Cryptanalysis of Cryptanalysis and Improvement of Yan et al Biometric-Based Authentication Scheme for TMIS

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Remote user authentication is a critical requirement in a Telecare Medicine Information System (TMIS) to protect the patient's personal details and the security and integrity of the patient's critical medical records, because the patient data is transmitted over an insecure public communication channel, the Internet. In 2013, Yan proposed a biometric-based remote user authentication scheme and claimed that his scheme is secure. Recently, Dheerendra et al. demonstrated some drawbacks in Yan et al.'s scheme and proposed an improved scheme to remove those drawbacks. We analyze Dheerendra et al.'s scheme and identify that it is vulnerable to an off-line identity guessing attack; on successfully mounting it, the attacker can perform all major cryptographic attacks.


💡 Research Summary

The paper addresses the critical need for secure remote user authentication in Telecare Medicine Information Systems (TMIS), where patients’ personal and medical data traverse the public Internet. It begins by reviewing Yan et al.’s 2013 biometric‑based authentication protocol, which combines a user’s password, biometric template, and a server‑stored secret to achieve mutual authentication. Although Yan’s scheme was initially praised for its simplicity, subsequent analyses revealed weaknesses such as inadequate integrity checks during key exchange and the exposure of a hashed user identifier (ID) that could be targeted by offline attacks.

In response, Dheerendra et al. (2022) proposed an “improved” version that adds client‑generated nonces (r1, r2), timestamps, and extra hash computations, aiming to mitigate replay attacks and strengthen session key derivation. The authors of the current study meticulously reconstruct Dheerendra’s protocol flow: the client sends ID, a hash of password‖r1, and a biometric hash; the server validates these values, generates a fresh nonce r2, and replies with a hash of ID‖password‖r2 together with a timestamp. Both parties then derive a session key K = H(ID‖password‖r1‖r2).

The core contribution of the paper is a comprehensive cryptanalysis that demonstrates the “improved” scheme remains vulnerable to an offline identity‑guessing attack. Because the user identifier is transmitted as a deterministic hash of the form H(ID‖x) (where x is a server secret), an adversary who intercepts authentication messages can mount a dictionary attack against a relatively small space of plausible IDs (e.g., national ID numbers, hospital‑issued patient numbers). By pre‑computing H(ID‖x) for all candidate IDs, the attacker can match the intercepted hash and recover the exact ID.

Once the ID is known, the attacker proceeds to an offline password‑guessing phase. The intercepted client message contains H(PW‖r1) and the server’s response includes H(ID‖PW‖r2). Since the nonces r1 and r2 are transmitted in the clear (or can be derived from the messages), the attacker can iterate over plausible passwords, compute the corresponding hashes, and compare them against the captured values. This process requires only computation and no further interaction with the server, and therefore qualifies as a true offline attack.
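The property the two paragraphs above turn on is that every input to H(PW‖r1) except the password itself is present in the captured transcript. The following added example (not code from the paper or from either scheme's authors) models that message with a constructed transcript and checks whether a candidate password can be confirmed from the transcript alone; it then repeats the check for a hardened variant in which the password-derived value is keyed with a session secret k that never travels on the wire (assumed here to come from a key exchange, and simply generated at random for the demonstration). The hash function, identifiers and candidate dictionary are all constructed values.

```python
import hashlib
import hmac
import secrets

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation, standing in for the scheme's H(a||b)."""
    return hashlib.sha256(b"".join(parts)).digest()

# Constructed sample transcript modelled on the summarised client message:
# client -> server: ID, H(PW||r1), biometric hash, with r1 sent in the clear.
ID = b"patient-00421"
REAL_PW = b"winter2013"
r1 = secrets.token_bytes(16)
bio_hash = H(b"constructed-biometric-template")

weak_transcript = {"id": ID, "r1": r1, "pw_hash": H(REAL_PW, r1), "bio": bio_hash}

# Hardened variant (assumption, not from the paper): the password-derived value is
# an HMAC under a session secret k that is never transmitted, so the transcript
# contains no value an eavesdropper can recompute from a password guess.
k = secrets.token_bytes(32)
hardened_transcript = {
    "id": ID,
    "r1": r1,
    "pw_hash": hmac.new(k, REAL_PW + r1, hashlib.sha256).digest(),
    "bio": bio_hash,
}

def offline_guess_verifiable(transcript: dict, candidate_pw: bytes) -> bool:
    """Recompute the client's password hash using only fields present in the
    transcript (no server interaction, no secret material) and compare.
    True for the correct password means the value is offline-checkable."""
    return H(candidate_pw, transcript["r1"]) == transcript["pw_hash"]

def guess_signal(transcript: dict, candidates: list) -> list:
    """Return the candidates that the transcript alone confirms; an empty list
    means the transcript gives an eavesdropper no signal to test guesses against."""
    return [c for c in candidates if offline_guess_verifiable(transcript, c)]

CANDIDATES = [b"password1", b"winter2013", b"Hospital!2023"]  # constructed dictionary

if __name__ == "__main__":
    print("weak scheme confirms:", guess_signal(weak_transcript, CANDIDATES))
    print("hardened scheme confirms:", guess_signal(hardened_transcript, CANDIDATES))
```

With the weak transcript the correct entry is singled out; with the keyed variant every candidate, including the correct one, fails to match, which is exactly the absence of an offline oracle that the remediation principles later in the summary aim for.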

Successful recovery of both ID and password enables a cascade of further attacks:

  1. Impersonation – The attacker can forge a legitimate login request, bypassing biometric verification because the biometric hash can be replayed or substituted with a pre‑recorded template.
  2. Session Key Extraction – With ID, PW, r1, and r2 known, the attacker computes the session key K, granting decryption capability for any subsequent encrypted traffic between the client and server.
  3. Replay / Forged Token Attack – The timestamp included in the server’s response is validated within a relatively wide time window. An attacker who has captured a valid token can replay it within that window to gain unauthorized access.
  4. Denial‑of‑Service – By repeatedly sending malformed or forged authentication messages, the attacker can exhaust server resources, especially if the server performs expensive hash computations before discarding invalid requests.

The paper quantifies the attack’s feasibility by estimating the entropy of typical patient IDs (often 8–12 digits) and common password policies in healthcare settings. Even with modest computational resources, a modern GPU cluster can exhaust the search space within hours, highlighting the practical danger.

Beyond the technical exposition, the authors discuss the real‑world implications for TMIS: compromised patient records, unauthorized modification of treatment plans, and potential legal liabilities for healthcare providers. They argue that any protocol that allows offline derivation of secret credentials from intercepted traffic is unsuitable for high‑risk medical environments.

To remediate the identified flaws, the paper proposes a set of design principles:

  • Zero‑Knowledge Identifier Transmission – Replace deterministic ID hashes with cryptographic commitments or anonymous credentials that do not reveal the underlying identifier.
  • Public‑Key Based Mutual Authentication – Employ elliptic‑curve Diffie‑Hellman (ECDH) or similar key‑exchange mechanisms where the server’s public key is authenticated via a certificate authority, eliminating the need to transmit password‑derived values.
  • Nonce‑Only Challenge‑Response – Use server‑generated nonces only, and avoid transmitting client‑generated nonces in clear. The client should prove knowledge of the password via a zero‑knowledge proof (e.g., Schnorr protocol) rather than a simple hash.
  • Tight Timestamp Validation – Reduce the allowed clock skew to a few seconds and incorporate sequence numbers or monotonic counters to prevent replay.
  • Formal Security Verification – Model the protocol in a tool such as ProVerif or Tamarin to automatically detect replay, impersonation, and key‑compromise attacks before deployment.

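The tight timestamp validation and monotonic counter principle above (and the replay and resource-exhaustion concerns in the attack list) can be implemented as a small server-side check. The following is an added example, not code from the paper: it assumes the client message carries a user identifier, a timestamp, a per-user counter and an HMAC tag, that the HMAC key is a stand-in for the scheme's shared session key, and that the skew window is a constructed 5 seconds. Cheap checks run before the HMAC so that forged traffic is discarded with minimal work.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 5  # constructed "few seconds" window, per the design principle above

class ReplayGuard:
    """Server-side validator for a message (user, ts, counter, tag).

    Checks are ordered cheapest first: timestamp window (no crypto), then a
    per-user counter lookup, then the HMAC. State is only updated after the
    tag verifies, so forged or stale messages cannot advance the counter."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key                      # stand-in for the shared session key (assumption)
        self.max_skew = max_skew
        self.last_counter = {}              # user -> highest counter accepted so far

    def tag(self, user: bytes, ts: int, counter: int) -> bytes:
        """HMAC over the authenticated fields; the client computes the same value."""
        msg = user + ts.to_bytes(8, "big") + counter.to_bytes(8, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def validate(self, user: bytes, ts: int, counter: int, tag: bytes, now=None) -> str:
        now = time.time() if now is None else now
        # 1. Tight timestamp window: reject anything outside +/- max_skew.
        if abs(now - ts) > self.max_skew:
            return "stale"
        # 2. Monotonic counter: a counter not strictly above the last accepted one
        #    is a replay (or an out-of-order duplicate) even inside the window.
        if counter <= self.last_counter.get(user, -1):
            return "replay"
        # 3. Authenticity, in constant time; only now is any crypto spent.
        if not hmac.compare_digest(self.tag(user, ts, counter), tag):
            return "bad-tag"
        self.last_counter[user] = counter
        return "ok"

if __name__ == "__main__":
    guard = ReplayGuard(b"k" * 32)          # constructed key
    t0 = 1_700_000_000
    tag = guard.tag(b"alice", t0, 1)
    print(guard.validate(b"alice", t0, 1, tag, now=t0))       # ok
    print(guard.validate(b"alice", t0, 1, tag, now=t0 + 1))   # replay
```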
The conclusion reiterates that Dheerendra et al.’s “improved” scheme, while well‑intentioned, fails to address the fundamental vulnerability of exposing credential‑derived hashes on an insecure channel. The authors call for a redesign that embraces modern cryptographic primitives, rigorous formal analysis, and a threat model aligned with the high‑stakes nature of tele‑medicine. Future research directions include lightweight blockchain‑based identity management, homomorphic encryption for privacy‑preserving biometric verification, and multi‑factor authentication frameworks tailored to resource‑constrained medical devices.

