1. Privacy Protection for E-Health Systems by
Means of Dynamic Authentication and
Three-Factor Key Agreement
Source: IEEE Transactions on Industrial Electronics, Vol. 65, No.3, pp , Mar
Author: Liping Zhang, Yixin Zhang, Shanyu Tang, and He Luo
Speaker: Joyun Liu
Date: 06/13/2019 1

2. Introduction
Proposed scheme
Outline
Analysis
Conclusions 2

3. Introduction(1/2) Secure channel Public channel Malicious user Home
Patient
Home
Smart device
Medical server
Hospital
Patient’s family
Company
Doctor 3

4. Introduction(2/2) Malicious user Password Biometric Smart card
Three-Factor
Two-Factor
Computational complexity 4

5. Proposed scheme(1/6)-Notations
Description
𝑈 𝑖
The ith user participates in a phase S
The medical server of the e-health system
𝐼𝐷 𝑖 , 𝑃𝑊 𝑖
The identity and the password of 𝑈 𝑖
𝐼𝐷 𝑆𝐶
The identity of the smart card
𝑇 𝑖 , 𝐵 𝑖
The biometric template and the biometric data of 𝑈 𝑖 ∆
A matching algorithm of biometrics
ℎ 𝐵𝑖𝑜 (·)
A secure biohash function s
The master key of the medical server
𝐶 j
The jth transmitted value in this scheme
𝑟 𝑥
High-entropy random numbers
h(·)
A collision free hash function ⊕
The exclusive-or operation ||
The concatenation operation
f(·)
Dynamic strings generating algorithm
Registration phase
Login phase
Authentication phase 5
[38] A. Lumini and L. Nanni, “An improved BioHashing for human authentication,” Pattern Recognit., vol. 40, pp. 1057–1065, Mar

6. Proposed scheme(2/6)-Dynamic authentication
Login request message
Search in the database
𝐵 𝑖 ⊕ 𝑟 𝑖
f( 𝑟 𝑗 )
Ciphertext
Plaintext
Table in the database
Decrypt
Biometric
identity
Dynamic
string …
𝑇 𝑖 ⊕ 𝑟 𝑖
f( 𝑟 𝑗 )
𝐵 𝑖 ⊕ 𝑟 𝑖
Retrieve
Match
Generate
Compute
Replace
𝑟 𝑗 ′
f(𝑟 𝑗 ′ )
Success
Failed
Encrypt
Anonymity
Untraceability
Abort
𝑟 𝑗 ′
Response message 6

7. { 𝐼𝐷 𝑆𝐶 , h(·), ℎ 𝐵𝑖𝑜 (·), 𝑋, 𝑌, 𝑍}
Proposed scheme(3/6)-Registration phase
User 𝑈 𝑖
Medical server S
Secure channel
Public channel
Chooses 𝐼𝐷 𝑖 and 𝑃𝑊 𝑖
Input 𝑇 𝑖
𝐶 1 = h( 𝐼𝐷 𝑖 || 𝑃𝑊 𝑖 || ℎ 𝐵𝑖𝑜 ( 𝑇 𝑖 ))
Generates random 𝑟 1
𝐶 2 = 𝑇 𝑖 ⊕ 𝑟 1
Stores { 𝐶 2 , 𝑊 0 , 𝑊} in database
Generates random 𝑟 2
𝑊 0 = NULL
𝑊 = h( ℎ 𝐵𝑖𝑜 (( 𝐶 2 )⊕ 𝑟 2 ))
M = h( ℎ 𝐵𝑖𝑜 ( 𝐶 2 ) || s)
𝑋 = h( 𝐼𝐷 𝑆𝐶 || 𝐶 1 || M)⊕ 𝑟 2
𝑌= M⊕ 𝐶 1
Writes { 𝐼𝐷 𝑆𝐶 , h(·), ℎ 𝐵𝑖𝑜 (·), 𝑋, 𝑌}
into the smart card
{ 𝐶 1 , 𝐶 2 }
Smart card
𝑍 = 𝑟 1 ⊕ ℎ 𝐵𝑖𝑜 ( 𝑇 𝑖 )
Writes 𝑍 into the smart card
Smart card
{ 𝐼𝐷 𝑆𝐶 , h(·), ℎ 𝐵𝑖𝑜 (·), 𝑋, 𝑌, 𝑍}
Database
{ 𝐶 2 , 𝑊 0 , 𝑊} 7

8. { 𝐼𝐷 𝑆𝐶 , h(·), ℎ 𝐵𝑖𝑜 (·), 𝑋, 𝑌, 𝑍}
Proposed scheme(4/6)-Login phase
User 𝑈 𝑖
Medical server S
Smart card
{ 𝐼𝐷 𝑆𝐶 , h(·), ℎ 𝐵𝑖𝑜 (·), 𝑋, 𝑌, 𝑍}
Inputs 𝐼𝐷 𝑖 , 𝑃𝑊 𝑖 , 𝐵 𝑖
Inserts the smart card
𝐶 1 ∗ = h( 𝐼𝐷 𝑖 || 𝑃𝑊 𝑖 || ℎ 𝐵𝑖𝑜 ( 𝐵 𝑖 ))
𝑀 ∗ = 𝑌⊕ 𝐶 1 ∗
𝑟 2 ∗ = 𝑋⊕h( 𝐼𝐷 𝑆𝐶 || 𝐶 1 ∗ || 𝑀 ∗ )
𝑟 1 ∗ = 𝑍⊕ ℎ 𝐵𝑖𝑜 ( 𝐵 𝑖 )
𝐶 3 = ℎ 𝐵𝑖𝑜 𝐵 𝑖 ⊕ 𝑟 1 ∗ ⊕ 𝑟 2 ∗
Generates random 𝑟 3
𝐶 4 = 𝐵 𝑖 ⊕ 𝑟 1 ∗ ⊕h( 𝑀 ∗ || 𝑟 3 )
𝐶 5 = 𝑟 3 ⊕ ℎ 𝐵𝑖𝑜 ( 𝐵 𝑖 ⊕ 𝑟 1 ∗ )
{ 𝐶 3 , 𝐶 4 , 𝐶 5 } 8

