Abstract
Telecare medical information systems (TMIS) enable healthcare delivery services. However, access of these services via public channel raises security and privacy issues. In recent years, several smart card based authentication schemes have been introduced to ensure secure and authorized communication between remote entities over the public channel for the (TMIS). We analyze the security of some of the recently proposed authentication schemes of Lin, Xie et al., Cao and Zhai, and Wu and Xu’s for TMIS. Unfortunately, we identify that these schemes failed to satisfy desirable security attributes. In this article we briefly discuss four dynamic ID-based authentication schemes and demonstrate their failure to satisfy desirable security attributes. The study is aimed to demonstrate how inefficient password change phase can lead to denial of server scenario for an authorized user, and how an inefficient login phase causes the communication and computational overhead and decrease the performance of the system. Moreover, we show the vulnerability of Cao and Zhai’s scheme to known session specific temporary information attack, vulnerability of Wu and Xu’s scheme to off-line password guessing attack, and vulnerability of Xie et al.’s scheme to untraceable on-line password guessing attack.
Similar content being viewed by others
References
Boyd, C., and Mathuria, A., Protocols for authentication and key establishment. Berlin Heidelberg: Springer, 2003.
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Cryptographic Hardware and Embedded Systems-CHES 2004. LNCS, Vol. 3156, pp. 16–29. Springer 2004
Cao, T., and Zhai, J., Improved dynamic id-based authentication scheme for telecare medical information systems. J. Med. Syst. 37(2):1–7, 2013.
Chen, H. M., Lo, J. W., Yeh, C. K., An efficient and secure dynamic id-based authentication scheme for telecare medical information systems. J. Med. Syst. 36(6):3907–3915 , 2012.
Cheng, Z., Nistazakis, M., Comley, R., Vasiu, L.: On the indistinguishability-based security model of key agreement protocols-simple cases. IACR Cryptology ePrint Archive, https://eprint.iacr.org/2005/129.pdf (2005)
Das, A. K., and Goswami, A., A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37(3):1–16, 2013.
Das, A. K., and Bruhadeshwar, B., An improved and effective secure password-based authentication and key agreement scheme using smart cards for the telecare medicine information system. J. Med. Syst. 37(5):1–17, 2013.
Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., Shalmani, M.T.M.: On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme. In: Advances in Cryptology–CRYPTO 2008, pp. 203–220. Springer (2008)
Hao, X., Wang, J., Yang, Q., Yan, X., Li, P., A chaotic map-based authentication scheme for telecare medicine information systems. J. Med. Syst. 37(2):1–7, 2013.
He, D., Chen, J., Zhang, R., Weaknesses of a dynamic id-based remote user authentication scheme. Int. J. Electron. Secur. Digit. Forensic 3(4):355–362, 2010.
He, D., Kumar, N., Chilamkurti, N., Lee, J. H., Lightweight ECC Based RFID Authentication Integrated with an ID Verifier Transfer Protocol. J. Med. Syst. 38(10):1–6, 2014.
He, D., Chen, Y., Chen, J., Cryptanalysis and improvement of an extended chaotic maps-based key agreement protocol. Nonlinear Dyn. 69(3):1149–1157, 2012.
He, D., Chen, J., Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1989–1995, 2012.
He, D., Kumar, N., Chen, J., Lee, C. C., Chilamkurti, N., Yeo, S. S.: Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimedia Systems pp. 1–12 2013. doi:10.1007/s00530-013-0346-9.
Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M. K., Chaturvedi, A., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. Journal of medical systems 38(5):1–11, 2014.
Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M. K., Cryptanalysis and improvement of yan et al.s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38(6):1–12, 2014.
Kim, K. W., and Lee, J. D., On the security of two remote user authentication schemes for telecare medical information systems. J. Med. Syst. 38(5):1–11, 2014.
Xu, X., Zhu, P., Wen, Q., Jin, Z., Zhang, H., He, L., A secure and efficient authentication and key agreement scheme based on ecc for telecare medicine information systems. J. Med. Syst. 38(1):1–7, 2014.
Lin, T. H., and Lee, T. F., Secure verifier-based three-party authentication schemes without server public keys for data exchange in telecare medicine information systems. J. Med. Syst. 38(5):1–9, 2014.
He, D., and Wu, S., Security flaws in a smart card based authentication scheme for multi-server environment. Wirel. Pers. Commun. 70(1):323–329, 2013.
Mishra, D., Srinivas, J., Mukhopadhyay, S., A Secure and Efficient Chaotic Map-based Authenticated Key Agreement Scheme for Telecare Medicine Information Systems. J. Med. Syst. 38(10):1–10, 2014.
