Security Analysis and Improvement of ‘a More Secure Anonymous User Authentication Scheme for the Integrated EPR Information System’

Abstract

Over the past few years, secure and privacy-preserving user authentication scheme has become an integral part of the applications of the healthcare systems. Recently, Wen has designed an improved user authentication system over the Lee et al.’s scheme for integrated electronic patient record (EPR) information system, which has been analyzed in this study. We have found that Wen’s scheme still has the following inefficiencies: (1) the correctness of identity and password are not verified during the login and password change phases; (2) it is vulnerable to impersonation attack and privileged-insider attack; (3) it is designed without the revocation of lost/stolen smart card; (4) the explicit key confirmation and the no key control properties are absent, and (5) user cannot update his/her password without the help of server and secure channel. Then we aimed to propose an enhanced two-factor user authentication system based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group. Our scheme bears more securities and functionalities than other schemes found in the literature.

1 Introduction

Due to the rapid progress of the communication technologies and information security, anonymous and secure remote user mutual authentication schemes are widely employed in the integrated electronic patient record (EPR) information system [1–8]. The online services provided by the EPR information system not only save patient’s valuable time, but also helps doctor to take correct and quick clinical decision based on the digital information available on the remote location server of EPR information system [9–11]. In addition, with this online facility, the patient residing at home can access his/her confidential health report [12–15] stored on the EPR server through the internet. On the other hand, the doctor can access and analyze patient’s data and can also inform the patients in a timely manner. Accordingly, to provide such type of facilities to the patients and the doctors, many healthcare systems are now being replaced the traditional paper-based system with digital service over wireless networks [16–21]. However, the privacy and confidentiality of patient health data must be maintained when these are accessed from the server over the internet [22–24]. Since the internet is ubiquitous in nature and thus the malicious adversaries may try to collect the confidential data of the patients. Thus, a robust and flexible authentication scheme usable in integrated EPR information system is required to access patient’s data over any insecure channel [25–29].

1.1 Related Works

In order to maintain the security and privacy of the integrated EPR information system, many smart card based (two-factor) user authentication systems have been presented recently [2, 3, 30–34]. However, it has been analyzed from the security community that the previous schemes are no longer provide required security and functional requirements of a robust user authentication system [12, 13, 17, 25, 28, 29]. In 2012, Wu et al. [32] devised a new user authentication scheme for the integrated EPR information system with password and smart card. Then they argued that their scheme [32] resists all the vulnerabilities and includes all the functionalities. However, Lee et al. [2] demonstrated that Wu et al.’s scheme [32] is incapable to resist the stolen verifier attack and the lost smart card attack. Then an improved scheme was proposed by them and claimed that the scheme [2] is strong enough to remove the known vulnerabilities. Recently, Wen [3] has adopted the intractability assumption of the quadratic residue problem (QRP) [35, 36] and designed an enhanced scheme over the scheme proposed by Lee et al. [2].

1.2 Motivation and Contribution

The Wen’s scheme [3] is analyzed to be secure and efficient than other schemes [2, 35], however, this paper identifies many inefficiencies on Wen’s scheme [3]. This paper carefully analyzed that Wen’s scheme [3] is suffering from the following problems: (1) it can not check user identity and password in the login and password change phases; (2) it is weak against the impersonation attack and privileged-insider attacks; (3) it has no facility to revoke the lost/stolen smart card; (4) the explicit key confirmation and the no key control properties of the session key are absent, and (5) it does not update user password without any secure channel and the remote server’s assistance. In this study, the authors have considered all the security and functionality features, and consequently presented a new user authentication scheme, which is suitable for the application of integrated EPR information system. The performance studies have proved that the proposed design has eliminated the pitfalls of Wen’s scheme [3]. Our user authentication would be more applicable for healthcare applications, such as the integrated EPR information system.

1.3 Organization of the Paper

We organized the rest parts of this paper as follows. The quadratic residue problem required to understand the rest of this paper is explained in Section 2. We explained the Wen’s authentication scheme in Section 3. The weaknesses of Wen’s scheme are presented in Section 4. The improved scheme is proposed in Section 5, and its security and functionality discussions are proposed in Section 6. The Section 7 provides a comparative analysis and the Section 8 concludes the paper.

2 Quadratic Residue Problem

In this section, we briefly introduce the quadratic residue problem (QRP) [36]. Suppose that the composite number n is the product of two large prime numbers p and q. We can say that b is a quadratic residue modulus n, if the equation b ≡ a ² mod n is solvable in the multiplicative group $Z_n^{*}$. The set of quadratic residue modulo n is defined as

$$\begin{array}{ccc}\hfill Q{R}_n& =& \{b:\exists a\in Z_n^{*}\text{such}\text{that}b\equiv a^2\text{mod}n\}\hfill \end{array}$$ (1)

In cryptography, many schemes/protocols [3, 35] are designed under the intractability assumption of the QRP. The hardness assumption of QRP is equivalent to the factoring the large modulus n. That is for given b ∈ QR _n, it is infeasible for a polynomial time bounded algorithm to find a without factoring the public modulus n.

3 Description of the Wen’s User Authentication Scheme

Here, we present Wen’s two-factor user authentication scheme [3]. Initially, the remote medical server S selects two large prime numbers p, q and calculates the modulus as n = pq. Now, S made public n, whereas p and q are kept secret. The list of notations needed to understand the later part of the paper are described in Table 1.

Table 1. Descriptions of various notations.

Notations	Description
U i	The patient (User)
ID i	The identity of U i
PW i	The password of U i
S	The medical server of integrated EPR information system
K	The secret key of S
c i	The counter maintained in S’s database against the user U i
H(⋅)	The secure and collision-resistance one-way hash function
p, q	Two large prime numbers
n	The publicly known modulus such that n = pq
$b{\in }_R{Z}_n^{*}$	The number b randomly chosen from $Z_n^{*}$
⊕	The bitwise XOR operator
∥	The concatenation operator
SK	The session key agreed between U i and S
𝓐	The active/passive adversary

The following phases are used to described Wen’s authentication scheme.

