
An Efficient Lightweight Authentication and Key Agreement Protocol for Patient Privacy

2021-12-15 07:08:42
Computers, Materials & Continua, 2021, Issue 12

Seyed Amin Hosseini Seno, Mahdi Nikooghadam and Rahmat Budiarto

1 Department of Computer Engineering, Ferdowsi University of Mashhad, Mashhad, 9177948974, Iran

2 Department of Informatics, Faculty of Science and Technology, Universitas Alazhar Indonesia, Jakarta, 12110, Indonesia

Abstract: A tele-medical information system provides an efficient and convenient way to connect patients at home with medical personnel in clinical centers. In this system, service providers consider user authentication a critical requirement, and various authentication and key agreement protocols have been employed to meet it. The main problem with existing two-way authentication protocols between patients and medical servers is that they were not built on a thorough and comprehensive analysis, so their designs still have flaws. This paper carefully analyzes all aspects of the security requirements, including perfect forward secrecy, in order to develop an efficient and robust lightweight authentication and key agreement protocol. The security of the proposed protocol undergoes an informal analysis, whose findings show that it provides a range of security features, including perfect forward secrecy and resistance to DoS attacks. Furthermore, it is simulated and formally analyzed using the Scyther tool. Simulation results indicate the protocol's robustness, both in perfect forward secrecy and against various attacks. In addition, the proposed protocol was compared with other related protocols in terms of time complexity and communication cost. The time complexity of the proposed protocol involves only the time of performing a hash function Th, i.e., O(12Th). The average time required for executing the authentication is 0.006 seconds and the number of bits exchanged is 704; both values are the lowest among the compared protocols. The results of the comparison point to a superior performance by the proposed protocol.

Keywords: Authentication; key agreement protocol; tele-medical; Scyther; perfect forward secrecy

1 Introduction

With the rapid development and advancement of information technology, new Internet-based services have emerged, such as online banking, online medicine, and online training. Since all of these services utilize the potentially insecure environment of the Internet, the disclosure of important and sensitive information is a major concern for users.

Medical online service is one of the most sensitive Internet-based services, in which patient medical records are stored in databases and transmitted over the Internet. These records contain confidential information on patient illness and treatment. To take advantage of telemedicine, patients must register with a medical provider. After the initial registration process, whenever telemedicine services are accessed, the user and the server must authenticate to each other. If each party confirms the other party's identity, the two can reach a key agreement and exchange their messages through the shared key.

When Internet-based communications are not secure, it is very possible that an unauthorized party discloses patient information, violating the patient's privacy. To address this issue, many research works have focused on the security and authentication of telecommunications protocols [1–6]. Nevertheless, the proposed protocols still lack the perfect forward secrecy feature. This research work attempts to address the issue and come up with a robust and efficient lightweight authentication and key agreement protocol for patient privacy in network communications by considering perfect forward secrecy. A robust protocol should be developed based on a comprehensive analysis and evaluation of the security requirements. Thus, this work begins by investigating the existing relevant protocols to reveal their flaws and strengths, and then designs the protocol in such a way as to avoid the flaws.

The article is organized as follows. Section 2 reviews previous studies and Section 3 analyzes the Mehmood et al. [7] protocol. Section 4 proposes a secure and efficient protocol for authentication and key exchange which is resistant to various attacks. Section 5 deals with the security analysis of the introduced protocol, while Section 6 presents formal analysis using the Scyther tool [8]. Then, Section 7 compares the proposed protocol with similar ones in terms of time complexity. Finally, Section 8 provides the conclusion and discusses future work.

2 Related Works

In 2012, Wu et al. [9] introduced a "password and smart card" authentication protocol. However, in the same year, Debiao et al. [10] revealed that the Wu et al. protocol was not resistant to "insider and impersonation" attacks and so they introduced an improved protocol. Tan et al. [11] proposed a biometric-based authentication protocol for the Telecare medical information system (TMIS), claiming it was resistant to all attacks and could meet various security needs. Finding that the Tan et al. [11] protocol was not immune to DoS and replay attacks, Arshad and Arshad et al. [12] introduced a new three-factor biometric-based protocol. In 2015, Giri et al. [13] demonstrated that the Khan et al. [14] protocol was not resistant to the stolen-verifier attack and the off-line password guessing attack and then developed an RSA encryption-based validation protocol to ward off these attacks. When studying the Giri et al. [13] protocol in 2015, Amin et al. [15] discovered that it was vulnerable to insider and password guessing attacks and, thus, could not meet the security requirement of anonymity. In the same year, Arshad et al. [16] demonstrated that the Muhaya protocol [17] was not resistant to the stolen-verifier attack and the off-line password guessing attack and was unable to meet the "perfect forward secrecy" security requirement, so Arshad et al. proposed an Elliptic-curve cryptography (ECC)-based authentication scheme for TMIS, in which the user is anonymous.

Chaudhry et al. [18] evaluated the Amin and Biswas protocol [19] and reported its lack of resistance to stolen smart card attacks and an ineffective password change phase. They further improved the protocol.

Jiang et al. [19] examined the three-factor authentication protocol proposed by Lu et al. [20] and declared it to be vulnerable to password guessing and user and server impersonation attacks. After making enhancements to the three-factor protocol, they provided a more viable solution to the security issues of the Lu et al. [20] scheme. Zhang et al. [21] presented a three-factor scheme for medical service authentication, which Aghili et al. [22] later showed to be at risk of DoS and insider attacks.

At the same time, Ostadsharif et al. [23] reviewed the protocols presented in [13,15] and found they were not resistant to key compromise impersonation attacks. In addressing this, they introduced a new protocol for authentication and key agreement between patients and medical practitioners. Later, Kumari et al. [24] reported that the protocol of Ostadsharif et al. [25] still failed to resist key compromise impersonation attacks. Furthermore, Khatoon et al. [26] presented a physician and medical practitioner authentication protocol, which Amintoosi et al. [4] reviewed the same year, concluding that it did not provide perfect forward secrecy and was open to known-session-specific temporary information attacks.

Ravanbakhsh et al. [2] then came up with an interesting scheme for authentication and key agreement in telemedicine which, although it had several advantages, could not provide "perfect forward secrecy" and is not resistant to the "known session-specific temporary information attack". Sowjanya et al. [27] examined the scheme proposed by Li et al. [28] and concluded that the scheme [28] has shortcomings such as not meeting the security requirement of perfect forward secrecy. Also, He et al. [29] state that the scheme in their other article [30] is unable to meet the "perfect forward secrecy" security requirement. Lastly, He et al. introduced a protocol for remote patient and physician authentication and claimed that it was resistant to all attacks and met various security requirements. The present study, nevertheless, proves that this protocol does not satisfy the security demands of perfect forward secrecy. Tab. 1 summarizes existing protocols and their issues in chronological order.

Table 1: Existing protocols and issues in chronological order

3 Analyzing the Weaknesses of Mehmood et al.'s Protocol

This section briefly reviews the protocol by Mehmood et al. [7] and analyzes the weaknesses of its security. Authentication and key agreement protocols usually include three phases: registration, authentication, and password change. According to Fig. 1, in the registration phase, the communication channel between the two entities is assumed to be secure; the parties communicate through a secure channel or in person. During the login and authentication process (Fig. 2), the channel is considered insecure and the attacker can listen to it. Tab. 2 provides the symbols employed in Mehmood et al.'s protocol.

Figure 1: Registration phase of the Mehmood et al. [7] protocol

Figure 2: Authentication phase of the Mehmood et al. [7] protocol

Table 2: Symbols used in the Mehmood et al. [7] protocol

Mehmood et al. [7] presented a protocol for two-way authentication of patients and medical servers, declaring that it was resistant to most attacks and fulfilled various security needs. This section, however, proves that this protocol does not provide perfect forward secrecy and is vulnerable to DoS attacks.

3.1 Perfect Forward Secrecy

The security property of perfect forward secrecy requires that an attacker should not be able to access the session key even if long term parameters, such as the server's secret key, are compromised. However, if such a breach occurs in Mehmood et al.'s protocol, the attacker can in fact obtain the session key. To explain the matter, suppose that the attacker has the secret key of the server. Because parameter NIDi is exchanged on the public (insecure) channel, the attacker can decode this parameter and obtain idui and rs. Since the attacker is assumed to already hold the server's secret key and now also possesses idui, it can calculate Xi from Xi = h(idui||xs). Moreover, because Gi is present on the public channel and ru1 = Gi ⊕ h(idui||Xi), and the attacker acquired Xi and idui in the previous steps, the attacker can now obtain ru1.

Furthermore, since rs1 = m2 ⊕ h(idui||Xi), where m2 is on the public channel, and the attacker obtained idui and Xi in the previous steps, the attacker is able to acquire rs1. As a result, the attacker can procure the session key from SK = h(Xi||idui||rs1||ru1).

3.2 DoS Attack

When the user sends the first message to the server, the initial action taken before authentication is decryption, which is a demanding operation. By repeatedly sending this message, the attacker keeps the server extremely busy with decryption and unable to respond to legitimate requests.

4 A Secure and Efficient Protocol for Authentication and Key Exchange

In order to address the drawbacks of the Mehmood et al. [7] protocol, this work introduces a secure and efficient ECC-based protocol for authentication and key exchange. This scheme features registration, authentication, key agreement, and password update stages, for which a detailed description will be provided. Tab. 3 presents the symbols utilized in the proposed protocol.

Table 3: Symbols used in the proposed protocol

4.1 Registration Phase

As seen in Fig. 3, during the registration process, the patient selects his/her own ID (IDi) and a password (pwi). Then, after selecting a random number ai, the proposed protocol computes Ai as Ai = h(IDi||pwi||ai) and finally sends Ai and IDi to the server via a secure channel. Upon receiving the message from the patient, the server obtains the parameters Bi, HIDi, Di, Qi, and Gi from the relationships described below. In the registration process for each patient, the Qi and di parameters are ultimately saved in the server's memory. Additionally, the Di, Bi, Gi, bi and di parameters are stored in the patient's smart card, which is sent to the patient. The patient then adds ai and Wi = Gi ⊕ Ai to the smart card, and the registration process finishes.

Compute HIDi = h(bi||IDi)

Compute Bi = h(Ai||HIDi)

Select random number di

Compute Di = h(Bi||IDi||Ai)

Compute Qi = h(HIDi||s)

Compute Gi = Bi ⊕ Qi

Figure 3: Registration phase of the proposed protocol

4.2 Login and Authentication Phase

In this phase, the patient and server authenticate each other, after which the patient can log into the server. As presented in Fig. 4, during the login and authentication stage of the proposed protocol, the patient inserts his/her smart card into the card reader and enters the correct ID and password. Initially, through the following relationships, the smart card is verified as belonging to the patient in question and, therefore, not stolen.

Figure 4: Login and authentication phase of the proposed protocol

At this point, the timestamp (Tu) is selected and parameter Mi is obtained from the relation Mi = h(Qi||Gi||HIDi||Bi||Tu). Finally, the parameters Mi, Tu, Bi and HIDi are sent to the server.

As soon as it receives the patient's message, the server checks its freshness. Possessing its own secret key, the server obtains parameter Qi from the relation Qi = h(HIDi||s). Then, from the following relationships, the server determines whether the received message is fake or not; in other words, the authenticity of the patient's message is verified.

Compute Qi = h(HIDi||s)

Compute Gi = Bi ⊕ Qi

Compute  = h(Qi||Gi||HIDi||Bi||Tu)

Check Mi = 

Now, the server selects the timestamp (Ts) and obtains the session key from the relation SKi = h(Qi||di||Gi). The parameter Auths is also acquired from the following relation. Finally, the server sends Auths and Ts to the patient.

Auths = h(SKi||Gi||Qi||Ts)

As soon as it receives the server's message, the patient checks its freshness. After creating the session key from the following relationship, the patient authenticates the received message to verify its authenticity and the server's identity. In this manner, the login and authentication phase of the proposed protocol finishes.

Compute SKi = h(Qi||di||Gi)

Compute Auths = h(SKi||Gi||Qi||Ts)

Check Auths =? Authu
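To make the two phases concrete, the following Python simulation of the registration and login/authentication exchanges of the proposed protocol is an added example, not code from the paper's authors. It assumes SHA-256 as h(.), a 60-second freshness window, and that the smart-card check before login is Di = h(Bi||IDi||Ai), which the paper leaves unstated; sample identities and passwords are constructed.

```python
import hashlib, os

WINDOW = 60  # seconds of clock skew tolerated for Tu/Ts (assumed; the paper fixes no value)

def h(*parts: bytes) -> bytes:
    """The paper's one-way hash h(.), instantiated here as SHA-256 over the '||' concatenation."""
    return hashlib.sha256(b"||".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fresh(stamp: bytes, now: int) -> bool:
    return abs(now - int(stamp)) <= WINDOW

class Server:
    def __init__(self):
        self.s = os.urandom(32)  # long-term secret key s
        self.db = {}             # HIDi -> (Qi, di), what the paper says the server keeps per patient

    def register(self, IDi: bytes, Ai: bytes) -> dict:  # secure channel; Ai = h(IDi||pwi||ai)
        bi, di = os.urandom(16), os.urandom(16)
        HIDi = h(bi, IDi)
        Bi = h(Ai, HIDi)
        Di = h(Bi, IDi, Ai)
        Qi = h(HIDi, self.s)
        Gi = xor(Bi, Qi)
        self.db[HIDi] = (Qi, di)
        return {"Di": Di, "Bi": Bi, "Gi": Gi, "bi": bi, "di": di}  # smart-card contents

    def authenticate(self, msg: dict, now: int):  # verify message 1; return (SKi, message 2) or None
        Mi, Tu, Bi, HIDi = msg["Mi"], msg["Tu"], msg["Bi"], msg["HIDi"]
        if not fresh(Tu, now) or HIDi not in self.db:
            return None
        Qi = h(HIDi, self.s)  # only a hash is spent before the check: nothing costly to exhaust
        Gi = xor(Bi, Qi)
        if h(Qi, Gi, HIDi, Bi, Tu) != Mi:
            return None       # forged or altered message
        Ts = str(now).encode()
        SKi = h(Qi, self.db[HIDi][1], Gi)
        return SKi, {"Auths": h(SKi, Gi, Qi, Ts), "Ts": Ts}

class Patient:
    def __init__(self, IDi: bytes, pwi: bytes):
        self.IDi, self.pwi, self.ai = IDi, pwi, os.urandom(16)
        self.card = self.pending = None

    def registration_request(self):
        return self.IDi, h(self.IDi, self.pwi, self.ai)  # (IDi, Ai); the password never leaves

    def store_card(self, card: dict):
        card["ai"] = self.ai
        card["Wi"] = xor(card["Gi"], h(self.IDi, self.pwi, self.ai))  # Wi = Gi xor Ai
        self.card = card

    def login(self, IDi: bytes, pwi: bytes, now: int):
        """Build message 1; the card check Di = h(Bi||IDi||Ai) is assumed from the registration rules."""
        c = self.card
        Ai = h(IDi, pwi, c["ai"])
        if h(c["Bi"], IDi, Ai) != c["Di"]:
            return None
        HIDi = h(c["bi"], IDi)
        Bi = h(Ai, HIDi)
        Qi = xor(c["Gi"], Bi)  # Gi = Bi xor Qi, so the card recovers Qi without knowing s
        Tu = str(now).encode()
        self.pending = Qi
        return {"Mi": h(Qi, c["Gi"], HIDi, Bi, Tu), "Tu": Tu, "Bi": Bi, "HIDi": HIDi}

    def finish(self, reply: dict, now: int):  # check message 2, derive SKi = h(Qi||di||Gi)
        Qi, c = self.pending, self.card
        if not fresh(reply["Ts"], now):
            return None
        SKi = h(Qi, c["di"], c["Gi"])
        return SKi if h(SKi, c["Gi"], Qi, reply["Ts"]) == reply["Auths"] else None

def run_session(now: int = 1_700_000_000):  # register, then log in once
    server, patient = Server(), Patient(b"patient-001", b"pw-constructed")
    patient.store_card(server.register(*patient.registration_request()))
    msg1 = patient.login(b"patient-001", b"pw-constructed", now)
    sk_server, msg2 = server.authenticate(msg1, now)
    return patient.finish(msg2, now), sk_server, server, msg1
```

Both sides end with the same 32-byte SKi; a captured message 1 replayed outside the freshness window, a wrong password, or a tampered Bi each makes the corresponding step return None.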

4.3 Change Password Phase

In this phase, the patient can securely change his/her password. To do so, the patient first enters the password ( ) as well as the ID ( ). Then, the following relationships are computed to determine whether the smart card belongs to the patient in question.

At this point, the patient enters the new password ( ). The following relationships are computed and then the parameter  replaces parameter Di in the smart card.

5 Security Analysis of the Proposed Protocol

The security parameters of the proposed protocol are discussed in the following sections.

5.1 Perfect Forward Secrecy

According to Nikooghadam et al. [31], the security property of perfect forward secrecy requires that an attacker cannot obtain the session key even if the secret key of one of the parties is disclosed or if long term parameters are exposed. In the proposed protocol, the session key is SKi = h(Qi||di||Gi), such that the attacker cannot access parameter di even when it is able to acquire the secret key of the server. Since di is a random parameter, the attacker cannot obtain it.

5.2 Anonymity

For anonymity, it is presumed that the attacker cannot learn the identity of the parties even if it intercepts all messages transmitted on the public channel. In the proposed protocol, even if the attacker hears all messages transmitted on the public channel, it will not be able to obtain the parties' IDs.

5.3 Replay Attack

In the replay attack, the attacker is assumed to intercept an old message from the public channel and send it to the parties after a period of time. In the proposed protocol, such an attack does not succeed due to the use of timestamps and random parameters.

5.4 DoS Attack

A DoS attack occurs when a substantial operation, such as scalar multiplication, is performed by one of the two entities.The proposed protocol would not experience such an attack as no considerable jobs are undertaken, such as decoding or scalar multiplication.

5.5 User Impersonation Attack

Due to the two-way authentication between the patient and server, impersonation is not possible. One can consider the scenario in which the attacker sends fake parameters, i.e., Mi, Tu, Bi, and HIDi, instead of the genuine ones. Since the attacker does not have the server's secret key, it is not able to obtain the Qi parameter, nor is it feasible to continue.

5.6 Server Impersonation Attack

Since the session key is included within the Auths parameter and Auths is used for authentication, the attacker cannot obtain the session key and, therefore, cannot impersonate the server. Furthermore, according to the output of the Scyther tool, there is also no possibility of impersonation attacks occurring.

5.7 Insider Attack

In the insider attack, it is assumed that the attacker is on the server side and intends to acquire the user password. For this reason, in the registration stage, the proposed protocol does not send the patient's password directly to the server; instead, the password is sent to the service provider in the form of Ai = h(IDi||pwi||ai). As a result, such an attack is not possible.

5.8 Password Guessing Attack

The password guessing attack assumes that the attacker tries to guess the user password after intercepting all the messages transmitted on the public channel. Because the user password is exchanged only in the form Ai = h(IDi||pwi||ai), it cannot be guessed.

5.9 Known-Session-Specific Temporary Information Attack

In this attack, it is presumed that the attacker cannot obtain or construct the session key even if it acquires the random parameters. In the proposed protocol, the session key also contains long term parameters, such as Qi. Therefore, if the attacker acquires the random parameters, the long term parameters prevent this attack.

5.10 Stolen-Verifier Attack

The stolen-verifier attack assumes that it is not possible for the attacker to access the session key if it has acquired the parameters within the server memory or the smart card.In the proposed protocol, since the server’s memory is tamper-proof, such parameters cannot be stolen.In addition, since there are no important parameters inside the smart card, the attacker cannot obtain the session key by stealing it.

6 Formal Security Analysis with Scyther

Scyther [8] is a powerful and effective tool for analyzing and identifying potential attacks and security protocol vulnerabilities. This formal tool automatically analyzes a protocol and scrutinizes its behavior when faced with most possible attacks. The implementation code for the Scyther tool is shown in Fig. 5.

Figure 5: Implementation code of Scyther

Fig. 6 provides the output of the Scyther review of the proposed protocol, i.e.:

Figure 6: Evaluation of the proposed protocol by the Scyther tool [8]

— The Niagree feature ensures the parties in communication are confident that messages are securely transmitted and in correct order between them.

— The Nisynch feature makes sure that messages exchanged between parties cannot be decrypted and resent.

— The Alive feature guarantees that the protocol steps are approved by the parties in communication.

— The Weakagree feature sees to it that the protocol does not impersonate.

— The secret property also ensures that the relevant parameter remains safe.

As shown in Fig.6, the proposed authentication protocol provides all of the above features.

According to the material presented and evaluated using the Scyther tool, Tab. 4 compares the security of the proposed protocol with that of other similar protocols. Based on the information in this table, the proposed protocol is resistant to various attacks and meets various security requirements.

Table 4: Security comparison

7 Analysis and Validation Using BAN Logic

In this section, we analyze and validate our proposed design using BAN logic. The logical assumptions and rules of the Burrows–Abadi–Needham (BAN) logic, as well as the security objectives and ideal forms, are defined in (1) to (6). The symbols used are shown in Tab. 5.

Some assumptions are shown in Tab. 6.

Table 5: Symbols of BAN logic

Table 6: Assumptions

Goals are as follows:

Idealized forms are as follows:

Message 1: Ui → S: ((Gi, HIDi, Bi, Tu)Qi, ⟨Gi⟩Qi, Tu, (IDi)bi).

Message 2: S →

Based on the assumptions and logical rules of BAN logic, we analyze the ideal form of the proposed protocol as follows. From Message 1, we can obtain the following:

R1: S ◁ ((Gi, HIDi, Bi, Tu)Qi, ⟨Gi⟩Qi, Tu, (IDi)bi).

Based on assumption A2, and after applying the H rule to R1, R2 can be deduced as:

R2: S |≡ Ui |∼ (Gi, HIDi, Bi, Tu).

Based on assumption A7, and after applying the nonce verification rule H to R2, R3 can be deduced as:

R3: S |≡ Ui |∼ (Gi, HIDi, Bi).

Based on Message 2, R4 can be deduced as:

R4: Ui ◁ (Ts, (Ui, Gi, Ts)Qi).

Based on assumption A4, and after applying the H rule to R4, R5 can be deduced as:

R5: Ui |≡ S |∼ (Ui, Gi, Ts).

After applying the nonce verification rule to R5, R6 can be deduced as:

R6: Ui |≡ S |≡ (Gi).

Based on assumptions A1, A3, A6, and the session key sk = h(Qi||di||Gi), R7 can be deduced as:

R7: Ui |≡ S |≡ (Ui ↔sk S).

Based on assumption A5, and after applying the jurisdiction rule to R7, R8 can be deduced (which is Goal 1) as:

R8: Ui |≡ (Ui ↔sk S).

Based on R3, assumptions A2, A4 and the session key sk = h(Qi||di||Gi), R9 can be deduced as:

R9: S |≡ Ui |≡ (Ui ↔sk S).

Based on assumption A6, and after applying the jurisdiction rule to R9, R10 can be deduced (which is Goal 2) as:

R10: S |≡ (Ui ↔sk S).

8 Analysis and Comparison of the Proposed Protocol’s Time Complexity with Other Similar Protocols

Based on the research work by He et al. [30], the computation time of a fuzzy extraction operation, the time of performing a hash function, the time of performing symmetric encryption/decryption, the time of performing an ECC point multiplication, the time of performing an ECC point addition, and the time of a modular exponentiation are 0.063075, 0.0005, 0.0087, 0.063075, 0.000262, and 0.522 s, respectively; the symbol for each is listed in Tab. 7. Furthermore, for the communication cost, we have considered the size of an identifier or timestamp to be 32 bits, a nonce to be 64 bits, an EC point to be 320 bits, and a hash output to be 256 bits.

Table 7: Symbols used to calculate time complexity and approximate time

As exhibited in Tabs. 8 and 9, the proposed protocol performs better than, or close to, similar protocols from the past. The importance of this result is apparent when the proposed protocol is able to meet the security requirements with less complexity than most similar protocols.

Table 8: Time complexity of the proposed protocol and other similar protocols

Table 9: The number of messages exchanged on the channel at the authentication stage

9 Conclusion

Having revealed flaws in the perfect forward secrecy and DoS resistance of the authentication and key agreement scheme proposed by Mehmood et al., this work has proposed a secure and ultra-lightweight protocol for medical services communication. The proposed protocol was analyzed in terms of security, and its performance during the authentication stage was measured. Formal analysis using the Scyther tool proves its robustness against various attacks and demonstrates its ability to provide various security features. During the authentication stage, measurement results showed that the proposed protocol outperforms other existing protocols and achieves a satisfactory computational time and a smaller number of bits in the exchanged messages. Telemedicine provides easy and secure access to patient information by physicians and access to the large number of specialist physicians needed by patients, even patients in remote and underprivileged areas, while saving time and money.

As future work, the proposed protocol can be implemented in hardware using ARM and FPGA programming languages and the Cortex-M3 microcontroller board, and the results can be reviewed.

Funding Statement: The authors received no specific funding for this study.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
