Privacy protection for telecare medicine information systems using a chaotic map-based three-factor authenticated key agreement scheme

Telecare Medicine Information Systems (TMIS) provides flexible and convenient e-health care. However the medical records transmitted in TMIS are exposed to unsecured public networks, so TMIS are more vulnerable to various types of security threats and attacks. To provide privacy protection for TMIS, a secure and efficient authenticated key agreement scheme is urgently needed to protect the sensitive medical data. Recently, Mishra et al. proposed a biometrics-based authenticated key agreement scheme for TMIS by using hash function and nonce, they claimed that their scheme could eliminate the security weaknesses of Yan et al.’s scheme and provide dynamic identity protection and user anonymity. In this paper, however, we demonstrate that Mishra et al.’s scheme suffers from replay attacks, man-in-the-middle attacks and fails to provide perfect forward secrecy. To overcome the weaknesses of Mishra et al.’s scheme, we then propose a three-factor authenticated key agreement scheme to enable the patient enjoy the remote healthcare services via TMIS with privacy protection. The chaotic map-based cryptography is employed in the proposed scheme to achieve a delicate balance of security and performance. Security analysis demonstrates that the proposed scheme resists various attacks and provides several attractive security properties. Performance evaluation shows that the proposed scheme increases efficiency in comparison with other related schemes

Dependable and secure computing in medical information systems

Medical information systems facilitate ambulatory patient care, and increase safer and more intelligent diagnostic and therapeutic capabilities through automated interoperability among distributed medical devices. In modern medical information systems, dependability is one of the most important factors for patient safety in the presence of delayed or lost system alarm and data streams due to the intermittent medical device network connection or failure. In addition, since the medical information need to be frequently audited by many human operators as well as the automated medical devices, secure access control is another pivotal factor for patient privacy and data confidentiality against inside or outside adversaries. In this study, we propose a dependable and secure access policy enforcement scheme for disruption-tolerant medical information systems. The proposed scheme exploits the external storage node operated by the device controller, which enables reliable communications between medical devices. Fine-grained data access control is also achieved, while the key escrow problem is resolved such that any curious device controller or key generation center cannot decrypt the private medical data of patients. The proposed scheme allows the device controller to partially decrypt the encrypted medical information for the authorized receivers with their corresponding attributes without leaking any confidential information to it. Thus, computational efficiency at the medical devices is also enhanced by enabling the medical devices to delegate most laborious tasks of decryption to the device controller. (C) 2012 Elsevier B.V. All rights reserved.This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2012R1A1A1001835)