3.1 Registration Phase

In this phase, the patient U _i performs the registration through secure channel to the integrated EPR information server S in order to obtain a valid smart card. We explained this phase by the following steps:

• Step 1. U _i sends a registration request with his/her 〈ID _i, PW _i〉 to S over a secure channel.

• Step 2. S verifies the correctness of ID _i and computes v = H(K⊕ID _i).

• Step 3. S calculates s ₁ = H(PW _i∣∣K), s ₂ = H(H(PW _i∣∣s ₁)) and N = v⊕s ₂.

• Step 4. S initiates a counter c _i = 0 against U _i and insert a tuple 〈ID _i, c _i〉 in the database. Then S issues a new smart card against U _i that includes the information 〈H(⋅), N, s ₁, c _i〉.

• Step 5. S sends the smart card to U _i over a secure channel.

3.2 Login Phase

For the login purpose, U _i performs the following steps:

• Step 1. U _i inserts the smart card into the specific card reader and keys his/her 〈ID _i, PW _i〉. Smart card then selects a number r and computes s ₂ = H(H(PW _i∣∣s ₁)).

• Step 2. Smart card computes c _i = c _i + 1 and M ₁ = (ID _i∣∣N∣∣s ₂∣∣r∣∣c _i)² mod n. Now, U _i sends M ₁ as a login message to S over a public network.

3.3 Authentication Phase

In this phase, the user (patient) U _i and the server S perform mutual authentication and then agreed on common secret session key. The description of this phase is given with the following steps:

• Step 1. When S received M ₁, then extracts (ID _i∣∣N∣∣s ₂∣∣r∣∣c _i) from M ₁ based on Chinese Remainder Theorem (CRT) using the secret primes p and q. Now, S takes the tuple 〈ID _i, $c_i^{\prime }\rangle$ from his/her own database and verifies whether $c_i^{\prime }>c_i$ holds. If $c_i^{\prime }>c_i$ is incorrect, then S aborts the session. Otherwise, S updates the tuple 〈ID _i, $c_i^{\prime }\rangle$ to 〈ID _i, c _i〉 and continues to the next steps.

• Step 2. S computes v = H(K⊕ID _i), $s_2^{\prime }=N\oplus v$ and verifies it with s ₂. If $s_2^{\prime }=s_2$, S then accepts U _i as an legitimate user. S computes the session key SK = H(s ₂∣∣r∣∣1).

• Step 3. S also performs the calculation of the response message as M ₂ = H(s ₂∣∣r∣∣0) and then sends it to U _i over a public network.

• Step 4. When U _i received M ₂, then computes $M_2^{\prime }$ = H(s ₂∣∣r∣∣0) and checks whether $M_2^{\prime }$ = M ₂ is correct or not. If $M_2^{\prime }\ne M_2$, U _i aborts the session. Otherwise, U _i authenticates S and computes the session key SK = H(s ₂∣∣r∣∣1).

The complete description of login phase and authentication phase of Wen’s scheme [3] is further presented in Table 2.

Table 2. Login and Authentication phases of Wen’s scheme [3].

User Ui/Smartcard		Server S
User Ui:
Insert ⟨ID i, PW i⟩
Smartcard:
Select a random number r
Compute s 2 = H(H(PW i∣∣s 1), c i = c i + 1
Compute M 1 = (ID i∣∣N∣∣s 2∣∣r∣∣c i)2 mod n
	$\underset{(\mathrm{\text{via a public channel}})}{\overset{M_1}{\to }}$
		Extract ⟨ID i, N, s 2, r, c i⟩ from M 1
		Obtain ⟨ID i, $c_i^{\prime }⟩$ from database
		If ($c_i^{\prime }\le c_i$)
		abort the session
		Else
		update ⟨ID i, $c_i^{\prime }⟩$ to ⟨ID i, c i⟩
		Compute v = H(K⊕ID i), $s_2^{\prime }=N\oplus v$
		If ($s_2^{\prime }\ne s_2$)
		abort the session
		Else
		authenticate U i
		Compute the session key SK = H(s 2∣∣r∣∣1)
		Compute M 2 = H(s 2∣∣r∣∣0)
	$\underset{(\mathrm{\text{via a public channel}})}{\overset{M_2}{\leftarrow }}$
Smartcard:
Compute $M_2^{\prime }$ = H(s 2∣∣r∣∣0)
If ($M_2^{\prime }$ M 2)
abort the session
Else
authenticate S
Compute the session key SK = H(s 2∣∣r∣∣1)

3.4 Password Change Phase

This phase is executed by U _i and in the cooperation of S. By this phase, U _i is allowed to update his/her old password to a new password with the following operations:

• Step 1. U _i delivers his/her 〈ID _i, PW _i, PW _new〉 to S using a secure channel.

• Step 2. S computes v = H(K∣∣ID _i), $s_1^{*}$ = H(PW _new∣∣K), $s_2^{*}=H(H(P{W}_{new}\mid \mid s_1^{*}))$ and $N^{*}=v\oplus s_2^{*}$. S then securely sends $\langle s_1^{*}$, N*〉 to U _i. On receiving $\langle s_1^{*}$, N*〉 from S, U _i updates the old smart card’s memory as 〈ID _i, H(⋅), N*, $s_1^{*}\rangle$.

Note: In the password change phase of Wen’s scheme [3], the counter c _i is not incorporated in the smart card and we consider it as typo. Here we assumed that S sends the tuple $\langle s_1^{*}$, N*〉 to U _i and then U _i updates the old smart card’s memory to 〈H(⋅), N*, $s_1^{*}$, c _i〉.

