Privacy-Preserving and Efficient Truly Three-Factor Authentication Scheme for Telecare Medical Information Systems.

Significant development of information technologies has made Telecare Medical Information Systems (TMISs) increasingly popular. In a TMIS, patients upload their medical data through smart devices to obtain a doctor's diagnosis. However, these smart devices have limited computing and storage capacities, so it is difficult to store substantial patient information and to support time-consuming operations. Moreover, although many three-factor authentication protocols have been proposed for TMISs, the problems of privacy leaks and other security flaws are serious. In addition, authentication factors are verified at the user side in most protocols, giving users a high level of trust and resulting in a potential lack of security. In this paper, we propose a novel efficient truly three-factor authentication protocol for TMISs. In our proposed protocol, three factors (i.e., password, smart card and biometrics) are verified at the server side, which reduces the storage and computational burden of the user side. Additionally, our proposed protocol uses only lightweight operators and is thus efficient. A formal proof analysis demonstrates that our proposed protocol is provably secure in the random oracle model. The performance evaluation shows that the proposed protocol is very efficient and suitable for TMISs.