An improved authenticated key agreement protocol for telecare medicine information system

In telecare medicine information systems (TMIS), identity authentication of patients plays an important role and has been widely studied in the research field. Generally, it is realized by an authenticated key agreement protocol, and many such protocols were proposed in the literature. Recently, Zhang et al. pointed out that Islam et al.’s protocol suffers from the following security weaknesses: (1) Any legal but malicious patient can reveal other user’s identity; (2) An attacker can launch off-line password guessing attack and the impersonation attack if the patient’s identity is compromised. Zhang et al. also proposed an improved authenticated key agreement scheme with privacy protection for TMIS. However, in this paper, we point out that Zhang et al.’s scheme cannot resist off-line password guessing attack, and it fails to provide the revocation of lost/stolen smartcard. In order to overcome these weaknesses, we propose an improved protocol, the security and authentication of which can be proven using applied pi calculus based formal verification tool ProVerif.

protocol could not resist insider attack and impersonation attack, and they gave an improved protocol using a smart card. However, Wei et al. (2012) showed that He et al.'s protocol failed to resist off-line password guessing attack, and they also proposed an improved scheme, but Wei et al.'s scheme has the same security defects. In order to fix the above drawbacks, Zhu (2012) proposed an improved scheme. Unfortunately, Zhu et al.'s scheme has been proven insecure by Muhaya (2015). Wu et al. (2012) proposed a password-based user authentication scheme for the integrated EPR information system. Later, Islam and Biswas (2014) found that Wu et al.'s (2012) scheme cannot resist privileged-insider attack, off-line password guessing attack and ephemeral secret leakage attack.
Improving the security and computational efficiency of authentication schemes is an interesting research topic. Pu et al. (2010) designed an anonymous authentication scheme for TMIS service using elliptic curve cryptography (ECC). Chen et al. (2012) proposed a dynamic-identity based authentication scheme for TMIS. However, Jiang et al. (2013) showed that Chen et al.'s scheme cannot withstand impersonation attack, off-line password guessing attack and denial-of-service attack. Recently, Xu et al. (2014) proposed a two-factor authenticated key agreement protocol using ECC. Unfortunately, Islam and Khan (2014) showed that Xu et al.'s scheme (Xu et al. 2014) can neither withstand replay attack, nor provide the revocation of lost/stolen smart cards, nor achieve strong authentication in the login and authentication phases. In order to overcome the above defects, they proposed a new anonymous two-factor authentication protocol for TMIS. Recently, Zhang and Zhou (2015) pointed out that Islam et al.'s protocol has several security defects: (1) any legal but malicious patient can reveal other users' identities; (2) an attacker can launch off-line password guessing attack and impersonation attack if he knows a legal user's identity. Zhang et al. then proposed a new ECC-based authenticated key agreement scheme to fix the above security problems. In 2015, Chaudhry et al. (2015) also showed that Islam et al.'s protocol (Islam and Khan 2014) suffers from user impersonation attacks and server impersonation attacks, and they then proposed an improved two-factor authentication protocol for TMIS. In fact, Chaudhry et al.'s scheme is insecure under the lost/stolen smartcard disguised attack and the off-line password guessing attack, because an insider adversary can extract the information (r i , h(·)) from the memory of the user's smart card.
As passwords are generally low-entropy keys, the following attack is feasible in practice: suppose that PW′ is the guessed password and l i is the user's identity; an insider adversary (e.g. a malicious server) can compute l′ i = h(ID i ||PW′||r i ). If l′ i = l i , the adversary has found the correct password PW i .
As biometric keys have the uniqueness property, they can neither be forged nor guessed easily. Therefore, biometric keys have been widely adopted in authentication protocols. In 2010, Li and Hwang (2010) proposed a biometrics-based remote user authentication scheme using the user's biometric key to identify the correct user. Li et al. (2011) showed that Li and Hwang's scheme is vulnerable to the man-in-the-middle attack, and they proposed an improved biometrics-based remote user authentication scheme. However, Truong et al. (2012) pointed out that Li et al.'s scheme cannot resist stolen verifier attack, replay attack and man-in-the-middle attack, and they proposed an improved remote user authentication scheme. However, the login and password change phases of their scheme are not efficient in practice. Later, Awasthi and Srivastava (2013) proposed a new robust biometrics-based remote user authentication scheme using smart cards in order to avoid time-consuming exponential operations. Unfortunately, Dheerendra et al. (2014) demonstrated that Awasthi et al.'s scheme fails to resist online and off-line password guessing attacks, and they proposed an improved biometrics-based authentication scheme for TMIS. In 2014, He and Wang (2014) proposed a robust multi-server authentication scheme using a biometrics-based smart card. But Vanga et al. (2015) pointed out that He and Wang's scheme is vulnerable to a known session-specific temporary information attack and an impersonation attack. They proposed a secure biometrics-based multi-server authentication protocol using a biometrics-based smart card, and provided simulation results of their scheme for formal security verification using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool (AVISPA; Lv et al. 2013).

Our contributions
In this paper, we show that Zhang et al.'s protocol (Zhang and Zhou 2015) is vulnerable to the lost/stolen smartcard disguised attack and the off-line password guessing attack. We then propose an improved protocol using biometric keys (fingerprint, face, palmprint, etc.) to resolve these security problems. Furthermore, we provide simulation results for the formal security verification of our scheme using the applied pi calculus based formal verification tool ProVerif. Our protocol overcomes the weaknesses of Islam et al.'s scheme and Zhang et al.'s scheme, and has similar efficiency in comparison with their schemes.
The rest of the paper is organized as follows: we first review Zhang et al.'s protocol in the second section, and show the security weaknesses of Zhang et al.'s protocol in the third section. Then, we propose an improved authentication protocol for TMIS in the fourth section. The security analysis of the improved scheme is given in the fifth section. We prove the session key secrecy and authentication property using the pi calculus based tool ProVerif in the sixth section. In the seventh section, we compare the security and computation cost of our scheme with other related schemes. We conclude the paper in the eighth section.

Review of Zhang et al.'s scheme
In this section, we review Zhang et al.'s scheme. There are two participants in Zhang et al.'s protocol, the patient U and the telecare server S. Table 1 shows the notations used in this paper.

Initialization phase
S selects an elliptic curve E p (a, b) over a prime finite field F p and a base point P on E p (a, b). Following that, S chooses a random number s ∈ Z* p as his secret value, computes Q s = sP, selects a one-way hash function H(·) : {0, 1}* → Z* p , publishes {E p (a, b), P, H(·), Q s } and keeps s secret.
2. Upon receiving (ID, l), S verifies the user's legitimacy in his database. If ID belongs to a new patient, S sets N = 0; otherwise U is re-registering to the system and S sets N = N + 1. S stores (ID, N, T) into its database, where T is the current registration time.
b)} into the smart card, and sends it to U via a secure way.
4. On obtaining the smartcard, U stores the number r in it.

1. U inserts his smart card into the terminal and inputs his identity ID and password PW. The smartcard computes l = H(r||PW), µ′ = H(ID ⊕ l), and checks whether µ′ = µ holds. If not, it aborts the session; otherwise, it selects a random number a and a current timestamp T 1 . Then, the smartcard computes V = aP, I = aQ s , and sends the login information m 1 = {V, G 1 , T 1 } to S via the public channel.
2. After receiving m 1 at T 2 , S checks whether T 2 − T 1 < ∆T holds. If it is true, S computes I = sV, K s = H(I||T 1 ), decrypts G 1 to get ID′ and D′, and checks whether ID′ is found in the database. If not, S terminates the session; otherwise, S computes σ* = H(s ⊕ ID′) and checks whether D′ = H(V||N||σ*) holds. If not, the session terminates; otherwise, S selects a random number c and computes W = cP, J = cV.
3. U checks whether G′ 2 = G 2 holds. If not, it aborts the session; otherwise, U authenticates S successfully.

Password updating phase
U inserts his smart card into the terminal and enters his ID and PW when he wants to update his password.
1. The smartcard computes l = H(r||PW), µ′ = H(ID ⊕ l), and checks whether µ′ = µ holds. If not, it aborts the session; otherwise, it selects a new random number r* and a new password PW*, and updates the corresponding values in the smart card.

Lost/stolen smartcard revocation phase
When U's smartcard is lost or stolen, it will request S for its revocation.
1. U chooses its new password PW* and a new random number r*, computes l* = H(r*||PW*), and submits (ID, l*) to S over a secure channel.
2. S first checks the registration credentials of U. If the credential provided by U is valid, S updates N as N = N + 1 for the tuple (ID, N, T 1 ) to revoke the smartcard.
3. S computes σ = H(s ⊕ ID), v* = σ ⊕ l*, µ* = H(ID ⊕ l*), stores {v*, µ*, P, H(·), Q s , N, E p (a, b)} into the smart card, and sends it to U via a secure way.
4. On obtaining the smartcard, U stores the random number r* in it. Finally, the smartcard stores {r*, v*, µ*, P, H(·), Q s , N, E p (a, b)}.

Weaknesses of Zhang et al.'s scheme
Through careful analysis, we find that Zhang et al.'s protocol is vulnerable to the off-line password guessing attack and the lost/stolen smartcard disguised attack. The detailed analyses are described as follows.

Off-line password guessing attack
Suppose an insider adversary in TMIS can extract the information (r, µ) from the memory of the user's smart card (Zhang and Zhou 2015). Generally speaking, passwords are not high-entropy keys (Abadi and Fournet 2001), so the following attack is feasible in practice. Let PW′ be the guessed password; an insider adversary (e.g. the user's colleague or a malicious server) can easily learn the user's identity. Knowing ID, the insider computes l′ = H(r||PW′), µ′ = H(ID ⊕ l′) = H(ID ⊕ H(r||PW′)), and checks whether µ′ = µ holds. If it does, the insider has guessed the correct password; otherwise, it repeatedly guesses a new password until it succeeds.

Failure to provide the revocation of lost/stolen smartcard
Though Zhang et al.'s scheme has a lost/stolen smartcard revocation phase, an insider adversary can still use the lost/stolen smartcard to pass the authentication process. The reason is that σ = H(s ⊕ ID) and ID in the new smart card are the same as those of the lost/stolen smartcard, and only N is updated to N + 1. Using the off-line password guessing attack above, the adversary can easily obtain PW and compute a correct authentication request message m 1 = {V, G, T 1 }, which passes the authentication of the server.
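To make the weakness concrete, the following Python (an added illustration, not code from the paper) models what each scheme's smart card stores and runs the insider's verifier check from the analysis above against both cards. SHA-256 stands in for H(·), the XOR pads its inputs to 32 bytes, and the card values and the candidate list are constructed sample data.

```python
import hashlib

def H(*parts):                                  # H(.) over the concatenation of its inputs
    return hashlib.sha256(b"|".join(x if isinstance(x, bytes) else x.encode() for x in parts)).digest()

def xor(a, b):                                  # XOR of two values left-padded to 32 bytes
    return bytes(x ^ y for x, y in zip(a.rjust(32, b"\0"), b.rjust(32, b"\0")))

def zhang_card(ID, PW, r):
    """Values readable from a Zhang et al. card: r and the verifier mu = H(ID xor H(r||PW))."""
    return {"r": r, "mu": H(xor(ID.encode(), H(r, PW)))}

def improved_card(ID, PW, r, Bio):
    """Improved card: r is masked by the biometric and theta binds ID, PW and r together."""
    return {"mu": xor(r, H(Bio)), "theta": H(ID, PW, r)}

def offline_check_zhang(card, ID, candidates):
    """The insider's test: every input it needs is on the card (r, mu) or easy to learn (ID)."""
    for PW in candidates:
        if H(xor(ID.encode(), H(card["r"], PW))) == card["mu"]:
            return PW                           # verifier matched: PW confirmed offline
    return None

def offline_check_improved(card, ID, candidates, Bio_guess):
    """Same test against the improved card: theta can only be recomputed after r is unmasked
    with the biometric, so no password guess can be confirmed without also holding Bio."""
    r = xor(card["mu"], H(Bio_guess))
    for PW in candidates:
        if H(ID, PW, r) == card["theta"]:
            return PW
    return None

# Constructed sample: a short candidate list standing in for a password dictionary.
CANDIDATES = ["123456", "password", "qwerty", "summer2015", "letmein"]
```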

The improved scheme
In our improved scheme, {s, E p (a, b), P, H(·), Q s } are the same as in Zhang et al.'s scheme.

Registration phases
When a user U wants to become a legal user, he should register to S as follows.
1. U selects his identity ID, password PW and a random number r, computes l = H(r||PW), and sends (ID, l) to S via a secure way.
2. Upon receiving (ID, l), S verifies the user's legitimacy in his database. If ID belongs to a new patient, S sets N = 0; otherwise U is re-registering to the system and S sets N = N + 1. S stores the tuple (ID, N, N c ) in its database, where N c is the identity of the smart card.
3. S computes α = H(s ⊕ ID), β = α ⊕ l, stores {β, P, H(·), Q s , N, N c , E p (a, b)} into the smart card, and sends it to U via a secure way.
4. On obtaining the smartcard, U scans and enters his personal biometrics Bio. It is worth mentioning that no one except U can obtain Bio, and that the biometrics scanner can be integrated in the smart card reader. U computes µ = r ⊕ H(Bio), θ = H(ID||PW||r) and stores (µ, θ) in the smart card.

Login and authentication phases
In this phase, the user U and the server S authenticate each other and establish the session key sk, as shown in Algorithm 1.

1. U inserts his smart card into the terminal and inputs his identity ID, password PW and Bio. The smartcard computes r′ = µ ⊕ H(Bio), θ′ = H(r′||PW||ID), and checks whether θ′ = θ holds. If not, it aborts the session; otherwise, it selects two random numbers a and N 1 . Then, the smartcard computes V = aP, I = aQ s , K u = H(I||N 1 ), α = β ⊕ l, γ = H(V, N, N 1 , α, N c ) and G 1 = E K u (ID||N 1 ||γ||N c ), and sends the login information m 1 = {V, G 1 , N 1 } to S via the public channel.
2. After receiving m 1 , S checks whether N 1 is a fresh nonce. If it is, S computes I = sV, K s = H(I||N 1 ), decrypts G 1 to get ID′, N c , γ and N 1 , and checks whether ID′ is found in the database. If not, S terminates the session; otherwise, S computes α* = H(s ⊕ ID), γ* = H(V, N, N 1 , α*, N c ), and checks whether γ* = γ holds. If not, S terminates the session; otherwise, it selects two random numbers c and N 2 , computes W = cP, J = cV, ||N 1 ||N 2 ), and sends m 2 = {W, G 2 , N 2 } to U via the public channel.
3. If N 2 is not a fresh nonce, the smartcard aborts; otherwise, it computes J = aW, K = H(J||N 2 ), decrypts G 2 to get Q s and N 2 , and checks whether Q′ s = Q s holds. If not, the smartcard terminates the session; otherwise, U authenticates S successfully and computes sk = H(ID||Q s ||I||J||N 1 ||N 2 ).

Password updating phase
1. random number r* and a new password PW*, and updates the corresponding values in the smart card.
2. The smartcard computes µ* = r* ⊕ H(Bio), θ* = H(ID||PW*||r*) and replaces (µ, θ) with (µ*, θ*).
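The following Python is an added simulation of one run of the improved login and authentication phase between U and S (not the paper's code): registration issues the card, the three login steps exchange m 1 and m 2 , and S enforces nonce freshness and the (N, N c ) check that rejects a card revoked by re-registration. Assumptions: exponentiation modulo the Mersenne prime 2^127 − 1 stands in for the elliptic-curve group, SHA-256 for H(·), a SHA-256 keystream XOR for E K , and G 2 is taken to carry Q s ||N 1 ||N 2 because the page's definition of G 2 is truncated.

```python
import hashlib, json, secrets

# Stand-in for the paper's elliptic-curve group: exponentiation modulo the Mersenne prime
# 2^127 - 1 (constructed for illustration only; a deployment would use a standard curve).
Q, G = 2**127 - 1, 3
rand = lambda: secrets.randbelow(Q - 2) + 1           # fresh private scalar (a, c or s)
mul = lambda k, pt: pow(pt, k, Q)                     # "scalar multiplication" k*pt

def H(*parts):                                        # H(.) over the concatenation of its inputs
    return hashlib.sha256(b"|".join(x if isinstance(x, bytes) else repr(x).encode() for x in parts)).digest()

def xor(a, b):                                        # XOR of two values left-padded to 32 bytes
    return bytes(x ^ y for x, y in zip(a.rjust(32, b"\0"), b.rjust(32, b"\0")))

def E(K, m):        # stand-in for E_K: SHA-256 keystream XOR (the page fixes no particular cipher)
    ks = b"".join(hashlib.sha256(K + i.to_bytes(4, "big")).digest() for i in range(len(m) // 32 + 1))
    return bytes(x ^ y for x, y in zip(m, ks))

S = {"s": rand(), "db": {}, "seen": set()}            # server: secret s, ID -> (N, N_c), used nonces
S["Qs"] = mul(S["s"], G)                              # public value Q_s = sP
alpha = lambda ID: H(xor(S["s"].to_bytes(32, "big"), ID.encode()))   # alpha = H(s xor ID)

def register(ID, PW, Bio):                            # registration steps 1-4; returns U's card
    r = secrets.token_bytes(32)
    N = S["db"][ID][0] + 1 if ID in S["db"] else 0    # re-registration bumps N ...
    S["db"][ID] = (N, secrets.token_hex(4))           # ... and issues a new card identity N_c
    return {"beta": xor(alpha(ID), H(r, PW)), "Qs": S["Qs"], "N": N, "Nc": S["db"][ID][1],
            "mu": xor(r, H(Bio)), "theta": H(ID, PW, r)}

def user_login(card, ID, PW, Bio):                    # login step 1 (U)
    r = xor(card["mu"], H(Bio))                       # r is recovered only with the right biometric
    if H(ID, PW, r) != card["theta"]: return None     # local check fails; S is never contacted
    a, N1 = rand(), secrets.token_bytes(16)
    V, I = mul(a, G), mul(a, card["Qs"])
    gamma = H(V, card["N"], N1, xor(card["beta"], H(r, PW)), card["Nc"])
    G1 = E(H(I, N1), json.dumps([ID, N1.hex(), gamma.hex(), card["Nc"]]).encode())
    return (V, G1, N1), (a, I, N1)                    # m_1 plus the state U keeps for step 3

def server_respond(m1):                               # login step 2 (S)
    V, G1, N1 = m1
    if N1 in S["seen"]: return None                   # replayed nonce
    S["seen"].add(N1)
    I = mul(S["s"], V)                                # I = sV equals U's aQ_s
    try: ID, _, gamma, _ = json.loads(E(H(I, N1), G1))
    except (ValueError, TypeError): return None       # G_1 was not encrypted under K_u = K_s
    if ID not in S["db"]: return None
    N, Nc = S["db"][ID]                               # N_c from the database, so a revoked card fails
    if bytes.fromhex(gamma) != H(V, N, N1, alpha(ID), Nc): return None
    c, N2 = rand(), secrets.token_bytes(16)
    W, J = mul(c, G), mul(c, V)
    G2 = E(H(J, N2), json.dumps([S["Qs"], N1.hex(), N2.hex()]).encode())   # G_2 content assumed
    return (W, G2, N2), H(ID, S["Qs"], I, J, N1, N2)   # m_2 plus S's copy of sk

def user_finish(card, ID, state, m2):                 # login step 3 (U)
    (a, I, N1), (W, G2, N2) = state, m2
    J = mul(a, W)
    try: Qs, _, _ = json.loads(E(H(J, N2), G2))
    except (ValueError, TypeError): return None
    return H(ID, card["Qs"], I, J, N1, N2) if Qs == card["Qs"] else None
```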

Lost/stolen smartcard revocation phases
When U's smartcard is lost or stolen, it will request S for its revocation.

Security analysis
In this section, we analyze the security of the improved protocol. The following attacks assume that a malicious adversary can eavesdrop, modify, insert, or delete any messages transmitted via public channel.

The improved protocol can achieve mutual authentication
As V = aP, I = aQ s , K u = H(I||N 1 ) and G 1 = E K u (ID||N 1 ||γ||N c ), only the legal user U can obtain the secret values (I, N 1 ) needed to generate a legal G 1 . S decrypts G 1 and checks whether ID′ = ID holds. If it does, S authenticates U; otherwise, U is not authenticated by S. On the other hand, U authenticates S by verifying whether Q′ s = Q s holds. As a result, our protocol achieves mutual authentication.

Malicious insider impersonation attack
Login phase: if a malicious user U A wants to impersonate U, he must forge a valid login message {V*, G* 1 , N 1 } where V* = a*P, I* = a*Q s , K* = H(I*||N 1 ) and G* 1 = E K* (ID*||N 1 ||γ||N c ). However, U A cannot obtain I, so he can only forge an invalid message. When S receives the login request message from U A , it decrypts it and recomputes the values in G* 1 = E K* (ID*||N 1 ||γ||N c ), but the equation ID* = ID does not hold, so S rejects the login request. Thus, our scheme can resist the insider impersonation attack.

Off-line password guessing attack
If a malicious attacker has stolen the user's smart card, he can extract the information {θ, µ, β, P, H(·), N, Q s , E p (a, b)} from it, where µ = r ⊕ H(Bio), θ = H(ID||PW||r) and l = H(r||PW). Since r is protected by Bio and PW is protected by a one-way hash function, the attacker knows neither the real identity ID nor the correct password PW, and guessing both parameters correctly at once is infeasible in polynomial time. Therefore, our protocol is secure against the off-line password guessing attack.

Strong replay attack
If a malicious attacker wants to replay a previously transmitted message of the sender or the receiver, the attack fails since U and S choose different random numbers (N 1 , N 2 ) in each session. During the authentication phase, after S responds to the next login message m′ 1 = {V′, G′ 1 , N′ 1 } with a valid nonce N 1 , the attacker can neither verify its validity nor obtain the session key, assuming the intractability of the Diffie-Hellman problem.

Lost/stolen smartcard attack
When the attacker attempts to use the lost smart card at a terminal, it cannot pass the authentication of the server, since the stolen card's N c has been updated in the database of S.

Perfect forward secrecy
In our protocol, the session key is sk = H (ID||Q s ||I||J ||N 1 ||N 2 ), where I = aQ s = asP, J = cV = caP. Since a and c are random numbers chosen by U and S, their values are changed in each session run. Therefore, our protocol can provide perfect forward secrecy.

Formal verification
Several formal verification tools are used to prove the security of cryptographic protocols, such as BAN logic, AVISPA and ProVerif (Abadi et al. 2009). In this section, we prove session key secrecy and authentication using the formal verification tool ProVerif, which is based on the applied pi calculus (Abadi and Fournet 2001). The reason is that ProVerif runs automatically and errors are detected easily, whereas a hand-written formal security proof is constructed manually and its errors may not be easy to find.
The ProVerif code for the definition of functions, reductions, equations, free names and constants is as follows.
Liu et al. SpringerPlus (2016) 5:555
We perform the above process in the latest version, 1.88, of ProVerif. The results are shown in Fig. 1. The experimental results show that our scheme is secure.

Security and computation cost comparisons
The security comparison between our scheme and other recently proposed related schemes is given in Table 2. If a scheme can prevent the attack or satisfy the property, the symbol 'Y' is used; otherwise, the symbol 'N' is used.
Let T m be the time complexity of a point multiplication in a group, T a the time complexity of a point addition in a group, T s a symmetric key encryption/decryption operation and T h a one-way hash operation. Table 3 illustrates the average running times of some commonly used operations estimated by Kilinc and Yanik (2014), and shows that a point multiplication in a group is slower than a point addition, a hash function evaluation and a symmetric encryption/decryption operation.

Conclusion
In this paper, we have shown that Zhang et al.'s protocol cannot achieve some security properties: it is not secure against off-line password guessing attacks, and it fails to provide the revocation of lost/stolen smartcards. Technically, we adopt a random-number-based authentication mechanism instead of timestamps, which may cause time synchronization problems. An improved protocol is proposed to overcome those weaknesses. The simulation results show that, compared with existing protocols, our protocol provides the same level of efficiency and better security guarantees for TMIS applications.