Yun Zhao,Wenbo Shi

DOI: https://doi.org/10.11591/telkomnika.v12i10.5407

2014-01-01

Abstract:The telecare medical information system (TMIS) could improve quality of medical care since it allows patients to enjoy health-care delivery services in their home. However, the privacy and security influence the development of the TMIS since it is employed in open networks. Recently, Wu and Xu proposed a privacy authentication scheme for the TMIS and claimed that their scheme could overcome weaknesses in previous schemes. However, we will demonstrate that their scheme is venerable to the server spoofing attack and cannot provide user anonymity. To overcome weaknesses in their scheme, we also propose a new authentication scheme for the TMIS. Analysis shows that our scheme not only overcome weaknesses in Wu et al.’s scheme, but also has better performance.

XIE Qi,CHEN De-ren,YU Xiu-yuan

IF: 2.034

2010-01-01

Systems Engineering

Abstract:In 2009, Park, et al. proposed an efficient remote user authentication protocol. They claimed that their protocol was the first password and smart card based remote user authentication scheme which can resist the off-line password guessing attack, and had many advantages over existing solutions such as no password tables and timestamp, low communication and computational costs. However, this paper shows that their protocol cannot resist the forgery attack and off-line password guessing attack. To overcome the security weaknesses, two improved schemes based on either nonce or timestamp without affecting the merits of the Park, et al. scheme are proposed. Technical discussions are provided to show that the improved protocol is secure, efficient and practical.

Xiong Li,Jianwei Niu,Marimuthu Karuppiah,Saru Kumari,Fan Wu

DOI: https://doi.org/10.1007/s10916-016-0629-8

IF: 4.92

2016-01-01

Journal of Medical Systems

Abstract:Benefited from the development of network and communication technologies, E-health care systems and telemedicine have got the fast development. By using the E-health care systems, patient can enjoy the remote medical service provided by the medical server. Medical data are important privacy information for patient, so it is an important issue to ensure the secure of transmitted medical data through public network. Authentication scheme can thwart unauthorized users from accessing services via insecure network environments, so user authentication with privacy protection is an important mechanism for the security of E-health care systems. Recently, based on three factors (password, biometric and smart card), an user authentication scheme for E-health care systems was been proposed by Amin et al., and they claimed that their scheme can withstand most of common attacks. Unfortunate, we find that their scheme cannot achieve the untraceability feature of the patient. Besides, their scheme lacks a password check mechanism such that it is inefficient to find the unauthorized login by the mistake of input a wrong password. Due to the same reason, their scheme is vulnerable to Denial of Service (DoS) attack if the patient updates the password mistakenly by using a wrong password. In order improve the security level of authentication scheme for E-health care application, a robust user authentication scheme with privacy protection is proposed for E-health care systems. Then, security prove of our scheme are analysed. Security and performance analyses show that our scheme is more powerful and secure for E-health care systems when compared with other related schemes.

Fan Wu,Lili Xu

DOI: https://doi.org/10.1007/s10916-013-9958-z

IF: 4.92

2013-01-01

Journal of Medical Systems

Abstract:Nowadays, patients can gain many kinds of medical service on line via Telecare Medical Information Systems(TMIS) due to the fast development of computer technology. So security of communication through network between the users and the server is very significant. Authentication plays an important part to protect information from being attacked by malicious attackers. Recently, Jiang et al. proposed a privacy enhanced scheme for TMIS using smart cards and claimed their scheme was better than Chen et al.’s. However, we have showed that Jiang et al.’s scheme has the weakness of ID uselessness and is vulnerable to off-line password guessing attack and user impersonation attack if an attacker compromises the legal user’s smart card. Also, it can’t resist DoS attack in two cases: after a successful impersonation attack and wrong password input in Password change phase. Then we propose an improved mutual authentication scheme used for a telecare medical information system. Remote monitoring, checking patients’ past medical history record and medical consultant can be applied in the system where information transmits via Internet. Finally, our analysis indicates that the suggested scheme overcomes the disadvantages of Jiang et al.’s scheme and is practical for TMIS.

