BY-NC-ND 3.0 license Open Access Published by De Gruyter Open Access March 28, 2012

Cryptanalysis and security enhancement of Chen et al.’s remote user authentication scheme using smart card

  • Saru Kumari, Mridul Gupta and Manoj Kumar
From the journal Open Computer Science

Abstract

Recently (2011) Chen et al. found that Wang et al.’s scheme (2007) is vulnerable to impersonation attacks and parallel session attacks, and then proposed a security enhancement of Wang et al.’s scheme. Chen et al. claimed that their improved scheme inherits the merits and eradicates the flaws of the original scheme. Unfortunately, we found that Chen et al.’s scheme inherits some flaws of the original scheme, like the known-key attack, smart card loss attack and its serious consequences. In addition, Chen et al.’s scheme is not easily reparable and is unable to provide forward secrecy. Thus Chen et al.’s scheme still has scope for security enhancement. Finally, we propose an improved scheme with better security strength. Moreover, we analyze the performance of our scheme and prove that ours is suitable for applications with high security requirements.

References

[1] Chan C.K., Cryptanalysis of a remote user authentication schemes using smart cards, IEEE Trans. Consum. Electron., 46, 992–993, 2000 http://dx.doi.org/10.1109/30.920451

[2] Chang C.C., Hwang K.F., Some forgery attacks on a remote user authentication scheme using smart cards, Inf., 14, 289–294, 2003 http://dx.doi.org/10.15388/Informatica.2003.022

[3] Chen T.H., Hsiang H.C., Shih W.K., Security enhancement on an improvement on two remote user authentication schemes using smart cards, Future Gener. Comp. Sy., 27, 377–380, 2011 http://dx.doi.org/10.1016/j.future.2010.08.007

[4] Chien H.Y., Jan J.K., Tseng Y.M., An efficient and practical solution to remote authentication, smart card, Comput. Secur., 21, 37–375, 2002 http://dx.doi.org/10.1016/S0167-4048(02)00415-7

[5] Chien H.Y., Chen C.H., A remote authentication scheme preserving user anonymity (In: Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05)), 2, 245–248, 2005

[6] Diffie W., Oorschot P.C. Van, Wiener M.J., Authentication and authenticated key exchanges, Design. Code. Cryptogr., 2, 107–125, 1992 http://dx.doi.org/10.1007/BF00124891

[7] El Gamal T., A public-key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inf. Theory, 31, 469–472, 1985 http://dx.doi.org/10.1109/TIT.1985.1057074

[8] Fan C.I., Chan Y.C., Zhang Z.K., Robust remote authentication scheme with smart cards, Comput. Secur., 24, 619–628, 2005 http://dx.doi.org/10.1016/j.cose.2005.03.006

[9] Gong L., A security risk of depending on synchronized clocks, SIGOPS, 26, 49–53, 1992 http://dx.doi.org/10.1145/130704.130709

[10] Goripathi T., Das M.L., Saxena A., An improved bilinear pairing based remote user authentication scheme, Comp. Stand. Inter., 31, 181–185, 2009 http://dx.doi.org/10.1016/j.csi.2007.11.016

[11] Haller N.M., The S/KEY one-time password system, RFC1760, February 1995 http://dx.doi.org/10.17487/rfc1760

[12] Horng G., Password authentication without using password table, Inform. Process. Lett., 55, 247–250, 1995 http://dx.doi.org/10.1016/0020-0190(95)00087-S

[13] Hsu C.L., Security of Chien et al.’s remote user authentication scheme using smart cards, Comp. Stand. Inter., 26, 167–169, 2004 http://dx.doi.org/10.1016/S0920-5489(03)00094-1

[14] Hwang M.S., Li L.H., A new remote user authentication scheme using smart card, IEEE Trans. Consum. Electron., 46, 28–30, 2000 http://dx.doi.org/10.1109/30.826377

[15] Jan J.K., Chen Y.Y., ‘Paramita Wisdom’ password authentication scheme without verification tables, J. Syst. Software, 42, 45–57, 1998 http://dx.doi.org/10.1016/S0164-1212(98)00006-5

[16] Khan M.K., Zhang J., Improving the security of a flexible biometrics remote user authentication scheme, Comp. Stand. Inter., 29, 82–85, 2007 http://dx.doi.org/10.1016/j.csi.2006.01.002

[17] Khan M.K., Fingerprint biometric-based self-authentication and deniable authentication schemes for the electronic world, IETE Tech. Rev., 26, 191–195, 2009 http://dx.doi.org/10.4103/0256-4602.50703

[18] Kim S.K., Chung M.G., More secure remote user authentication scheme, Comput. Commun., 32, 1018–1021, 2009 http://dx.doi.org/10.1016/j.comcom.2008.11.026

[19] Kocher P., Jaffe J., Jun B., Differential power analysis (In: Advances in Cryptology, CRYPTO’99), 388–397, 1999 http://dx.doi.org/10.1007/3-540-48405-1_25

[20] Ku W.C., Chang S.T., Chiang M.H., Further cryptanalysis of fingerprint-based remote user authentication scheme using smartcards, IEE Electron. Lett., 41, 240–241, 2005 http://dx.doi.org/10.1049/el:20047658

