#### Abstract

Compared with traditional paper medical records, electronic medical records have many advantages such as easy transmission, high efficiency, better accuracy, and easier storage. The further development and penetration of electronic medical records will raise increasingly critical transmitted-data accuracy and security issues. Previous studies have proposed a verifier-based three-party authentication scheme and to provide high efficiency and security, with low computation and transmission costs. However, this protocol fails to achieve anonymity, is vulnerable to tracking attacks, and is inefficient. In this paper, we propose a new authentication scheme which provides patient anonymity and resistance to tracking attacks, while reducing computation and communication costs. The proposed system is easier to implement and is more suitable for use in remote electronic medical record exchange systems.

#### 1. Introduction

Aging societies experience increasing rates of chronic disease (e.g., heart disease, diabetes, cardiovascular diseases, and mental health issues) which must be frequently observed and monitored. Patients with such illnesses require periodic hospital- or clinic-based checkups, which can be inconvenient and stressful for elderly people. The digitization of medical measurement equipment (e.g., blood pressure monitors, blood glucose meters) allows for diagnostic information to be stored electronically and transmitted to remote locations for analysis and monitoring, enabling patients to avoid hospital visits while enabling their health care to closely monitor their status. Such electronic medical records (EMR) [1–3] has many advantages over conventional paper medical records, such as easy transmission, high efficiency, better accuracy, and ease of storage. However, their increased convenience raises significant security issues such as patient privacy and data integrity.

Telecare medicine information systems (TMIS) [4–6] involve the transmission of remote digital medical information or health reports through the combination of computers, communication systems to provide patients, and medical institutions with a secure data transmission platform and allow them to obtain medical record or health reports securely and conveniently. However, there are many security issues such as patient privacy and data integrity. Many identification and authentication protocols have been proposed to protect patient privacy and information. TMIS with three-party authentication is a secure data transmission platform that allows an authentication server and two participants (a medical institution or doctor and a patient) to generate a session key and a secure channel to verify their identities and then exchange data securely.

Lin and Lee [7] proposed a verifier-based three-party authentication scheme to provide high efficiency and security, along with low computation and transmission costs. However, this protocol fails to achieve anonymity and is vulnerable to tracking attacks. In addition, when authenticating a participant, it takes considerable time for the server to locate the verifiers, making the system difficult to implement. We thus propose a new authentication scheme which provides anonymity and resistance to tracking attacks, while reducing computation and communication costs. The proposed system is easier to implement and is more suitable for use in remote electronic medical record exchange systems.

The remainder of this paper is organized as follows. Section 2 reviews and analyzes verifier-based three-party authentication schemes without server public key including Lee et al.’s [8], Wang-Mo’s [9], Kwon et al.’s [10], and Lin-Lee’s [7] schemes. Section 3 introduces notations and security requirements for our scheme. Section 4 presents our proposed protocol, and the security analysis is given in Section 5. Section 6 provides a comparison of the proposed protocol and other related works. Finally, an implementation is described in Section 7 and a conclusion is drawn in Section 8.

#### 2. Related Works

This section reviews four verifier-based three-party authentication schemes without server public key including Lee et al.’s [8], Wang-Mo’s [9], Kwon et al.’s [10], and Lin-Lee’s [7] schemes and analyzes the weaknesses of their schemes.

##### 2.1. Review of Lee et al.’s Scheme

Lee et al. [8] proposed a verifier-based authentication scheme without server’s public key based on the Diffie-Hellman key exchange. Their scheme enables each client to only remember a memorable password. The normal procedure of their scheme is shown in Figure 1.

###### 2.1.1. Initialization Phase

A client and a trusted authentication server share a verifier for a password , and a client and share a verifiers for a password , where and .