Dheerendra Mishra,Sourav Mukhopadhyay

DOI: https://doi.org/10.48550/arXiv.1309.5255

2013-09-20

Abstract:Remote user authentication is desirable for a Telecare medicine information system (TMIS) to verify the correctness of remote users. In 2013, Jiang et al. proposed privacy preserving authentication scheme for TMIS. Recently, Wu and Xu analyzed Jiang's scheme and identify serious security flaws in their scheme, namely, user impersonation attack, DoS attack and off-line password guessing attack. In this article, we analyze Wu and Xu's scheme and show that their scheme is also vulnerable to off-line password guessing attack and does not protect user anonymity. Moreover, we identify the inefficiency of incorrect input detection of the login phase in Wu and Xu's scheme, where the smart card executes the login session in-spite of wrong input.

Cryptography and Security

s k hafizul islam,muhammad khurram khan,xiong li

DOI: https://doi.org/10.1371/journal.pone.0131368

IF: 3.7

2015-01-01

PLoS ONE

Abstract:Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.'s scheme for integrated electronic patient record (EPR) information system, which has been analyzed in this study. We have found that Wen's scheme still has the following inefficiencies: (1) the correctness of identity and password are not verified during the login and password change phases; (2) it is vulnerable to impersonation attack and privileged-insider attack; (3) it is designed without the revocation of lost/stolen smart card; (4) the explicit key confirmation and the no key control properties are absent, and (5) user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature.

Chun-Ta Li,Tsu-Yang Wu,Chin-Ling Chen,Cheng-Chi Lee,Chien-Ming Chen

DOI: https://doi.org/10.3390/s17071482

2017-06-23

Abstract:In recent years, with the increase in degenerative diseases and the aging population in advanced countries, demands for medical care of older or solitary people have increased continually in hospitals and healthcare institutions. Applying wireless sensor networks for the IoT-based telemedicine system enables doctors, caregivers or families to monitor patients' physiological conditions at anytime and anyplace according to the acquired information. However, transmitting physiological data through the Internet concerns the personal privacy of patients. Therefore, before users can access medical care services in IoT-based medical care system, they must be authenticated. Typically, user authentication and data encryption are most critical for securing network communications over a public channel between two or more participants. In 2016, Liu and Chung proposed a bilinear pairing-based password authentication scheme for wireless healthcare sensor networks. They claimed their authentication scheme cannot only secure sensor data transmission, but also resist various well-known security attacks. In this paper, we demonstrate that Liu-Chung's scheme has some security weaknesses, and we further present an improved secure authentication and data encryption scheme for the IoT-based medical care system, which can provide user anonymity and prevent the security threats of replay and password/sensed data disclosure attacks. Moreover, we modify the authentication process to reduce redundancy in protocol design, and the proposed scheme is more efficient in performance compared with previous related schemes. Finally, the proposed scheme is provably secure in the random oracle model under ECDHP.

Shengbao Wang,Xin Zhou,Kang Wen,Bosen Weng,Peng Zeng

DOI: https://doi.org/10.1109/jiot.2022.3228921

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Very recently, Masud et al. (2022) proposed a lightweight and anonymity-preserving user authentication scheme to establish secure communication between the doctor, the gateway, and sensor nodes in IoT-based healthcare, aiming to ensure the privacy of the patients’ physiological data. In this article, however, we carefully revisit their scheme and first point out that the scheme is not practically implementable in its current form, and second we show that it is vulnerable to session key disclosure attacks, off-line password guessing attacks, and traceability attacks, under the assumption that the attacker can gain access to the sensor nodes and the doctor’s device. We also propose fixes for each of these issues or vulnerabilities.

