A privacy preserving three-factor authentication protocol for e-Health clouds

The Journal of Supercomputing

Abstract

E-Health clouds are gaining increasing popularity by facilitating the storage and sharing of big data in healthcare. However, their adoption also brings a series of challenges, especially how to ensure the security and privacy of highly sensitive health data. One of the major issues is authentication, which ensures that sensitive medical data in the cloud are not available to illegal users. Three-factor authentication combining password, smart card and biometrics perfectly matches this requirement by providing high security strength. Recently, Wu et al. proposed a three-factor authentication protocol based on elliptic curve cryptosystem which attempts to fulfill three-factor security and resist various existing attacks, providing many advantages over existing schemes. However, we first show that their scheme is susceptible to a user impersonation attack in the registration phase. In addition, their scheme is vulnerable to an offline password guessing attack in the login and password change phases, under the condition that the mobile device is lost or stolen. Furthermore, it fails to provide user revocation when the mobile device is lost or stolen. To remedy these flaws, we put forward a robust three-factor authentication protocol, which not only guards against various known attacks, but also provides more desired security properties. We demonstrate that our scheme provides mutual authentication using the Burrows–Abadi–Needham logic.

References

  1. Pawar P, Jones V, Van Beijnum BJF et al (2012) A framework for the comparison of mobile patient monitoring systems. J Biomed Inform 45(3):544–556

  2. Abbas A, Khan SU (2014) A review on the state-of-the-art privacy-preserving approaches in the e-health clouds. IEEE J Biomed Health Inform 18(4):1431–1441

  3. Raghupathi W, Raghupathi V (2014) Big data analytics in healthcare: promise and potential. Health Inf Sci Syst 2(1):3

  4. Sun J, Reddy C (2013) Big data analytics for healthcare. In: Proc. 19th ACM SIGKDD int’l conf. knowledge discovery and data mining

  5. Xia Z, Wang X, Sun X, Wang Q (2015) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Trans Parallel Distrib Syst. doi:10.1109/TPDS.2015.2401003

  6. Fu Z, Sun X, Liu Q, Zhou L, Shu J (2015) Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing. IEICE Trans Commun E98-B(1):190–200

  7. Li H, Yang Y, Luan T, Liang X, Zhou L, Shen X (2015) Enabling fine-grained multi-keyword search supporting classified sub-dictionaries over encrypted cloud data. IEEE Trans Dependable Secur Comput. doi:10.1109/TDSC.2015.2406704

  8. Ren Y, Shen J, Zheng Y, Wang J, Chao H-C (2015) Efficient data integrity auditing for storage security in mobile health cloud. Peer-to-Peer Netw Appl. doi:10.1007/s12083-015-0346-y

  9. Ren Y, Shen J, Wang J, Han J, Lee S (2015) Mutual verifiable provable data auditing in public cloud storage. J Internet Technol 16(2):317–323

  10. He D, Zeadally S, Wu L (2015) Certificateless public auditing scheme for cloud-assisted wireless body area networks. IEEE Syst J. doi:10.1109/JSYST.2015.2428620

  11. Li H, Lin X, Yang H, Liang X, Lu R, Shen X (2014) EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid. IEEE Trans Parallel Distrib Syst 25(8):2053–2064

  12. Jiang Q, Ma J, Li G et al (2013) An enhanced authentication scheme with privacy preservation for roaming service in global mobility networks. Wirel Pers Commun 68(4):1477–1491

  13. Guo P, Wang J, Li B, Lee S (2014) A variable threshold-value authentication architecture for wireless mesh networks. J Internet Technol 15(6):929–936

  14. Zhao D, Peng H, Li L, Yang Y (2014) A secure and effective anonymous authentication scheme for roaming service in global mobility networks. Wirel Pers Commun 78(1):247–269

  15. O’Gorman L (2003) Comparing passwords, tokens, and biometrics for user authentication. Proc IEEE 91(12):2021–2040

  16. Lamport L (1981) Password authentication with insecure communication. Commun ACM 24(11):770–772

  17. Farash MS, Attari MA (2014) An efficient client-client password-based authentication scheme with provable security. J Supercomput 70(2):1002–1022

  18. Jiang Q, Ma J, Li G et al (2013) An improved password-based remote user authentication protocol without smart cards. Inf Technol Control 42(2):113–123

  19. Chen TY, Lee CC, Hwang MS, Jan JK (2013) Towards secure and efficient user authentication scheme using smart card for multi-server environments. J Supercomput 66(2):1008–1032

  20. Arshad H, Nikooghadam M (2015) Security analysis and improvement of two authentication and key agreement schemes for session initiation protocol. J Supercomput. doi:10.1007/s11227-015-1434-8

  21. Wang D, He D, Wang P, Chu C-H (2015) Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans Dependable Secur Comput 12(4):428–442. doi:10.1109/TDSC.2014.2355850

  22. Wang D, Wang N, Wang P, Qing S (2015) Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity. Inf Sci. doi:10.1016/j.ins.2015.03.070

  23. Lee JK, Ryu SR, Yoo KY (2002) Fingerprint-based remote user authentication scheme using smart cards. Electron Lett 38(12):554–555

  24. Lin CH, Lai YY (2004) A flexible biometrics remote user authentication scheme. Comput Stand Interfaces 27(1):19–23

  25. Ku WC, Chang ST, Chiang MH (2005) Further cryptanalysis of fingerprint-based remote user authentication scheme using smartcards. Electron Lett 41(5):240–241

  26. Khan MK, Zhang JS (2007) Improving the security of ‘a flexible biometrics remote user authentication scheme’. Comput Stand Interfaces 29(1):82–85

  27. Rhee HS, Kwon JO, Lee DH (2009) A remote user authentication scheme without using smart cards. Comput Stand Interfaces 31(1):6–13

