
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2019.2905731, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2017.Doi Number

Questioning Key Compromise Attack on Ostad-Sharif et al.'s Authentication and Session Key Generation Scheme for Healthcare Applications

Saru Kumari (1), Pradeep Chaudhary (2), Chien-Ming Chen (3), and Muhammad Khurram Khan (4), Senior Member, IEEE

(1) Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India
(2) Department of Statistics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India
(3) College of Computer Science and Engineering, Shandong University of Science and Technology, Shandong, China
(4) Centre of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia

Corresponding authors: Chien-Ming Chen (e-mail: chienmingchen@ieee.org), Muhammad Khurram Khan (mkhurram@ksu.edu.sa)

ABSTRACT Recently, Ostad-Sharif et al. pointed out the susceptibility of three different authentication schemes designed for telecare medicine/medical information systems (TMIS) to the key compromise impersonation attack (KCIA). To address this issue, they proposed an ECC-based authentication and key generation scheme for healthcare applications. In this work, we show that Ostad-Sharif et al.'s scheme is not only affected by the key compromise impersonation attack but also suffers from a key compromise password guessing attack. Several papers have been published by researchers applying KCIA to existing authentication protocols. Before any further move in this research direction, researchers must contemplate KCIA itself. We conclude this article with a rigorous analysis of KCIA along with two questions for the research community working in this field to ponder.

INDEX TERMS Authentication; Key-agreement; Key compromise password guessing attack; Key compromise impersonation.

I. INTRODUCTION

Telecare medicine/medical information systems (TMIS) are systems dedicated to providing online healthcare services. They play an important role in upgrading the traditional, time-consuming healthcare system to a smart healthcare system with the use of information and communication technology (ICT). As these systems are entirely based on the Internet, an open medium, security and privacy are major concerns for their viability. The issue of security and privacy is addressed by authentication and key agreement schemes.

Recently, Ostad-Sharif et al. [1] pointed out the key compromise impersonation attack on the authentication schemes designed by Giri et al. [2], Amin and Biswas [3], and Arshad and Rasoolzadegan [4] for telecare medicine/medical information systems (TMIS). In succession, Ostad-Sharif et al. [1] also proposed an authentication scheme for healthcare applications. In this paper, we show that their scheme is also susceptible to the key compromise impersonation attack. The worst case is that in their scheme the key compromise impersonation attack leads to a password guessing attack.

II. NOTATIONS AND PICTORIAL REVIEW OF OSTAD-SHARIF ET AL.'S SCHEME

A. NOTATIONS AND DESCRIPTION

TABLE I. THE NOTATIONS WITH DESCRIPTION

Notation            Description
pi                  Patient
S                   Server
E                   Attacker
idp, pwp            Identity/password of patient
idm                 Identity of patient's mobile device
x                   Server's master secret key
rp, up              Random numbers generated at the patient end during registration phase
ns                  Random number generated at the server end during registration phase
np                  Random number generated at the patient end during login-authentication phase
nss, nsnew          Random numbers generated at the server end during login-authentication phase
tp                  Current timestamp at the patient side
sk                  Session key agreed between patient and server
P                   Base point on a suitably chosen elliptic curve
h0(.), h1(.), h2(.) One-way hash functions
⊕                   Bitwise XOR operator
||                  Concatenation operator

2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

B. PICTORIAL REVIEW OF OSTAD-SHARIF ET AL.'S SCHEME

Registration of Patient:

Patient (pi):
  Chooses idp, pwp and rp, up
  opwp = h0((idm ⊕ idp)||rp||pwp)
  xpwp = h0(up||pwp)P
  pi → S: {idp, idm, opwp, xpwp}

Server (S):
  Checks the validity of idp, idm
  ap = h0(idm||idp||x), bp = opwp ⊕ ap
  cp = h1(opwp) ⊕ xP, dp = h1(ap) ⊕ xpwp
  Generates random number ns
  eidp = encx(idp||ns)
  Stores {idp, idm, empty, dp} in its database
  S → pi: {eidp, bp, cp}

Patient (pi):
  Sets tokenppw = 0
  Stores {eidp, bp, cp, rp, up, tokenppw} in the mobile device

Login and Authentication:

Patient (pi) / Mobile Device (mdi):
  pi: Inserts idp, pwp
  mdi: Retrieves rp, bp
  opwp = h0((idm ⊕ idp)||rp||pwp)
  ap = opwp ⊕ bp, Q = xP = h1(opwp) ⊕ cp
  Generates random number np
  Xp = h0(idm||idp||np)P
  vp = h0(ap||Xp||Q||tp||tokenppw)
  For tokenppw >= 1:
    xpwp = h0(up||pwp)P
    vppw = h0(ap||Xp||Q||tp||xpwp||tokenppw)
  mdi → S: {tokenppw, eidp, Xp, vp, vppw, tp}

Server (S):
  For fresh tp, computes (idp||ns) = decx(eidp)
  For valid idp, retrieves idm and dp
  ap = h0(idm||idp||x), xpwp = h1(ap) ⊕ dp
  For tokenppw = 0, verifies if h0(ap||Xp||Q||tp||tokenppw) =? vp
  For tokenppw >= 1, verifies if h0(ap||Xp||Q||tp||xpwp||tokenppw) =? vppw
  Else, {xpwpold = h1(ap) ⊕ dpold, h0(ap||Xp||Q||tp||xpwpold||tokenppw) =? vppw}
  Generates random number nss
  k = (x + h0(idx||nss))(xpwp + Xp), sk = h2(tp||k)
  Generates random number nsnew
  eidpnew = encs(idp||nsnew), oeidpnew = eidpnew ⊕ h3(sk)
  vs = h0(ap||Xs||eidpnew||sk)
  S → mdi: {oeidpnew, Xs, vs}

Patient (pi) / Mobile Device (mdi):
  k = (h0(up||pwp) + h0(idm||idp||np))(Q + Xs)
  sk = h2(tp||k), eidpnew = oeidpnew ⊕ h3(sk)
  h0(ap||Xs||eidpnew||sk) =? vs
  eidp ← eidpnew
  Sets tokenppw = 0

FIGURE 1. User registration, login and authentication phases of Ostad-Sharif et al.'s scheme
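To make the data flow of Figure 1 concrete, the following Python program is an added worked example written for this review; it is not the authors' code nor a reference implementation of Ostad-Sharif et al.'s scheme. It runs the registration phase and the tokenppw = 0 login path end to end and checks that patient and server derive the same sk. Several things are assumptions of the example rather than the paper: the elliptic curve is replaced by a small prime-order subgroup of Z_1019^* (so "aP" is modular exponentiation and "X + Y" is modular multiplication), h0/h1/h2/h3 are SHA-256 with a domain-separation byte, encx/decx is a toy SHA-256 keystream cipher, Xs is taken to be h0(idp||nss)P because the figure uses Xs without defining it, and the vppw branch and the dpold fallback are omitted. All identities, passwords and random values are constructed.

```python
import hashlib
import os
import time

# Toy cyclic group standing in for the elliptic curve of Figure 1 (constructed, not the paper's).
MOD, ORD, G = 1019, 509, 4   # safe prime MOD = 2*ORD + 1; G generates the order-ORD subgroup (our "P")

def mul(a, X=G): return pow(X, a % ORD, MOD)          # "aX": scalar multiplication
def add(X, Y): return (X * Y) % MOD                   # "X + Y": point addition
def pb(X): return X.to_bytes(32, "big")               # group element as 32 bytes, XOR-able with a hash
def scalar(d): return int.from_bytes(d, "big") % ORD  # hash digest used as a scalar
def xor(a, b): return bytes(u ^ v for u, v in zip(a, b))

def H(tag, *parts):
    """h_tag(.) modelled as SHA-256 with a domain-separation byte over '|'-joined inputs."""
    m = hashlib.sha256(bytes([tag]))
    for p in parts:
        m.update((p if isinstance(p, bytes) else str(p).encode()) + b"|")
    return m.digest()

def enc(key, msg):   # toy encx: nonce || msg XOR SHA-256(key||nonce); msg must be <= 32 bytes
    nonce = os.urandom(8)
    return nonce + xor(msg, hashlib.sha256(str(key).encode() + nonce).digest())

def dec(key, ct): return xor(ct[8:], hashlib.sha256(str(key).encode() + ct[:8]).digest())

def register(server, idp, idm, pwp):
    """Registration phase of Figure 1; returns the record stored on the mobile device."""
    rp, up = os.urandom(8), os.urandom(8)
    opwp = H(0, xor(idm, idp), rp, pwp)              # opwp = h0((idm xor idp)||rp||pwp)
    xpwp = mul(scalar(H(0, up, pwp)))                # xpwp = h0(up||pwp)P
    x = server["x"]
    ap = H(0, idm, idp, x)                           # ap = h0(idm||idp||x)
    bp, cp = xor(opwp, ap), xor(H(1, opwp), pb(mul(x)))   # bp = opwp xor ap, cp = h1(opwp) xor xP
    dp = xor(H(1, ap), pb(xpwp))                     # dp = h1(ap) xor xpwp
    eidp = enc(x, idp + b"|" + os.urandom(4))        # eidp = encx(idp||ns)
    server["db"][idp] = {"idm": idm, "dp": dp}       # server stores {idp, idm, empty, dp}
    return {"eidp": eidp, "bp": bp, "cp": cp, "rp": rp, "up": up, "token": 0}

def login_request(dev, idp, idm, pwp, tp):
    """Mobile-device side of login for tokenppw = 0; returns (message, patient state)."""
    opwp = H(0, xor(idm, idp), dev["rp"], pwp)
    ap = xor(opwp, dev["bp"])                        # ap = opwp xor bp
    Qp = int.from_bytes(xor(H(1, opwp), dev["cp"]), "big")   # Q = xP = h1(opwp) xor cp
    np_ = os.urandom(8)
    Xp = mul(scalar(H(0, idm, idp, np_)))            # Xp = h0(idm||idp||np)P
    vp = H(0, ap, Xp, Qp, tp, dev["token"])          # vp = h0(ap||Xp||Q||tp||tokenppw)
    return (dev["token"], dev["eidp"], Xp, vp, tp), {"ap": ap, "Qp": Qp, "np": np_}

def server_respond(server, msg, now, window=5):
    """Server side of login for tokenppw = 0; returns (reply, sk), or None when it rejects."""
    token, eidp, Xp, vp, tp = msg
    x = server["x"]
    if abs(now - tp) > window:                       # freshness check on tp
        return None
    idp = dec(x, eidp).split(b"|", 1)[0]             # (idp||ns) = decx(eidp)
    rec = server["db"].get(idp)
    if rec is None:
        return None
    ap = H(0, rec["idm"], idp, x)                    # ap = h0(idm||idp||x)
    xpwp = int.from_bytes(xor(H(1, ap), rec["dp"]), "big")   # xpwp = h1(ap) xor dp
    if H(0, ap, Xp, mul(x), tp, token) != vp:        # h0(ap||Xp||Q||tp||tokenppw) =? vp
        return None
    s = scalar(H(0, idp, os.urandom(8)))             # h0(idp||nss) with fresh nss
    Xs = mul(s)                                      # assumption: Xs = h0(idp||nss)P
    sk = H(2, tp, mul(x + s, add(xpwp, Xp)))         # k = (x + h0(idp||nss))(xpwp + Xp), sk = h2(tp||k)
    eidpnew = enc(x, idp + b"|" + os.urandom(4))     # eidpnew = encx(idp||nsnew)
    return (xor(eidpnew, H(3, sk)), Xs, H(0, ap, Xs, eidpnew, sk)), sk   # {oeidpnew, Xs, vs}

def login_finish(dev, state, reply, idp, idm, pwp, tp):
    """Mobile-device side after the reply; returns sk, or None when vs does not verify."""
    oeid, Xs, vs = reply
    b = scalar(H(0, dev["up"], pwp)) + scalar(H(0, idm, idp, state["np"]))
    sk = H(2, tp, mul(b, add(state["Qp"], Xs)))      # k = (h0(up||pwp) + h0(idm||idp||np))(Q + Xs)
    eidpnew = xor(oeid, H(3, sk))                    # eidpnew = oeidpnew xor h3(sk)
    if H(0, state["ap"], Xs, eidpnew, sk) != vs:     # h0(ap||Xs||eidpnew||sk) =? vs
        return None
    dev["eidp"], dev["token"] = eidpnew, 0           # eidp <- eidpnew, tokenppw = 0
    return sk

def run(pw_at_login=b"correct horse"):
    """One registration plus one login with constructed identities; returns (patient sk, server sk)."""
    server = {"x": scalar(os.urandom(32)), "db": {}}              # x: server's master secret key
    idp, idm, pwp = b"patient42", b"imei-0042", b"correct horse"  # constructed sample values
    dev = register(server, idp, idm, pwp)
    tp = int(time.time())
    msg, state = login_request(dev, idp, idm, pw_at_login, tp)
    out = server_respond(server, msg, tp)
    if out is None:
        return None, None
    reply, sk_server = out
    return login_finish(dev, state, reply, idp, idm, pw_at_login, tp), sk_server
```

Calling run() returns two equal 32-byte keys; run(pw_at_login=b"wrong") returns (None, None) because the server's vp check fails. Reading server_respond shows what Section III builds on: every quantity the server uses to verify a login and derive sk (ap, xP, xpwp) is computed from x together with the stored {idp, idm, dp} entry, so the verification never involves anything only the patient knows.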


Kumari et al.: Questioning Key Compromise Attack

III. QUESTIONING KEY COMPROMISE ATTACK ON OSTAD-SHARIF ET AL.'S SCHEME

In this section, we show that Ostad-Sharif et al.'s scheme suffers from the key compromise impersonation attack and the key compromise password guessing attack.

A. KEY COMPROMISE IMPERSONATION ATTACK

An attacker E possessing the secret key x of the server S intercepts the login message {tokenppw, eidp, Xp, vp, vppw, tp} of pi from the public channel and reads the value of tokenppw. E computes (idp||ns) = decx(eidp) and uses the retrieved idp to obtain the user-specific details {idp, idm, dp} from the stolen registration table of the database of S. E computes ap = h0(idm||idp||x), generates a random number nep and computes Xep = h0(idm||idp||nep)P, where P is a public value. For tokenppw = 0, E computes vep = h0(ap||Xep||xP||tep||tokenppw) with the current timestamp tep. For tokenppw >= 1, E computes xpwp = dp ⊕ h1(ap) and veppw = h0(ap||Xep||xP||tep||xpwp||tokenppw). E sends {tokenppw, eidp, Xep, vep, veppw, tep} as a login message to S in order to act as the legal user pi. Clearly, the login message {tokenppw, eidp, Xep, vep, veppw, tep} will be entertained by S: tep is the current timestamp; eidp contains the valid identity idp of pi; Xep contains the valid identity idp of pi, the valid identity idm of the mobile device of pi, and the fresh random number nep; further, vep and veppw are computed with the exact secret key x of S and the valid value of ap, and according to the value of tokenppw being sent. Thus, the server will believe that the received message is from the legitimate patient pi, and hence the attacker is able to impersonate the patient.

B. KEY COMPROMISE PASSWORD GUESSING ATTACK

Suppose that an attacker E, possessing the compromised secret key x of the server, obtains the mobile device of patient pi. E can procure the parameters {eidp, bp, cp, rp, up, tokenppw} stored inside the mobile device [5, 6]. Then E can guess the password of pi in any of the following ways.

E computes (idp||ns) = decx(eidp) to obtain idp, makes a guess idm* for the identity of the mobile device of pi and computes ap* = h0(idm*||idp||x), opwp* = bp ⊕ ap*, h1(opwp*), and h1(opwp) = cp ⊕ xP, where P is a public parameter. E compares h1(opwp*) and h1(opwp); equality of these two values guarantees the correctness of the guessed idm*, else E attempts some other guess. It is clear from the aforementioned computations that if E possesses the correct idm then it also possesses the correct opwp and ap. Then E guesses pwp* as a possible password of pi and computes opwp** = h0((idm ⊕ idp)||rp||pwp*), where rp is available from the mobile device. Equality of opwp** and opwp guarantees the correctness of the guessed pwp*, else E attempts some other guess.

Alternately, E can obtain the exact value of idm corresponding to the patient pi from the database of the server S, since S stores {idp, idm, empty, dp} there, as follows. Since idp is present in the database entry of pi, the attacker E, who possesses idp via the computation (idp||ns) = decx(eidp), can easily pick the entry {idp, idm, dp} corresponding to pi from the stolen registration table of the database of S. Then E guesses pwp* as a possible password of pi and computes ap = h0(idm||idp||x), opwp = bp ⊕ ap. E computes opwp* = h0((idm ⊕ idp)||rp||pwp*), where rp is available from the mobile device. E compares opwp* and opwp; the equality of these two values ensures the correctness of the guessed pwp*, else E attempts some other guess. E can also compute xpwp = dp ⊕ h1(ap) and xpwp* = h0(up||pwp*)P, where up is available from the mobile device. E compares xpwp* and xpwp; the equality of these two values ensures the correctness of the guessed pwp*, else E attempts some other guess. In this way, the attacker E can guess the password of pi.

IV. CONCLUSION

Given any authentication scheme, if the secret key of the server is compromised and comes to the knowledge of an attacker, then the scheme will surely be exposed to various types of attacks. In fact, leakage of the server's secret key is very rare, and this is a very strong assumption under which to apply attacks on an existing scheme. The reason is that the server is the most trusted authority in the scenario of authentication schemes; thereby, there are substantial security provisions to maintain the security of the server's secret key.

We observed that Ostad-Sharif et al.'s scheme suffers from the key compromise impersonation attack as well as the key compromise password guessing attack, although they would have definitely tried their best to avoid the possibility of a key compromise attack on their scheme, as they themselves mounted this attack on the target schemes in their work, and in the process of seeking a solution to this attack they designed and presented a new scheme. Thus, it is hardly possible for an authentication scheme to defy this attack. Moreover, once the secret key of the server comes to the knowledge of an attacker E, he/she can act as the legitimate server. In the sensitive application scenario of healthcare, an attacker sitting as a valid server can collect sensitive data of patients that can be misused for various purposes. In addition, the attacker acting as the legitimate server can also provide false replies to patients' queries, thereby creating problems in their treatment with the intention of corrupting the online healthcare system. Therefore, the key compromise attack is detrimental to sensitive applications such as healthcare services, and it may lead to public unrest and disinterest in online services.

Based on the above analysis and discussion, we put forward two questions for the researchers working in this field. The first question is whether the key compromise attack should be designated as a valid attack or an invalid attack; that is, researchers should establish either the validity or the invalidity of this attack. The second question is that, if researchers establish the validity of this attack, then they should provide a concrete solution to it, which is an open challenge.

Conflict of Interest: Authors have no conflict of interest.


Acknowledgement: Authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through research group no. (RG-1439-58).

REFERENCES

[1] A. Ostad-Sharif, D. Abbasinezhad-Mood, and M. Nikooghadam, "A robust and efficient ECC-based mutual authentication and session key generation scheme for healthcare applications," J. Med. Syst., vol. 43:10, 2019. DOI: 10.1007/s10916-018-1120-5.

[2] D. Giri, T. Maitra, R. Amin, and P. D. Srivastava, "An efficient and robust RSA-based remote user authentication for telecare medical information systems," J. Med. Syst., vol. 39:145, 2015. DOI: 10.1007/s10916-014-0145-7.

[3] R. Amin and G. P. Biswas, "An improved RSA based user authentication and session key agreement protocol usable in TMIS," J. Med. Syst., vol. 39, no. 8, p. 79, 2015.

[4] H. Arshad and A. Rasoolzadegan, "Design of a secure authentication and key agreement scheme preserving user privacy usable in telecare medicine information systems," J. Med. Syst., vol. 40, no. 11, p. 237, 2016.

[5] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Advances in Cryptology (CRYPTO'99), 1999, pp. 388–397.

[6] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, "Examining smart-card security under the threat of power analysis attacks," IEEE Trans. on Comp., vol. 51, no. 5, pp. 541–552, 2002.

SARU KUMARI is currently an Assistant Professor with the Department of Mathematics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India. She received her Ph.D. degree in Mathematics in 2012 from CCS University, Meerut, UP, India. She has published more than 133 research papers in reputed international journals and conferences, including 115 publications in SCI-indexed journals. She is on the Editorial Board of more than 12 journals of international repute, including 7 SCI journals. She served as lead/Guest Editor of four Special Issues in SCI journals of Elsevier, Springer and Wiley. She is a Technical Program Committee Member for many international conferences. Her current research interests include information security and applied cryptography.

PRADEEP CHAUDHARY is currently an Assistant Professor with the Department of Statistics, Ch. Charan Singh University, Meerut, Uttar Pradesh, India. He received his Ph.D., M.Phil and M.Sc degrees in Statistics in 2004, 1998 and 1996 respectively, from CCS University, Meerut, UP, India. He is a Gold Medalist in his M.Phil as well as his M.Sc degree. He has also served as a Research Assistant, Directorate of Institutional Finance and Sarvhit Bima, Government of U.P., India, and as Assistant Director, State Institute of Rural Development, Rural Development Department, Government of U.P., India. His current research interests include reliability and applied cryptography.

CHIEN-MING CHEN received his Ph.D. from the National Tsing Hua University, Taiwan. He is currently an associate professor at Shandong University of Science and Technology, China. Dr. Chen serves as an executive editor of the International Journal of Information Computer Security. He also serves as an associate editor of IEEE ACCESS. His current research interests include network security, mobile internet, IoT and cryptography.

MUHAMMAD KHURRAM KHAN is currently working as a Full Professor at the Center of Excellence in Information Assurance (CoEIA), King Saud University, Kingdom of Saudi Arabia. He is one of the founding members of CoEIA and served as the Manager R&D from March 2009 to March 2012. He is the Editor-in-Chief of a well-esteemed international journal, 'Telecommunication Systems', published by Springer-Verlag (since 1993) with an impact factor of 1.542 (JCR 2017). He is a full-time Editor/Associate Editor of several international journals/magazines. He has also played the role of guest editor of several international ISI-indexed journals of Springer-Verlag and Elsevier Science, etc. Moreover, he is one of the organizing chairs of more than 5 dozen international conferences and a member of the technical committees of more than 10 dozen international conferences. He secured an outstanding leadership award at the IEEE International Conference on Networks and Systems Security 2009, Australia. He was awarded a Gold Medal for the 'Best Invention & Innovation Award' at the 10th Malaysian Technology Expo 2011, Malaysia. Moreover, his invention recently received a Bronze Medal at the '41st International Exhibition of Inventions' at Geneva, Switzerland, in April 2013. In addition, he received the best paper award from the Journal of Network & Computer Applications (Elsevier) in Dec. 2015. Prof. Khurram is the recipient of the King Saud University Award for Scientific Excellence (Research Productivity) in May 2015. He is also a recipient of the King Saud University Award for Scientific Excellence (Inventions, Innovations, and Technology Licensing) in May 2016. Prof. Khurram has published over 325 research papers in journals and conferences of international repute. In addition, he is an inventor of 10 US/PCT patents. He has edited 7 books/proceedings published by Springer-Verlag and IEEE. His research areas of interest are cybersecurity, digital authentication, biometrics, multimedia security, and technological innovation management.