4 Security Pitfalls of Wen’s Authentication Scheme

This section is presented to identify and analyze the security and design issues of Wen’s authentication scheme [3]. The following problems have been observed and their detailed descriptions are given below:

4.1 Login Phase is Inefficient and Unfriendly

We claimed that the design of login phase of Wen’s authentication scheme is inefficient and unfriendly. In this phase, U _i keys his/her 〈ID _i, PW _i〉 into the smart card and then the smart card computes the login message M ₁ without verifying the correctness of the entered login identity ID _i and the password PW _i. If U _i incorrectly enters the login identity and the password by mistake, then the smart card computes the incorrect login message M ₁ and then transfer it to S. On receiving M ₁, S checks it and accordingly informs U _i. Therefore, the correctness of 〈ID _i, PW _i〉 will be checked by S not by the smart card. However, this kind of design puts unnecessary burden on S. In the literature, efficient smart card based authentication schemes are proposed [28, 29, 37] where instead of S, the smart card is responsible for checking the correctness of 〈ID _i, PW _i〉 before computing the login message M ₁. The complete description of the problem we pointed out in Wen’s scheme [3] is explained as follows:

• Case 1: Here we will show how the login and authentication phases will faced problem if U _i mistakenly insert the incorrect login identity $I{D}_i^{*}$ instead of the correct identity ID _i.

  • Step 1. U _i enters $\langle I{D}_i^{*}$, PW _i〉 into the smart card and then the smart card selects a random number r and calculates s ₂ = H(H(PW _i∣∣s ₁), c _i = c _i + 1 and M ₁ = ${(I{D}_i^{*}\mid \mid N\mid \mid s_2\mid \mid r\mid \mid c_i)}^2$ mod n. The smart card then sends M ₁ to S over a public channel.
  • Step 2. In the authentication phase, S extracts $(I{D}_i^{*}\mid \mid N\mid \mid s_2\mid \mid r\mid \mid c_i)$ from M ₁ based on the Chinese Remainder Theorem (CRT) using the secret primes p and q. Now, S observed that $I{D}_i^{*}$ is incorrect by comparing it with the tuples 〈ID _i, $c_i^{\prime }\rangle$ stored in the database and accordingly he/she aborts the session.
• Case 2: Now we show that the login and authentication phases of Wen’s scheme [3] will suffer from the problem as described below if U _i mistakenly insert the incorrect password $P{W}_i^{*}$ instead of the correct password PW _i.

  • Step 1. U _i enters 〈ID _i, $P{W}_i^{*}\rangle$ into the smart card and then the smart card selects a random number r and calculates $s_2^{*}=H(H(P{W}_i^{*}\mid \mid s_1)$, c _i = c _i + 1 and M ₁ = ${(I{D}_i\mid \mid N\mid \mid s_2^{*}\mid \mid r\mid \mid c_i)}^2$ mod n. The smart card then sends M ₁ to S over a public network.
  • Step 2. In the authentication phase, S extracts $(I{D}_i\mid \mid N\mid \mid s_2^{*}\mid \mid r\mid \mid c_i)$ from M ₁ based on the Chinese Remainder Theorem (CRT) using the secret primes p and q. In this case, S found that ID _i and the condition $c_i^{\prime }>c_i$ are correct and thus performs additional verifications. Then S computes v = H(K⊕ID _i) and

    $$\begin{array}{ccc}\hfill s_2^{\prime }& =& N\oplus v\hfill \\ & =& v\oplus s_2\oplus v\hfill \\ & =& s_2\hfill \\ & =& H\left(H\right(P{W}_i\left|\right|s_1\left)\right)\hfill \\ & \ne & s_2^{*}\left[\text{Since}H\right(H(P{W}_i^{*}\left|\right|s_1)\ne H(H(P{W}_i\left|\right|s_1\left)\right]\hfill \end{array}$$

    Although, U _i is a legal user, however, S rejects him/her since the verification equation $s_2^{\prime }$ = $s_2^{*}$ is not satisfied.

From the above discussions, we can assured that an efficient and robust authentication scheme must verifies the login identity and password before proceed to the authentication phase.

4.2 Password Change Phase is Inefficient and Unfriendly

The password change phase of Wen’s scheme [3] is also inefficient and unfriendly [28, 29, 37]. In this phase, U _i sends his/her 〈ID _i, PW _i, PW _new〉 to S through a secure channel. S computes v = H(K∣∣ID _i), $s_1^{*}$ = H(PW _new∣∣K), $s_2^{*}=H(H(P{W}_{new}\mid \mid s_1^{*}))$ and $N^{*}=v\oplus s_2^{*}$. S then securely sends $\langle s_1^{*}$, N*〉 to U _i. On receiving $\langle s_1^{*}$, N*〉 from S, U _i updates the smart card’s memory as 〈ID _i, H(⋅), N*, $s_1^{*}$, c _i〉. However, the following inefficiencies have been observed in Wen’s scheme:

• Case 1: The user U _i must used a secure channel to deliver 〈ID _i, PW _i, PW _new〉 to S and S also used the secure channel to send $\langle s_1^{*}$, N*〉 to U _i. However, each and every password change, Wen’s scheme [3] needs two secure communication channels and it is costly and difficult to achieve in real environments. As a result, U _i will not be interested to change his/her password periodically. However, due to the security reasons, it is recommended to change the password periodically.

• Case 2: For the password change operation of smart card based authentication scheme, it is recommended that the smart card itself change the password without any connection with the remote server S [37].

• Case 3: During the password change, the correctness of the entered old identity and password 〈ID _i, PW _i〉 must be verified before changing the old password PW _i to a new password PW _new.

However, all of the aforesaid conditions are not incorporated in the password change phase of the Wen’s authentication scheme [3].

4.3 Impersonation Attack

In Wen’s scheme, the old password PW _i has no role in the password change operation. Therefore, if the adversary chooses two random passwords $P{W}_i^{\prime }$ and $P{W}_i^{\prime \prime }$, and issues a password change request on behalf of U _i to S by sending 〈ID _i, $P{W}_i^{\prime }$, $P{W}_i^{\prime \prime }\rangle$. Upon receiving the password change request, S computes v = H(K∣∣ID _i), $s_1^{\prime \prime }$ = $H(P{W}_i^{\prime \prime }\mid \mid K)$, $s_2^{\prime \prime }=H(H(P{W}_i^{\prime \prime }\mid \mid s_1^{\prime \prime }))$ and $N^{\prime \prime }=v\oplus s_2^{\prime \prime }$, and sends $\langle s_1^{\prime \prime }$, N′′〉 to the adversary. Upon receiving $\langle s_1^{\prime \prime }$, N′′〉, the adversary chooses a sufficiently large value $c_i^{\prime \prime }$ as the counter and then stores the tuple 〈ID _i, H(⋅), N′′, $s_1^{\prime \prime }$, $c_i^{\prime \prime }\rangle$ into a smart card. It can be noted that, the adversary can successfully impersonate U _i by using this smart card and 〈ID _i, $P{W}_i^{\prime \prime }\rangle$.

