Notes on “a password-based remote user authentication scheme without smart card”

Recently, Chen et al. proposed a remote user authentication scheme for non-tamper-proof storage devices such as Universal Serial Bus (USB) sticks. Shortly afterwards, He et al. found that Chen et al.'s scheme suffers from a stolen-device attack and an insider attack, and that it lacks forward secrecy. He et al. then improved the scheme of Chen et al. by presenting another scheme. Nonetheless, we detect some security problems in the scheme by He et al. We show that He et al.'s scheme is vulnerable to an off-line password guessing attack. Besides, an attacker can not only impersonate the user but can also establish a session key with the server; as a result, the scheme lacks proper mutual authentication. Further, the scheme does not protect the user's privacy, and a user cannot freely change his password at will, because password updating requires interaction with the server.
