A secure remote authentication scheme preserving user anonymity with non-tamper resistant smart cards

Anonymity is one of the important properties of remote authentication schemes for preserving user privacy. It also prevents unauthorized entities from using the user ID and other intercepted information to forge legal login messages. In 2004, Das et al. first proposed a remote user authentication scheme with smart cards that uses a dynamic ID to protect user anonymity. Later, in 2005, Chien and Chen demonstrated that Das et al.'s scheme fails to preserve user anonymity and presented a new scheme to remedy this problem. In 2007, Hu et al. pointed out that Chien-Chen's scheme cannot preserve user anonymity if the smart card is non-tamper-resistant, i.e., if the secret information stored in the smart card can be revealed. They then proposed an improved scheme to cope with this problem. In this paper, however, we show that Hu et al.'s scheme still cannot preserve user anonymity under their assumption. In addition, their scheme is vulnerable to the offline password guessing attack. We then present an improvement that overcomes these weaknesses while preserving all the merits of their scheme.