Islam, S. H., and Biswas, G., An improved id-based client authentication with key agreement scheme on ecc for mobile client-server environments. Theor. Appl. Inform. 24(4):293–312, 2012.
Jiang, Q., Ma, J., Lu, X., Tian, Y., Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems. J. Med. Syst. 38(2):1–8, 2014.
Jiang, Q., Ma, J., Ma, Z., Li, G., A privacy enhanced authentication scheme for telecare medical information systems. J. Med. Syst. 37(1):1–8, 2013.
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Advances in Cryptology-CRYPTO’99, pp. 388–397. Springer (1999)
Kukafka, R., Ancker, J.S., Chan, C., Chelico, J., Khan, S., Mortoti, S., Natarajan, K., Presley, K., Stephens, K., Redesigning electronic health record systems to support public health. J. Biomed. Inform. 40(4):398–409, 2007.
Kumari, S., Khan, M. K., Kumar, R., Cryptanalysis and improvement of a privacy enhanced scheme for telecare medical information systems. J. Med. Syst. 37(4):1–11, 2012.
Lee, T.F., An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems. J. Med. Syst. 37(6):1–9, 2013.
Lee, T.F., and Liu, C. M., A secure smart-card based authentication and key agreement scheme for Telecare medicine Information Systems. J. Med. Syst. 37(3):1–8, 2013.
Lin, H.Y., On the security of a dynamic id-based authentication scheme for telecare medical information systems. J. Med. Syst. 37(2):1–5, 2013.
Lin, S.S., Hung, M.H., Tsai, C.L., Chou, L.P., Development of an ease-of-use remote healthcare system architecture using rfid and networking technologies. J. Med. Syst. 36(6):3605–3619 , 2012.
Martin-Sanchez, F., Iakovidis, I., Nørager, S., Maojo, V., De Groen, P., Van der Lei, J., Jones, T., Abraham-Fuchs, K., Apweiler, R., Babic, A., et al., Synergy between medical informatics and bioinformatics: facilitating genomic medicine for future health care. J. Biomed. Inform. 37(1):30–42 , 2004.
Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
Pizziferri, L., Kittler, A.F., Volk, L.A., Honour, M.M., Gupta, S., Wang, S., Wang, T., Lippincott, M., Li, Q., Bates, D.W., Primary care physician time utilization before and after implementation of an electronic health record: a time-motion study. J. Biomed. Inform. 38(3):176–188, 2005.
Potlapally, N.R., Ravi, S., Raghunathan, A., Jha, N.K., A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Trans. Mobile Comput. 5(2):128–143, 2006.
Pu, Q., Wang, J., Zhao, R., Strong authentication scheme for telecare medicine information systems. J. Med. Syst. 36(4):2609–2619, 2012.
Rivest, R. L., Shamir, A., Adleman, L., A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2):120–126, 1978.
Wei, J., Hu, X., Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3597–3604, 2012.
Wong, D. S., Fuentes, H. H., Chan, A. H.: The performance measurement of cryptographic primitives on palm devices. . In: Proceedings 17th Annual Computer Security Applications Conference (ACSAC 2001), pp. 92–101. IEEE (2001)
Wu, F., and Xu, L., Security analysis and improvement of a privacy authentication scheme for telecare medical information systems. J. Med. Syst. 37(4):1–9, 2013. doi:10.1007/s10916-013-9958-z.
Wu, Z. Y., Lee, Y. C., Lai, F., Lee, H. C., Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1529–1535, 2012.
Xie, Q., Zhang, J., Dong, N., Robust anonymous authentication scheme for telecare medical information systems. J. Med. Syst. 37(2):1–8, 2013.
Xu, X., Zhu, P., Wen, Q., Jin, Z., Zhang, H., He, L., A secure and efficient authentication and key agreement scheme based on ecc for telecare medicine information systems. J. Med. Syst. 38(1):1–7, 2014.
Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6): 3833–3838, 2012.
Mishra, D., A Study On ID-based Authentication Schemes for Telecare Medical Information System. arXiv preprint arXiv:1311.0151, 2013.
Mishra, D., and Mukhopadhyay, S.: Cryptanalysis of Wu and Xu’s authentication scheme for Telecare Medicine Information Systems. arXiv preprint arXiv:1309.5255 (2013)
Author information
Authors and Affiliations
Corresponding author
Additional information
This article is part of the Topical Collection on Patient Facing Systems
Rights and permissions
About this article
Cite this article
Mishra, D. On the Security Flaws in ID-based Password Authentication Schemes for Telecare Medical Information Systems. J Med Syst 39, 154 (2015). https://doi.org/10.1007/s10916-014-0154-6
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10916-014-0154-6