A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems

Article in IEEE Access · December 2017
DOI: 10.1109/ACCESS.2017.2780124



This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2017.2780124, IEEE Access

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2017.DOI

A Robust Mutual Authentication Scheme Based on Elliptic Curve Cryptography for Telecare Medical Information Systems

SHUMING QIU (1,2), GUOAI XU (1), HASEEB AHMAD (3), AND LICHENG WANG (1)
(1) School of CyberSpace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
(2) Elementary Educational College, Jiangxi Normal University, Nanchang 330022, China
(3) Department of Computer Science, National Textile University, Faisalabad, 37610, Pakistan
Corresponding author: Guoai Xu (e-mail: xga@bupt.edu.cn).
This research is supported by the National Key Research and Development Plan (Grant No. 2017YFB0801901).

ABSTRACT Telecare medical information systems (TMIS) provide patients/users the convenience of being served at home. Along with such ease, it is essential to preserve the privacy of and provide security to the patients/users in TMIS. Often, authentication protocols are adopted to guarantee privacy and secure interaction between the patients/users and the remote server. Recently, Chaudhry et al. pointed out that Islam et al.'s smart-card-based scheme is prone to user impersonation and server impersonation attacks. Chaudhry et al. later presented an enhanced scheme based on elliptic curve cryptography (ECC) to remedy the weaknesses of Islam et al.'s scheme. Unfortunately, we find some important limitations in both schemes. We remark that Chaudhry et al.'s scheme is prone to the off-line password guessing attack, user/server impersonation attack and man-in-the-middle attack. To overcome these limitations, we present an improved authentication scheme that avoids the threats encountered in the design of Chaudhry et al.'s scheme. Moreover, the presented scheme can also resist all known attacks. We prove the security of the proposed scheme with the help of the widely used Burrows-Abadi-Needham logic (BAN logic). A brief comparison with previous works shows that the presented protocol is more efficient and more secure than other related schemes.

INDEX TERMS Telecare medicine information systems, elliptic curve cryptography, smart card, off-line password guessing attack, authentication, BAN logic.

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

S. Qiu et al.: Mutual Authentication Scheme Based on ECC

I. INTRODUCTION

With the rapid development of networking and communication technologies in the recent past, telecare medical information systems (TMIS) offer an efficient and convenient connection between patients and the medical server. The patients can be served with medical services via public networks; hence, privacy preservation is considered a very critical issue in TMIS. Hitherto, numerous authentication and key agreement schemes have been proposed for TMIS.

The original authentication scheme is based on hyper text transport protocol (HTTP) digest authentication and was proposed in 1999 [11]. In 2005, Yang et al. [38] proved it insecure and proposed an improved version based on the Diffie-Hellman key exchange protocol. The authors remarked it as vulnerable against the off-line password guessing attack and the server-spoofing attack. Subsequently, Yang et al. [38] also proposed an improved scheme to improve security. However, in 2006 Huang et al. [14] pointed out that Yang et al.'s [38] scheme cannot resist the stolen-verifier, off-line password guessing and Denning-Sacco attacks, and that it is not suitable for equipment with low computation power because of its high computational cost [7], [13]. In 2005, Durlanik and Sogukpinar [8] were the first to use Elliptic Curve Cryptography (ECC) to propose an efficient authentication scheme on the foundation of Yang et al.'s [38] work. In precise terms, ECC provides the same security with a smaller key size than traditional public key cryptography. In many subsequent works, numerous authentication schemes have been proposed using ECC [2], [6], [10], [21], [25], [27], [39]–[41]. However, most of these protocols for TMIS have some security limitations. Therefore, it is a challenging academic topic to design a more secure session key agreement scheme.

In 2013, Xu et al. proposed a secure and efficient authentication and key agreement scheme based on ECC for TMIS. The underlying scheme provides patient anonymity by employing a dynamic identity. However, in 2014 Islam et al. pointed out that Xu et al.'s protocol is not appropriate for practical use because: (1) it fails to provide strong authentication in the login and authentication phases; (2) it does not facilitate updating the password correctly during the password change phase; (3) it does not provide revocation of a lost/stolen smart card; and (4) it fails to resist the strong replay attack. To overcome the security weaknesses of Xu et al.'s scheme, Islam et al. devised an anonymous and provably secure two-factor authentication protocol based on ECC. But in 2015, Chaudhry et al. proved that Islam et al.'s protocol suffers from user impersonation and server impersonation attacks. Furthermore, in order to cope with the drawbacks of Islam et al.'s protocol, Chaudhry et al. also proposed an enhanced protocol to improve the security of Islam et al.'s protocol. Unfortunately, we suspect that Chaudhry et al.'s scheme has some potential security vulnerabilities.

In this paper, we concentrate on revisiting the scheme of Chaudhry et al. and present a more secure and efficient scheme. We find that Chaudhry et al.'s scheme is also susceptible to the off-line password guessing attack, server impersonation attack, user impersonation attack and man-in-the-middle attack. We observe that the off-line identity guessing attack is a fatal attack on their protocol. In our proposed protocol, we utilize the technique of "fuzzy verifiers" [32] to resist the off-line identity guessing attack. Moreover, our scheme not only addresses the security problems of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes, but also retains all their merits, as depicted in Table 5. Although our scheme employs the comparatively expensive elliptic curve point multiplication operation, as a trade-off it offers resistance against all known attacks. In terms of security and efficiency, the proposed scheme is more secure and efficient and has many excellent features compared with its counterparts.

The remainder of this paper is organized as follows: Section II introduces the notations and the capacities of the adversary. The review and cryptanalysis of Chaudhry et al.'s scheme are detailed in Section III and Section IV. Section V presents our proposed scheme. Section VI and Section VII present a conventional and a BAN-logic security analysis of our scheme, respectively. The performance and functionality comparisons among the proposed scheme and other related schemes are discussed in Section VIII. Finally, concluding thoughts are given in Section IX.

II. PRELIMINARIES

In this section, we present the notations and introduce the capacities of the adversary of the authentication scheme. The notations used in this paper are displayed in Table 1.

TABLE 1. Notations and abbreviations

Symbol      Description
S           Server
U_i         Patient/User
ID_i        Identity of U_i
PW_i        Password of U_i
r_i, a_i    Random numbers of U_i
k_s         Secret key of S
r_s, c_s    Random numbers of S
||          The string concatenation operation
⊕           The bitwise XOR operation
A           Malicious adversary
h(·)        Collision-free one-way hash function
→           An insecure channel
⇒           A secure channel
SK          Session key between U and S

A. THREAT MODEL

Throughout this paper, according to [29], [32], the capacities of the adversary A are summarized as follows:
1. The adversary A is able to control the open communication channel completely, that is, he can intercept, modify, delete, block, and resend the messages over the open channel.
2. The adversary A can list all pairs (ID_i, PW_i) from (D_PW, D_ID) in polynomial time, where D_PW and D_ID denote the space of passwords and the space of identities, respectively.
3. The adversary A can either intercept the password of the user via a malicious device or extract the parameters from the smart card, but both methods cannot be used together.
4. While evaluating forward secrecy, the adversary A can obtain the server's private key or compromise the user's password.

III. REVIEW OF CHAUDHRY ET AL.'S SCHEME

In this section, we review Chaudhry et al.'s authentication scheme [5] for TMIS. Their scheme is composed of three phases: the registration phase, the login and authentication ph phase, and the password updating phase.

A. THE REGISTRATION PHASE

Step 1: Firstly, the patient U_i picks his identity, password and a random number as ID_i, PW_i and r_i ∈ Z_p^*, respectively. Subsequently, U_i computes l_i = h(ID_i||PW_i||r_i) and transmits the resulting l_i along with ID_i to the server S over a secure channel.
Step 2: After receiving the registration request from the patient U_i, the server S performs the identity verification. If U_i is a new user, it sets t_i = 0; otherwise it sets t_i = t_i + 1 and stores {ID_i, t_i} in its


database. Afterwards, S chooses a random number b_s and computes α = ((b_s + k_s)/l_i) mod p, B_i = b_s G, u_i = h(k_s G||l_i) and O_i = h(ID_i||k_s) ⊕ l_i. S then stores {E/F_p, G, u_i, B_i, α, h(·), p, t_i, O_i} in the smart card.
Step 3: Upon receiving the smart card, the patient/user inserts r_i into SC.

B. THE LOGIN AND AUTHENTICATION PHASE

The login process proceeds as follows:
Step 1: Patient U_i enters his identity ID_i and password PW_i; then the smart card computes

l_i = h(ID_i||PW_i||r_i), k_s G = (αl_i)G − B_i

and u_i^* = h(k_s G||l_i). The smart card SC then checks whether u_i^* is equal to u_i. If u_i^* is not equal to u_i, SC aborts the session. Otherwise, SC generates a random number a_i ∈ Z_p^* and a time stamp T_i1 and computes PID_i = ID_i ⊕ a_i G, C_i = a_i(k_s G) and G_i = h(ID_i||O_i ⊕ l_i||C_i||T_i1||k_s G||N_i). Then U_i sends the following to S:

m_i = {PID_i, C_i, G_i, T_i1}

Step 2: On receiving m_i, S verifies the validity of T_i1. If it is not valid, S ends the session. Otherwise, S calculates ID_i' = PID_i ⊕ (C_i k_s^{-1}) and G_i' = h(ID_i'||h(ID_i'||k_s)||C_i||T_i1||k_s G||N_i). S then checks whether G_i' is equal to G_i and ends the session if not. Otherwise S selects a random number c_s ∈ Z_p^* and a time stamp T_i2, then S calculates

C_s = c_s(k_s G), C_si = c_s(C_i),
SK = h(ID_i'||h(ID_i'||k_s)||C_i||C_s||C_si||k_s G)

and

G_s = h(SK||C_s||T_i2||k_s G)

and stores {ID_i, N_i, T_i2} in its database. Finally, S sends the following to U_i:

m_s = {C_s, G_s, T_i2}

Step 3: After receiving m_s, U_i checks the validity of T_i2 and subsequently computes

C_is = a_i(C_s),
SK' = h(ID_i||O_i ⊕ l_i||C_i||C_s||C_is||k_s G),
G_s' = h(SK'||C_s||T_i2||k_s G).

U_i then verifies whether G_s' is equal to G_s and ends the session if not. Otherwise U_i accepts the session key SK.

C. PASSWORD UPDATING PHASE

Firstly, U_i inserts the smart card SC into the card reader and then inputs ID_i, PW_i. Afterwards, the smart card computes

l_i = h(ID_i||PW_i||r_i), k_s G = (αl_i)G − B_i

and u_i^* = h(k_s G||l_i). The smart card SC then checks whether u_i^* is equal to u_i. If not, SC refuses the request. Otherwise, SC requires U_i to input its new password PW_i^new and a new r_i^new ∈ Z_p^*. Then, SC calculates

l_i^new = h(ID_i||PW_i^new||r_i^new),
α^new = (b_s + k_s)/l_i^new mod p,
u_i^new = h(k_s G||l_i^new)

and

O_i^new = h(ID_i||k_s) ⊕ l_i^new.

SC further stores u_i^new, r_i^new, α^new, O_i^new in place of u_i, r_i, α, O_i in the smart card, respectively.

IV. CRYPTANALYSIS OF CHAUDHRY ET AL.'S SCHEME

In this section, we show that Chaudhry et al.'s scheme is vulnerable to the off-line password guessing attack, user/server impersonation attack and man-in-the-middle attack. These attacks are based on the assumption that a malicious adversary A has total control over the communication channel connecting U and S in the authentication phase. Thus, A can intercept, insert, delete, or modify any messages transmitted via the public channel [9], [20], [36].

A. OFF-LINE PASSWORD GUESSING ATTACK

In an off-line password guessing attack, the adversary A steals the legal user's smart card and extracts some useful parameters from it, and/or intercepts the messages from the insecure channel; then A tries to guess the user's correct password and identity. In this subsection, we show that the scheme of Chaudhry et al. cannot resist the off-line password guessing attack. We give the attack in four cases as below:

• Case 1: (Via verification value in smart card) In this case, the adversary A first extracts only the data {u_i, r_i} stored in the smart card. Afterwards, A can guess the legal user U's password and identity by performing the following steps:
Step 1: A first guesses PW^* and ID^* from the password dictionary space D_PW and the identity dictionary space D_ID, respectively.
Step 2: A calculates l_i^* = h(ID^*||PW^*||r_i).
Step 3: Since k_s = l_i α − b_s and k_s G = (l_i α − b_s)G = (l_i α)G − b_s G = (l_i α)G − B_i, A computes u_i^* = h((k_s G)^*||l_i^*).
Step 4: A checks whether u_i^* is equal to the value of the parameter u_i. If they are equal, A finds the


correct password and identity of user U. Otherwise, A can repeat steps (1), (2), (3) and (4) until it finds the correct password and identity.
The time complexity of the above attack is O(|D_PW| · |D_ID| · (2T_h + T_m + T_a)), where T_h is the running time of a hash computation, T_a the running time of a point addition and T_m the running time of a point multiplication, and |D_PW| and |D_ID| denote the number of passwords in D_PW and the number of identities in D_ID, respectively. Usually |D_ID| ≤ |D_PW| ≤ 10^6 [30], [31]; therefore, the above attack is quite efficient in the first case. In fact, the reason for the success of the above attack is that A obtains the verification value u_i in the smart card and uses it to verify the correctness of the guessed password and identity. We observe that the purpose of the designer is to verify the legitimacy of the login with this value u_i and to help the legal user freely change his password locally without needing to communicate with the server.

• Case 2: (Via verification value in public channel) In this case, the adversary A intercepts the login request message {C_i, G_i, T_i1} and extracts the data {u_i, O_i, r_i, N_i} stored in the smart card. Afterwards, A can also guess the legal user U's password and identity by performing the following steps:
Step 1: A first guesses PW^* and ID^* from the password dictionary space D_PW and the identity dictionary space D_ID, respectively.
Step 2: A calculates l_i^* = h(ID^*||PW^*||r_i).
Step 3: A computes (k_s G)^* = (l_i^* α)G − B_i.
Step 4: A calculates G_i^* = h(ID^*||O_i ⊕ l_i^*||C_i||T_i1||(k_s G)^*||N_i).
Step 5: A checks whether G_i^* is equal to the value of the parameter G_i in the login message. If they are equal, A finds the correct password and identity of user U. Otherwise, A can repeat steps (1), (2), (3), (4) and (5) until finding the correct password and identity.
The time complexity of the above attack is also O(|D_PW| · |D_ID| · (2T_h + T_m + T_a)). Therefore, the attack based on the second case is also quite efficient. Actually, the reason for the success of the above attack is that A obtains the verification value G_i in the login request message and uses it to verify the correctness of the guessed password and identity.

• Case 3: (The legitimate patient acts as an attacker I) In this case, we show that a legitimate patient U_j can act as a malicious opponent A for the off-line password guessing attack. The adversary A extracts the data {E/F_p, G, B_i, r_i} stored in the smart card. Afterwards, A can also guess the legal user U's password and identity by performing the following steps:
Step 1: Firstly, U_j extracts the data {E/F_p, G, B_j, r_j, α, h(·), p} from his own smart card. Then, U_j computes l_j = h(ID_j||PW_j||r_j) and k_s G = (l_j α)G − B_j.
Step 2: A(U_j) guesses PW^* and ID^* from the password dictionary space D_PW and the identity dictionary space D_ID, respectively.
Step 3: A calculates l_i^* = h(ID^*||PW^*||r_i).
Step 4: A computes (k_s G)^* = (l_i^* α)G − B_i.
Step 5: A checks whether (k_s G)^* is equal to the value k_s G obtained in Step 1. If they are equal, A finds the correct password and identity of user U. Otherwise, A can repeat steps (2), (3), (4) and (5) until finding the correct password and identity.
The time complexity of the above attack is O(T_h + T_m + T_a + |D_PW| · |D_ID| · (T_h + T_m + T_a)). Therefore, the above attack based on the third case is also quite efficient. By observation, we find that the key reason for the success of the above attack is that any legal patient can compute the common value k_s G; A then guesses the password and identity of other users and computes (k_s G)^*. If the guess is correct, it must result in k_s G = (k_s G)^*. According to the complexity, this shows that A can verify the correctness of the guessed password and identity.

• Case 4: (The legitimate patient acts as an attacker II) Similarly to Case 3, we also show that a legitimate patient U_j can act as a malicious opponent A for the off-line password guessing attack. But here the adversary A extracts the data {u_i, E/F_p, G, r_i} stored in the smart card. Thereafter, A guesses the legal user U's password and identity by implementing the following steps:
Step 1: U_j extracts the data {E/F_p, G, B_j, r_j, α, h(·), p} from his own smart card and computes l_j = h(ID_j||PW_j||r_j) and k_s G = (l_j α)G − B_j.
Step 2: A(U_j) guesses PW^* and ID^* from the password dictionary space D_PW and the identity dictionary space D_ID, respectively.
Step 3: A calculates l_i^* = h(ID^*||PW^*||r_i).
Step 4: A computes u_i^* = h(k_s G||l_i^*).
Step 5: A checks whether u_i^* is equal to the value of the extracted parameter u_i. If they are equal, A finds the correct password and identity of user U. Otherwise, A can repeat steps (2), (3), (4) and (5) until finding the correct password and identity.
The time complexity of the above attack is O(T_h + T_m + T_a + |D_PW| · |D_ID| · 2T_h). Therefore, the above attack based on the fourth case is also quite efficient. Similarly to Case 3, the key reason for the success of the above attack is that any legal patient can compute the common value k_s G; A then guesses the password and identity of other users and computes u_i^*. If u_i = u_i^*,


it is assured that the guess is correct.
Therefore, any of the above cases illustrates that the scheme of Chaudhry et al. cannot resist the off-line password guessing attack.

B. USER IMPERSONATION ATTACK

Once the scheme of Chaudhry et al. is vulnerable to the off-line password guessing attack, the adversary becomes capable of impersonating other legal patients/users. To do so, the adversary A captures the login request message {T_i1} and performs the following steps.
Step 1: A computes l_i = h(ID_i||PW_i||r_i) from the already guessed correct identity and password. Subsequently, A computes k_s G = (αl_i)G − B_i. A then selects a random number a_i^* ∈ Z_p^* and computes

PID_i^* = ID_i ⊕ a_i^* G, C_i^* = a_i^*(k_s G)

and

G_i^* = h(ID_i||O_i ⊕ l_i||C_i^*||T_i1||k_s G||N_i).

Then, A sends the following login request message to the server S:

{PID_i^*, C_i^*, G_i^*, T_i1}

Step 2: After receiving the login request message from A, S checks the timestamp T_i1 and then computes ID_i' = PID_i^* ⊕ (C_i^* k_s^{-1}) and G_i' = h(ID_i'||O_i ⊕ l_i||C_i^*||T_i1||k_s G||N_i), and checks whether G_i' = G_i^*. Obviously, it holds. Therefore, S chooses the random c_s and T_i2, and then computes C_s = c_s(k_s G), C_si = c_s(C_i^*), SK = h(ID_i'||h(ID_i'||k_s)||C_i^*||C_s||C_si||k_s G) and G_s = h(SK||C_s||T_i2||k_s G). Subsequently, S also stores {ID_i, N_i, T_i1} in its database. Finally, a challenge message {C_s, G_s, T_i2} is sent from server S to A.
Step 3: Upon reception of the challenge message from server S, A computes C_is = a_i^*(G_s) and then calculates the session key as follows:

SK^* = h(ID_i'||O_i ⊕ l_i||C_i^*||C_s||C_is||k_s G).

Thus, an adversary A can successfully impersonate a legal patient/user to the server. Therefore, Chaudhry et al.'s scheme is insecure against the user impersonation attack.

C. SERVER IMPERSONATION ATTACK

Once the scheme of Chaudhry et al. is vulnerable to the off-line password guessing attack, the adversary A obtains the correct {ID_i, PW_i} of U and computes l_i = h(ID_i||PW_i||r_i), k_s G = (αl_i)G − B_i. Now, A waits for U to send a login request message {PID_i, C_i, G_i, T_i1} to S, and captures the message. Afterwards, A can launch a server impersonation attack by performing the following steps:
Step 1: Upon capturing the login request message from U, A selects a random number c_s^* ∈ Z_p^* and a time stamp T_i2^*. Then, A computes C_s^* = c_s^*(k_s G), C_si^* = c_s^*(C_i), SK^* = h(ID_i||O_i ⊕ l_i||C_i||C_s^*||C_si^*||k_s G), and G_s^* = h(SK^*||C_s^*||T_i2^*||k_s G). Afterwards, A sends a challenge message {C_s^*, G_s^*, T_i2^*} to U_i.
Step 2: On receiving the challenge message from A, U_i checks the validity of the timestamp T_i2^*. If it is found valid, U_i computes C_is = a_i^*(G_s^*), and then calculates the session key

SK = h(ID_i||O_i ⊕ l_i||C_i||C_s||C_is||k_s G)

and G_s' = h(SK||C_s^*||T_i2^*||k_s G). Then U_i verifies whether G_s' = G_s^*. It is obvious that these expressions are equal. Therefore, U_i accepts the session key SK with the server, who is in fact the adversary A.
Accordingly, the adversary A successfully launches a server impersonation attack and gets a session key SK with U_i. Moreover, since A also obtains k_s G of the server S and computes h(ID||k_s) = l_i ⊕ O_i utilizing the obtained sensitive information, the adversary can perform similar server impersonation attacks on all users. Therefore, the scheme cannot resist the server impersonation attack.

D. MAN-IN-THE-MIDDLE ATTACK

According to our analyses, we have shown that Chaudhry et al.'s scheme is vulnerable to the off-line password guessing attack, user impersonation attack and server impersonation attack. It is easy to see that the adversary can impersonate the patient/user to the server and vice versa. Therefore, the adversary can launch the man-in-the-middle attack. Thus, Chaudhry et al.'s scheme cannot resist the man-in-the-middle attack.

V. OUR PROPOSED SCHEME

This section proposes an improved mutual authentication scheme based on ECC for TMIS. In our scheme, we use random numbers to avoid the replay attack; therefore, we do not need to assume that U_i and S have synchronized clocks. Meanwhile, the proposed scheme not only overcomes the weaknesses of Chaudhry et al.'s [5] scheme and Islam et al.'s [16] scheme, but also achieves mutual authentication and resists various attacks. The proposed scheme consists of three phases: the registration phase, the authentication and key agreement phase, and the password changing phase. The notations of the proposed protocol are listed in Table 1 and the registration and authentication process of our scheme is presented in Fig. 1.

A. REGISTRATION PHASE

1. The patient U_i chooses a password PW_i, an identity ID_i and a random number r_i ∈ Z_p^*. Subsequently, U_i computes l_i = h(ID_i||PW_i||r_i).
2. U_i ⇒ S: {ID_i, l_i}.


[Figure 1: two-column protocol diagram, Patient (U_i) on the left and Server (S) on the right. Registration phase: U_i inputs ID_i, PW_i, selects r_i ∈ Z_p^* and sends {ID_i, l_i}; S selects an integer 2^4 ≤ n_0 ≤ 2^8 and r_s ∈ Z_p^*, computes A_i = h((h(ID_i) ⊕ h(l_i)) mod n_0), T = h(ID_i||k_s||r_s), O_i = T ⊕ l_i, stores {ID_i, r_s} in its database and {A_i, O_i, G, n_0, h(·)} in a new smart card, into which U_i stores r_i. Login and authentication phase: the messages {PID_i, G_i}, {C_s, G_s} and {M_i}, with the computations given step by step in Section V-B, ending in the common session key SK = SK'.]

FIGURE 1. Registration and authentication phase of the proposed scheme.
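The exchange of Fig. 1 (the registration phase of Section V-A and the login and mutual authentication phase of Section V-B) as an added example in Python; this is not the authors' code. It models both parties end to end, and the last function counts how many dictionary pairs the card's A_i accepts, which is the Section VI-B argument that the fuzzy verifier cannot serve as an off-line oracle. Assumptions not in the paper: secp256k1 stands in for the unspecified curve E/F_p, h(·) is SHA-256 over length-prefixed parts, T is expanded with SHAKE-256 so that T ⊕ (ID_i||C_i) is defined for unequal lengths, and A_i takes the form used in Fig. 1.

```python
import hashlib
import hmac
import secrets

# Stand-in curve (assumption): secp256k1, since the paper leaves E/F_p unspecified.
# Affine double-and-add for illustration only; not constant time.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None           # p1 == -p2
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # a = 0 on secp256k1
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def on_curve(pt): return (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0
def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def dec(b): return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big"))
def rand_scalar(): return secrets.randbelow(N - 1) + 1
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def h(*parts):  # h(.) as SHA-256; parts are length-prefixed so x||y splits unambiguously
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def mask(T, data):  # T XOR (ID||C) for unequal lengths (assumption): expand T with SHAKE-256
    return xor(hashlib.shake_256(T).digest(len(data)), data)

def fuzzy_verifier(ID, l, n0):
    # A_i = h((h(ID_i) XOR h(l_i)) mod n0) as in Fig. 1: only log2(n0) bits of (ID_i, PW_i)
    # survive, so many wrong pairs satisfy it as well.
    v = (int.from_bytes(h(ID), "big") ^ int.from_bytes(h(l), "big")) % n0
    return h(v.to_bytes(2, "big"))

class Server:
    def __init__(self, n0=2**8):                        # paper: 2^4 <= n0 <= 2^8
        self.ks, self.n0, self.db, self.pending = rand_scalar(), n0, {}, None
    def register(self, ID, l):                          # registration, steps 3-4
        rs = secrets.token_bytes(32)
        T = h(ID, self.ks.to_bytes(32, "big"), rs)
        self.db[ID] = rs                                # S keeps {ID_i, r_s}
        return {"A": fuzzy_verifier(ID, l, self.n0), "O": xor(T, l), "n0": self.n0}
    def respond(self, PID, Gi):                         # login, step 3
        for ID, rs in self.db.items():                  # "searching database list"
            T = h(ID, self.ks.to_bytes(32, "big"), rs)
            plain = mask(T, PID)                        # ID'_i || C'_i
            if plain[:-64] != ID: continue
            C = dec(plain[-64:])
            if not on_curve(C) or not hmac.compare_digest(h(ID, T, enc(C)), Gi):
                return None                             # G'_i != G_i: S exits and counts it
            cs = rand_scalar(); Cs = ec_mul(cs, G)
            SK = h(ID, T, enc(ec_mul(cs, C)), enc(C), enc(Cs))
            self.pending = (T, C, SK)
            return enc(Cs), h(SK, enc(Cs), T, enc(C))   # {C_s, G_s}
        return None
    def confirm(self, Mi):                              # step 7: M'_i == M_i ?
        T, C, SK = self.pending
        return SK if hmac.compare_digest(h(SK, T, enc(C)), Mi) else None

class Patient:
    def __init__(self, ID, PW):
        self.ID, self.PW, self.r = ID, PW, secrets.token_bytes(32)
    def enroll(self, server):                           # steps 1, 2 and 5: U_i => S: {ID_i, l_i}
        self.card = dict(server.register(self.ID, h(self.ID, self.PW, self.r)), r=self.r)
    def login(self, ID, PW):                            # step 1: local check, then {PID_i, G_i}
        c = self.card
        l = h(ID, PW, c["r"])
        if fuzzy_verifier(ID, l, c["n0"]) != c["A"]: return None
        T = xor(c["O"], l)
        a = rand_scalar(); C = ec_mul(a, G)
        self.state = (T, a, C)
        return mask(T, ID + enc(C)), h(ID, T, enc(C))
    def finish(self, Cs_bytes, Gs):                     # step 5: verify S, then {M_i}
        T, a, C = self.state
        Cs = dec(Cs_bytes)
        if not on_curve(Cs): return None
        SK = h(self.ID, T, enc(ec_mul(a, Cs)), enc(C), Cs_bytes)
        if not hmac.compare_digest(h(SK, Cs_bytes, T, enc(C)), Gs): return None
        return SK, h(SK, T, enc(C))

def run_session(server, patient, ID, PW):  # whole exchange: (SK at U_i, SK at S) or None
    req = patient.login(ID, PW)
    resp = server.respond(*req) if req else None
    fin = patient.finish(*resp) if resp else None
    return None if fin is None else (fin[0], server.confirm(fin[1]))

def fuzzy_matches(card, candidates):
    # Number of (ID, PW) guesses the card's A_i accepts: about 1/n0 of them, which is
    # why A_i gives an off-line guesser no usable answer (Section VI-B).
    return sum(fuzzy_verifier(i, h(i, p, card["r"]), card["n0"]) == card["A"]
               for i, p in candidates)
```

With the constructed 40 × 25 dictionary and n_0 = 16, roughly one guess in sixteen passes the card's local check, so the card yields no confirmation of the true pair and only the server's failure counter sees the wrong ones.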

3. After receiving the registration message, S chooses 1. Ui inserts the smart card SC into a card read-
a random number rs ∈ Zp∗ and calculates the er and inputs IDi , P Wi . SC calculates li =
following: h(IDi ||P Wi ||ri ), and then computes A0i =
h((h(IDi ) ⊕ li ) mod n0 ). Then, SC checks the
Ai = h((h(IDi ) ⊕ li ) mod n0 ), correctness of A0i by comparing the value of Ai
sorted in SC. If A0i = Ai , IDi , P Wi are accepted
T = h(IDI ||ks ||rs ), Oi = T ⊕ li
as valid. Otherwise, the session is terminated. SC
and stores {IDi , rs } in its database, where n0 is an continues computing T = Oi ⊕ li and chooses
integer and 24 ≤ n0 ≤ 28 [32]. a random number ai ∈ Zp∗ , and computes the
4. S ⇒ Ui : a smart card SC containing following:

{Ai , Oi , n0 , h(·), p, G}. Ci = ai G, P IDi = T ⊕ (IDi ||Ci ),

5. Ui stores ri in SC. Gi = h(IDi ||T ||Ci ).

B. LOGIN AND MUTUAL AUTHENTICATION PHASE 2. Ui → S : {P IDi , Gi }.


Once the patient Ui registers to the server successfully, he 3. After obtaining {P IDi , Gi }, S calculates the fol-
can send the login request to the server S when he wants to lowing:
be served follows: T = h(IDi ||ks ||rs )

6 VOLUME 0, 0000

2169-3536 (c) 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2017.2780124, IEEE Access

S. Qiu et al.: Mutual Authentication Scheme Based on ECC

firstly by using the stored datum and the server's private key. S then computes IDi'||Ci' = PIDi ⊕ T and checks whether IDi' = IDi by searching its database list. If they are not equal, S judges that the input password is wrong. Once the number of wrong attempts exceeds a fixed value (such as 5), S concludes that the smart card has been usurped by some attacker. What's more, S locks the smart card until Ui re-registers. Otherwise, S computes Gi' = h(IDi'||T||Ci') and verifies whether Gi' = Gi. In case of invalidation, S exits the session and records a failure count N (N = 1 on the first failure); S suspends the card until Ui re-registers once N exceeds some threshold value (such as 5). Otherwise, S generates a random number cs and computes the following:

Cs = cs G, SK = h(IDi'||T||cs Ci'||Ci'||Cs), Gs = h(SK||Cs||T||Ci').

4. S → Ui: {Cs, Gs}.
5. On receiving the message {Cs, Gs}, Ui computes the following:

SK' = h(IDi||T||ai Cs||Ci||Cs), Gs' = h(SK||Cs||T||Ci).

Afterwards, Ui verifies whether Gs' = Gs. If these are not equal, the session is terminated. Otherwise, S is authenticated by Ui and Ui accepts the session key SK'. Then, Ui computes Mi = h(SK||T||Ci).
6. Ui → S: {Mi}.
7. After receiving the challenge message {Mi}, S computes Mi' = h(SK||T||Ci') and checks whether Mi' = Mi. If it is validated, then Ui is authenticated.
8. Finally, both the patient Ui and the server S agree on a common session key SK = SK'.

C. PASSWORD UPDATING PHASE
This phase lets the user update her/his password at will, for which Ui and S can execute the following steps; the password updating process of our scheme is presented in Fig. 2.
1. Firstly, Ui inserts the smart card into the card reader. Ui then inputs IDi, PWi and a new password PWi^new.
2. The smart card SC calculates li = h(IDi||PWi||ri) and computes Ai' = h((h(IDi) ⊕ h(li)) mod n0). Subsequently, SC verifies whether Ai' is equal to Ai. If they are not equal, SC rejects the password change.
3. Otherwise, SC generates a random number ri^new and calculates the following:

li^new = h(IDi||PWi^new||ri^new),
Oi^new = li ⊕ li^new ⊕ Oi,
Ai^new = h((h(IDi) ⊕ h(li^new)) mod n0).

Finally, SC stores Ai^new, Oi^new, ri^new in the smart card in place of Ai, Oi, ri, respectively.

VI. SECURITY ANALYSIS
In this section, we prove that our scheme can withstand all known attacks.

A. USER ANONYMITY
In the proposed scheme, on the one hand, no identity information is transmitted in the open channel. On the other hand, suppose the adversary A eavesdrops the messages {PIDi, Gi} and {Cs, Gs} from the public channel. To obtain the correct identity IDi of Ui, A needs T, which is not available since T is protected by the private key ks of S. Moreover, A cannot guess the correct identity, since Ci = ai G is not available. Further, even if A obtains the smart card of Ui and extracts the information in SC, A cannot recover the identity of Ui since IDi is protected by the one-way hash function and the modulo operator. Therefore, our proposed scheme provides user anonymity.

B. OFF-LINE PASSWORD GUESSING ATTACK
According to our analysis, in Chaudhry et al.'s scheme the attacker can guess the correct identity and password by using any of the three cases in IV-A. But in the proposed scheme, the adversary A cannot guess the correct identity and password of Ui even if it extracts the information in SC. Suppose that A can guess IDi' and PWi' satisfying the equation Ai' = Ai. A still cannot be sure whether IDi' and PWi' are the correct IDi and PWi. A can only confirm the guessed values by launching on-line guessing. But the number of candidate pairs (IDi', PWi') that satisfy the equation is large enough to resist on-line guessing, and the smart card SC will be suspended until Ui re-registers once the number of wrong login attempts exceeds a fixed value N (such as 5). Accordingly, our scheme has good resistance to the off-line password guessing attack.

C. PRIVILEGED INSIDER ATTACK
Consider a scenario where an insider can access the registration information {IDi, li} of a valid patient and turns into an adversary A. A cannot get the password PWi since it is protected by the random number ri and the one-way hash function. Therefore, the proposed scheme can withstand the privileged insider attack.

D. USER IMPERSONATION ATTACK
To impersonate a legitimate patient, the adversary A has to obtain the identity IDi and password PWi of Ui, or construct {PIDi, Gi}. Firstly, it is impossible for A to guess the correct identity and password of Ui, according to "off-line password guessing attack" above. Secondly, to construct {PIDi, Gi}, A has to get the key parameter T. It is still not possible to recover T without knowing the secret key ks. Therefore, our scheme resists the user impersonation attack.
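The login and authentication phase (steps 3-8 of Section V above), run end to end between a card and a server, as an added example that is not the authors' code. It assumes secp256k1 and SHA-256 (the page fixes neither), a 16-byte identity, points encoded as x||y, and, because the registration phase that defines T is not on this page, models T as an 80-byte per-user secret that S rebuilds from ks and the registration value rs with SHAKE-256 and hands to the card; the failure counter and lock after 5 bad attempts follow step 3.

```python
import hashlib
import secrets

# secp256k1 parameters (assumption: the page fixes no curve); h() is SHA-256.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
LOCK_THRESHOLD = 5  # wrong-attempt limit "such as 5" from step 3

def ec_add(p, q):  # affine addition on y^2 = x^3 + 7 over GF(P); None is infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], P - 2, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], P - 2, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def ec_mul(k, p):  # double-and-add scalar multiplication k*p
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")  # x||y
def h(*parts): return hashlib.sha256(b"".join(parts)).digest()             # h(a||b||..)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rand_scalar(): return secrets.randbelow(N - 1) + 1

class Server:
    def __init__(self):
        self.ks = rand_scalar()  # private key ks
        self.users = {}          # IDi -> {"rs", "fails", "locked"}
    def derive_t(self, rs):
        # Assumption: T is an 80-byte per-user secret rebuilt from ks and rs (16-byte ID + 64-byte point).
        return hashlib.shake_256(self.ks.to_bytes(32, "big") + rs).digest(80)
    def register(self, id_i):
        self.users[id_i] = {"rs": secrets.token_bytes(16), "fails": 0, "locked": False}
        return self.derive_t(self.users[id_i]["rs"])  # T goes to the card (assumption)
    def step3(self, pid, g_i):
        """Recover IDi'||Ci' = PIDi xor T, verify Gi, reply {Cs, Gs} or None."""
        for id_i, rec in self.users.items():  # "searching database list"
            t = self.derive_t(rec["rs"])
            plain = xor(pid, t)
            if rec["locked"] or plain[:16] != id_i:
                continue
            c_i = (int.from_bytes(plain[16:48], "big"), int.from_bytes(plain[48:], "big"))
            if h(id_i, t, enc(c_i)) != g_i:  # Gi' != Gi: count it, suspend at threshold
                rec["fails"] += 1
                rec["locked"] = rec["fails"] >= LOCK_THRESHOLD
                return None
            rec["fails"], cs = 0, rand_scalar()
            c_s = ec_mul(cs, G)
            sk = h(id_i, t, enc(ec_mul(cs, c_i)), enc(c_i), enc(c_s))
            self.pending = (t, c_i, sk)  # kept for step 7
            return c_s, h(sk, enc(c_s), t, enc(c_i))
        return None
    def step7(self, m_i):  # Mi' = h(SK||T||Ci') must equal Mi
        t, c_i, sk = self.pending
        return sk if h(sk, t, enc(c_i)) == m_i else None

class Card:
    def __init__(self, id_i, t):
        self.id_i, self.t = id_i, t
    def login(self):  # Ci = ai*G, PIDi = (IDi||Ci) xor T, Gi = h(IDi||T||Ci)
        self.ai = rand_scalar()
        self.c_i = ec_mul(self.ai, G)
        return xor(self.id_i + enc(self.c_i), self.t), h(self.id_i, self.t, enc(self.c_i))
    def step5(self, c_s, g_s):  # SK' = h(IDi||T||ai*Cs||Ci||Cs); check Gs
        sk = h(self.id_i, self.t, enc(ec_mul(self.ai, c_s)), enc(self.c_i), enc(c_s))
        if h(sk, enc(c_s), self.t, enc(self.c_i)) != g_s:
            return None, None  # S not authenticated: terminate
        return sk, h(sk, self.t, enc(self.c_i))  # Mi

def run_session(server, card, tamper_gi=False):
    """One login; returns (card's SK', server's SK), None where a side aborted."""
    pid, g_i = card.login()
    if tamper_gi:  # constructed bad authenticator
        g_i = xor(g_i, b"\x01" * 32)
    reply = server.step3(pid, g_i)
    if reply is None:
        return None, None
    sk_u, m_i = card.step5(*reply)
    return sk_u, server.step7(m_i)
```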


FIGURE 2. Password updating phase of the proposed scheme.

Patient (Ui) → Smart Card (SC): inputs IDi, PWi, PWi^new and passes {IDi, PWi, PWi^new} to SC.
SC: computes li = h(IDi||PWi||ri) and Ai' = h((h(IDi) ⊕ h(li)) mod n0); checks whether Ai' = Ai.
SC: generates a random number ri^new ∈ Zp*, computes li^new = h(IDi||PWi^new||ri^new), Oi^new = li ⊕ li^new ⊕ Oi, Ai^new = h((h(IDi) ⊕ h(li^new)) mod n0).
SC: stores Ai^new, Oi^new, ri^new in place of Ai, Oi, ri.
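The card side of the password updating phase in Fig. 2 together with the fuzzy-verifier argument of Section VI-B, as an added example that is not the authors' code. It assumes SHA-256 for h(), digests read as big-endian integers before mod n0, n0 = 2^8 as a representative modulus (not fixed on this page), and models the value that li masks inside Oi as an opaque card secret X (an assumption); false_accept_rate measures how many wrong candidates the local check accepts, the property that keeps an extracted card from confirming a guess off-line.

```python
import hashlib
import secrets

N0 = 2 ** 8  # fuzzy-verifier modulus (assumption: the page does not fix n0)

def h(*parts):  # h(a||b||...) as SHA-256 (assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def verifier(id_i, l_i, n0=N0):
    """Ai = h((h(IDi) xor h(li)) mod n0): only log2(n0) bits of li reach the hash."""
    v = int.from_bytes(xor(h(id_i), h(l_i)), "big") % n0
    return h(v.to_bytes(32, "big"))

class SmartCard:
    """Holds {Ai, Oi, ri}; X stands for the secret that li masks inside Oi (assumption)."""
    def __init__(self, id_i, pw, secret_x, n0=N0, ri=None):
        self.n0 = n0
        self.ri = ri or secrets.token_bytes(16)
        li = h(id_i, pw, self.ri)
        self.ai = verifier(id_i, li, n0)
        self.oi = xor(li, secret_x)

    def update_password(self, id_i, pw, pw_new):
        """Steps 1-3 of the password updating phase, run on the card."""
        li = h(id_i, pw, self.ri)
        if verifier(id_i, li, self.n0) != self.ai:
            return False  # step 2: Ai' != Ai, SC rejects the change
        ri_new = secrets.token_bytes(16)
        li_new = h(id_i, pw_new, ri_new)
        self.oi = xor(xor(li, li_new), self.oi)   # Oi_new = li xor li_new xor Oi
        self.ai = verifier(id_i, li_new, self.n0)  # Ai_new
        self.ri = ri_new
        return True

    def unmask(self, id_i, pw):
        """Oi xor li: equals X only for the right password, before and after an update."""
        return xor(self.oi, h(id_i, pw, self.ri))

def false_accept_rate(card, id_i, candidates):
    """Share of wrong candidates the local check accepts, about 1/n0 by design, which is
    why the extracted card does not tell which candidate is right (Section VI-B)."""
    hits = sum(verifier(id_i, h(id_i, c, card.ri), card.n0) == card.ai for c in candidates)
    return hits / len(candidates)
```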

E. SERVER IMPERSONATION ATTACK
In the proposed scheme, A cannot cheat Ui by masquerading as S. Without the value of T, A cannot recover IDi and Ci, so A cannot calculate the correct response message Gs. Therefore, our scheme is resistant to the server impersonation attack.

F. REPLAY ATTACK
In our scheme, the use of the nonces ai, cs and a two-way challenge-response mechanism imparts resistance to the replay attack. If A replays the login request {PIDi, Gi}, then S would abort the session, as the replayed Gi would not pass the verification test since the random number ai used in each session is different. Furthermore, A cannot replay the response message {Cs, Gs}, since the random number cs is also different in each session. Accordingly, replay of any message is useless and our scheme is safe from the replay attack.

G. MUTUAL AUTHENTICATION
In our scheme, S authenticates Ui by verifying whether Gi' equals Gi and checking whether Mi' equals Mi; Ui authenticates S by testing whether Gs' equals Gs. Consequently, the proposed scheme achieves mutual authentication.

H. MAN-IN-MIDDLE ATTACK
In our scheme, the adversary A cannot launch the man-in-middle attack, since it cannot pass the authentication of S and Ui. If A wants to pass the authentication of S, it must know the password and identity of Ui. From Subsection VI-B, it is clear that A cannot obtain the IDi, PWi of Ui. Meanwhile, A also cannot pass the authentication of Ui since it cannot get the private key ks of S. Accordingly, the proposed scheme resists the man-in-middle attack.

I. PERFECT FORWARD SECRECY
Assuming that the private key ks of S is compromised and that the adversary A obtains the data rs, IDi, PWi, A can compute T. But to calculate a previous session key SK = h(IDi||T||cs Ci||Ci||Cs), A needs ai or cs. It is impossible to compute ai from Ci or cs from Cs, or to calculate cs Ci, due to the intractability of the ECDLP and the CDHP. Thus, even after obtaining {SC, IDi, PWi, ks, rs}, the adversary A is still not able to compute the session key SK. Consequently, the proposed scheme provides perfect forward secrecy.

VII. SECURITY PROOF WITH BAN-LOGIC
In this section, we present the security analysis of our proposed scheme using Burrows-Abadi-Needham logic (BAN-Logic) [3]. We prove that the proposed scheme allows the user to establish a session key with the server. Suppose that X and Y are symbols for statements, A and B are symbols for principals, and K is a symbol for a cryptographic encryption key. Firstly, we list some basic logic notations of BAN-Logic in Table 2. Secondly, we mention some basic BAN-Logic postulates, and provide the idealized form, security goals and initial premises of the proposed scheme. Finally, we complete the security analysis using BAN-Logic. In this section, for convenience, let U denote Ui.

• Basic BAN-Logic postulates:
R1. Message meaning rule: (A|≡ A ←K→ B, A ◁ (X)_K) / (A|≡ B|∼ X), that is, if A believes that A and B share K, and sees X encrypted with K, then A believes B once said X.
R2. Nonce-verification rule: (A|≡ #(X), A|≡ B|∼ X) / (A|≡ B|≡ X), that is, if A believes the freshness of X and that B once said X, then A believes that B trusts X.
R3. Jurisdiction rule: (A|≡ B|⇒ X, A|≡ B|≡ X) / (A|≡ X), that is, if A believes that B controls X, and A believes that B believes X, then A believes X.


TABLE 2. BAN-Logic notations

Symbol        Description
A|≡ X         A believes X
A ◁ X         A observes/receives X
A|∼ X         A once said X (or A sends X)
A|⇒ X         A controls X
#(X)          X is fresh
A ←K→ B       A and B communicate using shared key K
(X, Y)_K      Take hash of X and Y using K as key
<X>_K         X is xor-ed with the key K

R4. Freshness rule: (A|≡ #(X)) / (A|≡ #(X, Y)), that is, if A believes the freshness of X then A believes the freshness of (X, Y).
R5. Believe rule: (A|≡ B|≡ (X, Y)) / (A|≡ B|≡ X) or (A|≡ X, A|≡ Y) / (A|≡ (X, Y)), that is, if A believes that B believes (X, Y), then A believes that B believes X; or if A believes X and A believes Y, then A believes (X, Y).
• Idealized scheme:
– Message1: U → S: <IDi||Ci>_T, (IDi, Ci)_{U ←T→ S}.
– Message2: S → U: Cs, (U ←sk→ S, Cs, Ci')_{U ←T→ S}.
– Message3: U → S: (U ←sk→ S, Ci)_{U ←T→ S}.
• Security goals:
Goal1. U|≡ S|≡ (U ←sk→ S).
Goal2. U|≡ (U ←sk→ S).
Goal3. S|≡ U|≡ (U ←sk→ S).
Goal4. S|≡ (U ←sk→ S).
• Initial premises:
A1. U|≡ #(ai).
A2. U|≡ #(Cs).
A3. S|≡ #(cs).
A4. S|≡ #(Ci).
A5. U|≡ (U ←T→ S).
A6. S|≡ (U ←T→ S).
A7. U|≡ S|⇒ (U ←sk→ S).
A8. S|≡ U|⇒ (U ←sk→ S).
Now, we utilize the BAN-Logic postulates and rules to prove that U and S successfully share a common session key sk.
S1. From Message2, U receives the message (U ←sk→ S, Cs, Ci')_{U ←T→ S} from S. So we have the following:
U ◁ (U ←sk→ S, Cs, Ci')_{U ←T→ S}.
S2. From S1, A5 and the message-meaning rule, because U believes that U and S share T, and sees (U ←sk→ S, Cs, Ci') encrypted with T, U believes S once said (U ←sk→ S, Cs, Ci'). Thus, we obtain the following:
U|≡ S|∼ (U ←sk→ S, Cs, Ci').
S3. From A1, A2 and the freshness rule, because U believes the freshness of Cs, U believes the freshness of (U ←sk→ S, Cs, Ci'). Accordingly, we get the following:
U|≡ #(U ←sk→ S, Cs, Ci').
S4. From S2, S3, the nonce-verification rule and the freshness rule, if U believes the freshness of (U ←sk→ S, Cs, Ci') and believes S once said it, then U believes that S trusts (U ←sk→ S, Cs, Ci'). Hence, we deduce the following:
U|≡ S|≡ (U ←sk→ S, Cs, Ci').
S5. From S4 and the believe rule, if U believes that S believes (U ←sk→ S, Cs, Ci'), then U believes that S believes (U ←sk→ S). Therefore, we obtain the first goal as below:
U|≡ S|≡ (U ←sk→ S) (Goal1).
S6. From Goal1, A7 and the jurisdiction rule, if U believes that S controls (U ←sk→ S), and U believes that S believes (U ←sk→ S), then U believes (U ←sk→ S). Thus, we get the second goal as follows:
U|≡ (U ←sk→ S) (Goal2).
S7. From Message3, S observes the message (U ←sk→ S, Ci)_{U ←T→ S} from U. Then we have the following:
S ◁ (U ←sk→ S, Ci)_{U ←T→ S}.
S8. From S7, A6 and the message-meaning rule, because S believes that U and S share T, and sees (U ←sk→ S, Ci) encrypted with T, S believes U once said (U ←sk→ S, Ci). So we obtain the following:
S|≡ U|∼ (U ←sk→ S, Ci).
S9. From A4 and the freshness rule, because S believes the freshness of Ci, S believes the freshness of (U ←sk→ S, Ci). Consequently, we get the following:
S|≡ #(U ←sk→ S, Ci).
S10. From S8, S9, the nonce-verification rule and the freshness rule, if S believes the freshness of (U ←sk→ S, Ci) and believes U once said it, then


S believes that U trusts (U ←sk→ S, Ci). Hence, we deduce the following:
S|≡ U|≡ (U ←sk→ S, Ci).
S11. From S10 and the believe rule, if S believes that U believes (U ←sk→ S, Ci), then S believes that U believes (U ←sk→ S). In short, we get the third goal as follows:
S|≡ U|≡ (U ←sk→ S) (Goal3).
S12. From Goal3, A8 and the jurisdiction rule, if S believes that U controls (U ←sk→ S), and S believes that U believes (U ←sk→ S), then S believes (U ←sk→ S). Thereupon we obtain the fourth goal as below:
S|≡ (U ←sk→ S) (Goal4).
According to Goal1, Goal2, Goal3 and Goal4, we conclude that U (respectively S) trusts that S (respectively U) believes the session key sk between them has been shared successfully.

VIII. COMPARATIVE PERFORMANCE ANALYSIS
This section analyzes the performance of our proposed scheme by comparing it with Chaudhry et al.'s [5], Tu et al.'s [28], Wei et al.'s [33], Xu et al.'s [35] and Islam et al.'s [16] schemes. To compare the computational complexity, we neglect lightweight operations like the exclusive-OR operation and string concatenation. The operations used in our comparison are described as follows:

• Tpa: the time for executing an elliptic curve point addition operation.
• Tpm: the time for executing a point multiplication operation.
• Tme: the time for executing a modular exponentiation operation.
• Tmi: the time for executing a modular inversion operation.
• Th: the time for executing a hash operation.

According to the experimental results reported in [12], the running times of Tpa, Tpm, Tme, Tmi and Th listed in Table 3 are 100ms, 130ms, 380ms, 30ms and 1ms on a Philips Hipersmart card with a clock speed of 36MHz, respectively, while on the server side, a Pentium IV processor with a clock speed of 3GHz, these operations take 0.1ms, 1.17ms, 3.16ms, 0.3ms and 0.01ms, respectively.

Now, we present the comparative analysis at two levels:
• Comparison of computational complexity (Table 4)
• Comparison of security features (Table 5)

From Table 4, the computational costs of the login and authentication phases in Tu et al.'s scheme [28], Xu et al.'s scheme [35], Islam et al.'s scheme [16], Wei et al.'s scheme [33], Chaudhry et al.'s scheme [5] and our proposed scheme are 8Th + 6Tpm + 1Tpa ≈ 497.55ms, 11Th + 6Tpm ≈ 399.56ms, 10Th + 6Tpm + 1Tpa ≈ 499.55ms, 10Th + 2Tme + 1Tmi ≈ 388.51ms, 9Th + 7Tpm + 1Tpa + 1Tmi ≈ 628.85ms and 13Th + 4Tpm ≈ 270.39ms, respectively. In Chaudhry et al.'s scheme [5], the authors asserted that their protocol has better efficiency than Islam et al.'s protocol. But in fact, their protocol's computational cost is higher than that of Islam et al.'s protocol. We observe that our protocol has better performance than [5], [16], [28], [33], [35], and the computational cost of our proposed protocol is only 270.39ms. Therefore, in terms of efficiency, the proposed protocol performs the best.

In Table 5, we find that [5], [16], [28], [33], [35] lack some security ingredients and have more security problems than the proposed scheme. In Chaudhry et al.'s scheme [5], the authors declared that their protocol is an improved variant resisting the user and server impersonation attacks and the man-in-middle attack applicable to Islam et al.'s scheme [16]. According to our analysis, however, Chaudhry et al.'s scheme [5] is not only still vulnerable to server and user impersonation and man-in-middle attacks, but also vulnerable to the off-line identity guessing attack. We find that the off-line identity guessing attack is a fatal attack on their protocol. In our proposed protocol, we utilize the technique of "fuzzy-verifiers" [32] to resist the off-line identity guessing attack. Therefore, the proposed scheme not only amends these security problems of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes but also retains all their merits, as depicted in Table 5. Although our scheme also employs the complex elliptic curve point multiplication operation, as a trade-off it can resist all known attacks, which is a very important ingredient of the security of mutual authentication. In terms of safety performance, the proposed scheme is more secure and has many excellent features compared with its counterparts.

IX. CONCLUSION
In this paper, we present a security analysis of Chaudhry et al.'s [5] scheme and show that Chaudhry et al.'s [5] scheme is vulnerable to the off-line password guessing attack, user and server impersonation attacks and the man-in-middle attack. In order to remove these limitations, we present a new scheme with refined security. The proposed scheme inherits the merits of Chaudhry et al.'s [5] and Islam et al.'s [16] schemes and resists the aforementioned attacks with a lower computational cost than the others. Meanwhile, we conduct the security analysis of our proposed scheme using BAN-Logic. Finally, in comparison with the previously proposed schemes, our scheme is more efficient and more secure than the other related schemes.

REFERENCES
[1] J. Arkko, V. Torvinen, G. Camarillo, A. Niemi, and T. Haukka, “Security mechanism agreement for SIP sessions,” IETF Internet Draft, Jun(2002).
[2] R. Arshad and N. Ikram, “Elliptic curve cryptography based mutual authentication scheme for session initiation protocol,” Multimed Tools Appl, 66(2):165-178(2013).
[3] M. Burrows, M. Abadi, and R. M. Needham, “A logic of authentication,” ACM Transactions on Computer Systems, 8(1): 18-36(1990).
[4] S. A. Chaudhry, I. Khan, A. Irshad, M. U. Ashraf, M. K. Khan, and H. F. Ahmad, “A provably secure anonymous authentication scheme for session initiation protocol,” Secur Commun Netw, doi:10.1002/sec.1672(2016).


TABLE 3. The time of executing cryptographic operations

Tpa Tpm Tme Tmi Th


Server 0.1ms 1.17ms 3.16ms 0.3ms 0.01ms
User/Client 100ms 130ms 380ms 30ms 1ms

TABLE 4. Comparison of computational complexity

Scheme User Computations Server Computations Total


Tu et al. [28] 4Th + 3Tpm + 1Tpa ≈ 494ms 4Th + 3Tpm ≈ 3.55ms 8Th + 6Tpm + 1Tpa ≈ 497.55ms
Xu et al. [35] 6Th + 3Tpm ≈ 396ms 5Th + 3Tpm ≈ 3.56ms 11Th + 6Tpm ≈ 399.56ms
Islam et al. [16] 6Th + 3Tpm + 1Tpa ≈ 496ms 4Th + 3Tpm ≈ 3.55ms 10Th + 6Tpm + 1Tpa ≈ 499.55ms
Wei et al. [33] 5Th + Tme ≈ 385ms 5Th + 1Tme + 1Tmi ≈ 3.51ms 10Th + 2Tme + 1Tmi ≈ 388.51ms
Chaudhry et al. [5] 5Th + 4Tpm + 1Tpa ≈ 625ms 4Th + 3Tpm + 1Tmi ≈ 3.85ms 9Th + 7Tpm + 1Tpa + 1Tmi ≈ 628.85ms
Ours 8Th + 2Tpm ≈ 268ms 5Th + 2Tpm ≈ 2.39ms 13Th + 4Tpm ≈ 270.39ms

TABLE 5. Comparison of Security Features

Feature Tu et al. [28] Xu et al. [35] Islam et al. [16] Wei et al. [33] Chaudhry et al. [5] Ours
F1 - Yes Yes No Yes Yes
F2 Yes No Yes Yes Yes Yes
F3 Yes Yes No No No Yes
F4 Yes Yes No No No Yes
F5 - Yes No No No Yes
F6 Yes No Yes No Yes Yes
F7 - No No No No Yes
F8 Yes Yes No No Yes Yes
F9 - Yes Yes Yes Yes Yes
F1 : Provides user anonymity; F2 : Resists privileged insider attack ; F3 : Resists off-line password guessing
attack; F4 : Resists user impersonation attack; F5 : Resists server impersonation attack; F6 : Resists replay
attack; F7 : Resists man-in-middle attack ; F8 : Provides mutual authentication; F9 : Provides perfect forward
secrecy.

[5] S. A. Chaudhry, H. Naqvi, T. Shon, M. Sher, and M. S. Farash, “Cryptanalysis and Improvement of an Improved Two Factor Authentication Protocol for Telecare Medical Information Systems,” J. Medical Systems, 39(6): 66:1-66:11 (2015).
[6] T. H. Chen, H. L. Yeh, P. C. Liu, H. C. Hsiang, and W. K. Shih, “A secured authentication protocol for SIP using elliptic curves cryptography,” In: FGCN2010, Part I, Communications in Computer and Information Science, 119:46-55(2010).
[7] D. Denning and G. Sacco, “Timestamps in key distribution systems,” Commun ACM, 24:533-536(1981).
[8] A. Durlanik and I. Sogukpinar, “SIP authentication scheme using ECDH,” World Enformatika Soc Trans Eng Comput Technol, 8:350-353(2005).
[9] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, and M. T. Shalmani, “On the power of power analysis in the real world: a complete break of the KeeLoq code hopping scheme,” Advances in Cryptology-CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, Springer, Berlin, Germany, 203-220(2008).
[10] M. S. Farash and M. A. Attari, “An enhanced authenticated key agreement for session initiation protocol,” Inf Technol Control, 42(4):333-342 (2013).
[11] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach and A. Luotonen, “HTTP Authentication: Basic and digest access authentication,” IETF RFC, 2617(1999).
[12] D. He, “An efficient remote user authentication and key agreement protocol for mobile client-server environment from pairings,” Ad Hoc Netw, 10(6):1009-1016, 2012.
[13] D. He, J. Chen, and Y. Chen, “A secure mutual authentication scheme for session initiation protocol using elliptic curve cryptography,” Secur Commun Netw, 5(12):1423-1429(2012).
[14] H. F. Huang, W. C. Wei, and G. E. Brown, “A new efficient authentication scheme for session initiation protocol,” In: 9th Joint Conference on Information Sciences(2006).
[15] M. Hölbl, T. Welzer, and B. Brumen, “An improved two-party identity-based authenticated key agreement protocol using pairings,” Journal of Computer and System Sciences, 78(1):142-150(2012).
[16] S. Islam and M. Khan, “Cryptanalysis and improvement of authentication and key agreement protocols for telecare medicine information systems,” J. Med. Syst, 38(10):135, 2014. doi:10.1007/s10916-014-0135-9.
[17] W. S. Juang, “Efficient password authenticated key agreement using smart cards,” Computers and Security, 23(2):167-173(2004).
[18] S. Kumari, M. Karuppiah, A. K. Das, et al, “Design of a secure anonymity-preserving authentication scheme for session initiation protocol using elliptic curve cryptography,” J Ambient Intell Human Comput, doi:10.1007/s12652-017-0460-1 (2017).
[19] H. Kilinc and T. Yanik, “A survey of SIP authentication and key agreement schemes,” IEEE Communications Surveys and Tutorials, doi:10.1109/SURV.2013.091513.00050(2013).
[20] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770-772(1981).
[21] F. W. Liu and H. Koenig, “Cryptanalysis of a SIP authentication scheme,” In: 12th IFIP TC6/TC11 International Conference, CMS 2011, Lecture Notes in Computer Science, 7025: 134-143(2011).
[22] Y. R. Lu, L. X. Li, and Y. X. Yang, “Robust and efficient authentication scheme for session initiation protocol,” Math Probl Eng, doi:10.1155/2015/894549. Article ID 894549, 9(2015).
[23] Y. R. Lu, L. X. Li, H. P. Peng, and Y. X. Yang, “A secure and efficient mutual authentication scheme for session initiation protocol,” Peer-to-Peer Netw Appl, 9(2):449-459 (2016).
[24] C. Shen, E. Nahum, H. Schulzrinne, and C. P. Wright, “The impact of TLS on SIP server performance: measurement and modeling,” IEEE/ACM Transactions on Networking, 20(4):1217-1230(2012).
[25] H. Tang and X. Liu, “Cryptanalysis of Arshad et al.’s ECC-based mutual authentication scheme for session initiation protocol,” Multimed Tools Appl, 65(3):165-178(2013).


[26] M. Thomas, “SIP Security Requirements,” IETF Internet Draft, Work In Progress Nov.(2001).
[27] J. L. Tsai, “Efficient nonce-based authentication scheme for session initia-
tion protocol,” Int J Netw Secur, 8(3):312-316(2009).
[28] H. Tu, N. Kumar, N. Chilamkurti, and S. Rho. “An improved authentica-
tion protocol for session initiation protocol using smart card,” Peer-to-Peer
Network Applied, (2014).
[29] D. Wang, D. He, P. Wang, and C. Chu. “Anonymous two-factor authenti-
cation in distributed systems: certain goals are beyond attainment,” IEEE
Trans Depend Secur Comput, 2015;12(4):428-442.
[30] D. Wang, Z. Zhang, P. Wang, “Targeted online password guessing: An
underestimated threat,” Proc. ACM CCS, 16: 1242-1254(2016).
[31] D. Wang and P. Wang, “On the implications of Zipf’s law in passwords,”
Proc. ESORICS, 111-131(2016).
[32] D. Wang and P. Wang, “Two birds with one stone: two-factor authentica-
tion with security beyond conventional bound,” IEEE Trans Depend Secur
Comput, 2016. https://doi.org/10.1109/TDSC.2016.2605087.
[33] J. Wei, X. Hu, and W. Liu, “An improved authentication scheme for
telecare medicine information systems,” J. Med. Syst, 36(6):3597-3604,
2012. doi:10.1007/s10916-012-9835-1.
[34] Q. Xie, “A new authenticated key agreement for session initiation proto-
col,” Int J Commun Syst, 25(1):47-54(2012).
[35] X. Xu, P. Zhu, Q. Wen, Z. Jin, H. Zhang, and L. He, “A secure and effi-
cient authentication and key agreement scheme based on ecc for telecare
medicine information systems,” J. Med. Syst, 38(1):1-7, 2014.
[36] W. H. Yang and S. P. Shieh, “Password authentication schemes with smart
cards,” Computers and Security, 18(8):727-733(1999).
[37] H. L. Yeh, T. H. Chen, and W. K. Shih, “Robust smart card secured
authentication scheme on SIP using elliptic curve cryptography,” Comput
Stand Interfaces, 36:397-402(2014).
[38] C. Yang, R. Wang, and W. Liu, “Secure authentication scheme for session
initiation protocol,” Comput Secur, 24:381-386(2005).
[39] E. J. Yoon and K. Y. Yoo, “Cryptanalysis of DS-SIP authentication scheme
using ECDH,” In: International Conference on New Trends in Information
and Service Science, 642-647(2009).
[40] E. J. Yoon and K. Y. Yoo, “A new authentication scheme for session
initiation protocol,” In: International Conference on Complex, Intelligent
and Soft-ware Intensive Systems, CISIS’09: 549-554(2009).
[41] E. J. Yoon, Y. N. Shin, I. S. Jeon, and K. Y. Yoo, “Robust mutual
authentication with a key agreement scheme for the session initiation
protocol,” IETE Tech Rev, 27(3):203-213(2010).
[42] Z. Zhang, Q. Qi , N. Kumar, N. Chilamkurti, and H. J. Jeong, “A se-
cure authentication scheme with anonymity for session initiation protocol
using elliptic curve cryptography,” Multimed Tools Appl, 74(10):3477-
3488(2015).