Debiao He,Ding Wang,Shuhua Wu

DOI: https://doi.org/10.5755/j01.itc.42.2.2554

2013-01-01

Abstract:Recently, Chen et al. [B. Chen, W. Kuo, L. Wuu, A secure password-based remote user authentication scheme without smart cards, Information Technology and Control 41(1) (2012) 53-59] proposed a secure password-based remote user authentication scheme without smart cards and claimed that their scheme could withstand various attacks. Although Chen et al.’s scheme has many benefits; we find that it is vulnerable to the device stolen attack and the privileged insider attack. We also find that their scheme does not support perfect forward secrecy and no key control. Therefore, we propose an improved scheme to overcome weaknesses and maintain the benefits of the original scheme. DOI: http://dx.doi.org/10.5755/j01.itc.42.2.2554

Qi Jiang,Zhiren Chen,Bingyan Li,Jian Shen,Li Yang,Jianfeng Ma

DOI: https://doi.org/10.1007/s12652-017-0516-2

IF: 3.662

2017-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:The deployment of telecare medical information system (TMIS) over public networks gives rise to the threat of exposing sensitive medical information to illegal entities. Although a number of three-factor authentication (3FA) schemes have been developed to address this challenge, most of them are found to be flawed. Understanding security and privacy failures of authentication protocols is a prerequisite to both fixing existing protocols and designing future ones. In this paper, we investigate the 3FA protocol of Lu et al. for TMIS (J Med Syst 39:32, 2015) and reveal that it cannot achieve the claimed security and privacy goals. (1) It fails to provide anonymity and untraceability, and is susceptible to the following attacks targeting user privacy: identity revelation attack, identity guessing attack and tracking attack. (2) It is susceptible to offline password guessing attack, user impersonation attack, and server impersonation attack. Then we present an improved 3FA scheme and show that the new scheme fulfills session key secrecy and mutual authentication using the formal verification tool ProVerif. Moreover, detailed heuristic security analysis is also presented to demonstrate that our new scheme is capable of withstanding various attacks, and provides desired security features. Additionally, performance analysis shows that our proposed protocol is a practical solution for TMIS.

Feifei Wang,Guoai Xu,Lize Gu

DOI: https://doi.org/10.1155/2019/4656281

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Nowadays, remote user authentication protocol plays a great role in ensuring the security of data transmission and protecting the privacy of users for various network services. In this study, we discover two recently introduced anonymous authentication schemes are not as secure as they claimed, by demonstrating they suffer from offline password guessing attack, desynchronization attack, session key disclosure attack, failure to achieve user anonymity, or forward secrecy. Besides, we reveal two environment-specific authentication schemes have weaknesses like impersonation attack. To eliminate the security vulnerabilities of existing schemes, we propose an improved authentication scheme based on elliptic curve cryptosystem. We use BAN logic and heuristic analysis to prove our scheme provides perfect security attributes and is resistant to known attacks. In addition, the security and performance comparison show that our scheme is superior with better security and low computation and communication cost.

Zhen-Fu Cao,Da-Zhi Sun

DOI: https://doi.org/10.1109/ICMLC.2006.259062

2006-01-01

Abstract:For providing the login service in multi-server environments, Fan, Xu, and Li presented a remote user authentication scheme using smart cards. In this paper, we demonstrate that Fan-Xu-Li's scheme is vulnerable to the parallel session attack. That is, when a legal user logs in a server, an adversary without knowing any secret information can easily impersonate the user to log in other authorized servers. It means that a serious security flaw exists in Fan-Xu-Li's scheme. In addition to being practical, it is desirable to avoid relying on timestamps for security in their scheme. We therefore propose an improved scheme to overcome above disadvantages. As a unilateral authentication mechanism, our improved scheme is more suitable for real-life cryptographic applications than Fan-Xu-Li's scheme.

Siqiong Fan,Zhenfu Cao,Xiaolei Dong

DOI: https://doi.org/10.1049/cp.2014.1279

2014-01-01

Abstract:Remote user authentication scheme has been widely adopted in the cyberworld to provide security and privacy because of various online threats and insecure communications. In the past few decades, many smart card-based authentication schemes are put forward. In such schemes, a user only need to maintain an identity and a password and employ a smart card to fulfill the authentication with a remote server. In 2014, Lee et al. put forward an authentication scheme using smart based on the hash function. However, we find that novel as it is, the scheme still has some severe security and performance weaknesses such as a verification table should stored in their scheme, it is easy to suffer the stolen verifier attack. Besides, it has the problem of synchronization between the server and users, failure of protecting users' anonymity and it is unfriendly to users since the inability of supporting changing the password freely. In this paper, we propose an improved authentication scheme supporting the Diffie-Hellman key exchange protocol using hash functions and the ElGamal cryptosystem. Besides the drawbacks in Lee et al.'s scheme, our proposed scheme overcomes the offline password guessing attack, man-in-the-middle attack and so on. At last, we show that our scheme is more suitable and secure for practical use.

