Chi-Yao Weng

A Secure Chaotic Maps and Smart Cards Based Password Authentication and Key Agreement Scheme with User Anonymity for Telecare Medicine Information Systems

Telecare medicine information system (TMIS) is widely used for providing a convenient and efficient communicating platform between patients at home and physicians at medical centers or home health care (HHC) organizations. To ensure patient privacy, in 2013, Hao et al. proposed a chaotic map based authentication scheme with user anonymity for TMIS. Later, Lee showed that Hao et al.’s scheme is in no provision for providing fairness in session key establishment and gave an efficient user authentication and key agreement scheme using smart cards, in which only few hashing and Chebyshev chaotic map operations are required. In addition, Jiang et al. discussed that Hao et al.’s scheme can not resist stolen smart card attack and they further presented an improved scheme which attempts to repair the security pitfalls found in Hao et al.’s scheme. In this paper, we found that both Lee’s and Jiang et al.’s authentication schemes have a serious security problem in that a registered user’s secret parameters may be intentionally exposed to many non-registered users and this problem causing the service misuse attack. Therefore, we propose a slight modification on Lee’s scheme to prevent the shortcomings. Compared with previous schemes, our improved scheme not only inherits the advantages of Lee’s and Jiang et al.’s authentication schemes for TMIS but also remedies the serious security weakness of not being able to withstand service misuse attack.

A Secure RFID Tag Authentication Protocol with Privacy Preserving in Telecare Medicine Information System

Radio Frequency Identification (RFID) based solutions are widely used for providing many healthcare applications include patient monitoring, object traceability, drug administration system and telecare medicine information system (TMIS) etc. In order to reduce malpractices and ensure patient privacy, in 2015, Srivastava et al. proposed a hash based RFID tag authentication protocol in TMIS. Their protocol uses lightweight hash operation and synchronized secret value shared between back-end server and tag, which is more secure and efficient than other related RFID authentication protocols. Unfortunately, in this paper, we demonstrate that Srivastava et al.’s tag authentication protocol has a serious security problem in that an adversary may use the stolen/lost reader to connect to the medical back-end server that store information associated with tagged objects and this privacy damage causing the adversary could reveal medical data obtained from stolen/lost readers in a malicious way. Therefore, we propose a secure and efficient RFID tag authentication protocol to overcome security flaws and improve the system efficiency. Compared with Srivastava et al.’s protocol, the proposed protocol not only inherits the advantages of Srivastava et al.’s authentication protocol for TMIS but also provides better security with high system efficiency.

A Hash Based Remote User Authentication and Authenticated Key Agreement Scheme for the Integrated EPR Information System

To protect patient privacy and ensure authorized access to remote medical services, many remote user authentication schemes for the integrated electronic patient record (EPR) information system have been proposed in the literature. In a recent paper, Das proposed a hash based remote user authentication scheme using passwords and smart cards for the integrated EPR information system, and claimed that the proposed scheme could resist various passive and active attacks. However, in this paper, we found that Das’s authentication scheme is still vulnerable to modification and user duplication attacks. Thereafter we propose a secure and efficient authentication scheme for the integrated EPR information system based on lightweight hash function and bitwise exclusive-or (XOR) operations. The security proof and performance analysis show our new scheme is well-suited to adoption in remote medical healthcare services.

A Secure Cloud-Assisted Wireless Body Area Network in Mobile Emergency Medical Care System

Recent advances in medical treatment and emergency applications, the need of integrating wireless body area network (WBAN) with cloud computing can be motivated by providing useful and real time information about patients’ health state to the doctors and emergency staffs. WBAN is a set of body sensors carried by the patient to collect and transmit numerous health items to medical clouds via wireless and public communication channels. Therefore, a cloud-assisted WBAN facilitates response in case of emergency which can save patients’ lives. Since the patient’s data is sensitive and private, it is important to provide strong security and protection on the patient’s medical data over public and insecure communication channels. In this paper, we address the challenge of participant authentication in mobile emergency medical care systems for patients supervision and propose a secure cloud-assisted architecture for accessing and monitoring health items collected by WBAN. For ensuring a high level of security and providing a mutual authentication property, chaotic maps based authentication and key agreement mechanisms are designed according to the concept of Diffie-Hellman key exchange, which depends on the CMBDLP and CMBDHP problems. Security and performance analyses show how the proposed system guaranteed the patient privacy and the system confidentiality of sensitive medical data while preserving the low computation property in medical treatment and remote medical monitoring.

A Secure Dynamic Identity and Chaotic Maps Based User Authentication and Key Agreement Scheme for e-Healthcare Systems

Secure user authentication schemes in many e-Healthcare applications try to prevent unauthorized users from intruding the e-Healthcare systems and a remote user and a medical server can establish session keys for securing the subsequent communications. However, many schemes does not mask the users’ identity information while constructing a login session between two or more parties, even though personal privacy of users is a significant topic for e-Healthcare systems. In order to preserve personal privacy of users, dynamic identity based authentication schemes are hiding user’s real identity during the process of network communications and only the medical server knows login user’s identity. In addition, most of the existing dynamic identity based authentication schemes ignore the inputs verification during login condition and this flaw may subject to inefficiency in the case of incorrect inputs in the login phase. Regarding the use of secure authentication mechanisms for e-Healthcare systems, this paper presents a new dynamic identity and chaotic maps based authentication scheme and a secure data protection approach is employed in every session to prevent illegal intrusions. The proposed scheme can not only quickly detect incorrect inputs during the phases of login and password change but also can invalidate the future use of a lost/stolen smart card. Compared the functionality and efficiency with other authentication schemes recently, the proposed scheme satisfies desirable security attributes and maintains acceptable efficiency in terms of the computational overheads for e-Healthcare systems.