  28. Kim HS, Lee SW, Yoo KY (2003) ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Oper Syst Rev 37(4):32–41

  29. Scott M (2004) Cryptanalysis of an ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Oper Syst Rev 38(2):73–75

  30. Li CT, Hwang MS (2010) An efficient biometrics-based remote user authentication scheme using smart cards. J Netw Comput Appl 33(1):1–5

  31. Li X, Niu JW, Ma J, Wang WD, Liu CL (2011) Cryptanalysis and improvement of a biometric-based remote authentication scheme using smart cards. J Netw Comput Appl 34(1):73–79

  32. Das AK (2012) Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf Secur 5(3):145–151

  33. An Y (2012) Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards. J Biomed Biotechnol. doi:10.1155/2012/519723

  34. Chen C, Lee C, Hsu C (2012) Mobile device integration of a fingerprint biometric remote authentication scheme. Int J Commun Syst 25(2):585–97

  35. Khan MK, Kumari S, Gupta MK (2014) More efficient key-hash based fingerprint remote authentication scheme using mobile device. Computing 96(9):793–816

  36. Tan Z (2014) A user anonymity preserving three-factor authentication scheme for telecare medicine information systems. J Med Syst 38(3):1–9

  37. Yoon EJ, Yoo KY (2013) Robust biometrics-based multi-server authentication with key agreement scheme for smart cards on elliptic curve cryptosystem. J Supercomput 63(1):235–255

  38. Fan CI, Lin YH (2009) Provably secure remote truly three factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945

  39. Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Proceedings of EUROCRYPT, pp 523–540

  40. Huang X, Xiang Y, Chonka A, Zhou J, Deng RH (2011) A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Trans Parallel Distrib Syst 22(8):1390–1397

  41. Li X, Niu J, Wang Z, Chen C (2013) Applying biometrics to design three-factor remote user authentication scheme with key agreement. Secur Commun Netw 7(10):1488–1497

  42. Li X, Niu JW, Khan MK, Liao JG, Zhao XK (2014) Robust three-factor remote user authentication scheme with key agreement for multimedia systems. Secur Commun Netw. doi:10.1002/sec.961

  43. Mishra D, Kumari S, Khan MK et al (2015) An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems. Int J Commun Syst. doi:10.1002/dac.2946

  44. He D, Kumar N, Lee J-H (2014) Enhanced three-factor security protocol for USB consumer storage devices. IEEE Trans Consum Electron 60(1):30–37

  45. He D, Wang D (2015) Robust biometrics-based authentication scheme for multi-server environment. IEEE Syst J 9(3):816–823

  46. Odelu V, Das AK, Goswami A (2015) A secure biometrics-based multi-server authentication protocol using smart cards. IEEE Trans Inf Forensics Secur 10(9):1953–1966

  47. Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client–server networks. Comput Electr Eng. doi:10.1016/j.compeleceng.2015.02.015

  48. Yu J, Wang G, Mu Y, Gao W (2014) An efficient and improved generic framework for three-factor authentication with provably secure instantiation. IEEE Trans Inf Forensics Secur 9(12):2302–2313

  49. Juels A, Sudan M (2002) A fuzzy vault scheme. In: Proceedings of international symposium on information theory (ISIT), p 408

  50. Nagar A, Nandakumar K, Jain AK (2008) Securing fingerprint template: fuzzy vault with minutiae descriptors. In: Proceedings of 19th international conference on pattern recognition, pp 1–4

  51. Mishra D, Mukhopadhyay S, Kumari S, Khan MK, Chaturvedi A (2014) Security enhancement of a biometric based authentication scheme for telecare medicine information systems with nonce. J Med Syst 38(5):1–11

  52. Jin ATB, Ling DNC, Goh A (2004) Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognit 37(11):2245–2255

  53. Hankerson D, Menezes A, Vanstone S (2004) Guide to elliptic curve cryptography. In: Lecture notes in computer science. Springer, Berlin

  54. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Proceedings of advances in cryptology (Crypto’99). LNCS, pp 388–397

  55. Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552

  56. Jiang Q, Ma J, Li G, Yang L (2014) An efficient ticket based authentication protocol with unlinkability for wireless access networks. Wirel Pers Commun 77(2):1489–1506

  57. Jiang Q, Ma J, Lu X, Tian Y (2015) An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-to-Peer Netw Appl 8(6):1070–1081

  58. Mishra D (2015) On the security flaws in id-based password authentication schemes for telecare medical information systems. J Med Syst 39(1):1–16

  59. Mishra D (2015) Understanding security failures of two authentication and key agreement schemes for telecare medicine information systems. J Med Syst 39(3):1–8

  60. Burrows M, Abadi M, Needham R (1990) A logic of authentication. ACM Trans Comput Syst 8(1):18–36

Acknowledgments

This work is supported by National Natural Science Foundation of China (Program Nos. 61202389, U1405255, U1135002, 61572379, 61372075, 61472310), National High Technology Research and Development Program (863 Program) (Program No. 2015AA011704), Fundamental Research Funds for the Central Universities (Program No. JB140302), Natural Science Foundation of Hubei Province of China under Grant 2015CFB257, the PAPD fund, and Collaborative Innovation Center of Atmospheric Environment and Equipment Technology (CICAEET). Sincere appreciations are also extended to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16).

Author information

Corresponding author

Correspondence to Qi Jiang.

Cite this article

Jiang, Q., Khan, M.K., Lu, X. et al. A privacy preserving three-factor authentication protocol for e-Health clouds. J Supercomput 72, 3826–3849 (2016). https://doi.org/10.1007/s11227-015-1610-x

  • DOI: https://doi.org/10.1007/s11227-015-1610-x