Qi Jiang,Bingyan Li,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-319-49106-6_89

2017-01-01

Abstract:Although a number of three-factor authentication schemes have been developed to ensure that sensitive medical information are only available to legal users in telecare medical information system, most of them are found to be flawed. Understanding security and privacy failures of authentication protocols is a prerequisite to both fixing existing protocols and designing future ones. In this paper, we analyze an enhanced three-factor authentication scheme of Lu et al., and reveal that it cannot achieve the claimed security and privacy goals. (1) It fails to provide anonymity and untraceability, and is susceptible to the following attacks targeting user privacy: identity revelation attack and tracking attack. (2) It is also susceptible to offline password guessing attack, user impersonation attack, and server impersonation attack.

Wang Yuanbing,Liu Wanrong,Li Bin

DOI: https://doi.org/10.1109/access.2021.3099299

IF: 3.9

2021-01-01

IEEE Access

Abstract:With the rapid development and evolution of wireless network technology, electronic health has shown great potential in continuously monitoring the health of patients. The wireless medical sensor network (WMSN) has played an important role in this field. In WMSN, medical sensors are placed on patients to collect relevant health data and transmitted to medical professionals in hospitals or at home through insecure channels. These health data need to be highly protected because they contain patient-related private information. Once the information is leaked or maliciously modified, it will cause the wrong diagnosis and endanger the health of patients. To protect information privacy and security from being stolen by illegal users, this article reviews the solutions of Farash et al. and further points out the existing vulnerabilities, such as privileged insider attack, user anonymity invalidation, and offline password guessing attack. In order to overcome these drawbacks, we use the Elliptic Curve Cryptography to propose an improved anonymous authentication protocol for a smart healthcare system. The security of our protocol is verified by Burrows-Abadi-Needham logic and Automated Validation of Internet Security Protocols and Applications (AVISPA) tools, and security features and efficiency analysis are performed with other related schemes. The results show that the improved protocol provides better security protection while ensuring computational and communication efficiency.

Wenting Li,Bin Li,Yiming Zhao,Ping Wang,Fushan Wei

DOI: https://doi.org/10.1155/2018/8539674

2018-01-01

Abstract:Nowadays wireless sensor networks (WSNs) have drawn great attention from both industrial world and academic community. To facilitate real-time data access for external users from the sensor nodes directly, password-based authentication has become the prevalent authentication mechanism in the past decades. In this work, we investigate three foremost protocols in the area of password-based user authentication scheme for WSNs. Firstly, we analyze an efficient and anonymous protocol and demonstrate that though this protocol is equipped with a formal proof, it actually has several security loopholes been overlooked, such that it cannot resist against smart card loss attack and violate forward secrecy. Secondly, we scrutinize a lightweight protocol and point out that it cannot achieve the claimed security goal of forward secrecy, as well as suffering from user anonymity violation attack and offline password guessing attack. Thirdly, we find that an anonymous scheme fails to preserve two critical properties of forward secrecy and user friendliness. In addition, by adopting the "perfect forward secrecy (PFS)" principle, we provide several effective countermeasures to remedy the identified weaknesses. To test the necessity and effectiveness of our suggestions, we conduct a comparison of 10 representative schemes in terms of the underlying cryptographic primitives used for realizing forward secrecy.

