Abstract
An integrated EPR (Electronic Patient Record) information system of all the patients provides the medical institutions and the academia with most of the patients’ information in details for them to make corrective decisions and clinical decisions in order to maintain and analyze patients’ health. In such system, the illegal access must be restricted and the information from theft during transmission over the insecure Internet must be prevented. Lee et al. proposed an efficient password-based remote user authentication scheme using smart card for the integrated EPR information system. Their scheme is very efficient due to usage of one-way hash function and bitwise exclusive-or (XOR) operations. However, in this paper, we show that though their scheme is very efficient, their scheme has three security weaknesses such as (1) it has design flaws in password change phase, (2) it fails to protect privileged insider attack and (3) it lacks the formal security verification. We also find that another recently proposed Wen’s scheme has the same security drawbacks as in Lee at al.’s scheme. In order to remedy these security weaknesses found in Lee et al.’s scheme and Wen’s scheme, we propose a secure and efficient password-based remote user authentication scheme using smart cards for the integrated EPR information system. We show that our scheme is also efficient as compared to Lee et al.’s scheme and Wen’s scheme as our scheme only uses one-way hash function and bitwise exclusive-or (XOR) operations. Through the security analysis, we show that our scheme is secure against possible known attacks. Furthermore, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks.
Similar content being viewed by others
References
Aumasson, J.P., Henzen, L., Meier, W., Plasencia, M.N., Quark: A lightweight hash. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES 2010), LNCS, vol. 6225, pp. 1–15, 2010.
AVISPA, Automated Validation of Internet Security Protocols and Applications, 2013. Accessed on January 2013. http://www.avispa-project.org/.
AVISPA, AVISPA Web Tool, 2014. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/.
Basin, D., Modersheim, S., OFMC, L. Vigano., A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.
Chang, Y.-F., Yu, S.-H., Shiao, D.-R., An uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37(2):1–9, 2013.
Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Secur. Commun. Netw., 2014. doi:10.1002/sec.1140.
Das, A.K, Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.
Das, A.K., A random key establishment scheme for multi-phase deployment in large-scale distributed sensor networks. Int. J. Inf. Secury. 11(3):189–211, 2012.
Das, A.K., A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Netw. Sci. 2(1-2):12–27, 2013.
Das, A.K., A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw. Appl., 2014. doi:10.1007/s12083-014-0324-9.
Das, A.K., Chatterjee, S., Sing, J.K., A novel efficient access control scheme for large-scale distributed wireless sensor networks. Int. J. Found. Comput. Sci. 24(5):625–653, 2013.
Das, A.K., and Goswami, A., A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37(3):1–16, 2013.
Das, A.K., Massand, A., Patil, S., A novel proxy signature scheme based on user hierarchical access control policy. J. King Saud University - Comput. Inform. Sci. 25(2):219–228, 2013.
Das, M.L., Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8(3):1086–1090, 2009.
Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.
Kocher, P., Jaffe, J., Jun, B., Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, vol. 1666, pp. 388–397, 1999.
Lee, T.-F., Chang, I.-P., Lin, T.-H., Wang, C.-C., A secure and efficient password-based user authentication scheme using smart cards for the integrated EPR information system. J. Med. Syst. 37(3), 2013.
Manuel, S., Classification and generation of disturbance vectors for collision attacks against SHA-1. Des. Codes Crypt. 59(1-3):247–263, 2011.
Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.
Mishra, D., On the security flaws in id-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1), 2014.
Mishra, D., Das, A.K., Mukhopadhyay, S., A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card, 2014. doi:10.1007/s12083-014-0321-z.
Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Sys 38(5), 2014.
Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Sys 38(10), 2014.
Sarkar, P., A simple and generic construction of authenticated encryption with associated data. ACM Trans Inf. Syst. Secur. 13(4):33, 2010.
Stallings, W., Cryptography and network security: Principles and practices. 3 ed. Englewood Cliffs: Prentice Hall, 2003.
Secure Hash Standard: Secure hash standard, FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995 (1995)
Stinson, D.R., Some observations on the theory of cryptographic hash functions. Des. Codes Crypt. 38(2):259–277, 2006.
Wen, F., A more secure anonymous user authentication scheme for the integrated EPR information system. J. Med. Syst. 38(5):42, 2014.
Wu, Z.Y., Chung, Y.-F., Lai, F., Chen, T.-S., A password-based user authentication scheme for the integrated EPR information system. J. Med. Syst. 36(2):631–638, 2012.
Acknowledgments
The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.
Conflict of interests
The author declares that thre is no conflict of interest.
Author information
Authors and Affiliations
Corresponding author
Additional information
This article is part of the Topical Collection on Mobile Systems
Rights and permissions
About this article
Cite this article
Das, A.K. A Secure and Robust Password-Based Remote User Authentication Scheme Using Smart Cards for the Integrated EPR Information System. J Med Syst 39, 25 (2015). https://doi.org/10.1007/s10916-015-0204-8
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10916-015-0204-8