An Improved Secure Authentication and Key Agreement Scheme For Healthcare Applications
• Step 1. The user selects a user ID IDi and a password pwi and enters his biometric parameter BIOi. He also selects random numbers ai and bi. The mobile device then calculates pi = h(IDi||pwi||ai||H(BIOi)). At the end, ⟨pi, bi, ai⟩ is sent to the server via a secure channel.
• Step 2. Upon receiving the message, the server calculates Ai = h(IDs||bi||s), Bi = Ai ⊕ pi, Ci = h(pi||Ai||ai||bi) and Kpub = s.p. It then sends ⟨Bi, Ci, Kpub⟩ to the user (his mobile device) through a secure channel.
• Once the user receives the message, he adds ai and bi to it and stores ⟨ai, bi, Bi, Ci, Kpub, H(.), h(.)⟩ in the mobile device's memory.

B. Login and Authentication Phase
The following are the steps required when the user wants to log in to the server and authenticate himself.

• Step 1. The user (i.e., the patient) enters his IDi*, pwi*, and his biometric BIOi*. To verify that the mobile device belongs to the user (e.g., has not been stolen), the random parameters ai and bi are first extracted from the device's memory. Then, the following calculations are performed: pi* = h(IDi*||pwi*||ai||H(BIOi*)), Ai* = Bi ⊕ pi*, Ci* = h(Ai*||pi*||ai||bi). At the end, Ci* is compared with the Ci stored on the mobile device. If they are equal, it is proved that the mobile device indeed belongs to the user.
• Step 2. The user then selects three random numbers ni, mi, qi and calculates two points Ni = ni.p and Mi = mi.p on the elliptic curve. It then computes another point on the elliptic curve (key1) by multiplying ni with the server's public key Kpub, as key1 = ni.Kpub = ni.s.p. He then selects a time stamp Tp and computes Fi = h(qi||mi||ni). It then encrypts (Fi||qi) with the xth dimension (x-coordinate) of key1 to obtain ki; in other words, ki = ENC(key1)x(Fi||qi). The user then encrypts ki||(Ni)x||(Mi)x with Ai to obtain Vi as Vi = encAi(ki||(Ni)x||(Mi)x), where (Ni)x and (Mi)x are the xth dimension of Ni and Mi, respectively. Next, he computes Xi = h(qi||bi||Vi). At the end, he sends ⟨Vi, bi, Xi, mi.p, Tp⟩ to the server.
• Step 3. Once the message is received at the server, the server first checks the freshness of the message by checking the time stamp Tp and then calculates Ai = h(IDs||bi||s), where IDs is the server's ID and s is its secret key (both available to the server), and bi has been sent to the server in the previous step. Having Ai, the server is now able to decrypt Vi as decAi(Vi) = (ki*||Ni*||Mi*) and obtain ki*, Ni* and Mi*. Now, the server can calculate key1' = Ni.s = s.ni.p, where s is the server's secret key. Having key1', the server decrypts ki to obtain Fi and qi as DEC(key1')x(ki) = (Fi||qi). Then, it calculates Xi* = h(qi||bi||Vi) and compares it with the Xi received from the user. If they are equal, the correctness and authenticity of the message is verified. Now, the server selects a timestamp Ts and a random number gi and then adds the two points Mi and Ni to obtain MNi as MNi = Mi + Ni. At the end, the server computes the session key SK as SK = h(Fi||qi||Ai||(MNi)x||gi.mi.p) and Auths = h(SK||Xi||Fi), and sends ⟨gi.p, Auths, Ts⟩ to the user.
• Step 4. Upon receiving the message, the user first checks its freshness. He then calculates the session key SK = h(Fi||qi||Ai||(MNi)x||gi.mi.p) and Authp as Authp = h(SK||Xi||Fi), and compares Authp with the Auths received from the server to verify the message. Now, both parties have agreed on a shared session key.

Fig. (Login and Authentication Phase): only the patient/mobile device column of the figure survived extraction; the server column is not recovered.
Patient/mobile device:
  Enters his/her IDi*, pwi* and BIOi*
  Retrieves ai, bi from the memory
  Computes pi* = h(IDi*||pwi*||ai||H(BIOi*))
  Computes Ai* = Bi ⊕ pi*
  Computes Ci* = h(Ai*||pi*||ai||bi)
  Checks Ci* =? Ci
  Selects random numbers ni, mi, qi
  Computes Ni = ni.p, Mi = mi.p
  Computes key1 = ni.Kpub = ni.s.p
  Captures its current time Tp
  Computes Fi = h(qi||mi||ni)
  Computes ki = ENC(key1)x(Fi||qi)
  Computes Vi = encAi(ki||(Ni)x||(Mi)x)
  Computes Xi = h(qi||bi||Vi)
  Sends ⟨Vi, bi, Xi, mi.p, Tp⟩ to the server

V. INFORMAL SECURITY ANALYSIS OF THE PROPOSED SCHEME
In this section, we informally show that the proposed scheme is resistant against various attacks, and can provide perfect forward secrecy and mutual authentication.
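Before the attack-by-attack discussion, the following is an executable model of the registration and login/authentication phases described above. It is an added example, not code from the paper or its authors. The paper fixes neither the hash, the symmetric cipher, nor the curve, so the model assumes h(.) = H(.) = SHA-256, a SHA-256 counter keystream XOR as a stand-in for ENC/enc and DEC/dec, and secp256k1 for the point arithmetic. It also departs from the paper in one labelled place: Vi carries the full points Ni and Mi rather than only their x-coordinates, because the server cannot form MNi = Mi + Ni unambiguously from (Ni)x alone. The freshness window FRESH, the function names, and the patient/server identities are constructed for the example. The session keys of both sides are returned so that the mutual-authentication and freshness checks discussed in the subsections below can be exercised directly.

```python
# Executable model of the registration and login/authentication phases above.
# Added example, not the paper's code.  Assumptions: h/H = SHA-256, ENC/enc = XOR
# with a SHA-256 keystream, curve = secp256k1, and Vi carries the full points Ni, Mi
# (the paper encrypts only their x-coordinates, which leaves Mi + Ni ambiguous).
import hashlib, secrets

P = 2**256 - 2**32 - 977                          # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
FRESH = 60                                        # accepted timestamp skew, seconds (assumption)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1) * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k.A."""
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def i2b(x): return x.to_bytes(32, "big")
def pt2b(Q): return i2b(Q[0]) + i2b(Q[1])                       # (Q)x || (Q)y
def b2pt(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def h(*parts): return hashlib.sha256(b"|".join(parts)).digest()   # h(.) and H(.)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return 1 + secrets.randbelow(N - 1)
def enc(key, msg):
    """Stand-in for ENC/enc: XOR with a SHA-256 counter keystream (decrypt = enc)."""
    ks = b"".join(hashlib.sha256(key + i2b(i)).digest() for i in range(len(msg) // 32 + 1))
    return xor(msg, ks[:len(msg)])

def register(IDi, pwi, BIOi, IDs, s):
    """Registration phase; returns the values the mobile device stores."""
    ai, bi = secrets.token_bytes(32), secrets.token_bytes(32)
    pi = h(IDi, pwi, ai, h(BIOi))                 # user side, sent over a secure channel
    Ai = h(IDs, bi, i2b(s))                       # server side
    return {"ai": ai, "bi": bi, "Bi": xor(Ai, pi), "Ci": h(pi, Ai, ai, bi), "Kpub": ec_mul(s, G)}

def login_request(dev, IDi, pwi, BIOi, Tp):
    """Login Step 1 (local device check) and Step 2 (first message)."""
    pi = h(IDi, pwi, dev["ai"], h(BIOi))
    Ai = xor(dev["Bi"], pi)
    if h(pi, Ai, dev["ai"], dev["bi"]) != dev["Ci"]:
        raise ValueError("device check failed: wrong ID, password or biometric")
    ni, mi, qi = rand_scalar(), rand_scalar(), i2b(rand_scalar())
    Ni, Mi = ec_mul(ni, G), ec_mul(mi, G)
    key1 = ec_mul(ni, dev["Kpub"])                # ni.s.p
    Fi = h(qi, i2b(mi), i2b(ni))
    ki = enc(i2b(key1[0]), Fi + qi)               # keyed with (key1)x
    Vi = enc(Ai, ki + pt2b(Ni) + pt2b(Mi))
    Xi = h(qi, dev["bi"], Vi)
    msg = {"Vi": Vi, "bi": dev["bi"], "Xi": Xi, "Mi": Mi, "Tp": Tp}
    state = {"Fi": Fi, "qi": qi, "Ai": Ai, "mi": mi, "MNi": ec_add(Mi, Ni), "Xi": Xi}
    return msg, state

def server_respond(IDs, s, msg, now):
    """Login Step 3: authenticate the user and derive SK on the server."""
    if abs(now - msg["Tp"]) > FRESH:
        raise ValueError("stale Tp: replayed or delayed message")
    Ai = h(IDs, msg["bi"], i2b(s))
    plain = enc(Ai, msg["Vi"])
    ki, Ni, Mi = plain[:64], b2pt(plain[64:128]), b2pt(plain[128:192])
    Fq = enc(i2b(ec_mul(s, Ni)[0]), ki)           # key1' = s.Ni = s.ni.p
    Fi, qi = Fq[:32], Fq[32:]
    if h(qi, msg["bi"], msg["Vi"]) != msg["Xi"]:
        raise ValueError("Xi mismatch: message not authentic")
    gi, Ts = rand_scalar(), now
    SK = h(Fi, qi, Ai, i2b(ec_add(Mi, Ni)[0]), pt2b(ec_mul(gi, Mi)))   # ... (MNi)x || gi.mi.p
    return {"giP": ec_mul(gi, G), "Auths": h(SK, msg["Xi"], Fi), "Ts": Ts}, SK

def user_finish(state, reply, now):
    """Login Step 4: authenticate the server and derive SK on the device."""
    if abs(now - reply["Ts"]) > FRESH:
        raise ValueError("stale Ts")
    SK = h(state["Fi"], state["qi"], state["Ai"], i2b(state["MNi"][0]),
           pt2b(ec_mul(state["mi"], reply["giP"])))   # mi.gi.p == gi.mi.p
    if h(SK, state["Xi"], state["Fi"]) != reply["Auths"]:
        raise ValueError("Auths mismatch: server not authenticated")
    return SK

def run_session(pwi=b"correct horse", now=1_700_000_000.0):
    """Full run with constructed identities; returns (SK_user, SK_server)."""
    IDs, s = b"server-01", rand_scalar()
    dev = register(b"patient-42", b"correct horse", b"fingerprint-template", IDs, s)
    msg, st = login_request(dev, b"patient-42", pwi, b"fingerprint-template", now)
    reply, SK_s = server_respond(IDs, s, msg, now + 1)
    return user_finish(st, reply, now + 2), SK_s
```

A practitioner can see here what the paper leaves implicit: both sides only reach the same SK if the server holds s (to recover Ai and key1'), if the device holds the correct Ci (so a stolen device without ID, password and biometric stops at Step 1), and if each timestamp falls inside the freshness window, which is what the replay argument in the next subsections relies on.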
A. Key Compromise Impersonation Attack
As mentioned before in Section III-B2, resistance to this attack means that if the server's secret key is compromised, it should not allow the attacker to impersonate the server or the user. In our scheme, to verify that the message is indeed received from the user, the server calculates Xi* as Xi* = h(qi||bi||Vi) and compares it with the Xi received from the user. If the attacker wants to impersonate the user, he has to create his own Xi and hence his own Vi. To do so, he should be able to decrypt Vi to access its parameters. But Vi has been encrypted with Ai, as Ai = h(IDs||bi||s), which is dependent on the server's identity IDs, inaccessible to the attacker. So, he cannot impersonate the user. Hence, the proposed scheme is resistant to the key compromise impersonation attack.

B. Key Compromise Password Guessing Attack
As described before in Section III-B1, resistance to this attack means that if the server's secret key is compromised, it should not allow the attacker to guess the user's password. In our proposed scheme, in order to have access to the user's password pwi, the attacker should know the user's identity IDi and his biometric parameter BIOi, as pi* = h(IDi*||pwi*||ai||H(BIOi*)), both of which are kept private and are inaccessible to the attacker. So, our scheme is secure against the key compromise password guessing attack.

C. Insider Attack
In our proposed scheme, no sensitive information is stored on the server. So, even in the case of having an insider, he is not able to retrieve the user's private information such as his password. So, the scheme is resistant to the insider attack.

D. Replay Attack
In a replay attack, the adversary aims to capture an exchanged message and resubmit it later. In our scheme, we prevent this attack by using timestamps and checking their freshness, thus avoiding the resubmission of old messages.

E. Perfect Forward Secrecy
As discussed in [8], perfect forward secrecy provision means that if any of the long-term secrets (e.g., the session key, the server's public/private keys, etc.) has been compromised, the attacker should not be able to get access to the session key. In our scheme, the session key includes mi.gi.p (or gi.mi.p), in which mi and gi are random numbers. Even if the attacker has access to mi.p and gi.p, he is not able to compute mi.gi.p or gi.mi.p due to the Elliptic Curve Diffie-Hellman (ECDH) assumption. So, the proposed scheme can provide perfect forward secrecy.

F. Mutual Authentication
In our proposed scheme, once the user sends the message (Vi, bi, Xi, mi.p, Tp) to the server, the server authenticates the user by computing Xi* = h(qi||bi||Vi) and comparing it with the Xi received from the user. If they are equal, the user is authenticated to the server. Similarly, once the message (gi.p, Auths, Ts) is received from the server, the user authenticates the server by computing Authp = h(SK||Xi||Fi) and comparing it with the Auths received from the server. If they are equal, the server is authenticated to the user. So, our scheme can provide mutual authentication.

VI. FORMAL SECURITY ANALYSIS WITH SCYTHER
To analyse the security of our proposed scheme formally, we used the Scyther tool [10], designed and extended for identifying the security requirements and vulnerabilities of protocols. Scyther provides the verification of user-defined as well as automatically generated claims, where each claim represents a security property. The claim Alive ensures that a set of events has been executed by an intended communication party R. Nisynch ensures that the sender has sent all exchanged messages and that they all have been received by the receiver. claim(R, Secret, rt) implies that R claims that rt should be unknown to the attacker. Weakagree is used to guarantee the robustness of the protocol against impersonation attacks. Figure 4 demonstrates the output of this analysis, showing that the protocol can satisfy all the security requirements.

Fig. 4. Formal Security Analysis of the Proposed Scheme (figure not recovered in this extraction)

VII. CONCLUSION AND FUTURE WORK
Recent research has emphasized the importance of the provision of a secure and privacy-preserving communication channel between different parties in TMISs. In this article, we reviewed the work presented by Ostad-Sharif et al. and proved that it is prone to the key compromise password guessing attack and the key compromise impersonation attack. Then, we proposed a secure and efficient authentication and key agreement scheme for healthcare systems that addresses the drawbacks of related work and can provide perfect forward secrecy and mutual authentication. The security of the proposed scheme was also formally proved by the Scyther tool.

REFERENCES
[1] Ostad-Sharif A. et al., An enhanced anonymous and unlinkable user authentication and key agreement protocol for TMIS by utilization of ECC, Int J Commun Syst, vol. 32, e3913, (2019)
[2] Ravanbakhsh N. and Nazari M., An efficient improvement remote user mutual authentication and session key agreement scheme for E-healthcare systems, Multimed Tools Appl, vol. 77, no. 1, pp. 55-88, (2018)
[3] Kumari S. et al., Questioning Key Compromise Attack on Ostad-Sharif et al.'s Authentication and Session key Generation Scheme for Healthcare Applications, IEEE Access, vol. 7, pp. 39717-39720, (2019)
[4] Chaudhry S.A. et al., An enhanced lightweight anonymous biometric based authentication scheme for TMIS, Multimed Tools Appl, vol. 77, no. 5, pp. 5503-5524, (2019)
[5] Safkhani M. and Vasilakos A., A New Secure Authentication Protocol for Telecare Medicine Information System and Smart Campus, IEEE Access, vol. 7, pp. 23514-23526, (2019)
[6] Jiang Q. et al., Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems, J Ambient Intell Human Comput, vol. 9, no. 4, pp. 1061-1073, (2018)
[7] Ostad-Sharif A. et al., A robust and efficient ECC-based mutual authentication and session key generation scheme for healthcare applications, J. Med. Syst., vol. 43, no. 10, (2019)
[8] Nikooghadam M. and Amintoosi H., A Secure and Robust Elliptic Curve Cryptography-based Mutual Authentication Scheme for Session Initiation Protocol, Security and Privacy, 2019;e92, (2019)
[9] Nikooghadam M. and Amintoosi H., Cryptanalysis of Khatoon et al.'s ECC-based Authentication Protocol for Healthcare Systems, http://arxiv.org/abs/1906.08424v1, (2019)
[10] Cremers C., Scyther, Semantics and Verification of Security Protocols [Ph.D. dissertation], Eindhoven University of Technology, https://pure.tue.nl/ws/files/2425555/200612074.pdf, (2006)