# Robust biometric-based anonymous user authenticated key agreement scheme for Telecare Medicine Information Systems.

AbstractAt present, numerous hospitals and medical institutes have implemented Telecare Medicine Information Systems (TMIS) with authentication protocols to enable secure, efficient electronic transactions for e-medicine. Numerous studies have investigated the use of authentication protocols to construct efficient, robust health care services, and recently, Liu et al. presented an authenticated key agreement mechanism for TMIS. They argued that their mechanism can prevent various types of attacks and preserve a secure environment. However, we discovered that Liu et al.'s mechanism presents some vulnerabilities. First, their mechanism uses an improper identification process for user biometrics; second, the mechanism is not guaranteed to protect against server spoofing attacks; third, there is no session key verification process in the authentication process. As such, we describe how the above-mentioned attacks operate and suggest an upgraded security mechanism for TMIS. We analyze the security and performance of our method to show that it improves security relative to comparable schemes and also operates in an efficient manner.

Keywords: Authentication, Fuzzy extractor, Session key verification, Telecare Medicine Information Systems (TMIS)

1. Introduction

Recent advances in Information and Communication Technology (ICT) and the growing prevalence of mobile Internet in smart devices, including access to social networking services and cloud services, have brought about remarkable changes in our daily lives. These developments have also influenced the medical field, which to date has adhered to conventional, inefficient processes [1, 2]. Recently, a large number of hospitals instituted Telecare Medicine Information Systems (TMIS) to remotely communicate with patients and efficiently process medical and disease management records [3]. The purpose of TMIS is to build a telecare service for patients to conveniently receive remote medical services. The TMIS server stores patient information, disease management records, and research records. Doctors and patients can conveniently use telecare services by connecting to a remote server for patients to receive care for their given conditions at home and can to check their prescriptions and treatment information [4]. Users can enjoy the simplicity and efficiency of TMIS, but security has emerged as a major issue from an academic and from an industry perspective [5, 6]. To guarantee reliability for all parties, an authentication protocol should afford security and efficiency for users to access an off-site network.

Lamport [7] first presented an authentication technique that uses passwords, and many related studies have been conducted since then to improve security and efficiency [8-29, 36-38, 42, 46, 51]. In 2010, Wu et al. [8] first presented a two-factor authentication technique for a TMIS environment. However, He et al. [9] pointed out that Wu et al. [8] overlooked impersonation attacks and insider attacks. He et al. [9] then suggested an improved version that solved the flaws in Wu et al.'s scheme. Later, Wei et al. [10] demonstrated that Wu et al.'s scheme [8] and He et al.'s scheme [9] contained vulnerabilities against off-line password guessing attacks and proposed an enhanced version. Later, Mishra et al. [11] proposed a biometric-based authentication scheme with a nonce for TMIS.

In 2012, Wu et al. [12] presented an efficient user authentication technique for an integrated electronic patient records (EPR) system. However, Lee et al. [13] pointed out that Wu et al. [12] overlooked the stolen smart card attack through a power consumption analysis and thus suggested an improved version [13]. Later, Wen [14] demonstrated that Lee et al.'s scheme [13] still presented some weaknesses to off-line password guessing attacks and user impersonation attacks, and proposed a new, enhanced strategy. In 2015, Khan et al. [15] pointed out that Wu et al.'s scheme [12] and Lee et al.'s scheme [13] possessed several security vulnerabilities and proposed an improved scheme. In the same year, Das [16] discovered that Lee et al.'s scheme [13] and Wen's scheme [14] possessed the same three vulnerabilities. First, the password change phase for both schemes offered no verification process for the user's old password. Second, their schemes were unsafe against insider attacks. Third, their studies did not include a formal security analysis. Das [16] presented an upgraded scheme to compensate for these defects. However, Li et al. [17] recently demonstrated that Das's scheme [16] could not fulfill security requirements because his scheme is susceptible to modification attacks and user duplication attacks.

In 2014, Mishra et al. [18] presented a biometric-based authentication scheme using a symmetric key cryptosystem for TMIS to further improve security. In the same year, Xu et al. [19] presented another authenticated key agreement mechanism based on Elliptic Curve Cryptography (ECC) for TMIS. However, Islam and Khan [20] proved that Xu et al.'s scheme [19] is imperfect because their scheme cannot guarantee protection against replay attacks and does not support a smart card revocation process. Islam and Khan [20] then presented an upgraded method to address Xu et al.'s [19] deficiencies. Mishra [21] also proved that Xu et al.'s scheme [19] and Lee's scheme [22] cannot guarantee protection against several security weaknesses. In 2015, Chaudhry et al. [23] presented an improved two-factor authentication protocol based on ECC for TMIS. In 2016, Wazid et al. [24], Irshad et al. [25] and Chaudhry et al. [26] proposed a three-factor authentication and key agreement scheme for TMIS using ECC. Meanwhile, Giri et al. [27] presented an RSA-based user authentication mechanism for TMIS, but in the same year, Amin and Biswas [28] claimed that Giri et al.'s scheme [27] cannot guarantee protection against off-line password guessing attacks and insider attacks, and thus suggested an improved mechanism.

Recently, Liu et al. [29] presented an authentication method, arguing that it can resist various types of attacks. However, we discovered that Liu et al.'s method [29] includes critical security weaknesses. Their scheme (i) uses an improper identification process for user biometrics, (ii) cannot guarantee protection against a server spoofing attack, (iii) and cannot provide a session key verification processes.

In this study, we describe how previously-stated attacks operate and propose a more developed version for TMIS. The remainder of this paper is organized as follows. Section 2 introduces some preliminary knowledge. Liu et al.'s authentication mechanism is described in Section 3. Section 4 demonstrates the vulnerabilities in Liu et al.'s mechanism, and our proposed method is provided with a detailed explanation in Section 5. In Section 6, we evaluate whether our proposed scheme can withstand various attacks and also satisfy the basic requirements claimed in the security scheme, in Section 7, we analyze the performance of the proposed scheme, and finally, Section 8 contains the conclusion to this paper.

2. Preliminary Knowledge

In this section, we first describe the basic knowledge for an elliptic curve cryptosystem [30] and a fuzzy extractor [31]. We then describe the threat model that is to be used in Section 4. The elliptic curve cryptosystem is the security basis for Liu et al.'s scheme and for our proposed scheme. Detailed information on the elliptic curve cryptosystem and a fuzzy extractor can be found in [30] and [31], respectively.

2.1 Elliptic Curve Cryptosystem (ECC)

In 1985, Victor Miller and Neal Kobiltz [30] presented Elliptic Curves Cryptography (ECC) as a public-key cryptosystem, and these days, ECC is the most frequently used technique to guarantee privacy and assure the confidentiality of digital data. Furthermore, various studies on authentication mechanisms have implemented ECC to increase security [19, 20, 34, 51].

In ECC, when the large prime p (p > 3), parameters a, b [member of] [F.sub.p] (prime finite field), and 4[a.sup.3] + 27[b.sup.2] = 0 mod p are given, the elliptic equation can be described as E: [y.sup.2] = [x.sup.3] + ax + b mod p. Given a point W [member of] [E.sub.p](a, b) and integer n, multiplication is defined as nW = W + W + ... + W(n times). When considering ECC, three levels of security are commonly considered:

* ECDLP (Elliptic Curve Discrete Logarithm Problem): Given J, W in [E.sub.p](a, b), it is impossible to acquire an integer n [member of] [F.sup.*.sub.P] such that J = nW.

* CDHP (Computational Diffie-Hellman Problem): Given W, cW, and rWin [E.sub.p](a, b) for c, r [member of] [F.sup.*.sub.P], it is impossible to acquire the point crP.

* DDHP (Decisional Diffie-Hellman Problem): Given W, cW, rW, and tWin [E.sub.p](a, b) for c, r, t [member of] [F.sup.*.sub.P], it is impossible to decide whether tW = crW.

2.2 Fuzzy Extractor

A user's biometric data is very sensitive information. Thus, when user identification is conducted using biometric data, secure and accurate matching is needed. To address this concern, Dodis et al. [31] presented a fuzzy extractor technique. According to prior research [31], a fuzzy extractor method is divided into the generation process (Gen) and reproduction process (Rep). A detailed description of each part is as follows:

* Gen[??]: The Gen function performs probabilistic production. Given the input of a user's biometric information Bio, the output of Gen(Bio) is a secret value [O.sub.i] and a random ancillary parameter [par.sub.i], (Gen(Bio) = ([O.sub.i], [par.sub.i])).

* Rep[??]: The Rep function performs a deterministic reproduction process. Given the user's biometric information Bio and the corresponding random ancillary parameter [par.sub.i], the output of Rep(Bio, [par.sub.i]) is a secret value [O.sub.i], (Rep(Bio, [par.sub.i]) = [O.sub.i]).

To date, many authentication studies have been conducted [32-34] based on the fuzzy extractor technique. Our proposed scheme also adopts the user's biometric information to apply a fuzzy extractor, and the details are given below in Section 5.

2.3 Threat Model

This subsection describes the threat model that we constructed with some common assumptions, including the capabilities of an attacker in a TMIS environment.

* All existing smart cards have vulnerabilities because confidential information stored within them can be extracted by physically monitoring the power consumption [35], meaning that an attacker can read and acquire data stored on the smart card.

* An attacker can control the public channels between the user and the server, meaning that the attacker can intercept any messages are transmitted via the public channel [36, 37].

* An attacker can modify and resend the intercepted/eavesdropped message [53-57].

* An attacker can easily guess low-entropy passwords and identities off-line in polynomial time [38].

3. Description of Liu et al.'s Scheme

In this section, we briefly review Liu et al.'s authentication mechanism [29] and cryptanalyze their scheme that consists of registration, login and authentication, password change, and lost/stolen smart card revocation phases. Table 1 displays the notation employed in the remainder of this paper.

3.1 Registration Phase

1) [U.sub.i] inputs [ID.sub.i] and [PW.sub.i] and generates a random number [R.sub.1]. [U.sub.i] computes L = h([R.sub.1][parallel][PW.sub.i]) and sends {[ID.sub.i], L} to S through a secure channel.

2) S checks the [U.sub.i]'s [ID.sub.i]. If it is a new one, S records N = 0, otherwise, S records N = N+1. S then maintains ([ID.sub.i], N, CID) in its database.

3) S computes [A.sub.i] = h(s [symmetry] [ID.sub.i]) and [B.sub.i] = [A.sub.i], [symmetry] L. S then issues a smart card with the parameters {[B.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID} and sends it to [U.sub.i] through a secure channel.

4) Upon receiving the smart card, [U.sub.i] imprints his/her biometrics Bio, and computes [C.sub.i] = [R.sub.1] [symmetry] h(Bio) and [D.sub.i] = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]). [U.sub.i] stores [C.sub.i] and [D.sub.i] in the smart card's memory. Finally, the smart card includes the information {[B.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [C.sub.i], [D.sub.i]}.

3.2 Login and Authentication Phase

1) [U.sub.i] inserts [U.sub.i]'s smart card into a card reader, inputs his/her [ID.sub.i] and [PW.sub.i], and imprints biometric Bio. The smart card computes [R.sub.1]' = [C.sub.i] [symmetry] h(Bio) and [D.sub.i]' = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]'), and compares [D.sub.i]' with the stored value [D.sub.i] in the smart card. If it holds, the smart card acknowledges the legitimacy of U, and proceeds with the next step. Otherwise, it terminates the login process.