###### 2.1.2. Verification Phase

This phase allows and to share a secret key confidentially via . The details of the execution steps are described as follows (Figure 1).(1): chooses a random number , computes , and sends to .(2) and : chooses a random number , computes , and sends and to and , respectively.(3) and : after receiving and , chooses two random numbers , computes , , , and , and sends and to and , respectively.(4) and : computes and , sends to , where . computes and , and sends to , where .(5) and : verifies whether and are valid. If they do, computes and and sends and to and , respectively.(6) verifies and verifies .

Finally, possesses a session key and possesses a session key .

###### 2.1.3. Weaknesses of Lee et al.’s Scheme

Wang and Mo [9] showed that the Lee et al.’s scheme [8] is not resistant to an impersonation attack if an attacker once has stolen ’s verifier .

##### 2.2. Review of Wang-Mo’s Scheme

In order to withstand an impersonation attack of the Lee et al.’s scheme [8] under verifier-stolen situation, Wang and Mo [9] modified as and as , respectively. Therefore, if both verifiers and are stole, an impersonation attack does not work without and .

However, Lin and Lee [7] showed that the Wang and Mo’s scheme [9] do not realize key confirmation. If the transmitted EMRs or EHRs are encrypted by using an unconfirmed key, their integrity and confidentiality are unsure.

##### 2.3. Review of Kwon et al.’s Scheme

This section reviews Kwon et al.’s scheme [10]. The normal procedure of their scheme is shown in Figure 2.

###### 2.3.1. Initialization Phase

and share a verifier and for a password , and and share a verifiers and for a password , where and .

###### 2.3.2. Verification Phase

This phase allows and to share a secret key confidentially via . The details of the execution steps are described as follows (Figure 2):(1): broadcasts .(2), and : chooses a random number , computes , and sends to . chooses a random number , computes , and sends to .(3) and : chooses random numbers , computes , , and , and sends and to and , respectively. Moreover, computes and .(4) and : after receiving , computes , , and and sends to . After receiving , computes , , and and sends to .(5) and : verifies whether and are correct. If so, chooses a random number , computes , , , and , and sends and to and , respectively.(6) verifies and verifies .

Finally, possesses a session key and possesses a session key .

###### 2.3.3. Weaknesses of Kwon et al.’s Scheme

Lin and Lee [7] showed that the Kwon et al.’s scheme [10] do not realize key confirmation. If the transmitted EMRs or EHRs are encrypted by using an unconfirmed key, their integrity and confidentiality are unsure.

##### 2.4. Review of Lin-Lee’s Scheme

This section reviews Lin-Lee’s scheme [7] (including the initialization and verification phases). The normal procedure of their scheme is shown in Figures 3 and 4.

and represent two medical institutions, and stands for a trusted authentication server.

###### 2.4.1. Initialization Phase

As shown in steps in Figure 3, and send their verifiers to via a secure and verified channel to register their verifiers. The details of the steps are as follows: sends verifier to , and sends verifier to , where and .

###### 2.4.2. Verification Phase

Assume and need to exchange EMR or EHR confidentially via authentication server . As shown in steps , , and in Figure 3, and process a mutual authentication with and each other, perform a key agreement to obtain a session key, and exchange encrypted EMR or EHR encrypted by the session key. The details of the execution steps are described as follows:(1): chooses a random number , computes , and sends , , to .(2): sends and to .(3): chooses two random numbers , computes and , sends to , and sends to .(4): chooses a random number , computes , and sends , , and to .(5) : computes , , , and .(6): sends , to .(7): computes , uses and to evaluate , , , and , and sends to .(8): computes , uses and to evaluate , , , and , and sends to .(9): sends to .(10) authenticates : verifiers whether the values in are correct. If so, the identity of is valid.(11): sends to .(12) authenticates : verifiers whether the values in are correct. If so, the identity of is valid.(13) authenticates , : verifiers whether the equations and are hold. If so, the identities of and are valid.(14); : computes , and , sends to , and sends to .(15) authenticates : verifiers whether is correct. If so, the identity of is valid.(16) authenticates : verifiers whether is correct. If so, the identity of is valid.

Finally, possesses a session key and possesses a session key .