[21] Ku W.C., Chang S.T., Impersonation attack on a dynamic ID-based remote user authentication scheme using smart cards, IEICE Trans. Commun., E88-B, 2165–2167, 2005 http://dx.doi.org/10.1093/ietcom/e88-b.5.2165

[22] Ku W.C., Chen S.M., Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 50, 204–207, 2004 http://dx.doi.org/10.1109/TCE.2004.1277863

[23] Kumar M., New remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 50, 597–600, 2004 http://dx.doi.org/10.1109/TCE.2004.1309433

[24] Lamport L., Password authentication with insecure communication, Commun. ACM, 24, 770–771, 1981 http://dx.doi.org/10.1145/358790.358797

[25] Lee C.C., Hwang M.S., Yang W.P., A flexible remote user authentication scheme using smart cards, ACMOSR, 36, 46–52, 2002 http://dx.doi.org/10.1145/567331.567335

[26] Lee N.Y., Chiu Y.C., Improved remote authentication scheme with smart card, Comp. Stand. Inter., 27, 177–180, 2005 http://dx.doi.org/10.1016/j.csi.2004.06.001

[27] Leung K.C., Cheng L.M., Fong A.S., Chan C.K., Cryptanalysis of a modified remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 49(4), 1243–1245, 2003 http://dx.doi.org/10.1109/TCE.2003.1261224

[28] Liao I.E., Lee C.C., Hwang M.S., A password authentication scheme over insecure networks, J. Comput. Syst. Sci. Int., 72, 727–740, 2006 http://dx.doi.org/10.1016/j.jcss.2005.10.001

[29] Liao Y.P., Wang S.S., A secure dynamic ID-based remote user authentication scheme for multi-server environment, Comp. Stand. Inter., 31, 24–29, 2009 http://dx.doi.org/10.1016/j.csi.2007.10.007

[30] Liu J.Y., Zhou A.M., Gao M.X., A new mutual authentication scheme based on nonce and smart cards, Comput. Commun., 31(10), 2205–2209, 2008 http://dx.doi.org/10.1016/j.comcom.2008.02.002

[31] Messerges T.S., Dabbish E.A., Sloan R.H., Examining smart card security under the threat of power analysis attacks, IEEE Trans. Comput., 51(5), 541–552, 2002 http://dx.doi.org/10.1109/TC.2002.1004593

[32] Mitchell C.J., Chen L., Comments on the S/KEY user authentication scheme, ACMOSR, Oct, 30, 12–16, 1996 http://dx.doi.org/10.1145/240799.240801

[33] Mitchell C., Limitation of challenge-response entity authentication, Electr. Lett., 25, 1195–1196, 1989 http://dx.doi.org/10.1049/el:19890801

[34] Peyravian M., Roginsky A., Zunic N.L., Hash-based encryption system, Comput. Secur., 18, 345–350, 1999 http://dx.doi.org/10.1016/S0167-4048(99)80080-7

[35] Shen J.J., Lin C.W., Hwang M.S., A modified remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 49, 414–416, 2003 http://dx.doi.org/10.1109/TCE.2003.1209534

[36] Shimizu A., A dynamic password authentication method by one-way function, IEICE Trans. Inf. Syst., J73-D-I, 630–636, July 1990

[37] Shimizu A., Horioka T., Inagaki H., A password authentication method for contents communication on the Internet, IEICE Trans. Commun., E81-B, 1666–1763, August 1998

[38] Sun H.M., An efficient remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 46, 958–961, 2000 http://dx.doi.org/10.1109/30.920446

[39] Tsai J.L., Efficient multi-server authentication scheme based on one-way hash function without verification table, Comput. Secur., 27, 115–121, 2008 http://dx.doi.org/10.1016/j.cose.2008.04.001

[40] Wang X.M., Zhang W.F., Jhang J.S., Khan M.K., Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards, Comp. Stand. Inter., 29, 507–512, 2007 http://dx.doi.org/10.1016/j.csi.2006.11.005

[41] Wang Y.Y., Kiu J.Y., Xiao F.X., Dan J., A more efficient and secure dynamic ID-based remote user authentication scheme, Comput. Commun., 32, 583–585, 2009 http://dx.doi.org/10.1016/j.comcom.2008.11.008

[42] Yang J.H., Chang C.C., An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem, Comput. Secur., 28, 138–143, 2009 http://dx.doi.org/10.1016/j.cose.2008.11.008

[43] Yen S.M., Liao K.H., Shared authentication token secure against replay and weak key attacks, Inform. Process. Lett., 62, 77–80, 2009 http://dx.doi.org/10.1016/S0020-0190(97)00046-X

[44] Yoon E.J., Ryu E.K., Yoo K.Y., Further improvement of an efficient password based remote user authentication scheme using smart cards, IEEE Trans. Consum. Electron., 50, 612–614, 2004 http://dx.doi.org/10.1109/TCE.2004.1309437

Published Online: 2012-3-28
Published in Print: 2012-3-1

© 2012 Versita Warsaw

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License.

Downloaded on 4.2.2023 from https://www.degruyter.com/document/doi/10.2478/s13537-012-0003-y/html