Xie Qi, Liu Wenhao, Wang Shengbao, Han Lidong, Hu Bin, Wu Ting
Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, Hangzhou, 311121, China,
J Med Syst. 2014 Sep;38(9):91. doi: 10.1007/s10916-014-0091-4. Epub 2014 Jul 4.
Patient's privacy-preserving, security and mutual authentication between patient and the medical server are the important mechanism in connected health care applications, such as telecare medical information systems and personally controlled health records systems. In 2013, Wen showed that Das et al.'s scheme is vulnerable to the replay attack, user impersonation attacks and off-line guessing attacks, and then proposed an improved scheme using biometrics, password and smart card to overcome these weaknesses. However, we show that Wen's scheme is still vulnerable to off-line password guessing attacks, does not provide user's anonymity and perfect forward secrecy. Further, we propose an improved scheme to fix these weaknesses, and use the applied pi calculus based formal verification tool ProVerif to prove the security and authentication.
患者隐私保护、患者与医疗服务器之间的安全性和相互认证是远程医疗保健应用(如远程护理医疗信息系统和个人控制的健康记录系统)中的重要机制。2013年,Wen指出Das等人的方案容易受到重放攻击、用户假冒攻击和离线猜测攻击,随后提出了一种使用生物特征识别、密码和智能卡的改进方案来克服这些弱点。然而,我们表明Wen的方案仍然容易受到离线密码猜测攻击,不提供用户匿名性和完美前向保密性。此外,我们提出了一种改进方案来修复这些弱点,并使用基于应用pi演算的形式化验证工具ProVerif来证明安全性和认证性。