###### 2.4.3. Weaknesses of Lin-Lee’s Scheme

We find Lin-Lee’s scheme [7] has three drawbacks: (1) does not provide anonymity, (2) vulnerable to tracking attack, and (3) inefficiency.

*(1) Does Not Provide Anonymity*. Medical institution transmits data and to in the step of verification phase, while medical institution transmits the same data ( and ) to in the step of verification phase. An attacker can obtain the identity ( and ) of both and by eavesdropping on the transmission; thus the scheme does not provide anonymity.

*(2) Vulnerable to Tracking Attack*. The data and are transmitted in both step and step of verification phase. An adversary can track institutions and easily from the identity ( and ); thus the scheme is vulnerable to tracking attack.

*(3) Inefficiency*. The scheme needs 16 exponentiations; therefore the computation cost of Lin-Lee’s scheme is inefficiency.

#### 3. Preliminary

##### 3.1. Notations

Notations section shows the notations used in our protocol, where is the pseudo ID of , is a data encrypted by using symmetric key encryption algorithm and sent to from , and , , and represent medical institutions , , or server .

##### 3.2. Attacker Model

In our scheme, we assume that the channels between and , and , and and are insecure. Any identity communicates with each other via an insecure public channel, offering adversaries opportunities to intercept. In the following, we present the assumptions of the attacker model [18–21].(1)An adversary may eavesdrop on all communications between protocol actors over the public channel.(2)An attacker can modify, delete, resend, and reroute the eavesdropped message.(3)An attacker cannot be a legitimate server.(4)The attacker knows the protocol description, which means the protocol is public.

##### 3.3. Security Requirements

The security requirements of our proposed scheme are listed as follows:(1)Data integrity: an adversary cannot alter the transmitted data without being detected.(2)Anonymity: an adversary cannot know the identities of medical institutions through the eavesdropped data.(3)Authenticity: any participant can authenticate other participants including the server.(4)Medical record confidentiality: an adversary (including the server) cannot disclose any medical records.(5)Medical record nonforgeability: an adversary cannot successfully forge electronic medical records.(6)Resistance to asynchronous attacks: the system can process a successful authentication even if the data stored in participants’ database may be asynchronous when a session cannot be normally completed.(7)Resistance to tracking attack: an adversary cannot trace the medical institution or through the eavesdropped data.

#### 4. Proposed Scheme

In this section, we propose a new three-party authentication scheme to achieve the functional requirements outlined in Definition 1 and the security goals outlined in Definition 2. The procedure of the proposed scheme is shown in Figure 5.

*Definition 1 (functional requirements of our scheme). *Our scheme features three roles: medical institution , medical institution , and authentication server . Our scheme is functional if it provides that (1) , , and can authenticate each other; (2) and can obtain a common session key; (3) and can exchange electronic medical records; (4) is not required to have a public key; and (5) it is efficient to implement.

*Definition 2 (security requirements of our scheme). *Our scheme is secure if it achieves the following: (1) data integrity, (2) anonymity, (3) authenticity, (4) medical record confidentiality, (5) medical record nonforgeability, (6) resistance to asynchronous attacks, and (7) resistance to tracking attacks.

##### 4.1. Initialization Phase

This phase establishes the required parameters.(1)The system chooses one large prime number .(2)The system chooses one primitive root modulo .(3) and each chooses a random number, respectively, and and, respectively, computes , .(4) and , respectively, generate symmetric keys and and use them to register with .(5) and , respectively, compute and .(6) stores , , and , where or .

