An Authentication Scheme for Secure Access to Healthcare Services

  • Original Paper
  • Journal of Medical Systems

Abstract

The last few decades have witnessed a boom in the development of information and communication technologies, and the health sector has benefited from this advancement. To ensure secure access to healthcare services, some user authentication mechanisms have been proposed. In 2012, Wei et al. proposed a user authentication scheme for telecare medical information systems (TMIS). Recently, Zhu pointed out an offline password guessing attack on Wei et al.’s scheme and proposed an improved scheme. In this article, we analyze both of these schemes for their effectiveness in TMIS. We show that Wei et al.’s scheme and its improvement proposed by Zhu fail to achieve some important characteristics necessary for secure user authentication. We find that the security problems of Wei et al.’s scheme persist in Zhu’s scheme: an undetectable online password guessing attack, inefficacy of the password change phase, traceability of a user’s stolen or lost smart card, and a denial-of-service threat. We also identify that Wei et al.’s scheme lacks forward secrecy and that Zhu’s scheme lacks a session key between the user and the healthcare server. We therefore propose an authentication scheme for TMIS with forward secrecy, which preserves the confidentiality of air messages even if the master secret key of the healthcare server is compromised. Our scheme retains the advantages of Wei et al.’s scheme and Zhu’s scheme, and offers additional security. The security analysis and comparison results show the enhanced suitability of our scheme for TMIS.

References

  1. Elberg, P. B., Electronic patient records and innovation in health care services. Int. J. Med. Inform. 64(2–3):201–205, 2001.

  2. Leiner, F., Gaus, W., Haux, R., and Knaup-Gregori, P., Medical data management-a practical guide. Springer, New York, 2003.

  3. Lovis, C., Baud, R. H., and Scherrer, R. H., Internet integrated in the daily medical practice within an electronic patient record. Comput. Biol. Med. 28(5):567–579, 1998.

  4. Van’t Riet, A., Berg, M., Hiddema, F., and Sol, K., Meeting patients’ needs with patient information systems: Potential benefits of qualitative research methods. Int. J. Med. Inform. 64(1):1–14, 2001.

  5. Lambrinoudakis, C., and Gritzalis, S., Managing medical and insurance information through a smart-card-based information system. J. Med. Syst. 24(4):213–234, 2000.

  6. Wu, Z. Y., Lee, Y. C., Lai, F., Lee, H. C., and Chung, Y., A secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1529–1535, 2012. doi:10.1007/s10916-010-9614-9.

  7. Dunlop, L., Electronic health records: Interoperability challenges and patient’s right for privacy. Shidler J. Comput. Technol. 3:16, 2007.

  8. He, D. B., Chen, J. H., and Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1989–1995, 2012. doi:10.1007/s10916-011-9658-5.

  9. Wei, J., Hu, X., and Liu, W., An improved authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3597–3604, 2012. doi:10.1007/s10916-012-9835-1.

  10. Zhu, Z., An efficient authentication scheme for telecare medicine information systems. J. Med. Syst. 36(6):3833–3838, 2012. doi:10.1007/s10916-012-9856-9.

  11. Witteman, M., Advances in smart card security. Inf. Secur. Bull. 7:11–22, 2002.

  12. Kocher, P., Jaffe, J., and Jun, B., Differential power analysis. Proceedings of Advances in Cryptology, Santa Barbara, CA, U.S.A., 388–397, 1999.

  13. Messerges, T. S., Dabbish, E. A., and Sloan, E. A., Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.

  14. Chen, H. M., Lo, J. W., and Yeh, C. K., An efficient and secure dynamic id-based authentication scheme for telecare medical information systems. J. Med. Syst. 36(6):3907–3915, 2012. doi:10.1007/s10916-012-9862-y.

  15. Khan, M. K., Kim, S. K., and Alghathbar, K., Cryptanalysis and security enhancement of a ‘more efficient & secure dynamic ID-based remote user authentication scheme’. Comput. Commun. 34(3):305–309, 2010.

  16. Kumari, S., Gupta, M. K., and Kumar, M., Cryptanalysis and security enhancement of Chen et al.’s remote user authentication scheme using smart card. Cent. Eur. J. Comput. Sci. 2(1):60–75, 2012.

  17. Pu, Q., Wang, J., and Zhao, R., Strong authentication scheme for telecare medicine information systems. J. Med. Syst. 36(4):2609–2619, 2012. doi:10.1007/s10916-011-9735-9.

  18. Xu, J., Zhu, W. T., and Feng, D. G., An improved smart card based password authentication scheme with provable security. Comput. Stand. Interfaces 31(4):723–728, 2009.

Acknowledgments

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this research through the Research Group Project Number RGP-VPP-288.

Conflict of interest statement

Authors have no conflict of interest.

Corresponding author

Correspondence to Muhammad Khurram Khan.

Cite this article

Khan, M.K., Kumari, S. An Authentication Scheme for Secure Access to Healthcare Services. J Med Syst 37, 9954 (2013). https://doi.org/10.1007/s10916-013-9954-3

  • DOI: https://doi.org/10.1007/s10916-013-9954-3
