On the Security Flaws in ID-based Password Authentication Schemes for Telecare Medical Information Systems

  • Patient Facing Systems
Journal of Medical Systems

Abstract

Telecare medical information systems (TMIS) enable healthcare delivery services. However, access to these services over a public channel raises security and privacy issues. In recent years, several smart card based authentication schemes have been introduced to ensure secure and authorized communication between remote entities over the public channel for TMIS. We analyze the security of some of the recently proposed TMIS authentication schemes, namely those of Lin, Xie et al., Cao and Zhai, and Wu and Xu, and find that these schemes fail to satisfy desirable security attributes. In this article we briefly discuss four dynamic ID-based authentication schemes and demonstrate their failure to satisfy desirable security attributes. The study aims to demonstrate how an inefficient password change phase can lead to a denial-of-service scenario for an authorized user, and how an inefficient login phase causes communication and computational overhead and decreases the performance of the system. Moreover, we show the vulnerability of Cao and Zhai’s scheme to the known session-specific temporary information attack, of Wu and Xu’s scheme to the off-line password guessing attack, and of Xie et al.’s scheme to the untraceable on-line password guessing attack.

Author information

Correspondence to Dheerendra Mishra.

Additional information

This article is part of the Topical Collection on Patient Facing Systems

About this article

Cite this article

Mishra, D. On the Security Flaws in ID-based Password Authentication Schemes for Telecare Medical Information Systems. J Med Syst 39, 154 (2015). https://doi.org/10.1007/s10916-014-0154-6

  • DOI: https://doi.org/10.1007/s10916-014-0154-6
