
Computer Science Section

An Improved Smart Card Based Remote User Authentication Scheme with Session Key Agreement During the Verification Phase

Manoj KUMAR (1), M. K. GUPTA (2), Saru KUMARI (3)

(1) Department of Mathematics, R. K. College, Shamli (Muzaffarnagar), Uttar Pradesh, India
(2) Department of Mathematics, Chaudhary Charan Singh University, Meerut, Uttar Pradesh, India
(3) Department of Mathematics, Agra College, Agra-282004, Uttar Pradesh, India

(1) yamu_balyan@yahoo.co.in, (2) mkgupta2002@hotmail.com, (3) saryusiirohi@gmail.com

Abstract – In 2009, Hsiang-Shih proposed an improvement to Yoon-Ryu-Yoo’s scheme to prevent the offline password guessing attack and the parallel session attack, and Kim-Chung proposed a more secure improvement to Yoon-Yoo’s scheme to withstand offline password leakage, masquerading attacks and the stolen verifier attack. This article shows that the two improved schemes are still vulnerable to the offline password guessing attack, the insider attack or extended insider attack, the denial of service attack and other security flaws. We also propose an improved scheme that not only retains the advantages of the aforementioned schemes but also enhances their security by withstanding the flaws discussed.

Keywords: Remote User Authentication, Information Security, Smart Card, Session Key.

I. INTRODUCTION

Design and development of smart-card based authentication systems started back in 1993 when Chang and Wu introduced a remote password authentication scheme with smart cards [1]. Since then many researchers have proposed various smart card based password authentication schemes [2-17].

In 2002, Chien et al. [4] proposed an efficient password based remote user authentication scheme with smart cards using hash functions. However, Hsu [7] pointed out a parallel session attack on it. In 2004, Ku and Chen [11] pointed out a reflection attack [18], an insider attack [19] and the lack of reparability in Chien et al.’s scheme and also gave an improved scheme which they claimed to withstand these attacks. In the same year Yoon et al. [17] demonstrated that Ku-Chen’s scheme is not resistant to the parallel session attack and is insecure in changing the password; they also presented an improvement to remove these security flaws. In 2009, Hsiang-Shih [20] stated that Yoon et al.’s scheme is vulnerable to the parallel session attack, as stated by Duan et al. [21], to a masquerading attack and to a password guessing attack. To remedy these pitfalls, they presented an improved scheme [20] to enhance the security of Yoon et al.’s scheme.

In 2004, Lee et al. enhanced Chien et al.’s scheme [4] by eliminating the parallel session attack [22,23]. In 2005, Yoon-Yoo [24] showed that Lee et al.’s scheme is also vulnerable to some insidious attacks, such as the masquerading server attack. In 2009, Kim-Chung [25] demonstrated that Yoon-Yoo’s scheme easily reveals a user’s password and is vulnerable to the masquerading user (server) attack and the stolen verifier attack. To fix Yoon-Yoo’s method they proposed a new user authentication scheme.

In this paper, we show that both improved schemes [20,25] are vulnerable to offline password guessing attacks provided that the information stored in the smart card is revealed, to the insider attack or extended insider attack, to the denial of service attack and to some other attacks (sub-attacks). We also show that the scheme [20] fails to provide mutual authentication, owing to impersonation attacks, provided that the secret shared between user and server is guessed. In addition, this paper contributes an improved scheme using only hash functions [26] which not only inherits the merits of the schemes [20,25] but also enhances their security.

The balance of this paper is organized as follows. The next section reviews and analyzes Hsiang-Shih’s scheme [20]. Section 3 reviews and analyzes Kim-Chung’s scheme [25]. We then describe an improved smart card based remote user authentication scheme with session key agreement in Section 4. In Section 5 we discuss the security and achievements of our proposed scheme. Section 6 compares our scheme with other related schemes. Finally we conclude this article in the last section.

II. REVIEW AND ANALYSIS OF HSIANG-SHIH’S SCHEME

2.1. Review of Hsiang-Shih’s scheme

Notations used throughout this paper are as follows:
• U: the user.
• ID: the identity of U.
• PW: the password of U.
• SC: the smart card of U.
• TR: the registration timestamp of U.
• S: the remote server.
• ADB: the account database maintained by S.
• x, k: two permanent secret keys of S.
• h(.): a cryptographic hash function.
• KSESS: the session key.
• UA: the attacker.
• ⊕: the bitwise XOR operation.
• ⇒: a secure channel.
• →: a common channel.
• ||: string concatenation.

Journal of Applied Computer Science & Mathematics, no. 11 (5) /2011, Suceava

We now examine the remote user authentication scheme [20] proposed by Hsiang-Shih in 2009.

2.1.1. Registration phase: In this phase U initially registers or re-registers with S. Let n denote the number of times U has re-registered with S.
(1) U selects a random number b and computes h(b ⊕ PW).
(2) U ⇒ S: {ID, h(PW), h(b ⊕ PW)}.
(3) If it is U’s initial registration, S creates an entry for U in the ADB and stores n = 0 in this entry. Otherwise, S sets n = n + 1 in the existing entry for U.
(4) Next, S computes P = h(EID ⊕ x), where EID = (ID || n), R = P ⊕ h(b ⊕ PW) and V = h(P ⊕ h(PW)).
(5) S ⇒ U: a smart card containing V, R and h(.).
(6) U enters b into his SC.

2.1.2. Login phase: When U wants to log in to S, the following operations are performed:
(1) U inserts his smart card into the smart card reader and then enters ID and PW.
(2) U’s SC computes C1 = R ⊕ h(b ⊕ PW) and C2 = h(C1 ⊕ TU), where TU denotes U’s current timestamp.
(3) U → S: {ID, TU, C2}.

2.1.3. Verification phase: On receiving the login request {ID, TU, C2}, S and the SC execute the following operations:
(1) If either ID or TU is invalid or TS − TU ≤ 0, where TS denotes S’s current timestamp, S rejects U’s login request. Otherwise, S computes h(h(EID ⊕ x) ⊕ TU). If the computed result equals the received C2, S accepts U’s login request and computes C3 = h(h(EID ⊕ x) ⊕ h(TS)); otherwise, S rejects U’s login request.
(2) S → U: {TS, C3}.
(3) If either TS is invalid or TS = TU, U terminates this session. Otherwise, U computes h(C1 ⊕ h(TS)) and compares the result with the received C3. If they are equal, U successfully authenticates S.

2.1.4. Password change phase: This phase is invoked whenever U wants to replace his PW with a new one, say PWNEW.
(1) U inserts his SC into the smart card reader, enters ID and PW, and requests a password change.
(2) SC computes P* = R ⊕ h(b ⊕ PW) and V* = h(P* ⊕ h(PW)).
(3) SC verifies whether V* = V (stored). If so, U is allowed to enter PWNEW; otherwise SC rejects the password change request.
(4) SC computes RNEW = P* ⊕ h(b ⊕ PWNEW), which equals h(EID ⊕ x) ⊕ h(b ⊕ PWNEW), and replaces R with RNEW.
(5) SC computes VNEW = h(P* ⊕ h(PWNEW)), which equals h(h(EID ⊕ x) ⊕ h(PWNEW)), and replaces V with VNEW.

2.2. Security analysis of Hsiang-Shih’s scheme

2.2.1. Offline password guessing attack: Suppose that UA has obtained V, R, b and h(.) stored in the stolen SC by monitoring its power consumption [27] or by analyzing leaked information [28]. He can then test a candidate password PW*: he computes P* = R ⊕ h(b ⊕ PW*) and V* = h(P* ⊕ h(PW*)). If V* = V, then P* = P and PW* = PW. This procedure is repeated offline until the correct password PW is found. We claim that this is a serious security threat to the scheme [20], because if UA possesses the SC and successfully guesses the password of U, he can act as a legal user to access the services provided by S. Note that a successful guess also yields the shared secret P = h(EID ⊕ x).

2.2.2. Denial of service attack (DoS): If UA obtains the SC of U for a short time and successfully guesses the PW of U as described in 2.2.1, he can change the PW of U and then return the SC. Consequently U faces a DoS attack when he next logs in to S, as the PW has been changed without U’s knowledge.

2.2.3. Offline secret value guessing attack: We show that Hsiang-Shih’s scheme is vulnerable to the following offline guessing attack on the secret value h(EID ⊕ x) shared between U and S. Suppose UA intercepts and records a login request {ID, TU, C2 = h(C1 ⊕ TU)} of U, where C1 is none other than P = h(EID ⊕ x). UA selects a candidate value P*, computes h(P* ⊕ TU) and checks whether h(P* ⊕ TU) = C2, which implies P* = P. Note that this search ranges over the output space of h(.), so it is only practical when that space is small; the attack of 2.2.1 is the realistic way to obtain P, since it searches the much smaller password space and yields P as a by-product.

2.2.4. User impersonation attack: If UA has obtained the secret value P = h(EID ⊕ x) as described in 2.2.1 or 2.2.3, then for some previously intercepted login request {ID, TU, C2} UA can impersonate U to log in to S at TU* (> TU) by sending {ID, TU*, C2* = h(P ⊕ TU*)} to S, where TU* is a fresh timestamp. Since TU* is fresh, S accepts the login request sent by UA and believes it to come from U. Thus UA, who neither knows the PW nor possesses the SC of U, successfully logs in to S and enjoys the services (provided by S) meant for U.

2.2.5. Server impersonation attack: Suppose UA blocks the login request of U, computes C3* = h(P ⊕ h(TS*)) at TS* (> TU), where TS* is the current timestamp, and sends {TS*, C3*} to U in order to impersonate S. Since TS* is fresh, U accepts the message {TS*, C3*} sent by UA and believes it to come from S. Hence the scheme [20] does not provide mutual authentication once P is known.

2.2.6. Server’s secret key guessing attack: If UA has correctly obtained P = h(EID ⊕ x) (as described in 2.2.1 and 2.2.3) and knows the ID of U from some previously intercepted login message, then UA can attempt to guess the secret key x of S. Since EID = (ID || n), where n is a non-negative integer denoting the number of times U has re-registered with S, UA can guess a combination (n*, x*) and check whether h((ID || n*) ⊕ x*) = P. The domain of n is small, because U re-registers only when needed, so the search reduces to guessing x alone; the domain of x, however, is very large, and the attack is therefore practical only if x is chosen from a small space or is otherwise weak.

2.2.7. Password guessing attack through the password change phase: If UA steals or otherwise obtains the SC of U, he can guess the PW of U by initiating the password change phase. UA inserts the SC of U into the smart card reader, enters the ID of U (known to UA from some previously intercepted login request) and a guessed password PW*. If steps 2 and 3 of the password change phase succeed, the SC allows UA to enter a new PW, which means that PW* is the correct password of U; otherwise UA tries again.

2.2.8. Extended insider attack: During the registration phase U sends h(PW) and h(b ⊕ PW), where b is a random number, to S. An insider of S can guess the password of U offline from h(PW) and then impersonate U to access other servers. Once the password PW* has been guessed successfully, the insider can also guess the random number b*, compute h(b* ⊕ PW*) and check whether h(b* ⊕ PW*) = h(b ⊕ PW) (as sent). Therefore not only the password but also the value of the random number b can be recovered by the insider of S. Like the password, U may use the same random number b for different servers (as the design of the remote login authentication scheme permits).

2.2.9. Smart card forgery attack: Since in the login phase U is not verified by the SC, any false update of the values in the SC or change of the SC’s parameters goes undetected. If UA steals the SC of U and XORs a value X (say) into the stored R, the SC then contains {V, R ⊕ X, b, h(.)}, and UA returns the SC to U. When U next logs in to S, the SC computes C1* = R ⊕ X ⊕ h(b ⊕ PW) and C2* = h(C1* ⊕ TU). U then fails step 1 of the verification phase, because the value h(h(EID ⊕ x) ⊕ TU) computed by S is not equal to the sent C2*. So U suffers a denial of service due to the SC forgery.

2.2.10. Modification of account database attack: S creates an entry for each user in the ADB and stores n, the number of times the user has re-registered with S. UA may shuffle these values between different users or change the value of every user, causing the verification of U to fail and hence denying the services provided by S. This is because U’s SC embeds EID = (ID || n) with the exact value of n assigned by S during the registration phase, whereas the EID computed during the verification phase corresponds to the tampered value of n.

2.2.11. Drawback: During step 1 of the registration phase, U has to select a random number b and remember or record it until he receives his smart card from S, so that he can enter b into the smart card in step 6. Since b is a random number, it is not easy for U to remember it. If U records b by writing it on a slip of paper, he has to protect that slip of paper. Thus the registration process of Hsiang-Shih’s scheme is inconvenient for U.

III. REVIEW AND ANALYSIS OF KIM-CHUNG’S SCHEME

3.1. Review of Kim-Chung’s scheme

3.1.1. Registration phase: In this phase, the user U initially registers with S.
(1) U ⇒ S: {ID, PW}; U chooses his ID and PW and sends them over a secure communication channel to S.
(2) Upon receiving ID and PW, S derives K1 = h(ID ⊕ x) ⊕ N and K2 = h(ID ⊕ x ⊕ N) ⊕ h(PW ⊕ h(PW)), where N is a random number unique to the user U. Then S computes R = K1 ⊕ h(PW).
(3) S stores the secure information K1, K2, R and h(.) in the user’s SC.
(4) S ⇒ U: {SC}.

3.1.2. Login phase: In this phase, U sends a login request to S whenever U wants to access some resource on S.
(1) U inserts his SC into a smart card reader and then inputs his ID and PW.
(2) SC computes C1 = R ⊕ h(PW). If C1 ≠ K1 (stored), SC rejects U’s login request.
(3) Otherwise, SC computes C1* = K2 ⊕ h(PW ⊕ h(PW)), which equals h(ID ⊕ x ⊕ N), and C2 = h(C1* ⊕ TU), where TU denotes U’s current timestamp.
(4) U → S: {ID, TU, C1, C2}.

3.1.3. Verification phase: In this phase, S verifies the authenticity of the login message sent by U.
(1) If either ID is not valid or TU is not fresh, S aborts the current session. Otherwise, S computes N* = C1 ⊕ h(ID ⊕ x) and checks whether h(h(ID ⊕ x ⊕ N*) ⊕ TU) equals the received C2. If not, S terminates the current session. Otherwise, S successfully authenticates U and computes C3 = h(h(ID ⊕ x ⊕ N*) ⊕ C2 ⊕ TS), where TS is S’s current timestamp.
(2) S → U: {TS, C3}.
(3) On receiving {TS, C3}, U checks the freshness of TS. If TS is not fresh, U terminates the current session.
(4) Otherwise, U checks whether h(C1* ⊕ C2 ⊕ TS) equals the received C3. If not, U terminates the current session. Otherwise, U successfully authenticates S.

3.1.4. Password change phase: In this phase, the user U changes his password whenever he wants.
(1) U inserts his SC into a smart card reader and then types in his ID and PW.
(2) The SC computes K1* = R ⊕ h(PW) and compares K1* with the stored K1. If they are not equal, the SC rejects the password change request. Otherwise, U chooses a new password PWNEW.
(3) The SC then computes RNEW = K1* ⊕ h(PWNEW) and K2NEW = K2 ⊕ h(PW ⊕ h(PW)) ⊕ h(PWNEW ⊕ h(PWNEW)), and replaces R and K2 with RNEW and K2NEW respectively.

3.2. Security analysis of Kim-Chung’s scheme

3.2.1. Offline password guessing attack: Suppose that UA steals the SC of U and obtains the values K1, K2, R and h(.) stored in it. UA then guesses a password PW* for U, computes K1* = R ⊕ h(PW*) and checks whether K1* = K1 (stored), which implies PW* = PW. In other words, the check performed by the SC in step 2 of the login phase is an offline verifier for the password.
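As an added example (not code from [20], [25] or the authors of this paper), the following Python model implements the registration and login computations of Sections 2.1 and 3.1 with SHA-256 standing in for h(.), and then runs the offline password guessing attacks of 2.2.1 and 3.2.1 against the values read from a stolen card, followed by the user impersonation of 2.2.4 with the recovered P. The server key x, identity, random number b, user nonce N, timestamps and candidate wordlist are constructed for the demonstration; XOR operands are zero-padded to equal length, which is a choice of this model, not of the reviewed schemes.

```python
"""Added example, not from the paper: Hsiang-Shih [20] and Kim-Chung [25]
modelled with SHA-256 as h(.), plus the offline guessing attacks of 2.2.1 and
3.2.1 and the impersonation of 2.2.4. All inputs below are constructed."""
import hashlib


def h(*parts: bytes) -> bytes:
    """h(.) over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR; the shorter operand is zero-padded (a modelling choice)."""
    n = max(len(a), len(b))
    return bytes(p ^ q for p, q in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


# ---- Hsiang-Shih [20], Section 2.1 ---------------------------------------

def hs_register(ID: bytes, PW: bytes, b: bytes, n: int, x: bytes) -> dict:
    """2.1.1: S computes P, R, V for EID = (ID || n); U then stores b on the card."""
    EID = ID + b"||" + str(n).encode()
    P = h(xor(EID, x))
    return {"V": h(xor(P, h(PW))), "R": xor(P, h(xor(b, PW))), "b": b}


def hs_login(card: dict, ID: bytes, PW: bytes, TU: bytes) -> dict:
    """2.1.2: the card recovers C1 = P from R and sends {ID, TU, C2}."""
    C1 = xor(card["R"], h(xor(card["b"], PW)))
    return {"ID": ID, "TU": TU, "C2": h(xor(C1, TU))}


def hs_server_verify(req: dict, n: int, x: bytes) -> bool:
    """2.1.3 step (1): S recomputes h(h(EID ⊕ x) ⊕ TU); TU freshness is not modelled."""
    EID = req["ID"] + b"||" + str(n).encode()
    return h(xor(h(xor(EID, x)), req["TU"])) == req["C2"]


def hs_offline_guess(card: dict, candidates: list) -> tuple:
    """2.2.1: with V, R, b from the card, test each PW* via V* = h(P* ⊕ h(PW*)).
    A hit returns (PW, P): the attacker also learns the shared secret P."""
    for PW_star in candidates:
        P_star = xor(card["R"], h(xor(card["b"], PW_star)))
        if h(xor(P_star, h(PW_star))) == card["V"]:
            return PW_star, P_star
    return None, None


def hs_impersonate(ID: bytes, P: bytes, TU_star: bytes) -> dict:
    """2.2.4: knowing P, forge a login request at a fresh TU* without PW or the card."""
    return {"ID": ID, "TU": TU_star, "C2": h(xor(P, TU_star))}


# ---- Kim-Chung [25], Section 3.1 -----------------------------------------

def kc_register(ID: bytes, PW: bytes, N: bytes, x: bytes) -> dict:
    """3.1.1 step (2): K1 = h(ID ⊕ x) ⊕ N, K2 = h(ID ⊕ x ⊕ N) ⊕ h(PW ⊕ h(PW)), R = K1 ⊕ h(PW)."""
    K1 = xor(h(xor(ID, x)), N)
    K2 = xor(h(xor(xor(ID, x), N)), h(xor(PW, h(PW))))
    return {"K1": K1, "K2": K2, "R": xor(K1, h(PW))}


def kc_offline_guess(card: dict, candidates: list):
    """3.2.1: the card's own login check R ⊕ h(PW*) = K1 is an offline verifier."""
    for PW_star in candidates:
        if xor(card["R"], h(PW_star)) == card["K1"]:
            return PW_star
    return None


def demo() -> dict:
    """Runs both attacks on constructed data and reports what the attacker gains."""
    x = b"server-secret-x"                                     # constructed server key
    wordlist = [b"123456", b"password", b"qwerty", b"s3cret!"]  # constructed dictionary
    hs_card = hs_register(b"alice", b"s3cret!", b"rand-b", 0, x)
    PW, P = hs_offline_guess(hs_card, wordlist)
    forged = hs_impersonate(b"alice", P, b"2011-05-01T10:00:00Z") if P else None
    kc_card = kc_register(b"alice", b"s3cret!", b"user-nonce-N", x)
    return {
        "hs_password": PW,
        "hs_forged_login_accepted": bool(forged) and hs_server_verify(forged, 0, x),
        "kc_password": kc_offline_guess(kc_card, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

Both searches cost one or two hash evaluations per candidate, so they run at dictionary speed; the Hsiang-Shih branch additionally hands the attacker P, which is all the server checks in 2.1.3, so the forged request of 2.2.4 passes `hs_server_verify` without the password or the card.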


3.2.2. Denial of service (DoS) attack: If UA obtains the SC of U for a short time and successfully guesses the password of U as described in 3.2.1, he can change the password of U and then return the SC. Consequently U faces a DoS when he next logs in to S, as the PW has been changed without U’s knowledge.

3.2.3. Password guessing attack through the password change phase: If UA steals or otherwise obtains the SC of U, he can guess the password of U by initiating the password change phase. UA inserts the SC of U into the smart card reader, enters the ID of U (known to UA from some previously intercepted login request) and a guessed password PW*. If step 2 of the password change phase succeeds, the SC allows UA to enter a new password, which means that PW* is the correct password of U; otherwise UA tries again.

3.2.4. Insider attack: During the registration phase U sends PW to S, so an insider of S obtains the password of U directly and can impersonate U to access other servers. Here the insider of S does not even need to guess the password of U.

IV. PROPOSED SCHEME

To counter the weaknesses discussed above, we now propose an improved scheme; Fig. 1 shows the entire protocol structure of the scheme. The server maintains an account database (ADB) containing two main entries per user, the user’s identity (ID) and the user’s registration timestamp (TR). The ADB is signed by the private key of S. In addition, S routinely and frequently makes an offsite backup of the ADB, which we assume to be well protected. If any unauthorized modification of the ADB occurs, S detects it and restores the ADB from the offsite backup. The registration phase, the login phase, the verification phase, the password change phase and the revocation phase of the improved scheme are described as follows.

[Figure 1. Proposed Scheme: message flow between the user (smart card) and the server for the registration phase (U sends {ID}; S returns the SC holding C, D, E and h(.)), the login (password change) phase (the SC sends {n, e, TU, DID, C1}), the verification phase (S returns {TS, C2}; for even n both sides derive KSESS), the password change phase (for odd n the SC replaces C, D, E by CNEW, DNEW, ENEW) and the revocation phase (U reports the lost SC; S sets TR ← TC in the ADB and U re-registers with {ID}). The individual computations are those given in Sections 4.1 to 4.4.]

4.1. Registration phase: In this phase the user U initially registers or re-registers with the server S.
(1) U freely chooses his identity ID.
(2) U ⇒ S: {ID}.
(3) On receiving U’s registration request at time T, S checks whether U is already a registered user. If it is U’s initial registration, S creates an entry for U in the ADB and stores ID and TR = T in it. Otherwise S updates the value of TR to T in the existing entry for U. Next S computes Q = h(EID ⊕ x), where EID = (ID || TR), V = h(PW0 || ID), C = Q ⊕ V, D = h(Q || PW0 || ID) ⊕ V and E = k ⊕ V, where PW0 is the default password known to U.
(4) S ⇒ U: {SC}; a SC containing C, D, E and h(.).
(5) On receiving the SC, U sets a PIN (Personal Identification Number) for activating his SC and is required to replace his default password PW0 with his own selected password PW by invoking the password change phase.
Note: If U suspects any tampering with the SC (compromise of the values stored in it), he can re-register with S using his ID.

4.2. Login (password change) phase: If U wishes to log in to S (or to change his PW), he inserts his SC into the smart card reader of a terminal, enters the PIN to activate his SC and then inputs his ID and PW. Then the SC performs the following steps:


(1) Sets n to an even integer for a login request or to an odd integer for a password change request.
(2) Computes V = h(PW || ID), then retrieves h(Q || PW || ID) = D ⊕ V and Q = C ⊕ V.
(3) Computes h(Q || PW || ID) and compares the retrieved and computed values of h(Q || PW || ID); if they are unequal, the SC rejects U’s login (password change) request. Otherwise:
(4) Generates a random number r, computes e = Q ⊕ r and retrieves k = E ⊕ V.
(5) Acquires the current timestamp TU and computes DID = ID ⊕ h(r || k || TU) and C1 = h(n || Q || r || TU || ID).
(6) U → S: {n, e, TU, DID, C1}.
Note: If U enters an incorrect PIN more than three times, the SC stops working and indicates that re-registration is needed.

4.3. Verification phase: After the login (password change) request {n, e, TU, DID, C1} is received, S and the SC execute the following operations:
(1) S verifies the freshness of TU; if this fails, S rejects U’s request. Otherwise S computes Q = h(EID ⊕ x) and retrieves r = e ⊕ Q and ID = DID ⊕ h(r || k || TU). Note that Q depends on EID = (ID || TR), while ID itself is only recovered from DID once r, and hence Q, is known; since the request carries no identifier in the clear, S has to compute Q for each entry of the ADB and test the recovered ID against that entry, at a cost of one evaluation of h(.) per candidate entry.
(2) S checks the validity of ID; if this fails, S rejects U’s request. Otherwise S computes C1* = h(n || Q || r || TU || ID).
(3) If C1* ≠ C1, S rejects U’s request. Otherwise S computes C2 = h(C1 || TS || Q || ID), where TS is the current timestamp.
(4) S → U: {TS, C2}.
(5) If n is even, S computes KSESS = h(C2 || TS || Q || ID || k).
On receiving {TS, C2}, the SC of U performs the following:
(6) Verifies the freshness of TS; if this fails, it gives up the request. Otherwise it computes C2* = h(C1 || TS || Q || ID).
(7) If C2* ≠ C2, it gives up the request. Otherwise, for an even n, it computes KSESS = h(C2 || TS || Q || ID || k), the session key for securing subsequent communication with S, and continues the current session. For an odd n:
(8) It asks U to input his ID and new password PWNEW.
(9) It computes CNEW = Q ⊕ h(PWNEW || ID), DNEW = h(Q || PWNEW || ID) ⊕ h(PWNEW || ID) and ENEW = k ⊕ h(PWNEW || ID).
(10) It replaces C, D and E with CNEW, DNEW and ENEW respectively.

4.4. Revocation phase: If U loses his SC, he securely informs S about the loss. S then replaces TR with the current timestamp TC in the ADB, which immediately revokes U’s access authority and so protects U. Later the revoked user U may re-register with S without changing his ID.

V. SECURITY AND ACHIEVEMENTS ANALYSIS OF THE PROPOSED SCHEME

5.1. Security analysis

5.1.1. Resistance to offline password guessing attack
(1) Possessing the smart card of U: Suppose UA is in possession of the SC of U and obtains the secret information stored inside it. He still cannot guess the PW of U, because the values C, D and E stored in the SC are constructed in such a way that no combination of them (XORing any two or all three) yields a value useful for guessing the password. Moreover, UA knows neither the ID of U nor Q (the shared secret between U and S) nor the secret key k of S, which he would need in order to even start guessing U’s password.
(2) Intercepting the login (password change) request of U or the response message of S: The login (password change) request {n, e, TU, DID, C1 = h(n || Q || r || TU || ID)} does not contain any password information, but since Q = C ⊕ h(PW || ID), the value C1 = h(n || (C ⊕ h(PW || ID)) || r || TU || ID) might be used to guess the PW. However, C is kept inside the SC, and ID and r do not travel openly over the insecure network (they are embedded in DID and e respectively). UA cannot retrieve r without knowing Q, which is nowhere openly available. Although TU and n can be intercepted from the network, the PW in C1 cannot be guessed without knowing C (or Q), ID and r (or Q). For similar reasons the password cannot be guessed from the response message {TS, C2 = h(C1 || TS || Q || ID)} sent by S to U during the verification phase.
(3) Also, the way the SC checks the password of U during the login (password change) phase, together with the values stored in the SC, does not contribute to guessing the password, because the value h(Q || PW || ID) (whose retrieved and computed values are compared) is neither stored alone in the SC (it is embedded in D) nor travels over the insecure network. This argument rests on ID being unknown to UA: with C and D extracted from the SC, a candidate pair (ID*, PW*) can be tested offline by exactly the comparison the SC performs in step 3 of Section 4.2, so the resistance to offline guessing is bounded by the joint entropy of ID and PW, and an identity learned elsewhere reduces it to that of PW alone.

5.1.2. Resistance to insider attack: If U’s PW were revealed to S during the registration phase, an insider of S could impersonate U to access other servers if U uses the same PW for them. In the registration phase of the proposed scheme, U sends only his identity ID to S, so PW is not revealed to S. In addition, U is required to replace the default PW0 with his own selected PW. Since the insider cannot obtain PW, the improved scheme withstands the insider attack.

5.1.3. Resistance to parallel session and reflection attack: The parallel session attacks in [4,11] and the reflection attacks in [5] result from symmetric computation of the response messages at the two ends, S and SC. In our scheme, suppose UA wants to mount a parallel session attack by initiating a parallel session when U sends his login request to S. When U sends the login (PW change) request {n, e, TU, DID, C1} to S, UA sends either {n, e, TU, DID, C1} or {n, e, TU*, DID, C1}, where TU* > TU. In the former case the replayed request is detected by S because of the timestamp, so S sends no response corresponding to UA’s replay, and consequently UA has no opportunity to send a fabricated message to fool U. In the latter case the parallel session attack is detected by the check C1* = C1: because of the timestamp TU in the sent C1 and the timestamp TU* in the computed C1*, C1* and C1 differ. For similar reasons the same attempt to fool U and S cannot succeed with the response message {TS, C2} sent by S to U. Thus, owing to the timestamps and the asymmetric construction of the messages C1 and C2, our scheme withstands these two kinds of attacks.

5.1.4. Resistance to replay attack: Since our scheme uses timestamps, during the verification phase the server checks the freshness of each login (PW change) request message to prevent replay, as Ku-Chen’s scheme [9] does. Besides this, the login message C1 and the response message C2 are designed to defeat replay: C1, created by the SC, contains the fresh timestamp TU, and C2, created by the server, contains the fresh C1. A replayed C2 containing an old C1 will never pass the check performed by the SC.

5.1.5. Resistance to smart card forgery attack: The smart card cannot be forged because of the following facts:
• The SC is activated by a PIN known only to U.
• If the PIN is entered incorrectly more than three times, the SC stops working and indicates that re-registration is needed.
• In step 3 of the login (password change) phase U is authenticated by the SC itself.

5.1.6. Resistance to man-in-the-middle attack: Suppose UA attempts a man-in-the-middle attack by altering the login (password change) request {n, e, TU, DID, C1} into {n, e*, TU, DID*, C1*}. This alteration requires knowledge of Q, k and ID, so the attempt is useless. Similarly, UA cannot alter the response message {TS, C2} into {TS*, C2*}.

5.1.7. Resistance to the server’s secret key (x) guessing attack: The secret key x of the server cannot be disclosed even if the SC is lost or stolen. The values C, D and E stored inside the SC are built from four factors: TR, x, PW and ID. Owing to the one-way hash function, UA cannot guess any one of these without knowing the remaining ones.
Another situation is eavesdropping, by intercepting a login (password change) request {n, e, TU, DID, C1}. In this message e, DID and C1 reveal nothing to UA, because producing any of them would require guessing the four values r, ID, k and Q simultaneously and exactly.

5.1.8. Resistance to denial of service attack: Even if the smart card is lost, UA cannot update the SC of U with false verification information or a false password for the next login, for the reasons explained in 5.1.5. Moreover, to change the password the SC of U must first successfully complete the entire verification phase involving S, and only then does it change the PW within itself, without any contribution of S. Therefore, unlike in the schemes [20,25], multiple repeated wrong attempts by UA are not possible in our scheme. Thus it withstands the denial of service attack.

5.1.9. Resistance to impersonation attacks: Suppose UA has recorded one of U’s previous login messages, say {n, e, TU, DID, C1}. If UA knew Q, ID and k, he could select a random number r*, compute e* = Q ⊕ r*, DID* = ID ⊕ h(r* || k || TU*) and C1* = h(n || Q || r* || TU* || ID) at the current timestamp TU*, and send the forged login message {n, e*, TU*, DID*, C1*} to S. Next UA could intercept the message {TS, C2 = h(C1* || TS || Q || ID)} sent back by S to U, forge it as C2* = h(C1* || TS* || Q || ID), where TS* is the current timestamp when the forgery is done, and send {TS*, C2*} to U, fooling both U and S. However, since UA knows neither Q, ID nor k, he cannot fool U or S. Besides, direct replay of the recorded login and response messages does not work, as discussed in 5.1.4.

5.1.10. Resistance to modification of account database (ADB) attack: In our scheme, S maintains an ADB which contains the users’ identities and registration timestamps. If UA tampers with the ADB of S in any way, S detects it, because the ADB is signed by the private key of S and is regularly verified by S. In addition, S routinely and frequently makes an offsite backup of the ADB. If S detects any unauthorized modification of the ADB, S restores the ADB from the offsite backup, which is assumed to be well protected. Thus the proposed scheme withstands the modification of ADB attack.

5.2. Achievements of the proposed scheme

5.2.1. Freely choosing and securely changing password: In some remote authentication schemes, as in [9,16], strong passwords are assigned to users by the servers. These passwords are usually too long (1024 bits or more) to remember. In our scheme users can freely choose their own (easy to remember) passwords. In addition, our scheme is more secure in changing passwords and withstands DoS. It provides the password change phase with the help of server verification, yet users can change their passwords at will without letting S know their password. This is unlike the insecure password change procedure in [8,11,17] and the procedure in [20,25] that invites password guessing and denial of service attacks.

5.2.2. Efficiency and practicability: The SC needs only six hash operations during the login (PW change) phase, the verification phase and the session key generation. Owing to this low computation cost in the SC, our scheme guarantees user efficiency. Also, S uses only five hash operations, so server efficiency is guaranteed as well. These low computation costs on both the SC and S make the scheme efficient and practical.
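As an added example (not the authors’ code), the following Python model runs the proposed scheme of Section 4 end to end with SHA-256 as h(.): the initial password change of 4.1 step (5) with odd n, a login with even n in which both sides derive the same KSESS, the card-local check of 4.2 step (3) against a wrong password and against a card whose C has been overwritten, revocation by updating TR as in 4.4, and a count of the h(.) evaluations on each side, which the model uses to check the six and five operations claimed in 5.2.2. Section 4.3 does not specify how S selects the ADB entry before ID has been recovered from DID, so the model tries each entry in turn. The keys, identity, PIN, passwords and timestamps are constructed; r is drawn with os.urandom; the ADB signature and the timestamp freshness checks are omitted, and the zero-padding of XOR operands is a choice of this model.

```python
"""Added example, not from the paper: the proposed scheme (Section 4) with SHA-256
as h(.). Keys, identity, PIN, passwords and timestamps are constructed; the ADB
signature and timestamp freshness checks are left out."""
import hashlib
import os

H = 32            # digest length; server keys are padded to H so that XOR round-trips exactly
HASH_CALLS = [0]  # counts h(.) evaluations, to check the operation counts of 5.2.2


def h(*parts: bytes) -> bytes:
    """h(a || b || ...); a deployed card would use fixed-width fields, not a separator."""
    HASH_CALLS[0] += 1
    return hashlib.sha256(b"||".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR, zero-padding the shorter operand (ID ⊕ h(.), k ⊕ V, ...)."""
    n = max(len(a), len(b))
    return bytes(p ^ q for p, q in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


class Server:
    def __init__(self, x: bytes, k: bytes):
        self.x, self.k = x.ljust(H, b"\0"), k.ljust(H, b"\0")  # two permanent secret keys
        self.adb = {}                                           # ID -> TR

    def _Q(self, ID: bytes) -> bytes:
        return h(xor(ID + b"||" + self.adb[ID], self.x))       # Q = h(EID ⊕ x), EID = (ID || TR)

    def register(self, ID: bytes, T: bytes, PW0: bytes = b"default") -> dict:
        """4.1: record TR = T and issue a card {C, D, E} under the default password PW0."""
        self.adb[ID] = T
        Q, V = self._Q(ID), h(PW0, ID)
        return {"C": xor(Q, V), "D": xor(h(Q, PW0, ID), V), "E": xor(self.k, V)}

    def verify(self, msg: tuple, TS: bytes):
        """4.3 steps (1)-(5): returns (TS, C2, KSESS) or None; TU freshness assumed checked."""
        n, e, TU, DID, C1 = msg
        for ID in self.adb:                         # the text does not say how S picks the entry
            Q = self._Q(ID)
            r = xor(e, Q)
            if xor(DID, h(r, self.k, TU)).rstrip(b"\0") != ID:
                continue                            # step (2): recovered ID does not match
            if h(str(n).encode(), Q, r, TU, ID) != C1:
                return None                         # step (3): C1* != C1
            C2 = h(C1, TS, Q, ID)
            return TS, C2, (h(C2, TS, Q, ID, self.k) if n % 2 == 0 else None)
        return None


class SmartCard:
    def __init__(self, card: dict, pin: bytes):
        self.C, self.D, self.E = card["C"], card["D"], card["E"]
        self.pin, self.bad_pins = pin, 0

    def login(self, pin: bytes, ID: bytes, PW: bytes, n: int, TU: bytes):
        """4.2: PIN gate, local check of step (3), then {n, e, TU, DID, C1}; None if rejected."""
        if self.bad_pins > 3:
            return None                             # card disabled, re-registration needed
        if pin != self.pin:
            self.bad_pins += 1
            return None
        V = h(PW, ID)
        Q = xor(self.C, V)
        if xor(self.D, V) != h(Q, PW, ID):
            return None                             # wrong ID/PW, or tampered C or D
        k, r = xor(self.E, V), os.urandom(H)
        C1 = h(str(n).encode(), Q, r, TU, ID)
        self.state = (n, Q, ID, k, C1)              # kept until the response of S arrives
        return n, xor(Q, r), TU, xor(ID, h(r, k, TU)), C1

    def finish(self, TS: bytes, C2: bytes, PWNEW: bytes = None):
        """4.3 steps (6)-(10): authenticate S, then KSESS (even n) or a local password change."""
        n, Q, ID, k, C1 = self.state
        if h(C1, TS, Q, ID) != C2:
            return None
        if n % 2 == 0:
            return h(C2, TS, Q, ID, k)
        V = h(PWNEW, ID)
        self.C, self.D, self.E = xor(Q, V), xor(h(Q, PWNEW, ID), V), xor(k, V)
        return b"changed"


def demo() -> dict:
    S = Server(x=b"server-key-x", k=b"server-key-k")
    sc = SmartCard(S.register(b"alice", b"2011-05-01T09:00:00Z"), pin=b"1234")
    TS, C2, _ = S.verify(sc.login(b"1234", b"alice", b"default", 1, b"T1"), b"T2")
    changed = sc.finish(TS, C2, PWNEW=b"c0rrect-h0rse") == b"changed"   # 4.1 step (5)
    HASH_CALLS[0] = 0
    msg = sc.login(b"1234", b"alice", b"c0rrect-h0rse", 2, b"T3")          # even n: login
    card_calls, HASH_CALLS[0] = HASH_CALLS[0], 0
    TS, C2, K_server = S.verify(msg, b"T4")
    server_calls, HASH_CALLS[0] = HASH_CALLS[0], 0
    K_card = sc.finish(TS, C2)
    card_calls += HASH_CALLS[0]
    wrong_pw = sc.login(b"1234", b"alice", b"guess", 4, b"T5")
    tampered = SmartCard({"C": xor(sc.C, b"X"), "D": sc.D, "E": sc.E}, b"1234")
    forged = tampered.login(b"1234", b"alice", b"c0rrect-h0rse", 4, b"T6")
    S.adb[b"alice"] = b"2011-06-01T12:00:00Z"                  # 4.4: TR <- TC revokes the card
    revoked = S.verify(sc.login(b"1234", b"alice", b"c0rrect-h0rse", 6, b"T7"), b"T8")
    return {"pw_changed": changed, "keys_match": K_card is not None and K_card == K_server,
            "card_hashes": card_calls, "server_hashes": server_calls,
            "wrong_pw_rejected": wrong_pw is None, "tampered_rejected": forged is None,
            "revoked_rejected": revoked is None}
```

Running `demo()` gives six hash evaluations on the card and five on the server with a single ADB entry; every additional registered user costs the server one more evaluation of Q in the search loop of `verify`, which is the price of sending no identifier in the clear.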


validation of S because only S and U know Q. Thus S believes that U is a valid user. Similarly, S sends C2 as a response message to U's SC for authentication. Because C2 contains the shared secret Q, the fresh challenge C1 and the ID of the valid user, it will pass the validation of U's SC. Thus U believes S is a legal server.

5.2.4. Session key agreement: Unlike in [20,25], our scheme provides a session key agreement during the verification phase. A session key KSESS = h(C2 || TS || Q || ID || k) is generated by both S and U. Since C2 contains C1, which in turn contains TU, KSESS will be different for each login session. Since Q and k cannot be retrieved and ID and PW are known only to U, KSESS will not be known by UA. Thus U and S can securely use KSESS to encrypt and decrypt subsequent messages.

5.2.5. Anonymity of user: Whenever U wants to login, the SC computes a dynamic identity DID = ID ⊕ h(r || k || TU) for U. DID is different for each login (password change) request since the time stamp TU (recorded from the terminal) and the random number r (generated by the SC) are different at each request, and hence h(r || k || TU) acts as a session key to hide U's ID during the transmission of the login (password change) request. Since the correct r can only be retrieved from e by one knowing the correct Q, and the correct k can only be retrieved by the legal user's SC, UA cannot obtain the ID of U from the DID contained in the intercepted request. Suppose UA has intercepted a login request and possesses U's SC; he may then try to use the SC to derive U's ID from DID ⊕ (DID* ⊕ ID*), where ID* is a forged identity provided by UA to the SC and DID* is computed by the SC and can be intercepted by UA. This is so because DID ⊕ ID = h(r || k || TU) = DID* ⊕ ID*. Although the time stamp TU can be provided from outside by UA to the SC, the random number r cannot be supplied by UA: it must be generated by the SC itself, and k is retrieved by the SC itself. Thus the user is anonymous in our scheme.

5.2.6. Revocation facility: The value TR is protected in C and D stored inside U's SC. On loss or theft of the SC, or whenever essential, S revokes the SC of U by replacing the stored TR with the current time stamp TC. Since the revoked SC contains TR, the SC will not pass the verification phase performed by S. However, U's account is still kept in the database, so U can re-register to S to obtain a new SC with a new timestamp.

5.2.7. Easily reparable: If U finds or suspects that V = h(PW || ID) or Q = h(EID ⊕ x) has been compromised, he can change his password or re-register to S by submitting his identity. Upon receiving U's registration request at TC, S updates the value of TR with the current time stamp TC in the existing entry for U and then computes QNEW = h(EIDNEW ⊕ x), CNEW = QNEW ⊕ h(PW0 || ID), DNEW = h(QNEW || PW0 || ID) ⊕ h(PW0 || ID) and ENEW = k ⊕ h(PW0 || ID), where EIDNEW = (ID || TC) and PW0 is the default password known to U. Next S stores {CNEW, DNEW, ENEW, h(.)} in U's new SC. After receiving this new SC from S, U is required to set the PIN for activating his SC and is required to change his default password PW0 to his own selected password PWNEW by invoking the password change phase. U can securely log in to S by using his new SC and PWNEW. From then on the compromised Q and V are revoked automatically, that is, any login request of UA derived from Q and V will be rejected. Thus our scheme is easily reparable.

5.2.8. Secret key forward secrecy: If S's secret key x is revealed through some accident, then S must re-initialize the secret key x as the new system parameter. However, even with the revealed key x, UA cannot compute Q = h(EID ⊕ x) = h((ID || TR) ⊕ x) and the verification factors e = Q ⊕ r, DID = ID ⊕ h(r || k || TU) and C1 = h(n || Q || r || TU || ID), as UA does not know k, the legitimate user's registration timestamp TR, or ID. Therefore, in our scheme, UA cannot impersonate legal users using the revealed key x, unlike in [29].

5.2.9. Perfect forward secrecy: Suppose UA has intercepted all of U's transmitted and received messages {n, e, TU, DID, C1, TS, C2} and has obtained the shared secret Q by some means. Then UA can compute r = e ⊕ Q, but to create a valid login request UA must know the ID of U and the secret key k of S. For similar reasons UA cannot learn KSESS = h(C2 || TS || Q || ID || k). Thus our scheme can provide forward secrecy [30].

VI. COMPARISON WITH OTHER RELATED SCHEMES

In this section we evaluate our proposed scheme by comparing it with other related schemes [17,20,24,25] in terms of security features, achievements and computational complexity, given by Table 1, Table 2 and Table 3 respectively.

TABLE 1. COMPARISON OF SECURITY FEATURES

Attacks ↓ / Schemes →            Yoon et al.'s  Yoon-Yoo's  Hsiang-Shih's  Kim-Chung's  Ours
Offline password guessing        Yes            Yes         Yes            Yes          No
Insider attack                   No             Yes         Yes            Yes          No
Parallel session and reflection  Yes            No          No             No           No
Replay attack                    No             No          No             No           No
Smart card forgery attack        Yes            No          Yes            No           No
Man-in-the-middle attack         No             No          No             No           No
Server's secret key guessing     Yes            Yes         Yes            No           No
Denial of service attack         Yes            Yes         Yes            Yes          No
Impersonation attacks            Yes            Yes         Yes            No           No
Modification of ADB attack       Yes            Yes         Yes            No           No
Smart card loss attack           Yes            Yes         Yes            Yes          No
PW guessing in PW change         Yes            Yes         Yes            Yes          No
Offline secret value guessing    Yes            Yes         Yes            No           No

TABLE 2. COMPARISON OF ACHIEVEMENTS

Achievements ↓ / Schemes →       Yoon et al.'s  Yoon-Yoo's  Hsiang-Shih's  Kim-Chung's  Ours
Freely choose & change PW        Yes            Yes         Yes            Yes          Yes
Mutual authentication            No             No          No             Yes          Yes
Session key agreement            No             No          No             No           Yes
User anonymity                   No             No          No             No           Yes
Revocation facility              No             No          No             No           Yes
Reparability                     Yes            Yes         Yes            Yes          Yes
Secret key forward secrecy       No             No          No             No           Yes
Perfect forward secrecy          No             No          No             No           Yes

TABLE 3. COMPARISON OF COMPUTATIONAL COMPLEXITY (H = one hash operation)

Phases & entities ↓ / Schemes →  Yoon et al.'s  Yoon-Yoo's  Hsiang-Shih's  Kim-Chung's  Ours
Registration phase               2H             1H          4H             4H           3H
SC (excluding PW change)         5H             2H          4H             4H           6H
S                                1H             2H          4H             4H           5H
SC (in PW change only)           2H             -           6H             4H           2H
Total                            10H            5H          18H            16H          16H

Journal of Applied Computer Science & Mathematics, no. 11 (5) /2011, Suceava
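To make the quantities of Sections 5.2.4 to 5.2.8 concrete, here is an added worked example in Python; it is not code from the paper and not the authors' implementation. It instantiates h(.) with SHA-256, the card values C, D, E, the login message {n, e, TU, DID, C1} and the session key KSESS as written above. Several details that this section does not fix are assumptions made here and marked in the comments: fixed-width 16-byte encodings of ID, PW and timestamps (so that (ID || TR) ⊕ x and ID ⊕ h(.) are well defined), the card using D as a local check of the entered password, the nonce n as a card-generated value, S being handed the candidate ID behind an anonymous request, and the form C2 = h(Q || C1 || ID || TS), chosen only so that C2 carries Q, C1 and ID as 5.2.3 requires.

```python
# Added worked example, not code from the paper: a toy instantiation of the
# card values and login/session-key quantities named in Sections 5.2.4-5.2.8.
# h(.) is SHA-256. Fixed-width encodings, the card's use of D to check the
# entered password, the nonce n, and the form of C2 are assumptions made here.
import hashlib
import secrets
from typing import Dict, NamedTuple, Optional, Tuple

HLEN = 32  # SHA-256 digest length; every XOR operand is HLEN bytes


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != HLEN or len(b) != HLEN:
        raise ValueError("XOR operands must be HLEN bytes")
    return bytes(p ^ q for p, q in zip(a, b))


def field(s: str) -> bytes:
    """Assumption: ID, PW and timestamps are 16-byte zero-padded fields, so
    EID = (ID || TR) is HLEN bytes and can be XORed with x."""
    return s.encode()[:16].ljust(16, b"\0")


def wide(s: str) -> bytes:
    """ID widened to HLEN so that DID = ID XOR h(.) is well defined (assumption)."""
    return field(s) + b"\0" * 16


class Card(NamedTuple):
    C: bytes
    D: bytes
    E: bytes


def server_q(ID: str, TR: str, x: bytes) -> bytes:
    """Q = h(EID XOR x), EID = (ID || TR). Replacing TR by TC (5.2.6/5.2.7) changes Q."""
    return h(xor(field(ID) + field(TR), x))


def register(ID: str, TR: str, PW0: str, x: bytes, k: bytes) -> Card:
    """S writes C, D, E into the card as in 5.2.7 (PW0 is the default password)."""
    Q, v = server_q(ID, TR, x), h(field(PW0), field(ID))  # v = h(PW0 || ID)
    return Card(C=xor(Q, v), D=xor(h(Q, field(PW0), field(ID)), v), E=xor(k, v))


def card_open(card: Card, ID: str, PW: str) -> Optional[Tuple[bytes, bytes]]:
    """Unmask (Q, k) with the entered ID/PW. Checking the result against D is an
    assumption about the card; the paper only states that TR is protected in C and D."""
    v = h(field(PW), field(ID))
    Q = xor(card.C, v)
    if xor(card.D, v) != h(Q, field(PW), field(ID)):
        return None  # wrong ID/PW: no usable Q or k leaves the card
    return Q, xor(card.E, v)


def login_request(Q: bytes, k: bytes, ID: str, TU: str,
                  r: Optional[bytes] = None, n: Optional[bytes] = None) -> Dict[str, bytes]:
    """Card builds the login message {n, e, TU, DID, C1}: e = Q XOR r,
    DID = ID XOR h(r || k || TU), C1 = h(n || Q || r || TU || ID). r must come from
    the card's own RNG (5.2.5); r and n are parameters here only for deterministic tests."""
    r = r or secrets.token_bytes(HLEN)
    n = n or secrets.token_bytes(HLEN)
    return {"n": n, "e": xor(Q, r), "TU": field(TU),
            "DID": xor(wide(ID), h(r, k, field(TU))),
            "C1": h(n, Q, r, field(TU), field(ID))}


def id_from_did(DID: bytes, DID_star: bytes, ID_star: str) -> bytes:
    """DID XOR (DID* XOR ID*) from 5.2.5: equals ID only when both requests share r and TU."""
    return xor(DID, xor(DID_star, wide(ID_star)))[:16].rstrip(b"\0")


def session_key(C2: bytes, TS: str, Q: bytes, ID: str, k: bytes) -> bytes:
    """KSESS = h(C2 || TS || Q || ID || k), computed by both U's card and S."""
    return h(C2, field(TS), Q, field(ID), k)


def server_verify(msg: Dict[str, bytes], ID: str, TR: str, TS: str,
                  x: bytes, k: bytes) -> Optional[Tuple[bytes, bytes]]:
    """S recomputes Q from its record, recovers r = e XOR Q and checks DID and C1.
    How S locates U's record behind an anonymous DID is outside this section, so
    the candidate ID is passed in. C2 = h(Q || C1 || ID || TS) is an assumed form."""
    Q = server_q(ID, TR, x)
    r = xor(msg["e"], Q)
    if msg["DID"] != xor(wide(ID), h(r, k, msg["TU"])):
        return None
    if msg["C1"] != h(msg["n"], Q, r, msg["TU"], field(ID)):
        return None
    C2 = h(Q, msg["C1"], field(ID), field(TS))
    return C2, session_key(C2, TS, Q, ID, k)


def card_finish(Q: bytes, k: bytes, ID: str, C1: bytes, C2: bytes, TS: str) -> Optional[bytes]:
    """Card checks S's response C2 (same assumed form) and derives KSESS."""
    if C2 != h(Q, C1, field(ID), field(TS)):
        return None
    return session_key(C2, TS, Q, ID, k)
```

Two properties of the text are easy to see by running this: a request built from a card whose TR has since been replaced by TC fails `server_verify` because Q no longer matches (the revocation of 5.2.6), and `id_from_did` recovers ID only when two requests share the same r and TU, which is exactly why 5.2.5 insists that r is drawn inside the card and never supplied from outside.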

For the computational complexity we do not count much cheaper operations such as the exclusive-OR operation and string concatenation. None of the compared schemes uses the expensive symmetric encryption (decryption) or the much more expensive exponential function. All these schemes use some or all of the following functions: hash functions, exclusive-OR operation, timestamps, string concatenation and random number generation. Only our scheme provides session key agreement and achieves more security features than the other schemes, yet the cost of computation on both SC and S is remarkably low. Thus our scheme is more secure, achieves more and maintains low computational complexity.

VII. CONCLUSION

In this paper, we presented the cryptanalysis of two password authentication schemes based on smart cards. We showed that they are both vulnerable to the offline password guessing attack, provided that the information stored in the smart card is revealed, and to the insider attack, the denial of service attack and some other attacks (sub attacks). We proposed an improved remote user authentication scheme using smart cards which not only carries the advantages and withstands the security pitfalls of the two analyzed schemes but also achieves features like freely choosing and securely changing passwords, mutual authentication, session key generation, user anonymity, revocation facility, reparability, secret key forward secrecy and perfect forward secrecy. We also evaluated our scheme by comparing it with some related schemes in terms of security features, achievements and computational complexity. Our scheme is more secure, achieves more and maintains low computational complexity.

REFERENCES

[1] C.C. Chang, T.C. Wu, Remote password authentication with smart cards, IEE Proceedings-E 138 (3) (1991) pp. 165-168.
[2] L. Lamport, Password authentication with insecure communication, Communications of the ACM, vol. (24) (1981) pp. 770-772.
[3] H.Y. Chien, C.H. Chen, A remote authentication scheme preserving user anonymity, In Proc. 19th Inter. Conf. Advanced Information Netw. and Applications, Taipei, Taiwan, (2005) pp. 245-248.
[4] H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication: smart card, Comp. Security, vol. (21) (2002) pp. 372-375.
[5] M.L. Das, A. Saxena, V.P. Gulati, A dynamic ID-based remote user authentication scheme, IEEE Trans. on Cons. Elect., vol. (50) (2004) pp. 629-631.
[6] C.I. Fan, Y.C. Chan, Z.K. Zhang, Robust remote authentication scheme with smart cards, Computer Security, vol. (24) (2005) pp. 619-628.
[7] C.L. Hsu, Security of Chien et al.'s remote user authentication scheme using smart cards, Comp. Stand. Interf., vol. (26) (2004) pp. 167-169.
[8] M.S. Hwang, C.C. Lee, Y.L. Tang, A simple remote user authentication scheme, Math. Comput. Model., vol. (36) (2002) pp. 103-107.
[9] M.S. Hwang, L.H. Li, A new remote user authentication scheme using smart cards, IEEE Trans. on Cons. Elect., vol. (46) (2000) pp. 28-30.
[10] W.S. Juang, Efficient password authenticated key agreement using smart cards, Comp. Security, vol. (23) (2004) pp. 167-173.
[11] W.C. Ku, S.M. Chen, Weakness and improvements of an efficient password based remote user authentication scheme using smart cards, IEEE Trans. on Consumer Elect., vol. (50) (2004) pp. 204-207.
[12] I.E. Liao, C.C. Lee, M.S. Hwang, A password authentication scheme over insecure networks, Comp. Syst. Sci., vol. (72) (2006) pp. 727-740.
[13] H.T. Liaw, J.F. Lin, W.C. Wu, An efficient and complete remote user authentication scheme using smart cards, Math. Comput. Model., vol. (44) (2006) pp. 223-228.
[14] W.G. Shieh, W.B. Horng, An improvement of Liaw-Lin-Wu's efficient and complete remote mutual authentication with smart cards, WSEAS Trans. Info. Sci. Appl., vol. (4) (2007) pp. 1200-1205.
[15] W.G. Shieh, J.M. Wang, Efficient remote mutual authentication and key agreement, Comput. Security, vol. (25) (2006) pp. 72-77.
[16] H.M. Sun, An efficient remote user authentication scheme using smart cards, IEEE Trans. on Cons. Elect., vol. (46) (2000) pp. 958-961.
[17] E.J. Yoon, E.K. Ryu, K.Y. Yoo, Further improvement of an efficient password based remote user authentication scheme using smart cards, IEEE Trans. on Cons. Electronics, vol. (50) (2004) pp. 612-614.
[18] C. Mitchell, Limitations of challenge-response entity authentication, Electronics Letters 25 (17) (1989) pp. 1195-1196.
[19] W.C. Ku, C.M. Chen, H.L. Lee, Cryptanalysis of a variant of Peyravian-Zynic's password authentication scheme, IEICE Trans. on Communication E 86-B (5) (2003) pp. 1682-1684.
[20] H.C. Hsiang, W.K. Shih, Weaknesses and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards, Computer Communications, vol. (32) (2009) pp. 649-652.
[21] X. Duan, J.W. Liu, Q. Zhang, Security improvement on Chien et al.'s remote user authentication scheme using smart cards, The 2006 IEEE International Conference on Computational Intelligence and Security (CIS 2006) 2 (2006) pp. 1133-1135.
[22] S. Lee, H. Kim, K. Yoo, Improved efficient remote user authentication scheme using smart cards, IEEE Trans. on Cons. Elect., vol. 50 (2) (2004) pp. 565-567.
[23] S. Lee, H. Kim, K. Yoo, Improvement of Chien et al.'s remote user authentication scheme using smart card, Computer Standards & Interfaces, vol. (27) (2004) pp. 181-183.
[24] E. Yoon, K. Yoo, More efficient and secure remote user authentication scheme using smart cards, In Proc. of 11th International Conf. on Parallel and Distributed Sys., vol. (2) (2005) pp. 73-77.
[25] S.K. Kim, M.G. Chung, More secure remote user authentication scheme, Comp. Comm., vol. (32) (2009) pp. 1018-1021.
[26] NIST FIPS PUB 180-2, Secure Hash Standard, National Institute of Standards and Tech., U.S. Department of Commerce, DRAFT, (2002).
[27] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proc. of Advances in Cryptology (CRYPTO'99) (1999) pp. 388-397.
[28] T.S. Messerges, E.A. Dabbish, R.H. Sloan, Examining smart-card security under the threat of power analysis attacks, IEEE Transactions on Computers, vol. 51 (5) (2002) pp. 541-552.
[29] Jun-qing Liu, Jun Sun, Tian-hao Li, An enhanced remote login authentication with smart card, Proceedings of IEEE Workshop on Signal Processing System Design and Implementation, Nov 2-4, 2005, Athens, Greece, Piscataway, NJ, USA: IEEE (2005) pp. 229-232.
[30] W. Diffie, P.C. Van Oorschot, M.J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, vol. (2) (1992) pp. 107-125.

Manoj Kumar is an Assistant Professor, Department of Mathematics, Rashtriya Kishan Post Graduate College Shamli, Muzaffarnagar, Choudhary Charan Singh University Meerut, India. He is a member of the Indian Mathematical Society, the Indian Society of Mathematics and Mathematical Science, the Ramanujan Mathematical Society, and the Cryptography Research Society of India. He works as a reviewer for various international peer-reviewed journals: Journal of Systems and Software, Journal of Computer Security, International Journal of Network Security, Computer Networks, Computers and Security, The Computer Journal and Applied Mathematics Journal of Chinese Universities, etc. He also works as a Technical Editor for some international peer-reviewed journals: Asian Journal of Mathematics & Statistics, Asian Journal of Algebra, Trends in Applied Sciences Research, Journal of Applied Sciences. He is also a member of the Technical Programme Committee of various national and international conferences. He has published his research work at national and international level. His current research interests include Cryptography and Applied Mathematics.

M.K. Gupta received his Ph.D. in Mathematics in 1998 from Agra University, Agra (India). Currently he is a Professor & Head of the Mathematics Department, Institute of Advanced Studies, C.C.S. University, Meerut, U.P., India. He is also Dean, Faculty of Engineering & Technology, C.C.S. University, Meerut (India). He worked as Recorder of the Section of Information and Communication Science & Technology for the years 2004-2005 and 2005-2006 of the Indian Science Congress Association. He has 25 years of teaching experience. More than 35 of his research papers have been published in international journals. His research interests include general topology, approximation theory and cryptography.

Saru Kumari received her M.Sc. and M.Phil. degrees in mathematics from the Institute of Advanced Studies, C.C.S. University, Meerut (India) in 2000 and 2005 respectively. She is an Assistant Professor, Department of Mathematics, Agra College, Agra (India). Her research interests include cryptography, information security, and applied mathematics.