4.4 Privileged-Insider Attack

It is difficult for a user to remember a number of passwords, if he/she registers himself/herself to different applications or servers with different passwords [37, 38]. Therefore, it is common in real-life environments that a user accesses a number of servers with the common password and identity. However, if the password of the user is known by some means to the privileged-insider of a server, then of course he may try to impersonate the user to access other application servers. We can define the insider attacker is any manager of the authentication server, whose intention is to leak the secret information leading to compromise the system. In the registration phase of Wen’s authentication scheme [3], U _i transmitted 〈ID _i, PW _i〉 in plaintext form to S, then the malicious privileged-insider of S may impersonate U _i by login to other application servers using the known 〈ID _i, PW _i〉. Therefore, Wen’s authentication scheme is not secure against privileged-insider attack.

4.5 Absence of Lost/Stolen Smart Card Revocation Phase

In a smart card based authentication scheme, the revocation of lost/stolen smart card plays a vital role in order to provide the adequate security to the end user [39]. However, Wen’s scheme [3] has not offered such an important security features. In the design of two-factor user authentication system, most of the researchers offers a realistic assumption that the smart card is non-temper resistance. It includes that if an adversary obtains a smart card, then he/she can perform some off-line analysis by monitoring the timing information, power consumption and reverse engineering techniques as presented in [40–42] and can obtain the information from the lost smart card. Now the adversary may apply some off-line procedure on the extracted information and may get success to find the correct password of the user. If the adversary found the correct password, then he/she can masquerade the corresponding legal user by using the guessed password and the lost smart card [37–39]. Thus, the cryptographic research community suggested that the lost/stolen smart card revocation phase must be incorporated in two-factor user authentication scheme so that the remote server can distinguish the lost smart card and the new smart card.

4.6 Absence of Explicit Session Key Confirmation Property

According to the analysis provided in [43], an authenticated key agreement (AKA) scheme must have the explicit session key confirmation (implicit key authentication and key confirmation) property. The implicit key conformation property includes that the user X is assured that Y can compute the session key. However, the explicit key confirmation property states that the user X is assured that the user Y has actually computed the session key. Therefore, only the explicit key confirmation property provides the stronger assurances that X and Y hold the same session key. A key agreement scheme that includes explicit key authentication is termed as authenticated key agreement with key confirmation (AKC) scheme. In the authentication phase of Wen’s scheme [3], S computes M ₂ = H(s ₂∣∣r∣∣0) and sends it to U _i. On receiving M ₂, U _i computes $M_2^{\prime }$ = H(s ₂∣∣r∣∣0) and authenticates S if the verification $M_2^{\prime }$ = M ₂ is correct. After this verification, U _i computes the session key as SK = H(s ₂∣∣r∣∣1). As the authentication message M ₂ does not include the session key information, therefore, the explicit session key confirmation property is not achieved in Wen’s authentication scheme.

4.7 Absence of No Key Control Property

The no key control property of an AKA scheme means that none of the users have control over others [38, 43, 44]. That is none of the users or even an adversary can force other so that the session key to be a pre-selected value or it may lie within a set consisting of small number of elements. Thus, we can say that an AKA scheme has the no key control property if the session key is computed with the contributions of all the participants. In Wen’s scheme [3], we observed that the final session key agreed between U _i and S is SK = H(s ₂∣∣r∣∣1), where U _i chooses the random number r. Now it is clear that S has no contribution on the session key. Therefore, the no key control property is absent in Wen’s authentication scheme.

5 The Proposed User Authentication Scheme

In the following, an improved user authentication scheme is presented that not only eliminates the inefficiencies of Wen’s authentication scheme [3], but also includes additional security and functional properties of a two-factor authentication scheme. Similar to the Wen’s scheme, the security of our user authentication scheme is based on the intractable assumption of the quadratic residue problem (QRP) in the multiplicative group $Z_n^{*}$ [3, 35, 36]. Initially, the remote server S of the integrated EPR information system selects two large prime numbers p, q. S discloses the public modulus n, whereas p and q are kept secret from the outsiders. S also selects $K{\in }_R{Z}_n^{*}$ as his/her secret (private) key. Our enhanced scheme includes the following phases, called registration phase, login phase, authentication phase, password change phase and lost/stolen smart card revocation phase. The complete explanation of these phases are given below.

5.1 Registration Phase

In this phase, a legal user U _i registerers himself/herself to the remote server S and obtains a valid medical smart card from S. The following steps are executed by U _i and S:

• Step 1. U _i issues a registration request with his/her identity ID _i to S over a secure channel.

• Step 2. On receiving ID _i, S checks whether ID _i is fresh or not. If it is found in the S’s database, then S informs U _i to supply a fresh login identity. Otherwise, S selects a number $b_i{\in }_R{Z}_n^{*}$ and then computes A _i = H(ID _i∣∣K∣∣b _i). After that, S initiates a counter c _i = 0 [3] and selects a new smart card that includes the information 〈H(⋅), n, A _i, c _i〉. Then S securely delivers the smart card to the user U _i. S includes the tuple 〈ID _i, c _i, b _i〉 into the database [45].

• Step 3. On receiving the smart card, U _i inserts the smart card into the card reader and keys his/her login identity ID _i and the password PW _i into the smart card. Then the smart card computes B _i = H(ID _i∣∣PW _i), C _i = A _i⊕B _i and D _i = H(A _i∣∣B _i). Now the smart card deletes the information 〈A _i, B _i〉 from the memory and then updates it by the tuple 〈H(⋅), n, C _i, D _i, c _i〉.