2) The smart card selects random numbers [N.sub.u] and [R.sub.2], and computes V = [N.sub.u]P, I = [N.sub.u] [Pub.sub.s], [K.sub.u] = h(I[parallel][R.sub.2]), [A.sub.i] = [B.sub.i] [symmetry] L, [E.sub.i] = h(V[parallel]N[parallel]CID|[A.sub.i][parallel][R.sub.2]) and [F.sub.i] = [E.sub.Ku]([ID.sub.i][parallel][R.sub.2][parallel][E.sub.i][parallel]CID). The smart card then sends a login request [M.sub.1] = {V, [F.sub.i], [R.sub.2]} to S through a public channel.

3) S verifies the freshness of the random number [R.sub.2]. If it holds, S accepts the login request and proceeds with the next step. Otherwise, S rejects the login request and terminates this phase.

4) S computes I = sV, [K.sub.s] = h(I[parallel][R.sub.2]), and decrypts [G.sub.1] to obtain [ID.sub.i]', [R.sub.2], [E.sub.i] and CID. S further computes [A.sub.i]' = h(s [symmetry] [ID.sub.i],) and [E.sub.i]' = h(V[parallel]N[parallel]CID[parallel][A.sub.i]'/[parallel][R.sub.2]), and verifies whether [E.sub.i]' = [E.sub.i]. If it holds, S proceeds with the next step. Otherwise, S terminates this phase.

5) S selects random numbers [N.sub.s] and [R.sub.3], and computes W=[N.sub.u]P, J=[N.sub.u]V, [K.sub.u] = h(J[parallel][R.sub.3]), [G.sub.i] = [E.sub.Ks] ([Pub.sub.s][parallel][R.sub.3]) and sk = h([ID.sub.i][parallel][Pub.sub.s][parallel]I[parallel]J[parallel][R.sub.2][parallel][R.sub.3]). S then sends an authentication request [M.sub.2] = {W, [G.sub.i], [R.sub.3]} to [U.sub.i] through a public channel.

6) [U.sub.i] verifies the freshness of the random number [R.sub.3]. If it holds, [U.sub.i] accepts the authentication request and proceeds with the next step. Otherwise, [U.sub.i] rejects the authentication request and terminates this phase.

6) [U.sub.i] computes J = [N.sub.u]W, [K.sub.s] = h(J[parallel][R.sub.3]), and decrypts [G.sub.i] to obtain [Pub.sub.s]' and [R.sub.3]. [U.sub.i] then verifies whether [Pub.sub.s]' = [Pub.sub.s]. If it holds, U successfully authenticates S and computes a shared session key sk = h([ID.sub.i][parallel][Pub.sub.s][parallel]I[parallel]J[parallel][R.sub.2][parallel][R.sub.3]). Otherwise, [U.sub.i] terminates this phase.

3.3 Password Change Phase

1) [U.sub.i] inserts [U.sub.i]'s smart card into a card reader, inputs his/her [ID.sub.i], and [PW.sub.i], and imprints biometric Bio. The smart card computes [R.sub.1]' = [C.sub.i] [symmetry] h(Bio) and [D.sub.i]' = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]'), and verifies whether [D.sub.i]' = [D.sub.i], where [D.sub.i]- is stored in the smart card. If it holds, the smart card proceeds with the next step. Otherwise, it terminates the password change process.

2) [U.sub.i] inputs a new random number [R.sup.new.sub.1] and new password [PW.sup.new.sub.i], and computes [C.sup.new.sub.i] = [R.sup.new.sub.1] [symmetry] h(Bio) and [D.sup.new.sub.i] = h([ID.sub.i][parallel][PW.sup.new.sub.i][parallel][R.sup.new.sub.1]).

3) The smart card replaces {[C.sub.i], [D.sub.i]} with the new values {[C.sup.new.sub.i], [D.sup.new.sub.i]}. Consequently, the smart card contains the information {[B.SUB.I], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [C.sup.new.sub.i], [D.sup.new.sub.i]}.

3.4 Lost/Stolen Smart Card Revocation Phase

1) [U.sub.i] inputs [ID.sub.i], new password [PW.sup.new.sub.i] and biometric Bio, and generates a new random number [R.sup.new.sub.1]. [U.sub.i] computes [L.sup.new] = h([R.sup.new.sub.1][parallel][PW.sup.new.sub.i]), [C.sup.new.sub.i] = [R.sup.new.sub.1] [symmetry] h(Bio) and [D.sup.new.sub.i] = h([ID.sub.i][parallel][PW.sup.new.sub.i][parallel][R.sup.new.sub.1]), and sends a {[ID.sub.i], [L.sup.new], [C.sup.new.sub.i], [D.sup.new.sub.i]} to S through a secure channel.

2) S checks the [U.sub.i]'s [ID.sub.i]. If it is valid, S selects a new smart card identity [CID.sup.new] and records N = N+1. S then updates ([ID.sub.i], N, [CID.sup.new]) in its database.

3) S computes [A.sub.i] = h(s [symmetry] [ID.sub.i]) and [B.sup.new.sub.i] = [A.sub.i] [symmetry] [L.sup.new]. S then issues a new smart card with the parameters {[B.sup.new.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, [CID.sup.new]} and sends it to [U.sub.i] through a secure channel.

4) Upon receiving the smart card, [U.sub.i] stores [C.sup.new.sub.i] and [D.sup.new.sub.i] in the smart card's memory. Finally, the smart card includes the information {[B.sup.new.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, [CID.sup.new], [C.sup.new.sub.i], [D.sup.new.sub.i]}.

4. Security Weaknesses of Liu et al.'s Scheme

In this section, we show that Liu et al.'s scheme [29] possesses some security vulnerabilities. Based on an attacker capabilities, as described in Section 2.3, we found that their scheme has a biometric identification problem and is vulnerable to a server spoofing attack. In addition, we found that their scheme cannot provide a session key verification process, and the details are as follows.

4.1 Biometric Identification Problem

During the login phase in Liu et al.'s scheme [29], [U.sub.i] inserts U-'s smart card into a card reader and inputs his/her [ID.sub.i] and [PW.sub.i] to imprint the biometric Bio. After computing [R.sub.1]' = [C.sub.i] [symmetry] h(Bio) and [D.sub.i]' = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]'), they take a comparative test between [D.sub.i]' and [D.sub.i], which is computed in the registration phase and is saved in the smart card

so as to verify the correctness of the input [ID.sub.i] and [PW.sub.i]. However, their scheme can cause problems in that the user's biometric information is simply computed by using a one-way hash function. That is, there is a risk that the value [R.sub.1] = [C.sub.i] [symmetry] h(Bio) that includes the user's biometric information created during the registration phase may be different from the value [R.sub.1]' = [C.sub.i] [symmetry] h(Bio) created during the login phase since the one-way hash function amplifies the difference in the input in the value of the output [39]. Also, the user's biometric information obtained from fingerprints, among others, is has very subtle features, and thus the same person's biometric information can produce a mismatch each time it is entered. Accordingly, assuming that the user enters a correct PW, the verification process may still not operate properly when perceiving [D.sub.i]' and [D.sub.i] as different. To overcome these problems, some experts [32-34] have suggested employing a fuzzy extractor [31] to obtain the biometric information.

4.2 Server Spoofing Attack

A server spoofing attack [40] is such where an attacker masquerades as a legitimate server with a counterfeited authentication request by employing public information accumulated from a stolen smart card and eavesdropped transmission messages. Unfortunately, Liu et al.'s scheme is susceptible to such attacks. The following is a detailed description:

Step.1 After an attacker has stolen a smart card, the attacker can extract {[B.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [C.sub.i], [D.sub.i]} from the card through A power consumption technique [35].

Step.2 The attacker intercepts a valid login request {V, [F.sub.i], [R.sub.2]} from the previous session.

Step.3 The attacker selects random numbers [N.sup.*.sub.s] and [R.sup.*.sub.3], and computes [W.sup.*] = [N.sup.*.sub.s]P, [J.sup.*] = [N.sup.*.sub.s]V, [K.sup.*.sub.s] = h([J.sup.*] [parallel][R.sup.*.sub.3]) and [G.sup.*.sub.i] = E[.sub.Ks*]([Pub.sub.s][parallel][R.sup.*.sub.3]). S then sends a counterfeited authentication request [M.sup.*.sub.2] = {[W.sup.*], [G.sup.*.sub.i], [R.sup.*.sub.3]} to [U.sub.i] through a public channel.

Step.4 [U.sub.i] first verifies the freshness of the random number [R.sup.*.sub.3] and computes [J.sup.*] = [N.sub.u][W.sup.*], [K.sup.*.sub.s] = h([J.sup.*][parallel][R.sup.*.sub.3]). [U.sub.i] then decrypts [G.sup.*.sub.i] and verifies whether [pub.sup.*.sub.s] = [Pub.sub.s].

Step.5 If the above verification process is successfully carried out, [U.sub.i] assures that the counterfeited authentication request is a legal message.

In Step. 5, it is obvious that [U.sub.i] can undoubtedly verify [pub.sup.*.sub.s] = [Pub.sub.s] since the values in the attacker's counterfeited request {[W.sup.*], [G.sup.*.sub.i], [R.sup.*.sub.3]} are exactly equal to [U.sub.i]'s real authentication request {W, Gi, [R.sub.3]}. Therefore, the attacker can successfully disguise a legitimate server in Liu et al. 's scheme [29].

4.3 Absence of a Session Key Verification Process

According to [41, 42], the authenticated key agreement scheme suggests an authentication procedure to verify the coherence of session keys generated between a server and a user. However, in Liu et al. 's scheme, a user makes his/her own session key after verifying the authentication request message without a coherence test. That is to say, the user can hardly be sure whether or not the new session key is correct. The following procedures are required to ensure accurate session key distribution between a user and a server: 1) after generating a session key, the server sends an authentication request, including this session key's information, 2) the user should guarantee the accuracy of the session key from the server, verifying the received authentication request message.

5. The Proposed Scheme

In this section, we suggest a refined version of the authentication protocol to offer improved security by resolving the vulnerabilities Liu et al.'s scheme [29]. In our refined version, we use a fuzzy extractor to provide proper biometric identification [31]. In addition, we insert the session key verification process into the authentication phase to satisfy the requirements of the session key agreement [41, 42]. Our proposed method also consists of four phases, including registration, login, authentication and password change. Fig. 1-4 describes our proposed scheme, and the notation employed in the proposed scheme is displayed in Table 1.

5.1 Registration Phase

The registration phase begins when [U.sub.i] sends a registration request with his/her identity and a hashed password to S. S then issues a smart card that stores several pieces of information. In contrast with Liu et al.'s method, our registration phase uses a fuzzy extractor to correctly obtain the user's biometric information Bio. The following describes this process in detail.

1) [U.sub.i] inputs [ID.sub.i] and [PW.sub.i] and generates a random number [R.sub.1]. [U.sub.i] computes L = h([R.sub.1][parallel]PW) and sends a registration request {[ID.sub.i], L} to S through a secure channel.

2) S checks [U.sub.i]'s [ID.sub.i]. If it is a new one, S records N = 0, otherwise, S records N = N + 1. S then maintains ([ID.sub.i], N, CID) in its database.

3) Scomputes [A.sub.i] = L [symmetry] h(s[parallel][ID.sub.i]). S then issues a smart card with the parameters {[A.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID} and sends it to [U.sub.i] through a secure channel.

4) Upon receiving the smart card, [U.sub.i] imprints his/her biometrics Bio, and computes Gen(Bio) = ([O.sub.i], [par.sub.i]), [B.sub.i] = [R.sub.1] [symmetry] h([O.sub.i]) and [C.sub.i] = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]). [U.sub.i] stores [B.sub.i], [C.sub.i] and [par.sub.i], in the smart card's memory. Finally, the smart card includes {[A.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [B.sub.i], [C.sub.i], ()[par.sub.i]} (.)

