Kumar Morteza
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2019.2905731, IEEE Access
ABSTRACT Recently, Ostad-Sharif et al. pointed out the susceptibility of three different authentication schemes designed for telecare medicine/medical information systems (TMIS) to the key compromise impersonation attack (KCIA). To further address this issue, they proposed an ECC-based authentication and key generation scheme for healthcare applications. In this work, we show that Ostad-Sharif et al.’s scheme is not only vulnerable to the key compromise impersonation attack but also suffers from a key compromise password guessing attack. Several papers have been published by researchers applying KCIA to existing authentication protocols. Before any further move in research in this direction, researchers must reflect on KCIA. We conclude this article with a rigorous analysis of KCIA along with two questions for the research community working in this field to ponder.
I. INTRODUCTION
Telecare medicine/medical information systems (TMIS) are systems dedicated to provide online healthcare services. It is playing an important role in upgrading the traditional time consuming healthcare system to a smart healthcare system with the use of information and communication technology (ICT). As these systems are entirely based on Internet, an open medium, security and privacy are major concerns for their viability. The issue of security and privacy is well addressed by the authentication and key agreement schemes.

Recently, Ostad-Sharif et al. [1] pointed out key compromise impersonation attack in authentication schemes designed by Giri et al. [2], Amin and Biswas [3], and Arshad and Rasoolzadegan [4] for telecare medicine/medical information systems (TMIS). In succession, Ostad-Sharif et al. [1] also proposed an authentication scheme for healthcare applications. In this paper, we show that their scheme is also susceptible to key compromise impersonation attack. The worst case is that in their scheme the key compromise impersonation attack leads to password guessing attack.

II. NOTATIONS AND PICTORIAL REVIEW OF OSTAD-SHARIF ET AL.’S SCHEME

A. NOTATIONS AND DESCRIPTION

TABLE I THE NOTATIONS WITH DESCRIPTION
Notations              Description
pi                     Patient
S                      Server
E                      Attacker
idp, pwp               Identity/password of patient
idm                    Identity of patient’s mobile device
x                      Server’s master secret key
rp, up                 Random numbers generated at the patient end during registration phase
ns                     Random number generated at the server end during registration phase
np                     Random number generated at the patient end during login-authentication phase
nss, nsnew             Random numbers generated at the server end during login-authentication phase
tp                     Current timestamp at the patient side
sk                     Session key agreed between patient and server
P                      Base point on a suitably chosen elliptic curve
h0(.), h1(.), h2(.)    One-way hash functions
⊕                      Bitwise XOR operator
||                     Concatenation operator
FIGURE 1. User registration, login & authentication phases of Ostad-Sharif et al.’s scheme.
2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
III. QUESTIONING KEY COMPROMISE ATTACK ON OSTAD-SHARIF ET AL.’S SCHEME
In this section, we show that Ostad-Sharif et al.’s scheme suffers from key compromise impersonation attack and key compromise password guessing attack.

A. KEY COMPROMISE IMPERSONATION ATTACK
An attacker E possessing the secret key x of the server S intercepts the login message {tokenppw, eidp, Xp, vp, vppw, tp} of pi from public channel and reads the value of tokenppw. E computes (idp||ns) = decx(eidp) and uses the retrieved idp to obtain user specific details {idp, idm, dp} from the stolen registration table of the database of S. E computes ap = h0(idm||idp||x), generates a random number nep and computes Xep = h0(idm||idp||nep)P where P is public value. For tokenppw = 0, E computes vep = h0(ap||Xep||xP||tep||tokenppw) with current timestamp tep. For tokenppw >= 1, E computes xpwp = dp ⊕ h1(ap) and veppw = h0(ap||Xep||xP||tep||xpwp||tokenppw). E sends {tokenppw, eidp, Xep, vep, veppw, tep} as a login message to S in order to act as the legal user pi. Clearly, the login message {tokenppw, eidp, Xep, vep, veppw, tep} will be entertained by S as tep is the current timestamp; eidp contains the valid identity idp of pi; Xep contains the valid identity idp of pi, the valid identity idm of the mobile device of pi, and fresh random number nep; further vep and veppw are computed with the exact session key x of S, valid value of ap and also according to the value of tokenppw being sent. Thus, the server will believe that the received message is from the legitimate patient pi and hence the attacker is able to impersonate as patient.

B. KEY COMPROMISE PASSWORD GUESSING ATTACK
Suppose that an attacker E, possessing the compromised secret key x of the server, obtains the mobile device of patient pi. E can procure the parameters {eidp, bp, cp, rp, up, tokenppw} stored inside the mobile device [5, 6]. Then E can guess the password of pi in any of the following ways.

E computes (idp||ns) = decx(eidp) to obtain idp, makes a guess idm* for identity of the mobile device of pi and computes ap* = h0(idm*||idp||x), opwp* = bp ⊕ ap*, h1(opwp*), h1(opwp) = cp ⊕ xP, whence P is public parameter. Compares h1(opwp*) and h1(opwp), equality of these two values guarantees the correctness of the guessed idm*, else, E attempts with some other guess. It is clear from the aforementioned computations that if E possesses the correct idm then it also possesses the correct opwp and ap. Then E guesses pwp* for possible password of pi and computes opwp** = h0((idm⊕idp)||rp||pwp*) whence rp is available from the mobile device. Equality of opwp** and opwp guarantees the correctness of the guessed pwp*, else, E attempts with some other guess.

Alternately, E can also obtain the exact value of idm corresponding to the patient pi from the database of the server S since S stores {idp, idm, empty, dp} in its database as the explanation follows. Since idp is available in the database entry of pi. The attacker E possessing idp via computation (idp||ns) = decx(eidp), can easily pick the entry {idp, idm, dp} corresponding to pi from the stolen registration table of the database of S. Then E guesses pwp* for possible password of pi, computes ap = h0(idm||idp||x), opwp = bp ⊕ ap. E computes opwp* = h0((idm⊕idp)||rp||pwp*) whence rp is available from the mobile device. E compares opwp* and opwp, the equality of these two values ensures the correctness of the guessed pwp*, else, E attempts with some other guess. E can also compute xpwp = dp ⊕ h1(ap), xpwp* = h0(up||pwp*)P, whence rp is available in the mobile device. E compares xpwp* and xpwp, the equality of these two values ensures the correctness of the guessed pwp*, else, E attempts with some other guess. In this way, the attacker E can guess the password of pi.

IV. CONCLUSION
Given any authentication scheme, if the secret key of the server is compromised and comes in the knowledge of an attacker then the scheme will surely be exposed to various types of attacks. In fact, leakage of server’s secret key is very rare and this is a very strong assumption to apply attacks on an existing scheme. The reason is that the server is the most trusted authority in the scenario of authentication schemes, thereby; there are substantial security provisions to maintain the security of server’s secret key.

We observed that Ostad-Sharif et al.’s scheme suffers from key compromise impersonation attack as well as key compromise password guessing attack although they would have definitely tried their best to avoid the possibility of key compromise attack on their scheme as they themselves mounted this attack on the target schemes in their work, and in the process of seeking a solution to this attack they designed and presented a new scheme. Thus, it is hardly possible for an authentication scheme to defy this attack. Moreover, once the secret key of the server comes in the knowledge of an attacker E, he/she can act as the legitimate server. In sensitive application scenario of healthcare, the attacker sitting as a valid server can collect sensitive data of patients that can be misused for various purposes. In addition, the attacker acting as the legitimate server can also provide false reply to patients’ queries thereby creating problems in their treatment with an intention to corrupt the online healthcare system. Therefore, key compromise attack is detrimental for sensitive applications such as healthcare services and it may lead to public unrest and disinterest in online services.

Based on the above analysis and discussion we put forward two questions for the researchers working in this field. First question is whether the key compromise attack should be designated as a valid attack or an invalid attack. That is, researchers should provide either validity or invalidity to this attack. Second question is that if the researchers provide validity to this attack then they should provide a concrete solution to it which is an open challenge.

Conflict of Interest: Authors have no conflict of interest.
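The two equality checks of Section III-B, as an added example that is not part of the paper: a toy model showing that the device-stored bp, cp and rp act as an offline verifier for idm and pwp once x is known, and that the same checks fail without the right x. Assumptions: h0 and h1 are modelled as tagged SHA-256, xP is an opaque 32-byte stand-in for the encoded public point, identities are 16 bytes, all sample values are constructed, and the registration formulas for bp and cp are inferred from the equations quoted in that section.

```python
import hashlib
import secrets

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Hash of the concatenation of fixed-length fields, with a domain tag.
    return hashlib.sha256(tag + b"".join(parts)).digest()

def h0(*parts: bytes) -> bytes:   # assumption: the paper does not name the hash
    return _h(b"h0", *parts)

def h1(*parts: bytes) -> bytes:
    return _h(b"h1", *parts)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(p ^ q for p, q in zip(a, b))

def register(idp, idm, pwp, x, xP):
    """Constructed registration model: returns the values held on the device."""
    rp = secrets.token_bytes(16)
    ap = h0(idm, idp, x)
    opwp = h0(xor(idm, idp), rp, pwp)
    # Inferred from opwp = bp XOR ap and h1(opwp) = cp XOR xP.
    return {"bp": xor(opwp, ap), "cp": xor(h1(opwp), xP), "rp": rp}

def idm_guess_checks(dev, idp, idm_guess, x, xP) -> bool:
    """First check: h1(bp XOR ap*) == cp XOR xP confirms a guessed idm*."""
    opwp_guess = xor(dev["bp"], h0(idm_guess, idp, x))
    return secrets.compare_digest(h1(opwp_guess), xor(dev["cp"], xP))

def password_guess_checks(dev, idp, idm, pw_guess, x) -> bool:
    """Second check: h0((idm XOR idp)||rp||pwp*) == bp XOR ap confirms pwp*."""
    opwp = xor(dev["bp"], h0(idm, idp, x))
    return secrets.compare_digest(opwp, h0(xor(idm, idp), dev["rp"], pw_guess))

# Constructed sample values; nothing here comes from a real deployment.
X = secrets.token_bytes(32)     # server master secret x
XP = secrets.token_bytes(32)    # stand-in for the encoded public point xP
IDP, IDM = b"patient-00000001", b"mobile-000000001"
DEVICE = register(IDP, IDM, b"correct horse", X, XP)
```

The point for a designer is that nothing stored on the device is bound to a secret the server does not also hold, so every device value becomes a test oracle once x leaks.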
Acknowledgement: Authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through research group no. (RG-1439-58)

REFERENCES
[1] A. Ostad-Sharif, D. Abbasinezhad-Mood, and M. Nikooghadam, “A robust and efficient ECC-based mutual authentication and session key generation scheme for healthcare applications,” J. Med. Syst. vol. 43:10, 2019. DOI: 10.1007/s10916-018-1120-5.

Director, State Institute of Rural Development, Rural Development Department, Government of U.P., India. His current research interests include reliability and applied cryptography.

Chien-Ming Chen received his PHD from the National Tsing Hua University, Taiwan. He is currently an associate professor of Shandong University of Science and Technology, China. Dr. Chen serves as an executive editor of International Journal of Information Computer Security. He also serves as an associate editor of IEEE ACCESS. His current research interests include network security, mobile internet, IoT and cryptography.