
A Secure and Robust Password-Based Remote User Authentication Scheme Using Smart Cards for the Integrated EPR Information System

  • Mobile Systems
Journal of Medical Systems

Abstract

An integrated EPR (Electronic Patient Record) information system of all the patients provides medical institutions and academia with most of the patients’ information in detail, so that they can make corrective decisions and clinical decisions in order to maintain and analyze patients’ health. In such a system, illegal access must be restricted and theft of information during transmission over the insecure Internet must be prevented. Lee et al. proposed an efficient password-based remote user authentication scheme using smart cards for the integrated EPR information system. Their scheme is very efficient because it uses a one-way hash function and bitwise exclusive-or (XOR) operations. However, in this paper we show that, though their scheme is very efficient, it has three security weaknesses: (1) it has design flaws in the password change phase, (2) it fails to protect against the privileged insider attack, and (3) it lacks formal security verification. We also find that Wen’s recently proposed scheme has the same security drawbacks as Lee et al.’s scheme. To remedy these security weaknesses found in Lee et al.’s scheme and Wen’s scheme, we propose a secure and efficient password-based remote user authentication scheme using smart cards for the integrated EPR information system. We show that our scheme is also efficient compared to Lee et al.’s scheme and Wen’s scheme, as our scheme uses only a one-way hash function and bitwise exclusive-or (XOR) operations. Through the security analysis, we show that our scheme is secure against possible known attacks. Furthermore, we simulate our scheme for formal security verification using the widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks.

References

  1. Aumasson, J.P., Henzen, L., Meier, W., Plasencia, M.N., Quark: A lightweight hash. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES 2010), LNCS, vol. 6225, pp. 1–15, 2010.

  2. AVISPA, Automated Validation of Internet Security Protocols and Applications, 2013. Accessed on January 2013. http://www.avispa-project.org/.

  3. AVISPA, AVISPA Web Tool, 2014. Accessed on April 2014. http://www.avispa-project.org/web-interface/expert.php/.

  4. Basin, D., Modersheim, S., Vigano, L., OFMC: A symbolic model checker for security protocols. Int. J. Inf. Secur. 4(3):181–208, 2005.

  5. Chang, Y.-F., Yu, S.-H., Shiao, D.-R., An uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37(2):1–9, 2013.

  6. Chatterjee, S., and Das, A.K., An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks. Secur. Commun. Netw., 2014. doi:10.1002/sec.1140.

  7. Das, A.K., Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. 5(3):145–151, 2011.

  8. Das, A.K., A random key establishment scheme for multi-phase deployment in large-scale distributed sensor networks. Int. J. Inf. Secur. 11(3):189–211, 2012.

  9. Das, A.K., A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications. Netw. Sci. 2(1-2):12–27, 2013.

  10. Das, A.K., A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-to-Peer Netw. Appl., 2014. doi:10.1007/s12083-014-0324-9.

  11. Das, A.K., Chatterjee, S., Sing, J.K., A novel efficient access control scheme for large-scale distributed wireless sensor networks. Int. J. Found. Comput. Sci. 24(5):625–653, 2013.

  12. Das, A.K., and Goswami, A., A secure and efficient uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37(3):1–16, 2013.

  13. Das, A.K., Massand, A., Patil, S., A novel proxy signature scheme based on user hierarchical access control policy. J. King Saud University - Comput. Inform. Sci. 25(2):219–228, 2013.

  14. Das, M.L., Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8(3):1086–1090, 2009.

  15. Dolev, D., and Yao, A., On the security of public key protocols. IEEE Trans. Inf. Theory 29(2):198–208, 1983.

  16. Kocher, P., Jaffe, J., Jun, B., Differential power analysis. In: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, vol. 1666, pp. 388–397, 1999.

  17. Lee, T.-F., Chang, I.-P., Lin, T.-H., Wang, C.-C., A secure and efficient password-based user authentication scheme using smart cards for the integrated EPR information system. J. Med. Syst. 37(3), 2013.

  18. Manuel, S., Classification and generation of disturbance vectors for collision attacks against SHA-1. Des. Codes Crypt. 59(1-3):247–263, 2011.

  19. Messerges, T.S., Dabbish, E.A., Sloan, R.H., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.

  20. Mishra, D., On the security flaws in id-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39(1), 2014.

  21. Mishra, D., Das, A.K., Mukhopadhyay, S., A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card, 2014. doi:10.1007/s12083-014-0321-z.

  22. Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38(5), 2014.

  23. Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38(10), 2014.

  24. Sarkar, P., A simple and generic construction of authenticated encryption with associated data. ACM Trans Inf. Syst. Secur. 13(4):33, 2010.

  25. Stallings, W., Cryptography and network security: Principles and practices. 3 ed. Englewood Cliffs: Prentice Hall, 2003.

  26. Secure Hash Standard, FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995.

  27. Stinson, D.R., Some observations on the theory of cryptographic hash functions. Des. Codes Crypt. 38(2):259–277, 2006.

  28. Wen, F., A more secure anonymous user authentication scheme for the integrated EPR information system. J. Med. Syst. 38(5):42, 2014.

  29. Wu, Z.Y., Chung, Y.-F., Lai, F., Chen, T.-S., A password-based user authentication scheme for the integrated EPR information system. J. Med. Syst. 36(2):631–638, 2012.

Acknowledgments

The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the Editor, which have improved the content and the presentation of this paper.

Conflict of interests

The author declares that there is no conflict of interest.

Author information

Corresponding author

Correspondence to Ashok Kumar Das.

Additional information

This article is part of the Topical Collection on Mobile Systems

About this article

Cite this article

Das, A.K. A Secure and Robust Password-Based Remote User Authentication Scheme Using Smart Cards for the Integrated EPR Information System. J Med Syst 39, 25 (2015). https://doi.org/10.1007/s10916-015-0204-8

  • DOI: https://doi.org/10.1007/s10916-015-0204-8