##### 4.2. Verification Phase

This phase presents the process of mutual authentication, key exchange, and data transmission among , , and .(1): obtains the current time , computes , and sends , , and to .(2) authenticates : verifies whether holds, uses to find , decrypts via key to obtain , , and , and evaluates whether equals . If it is, the identity of is authenticated.(3) updates : updates .(4) updates : updates .(5): obtains the current time , uses to find , computes , and sends and to .(6) authenticates : verifies whether holds, decrypts via key to obtain and , and evaluates whether equals . If so, the identity of is authenticated.(7): computes and sends to .(8) authenticates : decrypts via key to obtain and and evaluates whether equals . If so, the identity of is authenticated.(9): computes and sends to .(10) authenticates : decrypts via key to obtain , , and and evaluates whether equals . If so, the identity of is authenticated. then computes .(11): computes and sends to .(12) updates : updates .(13) authenticates : computes , decrypts via key to obtain and , and evaluates whether equals . If so, the identity of is authenticated, while the data is also obtained.(14): computes and sends to .(15) authenticates : decrypts via key to obtain and and evaluates whether equals . If so, the identity of is authenticated, while the data is also obtained.

#### 5. Security Analysis

In this section, we analyze our protocol according to the security requirements defined in Section 3.3. The proof uses security reduction similar to that used in the random oracle model [22]. In other words, based on the security goal and attacker model, we prove that “if one claimed security property of our scheme is broken then one* atomic primitive* is broken,” where the atomic primitive means some basic cryptographic algorithm or hard mathematical problem. Therefore, our scheme provides this claimed security property since the atomic primitive is assumed to be secure.

##### 5.1. Data Integrity

If the transmitted data is altered, postdecryption verification will fail, thus ensuring data integrity. Theorem 4 proves the property of data integrity from Definition 3.

*Definition 3 (modified symmetric encryption problem). *Let , , and , where . If and can be evaluated from given and , then we say the modified symmetric encryption problem is solved (the probability of solving this problem is denoted as ).

Theorem 4 (data integrity). *In our scheme, if an adversary can change to successfully, then the modified symmetric encryption problem can be solved.*

*Proof. *In our scheme, assume an adversary tries to change to from eavesdropped and . Let be a random oracle: input and to output and such that , where (i.e., ). In Definition 3, let and , and let , be input parameters of and obtain output and . Let and ; then is evaluated. Therefore, , which means the modified symmetric encryption problem can be solved if exists.

##### 5.2. Anonymity

If the attacker wants to obtain or , he has to use or to evaluate them. However, cannot be evaluated from because of the nonreversible one-way hash function. Moreover, evaluating requires decrypting using the key , which is not obtained or evaluated through the eavesdropped data, therefore ensuring anonymity. Theorem 6 proves the property of data integrity from Definition 5.

*Definition 5 (modified hash problem). *Let , and . If can be evaluated from given and , then we say the modified hash problem is solved (the probability of solving this problem is denoted as ).

Theorem 6 (anonymity). *In our scheme, if an administrator can obtain from and , then the modified hash problem can be solved.*

*Proof. *In our scheme, assume an adversary tries to evaluate from eavesdropped and . Let be a random oracle: input and to output (i.e., ). In Definition 5, let , and let and be input parameters of and obtain output . Let ; then is evaluated. Therefore, , which means the modified hash problem can be solved if exists.

##### 5.3. Authenticity

Authenticating a participant requires evaluating whether is equal to . Although an adversary can create a new or obtain through the eavesdropped data, he cannot obtain or to decrypt to achieve successful authentication, therefore ensuring authenticity. Theorem 8 proves the property of data integrity from Definition 7.

*Definition 7 (joint modified symmetric encryption problem). *Let and , where . If can be evaluated from given and , then we say the joint modified symmetric encryption problem is solved, where (the probability of solving this problem is denoted as ).

Theorem 8 (authenticity). *In our scheme, if and can be forged, then the joint modified symmetric encryption problem can be solved.*

*Proof. *In our scheme, assume an adversary tries to evaluate to forge the identity of from and eavesdropped , . Let be a random oracle: input to output , (i.e., ). In Definition 7, let , , and be input parameters of and obtain output , . Let and , and then are evaluated. Therefore, , which means the joint modified symmetric encryption problem can be solved if exists.