[FIGURE 1 OMITTED]

5.2 Login and Authentication Phase

The login and authentication phase begins when [U.sub.i] accesses S, and several verification processes are executed to judge the legitimacy of [U.sub.i] and S. The main difference the Liu et al. 's scheme in the login and authentication phase is the use of a time-stamp to prevent replay attacks and the addition of the session key verification steps. The following describes this process in detail.

1) [U.sub.i] inserts [U.sub.i]'s smart card into a card reader, inputs his/her [ID.sub.i] and [PW.sub.i], and imprints biometric Bio. The smart card computes Rep(Bio, [par.sub.i]) = [O.sub.i], [R.sub.1]' = [B.sub.i] [symmetry] h([O.sub.i]) and [C.sub.i]' = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]'), and compares [C.sub.i]' with the stored value [C.sub.i] in the smart card. If it holds, the smart card acknowledges the legitimacy of [U.sub.i], and proceeds with the next step. Otherwise, it terminates the login process.

2) The smart card selects random numbers [N.sub.u] and time-stamp [T.sub.u], and then computes V = [N.sub.u]P, I = [N.sub.u][Pub.sub.s], [D.sub.i] = [ID.sub.i], [symmetry] I, [E.sub.i] = [A.sub.i], [symmetry] h([R.sub.1][parallel][PW.sub.i]) and [F.sub.i] = h([ID.sub.i][parallel]V[parallel][E.sub.i][parallel][T.sub.u]). The smart card then sends a login request [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} to S through a public channel.

3) S checks the freshness of the time-stamp [T.sub.u] through |[T.sub.u]' - [T.sub.u]| [less than or equal to] [DELTA]T. If it holds, S accepts the login request and proceeds with the next step. Otherwise, S rejects the login request and terminates this phase.

4) S computes I = sV, [ID.sub.i]' = [D.sub.i] [symmetry] I, and [F.sub.i]' = h([ID.sub.i]'[parallel]V[parallel]h(s[parallel][ID.sub.i]')[parallel][T.sub.u]), and verifies whether [F.sub.i]' = [F.sub.i]. If it holds, S proceeds with the next step. Otherwise, S terminates this phase.

5) S selects random numbers [N.sub.s] and time-stamp [T.sub.s], and computes W = [N.sub.s]P, J = [N.sub.s]V, sk = h([ID.sub.i]'[parallel]h(s[parallel][ID.sub.i]')[parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]), and [G.sub.i], = h(sk[parallel][ID.sub.i]'[parallel]J[parallel][T.sub.s]). S then sends an authentication request [M.sub.2] = { W, [G.sub.i], [T.sub.s]} to [U.sub.i] through a public channel.

6) [U.sub.i] checks the freshness of the time-stamp [T.sub.s] through |[T.sub.s]' - [T.sub.s]| [less than or equal to] [DELTA]T. If it holds, [U.sub.i] accepts the authentication request and proceeds with the next step. Otherwise, [U.sub.i] rejects the authentication request and terminates this phase.

7) [U.sub.i] computes J = [N.sub.u]W, sk = h([ID.sub.i][parallel][E.sub.i][parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]) and [G.sub.i]' = h(sk[parallel][ID.sub.i][parallel]J[parallel][T.sub.s]), and verifies whether [G.sub.i]' = [G.sub.i]. If it holds, [U.sub.i] successfully authenticates S and assures that the session key sk is securely shared between [U.sub.i] and S. Otherwise, [U.sub.i] terminates this phase.

[FIGURE 2 OMITTED]

5.3 Password Change Phase

The password change phase begins when the [U.sub.i] wants to change his/her old password [PW.sub.i] to a new password [PW.sup.new.sub.i]. In the password change phase of our scheme, [U.sub.i] communicates without any assistance from S. In addition, to validate the legitimacy of [U.sub.i], our scheme uses secret value [O.sub.i] from the fuzzy extractor.

1) [U.sub.i] inserts [U.sub.i]'s smart card into a card reader, inputs his/her [ID.sub.i] and [PW.sub.i], and imprints biometric Bio. The smart card computes Rep(Bio, [par.sub.i]) = [O.sub.i], [R.sub.1]' = [B.sub.i] [symmetry] h([O.sub.i]) and [C.sub.i] = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]') and compares [C.sub.i] with the stored value [C.sub.i] in the smart card. If it holds, the smart card proceeds with the next step. Otherwise, it terminates the password change process.

2) [U.sub.i] inputs a new password [PW.sup.new.sub.i], and computes [A.sup.new.sub.i] = h([R.sub.1][parallel][PW.sup.new.sub.i]) [symmetry] [A.sub.i] [symmetry] h([R.sub.1][parallel][PW.sub.i]) and [C.sup.new.sub.i]= h([ID.sub.i][parallel][PW.sup.new.sub.i][parallel][R.sub.1]).

3) The smart card replaces {[A.sub.i], [C.sub.i]} with new values {[A.sup.new.sub.i], [C.sup.new.sub.i]}. Consequently, the smart card contains the information {[A.sup.new.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [B.sub.i], [C.sup.new.sub.i], [par.sub.i]}.

Fig. 3. Password change phase of our proposed scheme User ([U.sub.i]) Server (S) Inputs [ID.sub.i], [PW.sub.j], Bio Rep{Bio, [par.sub.i] = [O.sub.i] [R'.sub.1] = [B.sub.i] [symmetry] h([O.sub.i]), [C'.sub.i] = h([ID.sub.i][parallel][PW.sub.i][parallel][R'.sub.i]) Verifies [C'.sub.i] = [C.sub.i] Inputs a new password [PW.sup.new.sub.i] [A.sup.new.sub.i] = h([R.sub.1] [parallel][PW.sup.new.sub.i]) [symmetry] [A.sub.i] [symmetry] h([R.sub.1][parallel][PW.sub.i]) [A.sup.new.sub.i] = h([ID.sub.i][parallel][PW.sup.new.sub.i][parallel][R.sub.1]) Replaces the {[A.sub.i], [C.sub.i]} with the new values {[C.sup.new.sub.i], [C.sup.new.sub.i]} Finally, the smartcard contains {[A.sup.new.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h(*), N, CID, [B.sub.i], [C.sup.new.sub.i], [par.sub.i]}

5.4 Lost/Stolen Smart card Revocation Phase

The revocation phase begins when [U.sub.i] revokes the smart card and wants to reissue the smart card. Our scheme provides lost/stolen smart card revocation with the same login identity.

1) [U.sub.i] inputs [ID.sub.i] and [PW.sup.new.sub.i], and generates a random number [R.sup.new.sub.1]. [U.sub.i] computes [L.sup.new] = h([R.sup.new.sub.1][parallel][PW.sup.new.sub.i]) and sends a revocation request {[ID.sub.i], [L.sup.new]} to S through a secure channel.

2) S checks [U.sub.i]'s [ID.sub.i]. If it is valid, S selects a new smart card identity [CID.sup.new] and records N = N +1. S then updates ([ID.sub.i], N, [CID.sup.new]) in its database.

3) S computes [A.sup.new.sub.i] = [L.sup.new] [symmetry] h(s[parallel][ID.sub.i]). S then issues a new smart card with parameters {[A.sup.new.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, [CID.sup.new]} and sends it to [U.sub.i] through a secure channel.

4) Upon receiving the smart card, [U.sub.i] imprints his/her biometrics Bio, and computes Gen(Bio) = ([O.sub.i], [par.sub.i]), [B.sup.new.sub.i] = [R.sup.new.sub.1] [symmetry] h([O.sub.i]) and [C.sup.new.sub.i] = h([ID.sub.i][parallel][PW.sup.new.sub.i][parallel][R.sup.new.sub.1]). U then stores [B.sup.new.sub.i], [C.sup.new.sub.i] and [par.sub.i] in the smart card's memory. Finally, the smart card includes {[A.sup.new.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, [CID.sup.new], [B.sup.new.sub.i], [C.sup.new.sub.i], [par.sub.i]}.

[FIGURE 4 OMITTED]

6. Security Analysis and Proof of the Proposed Scheme

In this section, we first scrutinize whether our proposed scheme can not only withstand various attacks, but also satisfy the basic requirements claimed by the security scheme. We then adopt Burrows-Abadi-Needham (BAN) logic [43] to prove that a session key can be correctly shared between U and S. We conduct a formal security proof based on the real-or-random (ROR) model proposed by Abdalls et al. [44] and simulate our scheme using the AVISPA tool [45].

6.1 Security Analysis of the Proposed Scheme

In this subsection, our proposed scheme is examined against various attacks and is evaluated according to the suitability of the basic requirements mentioned in prior studies [8-29]. We also conduct a comparative analysis [18-20, 24, 25, 27-29], as is illustrated in Table 2, and the results are as follows.

6.1.1 Preserves User Anonymity

Our scheme shields the user's identity [ID.sub.i] transmitted in messages from potential risks of exposure to fulfill user anonymity. Even if an attacker obtains [D.sub.i] = [ID.sub.i] [symmetry] I by snatching a login request [M.sub.1] = { V, [D.sub.i], [F.sub.i], [T.sub.u]}, it is impossible to calculate [ID.sub.i] since there is no knowledge of the value I = sV.

6.1.2 Provides Mutual Authentication

In the login and authentication phase of our proposed scheme, [U.sub.i] and S authenticate each other through some verification processes. In detail, S first verifies the login request [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} by checking whether [F.sub.i]' = [F.sub.i]. [U.sub.i] also verifies the authentication request [M.sub.2] = { W, [G.sub.i], [T.sub.s]} by checking whether [G.sub.i]' = [G.sub.i]. If all these verification processes are successfully finished, mutual authentication has been executed properly.

6.1.3 Provides Proper Biometric Identification

In contrast with Liu et al.'s scheme, our scheme uses a fuzzy extractor technique to provide an accurate user identification process. During the login phase, after [U.sub.i] inputs his/her [ID.sub.i] and [PW.sub.i], and imprints biometric Bio, the smart card computes Rep(Bio, [par.sub.i]) = [O.sub.i], [R.sub.1]' = [B.sub.i] [symmetry] h([O.sub.i]) and [C.sub.i]' = h([ID.sub.i][parallel][PW.sub.i][parallel][R.sub.1]'), and compares [C.sub.i]' with the stored [C.sub.i] value in the smart card. Even though [U.sub.i]' s biometric information Bio is imprinted slightly differently, the correct secret value [O.sub.i] is constantly derived from the fuzzy extractor process [31]. Therefore, our scheme can prevent a biometric matching error and provides a proper identification process.

6.1.4 Protects against an Off-line Password Guessing Attack

An attacker can obtain {[A.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [B.sub.i], [C.sub.i], [par.sub.i]} from the stolen smart card and can intercept the login request [M.sub.1] = { V, [D.sub.i], [F.sub.i], [T.sub.u]}. Using these values, the attacker may try to guess the correct password [PW.sub.i]. However, without knowing [ID.sub.i] and [O.sub.i], the attacker cannot guess [PW.sub.i]. In addition, [O.sub.i] is secret information that only U knows.

6.1.5 Protects against a User Impersonation Attack

In our scheme, an attacker should modify the login request values { V, [D.sub.i], [F.sub.i], [T.sub.u]} after obtaining the value of [ID.sub.i] to succeed in a user impersonation attack. However, as we mentioned above, it is impossible for an attacker to obtain the value of [ID.sub.i]. Thus, an attacker cannot generate a suitable login request to cheat S.

