Liu Wenhao, Xie Qi, Wang Shengbao, Hu Bin
Hangzhou Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, Hangzhou, 311121 China.
Springerplus. 2016 May 3;5:555. doi: 10.1186/s40064-016-2018-7. eCollection 2016.
In telecare medicine information systems (TMIS), identity authentication of patients plays an important role and has been widely studied in the research field. Generally, it is realized by an authenticated key agreement protocol, and many such protocols were proposed in the literature. Recently, Zhang et al. pointed out that Islam et al.'s protocol suffers from the following security weaknesses: (1) Any legal but malicious patient can reveal other user's identity; (2) An attacker can launch off-line password guessing attack and the impersonation attack if the patient's identity is compromised. Zhang et al. also proposed an improved authenticated key agreement scheme with privacy protection for TMIS. However, in this paper, we point out that Zhang et al.'s scheme cannot resist off-line password guessing attack, and it fails to provide the revocation of lost/stolen smartcard. In order to overcome these weaknesses, we propose an improved protocol, the security and authentication of which can be proven using applied pi calculus based formal verification tool ProVerif.
在远程医疗信息系统(TMIS)中,患者身份认证起着重要作用,并且在研究领域已经得到广泛研究。一般来说,它是通过认证密钥协商协议来实现的,文献中提出了许多这样的协议。最近,Zhang等人指出Islam等人的协议存在以下安全弱点:(1)任何合法但恶意的患者都可以泄露其他用户的身份;(2)如果患者的身份被泄露,攻击者可以发起离线密码猜测攻击和身份冒充攻击。Zhang等人还提出了一种改进的具有隐私保护的TMIS认证密钥协商方案。然而,在本文中,我们指出Zhang等人的方案无法抵抗离线密码猜测攻击,并且它未能提供对丢失/被盗智能卡的撤销功能。为了克服这些弱点,我们提出了一种改进的协议,其安全性和认证性可以使用基于应用pi演算的形式化验证工具ProVerif来证明。
