The Cryptanalysis of Lee's Chaotic Maps-Based Authentication and Key Agreement Scheme using Smart card for Telecare Medicine Information Systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The Telecare medicine information system (TMIS) is developed to provide Telecare services to the remote user. A user can access remote medical servers using the internet without moving from his place. However, the remote user and server exchange their messages/data via public networks, and an adversary is considered powerful enough that he may have full control over the public network. This makes these Telecare services vulnerable to attacks. To ensure secure communication between the user and server, many password-based authentication schemes have been proposed. In 2013, Hao et al. presented a chaotic maps-based password authentication scheme for TMIS. Recently, Lee identified that Hao et al.'s scheme fails to satisfy the key agreement property, such that a malicious server can predetermine the session key. Lee also presented an efficient chaotic map-based password authentication and key agreement scheme using smart cards for TMIS. In this article, we briefly review Lee's scheme and demonstrate its weaknesses. The study shows that the inefficiency of the password change phase in Lee's scheme causes a denial of service attack, and that the login phase results in extra computation and communication overhead.


💡 Research Summary

The paper conducts a thorough cryptanalysis of the chaotic‑maps‑based authentication and key‑agreement protocol proposed by Lee for Telecare Medicine Information Systems (TMIS). Lee’s scheme, which employs a smart‑card, a master key (mk), one‑way hash functions h and H, and symmetric encryption/decryption primitives, is organized into four phases: parameter generation, registration, authentication, and password‑change. During registration the server stores on the smart‑card the values IM1 = mk ⊕ r, IM2 = h(mk‖r) ⊕ ID, D1 = h(ID‖mk) ⊕ h(PW⊕b) and D2 = h(PW) ⊕ b, where b is a random number chosen by the user.

The authors identify three critical weaknesses. First, an offline password‑guessing attack is feasible because an adversary who extracts the smart‑card data (IM1, IM2, D1, D2) and eavesdrops on the exchanged messages (M1, M2) can iteratively guess a password PW*. For each guess the attacker computes b* = D2 ⊕ h(PW*) and K* = D1 ⊕ h(PW*‖b*). By checking whether the captured authentication tag X1 equals h(K*‖IM1‖IM2‖T_u(K)‖T1), the attacker can confirm a correct guess. This attack does not rely on any weakness of the hash function; it exploits the fact that critical secret material is stored in clear form on the card.

Second, the login phase suffers from unnecessary computational and communication overhead. The smart‑card does not verify the correctness of the entered password before proceeding. If a user inputs an incorrect PW*, the card still generates a random nonce u, computes b* and K* as above, and sends a forged authentication message M1* to the server. The server’s timestamp check passes, but the tag verification fails, causing the session to abort. Nevertheless, the smart‑card and server have each performed several hash evaluations, XORs, and a chaotic‑map operation, amounting to roughly 4·T_X + 6·T_h + T_ch time units, which is wasted when the password is wrong.

Third, the password‑change phase is vulnerable to a denial‑of‑service (DoS) attack. The smart‑card updates D1 and D2 without first confirming that the supplied old password matches the stored one. If the user mistakenly supplies an incorrect old password while providing a new password PW_new, the card computes a wrong b* and consequently replaces D1 and D2 with corrupted values D1′ and D2′. Subsequent authentication attempts will always fail because the derived session key K′ will not match the server’s expectation, effectively locking the legitimate user out of the system unless the card is re‑issued.

These flaws mirror similar design problems found in earlier smart‑card based protocols (e.g., Guo‑Chang 2012, Hao et al. 2013), where password validation is deferred until after expensive cryptographic operations and where secret parameters are stored in plaintext on the card. The paper recommends concrete mitigations: (i) store only hashed or asymmetrically encrypted secrets on the card; (ii) perform early password verification in both the login and password‑change phases to abort immediately on incorrect input; (iii) incorporate password‑verification results into the authentication messages to avoid unnecessary hash and chaotic‑map computations.
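To make the second and third weaknesses and mitigation (ii) concrete, here is an added toy model of the smart-card side of the scheme; it is not the paper's code. SHA-256 stands in for h, the chaotic-map part of the session key is omitted, and PW, ID and b are zero-padded to the hash length so that the XORs are defined (all assumptions). `FlawedCard` behaves as the summary describes: it derives b* and K* from whatever password is typed and, in the password-change phase, overwrites D1 and D2 without checking the old password. `HardenedCard` adds a local verifier V (an assumption standing in for "early password verification") and refuses to continue on a wrong password, so a mistyped old password no longer corrupts the card and a wrong login password never reaches the nonce, chaotic-map and M1 steps.

```python
import hashlib
import secrets

HLEN = 32  # length of h's output; PW, ID and b are padded to it so ⊕ is defined (assumption)


def h(*parts: bytes) -> bytes:
    """One-way hash h over the concatenation of its arguments (SHA-256 stands in for h)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == HLEN
    return bytes(x ^ y for x, y in zip(a, b))


def pad(v: bytes) -> bytes:
    """Zero-pad a short value (PW or ID) to HLEN (assumption, so PW ⊕ b and ID ⊕ h(...) work)."""
    return v.ljust(HLEN, b"\x00")[:HLEN]


class Server:
    """Holds mk and issues the card values of the registration phase."""

    def __init__(self) -> None:
        self.mk = secrets.token_bytes(HLEN)

    def register(self, ID: bytes, PW: bytes, b: bytes) -> dict:
        r = secrets.token_bytes(HLEN)
        return {
            "IM1": xor(self.mk, r),
            "IM2": xor(h(self.mk, r), pad(ID)),
            "D1": xor(h(pad(ID), self.mk), h(xor(pad(PW), b))),
            "D2": xor(h(PW), b),
        }

    def expected_key(self, ID: bytes) -> bytes:
        """h(ID‖mk), the value the server recomputes when it checks a login."""
        return h(pad(ID), self.mk)


class FlawedCard:
    """Card behaviour as the summary describes it: no password check before use."""

    def __init__(self, data: dict) -> None:
        self.d = dict(data)

    def derive(self, PW: bytes):
        b_star = xor(self.d["D2"], h(PW))
        K_star = xor(self.d["D1"], h(xor(pad(PW), b_star)))
        return b_star, K_star

    def login_key(self, PW: bytes):
        # Always proceeds: a wrong PW still costs the hashes and a round trip before the server rejects it.
        return self.derive(PW)[1]

    def change_password(self, old_PW: bytes, new_PW: bytes) -> bool:
        # A wrong old_PW gives a wrong b*, and D1/D2 are overwritten with corrupted values.
        b_star, K_star = self.derive(old_PW)
        self.d["D1"] = xor(K_star, h(xor(pad(new_PW), b_star)))
        self.d["D2"] = xor(h(new_PW), b_star)
        return True


class HardenedCard(FlawedCard):
    """Same card plus a local verifier V (assumption) checked before any further step."""

    def __init__(self, data: dict, PW: bytes, b: bytes) -> None:
        super().__init__(data)
        # V lets the card reject a wrong PW early. Like any on-card verifier it can be tested
        # offline by whoever extracts the card, so it addresses the overhead and DoS flaws,
        # not the plaintext-storage problem of point (i).
        self.d["V"] = h(h(PW), b)

    def verify(self, PW: bytes) -> bool:
        b_star = xor(self.d["D2"], h(PW))
        return secrets.compare_digest(self.d["V"], h(h(PW), b_star))

    def login_key(self, PW: bytes):
        if not self.verify(PW):
            return None  # abort locally: no nonce u, no chaotic map, no message M1 sent
        return self.derive(PW)[1]

    def change_password(self, old_PW: bytes, new_PW: bytes) -> bool:
        if not self.verify(old_PW):
            return False  # card data left untouched
        b_star, K_star = self.derive(old_PW)
        self.d["D1"] = xor(K_star, h(xor(pad(new_PW), b_star)))
        self.d["D2"] = xor(h(new_PW), b_star)
        self.d["V"] = h(h(new_PW), b_star)
        return True


def demo() -> dict:
    """Mistype the old password during a change on both cards; report whether login still works."""
    server = Server()
    ID, PW, b = b"alice", b"correct horse", secrets.token_bytes(HLEN)  # constructed sample user
    data = server.register(ID, PW, b)
    results = {}
    for name, card in (("flawed", FlawedCard(data)), ("hardened", HardenedCard(data, PW, b))):
        changed = card.change_password(b"wrong old pw", b"new pw")
        pw_in_use = b"new pw" if changed else PW  # what the user believes is now valid
        results[name] = card.login_key(pw_in_use) == server.expected_key(ID)
    return results


if __name__ == "__main__":
    print(demo())  # {'flawed': False, 'hardened': True}
```

On the flawed card the change "succeeds" and the user is locked out afterwards, since neither the old nor the new password yields h(ID‖mk); on the hardened card the change is refused and the original password keeps working. The same `verify` call also gives the login-phase short-circuit that mitigation (ii) asks for.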

In conclusion, while Lee’s protocol aims to improve efficiency for TMIS environments, its structural weaknesses render it insecure against offline password guessing, cause avoidable performance penalties, and open a pathway for DoS attacks. The presented analysis not only exposes these vulnerabilities but also offers guidance for designing more robust, efficient authentication schemes for tele‑health applications.

