An Improved and Secure Anonymous Biometric-Based User Authentication with Key Agreement Scheme for the Integrated EPR Information System

Nowadays, many hospitals and medical institutes employ an authentication protocol within electronic patient record (EPR) services in order to protect electronic transactions in e-medicine systems. To establish efficient and robust health care services, numerous studies have been carried out on such authentication protocols. Recently, Li et al. proposed a user authenticated key agreement scheme for EPR information systems, arguing that it resists various types of attacks and preserves a range of security properties. However, their scheme has critical vulnerabilities. First, it cannot prevent off-line password guessing attacks and server spoofing attacks, and it cannot preserve user anonymity. Second, it has no password verification step, so an incorrectly entered password is not detected at the beginning of the login phase. Third, its password change mechanism is inefficient, since changing a password requires communication with the server. We therefore propose an improved user authenticated key agreement scheme with enhanced security. Our security and performance analysis shows that, compared with related schemes, our scheme not only raises the security level but also remains efficient.


Introduction
The development of Information and Communication Technology (ICT), together with the prevalent use of the mobile Internet, smart devices, social network services, and cloud services, has brought remarkable changes to our daily lives. This development has also affected the medical field, which has retained a number of conventional and inefficient methods. Recently, a large number of hospitals providing health care services have instituted EPR systems in order to communicate with patients remotely and to process their medical records and disease management efficiently [1]. The EPR system allows the sharing of patients' medical histories, such as hospital records, diagnosis records, personal information, treatment records, and research records. Using the EPR system, all patient information is available electronically, on screen, at any hospital location, at any time. In addition, EPR provides the most recent and accurate information, enabling faster diagnoses, treatment plans and discharge processes for the patient [2]. Fig 1 illustrates the integrated EPR information system. While users enjoy the simplicity and efficiency of EPR information systems, security has emerged as a major issue in both academia and industry [3,4]. To guarantee reliability, an authentication protocol must provide security and mutual authentication when users access the system over a foreign network.
In particular, various cryptographic techniques have been used in authentication protocols to improve security. Khan et al. [23] and Lee & Hsu [24] apply a chaotic map technique in their schemes. In 2015, Giri et al. [25] presented an RSA-based authentication method for telecare medical information systems (TMIS). However, Amin & Biswas [26] demonstrated that Giri et al.'s scheme [25] cannot guarantee protection against off-line password guessing attacks and insider attacks, and suggested an improved mechanism based on the RSA cryptosystem. In addition, Chaudhry et al. [27], Irshad et al. [28], Islam & Khan [29], Amin & Biswas [30], and Amin et al. [31,32] presented authentication mechanisms for TMIS using elliptic curve cryptography (ECC).
In 2012, Wu et al. [33] first presented an efficient user authentication technique for an integrated EPR information system. To enhance efficiency, their protocol uses only lightweight operations, namely one-way hash operations and bitwise XOR operations. However, Lee et al. [34] pointed out that Wu et al. [33] overlooked the possibility of a stolen smart card attack through power consumption analysis [35]. Lee et al. [34] then suggested an improved version that addressed this issue. However, Wen [36] demonstrated that Lee et al.'s scheme [34] still had weaknesses, such as off-line password guessing attacks and user impersonation attacks, and proposed an enhanced scheme. Unfortunately, Li et al. [37] demonstrated that Wen's scheme [36] can neither prevent password disclosure attacks nor provide efficient password change. In 2015, Das [38] discovered that Lee et al.'s scheme [34] and Wen's scheme [36] share the same three vulnerabilities. First, the password change phase of both schemes does not verify the user's previous password. Second, neither scheme is protected against insider attacks. Third, neither study conducted a formal security analysis. To remedy these defects, Das [38] presented an upgraded scheme. However, Mir et al. [39] discovered that Das's scheme [38] is not protected against off-line/on-line password guessing attacks, and proposed a secure anonymous authentication mechanism. Li et al. [40] recently also demonstrated that Das's scheme [38] does not satisfy the security requirements because it is not protected against modification attacks and user duplication attacks, and suggested an enhanced authentication mechanism.
However, we have discovered that Li et al.'s scheme [40] has critical security weaknesses. Their scheme: (i) cannot prevent off-line password guessing attacks and server spoofing attacks, (ii) is unable to preserve user anonymity, (iii) does not detect incorrect passwords promptly in the login phase, and (iv) has a non-user-friendly password change procedure, since it requires communication with the server. The main contributions of this work are as follows. First, we describe the weaknesses of the above scheme. Second, we propose an improved authentication mechanism for the integrated EPR information system. Third, we show that the proposed mechanism satisfies the various security requirements. Finally, we demonstrate that the proposed mechanism performs well in terms of computation cost and time consumption.
The remainder of this paper is structured as follows. Section 2 provides background information. In Section 3, we briefly explain Li et al.'s authentication procedure. Section 4 demonstrates the vulnerabilities of Li et al.'s scheme. A detailed explanation of our proposed scheme is provided in Section 5. In Section 6, we evaluate whether our proposed scheme withstands various attacks and satisfies the basic security requirements. In Section 7, we analyze the performance of the proposed scheme, and in Section 8, we conclude the paper.

Security requirements
Following prior studies [38,40,42,43,44], we outline some of the important requirements of an authentication scheme. In Section 6, these requirements are used to scrutinize the security of prior schemes and of our proposed scheme.

1. User anonymity: Even if an attacker extracts the information stored in a smart card or eavesdrops on the messages exchanged over the channel, the user's identity should remain hidden.
2. Mutual authentication: Each party should check every message it receives, so that the user and the server can each confirm the legitimacy of the other.
3. Session key agreement: After the verification process has completed, the user and the server should share a session key.
4. Password verification process: If a user enters an incorrect password in the login phase, it should be detected before the verification phase is performed.
5. User friendliness: The mechanism should provide a password change procedure with which a user can freely update their password without communicating with the server.
6. Robustness: An authenticated key agreement mechanism should be immune to different types of attacks, such as insider attacks, off-line password guessing attacks, replay attacks, and user impersonation attacks.

Bio-hash function
Recently, three-factor authentication mechanisms have frequently been used; they complement two-factor authentication based on ID and PW by adding biometric information in order to increase security. In a number of studies on three-factor authentication [11,20,21,45,46], a bio-hash function is applied to the user's biometric information. In 2004, Jin et al. [41] suggested a fingerprint-based function for checking the user's legitimacy. The bio-hash technique (BioHashing) uses a user-specific tokenised pseudo-random number to project the measured biometric feature onto a set of random vectors and then binarises the projections, producing a bit string. The bio-hash function H(·) is one-way, and because it tolerates small measurement differences it has a low false rejection rate, which reduces the chance that a legitimate user is denied service. To improve security, our proposed scheme applies the bio-hash function to the user's biometric information. Details are given in Section 5.
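As an added example (not code from the paper or from Jin et al. [41]), the following Python sketch implements the bio-hash described above: a user-specific token seeds a pseudo-random generator, the generator yields an orthonormal set of projection vectors, the biometric feature vector is projected onto them, and each projection is thresholded at zero to give one bit. The token string, the feature dimension (32), the output length (16 bits) and the sample feature vectors are constructed assumptions for the demonstration; they are not real fingerprint templates.

```python
"""
Added example, not code from the paper: a minimal BioHashing function in the
style of Jin et al. [41], usable as the H(.) applied to the user's biometric.

    1. Seed a PRNG with the user-specific token (the "tokenised random number").
    2. Draw m random vectors of the feature dimension n and orthonormalise them
       (Gram-Schmidt); this needs m <= n.
    3. Project the biometric feature vector onto each basis vector.
    4. Threshold each projection at 0 to obtain an m-bit string.

Same token plus a slightly different measurement of the same user gives the
same (or nearly the same) bits; a different token gives unrelated bits.
The feature vectors below are constructed sample data, not real templates.
"""
import hashlib
import math
import random


def orthonormal_basis(n, m, token):
    """m orthonormal vectors in R^n, derived deterministically from token."""
    if m > n:
        raise ValueError("need m <= n to obtain m orthonormal vectors")
    rng = random.Random(token)   # seeding with a str is deterministic in Python 3
    basis = []
    while len(basis) < m:
        v = [rng.gauss(0.0, 1.0) for _ in range(n)]
        for u in basis:          # Gram-Schmidt: remove components along chosen vectors
            dot = sum(a * b for a, b in zip(v, u))
            v = [a - dot * b for a, b in zip(v, u)]
        norm = math.sqrt(sum(a * a for a in v))
        if norm < 1e-9:          # degenerate draw (practically never): redraw
            continue
        basis.append([a / norm for a in v])
    return basis


def biohash(features, token, m=16):
    """BioHash bits of a feature vector under a user token."""
    basis = orthonormal_basis(len(features), m, token)
    return [1 if sum(f * b for f, b in zip(features, u)) > 0 else 0 for u in basis]


def hashed_biometric(features, token, m=16):
    """H(B_i) as a fixed-length digest: SHA-256 over the BioHash bit string."""
    bits = "".join(str(b) for b in biohash(features, token, m))
    return hashlib.sha256(bits.encode()).hexdigest()


def hamming(a, b):
    """Number of differing bit positions."""
    return sum(x != y for x, y in zip(a, b))


# Constructed sample data: a 32-dimensional "template" and a noisy re-measurement.
TEMPLATE = [math.sin(0.7 * i + 1.3) for i in range(32)]
NOISY = [f + 0.001 * math.cos(3.1 * i) for i, f in enumerate(TEMPLATE)]

if __name__ == "__main__":
    same = biohash(TEMPLATE, "token-for-user-i")
    noisy = biohash(NOISY, "token-for-user-i")
    other = biohash(TEMPLATE, "token-for-another-user")
    print("bits:", "".join(map(str, same)))
    print("noisy re-measurement differs in", hamming(same, noisy), "of 16 bits")
    print("different token differs in", hamming(same, other), "of 16 bits")
    print("H(B_i):", hashed_biometric(TEMPLATE, "token-for-user-i"))
```

The tolerance comes from thresholding: a projection that is far from zero keeps its sign under small measurement noise, so only projections near zero can flip. The token is the second factor of the bio-hash; a stolen card without the token, or a token without the biometric, yields unrelated bits.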

Description of Li et al.'s scheme
In this section, we briefly review Li et al.'s authentication mechanism [40] in order to cryptanalyze their scheme. Their scheme consists of the following phases: registration, login, verification, and password change.  Table 1 shows the notations employed in the remainder of this paper.

Registration phase
1. U_i inputs his/her ID_i and PW_i, and generates a random secret number X_u that is retained only by U_i. U_i computes RPW_i = h(X_u||PW_i) and sends the registration request message <ID_i, RPW_i> to S_j through a secure channel.
2. S_j verifies the user's ID_i. If it is valid,

Login phase
2. The smart card selects a random number r_1 and computes h(r_1), s_2 = h(RPW_i||s_1) and
3. Finally, U_i sends the login request message <N, ID_i, C_1, h(r_1)> to S_j through a public network.

Verification phase
1. S_j verifies the user's ID_i. If it holds, S_j accepts the login request and proceeds with the next step. Otherwise, S_j rejects the login request and this phase is terminated.
2. S_j retrieves the R stored in the access control table and computes
S_j then verifies whether h(r_1') = h(r_1). If this holds, S_j proceeds to the next step. Otherwise, this phase is terminated.
3. S_j selects a random number r_2 and computes a = r_2 ⊕ h(r_1'||s_2') and b = h(s_2'||r_2||r_1'). S_j then sends the authentication request message <a, b> to U_i through a public network.
4. U_i computes h(r_1||s_2), r_2' = a ⊕ h(r_1||s_2) and h(s_2||r_2'||r_1). U_i then verifies whether b = h(s_2||r_2'||r_1). If this holds, U_i successfully authenticates S_j. Subsequently, U_i computes C_2 = h(r_2'||s_2) ⊕ h(RPW_i||s_1) and sends the acknowledgement message <C_2> to S_j through a public network.
5. S_j computes u = h(r_2||s_2') ⊕ C_2 and verifies whether s_2' = h(u). If this holds, S_j successfully authenticates U_i and stores r_1' in its access control table.
6. Finally, S_j computes the shared session key SK_{U_i,S_j} = h(r_1'||r_2||a||b||N||ID_i), and U_i computes the same shared session key SK_{U_i,S_j} = h(r_1||r_2'||a||b||N||ID_i).
Password change phase
1. …, N> to S_j through a secure channel.
2. S_j retrieves R stored in the access control table and computes
If this holds, S_j accepts the password change request and proceeds with the next step. Otherwise, the password change request is rejected and this phase is terminated.
3. S_j then sends the password change update message <s_1'', N''> to U_i through a secure channel.
4. Upon receiving the password change update message, the smart card replaces the existing values s_1 and N with the new values s_1'' and N'', respectively. Finally, the smart card contains the information {ID_i, h(·), N'', s_1'', X_u}.

Security pitfalls of Li et al.'s scheme
In this section, we show that Li et al.'s scheme [40] possesses some security vulnerabilities. The following attacks are based on the assumptions that an attacker can extract all of the parameters stored in the smart card by physically monitoring its power consumption [35] and that the attacker can intercept or modify any messages in the public channel [11,14,15]. Under these two assumptions, the following problems have been observed and their detailed descriptions are given below.

Off-line password guessing attack
In this attack, the attacker tries password candidates one after another until the correct password is found; it succeeds because many users choose short, simple passwords for convenience. Password-based authentication schemes should therefore be designed to resist password guessing, but Li et al.'s scheme [40] does not provide sufficient protection. The following scenario describes an off-line password guessing attack on their scheme:
Step 1. An attacker extracts {X_u, ID_i, h(·), N, s_1} from U_i's lost smart card [35].
Step 2. The attacker collects a valid login request message <N, ID_i, C_1, h(r_1)> from a previous session.
Step 3. The attacker selects a password candidate PW_i*.
Step 6. The attacker repeats Steps 3 to 5 until the computed value h(r_1)* equals the intercepted h(r_1).
Step 7. If h(r_1)* and h(r_1) match, PW_i* is the correct password; otherwise, the attacker continues with the next candidate. Therefore, Li et al.'s scheme [40] is vulnerable to the off-line password guessing attack. Moreover, once the attacker holds the user's password, a user impersonation attack follows directly.

Server spoofing attack
The security of a password-based user authentication mechanism rests on the secrecy of the password. Thus, if an attacker obtains the password, they can also pretend to be the legal server. Unfortunately, Li et al.'s scheme allows an attacker who has obtained the user's password PW_i through the guessing attack to impersonate the server. The following scenario describes the attack:
Step 1. An attacker extracts {X_u, ID_i, h(·), N, s_1} from U_i's lost smart card [35].
Step 2. The attacker collects a valid login request message <N, ID_i, C_1, h(r_1)> from a previous session.
Step 3. The attacker obtains PW_i through the off-line password guessing attack.
Step 5. The attacker then sends an authentication request <a*, b*> to U_i through a public network.
Step 7. U_i verifies whether b* = h(s_2||r_2'||r_1). U_i completes the verification successfully because b*, created by the attacker, is equal to h(s_2||r_2'||r_1). This shows that the attacker can successfully impersonate the legal server in Li et al.'s scheme [40].

Lack of user's anonymity
In modern network environments, the leakage of user-related information helps an outside attacker identify specific users. The user's private data is then at risk of disclosure to an untrusted third party against the user's will. User anonymity is therefore considered an essential property of a user authentication mechanism. However, in Li et al.'s scheme [40], an attacker can easily obtain the user's identity by monitoring the public channel [11,14,15], because ID_i is sent in plain text during the login phase. In addition, if the attacker obtains the smart card, ID_i can also be extracted by physically monitoring the card's power consumption [35]. With this information, the attacker can attempt various further attacks. For these reasons, user anonymity is not preserved in Li et al.'s authentication scheme.

Absence of password verification process
During the login phase of Li et al.'s scheme [40], when a user enters his/her identity and password, the smart card does not verify the password itself. This leads to the two drawbacks below.
Case 1. Assume that U_i inputs ID_i and an incorrect password PW_i* during the login phase; the smart card then computes
U_i then sends the login request <N, ID_i, C_1*, h(r_1)> to S_j through a public channel. Upon receiving the login request, S_j first checks the validity of the user's identity ID_i. Then, S_j retrieves the stored R from the access control table and computes
If it holds, S_j accepts the login request. Otherwise, the login request is rejected. However, because the request was built from the wrong password PW_i*, the value h(r_1') recomputed by S_j cannot match the received h(r_1). S_j therefore only belatedly discovers that the entered password PW_i* is incorrect and rejects U_i's login request. Consequently, if U_i mistypes the password, the login and verification phases run until S_j performs the check, which wastes communication and computation. If the password were verified at the beginning of the login phase, this waste would be avoided.
Case 2. Assume that an attacker steals a user's smart card and logs in using the user's real ID_i and a fake password PW_i*. The smart card computes a fake login request message <N, ID_i, C_1*, h(r_1)> from the fake password. If the attacker sends a large number of such fake login requests, S_j is kept busy processing them and meanwhile rejects other legitimate users. Therefore, without a password verification process, the system suffers from a clogging attack, a type of denial of service (DoS) attack.

Inconvenient password change phase
An ideal password-based authentication scheme should let users change the password stored in their smart cards freely [11,15]. Moreover, after the existing password has been verified, the change should be carried out within the smart card, without extra communication with the server S_j, in order to improve efficiency. In Li et al.'s scheme, however, the password is verified with the assistance of S_j, which is inefficient and not user-friendly.

Scalability problem
In Li et al.'s scheme [40], the server maintains an access control table that stores information such as the user's identity, latest login number, and registration time in order to strengthen security. Accordingly, the server must retain an access control table entry for each user. As the number of users grows, the amount of retained information grows with it and places an increasing burden on the server. Moreover, the access control table is costly in computation time, since the values changed in each phase must be written back to it.

The proposed scheme
In this section, we propose a refined version of the authentication protocol that offers enhanced security by resolving the vulnerabilities of Li et al.'s scheme [40]. To resist off-line password guessing attacks and server spoofing attacks, we use biometric information with BioHashing H(·) [41] to securely conceal the password. We also include a password verification step at the beginning of the login phase to improve efficiency and resist denial of service (DoS) attacks. In addition, we remove the access control table to reduce the server load and modify the password change process so that it is user-friendly. Our proposed protocol also consists of four phases: registration, login, verification and password change.

Login phase
1. U_i inserts the smart card into a card reader, inputs his/her ID_i and PW_i, and imprints the biometric B_i. The smart card computes e' = h(ID_i||PW_i||H(B_i)) and compares it with the value e stored in the smart card. If they match, the smart card accepts U_i as legitimate and proceeds with the next step. Otherwise, it terminates the login process.
2. The smart card selects a random number r_1 and computes
3. Finally, U_i sends the login request message <DID_i, v, C_1, C_2> to S_j through a public network.

Verification phase
1. S_j verifies the user's ID_i'. If this holds, S_j accepts the login request and proceeds with the next step. Otherwise, S_j rejects the login request and this phase is terminated.
2. S_j computes r_1'
If this holds, S_j proceeds to the next step. Otherwise, this phase is terminated.
3. S_j selects a random number r_2 and computes a = r_2 ⊕ h(r_1'||C_2') and b = h(C_2'||r_2||r_1'). S_j then sends the authentication request message <a, b> to U_i through a public network.
4. U_i computes r_2' = a ⊕ h(r_1||C_2) and b' = h(C_2||r_2'||r_1). U_i then verifies whether b' = b. If this holds, U_i successfully authenticates S_j. Then U_i computes C_3 = h(r_1||r_2'||C_2||h(ID_i||RPW_i)) and sends the acknowledgement message <C_3> to S_j through a public network.
5. S_j computes C_3' = h(r_1'||r_2||C_2'||v ⊕ K) and verifies whether C_3' = C_3. If this holds, S_j successfully authenticates U_i.
6. Finally, S_j computes the shared session key SK_{U_i,S_j} = h(r_1'||r_2||a||b||ID_i'), and U_i computes the same shared session key SK_{U_i,S_j} = h(r_1||r_2'||a||b||ID_i).

Password change phase
1. U_i inserts the smart card into a card reader, inputs ID_i and the old password PW_i, and imprints the biometric B_i. The smart card computes e' = h(ID_i||PW_i||H(B_i)) and verifies whether e' = e, where e is stored in the smart card. If this condition is not satisfied, it terminates this phase. Otherwise, the smart card proceeds to the next step.
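The card-side logic above (the local check e' = h(ID_i||PW_i||H(B_i)) at login and the server-free password change) is small enough to show end to end. The following Python is an added example, not the authors' code. It assumes SHA-256 over length-prefixed fields for h(·); a plain SHA-256 of the template as a stand-in for the bio-hash H(·); RPW_i = h(PW_i||H(B_i)) as stated in Proposition 1; and that the card value v has the form h(ID_i||RPW_i) ⊕ K, which is what the comparison of C_3 = h(r_1||r_2'||C_2||h(ID_i||RPW_i)) with C_3' = h(r_1'||r_2||C_2'||v ⊕ K) in verification steps 4 and 5 requires (the registration phase itself is not reproduced on this page). The identities, passwords and templates are constructed sample data. A Li et al.-style card that forwards every attempt to the server is included beside it to make the clogging argument of Section 4 measurable.

```python
"""
Added example, not the authors' code: card-side steps of the proposed scheme
(login-time check of e and server-free password change) next to a Li et al.-style
card with no local check. Assumptions: h(.) = SHA-256 over length-prefixed
fields; H(.) = SHA-256 of the template (the paper uses BioHashing [41]);
RPW_i = h(PW_i||H(B_i)); v = h(ID_i||RPW_i) XOR K (inferred from C_3 vs C_3').
All identities, passwords and templates are constructed sample data.
"""
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """h(.): SHA-256 of the length-prefixed concatenation, so that
    h(b"ab", b"c") and h(b"a", b"bc") cannot collide."""
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def H(template: bytes) -> bytes:
    """Stand-in for the bio-hash H(.) (assumption: plain SHA-256)."""
    return hashlib.sha256(template).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rpw(password: bytes, biometric: bytes) -> bytes:
    """RPW_i = h(PW_i||H(B_i)) (Proposition 1)."""
    return h(password, H(biometric))


def registration_mask(identity, password, biometric, k):
    """v = h(ID_i||RPW_i) XOR K (assumed form, see module docstring)."""
    return xor(h(identity, rpw(password, biometric)), k)


class Server:
    """Only counts the login requests that reach S_j."""
    def __init__(self):
        self.requests_seen = 0

    def handle_login(self, request: bytes) -> None:
        self.requests_seen += 1


class LiStyleCard:
    """No local check: every attempt becomes a login request to S_j."""
    def login(self, server, identity, password):
        server.handle_login(h(identity, password))  # stands in for <N, ID_i, C_1, h(r_1)>
        return True


class ProposedCard:
    def __init__(self, identity, password, biometric, k):
        self.e = h(identity, password, H(biometric))   # e, written at registration
        self.v = registration_mask(identity, password, biometric, k)

    def verify_local(self, identity, password, biometric) -> bool:
        """Login phase step 1: e' = h(ID_i||PW_i||H(B_i)) must equal the stored e."""
        e_prime = h(identity, password, H(biometric))
        return hmac.compare_digest(e_prime, self.e)

    def login(self, server, identity, password, biometric) -> bool:
        if not self.verify_local(identity, password, biometric):
            return False                                # nothing is sent to S_j
        server.handle_login(h(self.v, secrets.token_bytes(16)))  # placeholder for <DID_i, v, C_1, C_2>
        return True

    def change_password(self, identity, old_pw, biometric, new_pw) -> bool:
        """Password change phase: local check, then update e and v; no message to S_j."""
        if not self.verify_local(identity, old_pw, biometric):
            return False
        # Re-mask v without knowing K: XOR out h(ID||RPW_old), XOR in h(ID||RPW_new).
        self.v = xor(xor(self.v, h(identity, rpw(old_pw, biometric))),
                     h(identity, rpw(new_pw, biometric)))
        self.e = h(identity, new_pw, H(biometric))
        return True


def clogging_demo(tries=1000):
    """Stolen-card attacker trying `tries` wrong passwords.
    Returns (requests reaching S_j with a Li-style card, with the proposed card)."""
    ident, pw, bio, k = b"alice", b"correct-horse", b"fingerprint-template", secrets.token_bytes(32)
    s_li, s_new = Server(), Server()
    li, card = LiStyleCard(), ProposedCard(ident, pw, bio, k)
    for i in range(tries):
        guess = b"guess-%d" % i
        li.login(s_li, ident, guess)
        card.login(s_new, ident, guess, bio)
    return s_li.requests_seen, s_new.requests_seen


def password_change_demo():
    """Four booleans: wrong old password refused and correct one accepted, old
    password no longer works, new password works, v still consistent with K."""
    ident, bio, k = b"alice", b"fingerprint-template", bytes(range(32))
    card = ProposedCard(ident, b"old-pw", bio, k)
    refused = not card.change_password(ident, b"wrong-old", bio, b"new-pw")
    changed = card.change_password(ident, b"old-pw", bio, b"new-pw")
    return (refused and changed,
            not card.verify_local(ident, b"old-pw", bio),
            card.verify_local(ident, b"new-pw", bio),
            xor(card.v, k) == h(ident, rpw(b"new-pw", bio)))


if __name__ == "__main__":
    print("login requests reaching S_j (Li-style, proposed):", clogging_demo())
    print("password change checks:", password_change_demo())
```

Two design points are worth noting. First, the local check turns the card into an off-line verifier for anyone who holds the card, the identity and the biometric; the scheme's guessing resistance therefore rests on H(B_i) staying secret, which is the assumption behind Proposition 4. Second, under the assumed form of v, the card can re-mask v for a new password by XORing out the old h(ID_i||RPW_i) and XORing in the new one, which is what lets the password change complete without the server and without the card ever learning K.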

Security analysis of the proposed scheme
In this section, we first adopt Burrows-Abadi-Needham (BAN) logic [47] to prove that a session key can be correctly generated between U i and S j . We then verify that our proposed scheme is secure against various attacks through both informal and formal security analysis.

Authentication proof with BAN logic
In this subsection, based on the BAN logic technique, we verify the legitimacy of session keys distributed to the participants who communicate in our proposed protocol. BAN logic [47] is applied, which is a well-known formal logic technique used to analyze the security of cryptographic protocols. Table 2 shows the basic notations to determine BAN logic. In order to determine the reasonable postulates of BAN logic, five logic rules are also offered as follows.
• Message-meaning rule: $\dfrac{U \mid\equiv U \xleftrightarrow{K} S,\ U \lhd \langle C \rangle_K}{U \mid\equiv S \mid\sim C}$. If U believes that the key K is shared with S and U sees C combined with K, then U believes that S once said C.
• Jurisdiction rule: $\dfrac{U \mid\equiv S \Rightarrow C,\ U \mid\equiv S \mid\equiv C}{U \mid\equiv C}$. If U believes that S has jurisdiction over C and U believes that S believes C, then U also believes C.
Through our analysis, we intend to meet the following two goals.

• Goal 2. $S \mid\equiv (U \xleftrightarrow{sk} S)$
Next, all transmitted messages in our authentication scheme are transformed into the idealized form as follows.
In order to analyze our mechanism, we define the following assumptions.
• A1: $U \mid\equiv \#(r_1)$
Now, we describe our main proof. It uses the information defined above: five logic rules, three messages and six assumptions.
According to Message 1, we derive:
• V1: $S \lhd \langle ID_i \rangle_v,\ \langle ID_i \rangle_{r_1},\ (r_1)_{ID_i}$
Based on assumption A4 and the message-meaning rule, we derive:
• V2: $S \mid\equiv U \mid\sim v$
Based on V2 and the message-meaning rule, we derive:
• V3: $S \mid\equiv U \mid\sim ID_i$
Based on V3 and the message-meaning rule, we derive:
• V4: $S \mid\equiv U \mid\sim r_1$
Based on assumption A1, V4 and the freshness-conjuncatenation rule, we derive:
Based on V4, V5 and the nonce-verification rule, we derive:
Based on V3, V6 and the jurisdiction rule, we derive:
• V7: $S \mid\equiv r_1$
Based on Message 2, we derive:
Based on assumption A2, V3 and the message-meaning rule, we derive:
• V9: $U \mid\equiv S \mid\sim r_2$
Based on assumption A2 and the freshness-conjuncatenation rule, we derive:
Based on V9, V10 and the nonce-verification rule, we derive:
Based on V9, V11 and the jurisdiction rule, we derive:
• V12: $U \mid\equiv r_2$
Based on sk, V12 and assumption A1, we derive:
Based on Message 3, we derive:
• V14: $S \lhd (r_1, r_2, ID_i)_v$
Based on sk, V3, V7 and assumption A2, we derive:
• V15: $S \mid\equiv (U \xleftrightarrow{sk} S)$ (Goal 2)
The above derivation shows that U_i and S_j achieve mutual authentication, and by Goal 1 and Goal 2 both believe that the session key sk is securely shared between them.

Informal security analysis
In this subsection, we examine the security of our proposed scheme against various attacks and evaluate it against the basic requirements described in Section 2.1. We also compare it with the previous schemes [9,10,27,28,33,38,40]; the comparison is summarized in Table 3. The results are as follows.
Proposition 1. Resistant to insider attack.
Proof. In an insider attack, an insider of the server obtains the user's password from the registration data and uses it to access the user's account on another server where the same password is reused. The attack is possible when U_i's password PW_i is disclosed during the registration phase. In our scheme, PW_i is not transmitted in the clear; U_i sends the registration request <ID_i, RPW_i> with RPW_i = h(PW_i||H(B_i)), which binds the password to the hashed biometric H(B_i). Thus, our scheme is secure against insider attack.
Proposition 2. Preserve user anonymity.
Proof. User anonymity is an important property of a user authentication mechanism, because disclosure of a user's identity allows an unauthorized party to track the user's login pattern. Our scheme shields the user's identity ID_i in every transmitted message. Even if an attacker obtains C_1 by intercepting the login request <DID_i, v, C_1, C_2>, ID_i cannot be computed because the random number r_1 is unknown.
Proposition 3. Provide mutual authentication.
Proof. In the verification phase of our proposed scheme, U_i and S_j authenticate each other through a sequence of checks. S_j first verifies the login request by checking C_2. U_i then verifies the authentication request by checking b. Lastly, S_j verifies the acknowledgement message by checking C_3. If all these checks succeed, mutual authentication has been achieved.
Proposition 4. Resistant to off-line password guessing attack.
Proof. In an off-line password guessing attack, the attacker tries to find the user's password off-line using the information stored in the smart card or intercepted packets. In our scheme, an attacker can obtain {v, h(·), H(·), e} from the stolen smart card and intercept the login request <DID_i, v, C_1, C_2>. Using these values, the attacker may try to verify a candidate PW_i. However, without knowing ID_i and H(B_i), the attacker cannot confirm a guess, and H(B_i) is derived from biometric information known only to U_i. This guarantee rests on ID_i and H(B_i) remaining secret: because e = h(ID_i||PW_i||H(B_i)) is stored on the card, an attacker who obtained both the card and the user's identity and biometric could use e as an off-line verifier. Under the stated assumptions, our proposed scheme withstands an off-line password guessing attack.
Proposition 5. Resistant to user impersonation attack.
Proof. In a user impersonation attack, the attacker pretends to be the legal user by forging a login request from the information accumulated from smart cards and intercepted packets. Suppose that an attacker obtains {v, h(·), H(·), e} from the stolen smart card. The attacker then generates a random number r_1* and attempts to compute DID_i = ID_i ⊕ N, C_1* and C_2*. To compute DID_i, C_1* and C_2*, the attacker must obtain S_j's secret key K, which is not available in our scheme. Therefore, the attacker cannot generate a valid login request <DID_i, v, C_1*, C_2*> to deceive S_j.
Proposition 6. Resistant to server spoofing attack.
Proof. In a server spoofing attack, the attacker masquerades as the legal server by forging an authentication request from the information stored in the smart card and the intercepted packets. Suppose that an attacker obtains {v, h(·), H(·), e} from the stolen smart card and intercepts the login request <DID_i, v, C_1, C_2>. The attacker then generates a random number r_2* and attempts to forge the authentication request <a, b> to impersonate S_j. However, the attacker cannot compute a valid authentication request to deceive U_i, because r_1 cannot be obtained. In addition, as shown above, our scheme resists off-line password guessing attacks. Therefore, our proposed scheme withstands a server spoofing attack.
Proposition 7. Resistant to replay attack.
Proof. In a replay attack, the attacker deceives a legitimate participant by resending packets captured in previous sessions. Suppose that an attacker intercepts a previous login request <DID_i, v, C_1, C_2> and resends it to log in as the user. The server derives r_1' from the request and checks it against C_2; and even if a replayed request passed this check, the attacker could not produce the acknowledgement C_3 = h(r_1||r_2'||C_2||h(ID_i||RPW_i)), since neither r_1 nor h(ID_i||RPW_i) is known and r_2 is fresh in every session. Therefore, our proposed scheme withstands a replay attack.
Proposition 8. Provide a password verification process.
Proof. A user may enter an incorrect password by mistake. Without a local password verification step, the mistake is detected only after the verification phase has been run with the server. Our scheme avoids this inefficiency by checking the password against the stored value e at the beginning of the login phase.
Proposition 9. Provide an efficient password change phase.
Proof. The smart card should carry out the verification of the existing password by itself when the password is changed; efficiency improves when no communication with the server S_j is required. Our proposed scheme verifies the existing password within the smart card and, after the check succeeds, replaces the stored value e with the value e_new computed from the new password, in a convenient and efficient way.
Proposition 10. Provide session key agreement.
Proof. In our scheme, U_i and S_j compute the session key SK_{U_i,S_j} after mutual authentication. The session key is derived from fresh random numbers through a one-way hash function, so it differs in every session, and it cannot be derived from the intercepted messages or the stolen smart card. Thus, our scheme guarantees that each session key is generated and distributed securely.
Proposition 11. No time synchronization.
Proof. In timestamp-based authentication protocols, the clocks of the user and the server must be synchronized, and clock drift can cause legitimate messages to be rejected. To avoid this problem, our scheme uses the random numbers r_1 and r_2 instead of timestamps.

Formal security analysis
In this subsection, through the formal proof method, we demonstrate that our proposed scheme is secure. First, we specify a hash function as follows.
Definition 1. A hash function f: {0, 1}* → {0, 1}^n is a one-way function [48,49] that takes an input x ∈ {0, 1}* of arbitrary length and outputs a fixed-length bit string f(x) ∈ {0, 1}^n, referred to as the "message digest" or "hash value". When using cryptographic hash functions, the following three common levels of security must be considered:
• It is infeasible to recover the input x given the hash value y = h(x) and the hash function h(·).

Formal security verification using AVISPA tool
In this subsection, we simulate our scheme for formal security verification using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [50], in order to show that our scheme can withstand both passive and active attacks. We first give an overview of the structure of the AVISPA tool, then specify our authentication mechanism in the High Level Protocol Specification Language (HLPSL) [51]. Lastly, we run the simulation with the AVISPA tool and show that our scheme is reported as safe.
Overview of AVISPA tool. AVISPA is a well-known formal method that has been used to verify the security of protocols. AVISPA supports the specification of security protocols and properties in a modular and expressive specification language. A number of authentication studies [12,19,26,30–32,39] have been conducted with the AVISPA simulation tool. The AVISPA tool can be used by external users through the web interface accessible from the website [52]. It is also provided as a package (SPAN) that can be installed on the Linux and Mac OS operating systems. The architecture of the AVISPA tool is illustrated in Fig 4. As shown in Fig 4, the tool takes as input a specification written in HLPSL and produces as output the results from the different back-ends. More specifically, protocol specifications written in HLPSL are automatically translated by HLPSL2IF into Intermediate Format (IF) specifications, which are then given as input to the different back-ends. The back-ends consist of four parts [50]: the On-the-fly Model-Checker (OFMC), the Constraint-Logic-based Attack Searcher (CL-AtSe), the SAT-based Model Checker (SATMC), and the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). A description of each part is as follows:
• On-the-fly Model-Checker (OFMC): uses different symbolic techniques to explore the state space in a demand-driven way.
• SAT-based Model Checker (SATMC): uses SAT solvers in order to find a proposition leading to a failure in the model.
• Tree Automata-based on Automatic Approximations for the Analysis of Security Protocols (TA4SP): uses regular tree languages in order to evaluate the intruder knowledge.
Specifying the proposed scheme. This section describes the specification of our scheme in HLPSL. We first implement the basic roles for a user U_i and a server S_j during the registration, login, and verification phases, and then specify the other roles for the session, environment, and goal. In our specification, the type declaration channel(dy) indicates that the channel follows the Dolev-Yao threat model [53]: the attacker has full control over the public channel, and can intercept or eavesdrop on all messages sent by agents. In addition, the declaration secret({K}, subs1, S_j) indicates that the secret key K is known only to S_j, and secret({IDi, PWi, Bi}, subs2, U_i) indicates that ⟨ID_i, PW_i, B_i⟩ are known only to U_i. In our implementation, we assume that the bio-hash function H(·) is the same as the one-way hash function h(·). The role specification of the user U_i is shown in Fig 5. During the registration phase, U_i sends the registration request message ⟨ID_i, RPW_i⟩ to server S_j through a secure channel using the Snd() operation, and securely receives the information {v, h(·), H(·)} stored in the smart card from S_j using the Rcv() operation. During the login and verification phase, U_i generates a random number r_1 using the new() operation and sends the login request message ⟨DID_i, v, C_1, C_2⟩ to S_j through a public channel. U_i then receives the authentication request message ⟨a, b⟩ from S_j through a public channel. Finally, U_i sends the acknowledgement message ⟨C_3⟩ to S_j through a public channel. The declaration witness(Ui, Sj, alice_bob_r1, R1') indicates that U_i has freshly generated the random number R1 for S_j. The declaration request(Sj, Ui, bob_alice_r2, R2') denotes that U_i authenticates the server S_j. We similarly implemented the role for the server S_j, as shown in Fig 6.
During the registration phase, S_j receives the registration request message ⟨ID_i, RPW_i⟩ from the user U_i through a secure channel. After receiving the registration request message, S_j issues a smart card containing {v, h(·), H(·)} and sends it to U_i through a secure channel using the Snd() operation. During the login and verification phase, S_j receives the login request message ⟨DID_i, v, C_1, C_2⟩ from the user U_i through a public channel. S_j then generates a random number r_2 and sends the authentication request message ⟨a, b⟩ to U_i through a public channel. Finally, S_j receives the acknowledgement message ⟨C_3⟩ from the user U_i through a public channel using the Rcv() operation. The declaration witness(Sj, Ui, bob_alice_r2, R2') indicates that S_j has freshly generated the random number R2 for U_i. The declaration request(Ui, Sj, alice_bob_r1, R1') indicates that S_j authenticates the user U_i.
We have also provided the HLPSL specification for the session, environment, and goal roles. The detailed specification of each role is given in Fig 7. The session role contains the starting parameters, local variables, and the composition of agents. The environment role contains the global constants, the attacker's knowledge, the security goals, and the composition of more than one session run in parallel. In our simulation, the following two secrecy goals and two authentication goals are verified:
• secrecy_of subs1: indicates that the secret key K is known only to the legal server S_j.
• secrecy_of subs2: indicates that the information ID_i, PW_i and B_i is known only to the legal user U_i.
• authentication_on alice_bob_r1: indicates that U_i generates a random number r_1 that is known only to U_i. If the server S_j securely receives it in the message, S_j authenticates U_i.
• authentication_on bob_alice_r2: indicates that S_j generates a random number r_2 that is known only to S_j. If the user U_i securely receives it in the message, U_i likewise authenticates S_j.
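To make the message flow of the two roles above and the properties of Propositions 8, 10 and 11 concrete, the following Python model is an added example written for this page; it is not the paper's scheme, and every formula for v, DID_i, C_1, C_2, a, b, C_3, e and the session key is an assumption chosen for illustration (the server-side pseudonym table is also assumed). It keeps the same four messages, performs the local password check against e before anything is sent, derives a session key from the two fresh random numbers, and shows why an acknowledgement captured in one session cannot complete a later one without any clock synchronization.

```python
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """One-way hash h(.) modelled with SHA-256 over length-prefixed parts.
    The bio-hash H(.) is modelled by the same function, as in the HLPSL spec."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """S_j: holds the long-term secret K and an assumed pseudonym index."""

    def __init__(self) -> None:
        self.K = secrets.token_bytes(32)
        self.users: dict[bytes, bytes] = {}  # assumed: DID -> ID_i

    def register(self, ID: bytes, RPW: bytes) -> dict:
        # Registration over a secure channel. Assumed formulas: DID is a fixed
        # pseudonym, v is the card secret, e is the local password-check value.
        DID = h(b"index", ID, self.K)
        v = h(b"card", ID, self.K)
        self.users[DID] = ID
        return {"DID": DID, "v_masked": xor(v, RPW), "e": h(b"check", ID, RPW)}

    def respond(self, msg: tuple):
        """Login request <DID, C1, C2> -> authentication request <a, b>."""
        DID, C1, C2 = msg
        ID = self.users.get(DID)
        if ID is None:
            return None
        v = h(b"card", ID, self.K)
        r1 = xor(C1, h(v))                 # recover the user's nonce
        if C2 != h(v, r1):                 # message integrity under v
            return None
        r2 = secrets.token_bytes(32)       # fresh server nonce (no timestamp)
        a, b = xor(r2, h(v, r1)), h(v, r1, r2)
        SK = h(b"sk", v, r1, r2)
        return (a, b), (SK, r2)            # per-session state, kept explicit

    def verify_ack(self, state: tuple, C3: bytes):
        """Acknowledgement <C3> authenticates U_i (alice_bob_r1 in HLPSL)."""
        SK, r2 = state
        return SK if C3 == h(b"ack", SK, r2) else None


def register_user(srv: Server, ID: bytes, PW: bytes, B: bytes) -> dict:
    return srv.register(ID, h(PW, h(B)))   # RPW_i = h(PW_i, H(B_i)) (assumed)


def card_login(card: dict, ID: bytes, PW: bytes, B: bytes):
    RPW = h(PW, h(B))
    # Proposition 8: a wrong password is rejected here, before any message.
    if card["e"] != h(b"check", ID, RPW):
        return None
    v = xor(card["v_masked"], RPW)
    r1 = secrets.token_bytes(32)           # fresh user nonce
    return (card["DID"], xor(r1, h(v)), h(v, r1)), (v, r1)


def card_finish(state: tuple, reply: tuple):
    """<a, b> authenticates S_j (bob_alice_r2 in HLPSL); emit <C3>."""
    v, r1 = state
    a, b = reply
    r2 = xor(a, h(v, r1))
    if b != h(v, r1, r2):
        return None
    SK = h(b"sk", v, r1, r2)               # Proposition 10: SK from r1, r2
    return h(b"ack", SK, r2), SK


def run_session(card: dict, srv: Server, ID: bytes, PW: bytes, B: bytes):
    """Full run; returns the agreed session key or None on any failure."""
    step = card_login(card, ID, PW, B)
    if step is None:
        return None
    login_msg, ustate = step
    res = srv.respond(login_msg)
    if res is None:
        return None
    reply, sstate = res
    fin = card_finish(ustate, reply)
    if fin is None:
        return None
    C3, SK_user = fin
    return SK_user if srv.verify_ack(sstate, C3) == SK_user else None


def replayed_ack_is_rejected(card: dict, srv: Server, ID: bytes, PW: bytes, B: bytes) -> bool:
    """Proposition 11: an ack captured in one session fails in the next because
    r2 is fresh per run. Note that this toy accepts a replayed login request at
    step 1; it is the fresh r2 that stops the replay from completing."""
    login_msg, ustate = card_login(card, ID, PW, B)
    reply, _ = srv.respond(login_msg)
    C3_old, _ = card_finish(ustate, reply)
    _, sstate2 = srv.respond(login_msg)    # attacker replays the login request
    return srv.verify_ack(sstate2, C3_old) is None
```

Each step returns None on failure so that a caller can see exactly where a run stopped, which mirrors the point of Proposition 8: the cost of a mistyped password is a local rejection, not a round trip to the server.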
Simulation results. We simulated our proposed scheme with the AVISPA tool in order to check that it guarantees safety. The simulation results under the OFMC and CL-AtSe back-ends are shown in Fig 8. The results show that our scheme is reported as SAFE under each back-end. Therefore, we conclude that our proposed scheme can protect against passive and active attacks such as replay and man-in-the-middle attacks.

Performance analysis of the proposed scheme
In this section, we compare the computational costs and execution time of the proposed scheme with other hash-based schemes [34,38–40]. Generally, the computational cost is examined in terms of the respective operations of the authentication protocol. Accordingly, this analysis of computational cost concentrates on the operations carried out by the participants, namely the user and the server. For the evaluation of the computational costs, we define the computational parameter T_H as the time taken to execute a one-way hash function or bio-hash function. Table 5 summarizes the comparison of computational overheads. Table 5 shows that Lee et al. [34], Das [38], Mir et al. [39], Li et al. [40] and our proposed scheme require total computational overheads of 19T_H, 25T_H, 27T_H, 26T_H, and 21T_H, respectively.
The results show that our proposed scheme is superior to those proposed in a number of related studies [38–40]. In addition, as shown in Table 3, our proposed scheme guarantees safety against a variety of existing attacks. According to [40], the actual execution time of the one-way hash function T_H is 0.2 ms. In Table 5, we also list the time consumption of our proposed scheme and of the schemes presented in the other related studies [34,38–40]. Table 5 shows that the execution time of our proposed scheme is only 4.2 ms (≈ 21 × 0.2 ms), which can be considered minor. On the other hand, Das's scheme [38], Mir et al.'s scheme [39] and Li et al.'s scheme [40] require 5.0 ms (≈ 25 × 0.2 ms), 5.4 ms (≈ 27 × 0.2 ms) and 5.2 ms (≈ 26 × 0.2 ms), respectively; these schemes are therefore slightly less efficient than ours. Table 5 demonstrates that our proposed mechanism is efficient.

Conclusions
In this paper, we demonstrate that Li et al.'s scheme has a number of critical vulnerabilities and we propose an extended authentication scheme to overcome these defects. Our proposed scheme has been thoroughly verified in terms of a variety of security features, and the proof result demonstrates that a session key can be correctly generated between the communicating parties. In addition, a performance comparison for the proposed scheme in relation to the schemes proposed in other studies was carried out, and we consider that our proposed scheme has sufficient efficiency and robustness for an integrated EPR information system. In the future, we will propose a new authentication scheme applying the fuzzy extractor technique instead of the biohashing method and analyze the new scheme not only in terms of computation cost, but also in terms of communication and smart card storage cost.