
An Improved Secure Authentication and Key Agreement Scheme for Healthcare Applications

Mahdi Nikooghadam
Computer Engineering Department, Faculty of Engineering
Ferdowsi University of Mashhad, Mashhad, Iran
mahdi.nikooghadam@mail.um.ac.ir

Haleh Amintoosi
Computer Engineering Department, Faculty of Engineering
Ferdowsi University of Mashhad, Mashhad, Iran
amintoosi@um.ac.ir

Abstract—Telecare medical information systems are developed to establish a convenient online communication platform for patients and medical staff to exchange healthcare-related services. Being deployed on the Internet, these systems are prone to different security and privacy threats, which may result in leakage of sensitive health-related data and privacy compromise of the patients. Hence, a major challenge is to establish a secure communication channel between the patients and medical servers, where the parties are mutually authenticated and a session key is agreed upon and shared between them for further information exchange. Recently, Ostad-Sharif et al. presented an ECC-based anonymous authentication and key agreement method for healthcare applications. In this article, we first prove that Ostad-Sharif et al.'s scheme is vulnerable to key compromise password guessing attacks and key compromise impersonation attacks. Then, we propose a secure and efficient authentication and key agreement scheme for telecare medical information systems which provides mutual authentication and perfect forward secrecy, and resists key compromise password guessing attacks, key compromise impersonation attacks, insider attacks, and replay attacks. The security of the proposed scheme is also proved formally with the Scyther tool.

Index Terms—Authentication, Key Agreement, Cryptanalysis, Healthcare, TMIS

TABLE I
NOTATIONS USED IN OSTAD-SHARIF ET AL.'S SCHEME [1]

symbol         description
IDp            Identity of patient
IDs            Identity of server
PWp            Password of patient
s              Private key of server
rp, xp         Random numbers generated by patient
rs, xs         Random numbers generated by server
E              Elliptic curve
G              Base point of elliptic curve
SK             Shared key between patient/mobile device and server
Tp             Current timestamp
Ek(.)/Dk(.)    Symmetric encryption/decryption with the key k
hi(.)          One-way hash functions
||             Concatenation operation
⊕              Bitwise XOR operation

I. INTRODUCTION

Recent advances in information technology have led to the growth and development of healthcare-related applications, such as telecare medical information systems (TMISs). The aim of establishing these systems is to provide efficient online healthcare services for patients, doctors and medical staff. In such systems, the patients' medical information, such as blood pressure, is stored in medical databases. Doctors can then easily access the data, review it and provide appropriate advice for patients. Despite all the benefits, establishing secure and privacy-aware communication between the parties and the server is still a major concern. Failure to provide secure communication may lead to unauthorized access to the patients' private health data or to false data injection, resulting in the patients' mistrust of such systems. Hence, research has recently focused on providing secure authentication schemes for TMISs [1], [2], [4]–[6], [8], [9].

Recently, Ostad-Sharif et al. [1] studied the remote authentication and key agreement scheme presented by Ravanbakhsh and Nazari [2] for e-health systems, and pointed out that it is susceptible to the known session-specific temporary information attack and lacks perfect forward secrecy. They also proposed an anonymous and unlinkable authentication scheme based on Elliptic Curve Cryptography (ECC) for TMIS. In this paper, we first show that their proposed scheme is vulnerable to the key compromise password guessing attack and the key compromise impersonation attack. We then propose an authentication and key agreement scheme for healthcare systems that is robust to attacks including the key compromise password guessing attack and the key compromise impersonation attack, and provides perfect forward secrecy and mutual authentication.

II. RELATED WORK

In this section, we briefly describe some of the recent related articles that have focused on providing authentication and key agreement schemes for healthcare applications. In 2018, Ravanbakhsh and Nazari [2] proposed an authentication scheme for e-healthcare systems. However, Ostad-Sharif et al. [1] showed that Ravanbakhsh and Nazari's scheme is prone to known-session-specific temporary information attacks and cannot provide perfect forward secrecy. In 2019, Ostad-Sharif et al. [7] proposed a new user authentication and session key agreement protocol for healthcare systems and showed that their scheme could solve these security drawbacks while incurring low overhead. However, Kumari et al. [3] demonstrated that it is not secure against key compromise password guessing attacks and key compromise impersonation attacks. As can be concluded from the above discussion, we are still in need of a secure authentication and key agreement scheme that addresses the drawbacks mentioned above. Our proposed scheme is shown to satisfy such requirements.

III. OVERVIEW AND CRYPTANALYSIS OF OSTAD-SHARIF ET AL.'S SCHEME

In this section, we review and analyse Ostad-Sharif et al.'s scheme [1] and show that it suffers from the key compromise password guessing attack and the key compromise impersonation attack. It is worth mentioning that we follow the process presented by Kumari et al. [3] for the cryptanalysis.

A. Overview of Ostad-Sharif et al.'s Scheme

The notations used in Ostad-Sharif et al.'s scheme are shown in Table I. The protocol is also demonstrated in Figure 1. Before the patient can access the medical server's services, the medical server sends the required log-in information to the patient's mobile device through the registration phase to register the user. Once registration is done, the patient can share a key with the server via the authentication phase. The shared key can then be used for their subsequent secure communications.

Fig. 1. User registration, login and authentication phase of Ostad-Sharif et al.'s scheme [1]

Registration Phase
  Patient:
    Selects IDp and PWp
    Selects a random number rp
    Computes OPWp = h0(IDp||rp||PWp)
  Patient -> Server (secure channel): IDp, OPWp
  Server:
    Checks the validity of IDp
    Computes Ap = h0(IDp||s)
    Computes Bp = OPWp ⊕ Ap
    Selects a random number rs
    Computes EIDp = Es(IDp||rs)
  Server -> Patient (secure channel): EIDp, Bp
  Patient:
    Stores <EIDp, Bp, rp> in his/her mobile device

Login and Authentication Phase
  Patient/mobile device:
    Enters his/her IDp and PWp
    Retrieves rp from the memory
    Computes OPWp = h0(IDp||rp||PWp)
    Retrieves Bp from the memory
    Computes Ap = OPWp ⊕ Bp
    Generates a random number xp ∈ Zq*
    Computes Xp = h1(IDp||PWp||xp)G
    Captures its current time Tp
    Computes Vp = h2(IDp||Ap||Xp||Tp)
  Patient -> Server: (EIDp, Xp, Vp, Tp)
  Server:
    Checks the freshness of Tp
    Decrypts (IDp||rs) = Ds(EIDp)
    Computes Ap = h0(IDp||s)
    Checks h2(IDp||Ap||Xp||Tp) =? Vp
    Generates a random number xs ∈ Zq*
    Computes Xs = h1(IDs||s||xs)G
    Computes K = h1(IDs||s||xs)Xp
    Computes SK = h3(IDp||Tp||K)
    Selects a random number rs_new ∈ Zq*
    Encrypts EIDp_new = Es(IDp||rs_new)
    Computes OEIDp_new = EIDp_new ⊕ h4(SK)
    Computes Vs = h2(Ap||Xs||EIDp_new||SK)
  Server -> Patient: OEIDp_new, Xs, Vs
  Patient/mobile device:
    Computes K = h1(IDp||PWp||xp)Xs
    Computes SK = h3(IDp||Tp||K)
    Computes EIDp_new = OEIDp_new ⊕ h4(SK)
    Checks h2(Ap||Xs||EIDp_new||SK) =? Vs
    If so, replaces EIDp with EIDp_new

B. Cryptanalysis of Ostad-Sharif et al.'s Scheme

In this section, we demonstrate that Ostad-Sharif et al.'s scheme [1] suffers from the key compromise password guessing attack and the key compromise impersonation attack.

1) Key Compromise Password Guessing Attack: As mentioned in [3], this attack happens when the adversary possesses the compromised secret key of the server and procures the patient's mobile phone, and thus obtains the patient's password.
• Assume that the adversary has access to the patient's mobile phone. So, he can obtain the parameters EIDp, Bp, rp which were stored in the mobile device at the end of the registration phase.
• Also assume that the adversary is in possession of the server's secret key s. So, he decrypts EIDp, as EIDp = Es(IDp||rs), and obtains the parameters IDp and rs.
• Having IDp and s, he can compute Ap = h0(IDp||s).
• Now, the adversary has Ap and Bp. So, he can obtain OPWp from Bp = OPWp ⊕ Ap.
• As can be seen in the equation OPWp = h0(IDp||rp||PWp), all the parameters except for the patient's password PWp are available to the adversary. So, the adversary guesses a candidate password PW* for the patient's password and checks whether OPWp =? h0(IDp||rp||PW*). Equality of the two sides of the equation confirms the correctness of the guessed password PW*. If not, the adversary tries another password. By repeating the guessing and comparing process, and due to the short length of passwords (in bits), he will eventually be able to guess the patient's password.

2) Key Compromise Impersonation Attack: As mentioned in [7], a key compromise impersonation attack happens when the adversary can impersonate the patient if he has access to the private key of the server. In the following, we show that Ostad-Sharif et al.'s scheme is prone to the key compromise impersonation attack.
• Assume that the server's private key s has been compromised. Since EIDp is communicated on a public channel, the adversary can capture it and decrypt it with s to obtain IDp and rs, as EIDp = Es(IDp||rs).
• Having IDp and s, he is now able to compute Ap as Ap = h0(IDp||s).
• Now that the adversary has Ap and IDp, he can select his own Tp' and Xp' instead of Tp and Xp and compute Vp' = h2(IDp||Ap||Xp'||Tp') to impersonate the patient.
• The adversary then sends the message (EIDp, Xp', Vp', Tp') to the server.
• Upon receiving the message, the server has to check whether h2(IDp||Ap||Xp||Tp) =? Vp to authenticate the patient. However, it in fact checks h2(IDp||Ap||Xp'||Tp') =? Vp', and since Xp', Tp' and Vp' have been deliberately selected by the adversary, the result of the above comparison will be true and the adversary is authenticated. In other words, the adversary can impersonate the patient.

IV. THE PROPOSED PROTOCOL

In this section, we describe the details of our proposed authentication and key agreement scheme to provide secure communication in healthcare systems. Our proposed scheme has two phases: Registration (shown in Figure 2), and Login and Authentication (shown in Figure 3). Table II lists the notations used in the proposed scheme.

TABLE II
NOTATIONS USED IN OUR PROPOSED PROTOCOL

symbol               description
IDi                  Identity of patient
IDs                  Identity of server
PWi                  Password of patient
s                    Private key of server
kpub = s.p           Public key of server
ni, mi, qi           Random numbers generated by patient
gi                   Random number generated by server
E                    Elliptic curve
p                    Base point of elliptic curve
SK                   Shared key between patient/mobile device and server
Tp, Ts               Current timestamps
enc_k(.)/dec_k(.)    Symmetric encryption/decryption with the key k
ENC_k(.)/DEC_k(.)    Asymmetric encryption/decryption with the key k
h(.)                 One-way hash function
H(.)                 One-way hash function for biometric parameter
||                   Concatenation operation
⊕                    Bitwise XOR operation

A. Registration Phase

The following are the steps performed when the user (i.e., the patient) wants to register with the medical server.
Fig. 2. User registration phase of the proposed scheme

Registration Phase
  Patient:
    Selects IDi, pwi and BIOi
    Selects random numbers ai, bi
    Computes pi = h(IDi||pwi||ai||H(BIOi))
  Patient -> Server (secure channel): <pi, bi, ai>
  Server:
    Computes Ai = h(IDs||bi||s)
    Computes Bi = Ai ⊕ pi
    Computes Ci = h(pi||Ai||ai||bi)
    Computes kpub = s.p
  Server -> Patient (secure channel): <Bi, Ci, kpub>
  Patient:
    Adds ai, bi to the received values
    Stores <ai, bi, Bi, Ci, kpub, H(.), h(.)> in his/her mobile device

• Step 1. The user selects a user ID IDi and a password pwi and enters his biometric parameter BIOi. He also selects random numbers ai and bi. The mobile device then calculates pi = h(IDi||pwi||ai||H(BIOi)). At the end, <pi, bi, ai> is sent to the server via a secure channel.
• Step 2. Upon receiving the message, the server calculates Ai = h(IDs||bi||s), Bi = Ai ⊕ pi, Ci = h(pi||Ai||ai||bi) and kpub = s.p. It then sends <Bi, Ci, kpub> to the user (his mobile device) through a secure channel.
• Step 3. Once the user receives the message, he adds ai and bi to the received values and stores <ai, bi, Bi, Ci, kpub, H(.), h(.)> in the mobile device's memory.

B. Login and Authentication Phase

The following are the steps required when the user wants to log in to the server and authenticate himself.

• Step 1. The user (i.e., the patient) enters his IDi*, pwi*, and his biometric BIOi*. To verify that the mobile device belongs to the user (e.g., has not been stolen), the random parameters ai and bi are first extracted from the mobile device. Then, the following calculations are performed: pi* = h(IDi*||pwi*||ai||H(BIOi*)), Ai* = Bi ⊕ pi*, Ci* = h(Ai*||pi*||ai||bi). At the end, Ci* is compared with the Ci stored on the mobile device. If equal, it is proved that the mobile device indeed belongs to the user.
• Step 2. The user then selects three random numbers ni, mi, qi and calculates two points Ni = ni.p and Mi = mi.p on the elliptic curve. It then computes another point on the elliptic curve (key1) by multiplying ni and the server's public key kpub, as key1 = ni.kpub = ni.s.p. He then selects the time stamp Tp and computes Fi = h(qi||mi||ni). It then encrypts (Fi||qi) with the x-th dimension of key1 to obtain ki. In other words, ki = ENC_(key1)x(Fi||qi). The user then encrypts ki||(Ni)x||(Mi)x with Ai to obtain Vi as Vi = enc_Ai(ki||(Ni)x||(Mi)x), where (Ni)x and (Mi)x are the x-th dimension of Ni and Mi, respectively. Next, he computes Xi = h(qi||bi||Vi). At the end, he sends <Vi, bi, Xi, mi.p, Tp> to the server.
• Step 3. Once the message is received at the server, the server first checks the freshness of the message by checking the time stamp Tp and then calculates Ai = h(IDs||bi||s), where IDs is the server's ID and s is its secret key (both available to the server), and bi has been sent to the server in the previous step. Having Ai, the server is now able to decrypt Vi as dec_Ai(Vi) = (ki*||Ni*||Mi*) and obtain ki*, Ni* and Mi*. Now, the server can calculate key1' = Ni.s = s.ni.p, where s is the server's secret key. Having key1', the server decrypts ki to obtain Fi and qi as DEC_(key1')x(ki) = (Fi||qi). Then, it calculates Xi* = h(qi||bi||Vi) and compares it with the Xi received from the user. If equal, the correctness and authenticity of the message are verified. Now, the server selects the timestamp Ts and a random number gi, and then adds the two points Mi and Ni to obtain MNi as MNi = Mi + Ni. At the end, the server computes the session key SK as SK = h(Fi||qi||Ai||(MNi)x||gi.mi.p) and Auths = h(SK||Xi||Fi), and sends <gi.p, Auths, Ts> to the user.
• Step 4. Upon receiving the message, the user first checks its freshness. He then calculates the session key SK = h(Fi||qi||Ai||(MNi)x||gi.mi.p) and Authp as Authp = h(SK||Xi||Fi), and compares Authp with the Auths received from the server to verify the message. Now, both parties have agreed on a shared session key.

Fig. 3. Login and authentication phase of the proposed scheme

Login and Authentication Phase
  Patient/mobile device:
    Enters his/her IDi*, pwi* and BIOi*
    Retrieves ai, bi from the memory
    Computes pi* = h(IDi*||pwi*||ai||H(BIOi*))
    Computes Ai* = Bi ⊕ pi*
    Computes Ci* = h(Ai*||pi*||ai||bi)
    Checks Ci* =? Ci
    Selects random numbers ni, mi, qi
    Computes Ni = ni.p, Mi = mi.p
    Computes key1 = ni.kpub = ni.s.p
    Captures its current time Tp
    Computes Fi = h(qi||mi||ni)
    Computes ki = ENC_(key1)x(Fi||qi)
    Computes Vi = enc_Ai(ki||(Ni)x||(Mi)x)
    Computes Xi = h(qi||bi||Vi)
  Patient -> Server: <Vi, bi, Xi, mi.p, Tp>
  Server:
    Checks the freshness of Tp
    Computes Ai = h(IDs||bi||s)
    Decrypts dec_Ai(Vi) = (ki*||Ni*||Mi*)
    Computes key1' = Ni.s = s.ni.p
    Decrypts DEC_(key1')x(ki) = (Fi||qi)
    Computes Xi* = h(qi||bi||Vi)
    Checks Xi =? Xi*
    Captures its current time Ts
    Selects a random number gi
    Computes MNi = Mi + Ni
    Computes SK = h(Fi||qi||Ai||(MNi)x||gi.mi.p)
    Computes Auths = h(SK||Xi||Fi)
  Server -> Patient: <gi.p, Auths, Ts>
  Patient/mobile device:
    Checks the freshness of Ts
    Computes MNi = Mi + Ni
    Computes SK = h(Fi||qi||Ai||(MNi)x||mi.gi.p)
    Computes Authp = h(SK||Xi||Fi)
    Checks Authp =? Auths

V. INFORMAL SECURITY ANALYSIS OF THE PROPOSED SCHEME

In this section, we informally show that the proposed scheme is resistant to various attacks, and can provide perfect forward secrecy and mutual authentication.
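Before the property-by-property analysis, the complete run of the proposed scheme from Section IV (Figs. 2 and 3) as an added worked example in Python; this is editorial code, not the paper's, and it assumes a constructed toy curve (y^2 = x^3 + 2x + 2 over GF(17), base point (5, 1) of prime order 19), SHA-256 for h(.) and H(.), and an XOR keystream standing in for enc/dec and ENC/DEC. It also carries the full point Ni inside Vi rather than only (Ni)x, because the server needs the whole point to form MNi = Mi + Ni; the random values and clock readings are parameters so that a run is reproducible.

```python
import hashlib
# Toy curve, constructed for this example only (not the paper's parameters):
# E: y^2 = x^3 + 2x + 2 over GF(17); base point p = (5, 1) has prime order 19.
P_MOD, A_COEF, BASE = 17, 2, (5, 1)
CLOCK_SKEW = 5  # accepted |now - T| in the freshness checks (assumption)
def ec_add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None:
        return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def ec_mul(k, P):  # scalar multiplication k.P by double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R
def h(*parts):  # h(.) over a||b||...; H(.) for the biometric is the same function here
    return hashlib.sha256("||".join(str(x) for x in parts).encode()).hexdigest()
def xor_hex(a, b):  # Bi = Ai XOR pi, on hex digests
    return format(int(a, 16) ^ int(b, 16), "064x")
def sym(key, data):  # stand-in for enc/dec and ENC/DEC: XOR with a SHA-256 keystream
    ks = b"".join(hashlib.sha256(f"{key}|{n}".encode()).digest() for n in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def register(IDi, pwi, BIOi, ai, bi, IDs, s):  # Fig. 2; returns what the mobile device stores
    pi, Ai = h(IDi, pwi, ai, h(BIOi)), h(IDs, bi, s)
    return {"ai": ai, "bi": bi, "Bi": xor_hex(Ai, pi), "Ci": h(pi, Ai, ai, bi), "kpub": ec_mul(s, BASE)}

def user_login(dev, IDi, pwi, BIOi, ni, mi, qi, Tp):  # login steps 1-2: device check, first message
    ai, bi = dev["ai"], dev["bi"]
    pi = h(IDi, pwi, ai, h(BIOi))
    Ai = xor_hex(dev["Bi"], pi)
    if h(pi, Ai, ai, bi) != dev["Ci"]:  # the paper writes Ci's operands in two orders; one is used
        raise ValueError("device does not belong to this user")
    Ni, Mi, key1 = ec_mul(ni, BASE), ec_mul(mi, BASE), ec_mul(ni, dev["kpub"])
    Fi = h(qi, mi, ni)
    ki = sym(key1[0], f"{Fi}||{qi}".encode())  # ENC_(key1)x(Fi||qi)
    Vi = sym(Ai, f"{ki.hex()}||{Ni[0]},{Ni[1]}||{Mi[0]}".encode())  # full Ni carried (assumption)
    Xi = h(qi, bi, Vi.hex())
    state = {"Ai": Ai, "Fi": Fi, "qi": qi, "mi": mi, "Xi": Xi, "MNi": ec_add(Mi, Ni)}
    return (Vi, bi, Xi, Mi, Tp), state

def server_auth(IDs, s, msg, gi, Ts, now):  # login step 3: verify the user, derive SK
    Vi, bi, Xi, Mi, Tp = msg
    if abs(now - Tp) > CLOCK_SKEW:
        raise ValueError("stale Tp: possible replay")
    Ai = h(IDs, bi, s)
    ki_hex, Ni_str, _ = sym(Ai, Vi).decode().split("||")
    Ni = tuple(int(c) for c in Ni_str.split(","))
    key1 = ec_mul(s, Ni)  # key1' = Ni.s = s.ni.p, so (key1')x equals the user's (key1)x
    Fi, qi = sym(key1[0], bytes.fromhex(ki_hex)).decode().split("||")
    if h(qi, bi, Vi.hex()) != Xi:
        raise ValueError("Xi mismatch: user not authenticated")
    SK = h(Fi, qi, Ai, ec_add(Mi, Ni)[0], ec_mul(gi, Mi))  # last term is gi.mi.p
    return (ec_mul(gi, BASE), h(SK, Xi, Fi), Ts), SK

def user_verify(state, reply, now):  # login step 4: recompute SK and check Auths
    gi_p, Auths, Ts = reply
    if abs(now - Ts) > CLOCK_SKEW:
        raise ValueError("stale Ts: possible replay")
    SK = h(state["Fi"], state["qi"], state["Ai"], state["MNi"][0], ec_mul(state["mi"], gi_p))
    if h(SK, state["Xi"], state["Fi"]) != Auths:
        raise ValueError("Auths mismatch: server not authenticated")
    return SK
```

With the toy curve every scalar in 1..18 is valid; on a real curve the scalars ni, mi, qi, gi and s must come from a cryptographic random source and the curve's group order.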

A. Key Compromise Impersonation Attack

As mentioned before in Section III-B2, resistance to this attack means that if the server's secret key is compromised, it should not let the attacker impersonate the server/user. In our scheme, to verify that the message is indeed received from the user, the server calculates Xi* as Xi* = h(qi||bi||Vi) and compares it with the Xi received from the user. If the attacker wants to impersonate the user, he has to create his own Xi and hence his own Vi. To do so, he should be able to decrypt Vi to access its parameters. But Vi has been encrypted with Ai, as Ai = h(IDs||bi||s), which depends on the server's identity IDs, inaccessible to the attacker. So, he cannot impersonate the user. Hence, the proposed scheme is resistant to the key compromise impersonation attack.

B. Key Compromise Password Guessing Attack

As described before in Section III-B1, resistance to this attack means that if the server's secret key is compromised, it should not let the attacker guess the user's password. In our proposed scheme, in order to have access to the user's password pwi, the attacker should know the user's identity IDi and his biometric parameter BIOi, as pi* = h(IDi*||pwi*||ai||H(BIOi*)), both of which are kept private and are inaccessible to the attacker. So, our scheme is secure against the key compromise password guessing attack.
C. Insider Attack

In our proposed scheme, no sensitive information is stored on the server. So, even in the case of an insider, he is not able to retrieve the user's private information such as his password. So, the scheme is resistant to the insider attack.

D. Replay Attack

In a replay attack, the adversary aims to capture an exchanged message and resubmit it later. In our scheme, we prevent this attack by using timestamps and checking their freshness, thus rejecting the resubmission of old messages.

E. Perfect Forward Secrecy

As discussed in [8], perfect forward secrecy provision means that if any of the long-term secrets (e.g., the session key, the server's public/private keys, etc.) has been compromised, the attacker should not be able to get access to the session key. In our scheme, the session key includes mi.gi.p (or gi.mi.p), in which mi and gi are random numbers. Even if the attacker has access to mi.p and gi.p, he is not able to compute mi.gi.p or gi.mi.p due to the hardness of the Elliptic Curve Diffie-Hellman (ECDH) problem. So, the proposed scheme can provide perfect forward secrecy.

F. Mutual Authentication

In our proposed scheme, once the user sends the message (Vi, bi, Xi, mi.p, Tp) to the server, the server authenticates the user by computing Xi* = h(qi||bi||Vi) and comparing it with the Xi received from the user. If equal, the user is authenticated to the server. Similarly, once the message (gi.p, Auths, Ts) is received from the server, the user authenticates the server by computing Authp = h(SK||Xi||Fi) and comparing it with the Auths received from the server. If equal, the server is authenticated to the user. So, our scheme can provide mutual authentication.

VI. FORMAL SECURITY ANALYSIS WITH SCYTHER

To analyse the security of our proposed scheme formally, we used the Scyther tool [10], designed and extended for identifying the security requirements and vulnerabilities of protocols. Scyther provides verification of user-defined as well as automatically generated claims, where each claim represents a security property. The claim Alive ensures that a set of events has been executed by the intended communication party R. Nisynch ensures that the sender has sent all exchanged messages and that they have all been received by the receiver. claim(R, Secret, rt) implies that R claims that rt should be unknown to the attacker. Weakagree is used to guarantee the robustness of the protocol against the impersonation attack. Figure 4 demonstrates the output of this analysis, showing that the protocol satisfies all the security requirements.

Fig. 4. Formal Security Analysis of the Proposed Scheme

VII. CONCLUSION AND FUTURE WORK

Recent research has emphasized the importance of providing a secure and privacy-preserving communication channel between the different parties in TMISs. In this article, we reviewed the work presented by Ostad-Sharif et al. and proved that it is prone to the key compromise password guessing attack and the key compromise impersonation attack. Then, we proposed a secure and efficient authentication and key agreement scheme for healthcare systems that addresses the drawbacks of related work and can provide perfect forward secrecy and mutual authentication. The security of the proposed scheme was also formally proved with the Scyther tool.

REFERENCES

[1] Ostad-Sharif A. et al., "An enhanced anonymous and unlinkable user authentication and key agreement protocol for TMIS by utilization of ECC," Int. J. Commun. Syst., vol. 32, e3913, 2019.
[2] Ravanbakhsh N., Nazari M., "An efficient improvement remote user mutual authentication and session key agreement scheme for E-healthcare systems," Multimed. Tools Appl., vol. 77, no. 1, pp. 55-88, 2018.
[3] Kumari S. et al., "Questioning Key Compromise Attack on Ostad-Sharif et al.'s Authentication and Session Key Generation Scheme for Healthcare Applications," IEEE Access, vol. 7, pp. 39717-39720, 2019.
[4] Chaudhry S.A. et al., "An enhanced lightweight anonymous biometric based authentication scheme for TMIS," Multimed. Tools Appl., vol. 77, no. 5, pp. 5503-5524, 2019.
[5] Safkhani M., Vasilakos A., "A New Secure Authentication Protocol for Telecare Medicine Information System and Smart Campus," IEEE Access, vol. 7, pp. 23514-23526, 2019.
[6] Jiang Q. et al., "Security analysis and improvement of bio-hashing based three-factor authentication scheme for telecare medical information systems," J. Ambient Intell. Human. Comput., vol. 9, no. 4, pp. 1061-1073, 2018.
[7] Ostad-Sharif A. et al., "A robust and efficient ECC-based mutual authentication and session key generation scheme for healthcare applications," J. Med. Syst., vol. 43, no. 10, 2019.
[8] Nikooghadam M., Amintoosi H., "A Secure and Robust Elliptic Curve Cryptography-based Mutual Authentication Scheme for Session Initiation Protocol," Security and Privacy, e92, 2019.
[9] Nikooghadam M., Amintoosi H., "Cryptanalysis of Khatoon et al.'s ECC-based Authentication Protocol for Healthcare Systems," http://arxiv.org/abs/1906.08424v1, 2019.
[10] Cremers C., "Scyther: Semantics and Verification of Security Protocols," Ph.D. dissertation, Eindhoven University of Technology, 2006, https://pure.tue.nl/ws/files/2425555/200612074.pdf
