on a mobile payment protocol with outsourced verification in cloud service[J]. Wuhan University Journal of Natural Sciences, 2019, 24(3): 223-228.
5. Radhakrishnan N, Muniyandi A P. Dependable and provable secure two-factor mutual authentication scheme using ECC for IoT-based telecare medical information system[J]. Journal of Healthcare Engineering, 2022, 2022: 9273662.
6. Shamshad S, Ayub M F, Mahmood K, et al. An identity-based authentication protocol for the telecare medical information system (TMIS) using a physically unclonable function[J]. IEEE Systems Journal, 2022, 16(3): 4831-4838.
7. Tanveer M, Alkhayyat A, Chaudhry S A, et al. REAS-TMIS: Resource-efficient authentication scheme for telecare medical information system[J]. IEEE Access, 2022, 10: 23008-23021.
8. Chen Y L, Chen J H. An efficient and privacy-preserving mutual authentication with key agreement scheme for telecare medicine information system[J]. Peer-to-Peer Networking and Applications, 2022, 15(1): 516-528.
9. Zhai X Y, Wang J. A multi-server biometric authentication scheme based on extended chaotic map for telecare medical information system[J]. Multimedia Tools and Applications, 2022, 81(28): 40159-40179.
10. Chen Y L, Chen J H. A biometrics-based mutual authentication and key agreement protocol for TMIS using elliptic curve cryptography[J]. Multimedia Tools and Applications, 2023, 82(11): 16009-16032.
11. Chaudhry S A, Naqvi H, Shon T, et al. Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems[J]. Journal of Medical Systems, 2015, 39(6): 66.
12. Qiu S M, Xu G A, Ahmad H, et al. A robust mutual authentication scheme based on elliptic curve cryptography for telecare medical information systems[J]. IEEE Access, 2017, 6: 7452-7463.
13. Gupta A, Tripathi M, Shaikh T J, et al. A lightweight anonymous user authentication and key establishment scheme for wearable devices[J]. Computer Networks, 2019, 149: 29-42.
14. Hajian R, ZakeriKia S, Erfani S H, et al. SHAPARAK: Scalable healthcare authentication protocol with attack-resilience and anonymous key-agreement[J]. Computer Networks, 2020, 183: 107567.
15. Yu S, Park K. SALS-TMIS: Secure, anonymous, and lightweight privacy-preserving scheme for IoMT-enabled TMIS environments[J]. IEEE Access, 2022, 10: 60534-60549.
16. Dolev D, Yao C C. On the security of public key protocols[C]// Symposium on Foundations of Computer Science. New York: IEEE, 1981.
17. Lee S, Kim S, Yu S, et al. Provably secure PUF-based lightweight mutual authentication scheme for wireless body area networks[J]. Electronics, 2022, 11(23): 3868.
18. Wang Y B, Liu W R, Li B. An improved authentication protocol for smart healthcare system using wireless medical sensor network[J]. IEEE Access, 2021, 9: 105101-105117.
19. Lee J Y, Oh J, Park Y. A secure and anonymous authentication protocol based on three-factor wireless medical sensor networks[J]. Electronics, 2023, 12(6): 1368.
20. Gupta A, Tripathi M, Muhuri S, et al. A secure and lightweight anonymous mutual authentication scheme for wearable devices in Medical Internet of Things[J]. Journal of Information Security and Applications, 2022, 68: 103259.
21. Wu T Y, Wang T, Lee Y Q, et al. Improved authenticated key agreement scheme for fog-driven IoT healthcare system[J]. Security and Communication Networks, 2021, 2021: 6658041.
