# A lightweight pseudonym authentication and key agreement protocol for multi-medical server architecture in TMIS.

Abstract: Telecare Medical Information System (TMIS) helps patients obtain health monitoring information at home and access medical services over the mobile Internet. In 2015, Das et al. proposed a secure and robust user AKA scheme for the hierarchical multi-medical server environment in TMIS, referred to as the DAKA protocol, and claimed that it resists all possible attacks. In this paper, we first analyze the DAKA protocol and show that it is vulnerable to internal attacks, impersonation attacks and the stolen smart card attack. Furthermore, the DAKA protocol cannot provide confidentiality. We then propose a lightweight pseudonym AKA protocol for the multi-medical server architecture in TMIS (PAKA for short). Our PAKA protocol not only keeps the good security features claimed by the DAKA protocol, but also truly provides patient anonymity by using pseudonyms to protect sensitive information from illegal interception. Besides, our PAKA protocol realizes authentication and key agreement with energy saving, extremely low computation cost, low communication cost and fewer storage resources in the smart card, medical servers and physical servers. What is more, the PAKA protocol is proved secure against known attacks by using Burrows-Abadi-Needham (BAN) logic. These features make the PAKA protocol very suitable for computation-limited mobile devices.

Keywords: multi-medical server; privacy-preserving; authentication; BAN logic

1. Introduction

Telecare Medical Information System (TMIS) builds a convenient connection between patients and doctors, helping patients obtain health monitoring information at home and access medical services over the mobile Internet. With the increasing dependence on the Internet, however, a single medical server cannot meet people's basic needs. The research in [1] found that, on average, a user logs in to 25 different servers each month. The traditional authentication protocol is designed for a single-medical-server environment, where each patient has to register repeatedly with different servers and remember numerous different usernames and passwords for the different medical servers. This is especially inconvenient and inefficient for patients in TMIS. In a real TMIS, many patients use the same username and password to access different medical servers simply for convenience, which increases the risk of disclosure of patients' usernames and passwords. Once a patient's username and password are leaked and obtained by an attacker, the attacker may use the compromised credentials to log in to the other medical servers the patient has registered with. Thus, a system in which a user can log in to several medical servers and access different medical services with only one username and one password is convenient for patients. A multi-medical server system realizes this and solves the repeated-registration problem inherent in single-medical-server scenarios of TMIS. Meanwhile, TMIS can provide various resources to the patient, such as health educators, physicians, care-givers, public health organizations and home-care services. TMIS collects a mass of user data from different servers, which increases the likelihood of user privacy leakage. Obviously, protecting patients' privacy is an urgent demand in the medical environment, and protocols designed for TMIS should take users' privacy protection into account.
At the same time, most patients are mobile phone users, so limited computation and limited energy are also inevitable constraints. Therefore, it is very important and urgent to design secure and efficient remote authentication protocols for patients in the multi-medical server environment of TMIS.

1.1 Related Work

Due to the widespread deployment of Internet multi-medical servers and the great convenience of remote medical services, how to securely access remote medical servers and obtain the corresponding service has received considerable attention. In recent years, many remote AKA protocols have successively been proposed for the Telecare Medical Information System (TMIS) [2-9]. Wu et al. [2] proposed a novel authentication protocol for TMIS. However, He et al. [3] showed that Wu et al.'s protocol [2] cannot resist insider attacks and impersonation attacks. In 2012, Wei et al. [4] showed that both protocols in [2] and [3] fail to achieve multi-factor authentication and proposed an improved protocol at the same time. Thereafter, Zhu et al. [5] showed that Wei et al.'s protocol [4] is vulnerable to the off-line password guessing attack. Then, Lee and Liu [6] demonstrated that the protocol in [5] cannot withstand the parallel session attack and presented an improved one. In 2013, Tan et al. [7] proposed an efficient biometrics-based authentication scheme for TMIS, which was claimed to resist many kinds of attacks. However, Yan et al. [8] showed that the protocol in [7] is vulnerable to the DoS attack. In order to eliminate the drawbacks of [7], a new scheme [8] was proposed for better security protection and performance. Unfortunately, Mishra et al. [9] showed that Yan et al.'s scheme [8] suffers from the password guessing attack and proposed a security-enhanced protocol. However, all the schemes above are designed for the single-medical-server environment. They cannot meet the various requirements of users and the rapid development of multi-medical servers. In the last few years, a large number of user authentication protocols for multi-server systems have been proposed [10-14].
Although the protocols in [10-14] have some advantages (such as strong anonymity), they need heavy computation because of public-key encryption/signature algorithms or other time-consuming operations (such as bilinear pairings). Therefore, these protocols are not suitable for energy-limited mobile devices. Considering that a huge number of mobile terminal users have limited computation and energy (battery-powered) and frequently log in to remote medical servers according to their needs, lightweight remote AKA protocols are urgently required. Because hash operations and XOR operations require very little computation and energy, lightweight remote AKA protocols that use only hash and XOR operations are significant. In other words, efficient and energy-saving AKA protocols keep pace with the development of the mobile Internet. Amin et al. [15] first proposed a novel AKA protocol for accessing remote multi-medical servers in TMIS, which was claimed to resist many kinds of attacks. However, Das et al. proposed a new protocol (abbreviated DAKA) [16] and showed that Amin et al.'s scheme [15] is vulnerable to the internal attack, the replay attack and the man-in-the-middle attack. The DAKA protocol was proposed as an improvement to overcome the flaws in Amin et al.'s protocol, and its authors claimed that it resists all possible attacks. Unfortunately, after careful analysis, we found that the DAKA protocol [16] still suffers from the internal attack, the impersonation attack and the stolen smart card attack. Furthermore, it cannot provide confidentiality. In order to fix these flaws, a lightweight pseudonym authentication and key agreement (PAKA, for short) protocol for the multi-medical server architecture in TMIS is proposed in this paper.

1.2 Our Contributions

In our PAKA, the patient [U.sub.i] can remotely log in to the physical server [PS.sub.jk], which is under the jurisdiction of the medical server [MS.sub.j]. [U.sub.i] and [MS.sub.j] need to register at the registration center MRS in advance. In the AKA process, [MS.sub.j] authenticates [U.sub.i] and forwards [U.sub.i]'s login request to [PS.sub.jk]. After verifying the validity of [MS.sub.j]'s message, [PS.sub.jk] sends a message directly to [U.sub.i]. Thereafter, [U.sub.i] and [PS.sub.jk] not only achieve mutual authentication but also establish a session key. Compared with [16], the PAKA protocol not only has lower computation and communication cost, but also provides the following security features.

* First, the PAKA protocol can provide user's anonymity to protect patient's privacy by randomized pseudonym. The medical server and physical server only verify that the authenticated patient is a legal patient, but do not know his true identity. Hence, our PAKA protocol is practical in the privacy enhanced scenarios.

* Second, the PAKA protocol realizes authentication and key agreement among mobile terminal patients, different remote medical servers and physical servers using only hash and XOR operations, which require little computation, energy and storage overhead on the patients' mobile terminals. A patient can log in to several different medical servers and obtain different medical services with only a single username and password, without the repeated-registration problem. The whole protocol still adopts the classic three-way 'request-challenge-response' handshake and does not increase the number of interactions or the communication overhead. Compared with other existing protocols in TMIS (shown in Table 2), the PAKA protocol is more lightweight and efficient. Hence, it is very suitable for computation-limited mobile devices.

* Third, the PAKA protocol provides three-factor authentication, including the smart card (something the user has), the password (something the user knows) and the biometric key (something the user is). Because a biometric key is difficult to lose, forget, copy, share, guess or break, it is believed to be a reliable authentication factor [17], [18]. In our PAKA protocol, the smart card is used to authenticate the cardholder. Only when the entered identity, password and biometric key are all correct can the smart card be activated and interact with the remote medical servers to authenticate the patient. The biometric key is obtained by a fuzzy extractor, which outputs the same random string whenever the input is close to the original biometric information. This makes our protocol more robust and fault-tolerant.

* Fourth, by using BAN logic, the PAKA protocol is proved secure against known attacks and is shown to satisfy the security requirements of AKA protocols for the multi-medical server architecture. Hence, PAKA is practical in complex network environments.

The rest of the paper is organized as follows. Mathematical preliminaries about the fuzzy biometric extractor are introduced in Section 2. Section 3 briefly reviews the DAKA protocol and Section 4 analyzes its weaknesses. The PAKA protocol is presented in Section 5. A detailed security analysis and proof are given in Section 6. The performance and security-feature comparisons between the PAKA protocol and other related schemes are discussed in Section 7. Section 8 concludes this paper.

2. Preliminaries

Here, we briefly introduce the mathematical preliminaries about biometrics and the fuzzy extractor [10], [11], [19]. A fuzzy extractor is a tuple (M, l, t) consisting of two procedures: the probabilistic generation procedure (Gen) and the deterministic reproduction procedure (Rep).

* Gen is a probabilistic generation procedure which, on input biometric data [B.sub.i] [member of] M, outputs an extracted string [[sigma].sub.i] [member of] [{0,1}.sup.l] and an auxiliary string [[tau].sub.i] [member of] [{0,1}.sup.*], where l = |[[sigma].sub.i]| and ([[sigma].sub.i], [[tau].sub.i]) = Gen([B.sub.i]).

* Rep is a deterministic reproduction procedure that recovers [[sigma].sub.i] from the corresponding auxiliary string [[tau].sub.i] and any vector [B'.sub.i] close to [B.sub.i], i.e. [[sigma].sub.i] = Rep([B'.sub.i], [[tau].sub.i]) for all [B.sub.i], [B'.sub.i] satisfying dis([B.sub.i], [B'.sub.i]) [less than or equal to] t (t is the error-tolerance threshold).

The uniqueness of an individual's biometric information makes it suitable for authentication protocols. Compared with a weak password, a biometric key has more advantages [20], [21]. The probability that an attacker guesses the biometric key [[sigma].sub.i] is approximately 1/[2.sup.l] [11].
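The Python below is an added illustration, not code from the paper: it instantiates the (M, l, t) fuzzy extractor of this section with the code-offset construction over a binary repetition code, so that Gen and Rep behave as defined above. The toy parameters, the majority-vote decoder and the SHA-256 stand-in for the strong extractor are assumptions of this example.

```python
import hashlib
import secrets

# Fuzzy extractor (M, l, t), constructed toy parameters:
# M = {0,1}^N biometric feature vectors; each hidden codeword bit is repeated
# REP times, so t = (REP - 1) // 2 flipped bits are corrected by majority vote.
REP = 5                      # repetition factor of the code
T = (REP - 1) // 2           # error-tolerance threshold t
K_BITS = 32                  # message bits hidden by the helper string
N = K_BITS * REP             # |B_i|: length of a biometric feature vector


def _encode(bits):
    """Repetition code: each message bit becomes REP copies."""
    return [b for b in bits for _ in range(REP)]


def _decode(bits):
    """Majority vote per group of REP bits; tolerates up to T flips per group."""
    return [1 if sum(bits[i:i + REP]) > REP // 2 else 0
            for i in range(0, len(bits), REP)]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(message_bits):
    """Stand-in for the strong extractor: sigma_i = H(codeword message), l = 256."""
    return hashlib.sha256(bytes(message_bits)).digest()


def gen(B_i):
    """Gen (probabilistic): (sigma_i, tau_i) = Gen(B_i).
    tau_i = B_i xor codeword is the public auxiliary string; it hides the
    codeword as long as B_i has enough entropy."""
    assert len(B_i) == N
    message = [secrets.randbits(1) for _ in range(K_BITS)]
    tau_i = _xor(B_i, _encode(message))
    return _extract(message), tau_i


def rep(B_prime, tau_i):
    """Rep (deterministic): sigma_i = Rep(B'_i, tau_i) whenever dis(B_i, B'_i) <= t.
    B'_i xor tau_i = codeword xor (B_i xor B'_i), so decoding strips the noise."""
    return _extract(_decode(_xor(B_prime, tau_i)))


def dis(a, b):
    """Hamming distance, the metric dis(B_i, B'_i) on M in this example."""
    return sum(x != y for x, y in zip(a, b))


def demo():
    """Returns (recovered within t, recovered with 3 flips in one group)."""
    B_i = [secrets.randbits(1) for _ in range(N)]      # constructed enrolment sample
    sigma_i, tau_i = gen(B_i)
    close = list(B_i)
    for idx in (0, 7):                                 # two flips, dis = 2 <= t
        close[idx] ^= 1
    assert dis(B_i, close) <= T
    far = list(B_i)
    for idx in (0, 1, 2):                              # 3 flips inside one group of 5
        far[idx] ^= 1
    return rep(close, tau_i) == sigma_i, rep(far, tau_i) == sigma_i
```

Within the threshold t the same key is reproduced every time, which is what lets the smart card recompute [[sigma].sub.i] in the login phase without storing it.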

3. Review of the DAKA Protocol

The DAKA protocol is composed of the Registration, Login, Authentication, Password and Biometric Update and Dynamic Medical Server Addition phases [16], as shown in Fig. 1. To simplify the subsequent description, some notations are given in Table 1. At the beginning, the medical registration server MRS selects its private key [X.sub.r], where |[X.sub.r]| = l, and a cryptographically secure one-way hash function h(*) : [{0,1}.sup.*] [right arrow] [{0,1}.sup.l]. Each medical server [MS.sub.j] sets up a secret key [X.sub.jk] with each of its physician servers [PS.sub.jk], where |[X.sub.jk]| = l. The DAKA protocol is briefly reviewed as follows.

3.1 Registration phase

1) Medical Server Registration Phase: If a medical server [MS.sub.j] wants to provide medical services to remote patients, it must first register with MRS.

Rs1 [MS.sub.j] chooses its [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

Rs2 Upon receiving the registration message [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], MRS computes [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

Rs3 After receiving the message [X.sub.j], [MS.sub.j] keeps ([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]) secretly.

2) User Registration Phase: A patient [U.sub.i] needs to register in MRS with the following steps if he wants to get remote medical services:

Ru1 [U.sub.i] chooses his/her [ID.sub.i], [PW.sub.i] and a random number [R.sub.i], obtains personal biometric data [B.sub.i], and computes the biometric key [[sigma].sub.i] by ([[sigma].sub.i], [[tau].sub.i]) = Gen([B.sub.i]) and [RPW.sub.i] = h([ID.sub.i] [parallel] [R.sub.i] [parallel] [PW.sub.i]). Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

Ru2 On receiving the registration message from [U.sub.i], MRS computes [A.sub.j] = h([ID.sub.i] [parallel] [X.sub.j]) [direct sum] [RPW.sub.i], [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], where 1 [less than or equal to] j [less than or equal to] m + m' and m' is space reserved for adding servers in the future. MRS stores [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] in the smart card, where t is the error-tolerance threshold of the fuzzy extractor. Then, [??]: Smart card;

Ru3 [U.sub.i] computes [e.sub.i] = h([ID.sub.i] [parallel] [[sigma].sub.i]) [direct sum] [R.sub.i] and [f.sub.i] = h([ID.sub.i] [parallel] [RPW.sub.i] [parallel] [[sigma].sub.i]). Finally, [??] [??] are stored in [U.sub.i]'s smart card.

3.2 Login phase

L1 [U.sub.i] inserts his/her smart card into the card reader, and inputs his/her [ID.sub.i], [PW.sub.i], [B'.sub.i];

L2 The smart card computes [[sigma].sub.i] = Rep([B'.sub.i], [[tau].sub.i]), [R.sub.i] = [e.sub.i] [direct sum] h([ID.sub.i] [parallel] [[sigma].sub.i]), [RPW.sub.i] = h([ID.sub.i] [parallel] [R.sub.i] [parallel] [PW.sub.i]), and checks [f.sub.i] ? = h([ID.sub.i] [parallel] [RPW.sub.i] [parallel] [[sigma].sub.i]). If it does not match, the session is terminated. Otherwise;

L3 The smart card generates a random number [R.sub.c] and the current time-stamp [TS.sub.c], and computes [M.sub.1] = [A.sub.j] [direct sum] [RPW.sub.i] = h([ID.sub.i] [parallel] [X.sub.j]), [??], [M.sub.3] = [ID.sub.i] [direct sum] [M.sub.2], [M.sub.4] = [ID.sub.i] [direct sum] [M.sub.1] [direct sum] [R.sub.c], [M.sub.5] = h([M.sub.1] [parallel] [M.sub.3] [parallel] [M.sub.4] [parallel] [R.sub.c] [parallel] [TS.sub.c]). Then, [??] [??];

3.3 Authentication phase

V1 Upon receiving msg1, [MS.sub.j] reads the current time-stamp [TS.sup.*.sub.c] and checks |[TS.sup.*.sub.c] - [TS.sub.c]| [less than or equal to] [DELTA]T. If the verification fails, the request is rejected. Otherwise, [MS.sub.j] computes [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] [M.sub.9] = [M.sub.4] [direct sum] [M.sub.7] [direct sum] [M.sub.8] = [R.sub.c], and checks [M.sub.10] = h([M.sub.8] [parallel] [M.sub.3] [parallel] [M.sub.4] [parallel] [M.sub.9] [parallel] [TS.sub.c]) ? = [M.sub.5]. If it does not hold, [MS.sub.j] terminates the session. Otherwise,

V2 [MS.sub.j] generates a random number [R.sub.s], reads the time-stamp [TS.sub.S], and computes [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

V3 Upon receiving msg2, [PS.sub.jk] checks the validity of [TS.sub.S] by |[TS.sup.*.sub.S] - [TS.sub.S]| [less than or equal to] [DELTA]T, where [TS.sup.*.sub.S] is the current time-stamp of [PS.sub.jk]. If it does not hold, [PS.sub.jk] rejects the session. Otherwise, [PS.sub.jk] computes [??], [M.sub.17] = [M.sub.12] [direct sum] [M.sub.16] = [ID.sub.i], [M.sub.18] = [M.sub.13] [direct sum] h([M.sub.17] [parallel] [X.sub.jk]) = [R.sub.s], [M.sub.19] = [M.sub.14] [direct sum] [M.sub.17] [direct sum] [M.sub.18] = [R.sub.c], and checks [M.sub.20] = h([M.sub.17] [parallel] [M.sub.16] [parallel] [M.sub.12] [parallel] [M.sub.13] [parallel] [M.sub.14] [parallel] [M.sub.19] [parallel] [M.sub.18] [parallel] [TS.sub.S]) ? = [M.sub.15]. If it does not hold, [PS.sub.jk] rejects the session. Otherwise,

V4 [PS.sub.jk] generates a random number [R.sub.k], reads the time-stamp [TS.sub.k], and computes [M.sub.21] = h([M.sub.17] [parallel] [X.sub.jk]), [M.sub.22] = [ID.sub.i] [direct sum] [R.sub.c] [direct sum] [R.sub.k], [M.sub.23] = [M.sub.1] [direct sum] [R.sub.k], [SK.sub.ijk] = h([ID.sub.i] [parallel] [ID.sub.jk] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] [M.sub.1] [parallel] [TS.sub.k]), [M.sub.24] = h([SK.sub.ijk] [parallel] [M.sub.22] [parallel] [M.sub.23] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] [TS.sub.k]). Then, [PS.sub.jk] [right arrow] [U.sub.i]: msg3 = {[ID.sub.jk], [M.sub.22], [M.sub.23], [M.sub.24], [TS.sub.k]};

V5 Upon receiving msg3, [U.sub.i] checks the validity of [TS.sub.k] by |[TS.sup.*.sub.k] - [TS.sub.k]| [less than or equal to] [DELTA]T, where [TS.sup.*.sub.k] is the current time-stamp of [U.sub.i]. If it does not hold, [U.sub.i] rejects the session. Otherwise, [U.sub.i] computes [M.sub.25] = [M.sub.22] [direct sum] [ID.sub.i] [direct sum] [R.sub.c] = [R.sub.k], [M.sub.26] = [M.sub.23] [direct sum] [M.sub.25] = h([ID.sub.i] [parallel] [X.sub.jk]), [SK.sub.ijk] = h([ID.sub.i] [parallel] [ID.sub.jk] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] [M.sub.1] [parallel] [TS.sub.k]), and checks [M.sub.27] = h([SK.sub.ijk] [parallel] [M.sub.22] [parallel] [M.sub.23] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] [M.sub.1] [parallel] [TS.sub.k]) ? = [M.sub.24]. If they are not equal, the session is terminated. Otherwise, [PS.sub.jk] is authenticated by [U.sub.i]. At last, [U.sub.i] and [PS.sub.jk] share the session key [SK.sub.ijk] = h([ID.sub.i] [parallel] [ID.sub.jk] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] [M.sub.1] [parallel] [TS.sub.k]).

3.4 Password and Biometric Update Phase and Dynamic Medical Server Addition Phase

Since neither of the above phases bears on the security analysis of the DAKA protocol, we do not repeat them here. For more details, please refer to [16].

4. Cryptanalysis of DAKA Protocol

In this section, we show that the DAKA protocol is vulnerable to the internal attack, the impersonation attack and the stolen smart card attack. Moreover, the DAKA protocol cannot provide confidentiality. The details are as follows. First, we recall the adversary model for password- and smart-card-based authentication protocols [22-24].

* The adversary A can eavesdrop, intercept, delete, and modify all messages of the common communication channel;

* A can obtain the secret information [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] in the smart card by using side-channel attacks [25-27].

4.1 Internal attacks

Assume that adversary A is a malicious patient with identity [ID.sub.m]. Once he has logged in to the medical server [MS.sub.j] and, at the same time, obtained [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] on the public channel, he calculates [M.sub.11] = [ID.sub.m] [direct sum] [M.sup.m.sub.12], which is static between [MS.sub.j] and [PS.sub.jk]. When a legitimate patient [U.sub.i] logs in to the medical system, A can [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Next, A performs the following calculations: [M.sub.1] [direct sum] [M.sub.2] = [A.sub.j] [direct sum] [P.sub.j], [M.sub.3] [direct sum] [M.sub.4] = [M.sub.1] [direct sum] [M.sub.2] [direct sum] [R.sub.c], [R.sub.c] = [M.sub.3] [direct sum] [M.sub.4] [direct sum] [A.sub.j] [direct sum] [P.sub.j] (here A obtains [R.sub.c]), [ID.sub.i] = [M.sub.11] [direct sum] [M.sub.12], [R.sub.s] = [M.sub.14] [direct sum] [ID.sub.i] [direct sum] [R.sub.c], h([ID.sub.i] [parallel] [X.sub.jk]) = [M.sub.13] [direct sum] [R.sub.s], [R.sub.k] = [M.sub.22] [direct sum] [ID.sub.i] [direct sum] [R.sub.c]. Then, A can compute the session key [SK.sub.ijk] = h([ID.sub.i] [parallel] [ID.sub.jk] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] h([ID.sub.i] [parallel] [X.sub.jk]) [parallel] [TS.sub.k]) shared between [U.sub.i] and [PS.sub.jk]. Hence, the DAKA protocol suffers from internal attacks.

4.2 Impersonation attacks

Above, we know that A can obtain [M.sub.11], [R.sub.c]. Then, A can initiate impersonation attacks.

Impersonation Medical server [MS.sub.j]:

* A intercepts msg2. Then, A computes [ID.sub.i] = [M.sub.11] [direct sum] [M.sub.12], [R.sub.s] = [M.sub.14] [direct sum] [ID.sub.i] [direct sum] [R.sub.c], h([ID.sub.i] [parallel] [X.sub.jk]) = [M.sub.13] [direct sum] [R.sub.s]. Next, A forges the authentication information: A chooses a random number [R.sub.A] and computes [M.sub.13.sup.A] = h([ID.sub.i] [parallel] [X.sub.jk]) [direct sum] [R.sub.A], [M.sub.14.sup.A] = [ID.sub.i] [direct sum] [R.sub.c] [direct sum] [R.sub.A], [M.sub.15.sup.A] = h([ID.sub.i] [parallel] [M.sub.11] [parallel] [M.sub.12] [parallel] [M.sub.13.sup.A] [parallel] [M.sub.14.sup.A] [parallel] [R.sub.c] [parallel] [R.sub.A] [parallel] [TS.sub.S]). Then, [??];

* On receiving the message from A, [PS.sub.jk] computes [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], [M.sub.17] = [M.sub.12] [direct sum] [M.sub.16] = [ID.sub.i], [M.sub.18.sup.A] = [M.sub.13.sup.A] [direct sum] h([M.sub.17] [parallel] [X.sub.jk]) = [R.sub.A], [M.sub.19.sup.A] = [M.sub.14.sup.A] [direct sum] [M.sub.17] [direct sum] [M.sub.18.sup.A] = [R.sub.c], and checks [M.sub.20.sup.A] = h([M.sub.17] [parallel] [M.sub.16] [parallel] [M.sub.12] [parallel] [M.sub.13.sup.A] [parallel] [M.sub.14.sup.A] [parallel] [M.sub.19.sup.A] [parallel] [M.sub.18.sup.A] [parallel] [TS.sub.S]) ? = [M.sub.15.sup.A]. It is easy to see that [M.sub.20.sup.A] = [M.sub.15.sup.A], so A is accepted by [PS.sub.jk].

Impersonation Physical server [PS.sub.jk]:

* A intercepts msg2. A generates a random number [R.sub.A] and computes [M.sub.22.sup.A] = [ID.sub.i] [direct sum] [R.sub.A], [??], [M.sub.24.sup.A] = h([SK.sub.iA] [parallel] [M.sub.22.sup.A] [parallel] [M.sub.23.sup.A] [parallel] [R.sub.c] [parallel] [R.sub.A] [parallel] [TS.sub.k]). Then, A [right arrow] [U.sub.i]: {[ID.sub.jk], [M.sub.22.sup.A], [M.sub.23.sup.A], [M.sub.24.sup.A], [TS.sub.k]};

* [U.sub.i] computes [M.sub.25.sup.A] = [M.sub.22.sup.A] [direct sum] [ID.sub.i] [direct sum] [R.sub.c] = [R.sub.A], [M.sub.26] = [M.sub.23.sup.A] [direct sum] [??] [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], and checks [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

It is easy to see that [M.sub.21.sup.A] = [M.sub.25.sup.A], so A is accepted by [U.sub.i].

Hence, the DAKA protocol is vulnerable to impersonation attacks.

4.3 Stolen smart card attack

A secure biometrics-based multi-server medical system must not allow an adversary A who has stolen a user's smart card to compute session keys without knowing the user's biometric and password. In this attack, we show that the DAKA protocol cannot resist the stolen smart card attack: A can obtain the server's secret key and previously established session keys. A has obtained the secret information [??] (1 [less than or equal to] j [less than or equal to] m + m') in the smart card, and A has the previously transmitted messages msg1, msg2 and msg3. From the above, we know that A can obtain {[ID.sub.i], [ID.sub.jk], [R.sub.c], [R.sub.k], h([ID.sub.i] [parallel] [X.sub.jk]), [TS.sub.k]}. Then, A computes [SK.sub.ijk] = h([ID.sub.i] [parallel] [ID.sub.jk] [parallel] [R.sub.c] [parallel] [R.sub.k] [parallel] h([ID.sub.i] [parallel] [X.sub.jk]) [parallel] [TS.sub.k]). Thus, it is clear that A can obtain all established session keys by using the stolen smart card.

4.4 Lack of confidentiality

According to the previous analysis, the session key of [U.sub.i] and [PS.sub.jk] is easily obtained by A. A can then also obtain all the confidential data transferred between [U.sub.i] and [PS.sub.jk] under the established session key. Therefore, the DAKA protocol cannot ensure confidentiality.

5. Our Proposed Improved Protocol

To overcome the aforementioned security flaws of the DAKA protocol, a lightweight pseudonym biometrics-based protocol (PAKA) is proposed. Our PAKA protocol is made up of six basic phases: the Registration phase, Login phase, Authentication phase, Password and Biometric change phase and Smart card upgrade phase. The detailed steps of these phases are described as follows. The Registration phase, Login phase and Authentication phase are further illustrated in Fig. 2, Fig. 3 and Fig. 4, respectively.

5.1. Registration phase

1) Medical Server Registration Phase: If [MS.sub.j] wants to be a legal medical server in the system, it must first register with MRS. The following steps show the detailed interaction between [MS.sub.j] and MRS, which is also shown in Fig. 2.

Rs1 [MS.sub.j] chooses its [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

Rs2 Upon receiving the registration message from [MS.sub.j], MRS chooses a random value [[beta].sub.j], computes [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. Then, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

Rs3 After receiving the message [X.sub.j] from MRS, [MS.sub.j] calculates [BMS.sub.j] = [X.sub.j] [direct sum] [z.sub.j], where [z.sub.j] is the secret key of [MS.sub.j].

2) User Registration Phase: When a patient [U.sub.i] wants to access medical services in the system, he/she should register in MRS firstly. The following steps run between [U.sub.i] and MRS as shown in Fig. 3.

Ru1 [U.sub.i] chooses his/her [ID.sub.i], [PW.sub.i] and a random number [R.sub.i], obtains personal biometric data [B.sub.i], and computes the biometric key [[sigma].sub.i] by ([[sigma].sub.i], [[tau].sub.i]) = Gen([B.sub.i]) and [RPW.sub.i] = h([ID.sub.i] [parallel] [R.sub.i] [parallel] [PW.sub.i]). Then, [??], [RPW.sub.i];

Ru2 Upon receiving the registration message from [U.sub.i], MRS chooses a random value [[alpha].sub.i], computes [X.sub.i], [A.sub.i], [C.sub.ij], [D.sub.ij], [E.sub.ij] as in Fig. 3, and stores [??] in the smart card, where j = 1, 2, ..., m and m is the number of servers. Then, [??]: Smart card;

Ru3 [U.sub.i] computes [e.sub.i], [f.sub.i] as in Fig. 3 and adds {[e.sub.i], [f.sub.i], [[tau].sub.i]} to the smart card. Finally, [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], [[tau].sub.i], h(*)} are stored in [U.sub.i]'s smart card.

5.2. Login phase

When [U.sub.i] wants to login to [MS.sub.j] to get medical services, the following operations will be performed as shown in Fig. 4:

L1 [U.sub.i] inserts his/her smart card into the card reader and inputs his/her [ID.sub.i], [PW.sub.i] and biometric data [B'.sub.i], the latter read by a dedicated biometric sensor;

L2 The smart card computes the biometric key [[sigma].sub.i], [R.sub.i] and [RPW.sub.i] as in Fig. 4, and checks [f.sub.i] ? = h([ID.sub.i] [parallel] [RPW.sub.i] [parallel] [[sigma].sub.i]). If it does not match, the smart card terminates the session. Otherwise, the smart card generates a random value [R.sub.c] and computes [X.sub.i], [C.sub.ij], [D.sub.ij], [M.sub.1], [M.sub.2] as in Fig. 4.

L3 [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

5.3. Authentication phase

Upon receiving the login request msg1, [MS.sub.j] performs the following operations:

V1 [MS.sub.j] computes [X.sub.j], [D.sub.ij], [R.sub.c] as in Fig. 4. Then [MS.sub.j] checks the pair ([C.sub.ij], [R.sub.c]) according to [C.sub.ij] and [M.sub.2] ? = h([C.sub.ij] [parallel] [D.sub.ij] [parallel] [R.sub.c]). If the above equality does not hold, the login request is rejected. Otherwise;

V2 [MS.sub.j] replaces [R.sub.c.sup.old] with [R.sub.c] and stores the pair ([C.sub.ij], [R.sub.c]) in its database (in order to resist replay and man-in-the-middle attacks in our protocol, [MS.sub.j] stores the pair ([C.sub.ij], [R.sub.c]); the stored pair changes with every login of the user). [MS.sub.j] then chooses a random value [R.sub.s] and computes [M.sub.3], [M.sub.4], [M.sub.5], [M.sub.6] as in Fig. 4. Then, [??];

V3 Upon receiving msg2, [PS.sub.jk] computes [R.sub.s], [R.sub.c], h([C.sub.ij] || [D.sub.ij] || [ID.sub.jk]) as in Fig. 4. Then [PS.sub.jk] checks the pair ([C.sub.ij], [R.sub.s]) (for the same reason as [MS.sub.j]) and [M.sub.6] ? = h([M.sub.5] || [R.sub.c] || [R.sub.s] || [ID.sub.jk] || [??] || [X.sub.jk]). If the above verification fails, the login request is rejected. Otherwise;

V4 [PS.sub.jk] generates a random value [R.sub.k] and computes [M.sub.7], [SK.sub.ijk], [M.sub.8] as in Fig. 4. Then, [PS.sub.jk] [right arrow] [U.sub.i]: msg3 = {[ID.sub.jk], [M.sub.7], [M.sub.8]};

V5 On receiving msg3, [U.sub.i] computes [R.sub.k], [SK.sub.ijk] as in Fig. 4, and checks [M.sub.8] ? = h([SK.sub.ijk] || h([C.sub.ij] || [D.sub.ij] || [ID.sub.jk]) || [R.sub.c] || [R.sub.k]). If it does not hold, the session is terminated. Otherwise, [SK.sub.ijk] is valid, and [U.sub.i] and [PS.sub.jk] have achieved mutual authentication.
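The Python below is an added simulation, not the paper's own code, of the pseudonym login and session-key verification in the registration, login and authentication phases above, built only from the hash and XOR relations the page states: [D.sub.ij] recovered on the card from [E.sub.ij], [M.sub.2] = h([C.sub.ij] || [D.sub.ij] || [R.sub.c]) with the stored ([C.sub.ij], [R.sub.c]) pair as replay check, and [SK.sub.ijk] and [M.sub.8] as given in the security analysis. Everything the page leaves to Fig. 4 is an assumption of this example and is marked as such in the code: h is SHA-256 over length-prefixed parts, the elided term in [C.sub.ij] is taken to be [[alpha].sub.i], [D.sub.ij] = h([C.sub.ij] || [X.sub.j]), [M.sub.1] and [M.sub.7] are simple XOR masks, the [X.sub.jk]-keyed msg2 is omitted, and [R.sub.i] is held on the card in place of the [e.sub.i]/[[sigma].sub.i] recovery.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """h(*) : {0,1}^* -> {0,1}^l, instantiated with SHA-256 (l = 256).
    The paper writes a || b; every part is length-prefixed here so that the
    concatenation cannot be re-split in a different way (ASSUMPTION)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- registration; all secrets below are constructed for the demo ----
X_r = secrets.token_bytes(32)                    # MRS private key X_r, |X_r| = l
X_j = secrets.token_bytes(32)                    # value MRS returns to MS_j in Rs2
z_j = secrets.token_bytes(32)                    # secret key of MS_j
BMS_j = xor(X_j, z_j)                            # Rs3: BMS_j = X_j xor z_j, kept by MS_j
ID_jk = b"PS_jk"                                 # identity of the physical server
ID_i, PW_i = b"alice", b"correct horse"
R_i = secrets.token_bytes(32)                    # Ru1: user's random number
RPW_i = h(ID_i, R_i, PW_i)                       # Ru1: RPW_i = h(ID_i || R_i || PW_i)
alpha_i = secrets.token_bytes(32)                # Ru2: random alpha_i chosen by MRS
X_i = h(ID_i, X_r)                               # R2: X_i = h(ID_i || X_r)
C_ij = h(ID_i, alpha_i, X_i)                     # pseudonym; ASSUMPTION: elided term = alpha_i
D_ij = h(C_ij, X_j)                              # ASSUMPTION: D_ij = h(C_ij || X_j)
E_ij = xor(h(ID_i, RPW_i), D_ij)                 # R2: E_ij = h(ID_i || RPW_i) xor D_ij
CARD = {"C_ij": C_ij, "E_ij": E_ij, "R_i": R_i}  # R_i stands in for e_i/sigma_i recovery


def card_login(card, ID, PW):
    """L2/L3 on the smart card (local f_i check assumed already passed).
    Returns msg1 and the values U_i must remember for V5."""
    RPW = h(ID, card["R_i"], PW)
    D = xor(card["E_ij"], h(ID, RPW))            # D_ij = E_ij xor h(ID_i || RPW_i)
    R_c = secrets.token_bytes(32)
    M_1 = xor(D, R_c)                            # ASSUMPTION: M_1 = D_ij xor R_c
    M_2 = h(card["C_ij"], D, R_c)                # M_2 = h(C_ij || D_ij || R_c)
    return {"C_ij": card["C_ij"], "M_1": M_1, "M_2": M_2}, {"D_ij": D, "R_c": R_c}


class MedicalServer:
    """MS_j, steps V1/V2: keeps the last accepted (C_ij, R_c) pair per pseudonym."""

    def __init__(self, BMS_j, z_j):
        self.X_j = xor(BMS_j, z_j)               # V1: X_j = BMS_j xor z_j
        self.last_pair = {}                      # C_ij -> R_c of the last accepted login

    def verify_login(self, msg1):
        C, M_1, M_2 = msg1["C_ij"], msg1["M_1"], msg1["M_2"]
        D = h(C, self.X_j)                       # same ASSUMPTION as at registration
        R_c = xor(M_1, D)
        if M_2 != h(C, D, R_c):                  # V1: M_2 ?= h(C_ij || D_ij || R_c)
            return None
        if self.last_pair.get(C) == R_c:         # V1: pair already stored -> replay
            return None
        self.last_pair[C] = R_c                  # V2: replace R_c^old with R_c
        # msg2 (M_3..M_6, keyed with X_jk) is not specified on the page; the
        # values PS_jk derives in V3 are handed over directly instead.
        return {"C_ij": C, "R_c": R_c, "K": h(C, D, ID_jk)}


def physician_respond(ctx):
    """V4 on PS_jk: R_k, SK_ijk and M_8 as stated in the text; M_7 is an ASSUMPTION."""
    R_k = secrets.token_bytes(32)
    K = ctx["K"]                                 # h(C_ij || D_ij || ID_jk)
    SK = h(ctx["C_ij"], ID_jk, ctx["R_c"], R_k, K)
    M_7 = xor(K, R_k)                            # ASSUMPTION: M_7 = K xor R_k
    M_8 = h(SK, K, ctx["R_c"], R_k)              # M_8 = h(SK_ijk || K || R_c || R_k)
    return {"ID_jk": ID_jk, "M_7": M_7, "M_8": M_8}, SK


def user_finish(state, C, msg3):
    """V5 on U_i: recover R_k, recompute SK_ijk, check M_8. None on failure."""
    K = h(C, state["D_ij"], msg3["ID_jk"])
    R_k = xor(msg3["M_7"], K)
    SK = h(C, msg3["ID_jk"], state["R_c"], R_k, K)
    if msg3["M_8"] != h(SK, K, state["R_c"], R_k):
        return None
    return SK


def run_session(server, PW, tamper=False):
    """One login. Returns (SK at U_i or None, SK at PS_jk or None, msg1)."""
    msg1, state = card_login(CARD, ID_i, PW)
    ctx = server.verify_login(msg1)
    if ctx is None:
        return None, None, msg1
    msg3, SK_ps = physician_respond(ctx)
    if tamper:                                   # simulate msg3 modified in transit
        msg3["M_8"] = xor(msg3["M_8"], b"\x01" * 32)
    return user_finish(state, CARD["C_ij"], msg3), SK_ps, msg1
```

Only the pseudonym [C.sub.ij] ever crosses the channel, and a re-sent msg1 is refused because its ([C.sub.ij], [R.sub.c]) pair is already the stored one, which is the replay defence the text attributes to V1/V2.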

5.4. Password and Biometric Update Phase

This phase is invoked whenever [U.sub.i] wants to change the old [PW.sub.i], [B.sub.i] to new [PW.sub.i.sup.new], [B.sub.i.sup.new], without the help of MRS:

C1 [U.sub.i] inserts his/her smart card into the card reader and enters [ID.sub.i], [PW.sub.i], [B'.sub.i].

C2 The smart card computes [??] and checks [f.sub.i] ? = h([ID.sub.i] || [RPW.sub.i] || [[sigma].sub.i]). If it does not match, the session is terminated. Otherwise, [U.sub.i] computes ([[sigma].sub.i.sup.new], [[tau].sub.i.sup.new]) = Gen([B.sub.i.sup.new]), [RPW.sub.i.sup.new] = h([ID.sub.i] || [R.sub.i] || [PW.sub.i.sup.new]), [A.sub.i.sup.new] = [A.sub.i] [direct sum] [RPW.sub.i] [direct sum] [RPW.sub.i.sup.new], [E.sub.ij.sup.new] = [E.sub.ij] [direct sum] h([ID.sub.i] || [RPW.sub.i]) [direct sum] h([ID.sub.i] || [RPW.sub.i.sup.new]), [??], and replaces {[A.sub.i], [e.sub.i], [f.sub.i], [E.sub.ij], [[tau].sub.i]} with [??] in the smart card.

5.5. Smart card upgrade phase

Suppose that MRS adds some new servers, such as [MS.sub.m], to the system and [U.sub.i] wants to obtain medical services from them. In this case, he/she needs to upgrade his/her smart card.

R1 [U.sub.i] chooses his/her [ID.sub.i], [PW.sub.i] and a random value [R.sub.i], obtains personal biometric data [B.sub.i], and computes the biometric key [[sigma].sub.i] by ([[sigma].sub.i], [[tau].sub.i]) = Gen([B.sub.i]) and [RPW.sub.i] = h([ID.sub.i] || [R.sub.i] || [PW.sub.i]). Then, [U.sub.i] [??] MRS: [ID.sub.i], [RPW.sub.i];

R2 Upon receiving the registration message from [U.sub.i], MRS computes [X.sub.i] = h([ID.sub.i] || [X.sub.r]), [A.sub.i] = [X.sub.i] [direct sum] [RPW.sub.i], [C.sub.im] = h([ID.sub.i] || [??] || [X.sub.i]), [D.sub.im] = h([C.sub.im] || [X.sub.im]), [E.sub.im] = h([ID.sub.i] || [RPW.sub.i]) [direct sum] [D.sub.im], and stores {<[??], [E.sub.im]>} in the smart card, where j = 1, 2, ..., m and m is the number of servers. Then, MRS [??] [U.sub.i]: Smart card;

R3 $U_i$ computes $e_i = h(ID_i \| \sigma_i) \oplus R_i$ and $f_i = h(ID_i \| RPW_i \| \sigma_i)$. Finally, $\{\langle [??], E_{im} \rangle\}$ are added to $U_i$'s smart card.

7. Security Analysis and Proof of PAKA Protocol

In this section, we will analyze the security of the PAKA protocol under the same adversary model mentioned in Section 4.

7.1. Security analysis

1) Patient anonymity: The PAKA protocol uses an anonymous blind identity [??] instead of the static identity $ID_i$ on the public communication channel. The one-wayness of the collision-resistant hash function ensures that a malicious adversary $\mathcal{A}$ cannot extract $U_i$'s $ID_i$ from the eavesdropped $C_{ij}$. Further, in the PAKA protocol, the service providers $MS_j$ and $PS_{jk}$ cannot learn $U_i$'s real identity either. In this way, the PAKA protocol provides patient anonymity and prevents leakage of the patient's identity.

2) Perfect forward secrecy: In our PAKA protocol, $SK_{ijk} = h(C_{ij} \| ID_{jk} \| R_c \| R_k \| h(C_{ij} \| D_{ij} \| ID_{jk}))$ is the session key shared between $U_i$ and $PS_{jk}$, where $R_c$ and $R_k$ are random values chosen by $U_i$ and $PS_{jk}$ respectively, which differ in each session run. $SK_{ijk}$ is a hash value that discloses no information about its inputs. Therefore, $\mathcal{A}$ cannot infer any valuable information about earlier or later session keys even if he obtains the current session key.

3) Impersonation attack: Even if $\mathcal{A}$ obtains the information $\{A_i, \langle [??], E_{ij} \rangle, e_i, f_i, \tau_i, h(\cdot)\}$ stored in the smart card and the messages msg1 $= \{[??], ID_{jk}, C_{ij}, M_1, M_2\}$, msg2 $=$ [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], msg3 $= \{ID_{jk}, M_7, M_8\}$ on the public channel, $\mathcal{A}$ (other medical servers, physician servers and malicious legitimate patients) cannot obtain the secret $D_{ij}$, which is shared only between $U_i$ and $MS_j$. So $\mathcal{A}$ cannot compute the valid authentication messages $M_2 = h(C_{ij} \| D_{ij} \| R_c)$ and $M_8 = h(SK_{ijk} \| h(C_{ij} \| D_{ij} \| ID_{jk}) \| R_c \| R_k)$ needed to pass authentication. Hence, the PAKA protocol resists the impersonation attack.

4) Internal attacks: Assume that $\mathcal{A}$ is a malicious but legitimate patient who uses his own smart card and the information on the public channel. He learns nothing about other patients' secret $D_{ij}$, and he also cannot obtain the secret information [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. So he cannot forge the authentication values $M_2 = h(C_{ij} \| D_{ij} \| R_c)$ and [??] needed to pass authentication. Hence, the PAKA protocol resists internal attacks.

5) Password guessing attack: In our PAKA protocol, the password $PW_i$ is involved in [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], which are stored in the smart card. Assume that $\mathcal{A}$ has obtained the secret information $\{A_i, E_{ij}, f_i\}$ from the smart card using side-channel attacks [25-27]. However, guessing $PW_i$ without knowing the biometric key $\sigma_i$ and the identity $ID_i$ is a low-probability event for $\mathcal{A}$. Since biometric keys cannot be lost or forgotten, they are hard to forge or copy [28]. Hence, $\mathcal{A}$ is unable to derive $PW_i$ from $\{A_i, E_{ij}, f_i\}$. Thus, our PAKA protocol is secure against the password guessing attack.

6) Stolen smart card attack: Assume that $U_i$'s smart card is stolen by $\mathcal{A}$, who extracts the secret information [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], where $A_i = X_i \oplus RPW_i$, $e_i = h(ID_i \| \sigma_i) \oplus R_i$, $E_{ij} = h(ID_i \| RPW_i) \oplus D_{ij}$ and $f_i = h(ID_i \| RPW_i \| \sigma_i)$. However, $X_i$, $X_j$, $RPW_i$, $ID_i$ and $D_{ij}$ are unknown to $\mathcal{A}$ and protected by the one-way hash function, so $\mathcal{A}$ has no way to guess $X_i$, $X_j$, $RPW_i$, $ID_i$ and $D_{ij}$ simultaneously. Therefore, $\mathcal{A}$ cannot update the password of $U_i$. For the same reason, $\mathcal{A}$ cannot forge a valid login request msg1 using the stolen smart card. Hence, our PAKA protocol is free from the stolen smart card attack.

7) Replay attack: Suppose $\mathcal{A}$ intercepts the message msg1, where [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], and replays it to $MS_j$. However, $MS_j$ stores the pair $(C_{ij}, R_c)$ in its database. When $MS_j$ receives the next login request msg1, it computes $D_{ij} = h(C_{ij} \| X_j)$, [??], and compares the received $R_c$ with the one stored for $C_{ij}$. If they match, $MS_j$ concludes that the request is a replay and rejects it. Otherwise, $MS_j$ replaces $R_c$ with $R_c^{new}$. $PS_{jk}$ does the same. Hence, our PAKA protocol resists the replay attack.
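The server-side replay check described in 7), as an added example that is not part of the paper's own material. It assumes $h(\cdot)$ is SHA-256 and takes $D_{ij} = h(C_{ij} \| X_j)$ and $M_2 = h(C_{ij} \| D_{ij} \| R_c)$ from the page; how msg1 transports $R_c$ is not legible in this copy, so $M_1 = R_c \oplus h(C_{ij} \| D_{ij})$ is assumed purely for the simulation.

```python
import hashlib
import os

# Added example (not from the paper): MS_j replay detection via the stored (C_ij, R_c) pair.
# Assumptions: h(.) is SHA-256; M_1 = R_c xor h(C_ij || D_ij) is an assumed transport of R_c.


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_msg1(c_ij: bytes, d_ij: bytes, id_jk: bytes, r_c: bytes) -> dict:
    """Patient side: login request for pseudonym C_ij carrying the fresh nonce R_c."""
    return {
        "ID_jk": id_jk,
        "C_ij": c_ij,
        "M_1": xor(r_c, h(c_ij, d_ij)),   # assumed masking of R_c
        "M_2": h(c_ij, d_ij, r_c),        # M_2 = h(C_ij || D_ij || R_c), as on the page
    }


class MedicalServer:
    """MS_j: holds master secret X_j and the R_c of the last accepted login per C_ij."""

    def __init__(self, x_j: bytes):
        self.x_j = x_j
        self.last_nonce = {}              # C_ij -> R_c of the last accepted request

    def handle_msg1(self, msg1: dict) -> str:
        c_ij = msg1["C_ij"]
        d_ij = h(c_ij, self.x_j)                      # D_ij = h(C_ij || X_j)
        r_c = xor(msg1["M_1"], h(c_ij, d_ij))         # recover R_c (assumed M_1 form)
        if msg1["M_2"] != h(c_ij, d_ij, r_c):         # request must authenticate first
            return "reject: invalid M_2"
        if self.last_nonce.get(c_ij) == r_c:          # same R_c as the stored pair
            return "reject: replay"
        self.last_nonce[c_ij] = r_c                   # replace R_c with R_c^new
        return "accept"


def demo() -> list:
    """Constructed run: fresh login, replay of it, tampered copy, then a new fresh login."""
    x_j = h(b"sample-master-secret-MS_j")
    c_ij = h(b"sample-pseudonym")
    d_ij = h(c_ij, x_j)
    ms = MedicalServer(x_j)
    first = build_msg1(c_ij, d_ij, b"PS_j1", os.urandom(32))
    second = build_msg1(c_ij, d_ij, b"PS_j1", os.urandom(32))
    tampered = dict(first, M_2=h(b"garbage"))
    return [
        ms.handle_msg1(first),      # accept
        ms.handle_msg1(first),      # reject: replay
        ms.handle_msg1(tampered),   # reject: invalid M_2
        ms.handle_msg1(second),     # accept
    ]


if __name__ == "__main__":
    print(demo())   # → ['accept', 'reject: replay', 'reject: invalid M_2', 'accept']
```

Note that the guard, exactly as the text describes it, compares only against the most recently stored $R_c$ for a pseudonym; deployments usually pair such a check with a timestamp or a bounded history of recent nonces, and log the rejected replays as a detection signal.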

8) Man-in-the-middle attack: In this attack, $\mathcal{A}$ may try to impersonate a valid patient $U_i$, a medical server $MS_j$ or a physician server $PS_{jk}$ by intercepting messages. However, in the PAKA protocol the secret value $D_{ij}$ is shared only between $U_i$ and $MS_j$ and is never disclosed to anyone else; $PS_{jk}$ only knows $h(C_{ij} \| D_{ij} \| ID_{jk})$. Hence, our PAKA protocol is secure against the man-in-the-middle attack.
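The session-key derivation of 2), the $M_8$ check of step V5 and the least-knowledge point of 8) (that $PS_{jk}$ holds only $h(C_{ij} \| D_{ij} \| ID_{jk})$, never $D_{ij}$) can be exercised together. This is an added example and not code from the paper; it assumes $h(\cdot)$ is SHA-256 and that $R_k$ reaches $U_i$ in msg3 (the page computes it "as in Fig. 4", which is not legible here, so $M_7$ is taken to carry $R_k$ directly).

```python
import hashlib
import os

# Added example (not from the paper): SK_ijk derivation and M_8 confirmation between
# U_i and PS_jk.  A denotes h(C_ij || D_ij || ID_jk), the only D_ij-derived value PS_jk holds.
# Assumptions: h(.) is SHA-256; M_7 carries R_k (the page's M_7 form is not legible).


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def session_key(c_ij: bytes, id_jk: bytes, r_c: bytes, r_k: bytes, a: bytes) -> bytes:
    """SK_ijk = h(C_ij || ID_jk || R_c || R_k || h(C_ij || D_ij || ID_jk))."""
    return h(c_ij, id_jk, r_c, r_k, a)


def confirm_tag(sk: bytes, a: bytes, r_c: bytes, r_k: bytes) -> bytes:
    """M_8 = h(SK_ijk || h(C_ij || D_ij || ID_jk) || R_c || R_k)."""
    return h(sk, a, r_c, r_k)


def physician_server(c_ij: bytes, id_jk: bytes, r_c: bytes, a: bytes):
    """PS_jk: picks a fresh R_k, derives SK_ijk from A alone, and emits msg3."""
    r_k = os.urandom(32)
    sk = session_key(c_ij, id_jk, r_c, r_k, a)
    return {"ID_jk": id_jk, "M_7": r_k, "M_8": confirm_tag(sk, a, r_c, r_k)}, sk


def patient_finish(c_ij: bytes, d_ij: bytes, id_jk: bytes, r_c: bytes, msg3: dict):
    """U_i step V5: rebuild A from its own D_ij, recompute SK_ijk, verify M_8.
    Returns the session key, or None when the confirmation tag does not match."""
    a = h(c_ij, d_ij, id_jk)
    r_k = msg3["M_7"]
    sk = session_key(c_ij, id_jk, r_c, r_k, a)
    if msg3["M_8"] != confirm_tag(sk, a, r_c, r_k):
        return None
    return sk


def demo() -> dict:
    """Constructed run: honest exchange, a responder without A, and a second fresh session."""
    c_ij, d_ij, id_jk = h(b"sample-pseudonym"), h(b"sample-D_ij"), b"PS_j1"
    a = h(c_ij, d_ij, id_jk)             # what MS_j passes to PS_jk instead of D_ij
    r_c = os.urandom(32)                 # patient's fresh nonce for this session
    msg3, sk_ps = physician_server(c_ij, id_jk, r_c, a)
    sk_u = patient_finish(c_ij, d_ij, id_jk, r_c, msg3)
    # a responder holding neither D_ij nor A cannot produce an acceptable M_8
    forged, _ = physician_server(c_ij, id_jk, r_c, h(b"guess"))
    forged_rejected = patient_finish(c_ij, d_ij, id_jk, r_c, forged) is None
    # fresh R_c/R_k give an unrelated key, which is the forward-secrecy argument of 2)
    _, sk_ps_b = physician_server(c_ij, id_jk, os.urandom(32), a)
    return {
        "agreed": sk_u is not None and sk_u == sk_ps,
        "forged_rejected": forged_rejected,
        "fresh_key_differs": sk_ps_b != sk_ps,
    }


if __name__ == "__main__":
    print(demo())
```

The `agreed` result shows both ends reaching the same $SK_{ijk}$ although only $U_i$ ever handles $D_{ij}$; `forged_rejected` shows what the $M_8$ check buys the patient against a responder that lacks $A$.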

7.2. Security proof

In this section, we prove that the PAKA protocol provides secure authentication and key agreement using the widely accepted BAN logic [10], [11], [29].

The notations and rules about BAN logic are illustrated as follows:

* $\sharp(X)$: $X$ is fresh.

* $P \Rightarrow X$: $P$ has jurisdiction over $X$.

* $P \triangleleft X$: $P$ sees $X$.

* $P \mid\equiv X$: $P$ believes $X$ is true.

* $P \mid\sim X$: $P$ once said $X$.

* $\langle X \rangle_Y$: $X$ is combined with $Y$.

* $(X, Y)$: $X$ or $Y$ is one part of $(X, Y)$.

* $P \overset{X}{\rightleftharpoons} Q$: $X$ is secretly known to $P$ and $Q$ and trusted by them.

* $P \overset{k}{\leftrightarrow} Q$: $P$ and $Q$ may use the shared key $k$ to communicate. The key $k$ will never be discovered by any entity except $P$ and $Q$.

* Rule1: The message-meaning rule: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* Rule2: The nonce-verification rule: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* Rule3: The jurisdiction rule: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* Rule4: The freshness rule: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

According to the analytic procedures of the BAN logic, the PAKA protocol should achieve the following goals:

* Goal1: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* Goal2: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* Goal3: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* Goal4: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

First, we idealize the communication messages of the PAKA protocol as follows (to simplify, let $A = h(C_{ij} \| D_{ij} \| ID_{jk})$):

* msg1: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* msg2: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

* msg3: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Second, the following assumptions about the initial state are made to analyze the PAKA protocol:

* H1: $U_i \mid\equiv \sharp(R_c)$;

* H2: $MS_j \mid\equiv \sharp(R_s)$;

* H3: $PS_{jk} \mid\equiv \sharp(R_k)$;

* H4: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* H5: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* H6: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* H7: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* H8: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

* H9: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

Third, the main proof steps for the idealized form of the PAKA protocol, based on the BAN logic rules and the assumptions above, are as follows:

From msg3, we get:

S1: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From H4, S1 and Rule1, we get:

S2: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From H1, S2, Rule2 and Rule4, we have:

S3: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

From H5, S3 and Rule3, we obtain:

S4: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; (Goal2)

From msg1, we get:

S5: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From H6, S5 and Rule1, we also get:

S6: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

Here, we know that $MS_j \mid\equiv \sharp(R_c)$, and $MS_j$ shares $R_c$ with $PS_{jk}$. Then, $PS_{jk} \mid\equiv \sharp(R_c)$.

From msg2, we get:

S7: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From H7, S7 and Rule1, we also get:

S8: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From S6, S8, Rule2 and Rule4, we also have:

S9: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From H8, S9 and Rule3, we also get:

S10: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII];

From H3, S6 and S10, we can obtain:

S11: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]; (Goal3)

From H9, S11 and Rule3, we also obtain:

S12: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

According to Goal1, Goal2, Goal3 and Goal4, we can conclude that our PAKA protocol is truly able to achieve the scheduled security goals.

8. Performance Evaluation

In this section, the performance and security features of the PAKA protocol are compared with those of related protocols. The results are shown in Table 2 and Table 3. Let $h$ denote one hash function operation and $t_h$ the time of one hash function operation. Since the time of a concatenation or XOR operation is negligible compared with the other operations, we do not take them into account. The time of a fuzzy extractor operation is the same across these protocols, so we also leave it out. Based on the results in [30], $t_h \approx 0.0023$ ms. Amin's protocol and the DAKA protocol need 0.0414 ms and 0.0414 ms, respectively. Our PAKA protocol needs 0.0552 ms, a slight increase.

However, this is much smaller than the cost of AKA protocols based on public key encryption algorithms. Without loss of generality, assume that random values, timestamps, hash outputs and encryption outputs are 160 bits [10]. Fig. 5 roughly shows the storage overhead of the Amin, DAKA and PAKA protocols, where $m$ is the number of medical servers. $320m + 640 \le 480m + 160$ holds when $m \ge 3$. Obviously, the number of servers in a multi-server medical system easily exceeds 3, and as $m$ grows, PAKA needs less storage space than the protocols in [15], [16]. For the 8-bit microcontroller platform, receiving one byte costs 28.6 μJ, roughly half of what is required to transmit a byte (59.2 μJ) [31-32], and one SHA-1 hash operation costs 5.9 μJ/byte. On the patient's side, Amin et al.'s protocol needs 7.104 mJ, 1.716 mJ and 0.708 mJ for transmit, receive and hash operations respectively, and the DAKA protocol needs 7.104 mJ, 2.860 mJ and 0.708 mJ, respectively. The PAKA protocol needs 5.920 mJ, 1.716 mJ and 1.180 mJ, respectively. A mobile user consumes 6.942 mJ to complete a login and AKA process. Even with only 1% of the energy of a miniature 100 mAh battery available, the device can still perform about 1900 PAKA handshakes.

9. Conclusion and Ongoing Work

System security and patient privacy are challenging issues in distributed medical authentication systems. The lightweight pseudonym authentication and key agreement protocol (PAKA) for multi-medical server architecture in TMIS presented in this paper tries to find a balance between system security and patient privacy. The PAKA protocol takes a systematic approach to multi-factor authentication: password, smart card and biometric key. Only the registration center MRS knows the patient's identity; this not only realizes anonymity to protect patient privacy, but also addresses other prominent issues (e.g. error tolerance). Meanwhile, the PAKA protocol is proven secure by BAN logic. Compared with recent relevant schemes, the PAKA protocol has better performance (lightweight and energy-saving) and better security features. Thus, the PAKA protocol is more secure and efficient for computation-limited mobile devices. Future work is to fully identify the practical threats to multi-factor AKA protocols and to develop concrete RFID-based multi-factor AKA protocols with better performance for multi-medical server environments and wireless body area networks (WBAN).

References

[1] D. Florencio and C. Herley, "A large-scale study of web password habits," in Proc. of the 16th International Conference on World Wide Web, pp. 657-666, May 8-12, 2007.

[2] Z. Y. Wu, Y. C. Lee, F. P. Lai, et al., "A secure authentication scheme for telecare medicine information systems," Journal of Medical Systems, vol. 36, no. 3, pp. 1529-1535, 2012.

[3] D. He, J. Cao and R. Zhang, "A more secure authentication scheme for telecare medicine information systems," Journal of Medical Systems, vol. 36, no. 3, pp. 1989-1995, 2012.

[4] J. Wei, X. Hu and W. Liu, "An improved authentication scheme for telecare medicine information systems," Journal of Medical Systems, vol. 36, no. 6, pp. 3597-3604, 2012.

[5] Z. Zhu, "An efficient authentication scheme for telecare medicine information systems," Journal of Medical Systems, vol. 36, no. 6, pp. 3833-3838, 2012.

[6] T. F. Lee, I. P. Chang, T. H. Lin, et al., "A secure and efficient password-based user authentication scheme using smart cards for the integrated EPR information system," Journal of Medical Systems, vol. 37, no. 3, pp. 3867-3872, 2012.

[7] Z. Tan, "An efficient biometrics-based authentication scheme for telecare medicine information systems," Przeglad Elektrotechniczny, vol. 89, no. 5, pp. 200-204, 2013.

[8] X. Yan, W. Li, P. Li, et al., "A secure biometrics-based authentication scheme for telecare medicine information systems," Journal of Medical Systems, vol. 37, no. 5, pp. 1-6, 2013.

[9] D. Mishra, A. Das and S. Mukhopadhyay, "A secure user anonymity preserving biometric-based multi-server authenticated key agreement scheme using smart cards," Expert Systems with Applications, vol. 41, no. 18, pp. 8129-8143, 2014.

[10] D. He and D. Wang, "Robust biometrics-based authentication scheme for multiserver environment," IEEE Systems Journal, vol. 9, no. 3, pp. 816-823, 2015.

[11] V. Odelu, A. Das and A. Goswami, "A secure biometrics-based multi-server authentication protocol using smart cards," IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1953-1966, 2015.

[12] A. Reddy, A. Das, E. Yoon, et al., "An anonymous authentication with key-agreement protocol for multi-server architecture based on biometrics and smartcards," KSII Transactions on Internet and Information Systems, vol. 10, no. 7, pp. 3371-3396, 2016.

[13] H. Lee, et al., "Forward anonymity-preserving secure remote authentication scheme," KSII Transactions on Internet and Information Systems, vol. 10, no. 3, pp. 1289-1310, 2016.

[14] Y. Lu, et al., "Robust ID-based mutual authentication and key agreement scheme preserving user anonymity in mobile networks," KSII Transactions on Internet and Information Systems, vol. 10, no. 3, pp. 1273-1288, March 31, 2016.

[15] R. Amin and G. Biswas, "A novel user authentication and key agreement protocol for accessing multi-medical server usable in TMIS," Journal of Medical Systems, vol. 39, no. 3, pp. 1-17, 2015.

[16] A. Das, V. Odelu and A. Goswami, "A secure and robust user authenticated key agreement scheme for hierarchical multi-medical server environment in TMIS," Journal of Medical Systems, vol. 39, no. 9, pp. 1-24, 2015.

[17] E. Dawson, J. Lopez, et al., "BAAI: Biometric authentication and authorization infrastructure," in Proc. of IEEE Int. Conf. on Information Technology: Research and Education (ITRE), pp. 371-382, Aug. 11-23, 2003.

[18] X. Li, J. Niu, M. K. Khan, et al., "Robust biometrics based three-factor remote user authentication scheme with key agreement," in Proc. of IEEE Int. Symp. on Biometrics and Security Technologies, pp. 105-110, July 2-5, 2013.

[19] A. Makrushin, T. Scheidat and C. Vielhauer, "Improving reliability of biometric hash generation through the selection of dynamic handwriting features," Transactions on Data Hiding and Multimedia Security VIII, Springer, Berlin, Heidelberg, pp. 19-41, 2012.

[20] Q. Zhang, Y. Yin, et al., "A novel serial multimodal biometrics framework based on semi-supervised learning techniques," IEEE Transactions on Information Forensics and Security, vol. 9, no. 10, pp. 1681-1694, 2014.

[21] M. A. Pathak, B. Raj, S. D. Rane, et al., "Privacy-preserving speech processing: cryptographic and string-matching frameworks show promise," IEEE Signal Processing Magazine, vol. 30, no. 2, pp. 62-74, 2013.

[22] Y. Wang, "Password protected smart card and memory stick authentication against off-line dictionary attacks," in Proc. of the 27th Information Security and Privacy Conference, Greece, pp. 489-500, June 4-6, 2012.

[23] D. He and D. Wang, "Robust biometrics-based authentication scheme for multi-server environment," IEEE Systems Journal, vol. 9, no. 3, pp. 816-823, 2015.

[24] D. He, S. Zeadally, N. Kumar, et al., "Anonymous authentication for wireless body area networks with provable security," IEEE Systems Journal, vol. 22, no. 8, pp. 1-12, 2016.

[25] D. He, N. Kumar, H. Shen, et al., "One-to-many authentication for access control in mobile pay-TV systems," Science China Information Sciences, vol. 59, no. 5, pp. 1-14, 2016.

[26] R. Pippal, C. Jaidhar and S. Tapaswi, "Robust smart card authentication scheme for multi-server architecture," Wireless Personal Communications, vol. 72, no. 1, pp. 729-745, 2013.

[27] N. Huyen, M. Jo, T. Nguyen, et al., "A beneficial analysis of deployment knowledge for key distribution in wireless sensor networks," Security and Communication Networks, vol. 5, no. 5, pp. 485-495, 2012.

[28] N. Zhang, Y. Zang and J. Tian, "The integration of biometrics and cryptography: a new solution for secure identity authentication," Journal of Cryptologic Research, vol. 2, no. 2, pp. 156-176, 2015.

[29] X. Li, J. Niu, S. Kumari, et al., "An enhancement of a smart card authentication scheme for multi-server architecture," Wireless Personal Communications, vol. 80, no. 1, pp. 175-192, 2015.

[30] H. Kilinc and T. Yanik, "A survey of SIP authentication and key agreement schemes," IEEE Communications Surveys & Tutorials, vol. 16, no. 2, pp. 1005-1023, 2014.

[31] A. S. Wander, N. Gura, H. Eberle, et al., "Energy analysis of public-key cryptography for wireless sensor networks," in Proc. of the 3rd IEEE International Conference on Pervasive Computing and Communications, pp. 324-328, March 8-12, 2005.

[32] Y. Li, W. Chen, Z. Cai, et al., "CAKA: A novel certificateless-based cross domain authenticated key agreement protocol for wireless mesh networks," Wireless Networks, vol. 22, no. 8, pp. 2523-2535, 2016.

Xiaoxue Liu (1), Yanping Li (1), Juan Qu (2), and Yong Ding (3)

(1) School of Mathematics and Information Science, Shaanxi Normal University, Xi'an, China, 710119

[e-mail: 862417756@qq.com, lyp@snnu.edu.cn]

(2) School of Mathematics and Statistics, Chongqing Three Gorges University, Chongqing, China, 404100

[e-mail: qulujuan@163.com]

(3) School of Computer Science and Information Security, Guangxi Key Laboratory of Cryptography and Information Security, Guilin, China, 541004

[e-mail: stonedingy@126.com]

(*) Corresponding author: Yanping Li

Received September 19, 2016; revised November 17, 2016; accepted December 13, 2016; published February 28, 2017

Xiaoxue Liu received her B.S. degree from Bohai University in 2014. She is now an M.S. candidate in Applied Mathematics at the School of Mathematics and Information Science, Shaanxi Normal University, Xi'an, China. Her research interests include security protocols and their analysis.

Yanping Li received her M.S. degree from Shaanxi Normal University in 2004 and her Ph.D. degree from Xidian University, Xi'an, China, in 2009. She is now an associate professor at the School of Mathematics and Information Science, Shaanxi Normal University. Her research interests include public key cryptography and its applications.

Juan Qu received the M.S. degree in Applied Mathematics from Shaanxi Normal University in 2009. She is currently an associate professor at the School of Mathematics and Statistics, Chongqing Three Gorges University. Her research interests include security protocols and their security analysis.

Yong Ding received the B.S. degree in Mathematics from Sichuan University in 1998 and his M.S. and Ph.D. degrees in Cryptography from Xidian University in 2002 and 2005, respectively. He is now a professor at Guilin University of Electronic Technology, China. His current research interests include cryptography and information security.

Table 1. Notations

* $U_i$: the $i$-th patient (user), who can access medical services from the physician servers with the help of $MS_j$

* MRS: the medical registration server, responsible for registering new users/patients as well as $MS_j$, $j = 1, 2, \ldots, m$

* $MS_j$: the $j$-th medical server

* $PS_{jk}$: the $k$-th physician server under $MS_j$

* $ID_i$, $ID_{Sj}$, $ID_{jk}$: the identities of $U_i$, $MS_j$ and $PS_{jk}$

* $X_r$: master secret key held by MRS

* $X_{jk}$: secret session key between $MS_j$ and $PS_{jk}$

* $z_j$: master secret key held by $MS_j$

* $h(\cdot)$: a cryptographically secure one-way hash function

* $\oplus$, $\|$: bitwise XOR operation and concatenation operation

* $\rightarrow$: a public communication channel

* $\Rightarrow$: a secure communication channel

Table 2. Performance comparison among relevant authentication protocols

                                     Amin [15]     DAKA [16]     PAKA
patient computation cost             6H            6H            10H
medical server computation cost      6H            6H            7H
physician server computation cost    6H            6H            7H
communication cost (bits)            2400          2880          2400
storage overhead (bits)              480m + 160    480m + 160    320m + 640

Table 3. Security features comparison among relevant authentication protocols

                                                        Amin [15]   DAKA [16]   PAKA
User anonymity                                          No          No          Yes
Forward secrecy                                         No          No          Yes
Session key agreement                                   Yes         Yes         Yes
Resistance to off-line password guessing attack         No          Yes         Yes
Resistance to key compromise impersonation attack       No          No          Yes
Resistance to man-in-the-middle attack                  No          No          Yes
Provable security                                       No          Yes         Yes

Publication: KSII Transactions on Internet and Information Systems, Feb 1, 2017 (Report).