On the Security of an Efficient and Secure Dynamic ID-Based Remote User Authentication Scheme

A remote user authentication scheme [1] is used to verify the legitimacy of remote users’ login requests over an insecure channel. Password-based authentication is the most common method to check the validity of the login message and authenticate the user. Recently, many authentication schemes [1]–[12] have been proposed to improve the security and practicability of authentication. Quite recently, Wang et al. [12] proposed an efficient and secure dynamic ID-based remote user authentication scheme based on a one-way secure hash function. Wang et al. claimed that their scheme has the following merits: 1) it allows users to choose and change passwords freely; 2) the server does not maintain any verifier tables because it uses a smartcard to store a secret key; 3) it provides mutual authentication between the user and the remote server; 4) it overcomes the fatal drawback that the user’s authentication is independent of the password; 5) it is secure against ID-theft [9]–[11], replay attacks, insider attacks, etc. Unfortunately, we find that Wang et al.’s scheme [12] is still vulnerable to impersonation attacks. Accordingly, this letter demonstrates that Wang et al.’s scheme is vulnerable to impersonation attacks, in which an attacker can easily impersonate any legal user.

[1] Wei-Chi Ku, et al. Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, 2004, IEEE Transactions on Consumer Electronics.

[2] Amit K. Awasthi, et al. Security Analysis of A Dynamic ID-based Remote User Authentication Scheme, 2004, IACR Cryptol. ePrint Arch.

[3] Hung-Min Sun, et al. An Efficient Remote User Authentication Scheme Using Smart Cards, 2000.

[4] Hung-Min Sun, et al. An efficient remote use authentication scheme using smart cards, 2000, IEEE Trans. Consumer Electron.

[5] Min-Shiang Hwang, et al. A new remote user authentication scheme using smart cards, 2000, IEEE Trans. Consumer Electron.

[6] Ashutosh Saxena, et al. A dynamic ID-based remote user authentication scheme, 2004, IEEE Transactions on Consumer Electronics.

[7] Cheng-Chi Lee, et al. A remote user authentication scheme using hash functions, 2002, OPSR.

[8] Leslie Lamport, et al. Password authentication with insecure communication, 1981, CACM.

[9] Cheng-Chi Lee, et al. A simple remote user authentication scheme, 2002.

[10] Yan-yan Wang, et al. A more efficient and secure dynamic ID-based remote user authentication scheme, 2009, Comput. Commun.

[11] Wei-Kuan Shih, et al. Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment, 2009, Comput. Stand. Interfaces.

[12] Cheng-Chi Lee, et al. A flexible remote user authentication scheme using smart cards, 2002, OPSR.