Wenbo Shi,Debiao He,Shuhua Wu

DOI: https://doi.org/10.1504/ijict.2014.057971

2013-01-01

International Journal of Information and Communication Technology

Abstract:n authentication scheme allows the user and the server to authenticate each other and establish a session key for future communication in an open network. Very recently, Wen et al. proposed a DoS-resistant ID-based password authentication scheme without using smart card. They claimed that their scheme could overcome various attacks. However, in this paper, we will point out that Wen et al.'s scheme is vulnerable to an impersonation attack and a privileged insider attack. To overcome weaknesses, we also propose an improved scheme. The analysis shows our scheme not only overcomes weaknesses in Wen et al.'s scheme but also has better performance. Then our scheme is more suitable for practical applications.

Mengxia Shuai,Nenghai Yu,Hongxia Wang,Ling Xiong,Yue Li

DOI: https://doi.org/10.4018/joeuc.20210501.oa1

2021-01-01

Journal of Organizational and End User Computing

Abstract:Security and privacy issues in wireless medical sensor networks (WMSNs) have attracted lots of attention in both academia and industry due to the sensitiveness of medical system. In the past decade, extensive research has been carried out on these security issues, but no single study exists that addresses them adequately, especially for some important security properties, such as user anonymity and forward secrecy. As a step towards this direction, in this paper, the authors propose a lightweight three -factor anonymous authentication scheme with forward secrecy for personalized healthcare applications using only the lightweight cryptographic primitives. The proposed scheme adopts pseudonym identity technique to protect users' real identities and employs one-way hash chain technique to ensure forward secrecy. Analysis and comparison results demonstrate that the proposed scheme can not only reduce execution time by 34% as compared with the most effective related schemes, but also achieve more security and functional features.

Saru Kumari,Muhammad Khurram Khan,Xiong Li,Fan Wu

DOI: https://doi.org/10.1002/dac.2853

2014-01-01

International Journal of Communication Systems

Abstract:SummaryRecently, Jiang et al. and He et al. independently found security problems in Chen et al.'s remote user authentication scheme for non‐tamper‐proof storage devices like Universal Serial Bus stick and proposed improvements. Nonetheless, we detect that the schemes proposed by Jiang et al. and He et al. overlook a user's privacy. We also observe that Jiang et al.'s scheme is vulnerable to insider attack and denial of service attacks and lacks forward secrecy. We point out that the password changing facility in He et al.'s scheme is equivalent to undergoing registration, whereas in Jiang et al.'s scheme, it is unsuitable. Moreover, the login phase of both the schemes is incapable to prevent the use of wrong password leading to the computation of an unworkable login request. Therefore, we design a new scheme with user anonymity to surmount the identified weaknesses. Without adding much in communication/computational cost, our scheme provides more security characteristics and keeps the merits of the original schemes. As compared with its predecessor schemes, the proposed scheme stands out as a more apt user authentication method for common storage devices. We have also presented a formal proof of security of the proposed scheme based on the logic proposed by Burrows, Abadi and Needham (BAN logic). Copyright © 2014 John Wiley & Sons, Ltd.

Guoai Xu,Feifei Wang,Miao Zhang,Junhao Peng

DOI: https://doi.org/10.1109/access.2020.2978891

IF: 3.9

2020-01-01

IEEE Access

Abstract:Wireless medical sensor networks (WMSNs) are playing an increasingly important role in smart healthcare applications. Since the data transmitted in WMSNs is closely related to patient's life and health, and considering the resource-constrain feature of the sensor node, constructing an authentication scheme for WMSNs is a formidable task. Recently, Soni et al. presented an elliptic curve cryptosystem based three-factor authentication scheme for WMSNs. However, we discover that their scheme suffers from serious vulnerabilities, such as sensor node capture attack, no forward secrecy, and the violation of three-factor security. To enhance the security and efficiency, we present a novel scheme using Rabin cryptosystem and chaotic maps. We use several widely-accepted security analysis methods to verify the correctness and security of our scheme. The Burrows-Abadi-Needham logic proof confirms the completeness of our scheme. The heuristic analysis indicates that our scheme is resistant to potential attacks and provides various security attributes like forward secrecy and three-factor security. Furthermore, we demonstrate that our scheme is provably secure in the random oracle model. Finally, the performance comparisons indicate that our scheme is superior to the related schemes both in security and efficiency and is more applicable to WMSNs owing to low overhead of the sensor node.