Privacy Protection for E-Health Systems by Means of Dynamic Authentication and Three-Factor Key Agreement
Source: IEEE Transactions on Industrial Electronics, Vol. 65, No. 3, pp. 2795-2805, Mar. 2018.
Author: Liping Zhang, Yixin Zhang, Shanyu Tang, and He Luo
Speaker: Joyun Liu
Date: 06/13/2019

Outline
Introduction
Proposed scheme
Analysis
Conclusions

Introduction(1/2)
[Figure: e-health system diagram. Labels: secure channel, public channel, malicious user, home, patient, smart device, medical server, hospital, patient's family, company, doctor.]

Introduction(2/2)
[Figure: authentication factors. Labels: malicious user, password, biometric, smart card, two-factor, three-factor, computational complexity.]

Proposed scheme(1/6)-Notations
Notation: Description
$U_i$: The ith user participates in a phase
$S$: The medical server of the e-health system
$ID_i, PW_i$: The identity and the password of $U_i$
$ID_{SC}$: The identity of the smart card
$T_i, B_i$: The biometric template and the biometric data of $U_i$
$\Delta$: A matching algorithm of biometrics
$h_{Bio}(\cdot)$: A secure biohash function
$s$: The master key of the medical server
$C_j$: The jth transmitted value in this scheme
$r_x$: High-entropy random numbers
$h(\cdot)$: A collision free hash function
$\oplus$: The exclusive-or operation
$\|$: The concatenation operation
$f(\cdot)$: Dynamic strings generating algorithm
Phases: Registration phase, Login phase, Authentication phase
[38] A. Lumini and L. Nanni, “An improved BioHashing for human authentication,” Pattern Recognit., vol. 40, pp. 1057–1065, Mar. 2007.

Proposed scheme(2/6)-Dynamic authentication
[Figure: dynamic authentication flow. Labels: login request message, ciphertext, plaintext, $B_i \oplus r_i$, $f(r_j)$, decrypt, search in the database, table in the database (biometric identity $T_i \oplus r_i$, dynamic string $f(r_j)$), retrieve, match, success, failed, abort, generate $r_j'$, compute $f(r_j')$, replace, encrypt, response message, anonymity, untraceability.]

Proposed scheme(3/6)-Registration phase
Parties: User $U_i$, Medical server $S$ (diagram legend: secure channel, public channel)
User $U_i$:
Chooses $ID_i$ and $PW_i$
Input $T_i$
$C_1 = h(ID_i \| PW_i \| h_{Bio}(T_i))$
Generates random $r_1$
$C_2 = T_i \oplus r_1$
User $U_i$ to $S$: $\{C_1, C_2\}$
Medical server $S$:
Generates random $r_2$
$W_0 = \text{NULL}$
$W = h(h_{Bio}(C_2 \oplus r_2))$
Stores $\{C_2, W_0, W\}$ in database
$M = h(h_{Bio}(C_2) \| s)$
$X = h(ID_{SC} \| C_1 \| M) \oplus r_2$
$Y = M \oplus C_1$
Writes $\{ID_{SC}, h(\cdot), h_{Bio}(\cdot), X, Y\}$ into the smart card
$S$ to User $U_i$: Smart card
User $U_i$:
$Z = r_1 \oplus h_{Bio}(T_i)$
Writes $Z$ into the smart card
Result: Smart card $\{ID_{SC}, h(\cdot), h_{Bio}(\cdot), X, Y, Z\}$; Database $\{C_2, W_0, W\}$

Proposed scheme(4/6)-Login phase
Parties: User $U_i$, Medical server $S$
Smart card: $\{ID_{SC}, h(\cdot), h_{Bio}(\cdot), X, Y, Z\}$
User $U_i$:
Inputs $ID_i$, $PW_i$, $B_i$
Inserts the smart card
$C_1^* = h(ID_i \| PW_i \| h_{Bio}(B_i))$
$M^* = Y \oplus C_1^*$
$r_2^* = X \oplus h(ID_{SC} \| C_1^* \| M^*)$
$r_1^* = Z \oplus h_{Bio}(B_i)$
$C_3 = h_{Bio}(B_i \oplus r_1^* \oplus r_2^*)$
Generates random $r_3$
$C_4 = B_i \oplus r_1^* \oplus h(M^* \| r_3)$
$C_5 = r_3 \oplus h_{Bio}(B_i \oplus r_1^*)$
User $U_i$ to $S$: $\{C_3, C_4, C_5\}$

Proposed scheme(5/6)-Authentication phase
Parties: User $U_i$, Medical server $S$
Medical server $S$:
$W^* = h(C_3)$
Searches $W^*$ in $W$ and $W_0$ for $C_2$
If $W^*$ is found in $W_0$, set $W = W_0$
$M' = h(h_{Bio}(C_2) \| s)$
$r_3^* = C_5 \oplus h_{Bio}(C_2)$
$B_i \oplus r_1^* = C_4 \oplus h(M' \| r_3^*)$
$\Delta(C_2, B_i \oplus r_1^*)$
Generates random $r_4$
$C_6 = r_4 \oplus h(B_i \oplus r_1^*)$
$C_7 = h((B_i \oplus r_1^*) \| r_3^* \| r_4)$
$S$ to User $U_i$: $\{C_6, C_7\}$
Database (searched with $W^*$):
Biometric identity ($C_2$) | Dynamic string ($W_0$) | Dynamic string ($W$)
01001…011 | NULL | 01110…100
01100…110 | 11001…010 | 10111…011
… | … | …
10101…010 | 10110…101 | 01011…111

Proposed scheme(6/6)-Authentication phase
Parties: User $U_i$, Medical server $S$, Database (same table as on the previous slide)
User $U_i$:
$r_4^* = C_6 \oplus h(B_i \oplus r_1^*)$
$C_7 \stackrel{?}{=} h((B_i \oplus r_1^*) \| r_3 \| r_4^*)$
$X_{new} = h(ID_{SC} \| C_1^* \| M^*) \oplus r_4^*$
$SK = h(M^* \| r_3 \| r_4^*)$
$C_8 = h(h_{Bio}(B_i \oplus r_1^* \oplus r_4^*) \oplus r_4^*)$
User $U_i$ to $S$: $\{C_8\}$
Medical server $S$:
$C_8 \stackrel{?}{=} h(h_{Bio}(B_i \oplus r_1^* \oplus r_4) \oplus r_4)$
$SK = h(M' \| r_3^* \| r_4)$
$W_{new} = h(h_{Bio}(C_2 \oplus r_4))$
Replaces $(W_0, W)$ with $(W, W_{new})$
$C_9 = h(SK \| r_4)$
$S$ to User $U_i$: $\{C_9\}$
User $U_i$:
$C_9 \stackrel{?}{=} h(SK \| r_4)$
Accepts $SK$ and replaces $X$ with $X_{new}$

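An added example, not from the slides or the paper: the registration, login and authentication slides above run end to end, showing that $C_3$ changes every session and that the $W_0$ fallback keeps a card usable when $C_9$ is lost. Assumptions: SHA-256 stands in for $h(\cdot)$, a plain hash stands in for the biohash (so $B_i$ must equal $T_i$ exactly and $\Delta$ is an equality test), all XORed values are 32 bytes, and `register`, `session` and `drop_c9` are hypothetical names.

```python
import hashlib, os

def h(*p): return hashlib.sha256(b"".join(p)).digest()   # h(.), assumed SHA-256
def hbio(x): return hashlib.sha256(b"bio" + x).digest()  # stand-in for h_Bio(.)
def rnd(): return os.urandom(32)
def xor(a, *rest):
    for b in rest: a = bytes(x ^ y for x, y in zip(a, b))
    return a

def register(ID, PW, T, s, id_sc):
    r1, r2 = rnd(), rnd()
    C1, C2 = h(ID, PW, hbio(T)), xor(T, r1)
    M = h(hbio(C2), s)
    card = {"ID_SC": id_sc, "X": xor(h(id_sc, C1, M), r2),
            "Y": xor(M, C1), "Z": xor(r1, hbio(T))}
    return card, {"C2": C2, "W0": None, "W": h(hbio(xor(C2, r2)))}

def session(card, db, s, ID, PW, B, drop_c9=False):
    # User: login request {C3, C4, C5}
    C1 = h(ID, PW, hbio(B)); M = xor(card["Y"], C1)
    hx = h(card["ID_SC"], C1, M)
    r2, r1, r3 = xor(card["X"], hx), xor(card["Z"], hbio(B)), rnd()
    Br = xor(B, r1)                                  # B_i xor r1*
    C3, C4, C5 = hbio(xor(Br, r2)), xor(Br, h(M, r3)), xor(r3, hbio(Br))
    # Server: search W* = h(C3) in W and W0
    Ws = h(C3)
    row = next((r for r in db if Ws in (r["W"], r["W0"])), None)
    if row is None: return None                      # unknown dynamic string
    if Ws == row["W0"]: row["W"] = row["W0"]         # card missed last update
    Ms, r3s = h(hbio(row["C2"]), s), xor(C5, hbio(row["C2"]))
    Brs = xor(C4, h(Ms, r3s))
    if Brs != row["C2"]: return None                 # Delta as exact equality
    r4 = rnd(); C6, C7 = xor(r4, h(Brs)), h(Brs, r3s, r4)
    # User: verify C7, derive SK, send {C8}
    r4u = xor(C6, h(Br))
    if C7 != h(Br, r3, r4u): return None
    sk_u, C8 = h(M, r3, r4u), h(xor(hbio(xor(Br, r4u)), r4u))
    # Server: verify C8, derive SK, rotate (W0, W) <- (W, W_new), send {C9}
    if C8 != h(xor(hbio(xor(Brs, r4)), r4)): return None
    sk_s = h(Ms, r3s, r4)
    row["W0"], row["W"] = row["W"], h(hbio(xor(row["C2"], r4)))
    C9 = h(sk_s, r4)
    # User: verify C9, then replace X with X_new (drop_c9 simulates a lost C9)
    if not drop_c9 and C9 == h(sk_u, r4u): card["X"] = xor(hx, r4u)
    return C3, sk_u, sk_s
```

`session` returns `(C3, SK_user, SK_server)` or `None` on abort; a wrong password fails at the database search because the recovered $r_2^*$, and therefore $C_3$, is wrong.
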
Analysis(1/3)-Security analysis
[21] H. L. Yeh, T. H. Chen, K. J. Hu, and W. K. Shih, “Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data,” IET Inf. Secur., Vol. 7, pp. 247–252, Sep. 2013.
[23] F. Wu, L. L. Xu, S. Kumari, and X. Li, “A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks,” Comput. Elect. Eng., Vol. 45, pp. 274–285, Jul. 2015.
[8] R. Amin, S. K. H. Islam, G. P. Biswas, M. K. Khan, and X. Li, “Cryptanalysis and enhancement of anonymity preserving remote user mutual authentication and session key agreement scheme for E-Health care systems,” J. Med. Syst., Vol. 39, Nov. 2015, Art. no. 140.
[19] X. L. Li, Q. Y. Wen, and W. M. Li, “A three-factor based remote user authentication scheme: Strengthening systematic security and personal privacy for wireless communications,” Wireless Pers. Commun., Vol. 86, pp. 1593–1610, Feb. 2016.

Analysis(2/3)-Performance analysis
$T_h$: The time for executing a one-way hash function.
$T_{bh}$: The time for executing a one-way biohash function.
$T_s$: The time for executing a symmetric key encryption/decryption operation.
$T_m$: The time for executing a scalar multiplication operation of an elliptic curve.
$T_a$: The time for executing a point addition operation of an elliptic curve.
$T_e$: The time for executing a modular exponentiation operation.

Analysis(3/3)-Performance analysis

Conclusions
Security
Efficiency