A Novel Provably-Secure ECC-based Authentication and Key Management Protocol for Telecare Medical Information Systems

Telecare medical information systems are becoming more and more popular due to the provision of delivering health services, including remote access to health profiles for doctors, staff, and patients. Since these systems are installed entirely on the Internet, they are faced with different security and privacy threats. So, a significant challenge is the establishment of a secure key agreement and authentication procedure between the medical servers and patients. Recently, an ECC-based authentication and key agreement scheme for telecare medical systems in the smart city has been proposed by Khatoon et.al. In this paper, at first, we descriptively analyze Khatoon et al.'s protocol and demonstrate that it is vulnerable against known-session-specific temporary information attacks and cannot satisfy perfect forward secrecy. Next, we propose a provably secure and efficient authentication and key agreement protocol using Elliptic Curve Cryptography (ECC). We informally analyze the security of the proposed protocol, and prove that it can satisfy perfect forward secrecy and resist known attacks such as user/server impersonation attack. We also simulate and formally analyze the security of the protocol using the Scyther tool. The results show its robustness against different types of attacks.