Journal of King Saud University - Computer and Information Sciences (2015) xxx, xxx-xxx
An enhanced dynamic ID-based authentication scheme for telecare medical information systems
Ankita Chaturvedi, Dheerendra Mishra *, Sourav Mukhopadhyay
Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur 721302, India
Received 25 August 2014; revised 24 October 2014; accepted 9 December 2014
Keywords: Telemedicine; Password based authentication; Smart card; Security; Privacy
Abstract: The authentication schemes for telecare medical information systems (TMIS) try to ensure secure and authorized access. ID-based authentication schemes address secure communication, but they do not properly address privacy. In recent times, dynamic ID-based remote user authentication schemes for TMIS have been presented to protect the user's privacy, and they do so efficiently. Unfortunately, most of the existing dynamic ID-based authentication schemes for TMIS ignore the input verifying condition, which makes their login and password change phases inefficient. An inefficient password change phase may lead to a denial of service attack when incorrect input is given in the password change phase. To overcome these weaknesses, we propose a new dynamic ID-based authentication scheme using a smart card. The proposed scheme quickly detects incorrect inputs, which makes the login and password change phases efficient. We adopt this approach with the aim of protecting privacy while providing efficient login and password change phases. The proposed scheme also resists off-line password guessing attack and denial of service attack. We demonstrate the validity of the proposed scheme using the widely accepted BAN (Burrows, Abadi, and Needham) logic. In addition, our scheme is comparable in terms of communication and computational overheads with relevant schemes for TMIS.
© 2015 The Authors. Production and hosting by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
1. Introduction
The omnipresence and easy access of the Internet provides a scalable platform for healthcare services. One of the popular healthcare services is telecare medical information systems (TMIS), which support healthcare delivery services to patients' homes. As we move from paper based health records to electronic health records, TMIS offers remote users easy access to electronic records. TMIS is making a difference by employing information and communication technologies to enhance the quality of healthcare related services in the management of chronic diseases.
* Corresponding author. E-mail address: dheerendra@maths.iitkgp.ernet.in (D. Mishra). Peer review under responsibility of King Saud University.
http://dx.doi.org/10.1016/j.jksuci.2014.12.007
Increasing computation power has made the adversary powerful enough to control communications over the public network (Aloul et al., 2009a; Mishra et al., 2014a; Alfantookh, 2006). Thus, TMIS must ensure that communication is authorized. To reduce the adversary threat, smart card based authentication schemes are designed and developed (Aloul et al., 2009b; Mishra et al., 2014b; Al-Muhtadi, 2007), whose goal is to achieve the following attributes:
- One time registration: The patient registers once with the medical server and can then access the services any number of times.
- Efficient login phase: The login phase should be capable of detecting incorrect login inputs. In other words, the smart card should not execute the login session in the case of a wrong identity or password input.
- Efficient password change phase: The scheme should be able to quickly detect incorrect inputs in the password change phase.
- User-friendly password change phase: A patient should be able to change his password freely, without the medical server's assistance.
- Mutual authentication and session key agreement: A patient and the medical server mutually authenticate each other and establish a common key, which should be constructed with equal participation of both the user and the server.
- Security attributes: The smart card based authentication scheme must be able to withstand man-in-the-middle attack, impersonation attack, guessing attack, insider attack, replay attack, stolen smart card attack and known session-specific temporary information attack. Moreover, the scheme should support session key agreement, the key freshness property, mutual authentication and forward secrecy.
Wu et al. (2012) introduced an efficient authentication scheme for TMIS, which improves on previously proposed schemes for low computing devices by adding a pre-computing phase. In the pre-computing phase, the user performs an exponential operation and stores the calculated values in the storage device, so that the user can extract these values from the device whenever required. However, He et al. (2012) demonstrated that Wu et al.'s scheme fails to resist an impersonation attack. They also introduced an enhanced scheme and claimed that it eliminates the drawbacks of Wu et al.'s scheme and is more appropriate for low power mobile devices in TMIS. However, Wei et al. (2012) identified that both Wu et al.'s and He et al.'s schemes fail to achieve two-factor authentication, whereas an efficient password based authentication scheme using a smart card should achieve two-factor authentication. They also presented an improved smart card based authentication scheme for TMIS to ensure two-factor authentication. In 2012, Zhu (2012) demonstrated that Wei et al.'s scheme is vulnerable to off-line password guessing attack. He also presented an improved scheme for TMIS and claimed that his scheme overcomes the weaknesses of Wei et al.'s scheme. However, his scheme does not protect anonymity, which enables an adversary to track the consumer's current location and login history (Mishra and Mukhopadhyay, 2014). A consumer's anonymity during message exchange ensures the consumer's privacy by preventing an attacker from acquiring the consumer's sensitive personal information.
Chen et al. (2012) proposed a dynamic ID-based authentication scheme for TMIS which protects user anonymity and has less computation overhead. However, in 2013, Lin (2013) demonstrated that in Chen et al.'s scheme the user identity is compromised under the dictionary attack and the password can be derived with a stolen smart card. He also proposed an improved scheme which efficiently resists dictionary attack and protects anonymity. Unfortunately, Lin's scheme does not include the input verifying condition, which makes its login and password change phases inefficient. The inefficiency of the login phase causes extra communication and computation overhead. The inefficient password change phase in Lin's scheme causes a denial of service (DOS) attack in the case of incorrect input in the password change (Mishra, 2015b). The DOS attack does not allow an authorized user to access the resources (Alfantookh, 2006). Xie et al. (2013) showed that Chen et al.'s scheme is vulnerable to an impersonation attack and an off-line password guessing attack using a stolen smart card. Additionally, they presented an improved scheme for TMIS to overcome the weaknesses of Chen et al.'s scheme. However, Xie et al.'s scheme also fails to present an efficient login and password change phase (Mishra, 2015b). Cao and Zhai (2013) demonstrated that Chen et al.'s scheme is vulnerable to an off-line identity guessing attack and an undetectable on-line password guessing attack using a stolen smart card. They also proposed an improved authentication scheme to resist guessing attacks. Their scheme efficiently protects anonymity and resists password guessing attack, but it does not present an efficient login phase and has an unfriendly password change phase (Mishra, 2015b).
The smart card cannot identify the correctness of the input in the above discussed schemes (Lin, 2013; Wei et al., 2012; Xie et al., 2013; Zhu, 2012; Xu et al., 2014; Lee et al., 2013; Jiang et al., 2014), which either causes a DOS attack or makes the password change phase unfriendly. The schemes (Lin, 2013; Wei et al., 2012; Xie et al., 2013; Zhu, 2012; Xu et al., 2014; Lee et al., 2013; Jiang et al., 2014) present an inefficient password change phase (Mishra, 2015b; Mishra, 2015a), and the schemes (Cao and Zhai, 2013; Jiang et al., 2013; Wu and Xu, 2013) have an unfriendly password change phase, as every time before changing the password the user has to establish an authorized session with the server; that is, the user cannot independently change his/her password in these schemes. A more detailed characterization of the security attributes of the schemes (Wei et al., 2012; Zhu, 2012; Lee et al., 2013; Chen et al., 2012; Cao and Zhai, 2013; Xie et al., 2013; Lin, 2013; Xu et al., 2014) is presented in Table 1.
Motivation: Many of the schemes (Lin, 2013; Wei et al., 2012; Xie et al., 2013; Zhu, 2012; Xu et al., 2014; Lee et al., 2013) cannot identify the correctness of the input, which leads to a denial of service scenario in the case of incorrect input in the password change phase (Mishra, 2015a,b). A single mistake in the password change phase prevents the user from logging in to the server with the same smart card. In other words, an authorized user can never use the smart card to login to the server if he/she commits a mistake in the password change. This is a serious security pitfall, as users may themselves cause a denial of service. In general, a user cannot be considered an expert who never commits a mistake; it is always possible that a human sometimes forgets the password or commits a mistake while entering it. Moreover, a user may have several accounts and may use different passwords for different accounts; in that case it is also possible to use one account's password for another account by mistake. Thus, a mistake in the password change phase should not result in a denial of service. In order to overcome this drawback, efficient authentication schemes should be able to quickly detect incorrect inputs so that the denial of service scenario can be avoided for authorized users.
Table 1 Security attributes comparison of some recent password based authentication schemes for TMIS (P: achieved/resisted; X: not achieved/not resisted; -: not applicable).
| Security attribute | Wei et al. (2012) | Zhu (2012) | Lee et al. (2013) | Chen et al. (2012) | Cao and Zhai (2013) | Xie et al. (2013) | Lin (2013) | Xu et al. (2014) |
|---|---|---|---|---|---|---|---|---|
| User anonymity | X | X | P | P | P | P | P | P |
| Insider attack | P | P | P | P | P | P | P | P |
| Off-line password guessing attack | X | P | P | X | P | P | P | P |
| Replay attack | P | P | P | P | X | P | P | P |
| Session key agreement | P | X | P | P | P | P | P | P |
| Session key verification | P | - | P | X | P | X | X | P |
| Efficient password change | X | X | X | P | P | X | X | X |
| Denial of service attack | X | X | X | P | P | X | X | X |
| User-friendly password change phase | X | X | X | P | X | P | P | P |
| Efficient login | X | X | X | P | X | X | X | X |
Our contributions: In this article, we propose an improved scheme with the aim to achieve an efficient login phase and password change phase. The proposed scheme protects the user's privacy and resists guessing attack. Moreover, we demonstrate the validity of the proposed scheme through the BAN (Burrows, Abadi, and Needham) logic.
Organization of the article: The rest of the article is organized as follows. The proposed password based authentication scheme for TMIS is presented in Section 2. Section 3 presents the security analysis. Section 4 discusses the comparative performance of the proposed scheme. Finally, the conclusion is drawn in Section 5.
2. Proposed password based authentication scheme
In this section, we propose an improved scheme to ensure efficient authorized communication. The proposed scheme is designed with the aim of providing an anonymous and efficient authentication phase. In this scheme, a new user first completes his registration with the server and obtains a personalized smart card. Then, the registered user can establish an authorized session with the server. The scheme comprises four phases, namely registration, login, authentication and password change. The notations used in the proposed scheme are given in Table 2.
2.1. Registration phase
The server S generates two large 512-bit primes p and q and computes the 1024-bit modulus N = pq. S also chooses a prime number e and an integer d such that ed = 1 mod (p − 1)(q − 1). S keeps p, q and d secret, and makes N and e public. Then a new user U can register with the server and obtain a personalized smart card as follows:
Step 1. User U chooses a password PW_U of his choice and a random number b. U computes W = h(PW_U||b) and submits the registration request with the message (ID_U, W) to S via a secure channel.
Step 2. Upon receiving U's request, S verifies whether ID_U is already registered. If ID_U is already registered, S asks for a new identity. Otherwise, S computes H = h(d ⊕ ID_U) and v = W ⊕ H. Then S personalizes the smart card SC by embedding the parameters {N, v, e, h(·)} and returns SC to U via a secure channel. S stores ID_U in the registered users' database.
Step 3. U computes H = v ⊕ W, A = b ⊕ h(ID_U||PW_U) and B = h(b||H||h(ID_U||PW_U)). Then U stores A and B in the smart card (see Fig. 1).
2.2. Login phase
A registered user with a valid smart card generates the login message and sends it to the server as follows:
Table 2 Meaning of symbols used throughout the paper.
| Notation | Description |
|---|---|
| S | A trustworthy server |
| p, q | Two large primes |
| N | Product of p and q |
| Z_N | Ring of integers modulo N |
| e | Public key of S |
| d | Private/secret key of S |
| E | Adversary/attacker |
| SC | Smart card |
| U | User/patient |
| ID_U | Identity of U |
| PW_U | Password of U |
| h(·) | A collision resistant one-way hash function |
| ⊕ | XOR |
| \|\| | String concatenation operation |
| ΔT | Valid time delay in message transmission |
Step 1. User U inserts his smart card SC into the card reader and inputs ID_U and PW_U.
Step 2. SC computes b = A ⊕ h(ID_U||PW_U), W = h(PW_U||b) and H = v ⊕ W. SC verifies B = h(b||H||h(ID_U||PW_U)). If the verification does not hold, SC terminates the session. Otherwise, SC selects a random number r_u and computes R = h(ID_U||r_u||H||T_u) and X = (ID_U||r_u||R)^e mod N, where T_u is the current timestamp. SC sends the message (X, T_u) to S (see Fig. 2).
2.3. Authentication phase
User and server mutually authenticate each other and establish a session key as follows:
Step 1. Upon receiving the message (X, T_u) at time T'_u, S verifies T'_u − T_u ≤ ΔT. If the verification holds, S computes X^d mod N = (ID_U||r_u||R) and H = h(d ⊕ ID_U). S verifies R = h(ID_U||r_u||H||T_u). If the verification holds, S considers U an authorized user.
Step 2. S computes the session key sk_SU = h(H ⊕ r_u ⊕ T_u ⊕ T_s) and Y = h(ID_U||sk_SU||H), where T_s is the current timestamp. Finally, S responds with the message (Y, T_s).
Step 3. Upon receiving the responder's message (Y, T_s) at time T'_s, SC checks whether the condition (T'_s − T_s) ≤ ΔT holds. If the condition holds, SC computes the session key sk_US = h(H ⊕ r_u ⊕ T_u ⊕ T_s). Then SC verifies Y = h(ID_U||sk_US||H). If the verification holds, U accepts sk_US as the session key and S as an authorized server (see Fig. 3).
2.4. Password change phase
A legal user U can change the password of the smart card without the server's assistance. To change the password, he inserts the smart card into the card reader and inputs the current password and identity. The smart card verifies the correctness of the current password and identity. If the verification holds, the smart card asks for a new password and then completes the password update. The password change phase is described as follows:
Step 1. User U inputs PW_U and ID_U.
Step 2. The smart card SC computes h(ID_U||PW_U) and obtains b = A ⊕ h(ID_U||PW_U), W = h(PW_U||b) and H = v ⊕ W. SC verifies B = h(b||H||h(ID_U||PW_U)). If the verification does not hold, SC terminates the session. Otherwise, SC asks for a new password.
Step 3. User U enters the new password PW_new. SC computes W_new = h(PW_new||b), v_new = H ⊕ W_new, A_new = b ⊕ h(ID_U||PW_new) and B_new = h(b||H||h(ID_U||PW_new)). SC replaces A with A_new, B with B_new, and v with v_new (see Fig. 4).
3. Security analysis
In this section, we show how the proposed scheme satisfies the desirable security attributes.
3.1. Authentication proof based on BAN logic
Some notations used in the BAN logic analysis are described as follows:
P |≡ X: The principal P believes the statement X.
P ◁ X: P sees X, meaning that P has received a message containing X.
P |∼ X: P once said X, meaning that P believed X when P sent it.
P ⇒ X: P controls X, i.e. P has authority (jurisdiction) over X.
#(X): The message X is fresh.
P ←K→ Q: P and Q use the shared key K to communicate with each other.
P ⇌x Q: x is secret information shared between P and Q.
{X}_K: The formula X is encrypted under K.
⟨X⟩_Y: The formula X is combined with formula Y.
(X)_K: The formula X is hashed with the key K.
↦K P: K is the public key of P.
P ⇌X Q: X is a secret formula, known only to P and Q.
In order to describe the logical postulates of BAN logic in formal terms (Burrows et al., 1989; Syverson and Cervesato, 2001), we present the following rules:
Rule (1). Message meaning rule, for shared secret keys:
(P |≡ Q ←K→ P, P ◁ {X}_K) / (P |≡ Q |∼ X)
If P believes that K is shared with Q and sees X encrypted under K, then P believes that Q once said X.
Rule (2). The nonce verification rule:
(P |≡ #(X), P |≡ Q |∼ X) / (P |≡ Q |≡ X)
If P believes that X has been uttered recently (freshness) and P believes that Q once said X, then P believes that Q believes X.
Rule (3). The jurisdiction rule:
(P |≡ Q ⇒ X, P |≡ Q |≡ X) / (P |≡ X)
If P believes that Q has jurisdiction over X, and P believes that Q believes a message X, then P believes X.
Rule (4). The freshness rule:
(P |≡ #(X)) / (P |≡ #(X, Y))
If one part is known to be fresh, then the entire formula must be fresh.
Figure 1 Registration phase: a new user U registers with his identity ID_U and obtains a personalized smart card with stored parameters {N, v, e, h(·)}. U also stores A and B in the smart card.
Figure 2 Login phase: a user U generates a login message (X, T_u) using the smart card and sends it to the server S over the public channel.
Figure 3 Authentication phase: user and server verify the authenticity of each other and derive a session key.
Figure 4 Password change phase: a user changes the password of the smart card without server assistance.
According to the analytic procedures of the BAN logic, the proposed protocol should satisfy the following goals:
Goal 1. U |≡ (U ←sk→ S);
Goal 2. S |≡ (U ←sk→ S);
The generic form of the protocol:
Message 1. U → S : (ID_U||r_u||h(ID_U||r_u||H||T_u))^e mod N, T_u
Message 2. S → U : h(ID_U||sk||H), T_s
The idealized form of the protocol:
Message 1. U → S : {ID_U, r_u, (ID_U, r_u, T_u)_H}_e, T_u
Message 2. S → U : (ID_U, U ←sk→ S)_H, T_s
We make the following assumptions about the initial state of the protocol in order to analyze it:
A1 U |≡
A2 S |≡ #(r_u);
A3 U |≡ (U ←H→ S);
A4 S |≡ (U ←H→ S);
A5 U |≡ S |≡ (U ←H→ S);
A6 S |≡ U |≡ (U ←H→ S);
We analyze the idealized form of the proposed protocol based on the BAN logic rules and the assumptions. The main proofs are described as follows:
According to Message 1, we get:
S1: S ◁ (ID_U, r_u, T_u)_H, T_u
According to assumption A4, we apply the message meaning rule to get:
S2: S |≡ U |∼ T_u
According to assumption A1, we apply the freshness conjuncatenation rule to get:
S3: S |≡ #(ID_U, r_u, T_u)_H
According to S2 and S3, we apply the nonce verification rule to obtain:
S4: S |≡ U |≡ (ID_U, r_u, T_u)_H
According to assumption A4 and S4, we apply the jurisdiction rule to get:
S5: S |≡ T_u
According to sk = h(H ⊕ r_u ⊕ T_u ⊕ T_s), S5 and A2, we obtain:
S6: S |≡ (U ←sk→ S) (Goal 2)
According to Message 2, we obtain:
S7: U ◁ (ID_U, U ←sk→ S)_H, T_s
According to assumption A3, we apply the message meaning rule to get:
S8: U |≡ S |∼ T_s
According to assumption A2, we apply the freshness conjuncatenation rule to get:
S9: U |≡ #(ID_U, U ←sk→ S)_H
According to S8 and S9, we apply the nonce verification rule to obtain:
S10: U |≡ S |≡ (ID_U, U ←sk→ S)_H
According to assumption A3 and S10, we apply the jurisdiction rule to get:
S11: U |≡ T_s
According to sk = h(H ⊕ r_u ⊕ T_u ⊕ T_s), S11 and A1, we obtain:
U |≡ (U ←sk→ S) (Goal 1)
3.2. Discussion on the possible attacks
3.2.1. User anonymity and unlinkability
The login message (X, T_u) is encrypted with the server's public key and includes the user's identity along with the random value r_u, i.e., X = (ID_U||r_u||R)^e mod N. As X is encrypted with the server's public key, no adversary can retrieve ID_U from X. Moreover, the smart card does not store the user's identity. Therefore, an adversary cannot identify the message source. The timestamp T_u is distinct for each session, which ensures a distinct login message for each session. Thus an adversary cannot link any two login messages. Unlinkability and anonymity make the communication completely private.
3.2.2. Insider attack
A malicious insider in the server's system may try to obtain the user's password. However, the user does not submit the password PW_U in its original form; the user submits h(PW_U||b) instead of PW_U to the server. Therefore, a malicious insider cannot learn the user's password PW_U, as the hash function h(·) cannot be inverted. Moreover, an insider cannot perform a password guessing attack, as the user does not submit b to S.
3.2.3. Efficient login phase
The smart card SC can identify the correctness of the input in the following cases:
Case-1 A user inputs an incorrect password PW*_U with the correct identity ID_U. The smart card SC computes h(ID_U||PW*_U) and obtains b* = A ⊕ h(ID_U||PW*_U), W* = h(PW*_U||b*) and H* = v ⊕ W*. SC then computes B* = h(b*||H*||h(ID_U||PW*_U)) and verifies B = B*. The verification does not hold as B ≠ B*. Therefore, SC terminates the session.
Case-2 A user inputs an incorrect identity ID*_U with the correct password PW_U. The smart card SC computes h(ID*_U||PW_U) and obtains b'* = A ⊕ h(ID*_U||PW_U), W'* = h(PW_U||b'*) and H'* = v ⊕ W'*. SC then computes B'* = h(b'*||H'*||h(ID*_U||PW_U)) and verifies B = B'*. The verification does not hold as B ≠ B'*. Therefore, SC terminates the session.
Case-3 A user inputs an incorrect identity ID*_U and an incorrect password PW*_U. The smart card SC computes h(ID*_U||PW*_U) and obtains b''* = A ⊕ h(ID*_U||PW*_U), W''* = h(PW*_U||b''*) and H''* = v ⊕ W''*. SC then computes B''* = h(b''*||H''*||h(ID*_U||PW*_U)) and verifies B = B''*. The verification does not hold as B ≠ B''*. Therefore, SC terminates the session.
In all the cases, the smart card efficiently detects the incorrect input and terminates the session. This shows that the proposed scheme has an efficient login phase.
3.2.4. User-friendly and efficient password change phase
The user can change his password without the server's assistance. Moreover, the smart card verifies the correctness of the inputs using the condition B = h(b||H||h(ID_U||PW_U)), which includes the identity and the password and is the same check as in the login phase. As the login phase efficiently verifies the correctness of the input, the password change phase detects incorrect input just as efficiently.
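The following is an added example (written for this edit, not the authors' code) that models the registration, login, authentication and password change phases of Section 2 in Python, so that the three incorrect-input cases above and the server-free password change can be exercised end to end. It assumes SHA-256 as h(·), fixed-width fields so that S can split ID_U||r_u||R after decryption, zero-padded XOR of unequal-length values, a 5 s ΔT, and two Mersenne primes as a toy RSA modulus in place of the scheme's random 512-bit primes.

```python
import hashlib
import secrets
import time

ID_LEN, RU_LEN, HASH_LEN = 16, 32, 32  # fixed field widths (our choice) so S can split ID_U || r_u || R
DELTA_T = 5  # Delta T: acceptable transmission delay, in seconds
# Toy RSA factors (Mersenne primes 2^521-1, 2^607-1): NOT a real key, S must use random 512-bit primes.
P, Q = (1 << 521) - 1, (1 << 607) - 1

def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation stands in for h(.)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; the shorter operand is zero-padded on the left."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.rjust(n, b"\0"), b.rjust(n, b"\0")))

def i2b(x: int) -> bytes:
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

class Server:  # S keeps (p, q, d) secret, publishes (N, e) and stores registered identities
    def __init__(self, p: int = P, q: int = Q):
        self.N, self.e = p * q, 65537
        self.d = pow(self.e, -1, (p - 1) * (q - 1))  # e*d = 1 mod (p-1)(q-1)
        self.registered = set()

    def _H(self, ID: bytes) -> bytes:
        return h(xor(i2b(self.d), ID))  # H = h(d xor ID_U): the user's long-term key

    def register(self, ID: bytes, W: bytes):
        """Registration step 2: refuse a reused identity, else issue card parameters {N, v, e}."""
        if ID in self.registered:
            raise ValueError("identity already registered; choose a new one")
        self.registered.add(ID)
        return self.N, xor(W, self._H(ID)), self.e  # v = W xor H

    def authenticate(self, X: int, Tu: int, now: int = None):
        """Authentication steps 1-2: returns (Y, T_s), or None when the login message is rejected."""
        now = int(time.time()) if now is None else now
        if abs(now - Tu) > DELTA_T:
            return None  # stale or replayed timestamp
        try:  # X^d mod N = ID_U || r_u || R; anything that does not fit the layout is rejected
            M = pow(X, self.d, self.N).to_bytes(ID_LEN + RU_LEN + HASH_LEN, "big")
        except OverflowError:
            return None
        ID, ru, R = M[:ID_LEN], M[ID_LEN:ID_LEN + RU_LEN], M[ID_LEN + RU_LEN:]
        H = self._H(ID)
        if ID not in self.registered or R != h(ID, ru, H, i2b(Tu)):
            return None
        sk = h(xor(xor(H, ru), xor(i2b(Tu), i2b(now))))  # sk_SU = h(H xor r_u xor T_u xor T_s)
        return h(ID, sk, H), now  # (Y, T_s) with Y = h(ID_U || sk_SU || H)

class SmartCard:  # SC holds {N, v, e} from S plus A, B written by the user in registration step 3
    def __init__(self, N: int, v: bytes, e: int, A: bytes, B: bytes):
        self.N, self.v, self.e, self.A, self.B = N, v, e, A, B
        self.state = None  # (ID_U, H, r_u, T_u) kept between login and the server's reply

    def _check(self, ID: bytes, PW: bytes):
        """Input-verifying condition of login and password change: B == h(b || H || h(ID_U || PW_U))."""
        b = xor(self.A, h(ID, PW))  # b = A xor h(ID_U || PW_U)
        H = xor(self.v, h(PW, b))  # W = h(PW_U || b); H = v xor W
        return (b, H) if self.B == h(b, H, h(ID, PW)) else None

    def login(self, ID: bytes, PW: bytes):
        """Login phase: (X, T_u), or None on a wrong ID/PW without any server round trip."""
        ok = self._check(ID, PW)
        if ok is None:
            return None
        H, ru, Tu = ok[1], secrets.token_bytes(RU_LEN), int(time.time())
        R = h(ID, ru, H, i2b(Tu))
        self.state = (ID, H, ru, Tu)
        return pow(int.from_bytes(ID + ru + R, "big"), self.e, self.N), Tu

    def verify_server(self, Y: bytes, Ts: int):
        """Authentication step 3: check T_s freshness and Y, then return sk_US."""
        ID, H, ru, Tu = self.state
        if abs(int(time.time()) - Ts) > DELTA_T:
            return None
        sk = h(xor(xor(H, ru), xor(i2b(Tu), i2b(Ts))))
        return sk if Y == h(ID, sk, H) else None

    def change_password(self, ID: bytes, PW: bytes, PW_new: bytes) -> bool:
        """Password change without S; a wrong ID/PW leaves the card untouched (no self-inflicted DoS)."""
        ok = self._check(ID, PW)
        if ok is None:
            return False
        b, H = ok
        self.v, self.A = xor(H, h(PW_new, b)), xor(b, h(ID, PW_new))
        self.B = h(b, H, h(ID, PW_new))
        return True

def register(server: Server, ID: bytes, PW: bytes) -> SmartCard:
    """Registration steps 1 and 3 on the user's side; ID_U is a fixed ID_LEN-byte field."""
    b = secrets.token_bytes(HASH_LEN)
    W = h(PW, b)
    N, v, e = server.register(ID, W)
    H = xor(v, W)
    return SmartCard(N, v, e, xor(b, h(ID, PW)), h(b, H, h(ID, PW)))
```

A login with a wrong identity or password returns None before any message is built, and a failed password change leaves v, A and B unchanged; a replay outside ΔT, a tampered X and a forged Y are each rejected by the receiving side.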
3.2.5. Stolen smart card attack
An adversary can retrieve the parameters (N, v, e, A, B) from a stolen smart card and try to generate a valid login message using them. However, constructing a valid login message (X, T_u) is equivalent to obtaining the user's long-term key H along with the identity ID_U, as R = h(ID_U||r_u||H||T_u). As H is protected by the password PW_U, an adversary cannot use the stolen smart card to generate a valid login message.
3.2.6. Off-line password guessing attack
For a password guessing attack to succeed, verification of the guessed password is necessary. The password is associated with the following values: v = h(PW_U||b) ⊕ h(d ⊕ ID_U), A = b ⊕ h(ID_U||PW_U) and B = h(b||H||h(ID_U||PW_U)). To verify the password using the expression B = h(b||H||h(ID_U||PW_U)), an adversary needs b and H. However, H cannot be obtained without knowing b, as H = v ⊕ h(PW_U||b). Since b = A ⊕ h(ID_U||PW_U), retrieving b requires the user identity ID_U. Neither the smart card nor the transmitted message includes the user's identity. This shows that the proposed scheme resists the password guessing attack.
3.2.7. Replay attack
A replay attack is the most common attack on an authentication process, and the common countermeasures are timestamps and random numbers. In the proposed scheme, the transmitted login message (X, T_u) includes a timestamp. Moreover, to modify the message into (X' = (ID_U||r_u||R')^e mod N, T_E) using the current timestamp T_E, an adversary has to compute R' = h(ID_U||r_u||H||T_E). The computation of R' requires H along with ID_U. Since H and ID_U are secret, an adversary cannot replay previously transmitted messages.
3.2.8. User impersonation attack
An adversary E can masquerade as a legitimate user to login to the server. However, the proposed scheme can resist this attack as follows:
E can try to login to the server using a replay attack; however, the proposed scheme resists the replay attack. E can try to generate a valid login message (X', T_E) for a random value r_E and the current timestamp T_E, where X' = (ID_U||r_E||R')^e mod N. To compute X', E has to compute R'. However, no unauthorized user can compute R', due to the following facts:
- To compute R', the user's secret key H and identity ID_U are needed, as R' = h(ID_U||r_E||H||T_E).
- Neither the smart card nor the transmitted messages include ID_U. Thus, an adversary cannot obtain ID_U.
- To retrieve H from v, the password is needed. Since the password is known only to the user, an adversary cannot obtain H.
This shows that the proposed scheme resists user impersonation attack.
3.2.9. Server impersonation attack
An adversary E can masquerade as the server and try to respond with a valid message to the user. When the user U sends the login message (X, T_u) to the server, E can intercept the message and try to respond with a valid message. However, an adversary cannot successfully impersonate the server, which is justified as follows:
- E can try to respond with an old transmitted message (Y, T_s) to a user. However, the timestamp mechanism reveals the replay of the message. Moreover, to replace T_s with the current timestamp T_E, E has to compute Y' = h(ID_U||sk_SU||H), where sk_SU = h(H ⊕ r_u ⊕ T_u ⊕ T_S) includes the timestamp. To compute sk_SU, H and r_u are needed.
- E can try to respond with the message (Y_E, T_E), where Y_E = h(ID_U||sk_EU||H) and sk_EU = h(H ⊕ r_E ⊕ T_u ⊕ T_s) for a random value r_E and the current timestamp T_E. To compute sk_EU, E needs H.
- To retrieve H from v, the password is needed. Since the password is known only to the user, an adversary cannot obtain H.
This shows that the proposed scheme resists server impersonation attack.
3.2.10. Man-in-the middle attack
An adversary E may try to establish independent connections with the server and the user. Since the user's message is encrypted with the server's public key, an adversary cannot modify the user's message. Moreover, the server's response message does not include any session value. This shows that the proposed scheme resists man-in-the-middle attack.
3.2.11. Known key secrecy
An adversary cannot obtain or guess any secret from a compromised session key, as the session key is the hashed output of the user's long-term key along with a random value and timestamps, i.e., sk = h(H ⊕ r_u ⊕ T_u ⊕ T_s). Moreover, the session key includes the timestamps, which ensures a unique key for each session. These facts show that compromise of a particular session key does not result in compromise of other session keys.
3.2.12. Known session-specific temporary information attack
If the short-term secret value r_u is compromised, the adversary still cannot compute the session key sk = h(H ⊕ r_u ⊕ T_u ⊕ T_s), as computing the session key requires the user's long-term key H along with the random value r_u, and H is protected by the password.
3.2.13. Forward secrecy
If the user's long-term key H is compromised, an adversary still cannot obtain an established session key sk = h(H ⊕ r_u ⊕ T_u ⊕ T_s), as the session key includes the random value r_u, which is encrypted with the server's public key e, i.e., X = (ID_U||r_u||R)^e mod N. Therefore, an adversary cannot obtain r_u using H.
3.2.14. Key freshness property
Each session key involves a random number and timestamp where random numbers and timestamps are different for each session. The uniqueness of these values guarantees the unique key for each session. The unique key construction for each session ensures the key freshness property.
3.2.15. Mutual authentication
The server verifies the user's authenticity with the condition R = h(ID_U||r_u||H||T_u), where computing R requires H and ID_U. The user verifies the authenticity of the server with the condition Y = h(ID_U||sk||H); computing Y again requires H and ID_U. Since ID_U and H are secret, the user and server can correctly verify the authenticity of each other.
4. Performance analysis
In this section, we compare the efficiency of the proposed scheme with similar smart card based password authentication protocols for TMIS. Let the user identity ID, password PW, random values, timestamp and output of the hash function each be 128 bits, while e, X and n are all 1024 bits. Let T_h, T_E and T_X denote the time complexity of the hash function, exponential operation and XOR operation, respectively. It is well known that the time complexity of the XOR operation is negligible compared to the other two operations, so we do not take T_X into account. In general, the time complexities are ordered as T_E > T_h > T_X (Potlapally et al., 2006; Wong et al., 2001).  The communication and computation overheads are then as follows:
In Lin's scheme, computation of W, CID, R and X is required in the login phase, and X^d mod N, H, R, CID, k, V, k' and V' in the verification phase. So the computation overhead in the login phase is 3T_h + T_E and in the verification phase 7T_h + T_E. The user and server transmit the messages (X, R, T_i) and (V, k); therefore the communication overhead is 1536 (= 4 × 128 + 1024) bits. The smart card stores the values N, v, e and t; therefore the memory required is 2304 (= 2 × 128 + 2 × 1024) bits.
In Xie et al.'s scheme, the user's smart card computes h(PW), A, C1 and AID in the login phase. Therefore the computation cost in the login phase is 2T_h + 2T_E. In the verification phase, the smart card computes K_su, sk_su and C'_u while the server computes AID^x (mod n), D_symm(RID), J, C_s, B, K_m, sk_m and C_s. Therefore the computation overhead in the verification phase is 6T_h + T_S + 4T_E. The user and server transmit the messages (AID, T_u) and (C2, T_s, B); therefore the communication overhead is 2432 (= 3 × 128 + 2 × 1024) bits. The smart card stores the values {ID, SC, N, L, n, e}; therefore the memory required is 2660 (= 4 × 128 + 2 × 1024) bits.
In Cao and Zhai's scheme, the user's smart card computes h(b||PW) and AID in the login phase. Therefore the computation cost in the login phase is T_h + T_E. In the verification phase, the smart card computes K_su, C_s and C_u while the server computes AID^x (mod n), J, K_s, C_s and C_u. Therefore the computation overhead in the verification phase is 7T_h + T_E. The user and server transmit the messages (AID), (r_s, C_s) and C_u; therefore the communication overhead is 1408 (= 3 × 128 + 1024) bits. The smart card stores the values {L, n, b}; therefore the memory required is 1280 (= 2 × 128 + 1024) bits.
In the proposed scheme, the login phase requires computation of h(PW_U||ID_U), W, B, R and X, and the verification phase requires X^d mod N, H, R, sk_SU, Y, sk_US and Y. Therefore the computation overhead in the login phase is 4T_h + T_E and in the verification phase 6T_h + T_E. The user and server transmit the messages (X, T_u) and (Y, T_s); therefore the communication overhead is 1408 (= 3 × 128 + 1024) bits. The smart card stores the parameters N, v, e, A and B; therefore the required memory is 2432 (= 3 × 128 + 2 × 1024) bits (see Table 3).
Table 1 shows that most of the authentication schemes for TMIS do not protect privacy. The dynamic ID-based authentication schemes protect privacy, but those of Lin (2013) and Xie et al. (2013) do not resist the denial of service attack. Chen et al.'s dynamic ID-based scheme (Chen et al., 2012) and Cao and Zhai's dynamic ID-based scheme (Cao and Zhai, 2013) do resist the denial of service attack, but Chen et al.'s scheme does not resist password and identity guessing attacks, while Cao and Zhai's scheme does not withstand the known session-specific temporary information attack. The proposed scheme protects privacy and resists guessing and denial of service attacks; moreover, it resists the known session-specific temporary information attack and attains forward secrecy. Since the proposed scheme satisfies these security requirements and is comparable in communication and computational overheads with the relevant schemes, it is more appropriate for TMIS.
Table 3 Performance comparison between the proposed scheme and other relevant schemes.

Overhead/scheme     Chen et al. (2012)   Lin (2013)     Cao and Zhai (2013)   Xie et al. (2013)   Proposed scheme
l1 (bits)           384                  2304           1280                  2560                2432
l2 (bits)           960                  1536           1408                  2432                1408
l3                  3Th                  3Th + TE       Th + TE               2Th + 2TE           4Th + TE
l4                  8Th                  7Th + TE       7Th + TE              6Th + TS + 4TE      6Th + TE
l5                  11Th                 10Th + 2TE     8Th + 2TE             8Th + TS + 6TE      10Th + 2TE
l6                  2                    2              3                     2                   2
S1                  yes                  yes            yes                   yes                 yes
S2                  no                   yes            yes                   yes                 yes
S3                  no                   yes            yes                   yes                 yes
S4                  no                   yes            yes                   no                  yes
S5                  yes                  yes            yes                   yes                 yes
S6                  no                   yes            yes                   yes                 yes
S7                  yes                  yes            no                    no                  yes
S8                  yes                  yes            yes                   yes                 yes
S9                  yes                  no             yes                   no                  yes

l1: storage overhead of the smart card; l2: communication overhead in the login and authentication phases; l3: computation overhead in the login phase; l4: computation overhead in the verification phase; l5: total computation overhead in the login and authentication phases; l6: number of messages exchanged. Th, TE and TS denote the cost of one hash, one modular exponentiation and one symmetric-key encryption/decryption, respectively. S1: replay attack; S2: user impersonation attack; S3: off-line password guessing attack; S4: on-line password guessing attack; S5: man-in-the-middle attack; S6: forward secrecy; S7: known session-specific temporary information attack; S8: insider attack; S9: denial of service attack. "yes" means the scheme resists the attack (or provides the property), "no" means it does not.
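The S9 row of Table 3, and the claim that incorrect input is detected on the card before any message is sent, come down to one design decision: whether the smart card can check the entered password before it rewrites its password-dependent state. The following Python model is an added illustration of that decision and is not the scheme proposed in this paper or in any of the cited ones; the stored values A and B, the masking construction, the server's master secret x_s, the login message and the constructed identities and passwords are all hypothetical simplifications chosen only to make the failure mode concrete.

```python
"""Added toy model: a smart-card password-change phase with and without a
local verifier, showing the denial-of-service failure mode of the latter.

Hypothetical construction (not the paper's scheme):
  x_u = h(x_s || ID)            server-side per-user secret
  A   = x_u XOR h(ID || PW)     x_u masked under the password (stored on card)
  B   = h(x_u || ID || PW)      verifier, stored only when with_verifier=True
"""
import hashlib
from typing import Iterable, Optional, Tuple


def h(*parts: bytes) -> bytes:
    """Stand-in for the paper's h(.): SHA-256 over length-prefixed parts."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Registration and authentication server holding the master secret x_s."""

    def __init__(self, master_secret: bytes):
        self.x_s = master_secret

    def user_secret(self, identity: bytes) -> bytes:
        return h(self.x_s, identity)                      # x_u

    def issue_card(self, identity: bytes, password: bytes, with_verifier: bool) -> "SmartCard":
        x_u = self.user_secret(identity)
        A = xor(x_u, h(identity, password))
        B = h(x_u, identity, password) if with_verifier else None
        return SmartCard(identity, A, B)

    def verify_login(self, identity: bytes, timestamp: int, proof: bytes) -> bool:
        expected = h(self.user_secret(identity), timestamp.to_bytes(8, "big"))
        return proof == expected


class SmartCard:
    def __init__(self, identity: bytes, A: bytes, B: Optional[bytes]):
        self.identity, self.A, self.B = identity, A, B

    def _unmask(self, password: bytes) -> bytes:
        return xor(self.A, h(self.identity, password))    # x_u only if password is right

    def check_input(self, password: bytes) -> bool:
        """Local input verification; only possible when a verifier B is stored."""
        if self.B is None:
            return True      # no verifier: the card cannot tell a wrong password apart
        return h(self._unmask(password), self.identity, password) == self.B

    def login(self, password: bytes, timestamp: int) -> Optional[Tuple[bytes, int, bytes]]:
        """Returns the login message, or None if the card rejects the input locally."""
        if not self.check_input(password):
            return None
        proof = h(self._unmask(password), timestamp.to_bytes(8, "big"))
        return (self.identity, timestamp, proof)

    def change_password(self, old_password: bytes, new_password: bytes) -> bool:
        """Re-masks A (and B) under the new password. Without a verifier the card
        cannot detect a wrong old password and silently corrupts A."""
        if not self.check_input(old_password):
            return False
        x_u = self._unmask(old_password)                  # garbage if old_password is wrong
        self.A = xor(x_u, h(self.identity, new_password))
        if self.B is not None:
            self.B = h(x_u, self.identity, new_password)
        return True


def password_change_dos(with_verifier: bool) -> bool:
    """Runs the change phase with a wrong old password (a typo or an attacker
    holding the card), then asks whether the legitimate user can still log in.
    Returns True if the card is unusable afterwards, i.e. a denial of service."""
    server = Server(b"\x13" * 32)                          # constructed master secret
    card = server.issue_card(b"alice", b"correct horse", with_verifier)
    card.change_password(b"wrong guess", b"attacker pw")   # wrong old password
    msg = card.login(b"correct horse", 1_700_000_000)      # legitimate user tries again
    return msg is None or not server.verify_login(*msg)


def offline_guess(card: SmartCard, candidates: Iterable[bytes]) -> Optional[bytes]:
    """The price of a stored verifier: whoever can read (A, B) off the card can
    test password guesses offline. Returns the first candidate that passes."""
    if card.B is None:
        return None
    for pw in candidates:
        if card.check_input(pw):
            return pw
    return None
```

In this model `password_change_dos(False)` returns True and `password_change_dos(True)` returns False: only the card with a verifier can refuse the change before it overwrites A. The same verifier also shortens the login phase, because a card without one must send a login message and wait for the server to reject it. The trade-off is visible in `offline_guess`: with this naive verifier, an adversary who extracts (A, B) from the card can confirm password guesses without contacting the server, which is the off-line password guessing attack of row S3. A scheme that claims both S3 and S9, as the proposed scheme does, therefore has to construct its verifier so that a guess cannot be confirmed from the card contents alone; how the proposed scheme does this is a matter for its security analysis, not for this toy.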
5. Conclusion
We have discussed the failure of existing schemes for TMIS to provide efficient login and password change phases. We have proposed an efficient and secure dynamic ID-based authentication scheme for TMIS. The proposed scheme maintains efficient login and password change phases in which incorrect input is quickly detected. Additionally, the scheme resists guessing attacks and protects the user's privacy. The security analysis indicates that the proposed scheme satisfies all the desirable security attributes, and the performance analysis shows that it is comparable in communication and computational overheads with the existing dynamic ID-based authentication schemes for TMIS.
References
Alfantookh, A.A., 2006. DoS attacks intelligent detection using neural networks. J. King Saud Univ. Comput. Inf. Sci. 18, 31-51.
Al-Muhtadi, J., 2007. An efficient overlay infrastructure for privacy-preserving communication on the internet. J. King Saud Univ. Comput. Inf. Sci. 19, 39-59.
Aloul, F., Zahidi, S., El-Hajj, W., 2009a. Multi factor authentication using mobile phones. Int. J. Math. Comput. Sci. 4 (2), 65-80.
Aloul, F., Zahidi, S., El-Hajj, W., 2009b. Two factor authentication using mobile phones. In: IEEE/ACS International Conference on Computer Systems and Applications (AICCSA 2009). IEEE, pp. 641-644.
Burrows, M., Abadi, M., Needham, R.M., 1989. A logic of authentication. Proc. R. Soc. London A. Math. Phys. Sci. 426 (1871), 233-271.
Cao, T., Zhai, J., 2013. Improved dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 37 (2), 1-7.
Chen, H.-M., Lo, J.-W., Yeh, C.-K., 2012. An efficient and secure dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 36 (6), 3907-3915.
He, D., Chen, J., Zhang, R., 2012. A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36 (3), 1989-1995.
Jiang, Q., Ma, J., Ma, Z., Li, G., 2013. A privacy enhanced authentication scheme for telecare medical information systems. J. Med. Syst. 37 (1), 1-8.
Jiang, Q., Ma, J., Lu, X., Tian, Y., 2014. Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems. J. Med. Syst. 38 (2), 1-8.
Lee, T.-F., Chang, I.-P., Lin, T.-H., Wang, C.-C., 2013. A secure and efficient password-based user authentication scheme using smart cards for the integrated EPR information system. J. Med. Syst. 37 (3), 1-7.
Lin, H.-Y., 2013. On the security of a dynamic ID-based authentication scheme for telecare medical information systems. J. Med. Syst. 37 (2), 1-5.
Mishra, D., 2015a. Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems. J. Med. Syst. 39 (3), 1-8.
Mishra, D., 2015b. On the security flaws in ID-based password authentication schemes for telecare medical information systems. J. Med. Syst. 39 (1), 1-16.
Mishra, D., Mukhopadhyay, S., 2014. A privacy enabling content distribution framework for digital rights management. Int. J. Trust Manag. Comput. Commun. 2 (1), 22-39.
Mishra, D., Mukhopadhyay, S., Kumari, S., Khan, M.K., Chaturvedi, A., 2014a. Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J. Med. Syst. 38 (5), 1-11.
Mishra, D., Mukhopadhyay, S., Chaturvedi, A., Kumari, S., Khan, M.K., 2014b. Cryptanalysis and improvement of Yan et al.'s biometric-based authentication scheme for telecare medicine information systems. J. Med. Syst. 38 (6), 1-12.
Potlapally, N.R., Ravi, S., Raghunathan, A., Jha, N.K., 2006. A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Trans. Mob. Comput. 5 (2), 128-143.
Syverson, P., Cervesato, I., 2001. The logic of authentication protocols. In: Foundations of Security Analysis and Design. Springer, pp. 63-137.
Wei, J., Hu, X., Liu, W., 2012. An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36 (6), 3597-3604.
Wong, D.S., Fuentes, H.H., Chan, A.H., 2001. The performance measurement of cryptographic primitives on palm devices. In: Proceedings 17th Annual Computer Security Applications Conference (ACSAC 2001). IEEE, pp. 92-101.
Wu, F., Xu, L., 2013. Security analysis and improvement of a privacy authentication scheme for telecare medical information systems. J. Med. Syst. 37 (4), 1-9.
Wu, Z.-Y., Lee, Y.-C., Lai, F., Lee, H.-C., Chung, Y., 2012. A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36 (3), 1529-1535.
Xie, Q., Zhang, J., Dong, N., 2013. Robust anonymous authentication scheme for telecare medical information systems. J. Med. Syst. 37 (2), 1-8.
Xu, X., Zhu, P., Wen, Q., Jin, Z., Zhang, H., He, L., 2014. A secure and efficient authentication and key agreement scheme based on ECC for telecare medicine information systems. J. Med. Syst. 38 (1), 1-7.
Zhu, Z., 2012. An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36 (6), 3833-3838.