5.2 Login Phase

In this phase, U _i computes a login message and sends it to S for verification. The login phase includes the following steps:

• Step 1. U _i inserts the smart card into the specific card reader and keys his/her 〈ID _i, PW _i〉 into the smart card. The smart card computes B _i = H(ID _i∣∣PW _i), A _i = C _i⊕B _i and $D_i^{\prime }$ = H(A _i∣∣B _i). The smart card aborts the login process if $D_i^{\prime }\ne D_i$ holds. Otherwise, the smart card executes the following steps.

• Step 2. The smart card computes c _i = c _i + 1 and the login message M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n, where the number $a{\in }_R{Z}_n^{*}$ is chosen by the smart card. Then the smart card sends M ₁ to S over a public network.

5.3 Authentication Phase

• Step 1. Upon receiving M ₁, S then obtains (ID _i∣∣A _i∣∣a∣∣c _i) from M ₁ using the Chinese Remainder Theorem (CRT) with p and q. Now, S retrieves the tuple 〈ID _i, $c_i^{\prime }$, b _i〉, which is indexed by ID _i, from the database and compares whether $c_i^{\prime }>c_i$ holds. If it is incorrect, S terminates the session. Otherwise, S updates the tuple 〈ID _i, $c_i^{\prime }$, b _i〉 to 〈ID _i, c _i, b _i〉 and continues to the next step.

• Step 2. Now, S computes $A_i^{\prime }$ = H(ID _i∣∣K∣∣b _i) and verifies whether $A_i^{\prime }=A_i$ holds. If it is incorrect, S terminates the session, otherwise accepts the login message M ₁ and authenticates U _i.

• Step 3. S selects a number $b{\in }_R{Z}_n^{*}$ and computes d = a⊕b, the session key SK = H(ID _i∣∣a∣∣b∣∣A _i) shared with U _i and M ₂ = H(ID _i∣∣A _i∣∣d∣∣SK). Then S delivers the message {d, M ₂} to U _i over a public network.

• Step 4. On receiving {d, M ₂}, U _i computes b = d⊕a, the session key SK = H(ID _i∣∣a∣∣b∣∣A _i) and $M_2^{\prime }$ = H(ID _i∣∣A _i∣∣d∣∣SK). If $M_2^{\prime }\ne M_2$, U _i terminates the session. Otherwise, U _i authenticates S and accepts SK as the correct session key shared with S.

5.4 Password Change Phase

In the password change phase, the smart card is allowed to independently (i.e., without any assistance of S) change U _i’s old password PW _i to the new password $P{W}_i^n$. We described the password change phase with the following steps:

• Step 1. U _i inserts the smart card into the specific device and then keys his/her 〈ID _i, PW _i〉 into the smart card. The smart card then computes B _i = H(ID _i∣∣PW _i), A _i = C _i⊕B _i and $D_i^{\prime }$ = H(A _i∣∣B _i). The smart card aborts the password change if $D_i^{\prime }\ne D_i$ holds. Otherwise, the smart card executes the next step.

• Step 2. The smart card computes $B_i^n$ = $H(I{D}_i\mid \mid P{W}_i^n)$, $C_i^n$ = $A_i\oplus B_i^n$ and $D_i^n$ = $H(A_i\mid \mid B_i^n)$. Now, the smart card updates the tuple 〈H(⋅), n, C _i, D _i, c _i〉 to tuple 〈H(⋅), n, $C_i^n$, $D_i^n$, c _i〉 into the memory.

5.5 Stolen/Lost Smart Card Revocation Phase

This phase is designed to issue a new smart card if U _i lost his/her old smart card. The description of this phase includes the following steps:

• Step 1. The user U _i sends the smart card revocation request with his/her identity ID _i to S over a secure channel.

• Step 2. S verifies the correctness of the identity ID _i. If it is invalid, S terminates the request. Otherwise, S selects a new number $b_i^{\prime }{\in }_R{Z}_n^{*}$ and then computes $A_i^{\prime }=H(I{D}_i\mid \mid K\mid \mid b_i^{\prime })$. S updates the tuple 〈ID _i, c _i, b _i〉 to 〈ID _i, c _i, $b_i^{\prime }\rangle$ into his/her database. Now, S writes the information 〈H(⋅), n, $A_i^{\prime }$, c _i〉 into a new smart card and delivers it to U _i through a secure channel.

• Step 3. On receiving the new smart card, U _i inserts it into the card reader and inputs his/her login identity ID _i and the new password $P{W}_i^{\prime }$ into the smart card. Then the smart card computes $B_i^{\prime }$ = $H(I{D}_i\mid \mid P{W}_i^{\prime })$, $C_i^{\prime }$ = $A_i^{\prime }\oplus B_i^{\prime }$ and $D_i^{\prime }$ = $H(A_i^{\prime }\mid \mid B_i^{\prime })$. Now the smart card deletes the information $\langle A_i^{\prime }$, $B_i^{\prime }\rangle$ form the smart card and then updates the smart card’s memory with the tuple 〈H(⋅), n, $C_i^{\prime }$, $D_i^{\prime }$, c _i〉.

The complete description of the Login and Authentication phases of our user authentication scheme is further presented in Table 3.

Table 3. Login and authentication phases of the proposed user authentication scheme.

