a more secure authentication scheme for telecare medicine information systems


ORIGINAL PAPER

A More Secure Authentication Scheme for Telecare Medicine Information Systems

He Debiao & Chen Jianhua & Zhang Rui

Received: 19 December 2010 / Accepted: 31 January 2011 / Published online: 1 March 2011
© Springer Science+Business Media, LLC 2011

Abstract It is important to guarantee the privacy and the security of the users in the telecare medicine information system. Recently, Wu et al. proposed an authentication scheme for mobile devices in the telecare medicine information system. They added the pre-computing idea within the communication process to avoid the time-consuming exponential computations. They also claimed their scheme can withstand various attacks. We will show that their scheme suffers from the impersonation attack and the insider’s attack. In order to overcome these weaknesses, we propose an improved scheme. Our scheme is not only more secure than Wu et al.’s scheme, but also has better performance. Our scheme is therefore more efficient and more appropriate for low-power mobile devices in the telecare medicine information system.

Keywords Telecare medicine information system · Authentication scheme · Efficiency · Pre-computing · Time-consuming

Introduction

The telecare medicine information system (TMIS) enables or supports health-care delivery services. The more recent availability of lower-cost telecommunication systems and custom-made physiological monitoring devices has made it possible to bring the advantages of telemedicine directly into the patient’s home, i.e. a connection between patients at home and doctors at a clinical center or home health-care (HHC) agency [1].

In the TMIS, the privacy and security issues address the patients’ rights to understand and control the use of their protected health information, such as name, address, telephone number, medical record number, etc. At the same time, other protected health information, such as the electronic medical record (EMR), is directly interrelated with the patient’s privacy. Obviously, the security in the TMIS becomes a significant concern. Specifically, the most pressing security issue is how to ensure information privacy and security during transmission through the insecure Internet [2].

Relevant user authentication schemes are generally used to solve this kind of problem in TMIS because these protocols are regarded as the primary safeguards in network electronic applications. Authentication schemes can ensure that the system’s resources are not obtained fraudulently by illegal users. A password-based user authentication scheme is one of the simplest and most convenient authentication mechanisms for insecure networks. It allows only the legal users to use the resources of remote systems. Many Internet applications are based on password-based authentication schemes, for example, remote login, private corporations, database management systems, school systems, etc. [3–8]. Surely it is suitable for the TMIS. However, the current Internet environment is vulnerable to various attacks such as replay attacks, on-line and off-line password guessing attacks, modification attacks, and stolen-verifier attacks. Hence, a strong authentication scheme is needed between users and server.

Recently, Wu et al. [9] proposed an efficient authentication scheme for TMIS. In their scheme, they added a new phase named the pre-computing phase. In this phase, the user computes certain values that require costly, time-consuming exponential operations in advance, and then stores them into the storage device. When these values are needed, the user can extract them from the device rapidly and thus raise performance. They claimed their scheme is secure and very suitable for low-computation mobile devices such as those in the TMIS.

In this paper, we will demonstrate that Wu et al.’s scheme [9] suffers from the impersonation attack and the insider’s attack. In order to overcome the weakness, we also propose an improved scheme.

H. Debiao (*) · C. Jianhua · Z. Rui
School of Mathematics and Statistics, Wuhan University, Wuhan, Hubei 430072, China
e-mail: [email protected]

J Med Syst (2012) 36:1989–1995
DOI 10.1007/s10916-011-9658-5

Review of Wu et al.’s scheme

Wu et al.’s scheme employs two kinds of cryptographic and mathematical methods and theorems, namely the hash function and the discrete logarithm problem. The reader can find their description in [9]; we do not repeat it here in order to save space.

The notations used throughout this paper are described as follows.

• ID: the user’s identity;
• pw: the user’s password;
• S: the server in the TMIS;
• h(·): a secure one-way hash function;
• ||: the concatenation operation;
• p, q: two large prime numbers such that p = 2q + 1;
• g: a generator of $Z_p^*$;

Wu et al.’s scheme consists of four phases, namely the registration phase, the pre-computing phase, the authentication phase, and the password change phase. The detailed descriptions of each phase are given as follows.

• Registration phase

To initialize, the server selects two large prime numbers p and q such that p = 2q + 1. The server then chooses its secret key x ∈ Z and an appropriate one-way hash function h(·). The server keeps x secret and publishes p and h(·).

When a patient wants to register to become a new legal user, he or she must first submit his or her identity ID and password PW to the remote telecare server. The registration phase proceeds in the following steps:

Step 1: The patient submits the registration request R = (ID, pw) to the server through a secure channel.

Step 2: Upon receiving R, the server verifies the legitimacy of the user, and then computes $\beta = [h(ID)^{x}]^{pw^{-1}} \bmod p$.

Step 3: The server stores the ID, β and h(·) into the smart card or the mobile device.

• Pre-computing phase

To complete the authentication phase successfully, some modular exponentiation operations need to be computed. However, the computation ability and battery capacity of the smart card or the mobile device are limited, so it is difficult to finish all the modular exponentiation operations when logging in to the TMIS. Wu et al. added the pre-computing phase to solve this problem in their scheme. In this phase, the computation of certain values that require the costly, time-consuming exponential operation is done in advance, and the results are then stored into the smart card or the mobile device. When these values are needed, the user can extract them from the device rapidly, which raises performance while maintaining a high level of security. It proceeds in the following steps:

Step 1: The user chooses several random values $r_{1i}$, where i = 1, 2, ..., c, and c is a positive integer, the size of which depends on the storage capacity of the mobile device. All $r_{1i}$ are then sent to the server through a secure channel.

Step 2: The server uses the value β and the received $r_{1i}$ to compute each different $\beta' = \beta^{r_{1i}} = [h(ID)^{x \cdot r_{1i}}]^{pw^{-1}} \bmod p$ and $W = h(ID)^{r_{1i}} \bmod p$, and then stores all sets of (β′, W) into the smart card or the mobile device.

Step 3: When all stored (β′, W) have been used, the user needs to repeat step 1 and step 2 to generate new sets, which then overwrite the previous ones.

• Authentication phase

When a legal user wants to log in to the TMIS and acquire some services after a correct authentication, he must first key in his ID and pw. Then the authentication procedure runs with the following steps:

Step 1: The device fetches one set of (β′, W) which had been pre-computed and stored in its storage space. It then takes the user’s password pw to compute $\beta'' = \beta'^{pw} = h(ID)^{x \cdot r_{1i}} \bmod p$. Next, it computes $R_1 = h(W\|\beta''\|ID)$, and sends $M_1 = (ID, R_1, W)$ to the telecare server.

Step 2: When receiving $M_1$, the server uses its secret number x to calculate $\beta''' = W^{x} \bmod p$. Then the server uses $\beta'''$ to check whether $R_1 = h(W\|\beta'''\|ID)$ or not. If the computed value is not the same as $R_1$, the server will reject the request. Otherwise, the server generates a random number $r_2$, computes $sk = h(\beta'''\|r_2)$ and $h_1 = h(sk\|r_2)$, and sends $M_2 = (r_2, h_1)$ to the user.

Step 3: When the user receives the values $M_2$, he uses β″ and $r_2$ to compute $sk = h(\beta''\|r_2)$. He then checks whether $h_1 = h(sk\|r_2)$ or not. If the computed value is not the same as $h_1$, the user will reject the server. Otherwise, the user computes $h_2 = h(ID\|sk)$, and sends $M_3 = (h_2)$ to the server.

Step 4: The server computes the value $h(ID\|sk)$ and compares whether $h(ID\|sk)$ and $h_2$ are equivalent or not. If they are equivalent, the user is authenticated and granted access to the resources by the server.

• Password change phase

When a legal user wants to change the password, he/she first starts the mobile device and then keys in the old password pw, followed by the new password $pw_{new}$. The device will execute the following steps:

Step 1: Compute $\beta_{new} = \beta^{pw \cdot pw_{new}^{-1}} \bmod p = [h(ID)^{x}]^{pw^{-1} \cdot pw \cdot pw_{new}^{-1}} = [h(ID)^{x}]^{pw_{new}^{-1}}$.

Step 2: Compute $\beta'_{new} = \beta'^{pw \cdot pw_{new}^{-1}} = [h(ID)^{x \cdot r_{1i}}]^{pw^{-1} \cdot pw \cdot pw_{new}^{-1}} = [h(ID)^{x \cdot r_{1i}}]^{pw_{new}^{-1}} \bmod p$.

Step 3: Replace the original β with the new one $\beta_{new}$, and the original β′ with the new one $\beta'_{new}$, and then the password is changed.

Security analysis of Wu et al.’s scheme

Vulnerability to the impersonation attack

In this section, we show that Wu et al.’s scheme is vulnerable to the impersonation attack during the user authentication phase. Suppose a user A with $ID_A$ is trying to impersonate a user B with $ID_B$. A can impersonate B successfully through the following steps.

Step 1: First, A extracts the data $\beta'_A$ and $W_A$ stored on her own smart card or mobile device through the method of Kocher et al. [10] or Messerges et al. [11]. With her own password, she can easily compute $\beta''_A = (\beta'_A)^{pw_A} = h(ID_A)^{x \cdot r_{1i}} \bmod p$ and $R_1 = h(W_A\|\beta''_A\|ID_B)$. She then sends the login message $M_1 = (ID_B, R_1, W_A)$ to the server.

Step 2: When receiving $M_1 = (ID_B, R_1, W_A)$, the server uses its secret number x to calculate $\beta''' = W_A^{x} \bmod p$. Then the server uses $\beta'''$ to check whether $R_1 = h(W_A\|\beta'''\|ID_B)$ or not. It is obvious that $h(W_A\|\beta'''\|ID_B)$ and $R_1$ are equal since $\beta''' = h(ID_A)^{x \cdot r_{1i}}$ and $W_A = h(ID_A)^{r_{1i}}$. Then the server generates a random number $r_2$, computes $sk = h(\beta'''\|r_2)$ and $h_1 = h(sk\|r_2)$, and sends $M_2 = (r_2, h_1)$ to the user.

Step 3: When A receives the values $M_2 = (r_2, h_1)$, she uses $\beta''_A$ and $r_2$ to compute $sk = h(\beta''_A\|r_2)$. She then checks whether $h_1 = h(sk\|r_2)$ or not. It is obvious that $h(sk\|r_2)$ and $h_1$ are equal since $\beta''_A = \beta''' = W_A^{x} \bmod p$. A computes $h_2 = h(ID_B\|sk)$, and sends $M_3 = (h_2)$ to the server.

Step 4: After receiving $M_3 = (h_2)$, the server computes the value $h(ID_B\|sk)$ and compares whether $h(ID_B\|sk)$ and $h_2$ are equivalent or not. It is obvious that $M_3$ can pass the check of the server since A and the server have computed the same session key sk.

Then A impersonates the user B successfully and is granted access to the resources by the server.

The reason a user in Wu et al.’s scheme is able to mount an impersonation attack is that the user’s identity is independent of the secret values $\beta'_A$ and $W_A$ in the login phase. In order to resist the impersonation attack, the authentication scheme must ensure that the server uses the user’s identity in order to recover $\beta'_A$.

Vulnerability to the insider’s attack

In real environments, it is likely that the user uses the same password to access several servers for his convenience [12]. If a privileged insider of the server S has learned the user A’s password, he may try to impersonate A to access other servers. In the first step of the registration phase, A’s password $PW_A$ will be revealed to S because it is transmitted directly to S. Then the privileged insider of S may try to access the servers outside this system. If the targeted outside server adopts the normal password authentication scheme, it is possible that the privileged insider of S can successfully impersonate A to log in to it by using $pw_A$. Although it is also possible that all the privileged insiders of S are trusted and A does not use the same password to access several servers, the implementers and the users of the scheme should be aware of such a potential weakness. For this reason, in several password authentication schemes, the user’s password is not exposed to others, including the registration center and the servers. Clearly, Wu et al.’s scheme is vulnerable to an insider attack.

Improved scheme

In order to overcome the weaknesses described in section 3, we propose an improved scheme in this section. Our scheme involves four phases, like Wu et al.’s scheme.

• Registration phase

As shown in Fig. 1, in this phase, the user A initially registers with the server S. To initialize, the server selects large prime numbers p and q such that p = 2q + 1, a generator g of $Z_q^*$, its secret key $x \in Z_q^*$, and a one-way hash function $h(\cdot): \{0,1\}^* \to Z_p^*$. The server keeps x secret.

Step 1: The user generates a random number r, chooses his identity ID and password pw and computes $pw = h(pw\|r)$; then A sends the registration request $R = (ID, pw)$ to the server S over a secure communication channel.

Step 2: Upon receiving R, S computes $\beta = g^{\frac{1}{x+h(ID)}} - pw \bmod p$ and stores ID, β, h(·) and p into a smart card.

• Pre-computing phase

As Wu et al. did, we also add the pre-computing phase. In this phase, the computation of certain values that require the costly, time-consuming exponential operation is done in advance, and the results are then stored into the smart card or the mobile device. When these values are needed, the user can extract them from the device rapidly, which raises performance while maintaining a high level of security. It proceeds in the following steps:

Step 1: The user chooses several random values $r_{1i}$, where i = 1, 2, ..., c, and c is a positive integer, the size of which depends on the storage capacity of the mobile device. All $r_{1i}$ are then sent to the server through a secure channel.

Step 2: The server uses the value β and the received $r_{1i}$ to compute each different $\beta' = (\beta + pw)^{r_{1i}} - pw = g^{\frac{r_{1i}}{x+h(ID)}} - pw \bmod p$ and $W = g^{r_{1i}} \bmod p$, and then stores all sets of (β′, W) into the smart card or the mobile device. Then the server issues the smart card or the mobile device to the user.

Step 3: After receiving the smart card or the mobile device, the user inputs r into it.

Step 4: When all stored (β′, W) have been used, the user needs to repeat step 1 and step 2 to generate new sets, which then overwrite the previous ones.

• Authentication phase

When a legal user wants to log in to the TMIS and acquire some services after a correct authentication, he must first key in his ID and pw. Then the authentication procedure, as shown in Fig. 2, runs with the following steps:

Step 1: The device fetches one set of (β′, W) which had been pre-computed and stored in its storage space. It then takes the user’s password pw to compute $pw = h(pw\|r)$ and $\beta'' = \beta' + pw \bmod p = g^{\frac{r_{1i}}{x+h(ID)}} \bmod p$. Next, it computes $R_1 = h(W\|\beta''\|ID)$, and sends $M_1 = (ID, R_1, W)$ to the telecare server.

Step 2: When receiving $M_1$, the server uses its secret number x to calculate $\beta''' = W^{(x+h(ID))^{-1}} \bmod p$. Then the server uses $\beta'''$ to check whether $R_1 = h(W\|\beta'''\|ID)$ or not. If the computed value is not the same as $R_1$, the server will reject the request. Otherwise, the server generates a random number $r_2$, computes $sk = h(\beta'''\|r_2)$ and $h_1 = h(sk\|r_2)$, and sends $M_2 = (r_2, h_1)$ to the user.

Step 3: When the user receives the values $M_2$, he uses β″ and $r_2$ to compute $sk = h(\beta''\|r_2)$. He then checks whether $h_1 = h(sk\|r_2)$ or not. If the computed value is not the same as $h_1$, the user will reject the server. Otherwise, the user computes $h_2 = h(ID\|sk)$, and sends $M_3 = (h_2)$ to the server.

Step 4: The server computes the value $h(ID\|sk)$ and compares whether $h(ID\|sk)$ and $h_2$ are equivalent or not. If they are equivalent, the user is authenticated and granted access to the resources by the server.

Fig. 1 Registration phase of our scheme

Fig. 2 Authentication phase of our scheme (message flow between User and Telecare Server)

• Password change phase

When a legal user wants to change the password, he/she first starts the mobile device and then keys in the old password pw, followed by the new password $pw_{new}$. The device will execute the following steps:

Step 1: Compute $pw = h(pw\|r)$ and $pw_{new} = h(pw_{new}\|r)$.

Step 2: Compute $\beta_{new} = \beta + pw - pw_{new} \bmod p = g^{\frac{1}{x+h(ID)}} - pw_{new}$.

Step 3: Compute $\beta'_{new} = \beta' + pw - pw_{new} \bmod p = g^{\frac{r_{1i}}{x+h(ID)}} - pw_{new}$.

Step 4: Replace the original β with the new one $\beta_{new}$, and the original β′ with the new one $\beta'_{new}$, and then the password is changed.

Security analysis

In this section, we examine the security of our proposed scheme in terms of the following possible attacks: impersonation attacks, insider’s attacks, replay attacks, man-in-the-middle attacks, modification attacks, stolen-verifier attacks, off-line password guessing attacks and on-line password guessing attacks.

• Impersonation attacks

In Wu et al.’s scheme, the user’s identity is independent of the secret value $\beta'_A$ in the login phase, so the attacker can use this weakness to carry out the impersonation attack. In the improved scheme, the server uses the user’s identity to recover $\beta'_A$, so if the attacker wants to carry out the impersonation attack using the data in his smart card, he will face the discrete logarithm problem (DLP). Therefore, the proposed scheme can resist the impersonation attacks.
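The difference between the two servers' checks of M1 can be exercised as an identity-binding regression check. The following Python sketch is an added example, not code from the paper: it models only card issuance and the server's verification of M1 in both schemes, and it assumes constructed toy parameters (p = 2039, q = 1019, g = 4 generating the order-q subgroup so that exponents invert mod q), SHA-256 with a "|" separator standing in for h(·) and ||, and hypothetical function names.

```python
import hashlib
import hmac

# Constructed toy group (far too small for real use): p = 2q + 1, both prime.
Q, P = 1019, 2039
G = 4  # assumption: g generates the order-q subgroup of Z_p^*

def h(*parts):
    """h(a||b||...) as a hex digest; SHA-256 stands in for the paper's h(.)."""
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()

def h_zp(value):
    """h(.) mapped into Z_p^* (assumed encoding, not specified by the paper)."""
    return int(h(value), 16) % (P - 1) + 1

# ---- Wu et al.: the server derives beta''' = W^x without using the ID ----
def wu_issue(x, ident, pw, r1):
    """Registration + pre-computing; pw must be coprime to p - 1."""
    beta = pow(pow(h_zp(ident), x, P), pow(pw, -1, P - 1), P)
    return pow(beta, r1, P), pow(h_zp(ident), r1, P)        # (beta', W)

def wu_m1(card, pw, claimed_id):
    beta1, w = card
    beta2 = pow(beta1, pw, P)                                # beta'' = beta'^pw
    return claimed_id, h(w, beta2, claimed_id), w            # M1 = (ID, R1, W)

def wu_accepts(x, m1):
    ident, r1_tag, w = m1
    beta3 = pow(w, x, P)                                     # beta''' = W^x mod p
    return hmac.compare_digest(h(w, beta3, ident), r1_tag)

# ---- Improved scheme: beta''' = W^{1/(x+h(ID))} depends on the claimed ID ----
def new_issue(x, ident, pw, r, r1):
    pw_h = int(h(pw, r), 16) % P                             # h(pw||r) sent at registration
    inv = pow((x + h_zp(ident)) % Q, -1, Q)                  # 1/(x+h(ID)) mod q
    beta = (pow(G, inv, P) - pw_h) % P                       # beta = g^{1/(x+h(ID))} - pw
    beta1 = (pow((beta + pw_h) % P, r1, P) - pw_h) % P       # beta' = (beta+pw)^{r1} - pw
    return beta1, pow(G, r1, P)                              # (beta', W)

def new_m1(card, pw, r, claimed_id):
    beta1, w = card
    beta2 = (beta1 + int(h(pw, r), 16)) % P                  # beta'' = beta' + pw mod p
    return claimed_id, h(w, beta2, claimed_id), w

def new_accepts(x, m1):
    ident, r1_tag, w = m1
    e = (x + h_zp(ident)) % Q
    if e == 0:                                               # exponent not invertible
        return False
    beta3 = pow(w, pow(e, -1, Q), P)                         # beta''' = W^{(x+h(ID))^{-1}}
    return hmac.compare_digest(h(w, beta3, ident), r1_tag)

def identity_binding_report(x=777, holder="alice", other="bob"):
    """Present the holder's own card under both identities to each server check."""
    pw, r, r1 = 12345, "constructed-r", 321                  # constructed sample values
    wu_card = wu_issue(x, holder, pw, r1)
    new_card = new_issue(x, holder, pw, r, r1)
    return {
        "wu_own_id": wu_accepts(x, wu_m1(wu_card, pw, holder)),
        "wu_other_id": wu_accepts(x, wu_m1(wu_card, pw, other)),
        "new_own_id": new_accepts(x, new_m1(new_card, pw, r, holder)),
        "new_other_id": new_accepts(x, new_m1(new_card, pw, r, other)),
    }

if __name__ == "__main__":
    for check, accepted in identity_binding_report().items():
        print(f"{check:13} accepted={accepted}")
```

In the Wu et al. check the claimed ID only enters the hash input that the card holder also controls, so a mismatched identity still verifies; in the improved check the ID enters the exponent under the server's secret x, so the same mismatch is rejected.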

• Insider’s attacks

In our improved scheme, A registers to S by presenting $h(pw\|r)$ instead of pw, so the insider of S cannot directly obtain pw. Moreover, as r is not revealed to S, the insider of S cannot obtain pw by performing an off-line guessing attack on $h(pw\|r)$. The improved scheme also does not maintain any verifier table. Thus, the improved scheme can resist the insider attack.

• Replay attacks

This attack fails in our scheme since we make use of two fresh and random variables $r_1$ and $r_2$ in the authentication process. Suppose an adversary intercepts $M_1 = (ID, R_1, W)$ in Step 1 and desires to use it to impersonate the legal user and log in to the server. However, since the adversary has no knowledge of $r_1$, when he receives the new $M_2 = (r_2, h_1)$ in Step 2, he cannot compute the right $M_3 = (h_2)$ in Step 3 for the server’s verification. The server can easily discover the replay attacks by checking the random number. For the server authentication messages, the user also can easily detect the replay attacks by checking whether or not $h_1 = h(sk\|r_2)$ conforms with the current $r_2$ and session key. Thus, the replay attacks will fail.

• Man-in-the-middle attacks

A man-in-the-middle attack means that an active attacker intercepts the communication line between a legal user and the server and uses some means to successfully masquerade as both the server to the user and the user to the server. Then, the user will believe that he is talking to the intended server and vice versa.

In our scheme, the attacker cannot generate valid $M_1$ and $M_3$ without the value of $g^{\frac{1}{x+h(ID)}}$, and he cannot generate a valid $M_2$ without the value of x. S and A will detect the attack by checking the correctness of $h_1$ and $h_2$ respectively.

Table 1 Performance of different schemes

| | Xu et al.’s scheme | Wu et al.’s scheme | Our scheme |
|---|---|---|---|
| Computational cost | 4Ex + 7H | 2Ex + 8H | 1Ex + 9H + 1Add + 1Inv |
| All rounds | 3 | 3 | 3 |

Table 2 Possible attacks of different schemes

| | Xu et al.’s scheme | Wu et al.’s scheme | Our scheme |
|---|---|---|---|
| Impersonation attacks | Yes | Yes | No |
| Insider’s attacks | Yes | Yes | No |
| Replay attacks | No | No | No |
| Man-in-the-middle attacks | No | No | No |
| Modification attacks | No | No | No |
| Stolen-verifier attacks | No | No | No |
| On-line password guessing attack | No | No | No |
| Off-line password guessing attack | No | No | No |

• Modification attacks

The proposed scheme can resist the modification attacks. The attacker A may modify the communication messages M1, M2 and M3 being transmitted over an insecure network. However, the proposed scheme can detect this modification attack, because it can verify the correctness of M1, M2 and M3 transmitted between the two parties by validating R1, h1 and h2. Therefore, the proposed scheme can resist the modification attacks.

• Stolen-verifier attacks

Stolen-verifier attacks mean that a malicious inside member can steal or modify the passwords or the user verification tables stored in a server’s database. The proposed scheme is free from the stolen-verifier attacks, since there is no such information needed on the server side; the server can do the mutual authentication through its secret number x. Therefore, the inside member would not be able to steal or modify the passwords. This attack is meaningless here.

• Off-line password guessing attacks

Off-line password guessing attacks mean that an attacker can employ some intercepted information or self-generated parameters to guess the password of a specific user. To avoid this kind of attack, there must be no verification information for passwords in any of the exchanges. In our proposed scheme, an adversary can obtain all exchanged messages (ID, W, R1, r2, h1, h2) by a passive attack, yet no related information about the password can be acquired, e.g. the value β. Without it, the guessed password or correlated parameters cannot be compared against anything to determine whether these values are correct or not. Therefore, the off-line password guessing attack is meaningless here.

• On-line password guessing attack

Suffering an on-line password guessing attack means that an attacker can successfully guess a legal user’s password on line. Since our scheme provides mutual authentication, only the user with the right password can pass the authentication of the server. Therefore, any attempt to launch a password guessing attack will be detected by the server. Moreover, we can set the system to tolerate a limited number of wrong password logins, e.g., three times. If the number of wrong login times is reached, the system would reject the login request. Under such a setting, our scheme can resist the on-line password guessing attack.

Performance comparisons

For the convenience of evaluating the computational cost, we define some notations as follows.

• Ex: an exponential operation.
• Inv: a modular inversion operation.
• H: a one-way hash function operation.
• Add: an addition operation.

We show the performance and the possible attacks of the different schemes in Table 1 and Table 2 respectively. The two listed schemes [8, 9] require more exponential operations, which need more calculation time and lead to inefficiency, while our proposed scheme only requires one exponential operation, nine hash function operations and an addition operation in executing the authentication procedure. Notably, the computation time on the user side of this scheme is far less than that of the others. Furthermore, Xu et al.’s scheme suffered from the impersonation attack [9]. Wu et al.’s scheme [9] suffered from the impersonation attack and the insider attack. Ours, on the contrary, is shown to be secure by the analysis of the seven security concerns mentioned above. This shows that the scheme is more efficient and more appropriate for low-power mobile devices in the TMIS.

Conclusion

User authentication technology has been widely deployed in various kinds of applications, such as remote host login, withdrawals from automated cash dispensers, and physical entry to restricted areas. Wu et al. [8] proposed a password authentication scheme for the telecare medicine information system and demonstrated that it can withstand various attacks. However, by reviewing their scheme and analyzing its security, we find their scheme is vulnerable to the impersonation attack and the insider’s attack. In order to overcome the weakness, we propose an improved scheme and show our scheme can withstand many common attacks.

Acknowledgements The authors thank the anonymous reviewers and Prof. Ralph Grams for their valuable comments. This research was supported by the Fundamental Research Funds for the Central Universities under Grants 201275786.

References

1. Lambrinoudakis, C., and Gritzalis, S., Managing medical and insurance information through a smart-card-based information system. J. Med. Syst. 24(4):213–234, 2000.

2. Lee, W. B., and Lee, C. D., A cryptographic key management solution for HIPAA privacy/security regulations. IEEE Trans. Inf. Technol. Biomed. 12(1):34–41, 2008.

3. Liao, E., Lee, C. C., and Hwang, M. S., A password authentication scheme over insecure networks. J. Comput. Syst. Sci. 72(4):727–740, 2006.

4. Diffie, W., and Hellman, M., New directions in cryptology. IEEE Trans. Inf. Theory 22(6):644–654, 1976.

5. Yang, C. C., Wang, R. C., and Liu, W. T., Secure authentication scheme for session initiation protocol. Comput. Secur. 24:381–386, 2005.

6. Liu, J. Y., Zhou, A. M., and Gao, M. X., A new mutual authentication scheme based on nonce and smart cards. Comput. Commun. 31(10):2205–2209, 2008.

7. He, D., Chen, J., and Hu, J., An ID-based client authentication with key agreement protocol for mobile client-server environment on ECC with provable security. Information Fusion, doi:10.1016/j.inffus.2011.01.001.

8. Xu, J., Zhu, W. T., and Feng, D. G., An improved smart card based password authentication scheme with provable security. Comput. Stand. Interfaces 31(4):723–728, 2009.

9. Wu, Z.-Y., Lee, Y.-C., Lai, F., Lee, H.-C., and Chung, Y., A Secure Authentication Scheme for Telecare Medicine Information Systems. J. Med. Syst. doi:10.1007/s10916-010-9614-9.

10. Kocher, P., Jaffe, J., and Jun, B., Differential power analysis. Proc. Adv. Cryptology (CRYPTO'99). 388–397, 1999.

11. Messerges, T. S., Dabbish, E. A., and Sloan, R. H., Examining smart card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5):541–552, 2002.

12. Ku, W.-C., and Chen, S.-M., Cryptanalysis of a flexible remote user authentication scheme using smart cards [J]. ACM SIGOPS Oper. Syst. Rev. 39(1):90–96, 2005.