Abstract
E-Health clouds are gaining increasing popularity by facilitating the storage and sharing of big data in healthcare. However, such an adoption also brings about a series of challenges, especially, how to ensure the security and privacy of highly sensitive health data. Among them, one of the major issues is authentication, which ensures that sensitive medical data in the cloud are not available to illegal users. Three-factor authentication combining password, smart card and biometrics perfectly matches this requirement by providing high security strength. Recently, Wu et al. proposed a three-factor authentication protocol based on elliptic curve cryptosystem which attempts to fulfill three-factor security and resist various existing attacks, providing many advantages over existing schemes. However, we first show that their scheme is susceptible to user impersonation attack in the registration phase. In addition, their scheme is also vulnerable to offline password guessing attack in the login and password change phase, under the condition that the mobile device is lost or stolen. Furthermore, it fails to provide user revocation when the mobile device is lost or stolen. To remedy these flaws, we put forward a robust three-factor authentication protocol, which not only guards various known attacks, but also provides more desired security properties. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic.
Similar content being viewed by others
References
Pawar P, Jones V, Van Beijnum BJF et al (2012) A framework for the comparison of mobile patient monitoring systems. J Biomed Inform 45(3):544–556
Abbas A, Khan SU (2014) A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE J Biomed Health Inform 18(4):1431–1441
Raghupathi W, Raghupathi V (2014) Big data analytics in healthcare: promise and potential. Health Inf Sci Syst 2(1):3
Sun J, Reddy C (2013) Big data analytics for healthcare. In: Proc. \(19{\rm th}\) ACM SIGKDD int’l conf. knowledge discovery and data mining
Xia Z, Wang X, Sun X, Wang Q (2015) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans Parallel Distrib Syst. doi:10.1109/TPDS.2015.2401003
Fu Z, Sun X, Liu Q, Zhou L, Shu J (2015) Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing. IEICE Trans Commun E98-B(1):190–200
Li H, Yang Y, Luan T, Liang X, Zhou L, Shen X (2015) Enabling fine-grained multi-keyword search supporting classified sub-dictionaries over encrypted cloud data. IEEE Trans Dependable Secur Comput. doi:10.1109/TDSC.2015.2406704
Ren Y, Shen J, Zheng Y, Wang J, Chao H-C (2015) Efficient data integrity auditing for storage security in mobile health cloud. Peer-to-Peer Netw Appl. doi:10.1007/s12083-015-0346-y
Ren Y, Shen J, Wang J, Han J, Lee S (2015) Mutual verifiable provable data auditing in public cloud storage. J Internet Technol 16(2):317–323
He D, Zeadally S, Wu L (2015) Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Syst J. doi:10.1109/JSYST.2015.2428620
Li H, Lin X, Yang H, Liang X, Lu R, Shen X (2014) EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid. IEEE Trans Parallel Distrib Syst 25(8):2053–2064
Jiang Q, Ma J, Li G et al (2013) An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wirel Pers Commun 68(4):1477–1491
Guo P, Wang J, Li B, Variable Lee S A (2014) Threshold-value authentication architecture for wireless mesh networks. J Internet Technol 15(6):929–936
Zhao D, Peng H, Li L, Yang Y (2014) A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wirel Pers Commun 78(1):247–269
O’Gorman L (2003) Comparing passwords, tokens, and biometrics for user authentication. Proc IEEE 91(12):2021–2040
Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772
Farash MS, Attari MA (2014) An efficient client-client password-based authentication scheme with provable security. J Supercomput 70(2):1002–1022
Jiang Q, Ma J, Li G et al (2013) An improved password-based remote user authentication protocol without smart cards. Inf Technol Control 42(2):113–123
Chen TY, Lee CC, Hwang MS, Jan JK (2013) Towards secure and efficient user authentication scheme using smart card for multi-server environments. J Supercomput 66(2):1008–1032
Arshad H, Nikooghadam M (2015) Security analysis and improvement of two authentication and key agreement schemes for session initiation protocol. J Supercomput. doi:10.1007/s11227-015-1434-8
Wang D, He D, Wang P, Chu C-H (2015) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secur Comput 12(4):428–442. doi:10.1109/TDSC.2014.2355850
Wang D, Wang N, Wang P, Qing S (2015) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci. doi:10.1016/j.ins.2015.03.070
Lee JK, Ryu SR, Yoo KY (2002) Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 38(12):554–555
Lin CH, Lai YY (2004) A flexible biometrics remote user authentication scheme. Comput Stand Interfaces 27(1):19–23
Ku WC, Chang ST, Chiang MH (2005) Further cryptanalysis of fingerprint-based remote user authentication scheme using smartcards. Electron Lett 41(5):240–241