9. Proposed scheme(5/6)-Authentication phase
User 𝑈 𝑖
Medical server S
𝑊 ∗ = h( 𝐶 3 )
Searches 𝑊 ∗ in 𝑊 and 𝑊 0 for 𝐶 2
If 𝑊 ∗ is found in 𝑊 0 , set 𝑊 = 𝑊 0
𝑀 ′ = h( ℎ 𝐵𝑖𝑜 ( 𝐶 2 ) || s)
𝑟 3 ∗ = 𝐶 5 ⊕ ℎ 𝐵𝑖𝑜 ( 𝐶 2 )
𝐵 𝑖 ⊕ 𝑟 1 ∗ = 𝐶 4 ⊕h( 𝑀 ′ || 𝑟 3 ∗ )
∆ ( 𝐶 2 , 𝐵 𝑖 ⊕ 𝑟 1 ∗ )
Generates random 𝑟 4
𝐶 6 = 𝑟 4 ⊕h( 𝐵 𝑖 ⊕ 𝑟 1 ∗ )
𝐶 7 = h(( 𝐵 𝑖 ⊕ 𝑟 1 ∗ ) || 𝑟 3 ∗ || 𝑟 4 )
Database
Biometric
identity( 𝐶 2 )
Dynamic
string( 𝑊 0 )
string(𝑊)
01001…011
NULL
01110…100
01100…110
11001…010
10111…011 …
10101…010
10110…101
01011…111
𝑊 ∗
{ 𝐶 6 , 𝐶 7 } 9

10. Proposed scheme(6/6)-Authentication phase
User 𝑈 𝑖
Database
Medical server S
Biometric
identity( 𝐶 2 )
Dynamic
string( 𝑊 0 )
string(𝑊)
01001…011
NULL
01110…100
01100…110
11001…010
10111…011 …
10101…010
10110…101
01011…111
𝑟 4 ∗ = 𝐶 6 ⊕h( 𝐵 𝑖 ⊕ 𝑟 1 ∗ )
𝐶 7 =? h(( 𝐵 𝑖 ⊕ 𝑟 1 ∗ ) || 𝑟 3 || 𝑟 4 ∗ )
𝑋 𝑛𝑒𝑤 = h( 𝐼𝐷 𝑆𝐶 || 𝐶 1 ∗ || 𝑀 ∗ )⊕ 𝑟 4 ∗
SK = h( 𝑀 ∗ || 𝑟 3 || 𝑟 4 ∗ )
𝐶 8 = h( ℎ 𝐵𝑖𝑜 ( 𝐵 𝑖 ⊕ 𝑟 1 ∗ ⊕ 𝑟 4 ∗ )⊕ 𝑟 4 ∗ )
{ 𝐶 8 }
𝐶 8 =? h( ℎ 𝐵𝑖𝑜 ( 𝐵 𝑖 ⊕ 𝑟 1 ∗ ⊕ 𝑟 4 )⊕ 𝑟 4 )
SK = h( 𝑀 ′ || 𝑟 3 ∗ || 𝑟 4 )
𝑊 𝑛𝑒𝑤 = h( ℎ 𝐵𝑖𝑜 (( 𝐶 2 )⊕ 𝑟 4 ))
Replaces ( 𝑊 0 , 𝑊) with (𝑊, 𝑊 𝑛𝑒𝑤 )
𝐶 9 = h(SK || 𝑟 4 )
{ 𝐶 9 }
𝐶 9 =? h SK || 𝑟 4
Accepts SK and replaces
𝑋 with 𝑋 𝑛𝑒𝑤 10

11. Analysis(1/3)-Security analysis
[21] H. L. Yeh, T. H. Chen, K. J. Hu, and W. K. Shih, “Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric
data,” IET Inf. Secur., Vol. 7, pp. 247–252, Sep
[23] F. Wu, L. L. Xu, S. Kumari, and X. Li, “A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server
networks,” Comput. Elect. Eng., Vol. 45, pp. 274–285, Jul
[8] R. Amin, S. K. H. Islam, G. P. Biswas, M. K. Khan, and X. Li, “Cryptanalysis and enhancement of anonymity preserving remote user mutual authentication
and session key agreement scheme for E-Health care systems,” J. Med. Syst., Vol. 39, Nov. 2015, Art. no. 140.
[19] X. L. Li, Q. Y. Wen, and W. M. Li, “A three-factor based remote user authentication scheme: Strengthening systematic security and personal privacy for
wireless communications,” Wireless Pers. Commun., Vol. 86, pp. 1593–1610, Feb 11

12. Analysis(2/3)-Performance analysis
𝑇 ℎ :The time for executing a one-way hash function.
𝑇 𝑏ℎ :The time for executing a one-way biohash function.
𝑇 𝑠 :The time for executing a symmetric key encryption/decryption operation.
𝑇 𝑚 :The time for executing a scalar multiplication operation of an elliptic curve.
𝑇 𝑎 : The time for executing a point addition operation of an elliptic curve.
𝑇 𝑒 : The time for executing a modular exponentiation operation. 12

13. Analysis(3/3)-Performance analysis13

14. Conclusions
Security
Efficiency 14