Cryptanalysis of a Secure ECC-Based Mutual Authentication Protocol for Cloud-Assisted TMIS
Diksha 1*, Meenakshi 2
1*,2 Srinivasa Ramanujan Department of Mathematics, Central University of Himachal Pradesh, Dharamshala, 176215, Himachal Pradesh, India.
*Corresponding author e-mail: dikshachouhan1035@gmail.com
ABSTRACT:
A Telecare Medical Information System (TMIS) makes it simpler for patients to receive healthcare services and opens up options for seeking medical attention and for storing medical records under access control. With a Wireless Medical Sensor Network and a cloud-based architecture, a TMIS lets patients collect their physical health information from medical sensors and upload it to the cloud through their mobile devices. All of this communication travels over the internet, and very sensitive data passes between patients and doctors through the cloud server, so security and privacy are the central requirements of a cloud-assisted TMIS. Recently, Kumar et al. designed an ECC-based mutual authentication protocol for cloud-assisted TMIS [2]. In this paper we revisit that scheme and show that it has significant pitfalls: a privileged insider of the cloud server can mount a health report revelation attack, which in turn breaks report confidentiality. We present the cryptanalysis of the scheme of Kumar et al.
KEYWORDS: TMIS, Cloud Computing, Digital signature, Cryptanalysis, ECC.
1. INTRODUCTION:
With advances in technology, patients can receive care from medical professionals over the internet. Remote locations are hard to reach and lack facilities, which makes modern healthcare services such as expert advice, proper diagnosis and clinical tests difficult to obtain there. Because the return on investment is poor, few are willing to invest in these areas, and doctors are reluctant to serve in regions that are still developing. Patients therefore have to travel long distances and spend a great deal of money to get treatment; some leave their hopes to fate or live with the treatment available from local health workers. A Telecare Medical Information System (TMIS) addresses this by letting patients and doctors communicate with each other and by providing medical assistance in the patient's home. Cloud computing is currently receiving close attention, and it shows significant potential for delivering medical services online in a TMIS because of its attractive properties, including on-demand self-service, greater resilience and resource sharing.
A TMIS can gain various financial and functional advantages from a cloud-based architecture, including flexible medical data storage, lower costs, better accessibility and a higher standard of care. It also faces many problems, among them reliability, privacy and security: the patient's data is transmitted between the entities over an insecure public channel, so data security, confidentiality and authenticity are major priorities in a cloud-based TMIS.
The consolidation of IT services and clients under one management domain, together with the general lack of transparency into provider methods and procedures, increases the risk that a malicious insider poses to consumers of cloud services. A provider may keep secret how it supervises personnel, how it grants them access to physical and digital resources, and how it analyses and reports on quality management. To complicate matters further, hiring standards and procedures for cloud staff are frequently hidden or not disclosed at all. Such circumstances present an attractive opportunity for an adversary, whether engaged in a nation-state-sponsored attack, organised crime, hobbyist hacking or industrial crime. Given the level of access involved, such an adversary may be able to gather sensitive information or take total control of the cloud services with little or no chance of being detected [3].
A secure cloud-assisted TMIS requires the following properties:
a) Message authentication: A user of the system must be able to confirm that a message received over an insecure channel really originated from the claimed legitimate party and was not altered or injected by an unauthorised third party.
b) Patient anonymity: No message on the public channel should reveal the true identity of the patient, and no one should be able to derive or guess it.
c) Patient unlinkability: No outsider should be able to link messages to the same patient or infer the relationship between a patient and a doctor.
d) Report confidentiality: The patient's sensitive data should be accessible only to the appointed doctor.
e) Non-repudiation: The patient, hospital and doctor cannot later deny the validity of the digital signature they placed on a document or of the message they sent.
2. RELATED WORKS:
In 2012, Patra et al. proposed a cloud-based model for a rural healthcare information system [4]. Chen et al. put forward a cloud-based scheme for exchanging medical data that uses pairing-based asymmetric cryptography to encrypt the information [5]; design flaws in this scheme were later reported [6]. In 2015, Amin et al. proposed an enhanced patient-server mutual authentication protocol for TMIS built on biometric remote user authentication [7]. Wu et al. also proposed a mutual authentication scheme for this healthcare application [8]. In 2014, Wen et al. introduced an anonymous authentication scheme for TMIS [9], and Xu et al. provided a secure and efficient ECC-based two-factor mutual authentication and key agreement scheme for TMIS [10]. He et al. built a robust anonymous authentication protocol for healthcare applications using WMSNs [11], and Jangirala et al. later proposed a symmetric-key-based mutual authentication framework for wireless medical sensor networks [12]. Chen et al. also put forward a cloud-based privacy authentication scheme for the medical environment [13]. Chiou et al. noted in 2016 that this framework does not provide message authentication, patient anonymity and other properties, and offered an improved scheme [14]. Mohit et al. then reviewed [14], found further pitfalls, and offered a standard cloud-based mutual authentication protocol for healthcare systems [15]. Kumar et al. introduced an efficient cloud-assisted mutual authentication framework for healthcare systems [16], and Li et al. proposed a cloud-assisted mutual authentication and privacy preservation protocol for the TMIS environment [1]. In 2018, Kumar et al. reviewed Li et al.'s scheme and presented an ECC-based mutual authentication framework for cloud-assisted TMIS [2]. In this paper we review that protocol and establish design flaws: a health report revelation attack by a privileged insider of the cloud, which breaks report confidentiality.
The remainder of the paper is organised as follows. Section 3 reviews the scheme of [2], Section 4 describes the attacks on it, and Section 5 concludes the paper.
3. REVIEW OF KUMAR ET AL.'S SCHEME [2]
Kumar et al. offer a mutual authentication and privacy preservation framework for cloud-assisted TMIS. Five entities take part: the patient P, the healthcare centre H, the cloud server C, the doctor D and the body sensor embedded in P, which only feeds readings to P's mobile device. The scheme has four phases: the healthcare centre upload phase, the patient data upload phase, the treatment phase and the checkup phase.
1. In the Healthcare Centre Upload Phase (HUP), H uploads P's inspection report to C.
2. In the Patient Data Upload Phase (PUP), P uploads his/her current health report, taken from the embedded body sensor, to C.
3. In the Treatment Phase (TP), D retrieves P's reports from C, diagnoses them and uploads the treatment report for P to C.
4. In the Checkup Phase (CP), P obtains the treatment report prescribed by D from C.
Notations:
IDx          | Unique identity of entity x
NID          | Dynamic pseudo-random number (pseudonym) assigned to P by H
snx          | Serial number of the xth participant
PRx          | Private key of x
PKx          | Public key of x
A            | Adversary
mH           | Inspection report of P generated by H
mB           | Health report of P from the body sensor
mD           | Medical (treatment) report of P generated by D
Si(M)        | Signature on M using key i
Vi(M)        | Verification of signature M using key i
Sigx         | Signature of entity x
h(.)         | Hash function
Ek(.), Dk(.) | Symmetric encryption and decryption under key k
SKxy         | Session key between x and y
Kx           | Computing key of entity x
G            | Elliptic curve group (additive)
g            | Base point of G
Zp*          | Multiplicative group of integers modulo a large prime p
HUP:
P registers with H, which assigns P a pseudonym NID and delivers it securely to P's mobile device. In this phase H uploads P's inspection report mH = (IDP, dataP) to C after mutual authentication between H and C, as follows:
1.) H sends a message consisting of IDH, a random number a (from Zp*) and a timestamp TH1 to C through a secure channel.
2.) On receiving this message, C checks the freshness of TH1 with TC1 - TH1 ≤ ∆T. C then generates a random number b (є Zp*) and computes S1 = h(IDH||a||b||TH1) and K1 = h(IDH||a||TH1); K1 is used to encrypt (b, S1, TC2) as E1 = EK1(b, S1, TC2). C sends (E1, TC2) to H via the public channel.
3.) On receiving this message, H first verifies TH2 - TC2 ≤ ∆T (otherwise the session is terminated), derives K1' = h(IDH||a||TH1) and decrypts E1 to obtain (b, S1, TC2). H then computes S1' = h(IDH||a||b||TH1) and verifies S1' =? S1. If it holds, H computes the session key SKHC = h(IDH||S1'||abg||TC1) and the key K2 = h(IDP||IDH||NID), encrypts the report as CH = EK2(mH), makes the digital signature SigH = SPRH(h(mH)), computes S2 = h(SKHC||CH||SigH||TH3) and encrypts E2 = ESKHC(IDP, S2, CH, NID, SigH, TH3). H sends (E2, TH3) to C via the public channel.
4.) After receiving the message from H, C verifies TC3 - TH3 ≤ ∆T, computes the session key SKCH = h(IDH||S1||abg||TC1) and decrypts E2 with it. C then computes S2' = h(SKCH||CH||SigH||TH3) and checks whether S2' = S2. If not, the session stops; otherwise C stores NID, IDP, SigH and CH.
PUP:
The sensor embedded in the patient's body collects the health information mB = (IDP, dataB) and sends it securely to the patient's mobile phone. On P's request (made with IDP and NID), C returns the serial number snx and the stored inspection report to P, and P uploads mB as follows.
1.) P, holding the health report mB from the embedded body sensor, sends (IDP, NID, TP1) to C through the secure channel.
2.) On receiving this message, C verifies TC4 - TP1 ≤ ∆T, computes I = snx ⊕ h(NID||IDP) and generates a random number c (є Zp*). C then computes S3 = h(NID||IDP||CH||SigH||c||TC5), encrypts (SigH, CH, S3, IDH, c, TC5) under snx to obtain E3, and sends (E3, I, TC5) to P via the public channel.
3.) On receiving (E3, I, TC5), P verifies TP2 - TC5 ≤ ∆T, recovers Y = I ⊕ h(NID||IDP) (= snx) and uses it to decrypt E3. P then computes S3' = h(NID||IDP||CH||SigH||c||TC5) and verifies S3' =? S3; the session ends if it does not hold. Otherwise P generates a random number d (є Zp*) and computes the session key SKPC = h(IDP||IDH||CH||S3'||cdg||TC5). P then computes K3 = h(IDP||IDH||NID), decrypts mH* = DK3(CH), checks mH* = mH, and verifies VPKH(SigH) =? h(mH). After these checks P computes K4 = h(IDP||IDD||Y), encrypts CP = EK4(mH, mB), makes the digital signature SigP = SPRP(h(mB)), computes S4 = h(SKPC||CP||SigP||S3'||cdg||TP3) and encrypts E4 = EY(d, S4, SigP, CP, TP3) under Y. Finally P sends (E4, TP3) to C through the public channel.
4.) On receiving this message, C checks TC6 - TP3 ≤ ∆T. If it holds, C decrypts E4 with snx, computes SKCP = h(IDP||IDH||CH||S3||cdg||TC5) and S4' = h(SKCP||CP||SigP||S3||cdg||TP3), and checks whether S4' = S4. If not, C ends the session; otherwise C authenticates P and saves CP, IDP and SigP in its database.
TP:
In this phase D and C authenticate each other, D retrieves the patient's reports from C for diagnosis, and D then uploads the treatment report mD = (IDP, dataD) for that patient to C.
1.) D sends (IDD, r, TD1) to C through a secure channel, where r is a freshly generated random number.
2.) On receiving this message, C first verifies TC7 - TD1 ≤ ∆T, computes J = snx ⊕ h(IDD||r), generates a random number s, computes S5 = h(IDP||IDD||SigH||SigP||CP||TC8), encrypts (SigP, SigH, IDP, NID, CP, s, S5, TC8) under snx to obtain E5, and sends (E5, J, TC8) to D through the insecure channel.
3.) D verifies TD2 - TC8 ≤ ∆T, recovers Z = J ⊕ h(IDD||r) (= snx), decrypts E5 with it and obtains (NID, IDP, SigP, SigH, s, S5, CP, TC8). D computes S5' = h(IDP||IDD||SigH||SigP||CP||TC8) and checks S5' =? S5; if it holds, D has authenticated C. D then computes K5 = h(IDP||IDH||NID), decrypts CP with it to obtain P's reports mH and mB, and verifies VPKH(SigH) =? h(mH) and VPKP(SigP) =? h(mB). If both hold, D diagnoses the reports, produces the treatment report mD and encrypts CD = EK5(mH, mB, mD) under K5. D makes the digital signature SigD = SPRD(h(mD)), computes S6 = h(IDP||IDD||CD||SigD||SigP||TD3) and the session key SKDC = h(S6||IDP||IDD||SigD||SigP||rsg||TD3), encrypts E6 = EZ(SigD, CD, S6, TD3) and sends (E6, TD3) to C through the public channel.
4.) On receiving this message, C verifies TC9 - TD3 ≤ ∆T and decrypts E6 with snx. C computes S6' = h(IDP||IDD||CD||SigD||SigP||TD3) and verifies S6' =? S6; only after this check succeeds does C authenticate D and compute SKCD = h(S6'||IDP||IDD||SigD||SigP||rsg||TD3). Finally C stores CD and SigD in its database.
CP:
After the treatment phase, P collects the encrypted treatment report mD = (IDP, dataD) from C after mutual authentication between them.
1.) P sends (IDP, NID, x, snx, TP4) to C through the secure channel, where x is a random number taken from Zp*.
2.) On receiving this message, C verifies TC10 - TP4 ≤ ∆T and generates a random number y. C computes S7 = h(SKCP||IDP||IDD||CD||xyg||SigP||TC11) and encrypts E7 = ESKCP(IDD, SigD, CD, S7, y, TC11) under the session key. C sends (E7, TC11) to P through the public channel.
3.) P verifies TP5 - TC11 ≤ ∆T and decrypts E7 with the session key. P computes S7' = h(SKPC||IDP||IDD||CD||xyg||SigP||TC11) and verifies S7' =? S7; only after this check succeeds does P authenticate C. P then decrypts CD using K4 = h(IDP||IDD||Y), obtains all of his/her reports mH, mB and mD, and verifies D's signature with D's public key as VPKD(SigD) =? h(mD). If it holds, P re-encrypts the reports under the same key K4 as CE = EK4(mH, mB, mD), computes S8 = h(SKPC||S7'||CE||SigP||SigD||xyg||TP6), encrypts E8 = ESKPC(CE, S8, TP6) and sends (E8, TP6) to C over the public channel.
4.) After receiving the message, C verifies TC12 - TP6 ≤ ∆T and decrypts E8 with the session key SKCP. C computes S8' = h(SKCP||S7||CE||SigP||SigD||xyg||TP6) and checks S8 =? S8'; only after this check succeeds does C authenticate P and store CE in its database.
4. THE CRYPTANALYSIS OF KUMAR ET AL.'S SCHEME:
4.1 Health report revelation attack:
The attacker throughout is A, a privileged insider of the cloud server C: someone with read access to C's database and to the values C itself computes during the protocol. A does not need to break the ECC session keys or the signatures; every key that protects a report is a hash of values that C stores.
4.1.1. Medical report revelation attack in HUP:
When HUP starts, H sends its identity IDH, a random number a from Zp* and the timestamp TH1 to the cloud server C through the trusted channel; H is simply disclosing its own identity to C. In the third step, H sends E2 together with TH3 to C via the insecure channel, where E2 is encrypted under the session key SKHC as E2 = ESKHC(IDP, NID, S2, CH, SigH, TH3), with SKHC = h(IDH||S1'||abg||TC1), K2 = h(IDP||IDH||NID) and CH = EK2(mH).
When C receives this, it checks the timestamp, computes SKHC = h(IDH||S1'||abg||TC1) and decrypts E2 with this session key, thereby obtaining IDP, NID, CH, S2, SigH and TH3, and stores NID, IDP, SigH and CH.
The privileged insider A of C therefore holds IDP, NID and IDH, and can compute K2 = h(IDP||IDH||NID), the very key used to encrypt mH. Thus A can decrypt mH = DK2(CH), which contains the patient's inspection report together with IDP.
4.1.2. Medical report revelation attack in PUP:
After the third step of PUP, P sends E4 together with TP3 to C via the insecure channel, where E4 is encrypted under Y (= snx) as E4 = EY(d, S4, SigP, CP, TP3), and CP = EK4(mH, mB) is encrypted by P under K4 = h(IDP||IDD||Y). In TP, D decrypts (mH, mB) = DK5(CP) with K5 = h(IDP||IDH||NID), and this key K5 is the same as K2.
As shown in 4.1.1, A already has K2 and can decrypt CP with it; and since C also holds IDP, IDD and snx (= Y), A can equally compute K4 = h(IDP||IDD||Y). Either way, the inspection report mH and the sensor-generated health report mB are revealed to A in PUP.
4.1.3. Medical report revelation attack in TP:
Similarly, after the third step of TP, D sends E6 = EZ(SigD, CD, S6, TD3), with Z = snx, together with TD3 to C via the public channel, where CD = EK5(mH, mB, mD) is encrypted under K5 = h(IDP||IDH||NID); P later decrypts CD in CP with K4 = h(IDP||IDD||Y).
IDP and IDD are already present in C's database, and Y (= snx) is issued by C itself. The privileged insider of C therefore has all of these values and can compute K4 as well as K5 (= K2) in TP.
Consequently, all of the patient's reports mH, mB and mD are revealed to A.
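The following Python model is added here as an illustration; it is not part of Kumar et al.'s scheme nor of this paper's original text. It runs the HUP exchange between H and C (both sides' messages, freshness checks and the S1/S2 verifications) and then performs the insider computation of 4.1.1 to 4.1.3 using only what C stores. The hash, the symmetric cipher E/D, the curve point abg and the timestamp encoding are stand-ins chosen for the model (the scheme fixes none of them concretely); the identities, snx and reports are constructed sample values; and SigH is an opaque placeholder because the attack never touches the signatures.

```python
import hashlib
import os
import time

# --- Primitives. The scheme names none of these concretely; these are stand-ins. ---

def h(*parts: bytes) -> bytes:
    """h(.) modelled as SHA-256 over the '||' concatenation of its arguments."""
    return hashlib.sha256(b"||".join(parts)).digest()

def pack(*fields: bytes) -> bytes:
    """Length-prefix a tuple so the decrypting side can split it again."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def unpack(buf: bytes) -> list:
    out, i = [], 0
    while i < len(buf):
        n = int.from_bytes(buf[i:i + 2], "big")
        out.append(buf[i + 2:i + 2 + n])
        i += 2 + n
    return out

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def E(key: bytes, pt: bytes) -> bytes:
    """E_k(.): hash-keystream stand-in for the unspecified symmetric cipher.
    The attack does not care which cipher is used, only how its key is derived."""
    nonce = os.urandom(16)
    return nonce + bytes(x ^ y for x, y in zip(pt, _keystream(key, nonce, len(pt))))

def D(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    return bytes(x ^ y for x, y in zip(body, _keystream(key, nonce, len(body))))

def point(x: bytes, y: bytes) -> bytes:
    """Placeholder for the shared curve point x*y*g (abg, cdg, ...). It only has
    to agree on both sides; it plays no role in the attack."""
    return h(b"point", min(x, y), max(x, y))

def now() -> bytes:
    return int(time.time() * 1000).to_bytes(8, "big")

def fresh(t_recv: bytes, t_sent: bytes, dT_ms: int = 5000) -> bool:
    return abs(int.from_bytes(t_recv, "big") - int.from_bytes(t_sent, "big")) <= dT_ms

# --- Healthcare Centre Upload Phase, steps 1-4, run in one process. ---

def hup(IDH: bytes, IDP: bytes, NID: bytes, mH: bytes, SigH: bytes) -> dict:
    """Returns the record C stores at the end of HUP (plus IDH, which C learnt in step 1)."""
    # 1. H -> C (secure channel): IDH, a, TH1
    a, TH1 = os.urandom(16), now()
    # 2. C: freshness, random b, S1 and K1, E1 = E_K1(b, S1, TC2)
    TC1 = now(); assert fresh(TC1, TH1)
    b = os.urandom(16)
    S1, K1 = h(IDH, a, b, TH1), h(IDH, a, TH1)
    TC2 = now()
    E1 = E(K1, pack(b, S1, TC2))
    # 3. H: recover b, check S1, derive SK_HC, encrypt the report under K2
    TH2 = now(); assert fresh(TH2, TC2)
    b_, S1_, _ = unpack(D(h(IDH, a, TH1), E1))
    assert S1_ == h(IDH, a, b_, TH1)
    SK_HC = h(IDH, S1_, point(a, b_), TH1)  # text writes TC1, which H never sees; TH1 assumed
    K2 = h(IDP, IDH, NID)
    CH = E(K2, mH)
    TH3 = now()
    S2 = h(SK_HC, CH, SigH, TH3)
    E2 = E(SK_HC, pack(IDP, S2, CH, NID, SigH, TH3))
    # 4. C: derive SK_CH independently, decrypt E2, check S2, store the record
    TC3 = now(); assert fresh(TC3, TH3)
    SK_CH = h(IDH, S1, point(a, b), TH1)
    IDP_, S2_, CH_, NID_, SigH_, TH3_ = unpack(D(SK_CH, E2))
    assert S2_ == h(SK_CH, CH_, SigH_, TH3_)
    return {"IDH": IDH, "NID": NID_, "IDP": IDP_, "SigH": SigH_, "CH": CH_}

# --- Section 4.1: the privileged insider of C. ---

def insider(db: dict, IDD: bytes, snx: bytes, CP: bytes, CD: bytes) -> dict:
    """Everything that keys CH, CP and CD sits in C's own database, so an insider
    rederives K2 (= K3 = K5) and K4 and reads every report without any session key."""
    K2 = h(db["IDP"], db["IDH"], db["NID"])   # 4.1.1
    K4 = h(db["IDP"], IDD, snx)               # Y = snx, known to C
    mH = D(K2, db["CH"])                      # 4.1.1: CH = E_K2(mH)
    _, mB = unpack(D(K4, CP))                 # 4.1.2: CP = E_K4(mH, mB)
    _, _, mD = unpack(D(K2, CD))              # 4.1.3: CD = E_K5(mH, mB, mD), K5 = K2
    return {"mH": mH, "mB": mB, "mD": mD}

def demo() -> dict:
    # Constructed sample values; SigH is an opaque placeholder (assumption).
    IDH, IDP, IDD = b"hosp-01", b"pat-42", b"doc-07"
    NID, snx = os.urandom(8), os.urandom(8)
    mH, mB, mD = b"IDP,bp=140/90", b"IDP,hr=88", b"IDP,rx=amlodipine"
    db = hup(IDH, IDP, NID, mH, b"<opaque ECC signature>")
    CP = E(h(IDP, IDD, snx), pack(mH, mB))        # what P stores in PUP
    CD = E(h(IDP, IDH, NID), pack(mH, mB, mD))    # what D stores in TP
    return insider(db, IDD, snx, CP, CD)

if __name__ == "__main__":
    print(demo())
```

Note that insider() never touches SK_HC, abg or any signature: the mutual authentication between H and C is carried out faithfully and still leaves the reports readable by C, because K2, K3, K5 and K4 are derived from IDP, IDH, IDD, NID and snx alone.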
4.2. Report Confidentiality:
Report confidentiality requires that the medical reports of P be accessible only to the appointed doctor. Since the privileged insider A of C recovers mH, mB and mD as shown in 4.1, this condition is violated.
5. CONCLUSION:
Revisiting Kumar et al.'s mutual authentication scheme, we conclude that it is not capable of securely transmitting medical reports between patients and doctors. The report keys K2 (= K3 = K5) and K4 are hashes of identifiers and of the serial number snx that the cloud server C itself stores, so a privileged insider of C can read every report; the patient's privacy is violated and the confidentiality of the reports is lost. The scheme therefore does not fulfil all the objectives of a secure cloud-assisted Telecare Medical Information System.
6. REFERENCES:
1. C.-T. Li, D.-H. Shih, C.-C. Wang, Cloud-assisted mutual authentication and privacy preservation protocol for telecare medical information systems, Computer Methods and Programs in Biomedicine 157 (2018) 191–203.
2. V. Kumar, M. Ahmad, A. Kumari, A secure elliptic curve cryptography based mutual authentication protocol for cloud-assisted TMIS, Telematics and Informatics (2018).
3. Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013, CSA, 2013.
4. M. R. Patra, R. K. Das, R. P. Padhy, CRHIS: Cloud based rural healthcare information system, in: Proceedings of the 6th International Conference on Theory and Practice of Electronic Governance, ACM, Albany, New York, USA, 2012, pp. 402–405.
5. C.-L. Chen, T.-T. Yang, T.-F. Shih, A secure medical data exchange protocol based on cloud environment, Journal of Medical Systems 38 (9) (2014) 112.
6. C.-T. Li, C.-C. Lee, C.-C. Wang, T.-H. Yang, S.-J. Chen, Design flaws in a secure medical data exchange protocol based on cloud environments, in: International Conference on Algorithms and Architectures for Parallel Processing, Springer, 2015, pp. 435–444.
7. R. Amin, S. H. Islam, G. Biswas, M. K. Khan, M. S. Obaidat, Design and analysis of an enhanced patient-server mutual authentication protocol for telecare medical information system, Journal of Medical Systems 39 (11) (2015) 137.
8. F. Wu, L. Xu, Security analysis and improvement of a privacy authentication scheme for telecare medical information systems, Journal of Medical Systems 37 (4) (2013) 1–9, doi:10.1007/s10916-013-9958-z.
9. F. Wen, D. Guo, An improved anonymous authentication scheme for telecare medical information systems, Journal of Medical Systems 38 (5) (2014) 26, doi:10.1007/s10916-014-0026-0.
10. X. Xu, P. Zhu, Q. Wen, Z. Jin, H. Zhang, L. He, A secure and efficient authentication and key agreement scheme based on ECC for telecare medicine information systems, Journal of Medical Systems 38 (1) (2013) 9994, doi:10.1007/s10916-013-9994-8.
11. D. He, N. Kumar, J. Chen, C.-C. Lee, N. Chilamkurti, S.-S. Yeo, Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks, Multimedia Systems 21 (1) (2015) 49–60.
12. J. Srinivas, D. Mishra, S. Mukhopadhyay, A mutual authentication framework for wireless medical sensor networks, Journal of Medical Systems 41 (5) (2017) 80.
13. C.-L. Chen, T.-T. Yang, M.-L. Chiang, T.-F. Shih, A privacy authentication scheme based on cloud for medical environment, Journal of Medical Systems 38 (11) (2014) 143.
14. S.-Y. Chiou, Z. Ying, J. Liu, Improvement of a privacy authentication scheme based on cloud for medical environment, Journal of Medical Systems 40 (4) (2016) 101.
15. P. Mohit, R. Amin, A. Karati, G. Biswas, M. K. Khan, A standard mutual authentication protocol for cloud computing based health care system, Journal of Medical Systems 41 (4) (2017) 50.
16. V. Kumar, S. Jangirala, M. Ahmad, An efficient mutual authentication framework for healthcare system in cloud computing, Journal of Medical Systems 42 (8) (2018) 142.