User Ui/Smartcard		Server S
User Ui:
Insert ⟨ID i, PW i⟩
Smartcard:
Compute B i = H(ID i∣∣PW i), A i = C i⊕B i
Compute $D_i^{\prime }$ = H(A i∣∣B i)
If ($D_i^{\prime }\ne D_i$)
terminate the session
Else
compute c i = c i + 1
Choose $a{\in }_R{Z}_n^{*}$
Compute M 1 = (ID i∣∣A i∣∣a∣∣c i)2 mod n
	$\underset{(\mathrm{\text{via a public channel}})}{\overset{M_1}{\to }}$
		Obtain ID i, A i, a, c i from M 1
		Retrieve ⟨ID i, $c_i^{\prime }$, b i⟩ from database
		If ($c_i^{\prime }\le c_i$)
		terminate the session
		Else
		update ⟨ID i, $c_i^{\prime }$, b i⟩ to ⟨ID i, c i, b i⟩
		Compute $A_i^{\prime }$ = H(ID i∣∣K∣∣b i)
		If ($A_i^{\prime }\ne A_i$)
		terminate the session
		Else
		select $b{\in }_R{Z}_n^{*}$
		Compute d = a⊕b and
		Session key SK = H(ID i∣∣a∣∣b∣∣A i)
		Compute M 2 = H(ID i∣∣A i∣∣d∣∣SK)
	$\underset{(\mathrm{\text{via a public channel}})}{\overset{\{d,M_2\}}{\leftarrow }}$
Smartcard:
Compute b = d⊕a and
Session key SK = H(ID i∣∣a∣∣b∣∣A i)
Compute $M_2^{\prime }$ = H(ID i∣∣A i∣∣d∣∣SK)
If ($M_2^{\prime }\ne M_2$)
terminate the session
Else
authenticate S and
Accept SK as session key

6 Security and Functionality Analysis of the Proposed Scheme

This section is designed to prove the security and functionality strengths of our proposed scheme [46–48]. Now, we described the following assumptions about the attack capability of active and passive adversaries:

• The adversary $\mathcal{\text{A}}$ controls the communication channel [49, 50] i.e., he/she may intercept, block, inject, remove, or modify, any messages transmitted over the public media, in other words, all the messages communicated between U _i and S are transmitted via $\mathcal{\text{A}}$.

• $\mathcal{\text{A}}$ may either (i) theft U _i’s smart card and obtain the secret data from it through monitoring the timing information, power consumption and reverse engineering techniques which are proposed in [40–42] and try to obtain U _i’s correct password in any off-line manner; or (ii) obtain U _i’s password directly by some means. However, $\mathcal{\text{A}}$ cannot do both (i) and (ii) [37, 38].

Based on the aforesaid assumptions, the following theorems have been stated and proved against the proposed user authentication scheme.

Theorem 1. The proposed user authentication scheme could provide the user anonymity and user unlinkability.

Proof. Users’ anonymity or secrecy, i.e., the protection of user’s identity from the adversary is a great concern in many internet applications including integrated EPR information system, telecare medical information system (TMIS), online order placement, Pay-TV, wireless communications, banking transactions, etc [51–53]. The anonymity means that an adversary $\mathcal{\text{A}}$ cannot figure out the real identity ID _i of U _i from the eavesdropped authentication messages M ₁ and {d, M ₂}. Suppose that $\mathcal{\text{A}}$ captures U _i’s authentication message M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n for a session. However, $\mathcal{\text{A}}$ cannot retrieve the identity ID _i from M ₁ due to the difficulties of quadratic residue problem and from M ₂ due to the one-way property of the hash function H(⋅). On the other hand, $\mathcal{\text{A}}$ cannot link that the two authentication messages M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n and $M_1^{\prime }$ = ${(I{D}_i\mid \mid A_i\mid \mid a^{\prime }\mid \mid c_i^{\prime })}^2$ mod n belong to the same user U _i and as a result the proposed scheme satisfies user anonymity and unlinkability [38, 45, 54].

Theorem 2. The proposed user authentication scheme could provide the perfect forward secrecy of the session key.

Proof. The perfect forward secrecy [43, 45, 55] ensures that a session key derived in a session will remains undisclosed even if the server’s secret key is compromised. In the proposed scheme, the session key is computed as SK = H(ID _i∣∣a∣∣b∣∣A _i), where A _i = H(ID _i∣∣K∣∣b _i) and the random numbers a and b are chosen by U _i and S, respectively. Therefore, even if $\mathcal{\text{A}}$ has the knowledge of secret key K of S, $\mathcal{\text{A}}$ needs to be extract a and b from M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n and {d = a⊕b, M ₂ = H(ID _i∣∣A _i∣∣d∣∣SK)} to derive the session key SK, however this is infeasible due to the quadratic residue problem [3, 35]. Thus, our scheme provides the functionality of session key perfect forward secrecy.

Theorem 3. The proposed user authentication scheme could resist the replay attack.

Proof. In replay attack, the adversary $\mathcal{\text{A}}$ captured a valid login message of previous session and then fraudulently replayed to current session to impersonate U _i or S. Assume that, in our scheme, $\mathcal{\text{A}}$ captured the previous login message M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n of U _i and replays it in the current session. However, S quickly detects that M ₁ is a replay message by comparing the counter c _i in the message M ₁ with the counter $c_i^{\prime }$ retrieves from S’s database. When U _i sends M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n to S, then S verifies it and stores the counter c _i to the tuple 〈ID _i, c _i, b _i〉. Now, if the same M ₁ is replayed by the adversary in future session then the computed counter c _i is equal to or less than the retrieved counter c _i. The counter c _i helps S to detect the replay attack [3]. Thus, the proposed user authentication scheme avoids the replay attack.

Theorem 4. The proposed user authentication scheme could resist the modification/forgery attack.

Proof. In the login phase, U _i sends M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n to S and S responds with the message {d = a⊕b, M ₂ = H(ID _i∣∣A _i∣∣d∣∣SK)} to U _i over an open channel. Since A _i is protected in M ₁ based on the difficulty of solving the QRP and in M ₂ by the one-way property of the hash function H(⋅), any modification of M ₁ and M ₂ by the adversary $\mathcal{\text{A}}$ will be detected by U _i and S through the verification equations $c_i^{\prime }>c_i$, $A_i^{\prime }=A_i$ and $M_2^{\prime }=M_2$. Therefore, our authentication scheme protects this kind of modification/forgery attack.

Theorem 5. The proposed user authentication scheme could resist the privileged-insider attack.

Proof. To make the convenient access of different application servers, user generally registers himself/herself by the common login identity and passwords. It is harmful for the user that if the password is compromised to the privileged-insider of a server, then he/she can easily impersonate the user and can login to other applications. In the registration phase of our scheme, U _i only sends his/her login identity ID _i not any password to S. Upon receiving the smart card from S, U _i inserts his/her PW _i into the smart card. As a result, PW _i is not exposed to the privileged-insider of S. Therefore, our scheme withstands the privileged-insider attack.

