Cryptanalysis and security enhancement of Zhu's authentication scheme for Telecare medicine information system

The concept of Telecare medicine information systems (TMISs) has evolved to provide better health care to the masses, so controlling access to the privileged services provided by a TMIS is a crucial concern. Recently, Zhu proposed an authentication scheme for TMIS, which he claimed to be more suitable for TMIS environments than the scheme of Wei et al., especially regarding resistance to offline password guessing attacks. However, this paper shows that Zhu's scheme still suffers from an offline password guessing attack. We also show how an attacker can impersonate a legal user merely by intercepting a login request, and how a legal user (patient) may often become a victim of denial of service in crucial TMIS applications. We further show its vulnerability to online password guessing and smart card loss attacks. To remedy these weaknesses in Zhu's scheme, we propose an improved scheme with session key establishment and user anonymity. Moreover, this improvement is achieved without adding any complex operation; even the communication cost of the proposed scheme is lower than that of Zhu's scheme. Analysis shows the robustness as well as the simplicity of the proposed scheme. Copyright © 2014 John Wiley & Sons, Ltd.