6.1.6 Protects against a Server Spoofing Attack

An attacker can obtain {[A.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h[??], N, CID, [B.sub.i], [C.sub.i], [par.sub.i]} from the stolen smart card and can intercept the login request [M.sub.1] = { V, [D.sub.i], [F.sub.i], [T.sub.u]}. The attacker then tries to modify [M.sub.2] = { W, [G.sub.i], [T.sub.s]} to impersonate the legitimate S. However, in our scheme, the attacker cannot compute [G.sub.i] = h(sk[parallel][ID.sub.i][parallel]J[parallel][T.sub.s]) because the user's [ID.sub.i] is an unknown value. Thus, our proposed scheme can withstand a server spoofing attack.

6.1.7 Provides a Session Key Verification Process

In our scheme, a session key sk = h([ID.sub.i]'[parallel]h(s[parallel][ID.sub.i]')[parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]), the value W = [N.sub.s]P, and [G.sub.i] = h(sk[parallel][ID.sub.i]'[parallel]J[parallel][T.sub.s]) are generated for the server S to send [M.sub.2] = {W, [G.sub.i], [T.sub.s]} to user [U.sub.i]. [U.sub.i] computes J = [N.sub.u]W, sk = h([ID.sub.i],[parallel][E.sub.i][parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]) and [G.sub.i]' = h(sk[parallel][ID.sub.i][parallel]J[parallel][T.sub.s]), and measures the coherence between [G.sub.i]' and [G.sub.i] to verify the received authentication request. Since [G.sub.i] includes the information of session key sk generated by S, [U.sub.i] may be sure that S's session key is accurate if the results of the comparison are correct.

6.1.8 Protects against a Replay Attack

In our scheme, all transmitted messages [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} and [M.sub.2] = {W, [G.sub.i], [T.sub.s]} include time-stamps [T.sub.u] or [T.sub.s]. Suppose that the attacker intercepts these messages and tries to access [U.sub.i] or S. Through the time-stamp checking process, [U.sub.i] or S immediately identify whether received message is valid or not. Thus, our proposed scheme can withstand a replay attack.

6.1.9 Protects against an Insider Attack

During the registration phase of our scheme, [PW.sub.i] is transmitted not as a revealed condition but as a form of L = h([R.sub.1][parallel][PW.sub.i]) when [U.sub.i] sends a registration request {[ID.sub.i], L} to S to prevent an insider attack. Thus, the insider attack would never occur in our scheme.

6.2 Authentication Proof with BAN Logic

In this subsection, we use Burrows-Abadi-Needham (BAN) logic [43] to verify the legitimacy of the session keys distributed to participants who communicate using our proposed protocol. BAN logic is a well-known formal logic that can be used to analyze the security of cryptographic protocols. The basic notation for BAN logic is as follows.

* A [??] S: A sees the sentence S.

* A |[equivalent to] S: Sentence S is believed by A.

* #(S): It makes a fresh sentence S.

* A |~ S: A said the sentence S.

* [<s>.sub.K]: Combine the sentence S using K.

* [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] Sentence S is controlled by A.

* [??]: For secure communication, A and B share a secret key K.

* [(S).sub.K]: Perform the hash operation on sentence S using K.

Generally, BAN logic provides the following rules.

1. Message-meaning rule: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

2. Nonce-verification rule: [[A|[equivalent to]#(S), A|[equivalent to]B|~S]/[A|[equivalent to]B|~S]]

3. The believe rule: [[A|[equivalent to]S, A|[equivalent to]T]/[A|[equivalent to](S,T)]]

4. Freshness-conjuncatenation rule: [[A|[equivalent to]#(S)]/[A|[equivalent to]B|[equivalent to]S]]

5. Jurisdiction rule: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Mutual authentication means that the user and the server share a session key and trust each other when the session key is distributed correctly. This is converted to notation using BAN logic below. Thus, if the following goals are derived through further proof, it can be assumed that mutual authentication between the user and the server has been well performed [46].

* Goal 1. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

* Goal 2. [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Our message can be transformed into an idealized form as follows.

* Message 1. u [right arrow] S: F, [<S>.sub.I], [([ID.sub.i], [E.sub.i], [T.sub.u]).sub.a], [T.sub.u]

* Message 2. S [right arrow] U: W, [(sk, [ID.sub.i], [T.sub.s]).sub.a], [T.sub.s]

We define the following several assumptions and these assumptions will be further used in the proof.

* [A.sub.1]: U |[equivalent to] #([T.sub.u])

* [A.sub.2]: s |[equivalent to] #([T.sub.s])

* [A.sub.3]: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

* [A.sub.4]: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

* [A.sub.5]: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

* [A.sub.6]: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

We use BAN logic rules, idealized form, and some pre-defined assumptions to deploy our proof as follows.

Based on Message 1, we could derive:

* [P.sub.1]: S [??] [([ID.sub.i], [E.sub.i], [T.sub.u]).sub.a], [T.sub.u]

Based on assumption [A.sub.4], we adapt the message-meaning rule to derive:

* [P.sub.2]: S |[equivalent to] U |~ [T.sub.u]

Based on assumption [A.sub.1] and the freshness conjuncatenation rule, we derive:

* [P.sub.3]: S |[equivalent to] #[([ID.sub.i], [E.sub.i], [T.sub.u]).sub.a]

Based on [P.sub.2], [P.sub.3] and the nonce verification rule, we derive:

* [P.sub.4]: S |[equivalent to] U |[equivalent to] [([ID.sub.i], [E.sub.i], [T.sub.u]).sub.a]

Based on [A.sub.4], [P.sub.4] and the jurisdiction rule, we derive:

* [P.sub.5]: S |[equivalent to] [T.sub.u]

Based on [P.sub.5], assumption [A.sub.2], and sk, we derive:

* [P.sub.6]: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] < Goal 2. >

Based on Message 2, we could derive:

* [P.sub.7]: U [??][(sk, [ID.sub.i], [T.sub.s]).sub.a], [T.sub.s]

Based on assumption [A.sub.3], we adapt the message-meaning rule to derive:

* [P.sub.8]: U |[equivalent to] S |~ [T.sub.s]

Based on assumption [A.sub.2] and the freshness conjuncatenation rule, we derive:

* [P.sub.9]: U |[equivalent to] #[(sk, [ID.sub.i], [T.sub.s]).sub.a]

Based on [P.sub.8], [P.sub.9] and the nonce verification rule, we derive:

* [P.sub.10]: U |[equivalent to] S |[equivalent to] [(sk, [ID.sub.i], [T.sub.s]).sub.a]

Based on [A.sub.3], [P.sub.10] and the jurisdiction rule, we derive:

* [P.sub.11]: U |[equivalent to] [T.sub.s]

Based on [P.sub.11], assumption [A.sub.1], and sk, we derive:

* [P.sub.12]: [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] < Goal 1. >

Based on < Goal. 1 > and < Goal.2 >, we are assured that our proposed scheme provides mutual authentication and agreement of the session key sk, which is correctly shared between U and S.

6.3 Formal Security Analysis using Random Oracle Model

In this subsection, we describe the formal security analysis using the real-or-random (ROR) model proposed by Abdalls et al. [44].

6.3.1 Real-or-Random Model

In our scheme, there are two participants, a user [U.sub.i] and a server S.

- Participants. Let [[PI].sup.t.sub.S] denote the instance t of S and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] denote the instance u of [U.sub.i]. These instances are called oracles.

- Partnering. The partner of an instance [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] for user [U.sub.i] is the instance [[PI].sup.t.sub.S] of server S, and vice versa. [[PI].sup.t.sub.S] is called the partner ID [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] of [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]. The partial transcript of all exchanged messages is unique, and [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is the session ID for the current session.

- Freshness. If the session key SK is not revealed to an adversary A, the instance [[PI].sup.t.sub.S] or [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] is fresh.

- Adversary. In the ROR model, the adversary A has the ability to control all communications and the A uses the following queries:

* Execute ([[PI].sup.t], [[PI].sup.u]): A executes this query to obtain a message sent between two honest communication participants, which models the eavesdropping attack.

* Send([[PI].sup.t], m): This query models an active attack where A sends a message m to a participant instance and takes a response message.

* CorruptSC([MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]): This query models the smart card lost attack. It outputs the information stored in the smart card.

* Test([[PI].sup.t]): This query models the semantic security of the session key SK and follows the ROR model indistinguishability [44]. At the beginning of the experiment, an unbiased coin c is flipped, and the result is used to determine the output of the Test() query while remaining secret to adversary A. When A executes this query and the session key SK is established and fresh, the instance [[PI].sup.t] returns SK if c = 1, a random number in the same domain if c = 0, and otherwise, it returns [perpendicular to].

- Semantic security of the session key. In the ROR model, adversary A challenges the experiment to distinguish between the real session key SK of the instance and the random session key. A can execute a number of Test queries to either the user instance or the server instance. The result of the Test query must be consistent with respect to random bit c. At the end of the experiment, A returns a bit c'. If c' = c, A wins the game. Let Succ denote the event that wins the game. The advantage of in breaking the semantic security of the protocol P is [Adv.sup.ake.sub.p] = | 2 Pr [Succ] - 1 |. Therefore, if [Adv.sup.ake.sub.p] [less than or equal to] [eta], for any sufficiently small [eta] > 0, P is a secure authentication protocol in the ROR sense.

- Random oracle. In this paper, all participants and the adversary A use a one-way hash function h[??] modeled as a Hash oracle. When a two-tuple (x, y) table of binary strings and hash query h(x) are given, if x is discorved, the oracle returns y. Otherwise, it returns a uniformly random string y, and the pair (x, y) is stored in the corresponding table.

6.3.2 Formal Security Proof

We employ the following difference lemma [47] in order to describe our formal proof.

Lemma 1 (Difference lemma). Let Suc[c.sub.1], Suc[c.sub.2], and Suc[c.sub.3] denote the events defined in some probability distribution. Let Suc[c.sub.1] [and] Suc[c.sub.3] [??]Suc[c.sub.2] [and] Suc[c.sub.3]. Then, we have

|PrSuc[c.sub.1] - PrSuc[c.sub.2] | [less than or equal to] PrSuc[c.sub.3]

Theorem 1. Let A be an adversary operating within polynomial time t for our protocol P in a random oracle. Let D be a uniformly distributed password dictionary and l be the number of bits in biometrics key [O.sub.i]. The probability of P's session key security (SK-security) being broken by is as follows.

[Adv.sup.ake.sub.p] [less than or equal to] [[q.sup.2.sub.h]/[|Hash|]] + [[q.sub.send]/[[2.sup.l-1].|D|]] + 2[Adv.sup.ECDLP](t)

where [q.sub.h], |Hash|, [q.sub.send], |D|, and [Adv.sup.ECDLP](t) denote the number of Hash queries, the range space of the one-way hash function, the number of Send queries, the size of D, and the advantage of in breaking the ECDLP, respectively.

proof. The formal proof of our scheme consists of five different games [G.sub.i], for i = 0, 1, 2, 3, 4. Let Suc[c.sub.i] denote the event that A succeed in guessing the bit c in the game [G.sub.i]. Our protocol P runs from game [G.sub.0] to game [G.sub.4], and in game [G.sub.4], it will show that A has a negligible advantage to break SK-security.