Theorem 6. The proposed user authentication scheme could provide the off-line password guessing attack from lost/stolen smart card.

Proof. The off-line password guessing attack is infeasible in our scheme. Assume that 𝓐 obtains U _i’s smart card and extracts the parameters 〈H(⋅), n, C _i, D _i, c _i〉, where C _i = H(ID _i∣∣K∣∣b _i)⊕H(ID _i∣∣PW _i) and D _i = H(H(ID _i∣∣K∣∣b _i)∣∣H(ID _i∣∣PW _i)). Now $\mathcal{\text{A}}$ may try to guess the correct password PW _i of U _i in off-line processes. However, without knowing K and b _i, $\mathcal{\text{A}}$ cannot find PW _i. Thus, our user authentication scheme strongly resists the off-line password guessing attack from lost/stolen smart card.

Theorem 7. The proposed user authentication scheme could resist the ephemeral secret leakage attack.

Proof. This attacks states that the none of the session keys should be compromised with the disclosures of session random numbers (ephemeral secrets) [56]. The ephemeral secrets may be compromised [37, 45] and it is quite common in real environments due to the following reasons: (i) user and server depended on the internal/external source of random number generator which may be controlled by $\mathcal{\text{A}}$ and (ii) the random numbers are generally stored in insecure device. If the random numbers aren’t erased properly in each session, $\mathcal{\text{A}}$ may hijack users’ computer and learn the random numbers. In our scheme, U _i and S generate the session key as SK = H(ID _i∣∣a∣∣b∣∣A _i), where A _i = H(ID _i∣∣K∣∣b _i). Suppose that 〈a, b〉 is disclosed and $\mathcal{\text{A}}$ knows it. However, $\mathcal{\text{A}}$ cannot compute SK without A _i. Therefore, the ephemeral secret leakage attack is infeasible in the proposed scheme.

Theorem 8. The proposed user authentication scheme could resist the known-key attack.

Proof. This attack states that, none of the session keys are compromised even if the adversary $\mathcal{\text{A}}$ knows some other session keys [43]. In our scheme, U _i and S establish a session key SK = H(ID _i∣∣a∣∣b∣∣A _i), where A _i = H(ID _i∣∣K∣∣b _i). The numbers a and b are randomly chosen from $Z_n^{*}$ and hence SK is also random and independent in each session. Therefore, with the knowledge of previous session keys $\mathcal{\text{A}}$ cannot compute a new session key. Accordingly, the known-key attack is impossible in our user authentication scheme.

Theorem 9. The proposed user authentication scheme could resist the unknown key-share attack and provide the explicit key confirmation property of the agreed session key.

Proof. The unknown key-share attack [43] is a situation that U _i finishes the session by believing that he/she shares the session key SK correctly with S, however, S mistakenly believes that SK is instead shared with the adversary $\mathcal{\text{A}}$. In the proposed scheme, S computes the session key SK after validating the messages M ₁. To validate the message {d, M ₂} and to get the confirmation about the agreed session key SK, U _i computes SK = H(ID _i∣∣a∣∣b∣∣A _i), $M_2^{\prime }$ = H(ID _i∣∣A _i∣∣d∣∣SK) and authenticates S and accepts SK as the correct session key if the condition $M_2^{\prime }=M_2$ hold. Therefore, U _i and S mutually authenticate each other and then compute the session key SK, accordingly our scheme enjoys the unknown key-share attack resilience and explicit key confirmation of the session key.

Theorem 10. The proposed user authentication scheme could provide efficient and user friendly password change option.

Proof. Our scheme gives the flexibility to the user to choose low-entropy password by himself/herself and change the password periodically without remote server’s assistance [28, 29]. Moreover, the proposed scheme detects the wrong password and identity during the login phase and password change phase. In these processes, if U _i keys either wrong password $P{W}_i^{*}$ or identity $I{D}_i^{*}$ by mistake, the smart card reports the error message to U _i without any consultation with S [37]. On the other hand, if $\mathcal{\text{A}}$ thefts U _i’s smart card, however, he/she does not have the capability to update smart card’s memory without correct password PW _i, and consequently the denial of service (DoS) attack is eliminated in our scheme. If $\mathcal{\text{A}}$ tries to do the same with wrong password, the smart card will be locked immediately if the number of login failure exceeds the pre-defined limit.

Theorem 11. The proposed user authentication scheme could provide mutual authentication and session key agreement between the user and the remote server.

Proof. In our scheme, S authenticates U _i’s login message M ₁ = (ID _i∣∣A _i∣∣a∣∣c _i)² mod n by verifying the conditions $c_i^{\prime }>c_i$ and $A_i^{\prime }=?A_i$. Similarly, U _i verifies S’s response message 〈d, M ₂〉 by validating whether $M_2^{\prime }=M_2$ holds. Without 〈PW _i, K〉, $\mathcal{\text{A}}$ cannot impersonate none of U _i and S. Hence, the secure mutual authentication between U _i and S is achieved in our scheme. Moreover, after mutual authentication, U _i and S compute a random and unique session key SK = H(ID _i∣∣a∣∣b∣∣A _i), where A _i = H(ID _i∣∣K∣∣b _i).

7 Performance Analysis of the Proposed Scheme

In the following, we have performed the comparison analysis of our authentication scheme with the schemes proposed in [3, 34, 57–59]. Here, the following notations are described for this purpose:

• t _h : Time needed to execute a hash function.

• t _m : Time needed to execute a modular squaring computation.

• t _q : Time needed to execute a square root operation with the modulus n.

The comparative result of the proposed scheme and the schemes in [3, 34, 57–59] from the aspects of computation cost and communication round is listed in the Table 4. Our scheme proposed all the required phases where the schemes in [3, 34, 57–59] do not have password change phase and smartcard revocation phase. Furthermore, we observed that our scheme is more robust and computation and communication cost efficient than the schemes devised in [3, 34, 57–59].