A dynamic identity-based user authentication scheme for remote login systems

With the purpose of accessing numerous network resources and services with user anonymity, various dynamic identity ID-based user authentication schemes have been proposed. Recently, Khan et al. have pointed out the security weaknesses of the dynamic ID-based user authentication scheme of Wang et al. and proposed an improved version of dynamic ID-based user authentication scheme for remote login systems. They claimed that their scheme can withstand various security attacks and provide user anonymity. However, we found that the scheme of Khan et al. cannot preserve user anonymity if login message and system parameters are collected by the attacker. To ensure user anonymity, in this paper, we propose a new dynamic ID-based user authentication scheme for remote login environments and the proposed scheme enables the users real identity to mask periodically when the user logs into the remote server. Compared with the related schemes, the proposed scheme satisfies more admired criteria and it is suitable even for applications in low-power computing environments. Finally, we formally prove the security of the proposed scheme by employing the Burrows-Abadi-Needham logic. Copyright

Secure User Authentication and User Anonymity Scheme based on Quadratic Residues for the Integrated EPRIS

Abstract Remote user authentication has been widely used in the integrated electronic patient record information system (EPRIS) to protect the security and integrity of communication sessions between the login user and the medical server. Recently, Wen 17 presented the user authentication and user anonymity scheme based on the quadratic residues and claimed that his scheme is secure. However, we analyzed Wens scheme and identified that Wens scheme is vulnerable to password disclosure attack and does not provide efficiency in password change phase. As a result, in this paper, we propose an enhanced scheme for the integrated EPRIS with the aim to eliminate the weaknesses of Wens scheme. By comparing the performance with other related schemes, our scheme not only resists several hard security attacks but also retains lower computational and communication costs.

Towards secure authenticating of cache in the reader for RFID-based IoT systems

The use of radio frequency identification (RFID) in Internet of things (IoT) has led to a significant progress in numerous intelligent devices. However, due to its restrictions on computation ability, storage space and battery capacity, RFID-based IoT system has to confront with various security and efficiency challenges. Recently, a lightweight RFID mutual authentication protocol with cache in the reader is introduced by Fan et al., named LRMAPC. Fan et al.’s LRMAPC can achieve stronger security and privacy requirements and reduce the computation and storage overheads during authentication process. Unfortunately, we discover that Fan et al.’s LRMAPC is susceptible to reader impersonation attack, tag forgery attack and message eavesdropping attack. Besides, it fails to preserve mutual authentication between the reader and the database. In order to remedy these flaws mentioned above, we further present an advanced authentication mechanisms and demonstrate the correctness of the advanced LRMAPC through the Gong-Needham-Yahalom (GNY) logic analysis. Compared the security and efficiency with Fan et al.’s LRMAPC, the advanced LRMAPC satisfies desirable security requirements and maintains acceptable efficiency in terms of the costs of storage space and computation time. As a result, our advanced LRMAPC is a very promising solution for resource-constrained devices in RFID-based IoT systems.

Cryptanalysis and Improvement of an ECC-Based Password Authentication Scheme Using Smart Cards

Remote password authentication has been widely used in network systems and it aims to provide secure remote access control. In 2013, Li proposed a novel password authentication scheme based on elliptic curve cryptography and smart card [17]. However, we found that Li’s authentication scheme has a serious security problem in that all registered users’ sensitive passwords can be easily derived by the privileged-insider of remote server. Therefore, in this paper, we propose a slight modification on Li’s scheme to prevent the shortcomings. Our improved scheme not only inherits the advantages of Li’s password authentication scheme but also remedies the serious security weakness of not being able to withstand insider attack.

A novel three-party password-based authenticated key exchange protocol with user anonymity based on chaotic maps

Three-party authenticated key exchange (3PAKE) protocol allows two communication users to authenticate each other and to establish a secure common session key with the help of a trusted remote server. Recently, Farash and Attari propose an efficient and secure 3PAKE protocol based on Chebyshev chaotic maps and their protocol is supported by the formal proof in the random oracle model. However, in this paper, we analyze the security of Farash–Attari’s protocol and show that it fails to resist password disclosure attack if the secret information stored in the server side is compromised. In addition, their protocol is insecure against user impersonation attack and the server is not aware of having caused problem. Moreover, the password change phase is insecure to identify the validity of request where insecurity in password change phase can cause offline password guessing attacks and is not easily reparable. To remove these security weaknesses, based on Chebyshev chaotic maps and quadratic residues, we further design an improved protocol for 3PAKE with user anonymity. In comparison with the existing chaotic map-based 3PAKE protocols, our proposed 3PAKE protocol is more secure with acceptable computation complexity and communication overhead.