- Game [G.sub.0]: This game is a real attack by the adversary A against protocol P in the random oracle. Note that bit c is chosen at the beginning of this game. By definition, we have

[Adv.sup.ake.sub.p] = |2 pr[[Succ.sub.0]]-1| (1)

- Game [G.sub.1]: This game simulates an eavesdropping attack of an adversary A using the Execute([[PI].sup.t], [[PI].sup.u]) oracle. The attacker also queries the Test oracle and determines whether the result is a real session key SK or some other random value. The session key SK is computed by the server Sas SK = h([ID.sub.i]'[parallel]h(s[parallel][ID.sub.i'])[parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]), and the same session key is computed by the user [U.sub.i] as SK = h([ID.sub.i][parallel][E.sub.i][parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]). To compute [E.sub.i], A has to know s. Therefore, A cannot compute [E.sub.i] because s is a master secret key of S. Furthermore, A has to know the random numbers [N.sub.u] and [N.sub.s] to know I and J calculated via ECC point multiplication. Thus, the probability of an adversary A winning this game through an eavesdropping attack does not increase. Then, [G.sub.0] and [G.sub.1] have the same probability, so we obtain the following:

Pr[[succ.sub.0]] = Pr[[succ.sub.1]] (2)

- Game [G.sub.2]: [G.sub.2] is an extension of [G.sub.1], and Send and Hash oracle simulations have been added. In this game, an adversary A models an active attack that sends a fabricated message to deceive the participants, and A can repeatedly generate hash queries to discover collisions. The messages [M.sub.1] = { V, [D.sub.i], [F.sub.i], [T.sub.u]} and [M.sub.2] = { W, [G.sub.i], [T.sub.s]} are associated with random numbers [N.sub.u] and [N.sub.s], and time-stamps [T.sub.u] and [T.sub.s]. Therefore, the messages are guaranteed to be random and there is no collision when querying the Send oracle. Using the birthday paradox [48], we obtain

|Pr[Suc[c.sub.1]] = Pr[Suc[c.sub.2]]| [less than or equal to] [[q.sup.2.sub.h]/[2|Hash|]] (3)

- Game [G.sub.3]: This game simulates the CorruptSC oracle and models a lost smart card attack. Adversary A can attempt a dictionary attack using the information from a smart card and can attempt to obtain a password [PW.sub.i] and biometric key [O.sub.i]. Our protocol P uses a strong fuzzy extractor that extracts up to l random bits. Therefore, the probability that A can guess the biometric key [O.sub.i] [member of] [{ 0, 1 }.sup.l] is approximately [1/[[2.sup.l]]] [24]. Since the number of wrong passwords inputs is controlled by the system, we obtain the following:

|[P.sub.r][Suc[c.sub.2]] = Pr[Suc[c.sub.3]] | [less than or equal to] [[q.sub.send]/[[2.sup.l].|D|]] (4)

- Game [G.sub.4]: In this game, adversary A tries to acquire session key SK through eavesdropped messages [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} and [M.sub.2] = { W, [G.sub.i], [T.sub.s]}. As mentioned for [G.sub.1], A cannot compute [E.sub.i] because the master secret key s is only known to S. In addition, since the values V and W are based on the difficulty of ECDLP, it is impossible to compute the random numbers [N.sub.u] and [N.sub.s]. Thus, we obtain

|[P.sub.r][Suc[c.sub.3]] = Pr[Suc[c.sub.4]] | [less than or equal to] [Adv.sup.ECDLP](t) (5)

All session keys are random and independent, and the c value is not exposed to Adversary A. Therefore, it is clear that

Pr[[succ.sub.4]] = [1/2] (6)

Combining Equations (1)-(6) and Lemma 1, the results are as follows:

[Adv.sup.ake.sub.p] [less than or equal to] [[q.sup.2.sub.h]/[|Hash|]] + [[q.sub.send]/[[2.sup.l-1].|D|]] + 2[Adv.sup.ECDLP](t)

6.4 Simulation of the Proposed Scheme using AVISPA Tool

In this subsection, we demonstrate that our scheme can withstand both passive and active attacks by simulating its use in the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [45].

6.4.1 Overview of AVISPA Tool

The AVISPA is a formal tool that is widely used to verify protocol security. The protocol specification is written in High Level Protocols Specification Language (HLPSL) [49] and is translated into the Intermediate Format (IF) by a Translator HLPSL2IF. The result is then treated as the input value of the different back-end procedures. The back-ends provided by AVISPA consist of the On-the-fly Model-Checker (OFMC), Constraint Logic-based Attack Searcher (CL-AtSe), SAT based Model Checker (SATMC), and Tree Automata-based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). In this paper, we first specify our authentication mechanism based on HLPSL and then derive the results of the simulation using two back-ends OFMC and CL-AtSe.

6.4.2 Specifying the Proposed Scheme

This section provides descriptions of the specifications of our scheme in HLPSL. We have implemented the basic roles for a user [U.sub.i] and a server S for each phase, and we then specify the other roles for the session, environment, and goal. Fig. 5 shows that the role specification of the user [U.sub.i] for our scheme.

Fig. 5. Role specification in HLPSL for the user [U.sub.i] role user (Ui. Sj : agent. SKuisj: symrnetrickey. H : hash_func, Snd. Rev: chamiel(dy)) played_by [U.sub.i] def= local State : nat. IDi. L. PWi. R1, S. N, CID, Tu. Nu. V. P. I. PUBs. Di. Ei. Fi. Ns, Ts, W, J. Ai. SK. Gi: text. Mul: hash_fuuc const user_server_t1, user_server_ni, subs1 : protocol_id init State := 0 transition % Registration phase 1. State = 0 [and] Rcv(start) =|> State' := 1 [and] R1' := new() [and] L':= H(R1'. PWi) [and] Snd({IDi.L'}_SKuisj) [and] secret({IDi, PWi, R1'}, subs1, {Ui)) 2. State = 1 [and] Rcv({H.xor(L', H(S.IDi)).N.CID}_SKuisj) =|> % Login phase State' : = 2 [and] Tu' := new() [and] Nu' := new() [and]V':=Mul(Nu',P) [and]I' :=Mul(Nu',PUBs) [and]Di' := xor(IDi, I') [and]Ei':=xor(xor(L', H(S.IDi)), H(R1'.PWi)) [and] Fi' := H(IDi.V'.Ei'.Tu') [and] Snd(V'.Di'.Fi'.Tu') [and] witness(Ui. Sj. user_server_t1. Tu') [and] witness(Ui. Sj. user_serverni, Nu') % Authentication phase 3. State = 2 [and] Rcv(Mul(Ns',P).H(H(IDi.H(S.IDi).Mul(Nu'.PUBs). Mul(Ns',V').Tu'.Ts').IDi.Mul(Ns'.V').Ts').Ts') =|> State' := 3 [and] request(Sj. Ui. server_user_t2, Ts') [and] request(Sj, Ui. server_user_nj, Ns') end role

During the registration phase, [U.sub.i] sends {[ID.sub.i], L} to S through a secure channel using the Snd( ) operation and a symmetric key SKuisj. The type declaration channel(dy) indicates that the channel is influenced by the Dolev-Yao threat model [50]. The model means that the attacker can control the communication channels and can intercept or eavesdrop on any messages sent by agents. The declaration secret({ IDi, PWi, R1' }, sub1, { Ui}) indicates that the ([ID.sub.i], [PW.sub.i], [R.sub.1]) are only known to [U.sub.i]. Then, [U.sub.i] receives the smart card with the parameters {[A.sub.i], h[??], N, CID} from S using Rcv( ) operation. During the login and authentication phase, [U.sub.i] generates a random number [N.sub.u] and time-stamp [T.sub.u] using the new( ) operation. The [U.sub.i] computes V = [N.sub.u]P, I = [N.sub.u][Pub.sub.s], [D.sub.i], = [ID.sub.i], [symmetry] I, [E.sub.i], = [A.sub.i], [symmetry] h([R.sub.1][parallel][PW.sub.i]) and [F.sub.i], = h([ID.sub.i] [parallel] V[parallel][E.sub.i][parallel][T.sub.u]). [U.sub.i], then sends the login request message [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} to Sthrough a public channel. The declaration witness(Ui, Sj, user_server_t1, Tu') indicates that [U.sub.i] has a recently generated a time-stamp [T.sub.u] for S. Similarly, the declaration witness(Ui, Sj, user_server_ni, Nu') indicates that [U.sub.i] has recently generated a random number [N.sub.u] for S. [U.sub.i] finally receives the authentication request message [M.sub.2] = { W, [G.sub.i], [T.sub.u]} from S through a public channel.

Fig. 6 shows the role specification of the server S for our scheme. In the registration phase, S receives the registration request message {[ID.sub.i], L} from [U.sub.i]. After receiving the message, S issues a smart card with parameters {[A.sub.i], N, CID} and sends it to [U.sub.i], using the Snd( ) operation and symmetric key SKuisj. During the login and authentication phase, S receives the login request message [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} from the [U.sub.i] through a public channel. S then generates a random number [N.sub.s] and time-stamp [T.sub.s] using a new( ) operation. Finally S computes W = [N.sub.s]P, J = [N.sub.s]V, sk = h([ID'.sub.i][parallel]h(s[parallel][ID'.sub.i])[parallel]I[parallel]J[parallel][T.sub.u][parallel][T.sub.s]), and [G.sub.i] = h(sk[parallel][ID'.sub.i][parallel]J[parallel][T.sub.s]), and send the authentication request message [M.sub.2] = {W, [G.sub.i], [T.sub.s]} to [U.sub.i] through a public channel. The declaration witness(Sj, Ui, server_user_nj, Ns') indicates that [U.sub.i] has recently generated a random number [N.sub.s] for [U.sub.i]. The declaration request(Ui, Sj, user_server_ni, Nu ') indicates that S authenticates user [U.sub.i].

Fig. 6. Role specification in HLPSL for the server S role server (Ui.Sj : agent. SKuisj: symmetric_key. H : hash_func. Snd.Rcv: channel{dy)) played_by Sj def= local State : nat, IDi, L, PWi, R1, S, N, CID, Tu, Nu, V, P, I, PUBs, Di, Ei, Fi, Ns, Ts, W, J, Ai, SK, Gi: text. Mul: hash_func const server_user_t2, server_user_nj, subs1. subs2 : protocol_id init State := 0 transition %Registration phase 1. State = 0 [and] Rcv{{IDi.H(R1'.PWi)}_SKuisj) =|> State' := 1 [and] secret({IDi.PWi.R1'}, subs1, {Ui}) [and] Ai' := xor(H(R1'.PWi), H(S.IDi)) [and] secret({S}, subs2, {Sj}) [and] Snd({H.xor(H(R1'.PWi), H(S.IDi)).N.CID}_SKuisj) %Login phase 2. State = 1 [and] Rcv{Mul(Nu',P).xor(xor(L', H(S.IDi)), H(R1'.PWi)).H(IDi.Mul(Nu'.P).xor(xor(L', H(S.IDi)), H(R1'.PWi)).Tu').Tu') =|> %Authentication phase State' := 2 [and] Ts' := new() [and] Ns' :=new() [and] W' := Mul(Ns'.P) [and] J' := Mul(Ns'.Mul(Nu'.P)) [and] SK' := H(IDi.H(S.IDi).Mul(S.Mul(Nu'.P)).J'.Tu'.Ts') [and] Gi' := H(SK'.IDi.J'.Ts') [and] Snd(W'.Gi'.Ts') [and] wituess{Sj, Ui, server_user_t2, Ts') [and] wituess(Sj, Ui, server_usei_nj, Ns') [and] requestfUi, Sj, user server t1, Tu') [and] request(Ui, Sj, user_server_ni, Nu') end role

In Fig. 7, we have provided the specification in HLPSL for the roles including the session, environment, and goal. In the session segment, the participants in the communication, including the user and server, and other basic roles are instanced as concrete arguments. The environment segments cover the global constant, session composition and intruder knowledge. Finally, in the goal segment, several secrecy goals and authentication goals are specified. In our implementation, we have specified two secrecy goals and four authentication goals.