Table 4. Computation cost comparison of the proposed user authentication scheme with others.

Attributes	Wen [3]	Zhu [34]	Wu et al. [57]	Cheng et al. [58]	Lee [59]	Proposed
A 1	2t h + t m	2t h + t m	2t h + t m	t h	2t h	2t h
A 2	9t h + t q	5t h + t q	6t h + t m + 2t q	12t h + t m + t q	8t h + t m + 2t q	5t h + t m + t q
A 3	4t h	4t h + t m	NA	NA	NA	4t h
A 4	NA	NA	NA	NA	NA	3t h
A 5	2	3	2	2	2	2

A ₁: Computation cost in registration phase, A ₂: Computation cost in login phase and authentication phase, A ₃: Computation cost in password change phase, A ₄: Computation cost in smartcard revocation phase, A ₅: Number of message communications, NA: Not applicable (this pase is not proposed by the author (s)).

We also given a comparison in Fig 1 against the number of operations used in the registration and login phased of the schemes in [3, 34, 57–59] with the proposed scheme.

Fig 1. Number of hash, modular squaring and square root operations for registration and login phases.

In 2011, based on QRP, Wu et al [57] proposed a user authentication scheme using smartcard. However, the scheme is vulnerable to (1) privileged-insider attack since the plaintext password is sending to the server for registration, (2) the scheme does not verify the keyed password and identity in the login phase, (3) the scheme does not have password change phase, (4) it has no provision to revoke the lost/stolen smart card, (5) no session key agreement method is proposed and (6) user anonymity and unlinkability are violated as the identity is transmitted in plaintext form. In the year 2012, in order to ensure users’ privacy, Zhu [34] proposed a user authentication schemes for telecare medicine information systems. We carefully observed that the Zhu’s scheme [34] is not free from attack since (1) the scheme does not verify the correctness of the login identity and password in the login phase, (2) the scheme does not verify the correctness of the login identity and password in the password change phase, (3) the scheme has no provision to revoke the smartcard in case if the smartcard is stolen or lost, (4) the scheme does not design a session key agreement method during login and authentication phases, (5) user anonymity and user untracibility are not present in this scheme. In 2013, Cheng et al. [58] proposed a a biometric-based remote user mutual authentication and session key agreement scheme using QRP. However, Yoon [60] showed that the scheme is insecure from the stolen smart card attack, server spoofing attack and does not provide session key forward secrecy. We also observed that the scheme does not have provision for password change and lost/stolen smart card revocation. In addition, the scheme does not verify the correctness of keyed identity and password in the login phase. Further, the scheme is also suffered from the ephemeral secrets leakage attack as the session key solely depended on the random numbers chosen by the user and server. In 2015, Lee [59] proposed an efficient smartcard-based two-factor remote user mutual authentication scheme. However, we observed that the scheme is not secure since (1) the scheme does not proposed any password change method, (2) the scheme does not proposed any lost/stolen smart card revocation method, (3) The scheme has no provision for session key agreement during login and authentication phases, (4) the scheme does not verify the keyed password and identity in the login phase, (5) the privileged-insider attack since the plaintext password is sending to the server for registration.

In the comparative analysis of the proposed scheme and the schemes [3, 34, 57–59] with respect to security and functionality are included in the Table 5. Form Tables 4 and 5, it can be see that the proposed user authentication scheme includes more security and functional features compared to [3, 34, 57–59].

Table 5. Security and functionality comparison of the proposed scheme with other existing schemes.

Attributes	Wen [3]	Zhu [34]	Wu et al. [57]	Cheng et al. [58]	Lee [59]	Proposed
F 1	No	No	No	No	No	Yes
F 2	No	No	NA	NA	NA	Yes
F 3	No	Yes	Yes	No	Yes	Yes
F 4	No	Yes	No	Yes	No	Yes
F 5	No	No	No	No	No	Yes
F 6	No	NA	NA	No	NA	Yes
F 7	No	NA	NA	Yes	NA	Yes
F 8	No	Yes	NA	No	No	Yes
F 9	Yes	NA	NA	No	No	Yes
F 10	Yes	No	No	Yes	Yes	Yes
F 11	Yes	Yes	Yes	Yes	Yes	Yes
F 12	Yes	Yes	Yes	Yes	Yes	Yes
F 13	Yes	Yes	NA	No	Yes	Yes
F 14	Yes	Yes	Yes	Yes	Yes	Yes

F ₁: Login identity and password detection in the login phase; F ₂: Login identity and password detection in the password change phase; F ₃: Impersonation attack is avoided; F ₄: Privileged-insider attack is avoided; F ₅: Lost/stolen smart card revocation phase is present; F ₆: Explicit session key confirmation property is present; F ₇: No key control property is present; F ₈: Password is changed without any help from the server; F ₉: Ephemeral secrets leakage attack is avoided; F ₁₀: User anonymity and unlinkability are present; F ₁₁: Password guessing attack from lost smart card is avoided; F ₁₂: Replay attack is avoided; F ₁₃: Forward secrecy of the session key is present; F ₁₄: modification/forgery attack is avoided.

8 Conclusions

The privacy and confidentiality of patient information and the untraceability and anonymity of patient have considered important factors from the security research communities for any user authentication system used in different healthcare applications. In keeping with these requirements, Wen proposed an enhanced user authentication scheme against Lee et al.’s authentication scheme for the EPR information system. However, this paper analyzed Wen’s scheme and demonstrated that it has many security and design problems and thus, it may not be considered appropriate for the secure and efficient healthcare applications. We have then taken into consideration the intractability assumption of the quadratic residue problem in the multiplicative group and proposed another two-factor user authentication scheme with more security and functionality aspects than existing schemes.

Data Availability

All data are avaliable in the paper.

Funding Statement

The first author is supported by the Outstanding Potential for Excellence in Research and Academics (OPERA) award, Birla Institute of Technology and Science (BITS) Pilani, Pilani Campus, Rajasthan, India. The authors also extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this Prolific Research Group (PRG-1436-16). The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.