A Secure and Robust Password-Based Remote User Authentication Scheme Using Smart Cards for the Integrated EPR Information System

An integrated EPR (Electronic Patient Record) information system of all the patients provides the medical institutions and the academia with most of the patients’ information in details for them to make corrective decisions and clinical decisions in order to maintain and analyze patients’ health. In such system, the illegal access must be restricted and the information from theft during transmission over the insecure Internet must be prevented. Lee et al. proposed an efficient password-based remote user authentication scheme using smart card for the integrated EPR information system. Their scheme is very efficient due to usage of one-way hash function and bitwise exclusive-or (XOR) operations. However, in this paper, we show that though their scheme is very efficient, their scheme has three security weaknesses such as (1) it has design flaws in password change phase, (2) it fails to protect privileged insider attack and (3) it lacks the formal security verification. We also find that another recently proposed Wen’s scheme has the same security drawbacks as in Lee at al.’s scheme. In order to remedy these security weaknesses found in Lee et al.’s scheme and Wen’s scheme, we propose a secure and efficient password-based remote user authentication scheme using smart cards for the integrated EPR information system. We show that our scheme is also efficient as compared to Lee et al.’s scheme and Wen’s scheme as our scheme only uses one-way hash function and bitwise exclusive-or (XOR) operations. Through the security analysis, we show that our scheme is secure against possible known attacks. Furthermore, we simulate our scheme for the formal security verification using the widely-accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tool and show that our scheme is secure against passive and active attacks.

[1]  Stéphane Manuel,et al.  Classification and generation of disturbance vectors for collision attacks against SHA-1 , 2011, Des. Codes Cryptogr..

[2]  William Stallings,et al.  Cryptography and Network Security: Principles and Practice , 1998 .

[3]  Ashok Kumar Das,et al.  An effective ECC-based user access control scheme with attribute-based encryption for wireless sensor networks , 2015, Secur. Commun. Networks.

[4]  Ashok Kumar Das,et al.  A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks , 2016, Peer-to-Peer Netw. Appl..

[5]  Muhammad Khurram Khan,et al.  Security Enhancement of a Biometric based Authentication Scheme for Telecare Medicine Information Systems with Nonce , 2014, Journal of Medical Systems.

[6]  Ashok Kumar Das,et al.  A Novel Efficient Access Control Scheme for Large-Scale Distributed Wireless Sensor Networks , 2013, Int. J. Found. Comput. Sci..

[7]  Tsung-Hung Lin,et al.  A Secure and Efficient Password-Based User Authentication Scheme Using Smart Cards for the Integrated EPR Information System , 2013, Journal of Medical Systems.

[8]  Sourav Mukhopadhyay,et al.  A secure and efficient ECC-based user anonymity-preserving session initiation authentication protocol using smart card , 2014, Peer-to-Peer Networking and Applications.

[9]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[10]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[11]  Sebastian Mödersheim,et al.  OFMC: A Symbolic Model-Checker for Security Protocols , 2004 .

[12]  Sagar Patil,et al.  A novel proxy signature scheme based on user hierarchical access control policy , 2013, J. King Saud Univ. Comput. Inf. Sci..

[13]  Ashok Kumar Das A random key establishment scheme for multi-phase deployment in large-scale distributed sensor networks , 2012, International Journal of Information Security.

[14]  Fengtong Wen A More Secure Anonymous User Authentication Scheme for the Integrated EPR Information System , 2014, Journal of Medical Systems.

[15]  Yu-Fang Chung,et al.  A Password-Based User Authentication Scheme for the Integrated EPR Information System , 2012, Journal of Medical Systems.

[16]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[17]  Ashok Kumar Das,et al.  An Improved and Effective Secure Password-Based Authentication and Key Agreement Scheme Using Smart Cards for the Telecare Medicine Information System , 2013, Journal of Medical Systems.

[18]  William Stallings,et al.  Cryptography and network security - principles and practice (3. ed.) , 2014 .

[19]  Ashok Kumar Das,et al.  A Secure and Efficient Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care , 2013, Journal of Medical Systems.

[20]  Fengtong Wen,et al.  A Robust Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care , 2013, Journal of Medical Systems.

[21]  Ashok Kumar Das,et al.  A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications , 2013 .

[22]  Dheerendra Mishra On the Security Flaws in ID-based Password Authentication Schemes for Telecare Medical Information Systems , 2014, Journal of Medical Systems.

[23]  Ashok Kumar Das,et al.  Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards , 2011, IET Inf. Secur..

[24]  Palash Sarkar,et al.  A Simple and Generic Construction of Authenticated Encryption with Associated Data , 2010, TSEC.

[25]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[26]  Manik Lal Das,et al.  Two-factor user authentication in wireless sensor networks , 2009, IEEE Transactions on Wireless Communications.

[27]  Douglas R. Stinson,et al.  Some Observations on the Theory of Cryptographic Hash Functions , 2006, Des. Codes Cryptogr..

[28]  Willi Meier,et al.  Quark: A Lightweight Hash , 2010, Journal of Cryptology.

[29]  Ya-Fen Chang,et al.  A Uniqueness-and-Anonymity-Preserving Remote User Authentication Scheme for Connected Health Care , 2013, Journal of Medical Systems.

[30]  Sourav Mukhopadhyay,et al.  A Secure and Efficient Chaotic Map-Based Authenticated Key Agreement Scheme for Telecare Medicine Information Systems , 2014, Journal of Medical Systems.