* secrecysub 1: indicates that the values ([ID.sub.i], [PW.sub.i], [R.sub.1]) are only known to [U.sub.i].

* secrecysub 2: indicates that the master key S is only known to S.

* authenticationon user_server_t1: indicates that if S receives the time-stamp [T.sub.u], which is generated by [U.sub.i], S then authenticates [U.sub.i].

* authentication_on user_server_ni: indicates that if S receives the random number [N.sub.u], which is generated by [U.sub.i], S then authenticates [U.sub.i].

* authentication_on server_user_t2: indicates that if [U.sub.i] receives the time-stamp [T.sub.s], which is generated by S, [U.sub.i] then authenticates S.

* authentication_on server_user_nj: indicates that if [U.sub.i] receives the random number [N.sub.s], which is generated by S, [U.sub.i] then authenticates S.

Fig. 7. Role specification in HLPSL for the session, environment and goal role session(Ui.Sj : agent. SKuisj: symmetric_key, H : hash_func) def= local SI. S.T. RI. RJ: channel (dy) composition user(Ui. Sj. SKuisj, H. SI. RI) [and] server(Ui, Sj, SKuisj, H, SJ, RJ) end role goal secrecy_of subs1 secrecy_of subs2 authentication_on user_server_t1 authentication_on user_server_ni authentication_on server_user_t2 authentication_on server_user_nj end goal environment) role environment() def= const ui, sj: agent, skuisj : symmetric_key, h : hash_func, tu, ts : text, user_server_t1, server_user_t2, user_server_ni, server_user_nj, subs1, subs2 : protocol_id intruder_knowledge = {ui, sj, h, tu. ts} composition session(ui, sj. skuisj, h) [and] session(ui. sj, skuisj. h) end role

6.4.3 Simulation results

This section describes the results of the simulation result conducted for our scheme. The results of the simulation under the OFMC and CL-AtSe back-ends are shown in Fig. 8, which clearly shows that our scheme is SAFE under each back-end. Therefore, it is obvious that our scheme can prevent passive and active attacks, including replay and man-in-the-middle attacks.

Fig. 8. Simulation results under the OFMC and CL-AtSe back-ends SUMMARY SAFE DETAILS BOUNDED_NUMBER_OF_SESSIONS PROTOCOL /home/jaewook/Desktop/span/testsuite/results/TIIS_v1. if GOAL as specified BACKEND OFMC STATISTICS TIME 28 ms parseTime 0 ms visitedNodes: 14 nodes depth: 4 plies SUMMARY SAFE DETAILS BOUNDED_NUMBER_OF_SESSIONS TYPED_MODEL PROTOCOL /home/jaewook/Desktop/span/testsuite/results/TIIS_v1.if GOAL As specified BACKEND CL-AtSe STATISTICS Analysed : 8 states Reachable : 8 states Translation: 0.02 seconds Computation: 0.00 seconds

7. Performance of the Proposed Scheme

In this section, we have compared the computational costs and execution time for the proposed scheme against other schemes [18-20, 24, 25, 27-29]. We then analyzed the memory capacity of the smart card and estimate the message exchange cost.

In general, the computational cost is examined based on the respective operations in the authentication protocol. Accordingly, this analysis of the computational cost concentrates on the operations that are conducted by the members, such as the user and server. To evaluate the computational costs, we define the following computational parameters:

* [T.sub.H] : the time to execute a one-way hash function

* [T.sub.M] : the time of point multiplication in a group

* [T.sub.S] : the time for symmetric key encryption/decryption

* [T.sub.E] : the time of modular exponential

* [T.sub.A] : the time of point addition in a group

* [T.sub.Fe] : the time for the fuzzy extractor

Table 3 provides a summary of the comparison for the computational overhead. The results show that Mishra et al.'s [18], Xu et al.'s [19], Islam & Khan's [20], Wazid et al.'s [24], Irshad et al.'s [25], Giri et al.'s [27], Amin & Biswas's [28], Liu et al.'s [29], and the proposed scheme require total computational overheads of 24[T.sub.H]+3[T.sub.S], 15[T.sub.H]+6[T.sub.M], 16[T.sub.H]+8[T.sub.M]+1[T.sub.A], 28[T.sub.H]+3[T.sub.M]+3[T.sub.S]+2[T.sub.A]+4[T.sub.Fe], 29[T.sub.H]+13[T.sub.M]+5[T.sub.S]+3[T.sub.Fe], 17[T.sub.H]+3[T.sub.E], 26[T.sub.H]+2[T.sub.E], 20[T.sub.H]+6[T.sub.M]+4[T.sub.S], and 16[T.sub.H]+6[T.sub.M]+3[T.sub.Fe], respectively.

Based on the results in Table 3, we performed an experiment on the execution time to obtain an objective comparison between our scheme and the other schemes [18-20, 24, 25, 27-29]. In order to measure the execution time for the authentication protocol, the following methods are generally used [37, 38]: (i) compute computational overhead, (ii) measure the execution time of the cryptographic operations used in the protocol, and (iii) substitute the measured time obtained by (ii) into (i). We performed a simulation to obtain the execution time of each cryptographic operation, and Table 4 shows our simulation environment and the measured value of each cryptographic operation. According to [51], the execution time of the fuzzy extractor operation [T.sub.Fe] is almost the same as that for the point multiplication operation [T.sub.M]. Thus, we assumed that these two operations consume the same amount of time.

We used the results of the simulation ([T.sub.H] [approximately equal to] 0.0002 s, [T.sub.M] [approximately equal to] 0.062 s, [T.sub.S] [approximately equal to] 0.0086 s, [T.sub.E] [approximately equal to] 0.521 s, [T.sub.A] [approximately equal to] 0.006 s, [T.sub.Fe] [approximately equal to] 0.062 s) to analyze the execution time of our scheme and other associated schemes [18-20, 24, 25, 27-29]. As shown in Table 5, we observed that the execution time of our proposed scheme requires 0.5612 s (16[T.sub.H] + 6[T.sub.M]+ 3[T.sub.Fe] [approximately equal to] 16 x 0.0002 s + 6 x 0.062 s + 3 x 0.062 s). The execution time for Mishra et al.'s [18] (24[T.sub.M] + 3[T.sub.S] [approximately equal to] 24 x 0.0002 s + 3 x 0.0086 s), Xu et al.'s [19] (15[T.sub.H] + 6[T.sub.M] [approximately equal to] 15 x 0.0002 s + 6 x 0.062 s), Islam & Khan's [20] (16[T.sub.H] + 8[T.sub.M] + 1[T.sub.A] [approximately equal to] 16 x 0.0002 s + 8 x 0.062 s + 1 x 0.006 s), Wazid et al.'s [24] (28[T.sub.H] + 3[T.sub.M] + 3[T.sub.S] + 2[T.sub.A] + 4[T.sub.Fe] [approximately equal to] 28 x 0.0002 s + 3 x 0.062 s + 2 x 0.006 s + 4 x 0.062 s), Irshad et al.'s [25] (29[T.sub.H] + 13[T.sub.M] + 5[T.sub.S] + 3 [approximately equal to] 29 x 0.0002 s + 13 x 0.062 s + 5 x 0.0086 s + 3 x 0.062 s), Giri et al.'s [27] (17[T.sub.H] + 3[T.sub.E] [approximately equal to] 17 x 0.0002 s + 3 x 0.521 s), Amin & Biswas's [28] (26[T.sub.H] + 2[T.sub.E] [approximately equal to] 26 x 0.0002 s + 2 x 0.521 s), Liu et al.'s [29] (20[T.sub.H] + 6[T.sub.M] + 4[T.sub.S] [approximately equal to] 20 x 0.0002 s + 6 x 0.062 s + 4 x 0.0086 s) are 0.0306 s, 0.375 s, 0.5052 s, 0.4774 s, 1.0408 s, 1.5664 s, 1.0472 s and 0.4104 s, respectively. The results show that our proposed scheme has satisfactory performance because we use lightweight operations including one-way hash operations and a point multiplication operation. On the other hand, the execution time for Giri et al. [27] and Amin & Biswas [28] using modular exponential operation of RSA cryptosystem require 1.5664 s and 1.0472 s, respectively, so these schemes are proven to ineffective. Compared with Mishra et al.'s [18] scheme based on symmetric key cryptography, the execution time of our scheme based on ECC was measured somewhat higher. However, symmetric key cryptography has a problem in that it becomes difficult to manage a key as the number of users communicating using the key increases [39]. In addition, when the sender and the receiver exchange keys, it is possible that the key will be captured by the attacker. Thus, we conclude that our proposed scheme also takes into account the needed efficiency.

As shown in Table 6, we also compared the message exchange cost and the memory capacity of the smart card between our scheme and the other associated schemes [18-20, 24, 25, 27-29]. Based on [20, 28], we assume that the output length of the values for [ID.sub.i], [PW.sub.i], hash function, [E.sub.p](a, b), prime p and [Pub.sub.s] is 160 bits long, and a large integer n of RSA is 1024 bits long. We also assume that the random numbers [R.sub.2] and [R.sub.3], symmetric encryption/decryption [E.sub.k]/[D.sub.k], fuzzy extractor value [par.sub.i] is 128 bits long, and time-stamp [T.sub.u], [T.sub.s] is 32 bits long. In Liu et al.'s scheme [29], the communication packets consist of two parts, a login request [M.sub.1] = {V, [F.sub.i], [R.sub.2]} and an authentication request [M.sub.2] = { W, [G.sub.i], [R.sub.3]}. Thus, the message exchange cost for the login request is (160+128+128) = 416 bits, and the authentication request is also (160+128+128) = 416 bits. In our proposed scheme, the messages composed of [M.sub.1] = {V, [D.sub.i], [F.sub.i], [T.sub.u]} and [M.sub.2] = {W, [G.sub.i], [T.sub.s]}. Thus, the message exchange cost for the login request is (160+160+160+32) = 512 bits, and the authentication request is (160+160+32) = 352 bits. In terms of the smart card's memory capacity, the smart card {[B.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h(*), CID, [C.sub.i], [D.sub.i]} in Liu et al.'s scheme [29] requires (160 X 7) = 1120 bits. In our scheme, the smart card {[A.sub.i], P, [E.sub.p](a, b), [Pub.sub.s], h(*), CID, [B.sub.i], [C.sub.i], [par.sub.i]} requires (160 x 7+128)=1248 bits. In conclusion, Table 6 shows that the message exchange cost for our proposed scheme is relatively lower when compared to those of the other schemes [18, 24, 25, 27, 28]. Even though our scheme needs slightly more memory capacity for the smart card than the other schemes, our authentication method guarantees safety against a various existing attacks, as is shown in Table 2.

8. Conclusion

In this paper, we analyzed the security weaknesses in Liu et al.'s scheme and demonstrated that their scheme uses an improper identification process for user biometrics and is susceptible to a server spoofing attack. In addition, we also showed that their scheme cannot provide a session key verification process. Therefore, we propose an extended version that addresses these defects. In our scheme, we use a fuzzy extractor to provide proper biometric identification and insert the session key verification process into the authentication phase to satisfy the requirements of the session key agreement. Our proposed scheme has been thoroughly assessed with respect to various security features, and a comparison of the performance of the proposed scheme against those presented in other studies was conducted. In conclusion, the proposed scheme is robust and exhibits a suitable efficiency.

