Analysis and Improvement of a Privacy-Preserving Authentication Scheme for Telecare Medical Information System Environment

Abstract: Telecare Medical Information System (TMIS) can provide various telemedicine services to patients. However, information is communicated over an open channel, where an attacker may intercept, replay, or modify it. Therefore, many authentication schemes have been proposed to provide secure communication for TMIS. Recently, Yu et al. proposed a privacy-preserving authentication scheme for Internet of Medical Things (IoMT)-enabled TMIS environments. They emphasize that their scheme is resistant to various attacks and ensures anonymity. Unfortunately, this paper demonstrates that Yu et al.'s scheme is vulnerable to impersonation attacks, replay attacks, and tracking attacks and cannot achieve mutual authentication. To overcome the shortcomings of Yu et al.'s scheme, we mainly improve the authentication and key agreement process and propose a corresponding improved scheme. We also compare the improved scheme with several existing authentication schemes in terms of security and computational efficiency.


Introduction
With the rapid development of network and information technology, the Telecare Medical Information System (TMIS) provides an efficient and convenient connection between patients and medical servers. Patients can collect their physiological data, such as blood glucose, blood pressure, body temperature, and heart rate, through wearable sensor devices (smart wristbands or sensors deployed in or on the body, etc.) and access medical services through public networks at any time and place. While providing this convenience, protecting the patient's privacy and providing security in TMIS is imperative. In TMIS, the telecare server maintains patients' confidential and medical information, including identity, password, and electronic medical records [1]. Only legitimate patients may access their medical information, so as to protect their privacy and the confidentiality of medical information. Since the communication is transmitted over a public channel, the transmitted data can be intercepted or even tampered with by a malicious attacker. When a patient's transmitted information is tampered with, doctors are likely to make a wrong diagnosis and choose a wrong treatment modality. All of this can cause irreversible harm to the patient and may threaten the patient's life. Therefore, ensuring secure information transmission is a central issue in TMIS. Fortunately, authentication schemes can ensure privacy and secure communication between the patients and the remote servers, providing good anonymity and privacy protection for the patients. Authentication schemes are likewise used in many other areas to ensure secure communication [2][3][4]. So far, many authentication and key agreement schemes have been proposed for TMIS [5][6][7][8][9][10].
In 2015, Chaudhry et al. [11] proposed an improved two-factor authentication scheme for telecare medical information systems. However, Qiu et al. [12] remarked that Chaudhry et al.'s scheme [11] is prone to offline password guessing attack, user/server impersonation attack, and man-in-the-middle attack, and proposed a mutual authentication scheme based on elliptic curve cryptography for TMIS. In 2019, Gupta et al. [13] proposed a lightweight anonymous user authentication scheme for TMIS based only on simple XOR and a one-way cryptographic hash function. However, Hajian et al. [14] proved that Gupta et al.'s scheme [13] is vulnerable to desynchronization attack, compromised wearable device attack, compromised gateway attack, offline guessing attack, and privileged insider attack. Subsequently, Hajian et al. [14] proposed a scalable healthcare authentication scheme with attack resilience and anonymous key agreement (SHAPARAK). In 2022, Yu et al. [15] proved that SHAPARAK [14] suffers from many security drawbacks, such as man-in-the-middle (MITM), impersonation, and session key disclosure attacks. Yu et al. [15] proposed a three-factor-based privacy-preserving scheme for IoMT-enabled TMIS environments (SALS-TMIS) to resolve the security flaws of SHAPARAK [14]. We prove that Yu et al.'s scheme [15] is vulnerable to replay attacks, tracking attacks, and impersonation attacks. Moreover, Yu et al.'s scheme [15] does not provide mutual authentication. Therefore, we propose an improved privacy-preserving authentication scheme for the telecare medical information system environment to resolve the security flaws of Yu et al.'s scheme [15]. Our improved scheme has good user anonymity and security and can resist all the attacks discussed above.
The rest of the paper is organized as follows. In Section 1, we briefly review Yu et al.'s scheme. In Section 2, we analyze its weaknesses. The improved scheme is proposed in Section 3. Security analysis and comparisons are given in Section 4. Finally, the article is concluded in Section 5.

Review of Yu et al.'s Scheme
This section reviews Yu et al.'s scheme [15]. It is a three-factor authentication scheme for TMIS, which includes the registration phase for the user and sensor device, the login and authentication phase, and the password change phase. For the sake of brevity, the password and biometric update phase is not reviewed here. Table 1 lists the notations used in this paper.

System Setup Process
This process includes the sensor device and the gateway setup processes. S registers SD j and assigns the secret credentials to it. S chooses a sensor device's temporal identity TSID j , a sensor device's identity SID j , and a shared secret key X SD j for each SD j . Then, S stores {TSID j , SID j , X SD j } in the memory of each SD j . After that, S stores {TSID j , SID j , X SD j , h(•)} in a secure database. To register a GW i , S chooses a shared secret key X GD i , a gateway's identity GID i , and a temporal identity TGID i for each GW i , and then stores {TGID i , GID i , X GD i , h(•)} in the memory of GW i . After that, S stores {TGID i , GID i , X GD i , h(•)} in a secure database.

User registration process
The user (U i /GW i ) must register with the TMIS Server (S) to access the medical services. This process is described in detail as follows:
Step 1 The user U i /GW i selects an ID i , PW i , and generates a random number RU i . Then U i /GW i computes
Step 2 Upon receiving the message, S computes
S sends {X i } to U i through a secure channel. Finally, S computes W i = E K i ( X i || HID i ) and stores {W i } in a secure database.
Step 3 After receiving the message, the user imprints a biometric BIO i and computes
Finally, U i /GW i stores {A i , B i } in the memory.
Sensor device process
SD j must register with S to access healthcare services. This process is described in detail as follows:
Step 1 SD j first generates a random number RS j and computes SI j = h(TSID j ||SID j ||RS j ). After that, SD j sends {SI j , TSID j , N j } to GW i via a public channel.
Step 2 After getting the message, GW i computes
Step 3 Upon getting the message, S computes
Then, S sends {f j , TS j , f i , TU i } to GW i via a public channel. Finally, S encrypts SA j = E K i ( RS j ) and then stores {SA j } in a secure database.
Step 4 After getting the message, GW i computes
the SD j and then stores {TSID j } in the memory.
Step 5 Upon getting the message, SD j computes d j = ) and then stores {C j } in the memory.

Authentication and Key Agreement Process
The registered GW i and SD j perform mutual authentication with S to establish a common session key between GW i and SD j . All messages are transmitted through a public channel. The detailed descriptions are as follows:
Step 1 U i inputs a unique ID i , PW i , and imprints BIO i into GW i . Then, GW i computes
nates the current session; otherwise, it generates a random nonce R u and computes
After that, GW i sends {M 1 , Auth u , TGID i } to SD j through a public channel.
Step 2 After obtaining the message, SD j computes (d j ||RS j ) = C j ⊕ h(X SD j ||SID j ). After that, SD j generates a random nonce R s and computes
Step 3 Upon getting the message, S retrieves {W i , SA j } in a secure database. After that, S decrypts RS j = D K i ( SA j ) and computes
S terminates the current session; otherwise it computes
Then, S sends {M 3 , Auth tu , Auth ts } to SD j through a public channel.
Step 4 After obtaining the message, SD j computes
, and verifies whether Auth
) and updates TSID j with TSID new j .
Finally, SD j sends {M 4 , Auth tu , Auth su } to GW i .
Step 5 , and then verifies whether Auth * su = ?Auth su . If it is correct, GW i updates TSID j with TSID new j in the memory. Consequently, the mutual authentication between each entity is successful, and a common session key is established between GW i and SD j .

Flaws of Yu et al.'s Scheme
In this section, based on the Dolev-Yao (DY) threat model [16], we show the security flaws of Yu et al.'s scheme [15], namely the replay attack, tracking attack, and fake sensor (sensor impersonation) attack against Yu et al.'s scheme [15]. Moreover, Yu et al.'s scheme [15] does not provide mutual authentication.

Replay Attack
During the authentication and key agreement phase, information is transmitted over the public channel; a malicious attacker can intercept the message {M 1 , Auth u , TGID i } sent by the user (U i /GW i ) and resend this message to the sensor device (SD j ). SD j gets the message and computes (d j ||RS j ) = C j ⊕ h(X SD j ||SID j ). SD j then generates the random number R' s and computes , and sends the message {M 1 , Auth u , TGID i , M' 2 , Auth' s , TSID new j } to the TMIS Server (S). After S receives the message, it retrieves {W i , SA j } in its database. After that, S decrypts RS j = D K i ( SA j ) and computes , and then S checks whether Auth' s * = ?Auth' s . These two values are equal, and the verification passes. S calculates
Then S checks whether Auth * u = ?Auth u . At this point Auth * u = Auth u , because it is the intercepted real message sent by the user (U i /GW i ), so the verification passes. Hence, the replay attack is successful.

Tracking Attacks
Since malicious attackers are ubiquitous, during the authentication and key agreement phase an attacker intercepts the message {M 1 , Auth u , TGID i } sent by U i /GW i and the message {M 1 , Auth u , TGID i , M 2 , Auth s , TSID j } sent by SD j . The TGID i in these two messages is invariable across sessions. Consequently, the attacker can tell that a message is from the same user. Hence, the attacker can track the user.

Sensor Impersonation Attacks
When a user U i /GW i authenticates with a sensor device SD j to establish a session key, SD j can obtain U i /GW i 's random number R u , and get h(X i ||X GD i ||TGID i ) from M 1 . In the next session, when this user U i /GW i authenticates with another sensor SD k , the sensor device SD j of the last session can play the role of an attacker to impersonate SD k and reach a session key with the user U i /GW i . The specific attack process is as follows.
After user U i /GW i authenticates with SD j to establish the session key, SD j obtains the
Since X GD i and TGID i are constant, the value of h(X i ||X GD i ||TGID i ) is constant. This shows that SD j obtains a critical secret value of U i /GW i .
In the next session, assume user U i /GW i authenticates with sensor device SD k , and U i /GW i sends the message {M' 1 , Auth' u , TGID i } to SD k . SD k receives the message from U i and sends a message to server S. Server S receives the message from SD k and sends {M 3 , Auth tu , Auth ts } to SD k . In the process described above, SD j can intercept TGID i , TSID k , M' 1 , Auth tu from these messages. Since the value of TGID i is constant in any session, SD j can identify the user
Then SD j picks a random number R * s , and then calculates
Then, SD j sends the message {M * 4 , Auth tu , Auth * su } to the user U i /GW i . After receiving the message, U i /GW i verifies Auth * tu = ?Auth tu and the authentication will pass.
ik ) and verifies Auth * su * = ?Auth * su , and the authentication can pass. U i /GW i replaces TSID k in memory with TSID new k * . SD j successfully impersonates the sensor device SD k and establishes a session key SK ik with U i /GW i .

The Scheme does not Achieve Mutual Authentication
Based on Section 2.3, the attacker successfully impersonates SD k and makes U i /GW i update the TSID k of SD k with TSID new k * . But TSID new k * ≠ TSID new k : TSID new k * is set by the attacker SD j , whereas TSID new k is set by the TMIS server (S). The next time U i /GW i tries to contact SD k , it cannot reach the target SD k because it holds the wrong temporary identity TSID new k * for SD k ; the scheme eventually fails and does not achieve mutual authentication.

Improved Scheme
In this section, we propose an improved secure and anonymous privacy-preserving authentication scheme to resolve the shortcomings of Yu et al.'s scheme [15]. The improved scheme consists of three phases: the user registration phase, the sensor registration phase, and the authentication and key agreement phase. The setup phase and the user and sensor device registration phases are the same as those of Yu et al.'s scheme [15]; we mainly improve the authentication and key agreement phase.
The registered GW i and SD j perform mutual authentication with S to establish a common session key between GW i and SD j . All messages are transmitted through a public channel. In Fig. 1, we present the authentication and key agreement of the improved scheme. The detailed descriptions of this phase are as follows:
Step 1 U i inputs a unique ID i , PW i , and imprints BIO i into GW i . Then, GW i computes
and checks whether B
nates the current session; otherwise, it generates a random nonce R u and the current timestamp
After that, GW i sends {M 1 , Auth u , TGID i , T 1 } to SD j through a public channel.
Step 2 After obtaining the message, SD j computes (d j ||RS j ) = C j ⊕ h(X SD j ||SID j ). After that, SD j generates a random nonce R s and the current timestamp
and then sends
Step 3 Upon getting the message, S retrieves {W i , SA j } in a secure database by TGID i and TSID j . After that, S decrypts RS j = D K i ( SA j ) and computes
and then checks whether Auth * s = ?Auth s . If it is not valid, S aborts the current session. Otherwise, it decrypts . and then checks whether Auth * u = ?Auth u . If it is not equal, S terminates the current session; otherwise it generates the current timestamp T 3 and computes . Then S sends {M 3 , Auth tu , Auth ts , T 3 } to SD j through a public channel. S updates TSID j with TSID new j and updates TGID i with TGID new i in the memory.
Step 4 After obtaining the message, SD j computes
and verifies whether Auth * ts = ?Auth ts . If it is correct, SD j generates the current timestamp T 4 and computes
and updates TSID j with TSID new j . Finally, SD j sends {M 4 , Auth tu , Auth su , T 3 , T 4 } to GW i .
Step 5 Upon getting the message, GW i computes Auth * tu = h(TGID i ||HID i ||X GD i ||X i ||R u ||T 3 ) and checks whether Auth * tu = ?Auth tu . If it is not valid, GW i aborts the current session; otherwise it computes , and then verifies whether Auth * su = ?Auth su . If it is correct, GW i updates TSID j with TSID new j and updates TGID i with TGID new i in the memory. Consequently, the mutual authentication between each entity is successful, and a common session key is established between GW i and SD j .

Security Analysis and Comparison
In this section, we conduct a security analysis and comparison to demonstrate that our scheme provides various security features. Through the analysis, our proposed scheme prevents multiple security attacks, including impersonation attack, replay attack, tracking attack, MITM attack, offline password guessing attack, and session key disclosure attack, and provides perfect forward secrecy. In addition, our scheme ensures user anonymity and mutual authentication. We compare our scheme's computation costs and security features with those of the related schemes.

Anonymity
In the improved scheme, on the one hand, no real identity is transmitted over the open channel; only the temporary identities TGID i and TSID j are transmitted. On the other hand, suppose an attacker eavesdrops on TGID i and TSID j from the public channel. Even so, the attacker cannot obtain the true identity ID i of U i and the true identity SID j of SD j , because the identity information is protected by the random numbers RU i and RS j , the secret credentials X i and d j , the shared secret keys X GD i and X SD j , and the biometric BIO i through hash and XOR functions. Moreover, the attacker cannot guess the correct identity: since HID i = h(ID i ||RU i ) and (d j ||RS j ) = C j ⊕ h(X SD j ||SID j ), the attacker cannot gain HID i , RU i , d j , RS j , C j , or SID j . Therefore, the improved scheme provides anonymity.

Replay attack
Since the messages are transmitted over a public channel, an attacker can eavesdrop on or even tamper with them. The attacker may try to retransmit an intercepted message to server S or sensor device SD j in an attempt to perform a replay attack, but this will not succeed because the improved scheme uses timestamps. When server S or sensor device SD j receives the message, it verifies that the timestamp is within a reasonable interval and terminates the session as soon as it is outside the valid range. Even if the attacker modifies the intercepted timestamp to the current time, server S or sensor device SD j will still terminate the session, because the transmitted values {M 1 , Auth u , M 2 , Auth s , M 3 , Auth tu , Auth ts , Auth su } all incorporate the timestamps T 1 , T 2 , T 3 , T 4 . For the replayed message not to be rejected, the attacker would have to recompute {M 1 , Auth u , M 2 , Auth s , M 3 , Auth tu , Auth ts , Auth su }, which requires the random numbers {R u , R s }, the true identities {ID i , SID j }, the shared keys {X GD i , X SD j }, and the secret credentials {X i , d j , RS j }; there is no way for the attacker to obtain these values. Therefore, the improved scheme can resist the replay attack.
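The server-side check described above, as an added example that is not part of the paper: GW i builds the first message {M 1 , Auth u , TGID i , T 1 } and S rejects both a stale replay and a replay whose T 1 was rewritten to the current time. The exact composition of M 1 and Auth u is assumed here (R u masked with h(X i ||X GD i ||TGID i ||T 1 ), and Auth u a hash over the credentials, R u and T 1 ), consistent with the text but not spelled out in it; SHA-256 stands in for h(•) and ΔT is an assumed value.

```python
import hashlib
import os
import time

# Assumed maximum transmission delay (seconds); the paper's Table 1 lists the
# symbol but no value.
DELTA_T = 5


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its inputs (SHA-256 stand-in)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gateway_build_request(creds: dict, now: int) -> dict:
    """GW_i: fresh nonce R_u, timestamp T_1, masked nonce M_1 and authenticator Auth_u.

    Assumed shapes: M_1 = R_u XOR h(X_i||X_GD_i||TGID_i||T_1),
    Auth_u = h(HID_i||X_i||X_GD_i||TGID_i||R_u||T_1).
    """
    r_u = os.urandom(32)
    t_1 = str(now).encode()
    mask = h(creds["X_i"], creds["X_GD"], creds["TGID"], t_1)
    m_1 = xor(r_u, mask)
    auth_u = h(creds["HID"], creds["X_i"], creds["X_GD"], creds["TGID"], r_u, t_1)
    return {"M_1": m_1, "Auth_u": auth_u, "TGID": creds["TGID"], "T_1": t_1}


def server_verify_request(db: dict, msg: dict, now: int) -> str:
    """S: freshness window first, then recompute Auth_u from the stored secrets."""
    if abs(now - int(msg["T_1"])) > DELTA_T:
        return "reject: stale timestamp"
    rec = db.get(msg["TGID"])
    if rec is None:
        return "reject: unknown TGID"
    # Unmask R_u with the same timestamp-bound mask GW_i used.
    mask = h(rec["X_i"], rec["X_GD"], msg["TGID"], msg["T_1"])
    r_u = xor(msg["M_1"], mask)
    expected = h(rec["HID"], rec["X_i"], rec["X_GD"], msg["TGID"], r_u, msg["T_1"])
    if expected != msg["Auth_u"]:
        return "reject: Auth_u mismatch"
    return "accept"


def demo() -> tuple:
    """Fresh request, stale replay, and replay with T_1 rewritten to 'now'."""
    # Constructed registration state shared by GW_i and S (random stand-in values).
    creds = {"X_i": os.urandom(32), "X_GD": os.urandom(32),
             "TGID": os.urandom(16), "HID": h(b"ID_i", os.urandom(16))}
    db = {creds["TGID"]: creds}
    t0 = int(time.time())
    msg = gateway_build_request(creds, t0)
    fresh = server_verify_request(db, msg, t0 + 1)
    # Same message replayed 60 s later: T_1 falls outside the window.
    stale = server_verify_request(db, msg, t0 + 60)
    # T_1 patched to the current time: M_1 and Auth_u still bind the old T_1.
    patched = dict(msg, T_1=str(t0 + 60).encode())
    rewritten = server_verify_request(db, patched, t0 + 60)
    return fresh, stale, rewritten


if __name__ == "__main__":
    print(demo())
```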

Tracking attack
In the improved scheme, the temporary identities TGID i and TSID j are transmitted over the open channel. But TGID i and TSID j are updated in each session and cannot be traced even if an attacker picks them up. To learn the updated TGID i , where TGID new i = h(TGID i ||GID i ||X GD i ||R u ), the attacker must obtain GID i , X GD i , and R u , and these are not available. Even if the attacker obtains the random number R u , X GD i is the shared key of U i and S and only U i and S know it, and from Section 4.1.1 the attacker cannot obtain the real identity GID i . So, the improved scheme can effectively resist the tracking attack.

Impersonation attack
Suppose an attacker tries to perform impersonation by eavesdropping on the messages transmitted over the public channel. However, in order to generate the authentication request messages {M 1 , Auth u , TGID i , T 1 }, {M 1 , Auth u , TGID i , M 2 , Auth s , TSID j , T 1 , T 2 } or the response messages {M 3 , Auth tu , Auth ts , T 3 }, {M 4 , Auth tu , Auth su , T 3 , T 4 }, an attacker must know the random numbers R u and R s , the shared secret keys X GD i and X SD j , the secret credentials X i , d j and RS j , and the sensor device identity SID j , but these values are invisible to the attacker. Even if an attacker obtains the random number R u and derives h(X i ||X GD i ||TGID i ||T 1 ) from M 1 in an attempt to impersonate the sensor device, this approach is not feasible: because h(X i ||X GD i ||TGID i ||T 1 ) contains the timestamp T 1 , its value changes in each session. Therefore, the improved scheme can effectively resist the impersonation attack.

Perfect forward secrecy
Suppose the attacker eavesdrops on the transmitted message {M 1 , Auth u , TGID i , M 2 , TSID j , T 2 }. Then, an attacker can attempt to calculate SK ij = h(R u ||R s ||TGID i ||TSID j ). But an attacker cannot obtain the random nonces R u and R s . Even if the session key SK ij of this communication is compromised, it will not compromise the session key of the previous communication, because the random numbers R u and R s in the session key are freshly generated. Therefore, the improved scheme has excellent forward security.
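Added example (not the paper's code) for the tracking and impersonation analyses above: it contrasts the session-invariant value h(X i ||X GD i ||TGID i ) a sensor can derive from M 1 in Yu et al.'s scheme with the timestamp-bound h(X i ||X GD i ||TGID i ||T 1 ) of the improved scheme, and shows the pseudonym rotation TGID new i = h(TGID i ||GID i ||X GD i ||R u ). That M 1 is R u XOR the mask is an assumption consistent with the text; SHA-256 stands in for h(•) and all secrets are constructed random values.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its inputs (SHA-256 stand-in)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_yu(x_i: bytes, x_gd: bytes, tgid: bytes) -> bytes:
    """Mask on R_u in Yu et al.'s scheme: depends only on long-lived values."""
    return h(x_i, x_gd, tgid)


def mask_improved(x_i: bytes, x_gd: bytes, tgid: bytes, t_1: bytes) -> bytes:
    """Mask on R_u in the improved scheme: additionally bound to the timestamp T_1."""
    return h(x_i, x_gd, tgid, t_1)


def mask_reusable_across_sessions(scheme: str) -> bool:
    """Does the mask a sensor learns in session 1 (M_1 XOR R_u) unmask R_u in session 2?

    A sensor that completed a legitimate session knows R_u for that session and
    therefore the mask; the question is whether the mask is still valid later.
    """
    x_i, x_gd, tgid = os.urandom(32), os.urandom(32), os.urandom(16)
    r_u1, r_u2 = os.urandom(32), os.urandom(32)
    t_1, t_2 = b"1700000000", b"1700000100"  # constructed timestamps
    if scheme == "yu":
        m_1 = xor(r_u1, mask_yu(x_i, x_gd, tgid))
        m_2 = xor(r_u2, mask_yu(x_i, x_gd, tgid))
    elif scheme == "improved":
        m_1 = xor(r_u1, mask_improved(x_i, x_gd, tgid, t_1))
        m_2 = xor(r_u2, mask_improved(x_i, x_gd, tgid, t_2))
    else:
        raise ValueError(scheme)
    learned_mask = xor(m_1, r_u1)          # what session 1 revealed to the sensor
    return xor(m_2, learned_mask) == r_u2  # True only if the mask did not change


def next_tgid(tgid: bytes, gid: bytes, x_gd: bytes, r_u: bytes) -> bytes:
    """TGID_new_i = h(TGID_i||GID_i||X_GD_i||R_u), derived by both GW_i and S."""
    return h(tgid, gid, x_gd, r_u)


def observed_tgids(sessions: int = 3) -> list:
    """The TGID_i values an eavesdropper sees over consecutive sessions of one user."""
    tgid, gid, x_gd = os.urandom(16), b"GID_i", os.urandom(32)
    seen = []
    for _ in range(sessions):
        seen.append(tgid)
        tgid = next_tgid(tgid, gid, x_gd, os.urandom(32))  # fresh R_u each session
    return seen


if __name__ == "__main__":
    print("Yu mask reusable:", mask_reusable_across_sessions("yu"))
    print("Improved mask reusable:", mask_reusable_across_sessions("improved"))
    print("distinct pseudonyms:", len(set(observed_tgids())))
```

Linking two observed TGID i values would require recomputing next_tgid, which needs GID i , X GD i and R u ; an eavesdropper holds none of them.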

Offline password guessing attack
Suppose an attacker tries to guess the real password PW i of the legitimate user U i based on HID i ; the attacker must then know RU i and HID i , but these two values are unknown to the attacker. If the attacker extracts all the secret parameters {A i , B i } from the mobile device's memory and tries to guess PW i based on A i , the attacker must know the user's unique biometric BIO i , the real identity ID i , the random number RU i , and the secret value X i . Because the attacker has no way to obtain U i 's biometric BIO i , identity ID i , random number RU i , or secret value X i , it is impossible for the attacker to correctly guess U i 's real password PW i .

Session key disclosure attack
To obtain the session key SK ij , an attacker must obtain the random numbers R u and R s . But the random numbers are masked by the secret credentials X i and d j and the shared secret keys X GD i and X SD j through hash and XOR functions, and the attacker cannot obtain these values. Therefore, the improved scheme is secure against session key disclosure attacks.

MITM attack
An attacker can eavesdrop on the information exchanged over the public channel. However, in order to generate the authentication request messages {M 1 , Auth u , TGID i , T 1 }, {M 1 , Auth u , TGID i , M 2 , Auth s , TSID j , T 1 , T 2 } or the response messages {M 3 , Auth tu , Auth ts , T 3 }, {M 4 , Auth tu , Auth su , T 3 , T 4 }, an attacker must know the random numbers R u and R s , the shared secret keys X GD i and X SD j , the secret credentials X i , d j , and RS j , and the sensor device identity SID j , but these values are invisible to the attacker. Therefore, the attacker can neither generate valid authentication messages nor reach a session key. So, the improved scheme can effectively resist man-in-the-middle attacks.

Mutual authentication
In the process of mutual authentication and key agreement, all entities of the scheme successfully authenticate each other. After obtaining the messages {M

Table 3 Computation cost comparison (rows: Wang et al.'s scheme [15], Lee et al.'s scheme [16], Gupta et al.'s scheme [17], Wu et al.'s scheme [18], Yu et al.'s scheme [12]; the cost values did not survive extraction)
ter security functionalities. Ref. [21] also has good safety properties, but its computational cost is higher than that of our scheme. Thus, the improved scheme is suitable for TMIS environments.

Conclusion
This paper shows that Yu et al.'s scheme is vulnerable to replay attacks, tracking attacks, and impersonation attacks. To overcome the security flaws of their scheme, we propose an improved authentication scheme for the telecare medical information system environment. We conducted a security analysis to demonstrate that the improved scheme can prevent various security attacks, including impersonation attack, replay attack, tracking attack, MITM attack, and offline password guessing attack, and provides user anonymity, mutual authentication, and perfect forward secrecy. The improved scheme also offers lower computation costs and better security than the related existing schemes. Therefore, the improved scheme is applicable to TMIS environments.
Table 1 Notations (the symbol column did not survive extraction; descriptions in order): GW i 's identity, U i 's identity, SD j 's identity, U i 's identity, U i 's biometric, common session key between GW i and SD j , S's master key, shared secret key between GW i and S, shared secret key between SD j and S, encryption and decryption, maximum transmission delay, one-way hash function, bitwise XOR operation, concatenation operation.

Fig. 1 Authentication and key agreement phase of the proposed scheme

Step 5 Upon getting the message, GW i computes Auth * tu = h(TGID i ||HID i ||X GD i ||X i ||R u ) and checks whether Auth * tu = ?Auth tu . If it is not valid, GW i aborts the current session; otherwise it computes

1 , Auth u , TGID i , M 2 , Auth s , TSID j , T 1 , T 2 } of SD j , S verifies . After getting the message {M 3 , Auth tu , Auth ts , T 3 } from S, SD j verifies whether Auth * ts = ?Auth ts . If the verification passes, SD j authenticates S. After receiving the messages {M 4 , Auth tu , Auth su , T 4 } from SD j and S, U i /GW i verifies that Auth * tu = ?Auth tu and Auth * su = ?Auth su . If the authentication passes, U i /GW i authenticates SD j and S and establishes a common session key SK ij with SD j .

Stolen verifier attack
In this attack, the attacker steals the information stored in S's database related to U i and SD j and tries to impersonate the legitimate entity. However, the attack-

? Auth u . If equal, S authenticates U i /GW i . And S verifies that Auth * s = ?Auth s . If equal, S authenticates SD j .