Cryptanalysis and improvement of ‘a robust smart‐card‐based remote user password authentication scheme’

With the use of smart cards in user authentication mechanisms, the concept of two-factor authentication came into existence. This was a step towards more secure and reliable user authentication systems: it raised the security level by requiring a user to possess something (the card) in addition to knowing something (the password). In 2010, Sood et al. and Song independently examined a smart-card-based authentication scheme proposed by Xu et al. They showed that in the scheme of Xu et al., an internal user of the system can turn hostile and impersonate other users of the system. Both of them also proposed schemes to improve the scheme of Xu et al. Recently, Chen et al. identified some security problems in the improved schemes proposed by Sood et al. and Song. To fix these problems, Chen et al. presented another scheme, which they claimed to provide mutual authentication and to withstand the lost smart card attack. In their scheme a user can indeed verify the legitimacy of the server, but we find that the scheme fails to resist impersonation attacks and the privileged insider attack. We also show that the scheme does not provide important features such as user anonymity, confidentiality of the messages sent over the air, and revocation of a lost or stolen smart card. Moreover, the scheme defeats the very purpose of two-factor security: an attacker can guess a user's password from his or her lost or stolen smart card. To meet these challenges, we propose a user authentication method with user anonymity. We show through analysis and comparison that the proposed scheme is more efficient than related schemes, including the scheme of Chen et al. Copyright © 2013 John Wiley & Sons, Ltd.