References

[1] H. Takeda, Y. Matsumura, S. Kuwata, H. Nakano, N. Sakamoto and R. Yamamoto, "Architecture for networked electronic patient record systems," International journal of medical informatics, vol. 60, no. 2, pp. 161-167, November, 2000. Article (CrossRef Link)

[2] A.T. Chan, J. Cao, H. Chan and G. Young, "A web-enabled framework for smart card applications in health services," Communications of the ACM, vol. 44, no. 9, pp. 76-82, 2001. Article (CrossRef Link)

[3] S.H. Li, C.Y. Wang, W.H. Lu, Y.Y. Lin and D.C. Yen, "Design and implementation of a telecare information platform," Journal of medical systems, vol. 36, no. 3, pp. 1629-1650, 2012. Article (CrossRef Link)

[4] S. Gritzalis, C. Lambrinoudakis, D. Lekkas and S. Deftereos, "Technical guidelines for enhancing privacy and data protection in modern electronic medical environments," IEEE Transactions on Information Technology in Biomedicine, vol. 9, no. 3, pp. 413-423, 2005. Article (CrossRef Link)

[5] J. Hur and K. Kang, "Dependable and secure computing in medical information systems," Computer Communications, vol. 36, no. 1, pp. 20-28, 2012. Article (CrossRef Link)

[6] M. Nikooghadam and A. Zakerolhosseini, "Secure communication of medical information using mobile agents," Journal of medical systems, vol. 36, no. 6, pp. 3839-3850, 2012. Article (CrossRef Link)

[7] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, vol. 24, no. 11, pp. 770-772, 1981. Article (CrossRef Link)

[8] Z.Y. Wu, Y.C. Lee, F. Lai, H.C. Lee and Y. Chung, "A secure authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 3, pp. 1529-1535, 2010. Article (CrossRef Link)

[9] D. He, J. Chen and R. Zhang, "A more secure authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 3, pp. 1989-1995, 2012. Article (CrossRef Link)

[10] J. Wei, X. Hu and W. Liu, "An improved authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 36, no. 6, pp. 3597-3604, 2012. Article (CrossRef Link)

[11] D. Mishra, S. Mukhopadhyay, S. Kumari, M.K. Khan and A. Chaturvedi, "Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce," Journal of medical systems, vol. 38, no. 5, pp. 41, 2014. Article (CrossRef Link)

[12] Z.Y. Wu, Y. Chung, F. Lai and T.S. Chen, "A password-based user authentication scheme for the integrated EPR information system," Journal of medical systems, vol. 36, no. 2, pp. 631-638, 2012. Article (CrossRef Link)

[13] T.F. Lee, I.P. Chang, T.H. Lin and C.C. Wang, "A secure and efficient password-based user authentication scheme using smart cards for the integrated epr information system," Journal of medical systems, vol. 37, no. 3, pp. 1-7, 2013. Article (CrossRef Link)

[14] F. Wen, "A more secure anonymous user authentication scheme for the integrated EPR information system," Journal of medical systems, vol. 38, no. 5, pp. 1-7, 2014. Article (CrossRef Link)

[15] M.K. Khan, A. Chaturvedi, D. Mishra and S. Kumari, "On the security enhancement of integrated electronic patient records information systems," Computer Science and Information Systems, vol. 12, no. 2, pp. 857-872, 2015. Article (CrossRef Link)

[16] A.K. Das, "A secure and robust password-based remote user authentication scheme using smart cards for the integrated epr information system," Journal of medical systems, vol. 39, no. 3, pp. 1-14, 2015. Article (CrossRef Link)

[17] C.T. Li, C.Y. Weng, C.C. Lee and C.C. Wang, "A hash based remote user authentication and authenticated key agreement scheme for the integrated EPR information system," Journal of medical systems, vol. 39, no. 11, pp. 1-11, 2015. Article (CrossRef Link)

[18] D. Mishra, S. Mukhopadhyay, A. Chaturvedi, S. Kumari and M.K. Khan, "Cryptanalysis and improvement of Yan et al.'s biometric-based authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 38, no. 6, pp. 24, 2014. Article (CrossRef Link)

[19] X. Xu, P. Zhu, Q. Wen, Z. Jin, H. Zhang and L. He, "A secure and efficient authentication and key agreement scheme based on ecc for telecare medicine information systems," Journal of medical systems, vol. 38, no. 1, pp. 1-7, 2014. Article (CrossRef Link)

[20] S.H. Islam and M.K. Khan, "Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems," Journal of medical systems, vol. 38, no. 10, pp. 1-16, 2014. Article (CrossRef Link)

[21] D. Mishra, "Understanding Security Failures of Two Authentication and Key Agreement Schemes for Telecare Medicine Information Systems," Journal of medical systems, vol. 39, no. 3, pp. 19, 2015. Article (CrossRef Link)

[22] T.F. Lee, "An efficient chaotic maps-based authentication and key agreement scheme using smartcards for telecare medicine information systems," Journal of medical systems, vol. 37, no. 6, pp. 9985, 2013. Article (CrossRef Link)

[23] S.A. Chaudhry, H. Naqvi, T. Shon, M. Sher and M.S. Farash, "Cryptanalysis and improvement of an improved two factor authentication protocol for telecare medical information systems," Journal of Medical Systems, vol. 39, no. 6, pp. 66, 2015. Article (CrossRef Link)

[24] M. Wazid, A.K. Das, S. Kumari, X. Li and F. Wu, "Design of an efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS," Security and Communication Networks, vol. 9, no. 13, pp. 1983-2001, 2016. Article (CrossRef Link)

[25] A. Irshad, M. Sher, O. Nawaz, S.A. Chaudhry, I. Khan and S. Kumari, "A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al.'scheme," Multimedia Tools and Applications, pp. 1-27, 2016. Article (CrossRef Link)

[26] S.A. Chaudhry, M.T. Khan, M.K. Khan and T. Shon, "A multiserver biometric authentication scheme for TMIS using elliptic curve cryptography," Journal of medical systems, vol. 40, no. 11, pp. 230. Article (CrossRef Link)

[27] D. Giri, T. Maitra, R. Amin and P.D. Srivastava, "An Efficient and Robust RSA-Based Remote User Authentication for Telecare Medical Information Systems," Journal of medical systems, vol. 39, no. 1, pp. 1-9, 2015. Article (CrossRef Link)

[28] R, Amin and G.P. Biswas, "An improved rsa based user authentication and session key agreement protocol usable in TMIS," Journal of Medical Systems, vol. 39, no. 8, pp. 1-14, 2015. Article (CrossRef Link)

[29] W. Liu, Q. Xie, S. Wang and B. Hu, "An improved authenticated key agreement protocol for telecare medicine information system," SpringerPlus, vol. 5, no. 1, pp. 555, 2016. Article (CrossRef Link)

[30] N. Koblitz, "Elliptic curve cryptosystems," Mathematics of computation, vol. 48, no. 177, pp. 203-209, 1987. Article (CrossRef Link)

[31] Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 523-540, 2004. Article (CrossRef Link)

[32] X. Li, Q. Wen, W. Li, H. Zhang and Z. Jin, "Secure privacy-preserving biometric authentication scheme for telecare medicine information systems," Journal of medical systems, vol. 38, no. 11, pp. 1-8, 2014. Article (CrossRef Link)

[33] M. Zhang, J. Zhang and Y. Zhang, "Remote three-factor authentication scheme based on Fuzzy extractors," Security and Communication Networks, vol. 8, no. 4, pp. 682-693, 2015. Article (CrossRef Link)

[34] Y. Choi, Y. Lee and D. Won, "Security improvement on biometric based authentication scheme for wireless sensor networks using fuzzy extraction," International Journal of Distributed Sensor Networks, vol. 2016, pp. 2, 2016. Article (CrossRef Link)

[35] P. Kocher, J. Jaffe, and B. Jun, "Differential power analysis," in Proc. of Advances in Cryptology (CRYPTO'99), 388-397, 1999.

[36] J. Kim, D. Lee, W. Jeon, Y. Lee and D. Won, "Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks," Sensors, vol. 14, no. 4, pp. 6443-6462, 2014. Article (CrossRef Link)

[37] J. Moon, Y. Choi, J. Kim and D. Won, "An Improvement of Robust and Efficient Biometrics Based Password Authentication Scheme for Telecare Medicine Information Systems Using Extended Chaotic Maps," Journal of medical systems, vol. 40, no. 3, pp. 1-11, 2016. Article (CrossRef Link)

[38] D. Kang, J. Jung, J. Mun, D. Lee, Y. Choi and D. Won, "Efficient and robust user authentication scheme that achieve user anonymity with a Markov chain," Security and Communication Networks, vol. 9, no. 11, pp. 1462-1476, 2016. Article (CrossRef Link)

[39] W. Stallings, Cryptography and network security: principles and practices, Pearson Education India, 2006.

[40] H.C. Hsiang and W.K. Shih, "Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment," Computer Standards & Interfaces, vol. 31, no. 6, pp. 1118-1123, 2009. Article (CrossRef Link)

[41] S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," in Proc. of IMA International Conference on Cryptography and Coding, pp. 30-45, 1997. Article (CrossRef Link)

[42] S.H. Islam, M.K. Khan and X. Li, "Security analysis and improvement of 'a more secure anonymous user authentication scheme for the integrated EPR information system'," PloS one, vol. 10, no. 8, pp. e0131368, 2015. Article (CrossRef Link)

[43] M. Burrows, M. Abadi and R. Needham, "A logic of authentication," ACM Transactions on Computer System, vol. 8, pp. 18-36, 1990. Article (CrossRef Link)

[44] M. Abdalla, P. A. Fouque and D. Pointcheval, "Password-based authenticated key exchange in the three-party setting," in Proc. of International Workshop on Public Key Cryptography, Springer Berlin Heidelberg, pp. 65-84, 2005. Article (CrossRef Link)

[45] AVISPA, Automated validation of internet security protocols and applications, http://www.avispa-project.org/.

[46] O. Mir, J. Munilla and S. Kumari, "Efficient anonymous authentication with key agreement protocol for wireless medical sensor networks," Peer-to-Peer Networking and Applications, vol. 10, no. 1, pp. 79-91, 2017. Article (CrossRef Link)

[47] T. F. Lee, "Provably secure anonymous single-sign-on authentication mechanisms using extended Chebyshev chaotic maps for distributed computer networks," IEEE Systems Journal, 2015. Article (CrossRef Link)

[48] V. Boyko, P. MacKenzie and S. Patel, "Provably secure password-authenticated key exchange using Diffie-Hellman," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, Springer Berlin Heidelberg, pp. 156-171, 2000. Article (CrossRef Link)

[49] D. von Oheimb, "The high-level protocol specification language HLPSL developed in the EU project AVISPA," in Proc. of APPSEM workshop, pp. 1-17, 2005.

[50] D. Dolev and A. Yao, "On the security of public key protocols," IEEE Transactions on information theory, vol. 29, no. 2, pp. 198-208, 1983. Article (CrossRef Link)

[51] A. K. Das, "A secure user anonymity-preserving three-factor remote user authentication scheme for the telecare medicine information systems," Journal of medical systems, vol. 39, no. 3, pp. 1-20, 2015. Article (CrossRef Link)

[52] W. Dai, Crypto++ Library, 5.6.1., http://www.cryptopp.com, 2011.