##### 5.4. Medical Record Confidentiality

Obtaining medical records requires using the session key (or ) to decrypt (or ), where the session key is generated from one’s own private key (or ) and the public key (or ) of the opposite side. An attacker can neither evaluate the private keys or , nor obtain the public keys or due to anonymity. Therefore, the scheme ensures medical record confidentiality. Theorem 10 proves the property of data integrity from Definition 9.

*Definition 9 (second modified symmetric problem). *Let , and . If can be evaluated from given and , then we say the second modified symmetric problem is solved (the probability of solving this problem is denoted as ).

Theorem 10 (medical record confidentiality). *In our scheme, if attacker can obtain , then the second modified symmetric problem can be solved.*

*Proof. *In our scheme, assume an adversary tries to obtain from eavesdropped and . Let be a random oracle: input and to output (i.e., ). In Definition 9, let and be input parameters of and obtain output . Let , then is evaluated. Therefore, , which means the second modified symmetric problem can be solved if exists.

##### 5.5. Medical Record Nonforgeability

After decrypting (or ), (or ) have to authenticate each other via checking (or ). If an attacker wants to forge a medical record (or ), he/she has to evaluate the session key (or ) to encrypt both and (or both and ). Since the attacker cannot evaluate the session key, our scheme provides medical record nonforgeability. Theorem 12 proves the property of data integrity from Definition 11.

*Definition 11 (second joint modified symmetric encryption problem). *Let and , . If can be evaluated from given and , , then we say the second joint modified symmetric encryption problem is solved (the probability of solving this problem is denoted as ).

Theorem 12 (medical record nonforgeability). *In our scheme, if can be modified successfully, then the second joint modified symmetric encryption problem can be solved.*

*Proof. *In our scheme, assume an adversary tries to forge from and eavesdropped , . Let be a random oracle: input and to output (i.e., ). In Definition 11, let , and be input parameters of and obtain output . Let , then is evaluated. Therefore, , which means the second joint modified symmetric encryption problem can be solved if exists.

##### 5.6. Resistance to Asynchronous Attacks

If an attacker wants to block a communication to make an asynchronous attack, he/she can use the following methods to cause* A* and* S* to update asynchronously, causing the system fail in the future.(A)Blocking : if does not receive the data sent from , does not update and , nor does update . Therefore, an asynchronous attack based on this blocking method will fail.(B) Blocking : if does not receive the data sent from , will not update . In the next authentication session, will use to determine the information of . Therefore, this blocking method is resisted.(C)Blocking or : blocking or has the same result as blocking which prevents asynchronous attacks.(D)Blocking or : blocking or does not affect any update of .

##### 5.7. Resistance to Tracking Attack

Since changes in each round and the relationship between the previous and current and cannot be found, where or , the scheme is resistant to tracking attacks. Theorem 14 proves the property of data integrity from Definition 13.

*Definition 13 (modified hash problem). *Let , , If can be evaluated from given , and , then we say the modified hash problem is solved, where (the probability of solving this problem is denoted as ).

Theorem 14 (resistance to tracking attack). *In our scheme, if attacker can evaluate , then the modified hash problem can be solved.*

*Proof. *In our scheme, assume an adversary tries to evaluate to track user from eavesdropped , , , and . Let be a random oracle: input , , , and to output (i.e., ). In Definition 13, let , , , and be input parameters of and obtain output . Let , then is evaluated. Therefore, , which means the modified hash problem can be solved if exists.

#### 6. Comparison

This section compares the performance of our proposed method with previous verifier-based three-party authentication and key agreement (3PAKA) protocols without server public keys in terms of two aspects: computation and communication loadings (as shown in Table 1) and system properties (as shown in Table 2). From Table 1, our scheme is superior to previous schemes in terms of computation and communication performance. Table 2 shows that, unlike other schemes, our proposed scheme provides anonymity and resistance to tracking attacks. Therefore, our scheme is superior to previous schemes in terms of security.

