A Robust and Secure Remote User Authentication Scheme Preserving User Anonymity

Kwang-Cheul Shin

Abstract


Remote user authentication is a method in which a remote server verifies the legitimacy of a user over a common communication channel. Smart card based remote user authentication schemes are now widely adopted because of their low computational cost and convenient portability for mutual authentication. In 2009, Wang et al. proposed a dynamic ID-based remote user authentication scheme using smart cards. They stated that their scheme preserves user anonymity, has the feature of storing a password chosen by the server, and is protected from several attacks. However, in this paper, I point out that Wang et al.'s scheme has practical vulnerabilities. I found that their scheme does not provide user anonymity during authentication. In addition, the user does not have the right to choose a password, and the scheme is vulnerable to limited replay attacks. In particular, the parameter y to be delivered to the user is ambiguous. To overcome these security faults, I propose an enhanced authentication scheme that covers all the identified weaknesses of Wang et al.'s scheme: an efficient user authentication scheme that preserves perfect anonymity with respect to both outsiders and the remote server.

References


Chen, C. M. and Ku, W. C., "Stolen-verifier attack on two new strong-password authentication protocols," IEICE Transactions on Communications, E85-B, pp. 2519-2521, 2002.

Das, M. L., Saxena, A., and Gulati, V. P., "A dynamic ID-based remote user authentication scheme," IEEE Transactions on Consumer Electronics, Vol. 50, No. 2, pp. 629-631, 2004.

Fan, C. I., Chan, Y. C., and Zhang, Z. K., "Robust remote authentication scheme with smart cards," Computers and Security, Vol. 24, No. 8, pp. 619-628, 2005.

Gong, L., "A security risk of depending on synchronized clock," Operating System Review, Vol. 26, No. 1, pp. 49-53, 1992.

Hwang, M. S. and Li, L. H., "A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000.

Khan, M. K., Kim, S. K., and Alghathbar, K., "Cryptanalysis and security enhancement of a more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, Vol. 34, No. 3, pp. 305-309, 2011.

Ku, W. C. and Chen, S. M., "Weaknesses and improvements of an efficient password based remote user authentication scheme using smart card," IEEE Transactions on Consumer Electronics, Vol. 50, No. 1, pp. 204-207, 2004.

Lamport, L., "Password authentication with insecure communication," Communications of the ACM, Vol. 24, No. 11, pp. 770-772, 1981.

Lee, C. C., Hwang, M. S., and Yang, W. P., "A Flexible Remote User Authentication Scheme using Smart Cards," ACM Operating System Review, Vol. 36, No. 4, pp. 23-29, 2002.

Lee, N. Y. and Chiu, Y. C., "Improved remote authentication scheme with smart card," Computer Standards and Interfaces, Vol. 27, No. 2, pp. 177-180, 2005.

Liao, I. E., Lee, C. C., and Hwang, M. S., "Security enhancement for a dynamic ID-based remote user authentication scheme," KOREA : International Conference on Next Generation Web Services Practices, IEEE, 2005.

Liao, Y. P. and Wang, S. S., "A secure dynamic ID-based remote user authentication scheme for multi-server environment," Computer Standards and Interfaces, Vol. 31, No. 1, pp. 24-29, 2009.

Messerges, T. S., Dabbish, E. A., and Sloan, R. H., "Examining Smart Card Security under the Threat of Power Analysis Attack," IEEE Transactions on Computers, Vol. 51, No. 5, pp. 541-552, 2002.

Shin, K. C., "Vulnerability Analysis and Improvement in Man-in-the-Middle Attack for Remote User Authentication Scheme of Shieh and Wang et al.'s using Smart Card," The Journal of Society for e-Business Studies, Vol. 17, No. 4, pp. 1-16, 2012, (dx.doi.org/10.7838/jsebs.2012.17.4.001).

Shin, K. C., "Analysis and Countermeasure for Authentication Scheme of Qi Xie's Based on Variable Authenticator," The Korean Institute of Information Technology, Vol. 10, No. 1, pp. 139-146, 2012.

Shin, K. C., "Vulnerability Analysis and Improvement of a Remote User Authentication Scheme by Legitimate Members," Korea Knowledge Information Technology Society, Vol. 7, No. 6, pp. 181-192, 2012.

Song, R., "Advanced smart card based password authentication protocol," Computer Standards and Interfaces, Vol. 32, No. 5-6, pp. 321-325, 2010.

Wang, Y. Y., Liu, J. Y., Xiao, F. X., and Dan, J., "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, Vol. 32, No. 4, pp. 583-585, 2009.

Xie, Q., Wang, J. K., Chen, D. R., and Wang, X. Y., "A novel user authentication scheme using smart card," College of Computer Science. Zhejiang University, Hangzhou, 310027, P R China, and Graduate School. Hangzhou Normal University, 2008.

Xu, J., Zhu, W., and Feng, D., "An improved smart card based password authentication scheme with provable security," Computer Standards and Interfaces, Vol. 31, No. 4, pp. 723-728, 2009.