[53] A. K. Sutrala, A. K. Das, V. Odelu, M. Wazid and S. Kumari, "Secure anonymity-preserving password-based user authentication and session key agreement scheme for telecare medicine information systems," Computer Methods and Programs in Biomedicine, vol. 135, pp. 167-185, 2016. Article (CrossRef Link)

[54] M. H. Ibrahim, S. Kumari, A. K. Das, M. Wazid and V. Odelu, "Secure anonymous mutual authentication for star two-tier wireless body area networks," Computer methods and programs in biomedicine, vol. 135, pp. 37-50, 2016. Article (CrossRef Link)

[55] M. Wazid, A. K. Das, S. Kumari, X. Li and F. Wu, "Provably secure biometric-based user authentication and key agreement scheme in cloud computing," Security and Communication Networks, vol. 9, no. 17, pp. 4103-4119, 2016. Article (CrossRef Link)

[56] M. Wazid, S. Zeadally, A. K. Das and V. Odelu, "Analysis of Security Protocols for Mobile Healthcare," Journal of medical systems, vol. 40, no. 11, pp. 1-10, 2016. Article (CrossRef Link)

[57] S. Challa, M. Wazid, A. K. Das, N. Kumar, A. G. Reddy, E. J. Yoon and K. Y. Yoo, "Secure Signature-Based Authenticated Key Establishment Scheme for Future IoT Applications," IEEE Access, vol. 5, pp. 3028-3043, 2017. Article (CrossRef Link)

[ILLUSTRATION OMITTED]

Jaewook Jung received the M.S. degree in Electrical and Computer Engineering from Sungkyunkwan University, Korea in 2012. He is currently undertaking a Ph.D. course in Electrical and Computer Engineering at Sungkyunkwan University. His current research interests are in the areas of cryptography, forensics, authentication protocols, and mobile security

[ILLUSTRATION OMITTED]

Jongho Moon received the B.S. degree in Electrical and Computer Engineering from Sungkyunkwan University, Korea in 2012 and the M.S. degree in Electrical and Computer Engineering from Sungkyunkwan University, Korea in 2014. He is currently undertaking a Ph.D. course on Electrical and Computer Engineering in Sungkyunkwan University. His current research interests are reversing, cryptography, authentication protocols, and malware detection.

[ILLUSTRATION OMITTED]

Dongho Won received the B.S., M.S. and Ph.D. in Electronic Engineering from Sungkyunkwan University, South Korea. After working in the Electronics and Telecommunication Research Institute for two years, he joined Sungkyunkwan University, where he is currently a leader professor of Information and Communication Engineering. He also served as a President of the Korea Institute of Information Security and Cryptography. He has published 111 papers in international journals (SCI&SCIE) and presented 226 papers in international conferences. His research interests are in cryptology and Information Security.

Jaewook Jung, Jongho Moon and Dongho Won

Department of Computer Engineering, Sungkyunkwan University, 2066 Seoburo, Suwon, Gyeonggido 440-746, Republic of Korea.

[e-mail: jwjung@security.re.kr; jhmoon@security.re.kr; dhwon@security.re.kr]

(*) Corresponding author: Dongho Won

Received November 16, 2016; revised March 22, 2017; accepted April 23, 2017; published July 31, 2017

This research was supported by Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Education(NRF-2010-0020210)

Table 1. Notation Notation Description [U.sub.i] User S TMIS server [ID.sub.i], [PW.sub.i] U's identity and password Bio U's biometric information s Master secret key of S [Pub.sub.s] Public key of S [E.sub.p](a, b) Elliptic curve on a prime field [F.sub.p] [E.sub.k]/[D.sub.k] Encrypt/Decrypt operation with symmetric key k Gen[??]/Rep[??] Fuzzy extractor [R.sub.1], [R.sub.2], [R.sub.3] Random numbers CID Smart card's identity h[??] One-way hash function [parallel] Concatenation operation [symmetry] XOR operation [T.sub.u], [T.sub.s] Time-stamps of U and S Table 2. Security comparison Schemes Mishra Xu et Islam & Features et al.'s al.'s Khan's [18] [19] [20] User anonymity [square root] [square root] [square root] Mutual [square root] [square root] [square root] authentication Proper biometric [square root] -- -- identification Off-line pw [square root] [square root] [square root] guessing attack Impersonation [square root] [square root] x attack Server spoofing x [square root] [square root] attack Session key [square root] [square root] [square root] verification Replay attack [square root] x [square root] Insider attack [square root] x [square root] Provides smart x x [square root] card revocation Provides formal x x [square root] security proof Schemes Wazid Irshad Giri et Features et al. et al. al.'s [24] [25] [27] User anonymity [square root] [square root] x Mutual [square root] [square root] [square root] authentication Proper biometric [square root] [square root] -- identification Off-line pw [square root] [square root] x guessing attack Impersonation [square root] [square root] [square root] attack Server spoofing [square root] [square root] [square root] attack Session key [square root] [square root] x verification Replay attack [square root] [square root] x Insider attack [square root] [square root] x Provides smart x x x card revocation Provides formal [square root] [square root] x security proof Schemes Amin & Liu et Our Features Biswas's al.'s Scheme [28] [29] User anonymity [square root] [square root] [square root] Mutual [square root] [square root] [square root] authentication Proper biometric -- x [square root] identification Off-line pw x [square root] [square root] guessing attack Impersonation [square root] [square root] [square root] attack Server spoofing [square root] x [square root] attack Session key [square root] x [square root] verification Replay attack x [square root] [square root] Insider attack [square root] [square root] [square root] Provides smart x [square root] [square root] card revocation Provides formal [square root] [square root] [square root] security proof Table 3. Computational overhead comparison Phases Registration Schemes Mishra et al.'s [18] 4[T.sub.H] + 1[T.sub.S] Xu et al.'s [19] 2[T.sub.H] Islam & Khan's [20] 2[T.sub.H]+2[T.sub.M] Wazid et al. [24] 6[T.sub.H] + 1[T.sub.S] + 1[T.sub.Fe] Irshad et al. [25] 4[T.sub.H] + 1[T.sub.M] + 1[T.sub.S] + 1[T.sub.Fe] Giri et al.'s [27] 3[T.sub.H] + 1[T.sub.E] Amin & Biswas's [28] 5[T.sub.H] Liu et al.'s [29] 4[T.sub.H] Proposed Scheme 4[T.sub.H] + 1[T.sub.Fe] Phases Login and Schemes authentication Mishra et al.'s [18] 14[T.sub.H] + 2[T.sub.S] Xu et al.'s [19] 12[T.sub.H] + 6[T.sub.M] Islam & Khan's [20] 10[T.sub.H] + 5[T.sub.M] + 1[T.sub.A] Wazid et al. [24] 14[T.sub.H] + 3[T.sub.M] + 2[T.sub.S] + 2T.4 + 1[T.sub.Fe] Irshad et al. [25] 17[T.sub.H] + 11[T.sub.M] + 4[T.sub.S] + 1[T.sub.Fe] Giri et al.'s [27] 9[T.sub.H] + 1[T.sub.E] Amin & Biswas's [28] 13[T.sub.H] + 2[T.sub.E] Liu et al.'s [29] 11[T.sub.H] + 6[T.sub.M] + 4[T.sub.S] Proposed Scheme 7[T.sub.H] + 6[T.sub.M] + 1[T.sub.Fe] Phases Password Schemes change Mishra et al.'s [18] 6[T.sub.H] Xu et al.'s [19] 2[T.sub.H] Islam & Khan's [20] 4[T.sub.H] + 1[T.sub.M] Wazid et al. [24] 8[T.sub.H] + 2[T.sub.Fe] Irshad et al. [25] 8[T.sub.H] + 1[T.sub.M] + 1[T.sub.Fe] Giri et al.'s [27] 5[T.sub.H] + 1[T.sub.E] Amin & Biswas's [28] 8[T.sub.H] Liu et al.'s [29] 5[T.sub.H] Proposed Scheme 5[T.sub.H] + 1[T.sub.Fe] Phases Total Schemes Mishra et al.'s [18] 24[T.sub.H] + 3[T.sub.S] Xu et al.'s [19] 15[T.sub.H] + 6[T.sub.M] Islam & Khan's [20] 16[T.sub.H] + 8[T.sub.M] + 1[T.sub.A] Wazid et al. [24] 28[T.sub.H] + 3[T.sub.M] + 3[T.sub.S] + 2[T.sub.A] + 4[T.sub.Fe] Irshad et al. [25] 29[T.sub.H] + 13[T.sub.M] + 5[T.sub.S] + 3[T.sub.Fe] Giri et al.'s [27] 17[T.sub.H] + 3[T.sub.E] Amin & Biswas's [28] 26[T.sub.H] + 2[T.sub.E] Liu et al.'s [29] 20[T.sub.H] + 6[T.sub.M] + 4[T.sub.S] Proposed Scheme 16[T.sub.H] + 6[T.sub.M] + 3[T.sub.Fe] Table 4. Simulation environment and execution time for each operation Feature Description Operating system 64-bit Windows 8 Compiler Visual C++ 2013 Software Cryptographic Library Crypto++ Library, 5.6.1 [52] Processor Intel(R) Core(TM) i5-4160 CPU, 3.60 GHz Memory (RAM) 8.0 GB Operations Execution time (seconds) Operations [T.sub.H] [approximately equal to] 0.0002 s [T.sub.E] [T.sub.M] [approximately equal to] 0.062 s [T.sub.A] [T.sub.S] [approximately equal to] 0.0086 s [T.sub.Fe] Operations Execution time (seconds) [T.sub.H] [approximately equal to] 0.521 s [T.sub.M] [approximately equal to] 0.006 s [T.sub.S] [approximately equal to] 0.062 s Table 5. Execution time comparison between our scheme and other schemes Schemes Mishra et al.'s Feature [18] Execution time [approximately equal to] 0.0306 s Schemes Giri et al.'s Feature [27] Execution time [approximately equal to] 1.5664 s Schemes Xu et al.'s Feature [19] Execution time [approximately equal to] 0.375 s Schemes Amin & Biswas's Feature [28] Execution time [approximately equal to] 1.0472 s Schemes Islam & Khan's Feature [20] Execution time [approximately equal to] 0.5052 s Schemes Liu et al.'s Feature [29] Execution time [approximately equal to] 0.4104 s Schemes Wazid et al. Irshad et al. Feature [24] [25] Execution time [approximately equal to] [approximately equal to] 0.4774 s 1.0408 s Schemes Proposed Scheme Feature Execution time [approximately equal to] 0.5612 s Table 6. Comparison of the message exchange cost and memory capacity of the smart card Feature Login phase Authentication Total cost Smart card Scheme phase Mishra et al.'s [18] 416 bits 608 bits 1024 bits 768 bits Xu et al.'s [19] 512 bits 352 bits 864 bits 768 bits Islam & Khan's [20] 512 bits 352 bits 864 bits 1088 bits Wazid et al. [24] 480 bits 640 bits 1120 bits 1184 bits Irshad et al. [25] 672 bits 640 bits 1312 bits 1088 bits Giri et al.'s [27] 1472 bits 288 bits 1760 bits 2656 bits Amin & Biswas's [28] 1344 bits 288 bits 1632 bits 1504 bits Liu et al.'s [29] 416 bits 416 bits 832 bits 1120 bits Proposed Scheme 512 bits 352 bits 864 bits 1248 bits

Printer friendly Cite/link Email Feedback | |

Author: | Jung, Jaewook; Moon, Jongho; Won, Dongho |
---|---|

Publication: | KSII Transactions on Internet and Information Systems |

Article Type: | Report |

Date: | Jul 1, 2017 |

Words: | 16049 |

Previous Article: | Novel multi-user conjunctive keyword search against keyword guessing attacks under simple assumptions. |

Next Article: | AKA-PLA: Enhanced AKA based on physical layer authentication. |

Topics: |