Moreover, in Tables 3 and 4, we compare our proposed method with previous RSA-based 3PAKA schemes in terms of computation and communication loadings and system properties. Our protocol is a secure scheme providing 3PAKA and data exchange in medical environment, and the computation and communication loadings for providing only 3PAKA (without data exchange) in our scheme are different (lesser). In Table 4, Chang et al.’s [11] and Tso’s [12] schemes do not support mutual authentication, and Deebak et al.’s scheme [14] requires clients to logon the system successfully before starting the 3PAKA protocol in each time. In the logon phase of Deebak et al.’s scheme [14], each IP multimedia system (IMS) client enters his/her credentials into the registration form to avail the multimedia services, like video, voice, and data, and subsequently, the IMS server executes some steps to verify whether the client authorization is success or not. Moreover, each client has to perform two hash and two XOR functions in the logon phase, and the server has to perform four inverse computations in the authentication phase. Furthermore, we also compare our proposed method with other recently published 3PAKA schemes in terms of computation and communication loadings (Table 5) and system properties (Table 6). The schemes [15, 16] are smart card based schemes and some of their security and efficiency are based on smart cards. The properties “resistance to verifier-stolen attacks” of the schemes [11–13, 17] are all “N/A” because they are password-based schemes without verifiers. From Tables 3–6, our scheme is superior to previous RSA-based and other recently published 3PAKA schemes in terms of security and computation and communication performance.

#### 7. Implementation

This section presents the implementation of our scheme in mobile phones (Android 4.1) and PCs (Windows 7). The mobile system is implemented on Google Nexus S with a 1 GHz processor and 512 MB RAM. The PC implementation used Windows 7 Professional with an Intel (R) core (TM) CPU i5-650 @3.2 Hz and 4 GB RAM. The server (Server 1) and the user (Server 2) are implemented on Windows 7, while the user (Telecare) is implemented on Android. The hash function used is SHA-256 [23] and the symmetric encryption algorithm is AES [24]. Figure 6 shows the scheme flow in terms of data transmission and Figure 7 shows the data transfer renderings.

**(a)**Initial (on the end )

**(b)**Initial (on the end )

**(c)**Initial (on the end )

**(d)**Connected with (on the end )

**(e)**Verification data received from (on the end )

**(f)**Verification data received from (on the end )

**(g)**Verification data received from (on the end )

**(h)**Verification data received from (on the end )

**(i)**(Verification) data received from (on the end )

**(j)**(Verification) data received from (on the end )In our implementation, we assume that the system times of the server and the users and are synchronized. However, their system times are difficult to be synchronized. Fortunately, the experience in implementation shows that the system time difference between the server and the users is within miniseconds. By assuming the maximum system time difference between the clients and the server is 1000 miniseconds and the values and are between 10 ms and 30 ms, we suggest to set and to −990 ms and 1030 ms, respectively (in real situation, the values and are suggested to be measured again for much accuracy).

#### 8. Conclusion

In this paper, we review Lin-Lee’s protocol and demonstrate its lack of anonymity and resistance to tracking attacks. We propose an enhanced three-party authentication scheme for use in telecare medicine information systems, which provides high standards of security issues and performance. The proposed scheme does not need server public keys, reduces computation costs, and resolves two significant security issues (anonymity and resistance to tracking attacks). Comparisons with other approaches show the proposed scheme provides improved security while incurring computational, communication, and transaction costs comparable to other methods.

#### Notations

: | Medical institutions |

: | Server |

: | A large prime |

: | Primitive root modulo |

: | of |

: | Pseudo of |

: | The last pseudo of |

: | The time of |

: | The current time |

: | The th time threshold |

, : | Private keys of and |

, : | Public keys of and |

: | A symmetric key of |

, : | Section keys between and |

: | Encrypted data from to |

: | A one-way hash function |

: | A symmetric encryption using key |

: | A symmetric decryption using key . |

#### Disclosure

This article does not contain any studies with human participants or animals performed by any of the authors.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work is partially supported by the Ministry of Science and Technology under Grant MOST 104-2221-E-182-012 and by the CGMH project under Grant BMRPB46.