Khan MK, Zhang JS (2007) Improving the security of ‘a flexible biometrics remote user authentication scheme’. Comput Stand Interfaces 29(1):82–85
Rhee HS, Kwon JO, Lee DH (2009) A remote user authentication scheme without using smart cards. Comput Stand Interfaces 31(1):6–13
Kim HS, Lee SW, Yoo KY (2003) ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Oper Syst Rev 37(4):32–41
Scott M (2004) Cryptanalysis of an ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Oper Syst Rev 38(2):73–75
Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5
Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79
Das AK (2012) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151
An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. J Biomed Biotechnol. doi:10.1155/2012/519723
Chen C, Lee C, Hsu C (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(2):585–97
Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816
Tan Z (2014) A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J Med Syst 38(3):1–9
Yoon EJ, Yoo KY (2013) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63(1):235–255
Fan CI, Lin YH (2009) Provably secure remote truly three factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945
Dodis Y, Reyzin L, Smith (2004) A fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of EUROCRYPT, pp 523–540
Huang X, Xiang Y, Chonka A, Zhou J, Deng RH (2011) A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Trans Parallel Distrib Syst 22(8):1390–1397
Li X, Niu J, Wang Z, Chen C (2013) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497
Li X, Niu JW, Khan MK, Liao JG, Zhao XK (2014) Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Commun Netw. doi:10.1002/sec.961
Mishra D, Kumari S, Khan MK et al (2015) An anonymous biometric—based remote user—authenticated key agreement scheme for multimedia systems. Int J Commun Syst. doi:10.1002/dac.2946
He D, Kumar N, Lee J-H (2014) Enhanced three-factor security protocol for USB consumer storage devices. IEEE Trans Consum Electron 60(1):30–37
He D, Wang D (2015) Robust biometrics-based authentication scheme for multi-server environment. IEEE Syst J 9(3):816–823
Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966
Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client–server networks. Comput Electr Eng. doi:10.1016/j.compeleceng.2015.02.015
Yu J, Wang G, Mu Y, Gao W (2014) An efficient and improved generic framework for three-factor authentication with provably secure instantiation. IEEE Trans Inf Forensics Secur 9(12):2302–2313
Juels A, Sudan M (2002) A fuzzy vault scheme. In: Proceedings of international symposium on information theory (ISIT), p 408
Nagar A, Nandakumar K, Jain A K (2008) Securing fingerprint template: fuzzy vault with minutiae descriptors. In: Proceedings of 19th international conference on pattern recognition, pp 1–4
Mishra D, Mukhopadhyay S, Kumari S, Khan MK, Chaturvedi A (2014) Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J Med Syst 38(5):1–11
Jin ATB, Ling DNC, Goh A (2004) Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognit 37(11):2245–2255
Hankerson D, Menezes A, Vanstone S (2004) Guide to elliptic curve cryptography. In: Lecture notes in computer science. Springer, Berlin
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Proceedings of advances in cryptology (Crypto’99). LNCS, pp 388–397
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Jiang Q, Ma J, Li G, Yang L (2014) An efficient ticket based authentication protocol with unlinkability for wireless access networks. Wirel Pers Commun 77(2):1489–1506
Jiang Q, Ma J, Lu X, Tian Y (2015) An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw Appl 8(6):1070–1081
Mishra D (2015) On the security flaws in id-based password authentication schemes for telecare medical information systems. J Med Syst 39(1):1–16
Mishra D (2015) Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems. J Med Syst 39(3):1–8
Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36
Acknowledgments
This work is supported by National Natural Science Foundation of China (Program Nos. 61202389, U1405255, U1135002, 61572379, 61372075, 61472310), National High Technology Research and Development Program (863 Program) (Program No. 2015AA011704), Fundamental Research Funds for the Central Universities (Program No. JB140302), Natural Science Foundation of Hubei Province of China under Grant 2015CFB257, the PAPD fund, and Collaborative Innovation Center of Atmospheric Environment and Equipment Technology (CICAEET). Sincere appreciations are also extended to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Jiang, Q., Khan, M.K., Lu, X. et al. A privacy preserving three-factor authentication protocol for e-Health clouds. J Supercomput 72, 3826–3849 (2016). https://doi.org/10.1007/s11227-015-1610-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11227-015-1610-x