Department of Computer Science and Software Engineering, International Islamic University, Islamabad, Pakistan.
Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia.
J Med Syst. 2015 Nov;39(11):175. doi: 10.1007/s10916-015-0335-y. Epub 2015 Sep 23.
A telecare medicine information system (TMIS) offers patients convenient and expeditious healthcare services remotely from anywhere. Patient security and privacy have emerged as key issues during remote access because of the underlying open architecture. An authentication scheme can verify the patient's as well as the TMIS server's legitimacy during remote healthcare services. To achieve security and privacy, a number of authentication schemes have been proposed. Very recently, Lu et al. (J. Med. Syst. 39(3):1-8, 2015) proposed a biometric-based three-factor authentication scheme for TMIS to eliminate the vulnerabilities of Arshad et al.'s (J. Med. Syst. 38(12):136, 2014) scheme. Further, they emphasized the robustness of their scheme against several attacks. However, in this paper we establish that Lu et al.'s scheme is vulnerable to numerous attacks, including (1) patient anonymity violation attack, (2) patient impersonation attack, and (3) TMIS server impersonation attack. Furthermore, their scheme does not provide patient untraceability. We then propose an improvement of Lu et al.'s scheme. We have analyzed the security of the improved scheme using the popular automated tool ProVerif. The proposed scheme, while retaining the merits of Lu et al.'s scheme, is also robust against known attacks.