
Mathematical and Computer Modelling 44 (2006) 223–228

www.elsevier.com/locate/mcm

An efficient and complete remote user authentication scheme using smart cards
Horng-Twu Liaw a,∗ , Jiann-Fu Lin b,1 , Wei-Chen Wu c,2
a Department of Information Management, Shih Hsin University, No. 1, Lane 17, Sec. 1, Muja Road, Wenshan Chiu 116, Taipei, Taiwan, ROC
b Department of Management Information System, Takming College, No. 56, Sec. 1, WenHu Road, NeiHu Chiu 114, Taipei, Taiwan, ROC
c Department of Information Management, National Central University, No. 300, Jhongda Road, Jhongli City,
Taoyuan County 32001, Taiwan, ROC

Received 9 October 2003; accepted 9 January 2006

Abstract

In this paper, we propose an efficient and complete remote user authentication scheme using smart cards. Compared with other
smart card-based schemes, our scheme achieves more functionality. The important merits include: (1) a dictionary of verification
tables is not required to authenticate users; (2) users can choose their password freely; (3) mutual authentication is provided between
the user and the remote system; (4) the communication cost and the computational cost are very low; (5) users can update their
password after the registration phase; (6) a session key agreed by the user and the remote system is generated in every session; and
(7) the nonce-based scheme does not require a timestamp to solve the serious time synchronization problem.
© 2006 Elsevier Ltd. All rights reserved.

Keywords: Password; Authentication; Security; Session key; Smart card

1. Introduction

Computer systems and their interconnections via networks have increased the dependence of both organizations
and individuals on the information stored. This dependence, in turn, has led to a heightened awareness of the need
for information security and the protection of data and resources from electronic eavesdropping, electronic fraud and
network-based attacks. Consequently, cryptography and network security have matured, leading to the development
of smart cards to enforce network security.
In 1981, a remote password authentication scheme was proposed by Lamport [11] over an insecure channel. Since
then, several schemes [3,6,8,9,12–16] have been proposed to address this problem for achieving more functionality
and efficiency.

∗ Corresponding author. Tel.: +886 2 22368225x3344; fax: +886 2 22367114.


E-mail addresses: htliaw@cc.shu.edu.tw (H.-T. Liaw), alfu@mail.takming.edu.tw (J.-F. Lin), 944403005@cc.ncu.edu.tw (W.-C. Wu).
1 Tel.: +886 2 26585801x5120.
2 Tel.: +886 939630107.



0895-7177/$ - see front matter
doi:10.1016/j.mcm.2006.01.015

In a traditional password scheme, each user has an identity and a secret password. If a person wants to log into a
network system, they must submit their identity and the corresponding password. To avoid storing a plain password
table in a public network system, the scheme [12] proposed a dictionary of verification tables to store each user and
the corresponding one-way hashing value of passwords in the remote system. Such a verification table has some risks
of modification because the passwords are stored in a remote system. Therefore, several schemes [3,6,13–16] without
verification tables have been proposed to achieve user independence from the remote system. Once a user wants to
change a stored password, a connection is made to the remote system and the password is then updated. This proposed
scheme [6] allows users to select and change their passwords without revealing them to the remote system. In this
paper, we propose a scheme in which a smart card can update passwords after the registration phase without using a
verification table and connecting to the remote system.
To resist replay attacks, several timestamp-based schemes [3,6,10,13–16] were used. However, such schemes can
lead to serious clock synchronization problems. To avoid these synchronization problems, a complicated scheme [16]
was proposed without timestamps. In this paper, we propose a simplified nonce-based scheme to solve the serious
clock synchronization problem.
In 1996, Wang et al. [15] proposed a smart card-based password authentication scheme. In the scheme, a timestamp
was used to avoid the attack of message replay. Unfortunately, Chan et al. [2] showed that the Wang et al. scheme
was breakable. An intruder could easily construct a valid login request from a previously intercepted one and replay
it later to pass the authentication process of the remote system. In 1999, Yang et al. [16] proposed two password
authentication schemes with smart cards for preventing malicious replay attacks; one is timestamp-based and the other
is nonce-based. In these schemes, users could choose their passwords freely and a directory of verification tables was
not required to authenticate users. However, Sun [14] showed that the Yang et al. password authentication scheme was
insecure against forgery. Recently, Hwang et al. [7] proposed a remote user authentication scheme using smart cards.
Their scheme was based on ElGamal’s public key scheme [5]. The proposed scheme could resist replay attacks by
including a timestamp, and the remote system did not need verification tables for verifying the legitimacy of the login
users. Unfortunately, Chan et al. [1] showed that the Hwang et al. scheme was breakable. A legitimate user could
impersonate other legal users by constructing valid user identities and passwords without knowing the secret key of
the remote system. Later, Sun [13] presented a scheme that was more efficient than the Hwang et al. scheme. More
recently, Chien et al. [3] also proposed an efficient and practical scheme. However, in 2002, Hwang et al. [6] proposed
a simple remote user authentication scheme using smart cards. Their scheme allowed users to select and change their
passwords without revealing them to the server.
The current scheme integrates all the advantages proposed by the previous schemes, and involves two new phases
in addition to the registration, login and verification phases. One is a session phase that encrypts individual private
messages using a session key which has a limited lifespan. The other is an updated password phase based on the
Hwang et al. scheme [6] and allows users to update their passwords after the registration phase without revealing
them to the remote system. On top of this, our proposed scheme is nonce-based and free from any synchronization
problems.
In Section 2, we propose an efficient and complete remote password authentication scheme. This scheme has
several merits: (1) the remote system does not need a dictionary of verification tables to authenticate users; (2) users
can choose their password freely; (3) mutual authentication is provided, between the user and the remote system;
(4) the communication cost and the computational cost are very low; (5) users can update their password after the
registration phase; (6) a session key agreed by the user and the remote system can be generated in every session;
and (7) the timestamp is discarded to avoid the serious time synchronization problem. In Section 3, we examine the
security. In Section 4, we evaluate the efficiency of our scheme and a comparison is given. Finally, we conclude this
paper in Section 5.

2. Our scheme

In this section, we propose an efficient and complete remote password authentication scheme using smart cards.
The security of our scheme depends on the secure one-way hash function and is nonce-based. The nonce is a random
number that is generated and has a value that has not been used before, to avoid replay attack and the serious time
synchronization problem. Our scheme consists of five phases: the registration phase, the login phase, the verification
phase, the session phase and the updated password phase. We demonstrate our scheme as follows:

Registration phase: Let $x$ be a secret key maintained by the remote system, $h(\cdot)$ be a secure one-way hash function
with fixed-length output and $U_i$ denote the $i$th user who submits their identity $ID_i$ and password $PW_i$ to the remote
system for registration. The remote system then performs the following operations:
1. Compute $U_i$'s secret information $v_i = h(ID_i, x)$ and $e_i = v_i \oplus PW_i$.
2. Write $h(\cdot)$ and $e_i$ into the memory of a smart card and issue the card to $U_i$.

Login phase: When $U_i$ wishes to log into the remote system, they must insert the smart card into the terminal and
type their identity $ID_i$ and password $PW_i$. The smart card then performs the following operations:
1. Generate a nonce $N_i$, where $N_i$ is a random number.
2. Compute $C = h(e_i \oplus PW_i, N_i)$.
3. Send the message $(ID_i, C, N_i)$ to the remote system.

Verification phase: After receiving the authentication request message $(ID_i, C, N_i)$, the remote system and smart
card execute the following steps to facilitate a mutual authentication between the user and the remote system. The
remote system performs the following operations:
1. Verify that $ID_i$ is a valid user identity. If not, the login request is rejected.
2. Compute $v_i' = h(ID_i, x)$ and check whether $C = h(v_i', N_i)$. If not, the request is rejected; otherwise, the request
proceeds to step 4.
3. Generate a nonce $N_s$, where $N_s$ is a random number.
4. Encrypt the message $M = E_{v_i}(N_i, N_s)$ and send it back to the smart card.
The smart card then performs the following operations:
1. After receiving the message $M$, decrypt the message $D_{e_i \oplus PW_i}(M)$ to derive $(N_i', N_s')$ and verify whether $N_i' = N_i$.
If yes, $N_s'$ is sent to the remote system. If no, the connection is disconnected.
2. Check whether $N_s' = N_s$ for the smart card. If yes, the mutual authentication is done.

Session phase: The security of the session phase is based on the exponential key exchange protocol proposed by Diffie
et al. [4]. This protocol generates a common session key that is used to encrypt the individual conversation
between the client and the remote system within a session. The session phase involves two public parameters $q$ and $\alpha$,
where $q$ is a large prime number and $\alpha$ is a primitive element mod $q$. The following operations are performed.
1. The remote system computes $S_i = \alpha^{N_s} \bmod q$ and sends $S_i$ to the smart card.
2. Similarly, the smart card computes $W_i = \alpha^{N_i} \bmod q$ and sends $W_i$ to the remote system.
3. The remote system computes $K_s = (W_i)^{N_s} \bmod q$ and the smart card computes $K_u = (S_i)^{N_i} \bmod q$. Then both
of them check whether $K_s = K_u$. If yes, a new session is created. That is because:
$$
\begin{aligned}
K &= (S_i)^{N_i} \bmod q \\
  &= (\alpha^{N_s} \bmod q)^{N_i} \bmod q \\
  &= (\alpha^{N_s N_i} \bmod q) \bmod q \\
  &= (\alpha^{N_i} \bmod q)^{N_s} \bmod q \\
  &= (W_i)^{N_s} \bmod q.
\end{aligned}
$$
4. If the remote system wants to send private data or message $M_s$ to $U_i$, it encrypts message $E_{e_i'}(M_s \oplus K_s)$ with $e_i$
and sends it to $U_i$. After $U_i$ receives the message, the smart card decrypts the message and performs an exclusive-OR
operation to derive $M_s$.
5. If $U_i$ wants to send private data or message $M_u$ to the remote system, it encrypts message $E_{e_i}(M_u \oplus K_u)$ and
sends it to the remote system. After the remote system receives the message, it decrypts the message and performs an
exclusive-OR operation to derive $M_u$.

Updated password phase: If $U_i$ wants to change their password from $PW_i$ into $PW_i'$ after registration, the following
procedure is performed.
1. Calculate $e_i' = e_i \oplus PW_i \oplus PW_i'$.
2. Update $e_i$ on the memory of smart card to set $e_i'$. That is done because
$$
\begin{aligned}
e_i' &= v_i \oplus PW_i' \\
     &= h(ID_i, x) \oplus PW_i' \\
     &= e_i \oplus PW_i \oplus PW_i'.
\end{aligned}
$$
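
The registration, login, verification and updated password phases above, run end to end with both sides' messages, as an added Python example (not code from the paper or its authors). SHA-256 for h( ), zero-padding PW_i to 32 bytes, 16-byte nonces, the set of registered identities, and the 4-round Feistel permutation standing in for the cipher E/D that the paper leaves unspecified are all assumptions of this example.

```python
import hashlib, hmac, secrets

def h(*parts: bytes) -> bytes:
    """h( ): SHA-256 over length-prefixed parts (hash choice is an assumption)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def pad(pw: str) -> bytes:
    """PW_i as 32 zero-padded bytes so it can be XORed with v_i (an assumption)."""
    if len(pw.encode()) > 32:
        raise ValueError("password longer than the hash output")
    return pw.encode().ljust(32, b"\0")

def feistel(key: bytes, block: bytes, rounds) -> bytes:
    """Stand-in for E/D (the paper names no cipher): Feistel permutation on 32 bytes."""
    left, right = block[:16], block[16:]
    for i in rounds:
        left, right = right, xor(left, h(key, bytes([i]), right)[:16])
    return right + left

class Server:
    def __init__(self):
        self.x, self.ids = secrets.token_bytes(32), set()  # secret x; no password table
    def register(self, uid: str, pw: str) -> "Card":
        self.ids.add(uid)
        return Card(uid, xor(h(uid.encode(), self.x), pad(pw)))  # e_i = v_i XOR PW_i
    def verify(self, uid: str, c: bytes, ni: bytes):
        """Verification steps 1-4: return (M, N_s), or None when rejected."""
        v = h(uid.encode(), self.x)  # v_i' = h(ID_i, x), recomputed per request
        if uid not in self.ids or not hmac.compare_digest(c, h(v, ni)):
            return None
        ns = secrets.token_bytes(16)
        return feistel(v, ni + ns, range(4)), ns  # M = E_{v_i}(N_i, N_s)

class Card:
    def __init__(self, uid: str, e: bytes):
        self.uid, self.e, self.ni = uid, e, b""
    def login(self, pw: str):
        self.ni = secrets.token_bytes(16)  # fresh nonce N_i for this session
        return self.uid, h(xor(self.e, pad(pw)), self.ni), self.ni
    def answer(self, pw: str, m: bytes):
        """D_{e_i XOR PW_i}(M): return N_s' only if N_i' equals this session's N_i."""
        plain = feistel(xor(self.e, pad(pw)), m, reversed(range(4)))
        return plain[16:] if hmac.compare_digest(plain[:16], self.ni) else None
    def change_password(self, old: str, new: str) -> None:
        self.e = xor(xor(self.e, pad(old)), pad(new))  # e_i' = e_i XOR PW_i XOR PW_i'

def authenticate(server: Server, card: Card, pw: str) -> bool:
    """Run login and verification once; True only when both sides accept."""
    reply = server.verify(*card.login(pw))
    back = card.answer(pw, reply[0]) if reply else None
    return back is not None and hmac.compare_digest(back, reply[1])

if __name__ == "__main__":
    srv = Server()
    card = srv.register("alice", "old-pass")  # constructed sample user
    print(authenticate(srv, card, "old-pass"), authenticate(srv, card, "guess"))
```

The card stores only e_i, so change_password has nothing to check the old password against: a mistyped old password leaves a value from which v_i can no longer be recovered, and later logins with either password fail.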

3. Security analysis

In this section, we analyze the security of our scheme. The strength of our scheme can be demonstrated as follows:
1. The replay attacks in the login phase: An old login message was eavesdropped on by an attacker. They may try
to replay the old login message $(ID_i, C, N_i')$ to the remote system for a new login request. Verifying whether
$C = h(v_i', N_i')$ may fail because $N_i'$ is not always the same every time. The login request thus cannot succeed.
2. The replay attacks in the verification phase: Similarly, when an attacker has eavesdropped on an old verification
message, they may try to replay the old verification message $M = E_{v_i}(N_i', N_s')$ to the smart card for verification.
The verification of $N_i' = N_i$ and $N_s' = N_s$ cannot succeed because $N_i'$ and $N_s'$ are nonces and are used only once.
3. A secret $x$ of the remote system cannot be obtained by anyone; it is infeasible to compute a secret $v_i$ and then
obtain the secret $e_i$ because of the one-way property of $h(ID_i, x)$. Suppose the smart card is stolen; no one can
derive $x$, which is protected by the one-way hash function.
4. No one can forge a valid $C = h(e_i \oplus PW_i, N_i)$ because it must be derived from $PW_i$. On the other hand, given a
valid $C = h(e_i \oplus PW_i, N_i)$, no one can compute $PW_i$ because $h(\cdot)$ is a one-way hash function. Even given some
valid request messages $(ID_i, C_j, N_j)$, $1 \le j \le n$, the attacker has no way to derive another valid message because
of the one-way property of the secure one-way hash function.
5. The masqueraded remote system cannot succeed because an attacker cannot compute $M = E_{v_i}(N_i, N_s)$ unless
they know the secret $v_i$, which then leads to $N_i' \ne N_i$ and $N_s' \ne N_s$.
6. Even though $\alpha$ and $q$ are public parameters, it is very difficult to obtain $N_i$ and $N_s$ directly from $S_i = \alpha^{N_s} \bmod q$
and $U_i = \alpha^{N_i} \bmod q$. The difficulty lies in the complexity of computing discrete logarithms over finite fields.
7. An attacker who eavesdropped on $E_{e_i'}(M_s \oplus K_s)$ and $E_{e_i}(M_u \oplus K_u)$ cannot decrypt the message and perform an
exclusive-OR operation to derive $M_s$ and $M_u$ because the secrets $e_i$, $e_i'$ and session key $K$ can never be found.
8. When a user loses the smart card, the intruder cannot update $PW_i$ because they do not know the owner’s $PW_i$.
9. An attacker cannot steal $N_i$ and $N_s$ both at the same time to accumulate plaintext/ciphertext pairs
$(N_i, N_s)/E_{v_i}(N_i, N_s)$ and mount a known-ciphertext attack on $v_i$ because $N_i$ appears during login phase step 3
and $N_s$ will appear during the verification phase if $N_i' = N_i$. Besides, a nonce is generated and the value has not
been used before.

4. Efficiency

In this section, we summarize the performances and criteria for authentication schemes. For a protection
mechanism for user authentication, the following criteria are crucial.
C1: No verification table: The remote system does not need the dictionary of verification tables to authenticate users.
C2: Freely chosen password: Users can choose their password freely.
C3: Mutual authentication: Whether the users and the remote system can authenticate each other.
C4: Lower communication and computation cost: Due to hardware constraints of a smart card, it usually does not
support power communication cost and higher bandwidth.
C5: Updated password: Users can update their passwords after the registration phase.
C6: Session key agreement: A session key agreed by the user and the remote system is generated in every session.
C7: Time synchronization: Discard the timestamp to solve the serious time synchronization problem.
We made comparisons among the previous smart card schemes and our proposed scheme. Table 1 shows that our
scheme satisfies all criteria.
Table 2 gives several comparisons among various methods in the registration, login, verification, session and
updated password phases.

Table 1
Comparisons among the smart card-based schemes

Scheme                 C1    C2    C3    C4              C5    C6           C7
Our scheme             Yes   Yes   Yes   Extremely low   Yes   Yes          Yes
Wang and Chang [15]    Yes   Yes   No    Medium          No    No support   No
Yang and Shieh [16]    Yes   Yes   No    Medium          Yes   No support   Yes/No (a)
Hwang and Li [7]       Yes   No    No    Medium          No    No support   No
Sun [14]               Yes   No    Yes   Extremely low   No    No support   No
Chien et al. [3]       Yes   Yes   Yes   Extremely low   No    No support   No
Hwang et al. [6]       Yes   Yes   No    Extremely low   Yes   No support   No

C1: no verification table; C2: freely chosen password; C3: mutual authentication; C4: lower communication and computation cost; C5: updated
password; C6: session key agreement; C7: time synchronization.
(a) Yang and Shieh proposed two schemes: timestamp-based and nonce-based.

Table 2
Comparisons of computation costs

Registration Login Verification Session Updated password

Our scheme T(f) T(f) 2T(f) 2T(ME) 2T(⊕)
T(⊕) T(⊕) 2T(S) 2T(S)
T(q) T(q) T(⊕)
Wang and Chang [15] 3T(ME) 2T(ME) 2T(ME) No support No support
2T(MM) 2T(ME) T(Mf)
5T(M) T(Mf)
T(A) T(M)
T(D) T(D)
T(q)
Yang and Shieh [16] 2T(ME) 2T(ME) 2T(ME) No support No support
T(MM) T(MM) T(MM)
2T(M) 2T(M) T(Mf)
2T(D) T(f) T(M)
T(q)
Hwang and Li [7] T(ME) 3T(ME) 2T(ME) No support No support
T(MM) 1T(MM)
T(Mf) T(f)
T(D) T(⊕)
T(⊕)
T(q)
Sun [14] T(f) T(f) 2T(f) No support No support
T(⊕) T(⊕)
Chien et al. [3] T(f) T(f) 4T(f) No support No support
2T(⊕) 2T(⊕) 4T(⊕)
Hwang et al. [6] 2T(f) T(f) 2T(f) No support T(f)
2T(⊕) 2T(⊕) 2T(⊕) 2T(⊕)

T(f): computation cost of one-way function; T(⊕): computation cost of exclusive-OR operation; T(S): computation cost of symmetric encryption;
T(or): computation cost of OR operation; T(q): computation cost of random number; T(M): computation cost of multiplication operation; T(D):
computation cost of division operation; T(A): computation cost of addition operation; T(Mf): computation cost of one-way function; T(ME):
computation cost of modular exponentiation; T(MM): computation cost of modular multiplication.

5. Conclusions

We have proposed an efficient and complete remote user authentication scheme using smart cards that includes
session key agreement and an updated password phase. Our scheme withstands replay attacks by using a
nonce, which also solves the serious time synchronization problem. Compared with other smart card-based schemes, our scheme
achieves more functionality and satisfies all criteria.

References

[1] C.K. Chan, L.M. Cheng, Cryptanalysis of a remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics
46 (4) (2000) 992–993.
[2] C.K. Chan, L.M. Cheng, Remarks on Wang–Chang’s password authentication scheme, IEEE Electronics Letter 37 (1) (2001) 22–23.
[3] H.Y. Chien, J.K. Jan, Y.M. Tseng, An efficient and practical solution to remote authentication: smart card, Computers and Security 21 (4)
(2002) 372–375.
[4] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.
[5] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31
(4) (1985) 469–472.
[6] M.S. Hwang, C.C. Lee, Y.L. Tang, A simple remote user authentication scheme, Mathematical and Computer Modelling 36 (2002) 103–107.
[7] M.S. Hwang, L.H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (1) (2000)
28–30.
[8] W.-C. Ku, S.-T. Chang, Impersonation attack on a dynamic id-based remote user authentication scheme using smart cards, IEICE Transactions
on Communications E88-B (5) (2005) 2165–2167.
[9] W.-C. Ku, S.-T. Chang, M.-H. Chiang, Further cryptanalysis of a fingerprint-based remote user authentication scheme using smart cards, IEE
Electronics Letters 41 (5) (2005) 240–241.
[10] W.-C. Ku, M.-H. Chiang, S.-T. Chang, Weaknesses of Yoon-Ryu-Yoo’s hash-based password authentication scheme, ACM Operating Systems
Review 39 (1) (2005) 85–89.
[11] L. Lamport, Password authentication with insecure communication, Communications of the ACM 24 (1981) 770–772.
[12] R.E. Lennon, S.M. Matyas, C.H. Mayer, Cryptographic authentication of time-invariant quantities, IEEE Transactions On Communications
29 (6) (1981) 773–777.
[13] H.M. Sun, An efficient remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics 46 (4) (2000)
958–961.
[14] H.M. Sun, Cryptanalysis of password authentication schemes with smart cards, in: Information Security Conference 2001, May 2001,
pp. 221–223.
[15] S.J. Wang, J.F. Chang, Smart card based secure password authentication scheme, Computers and Security 15 (3) (1996) 231–237.
[16] W.H. Yang, S.P. Shieh, Password authentication schemes with smart cards, Computers and Security 18 (8) (1999) 727–733.
