An Improved Password-Based Remote User Authentication Protocol without Smart Cards

Authentication is one of the fundamental mechanisms that enable a legitimate user to log into a remote server in an insecure environment. Many authentication protocols have been proposed in the literature for preventing unauthorized parties from accessing resources. Recently, Chen et al. proposed a password-based remote user authentication and key agreement scheme using common storage devices, such as USB sticks. They claimed that the scheme can withstand off-line dictionary attacks even if the authentication information stored in the device is obtained by the adversary. However, we observe that Chen et al.’s scheme is insecure against off-line dictionary attacks in this case. To remedy this security flaw, we propose an improved authentication protocol without using smart cards. Compared with the previous schemes, our scheme not only provides more security guarantees, but is also more efficient in both computation and communication cost.

DOI: http://dx.doi.org/10.5755/j01.itc.42.2.2079