Weakness and Improvement of the Smart Card Based Remote User Authentication Scheme with Anonymity

Today, people benefit various services through networks. However, due to the open environment of communications, networks are vulnerable to variety of security risks. Remote access capability is one of the critical functions for network systems. The remote user authentication scheme provides the server a convenient way to authenticate users before they are allowed to access database and obtain services. The smart card is one of the most reliable and efficient tools for remote user authentication. In some scenarios, remote user authentication schemes even require mechanisms to preserve user anonymity. In 2012, Shin et al. proposed a smart card based remote user authentication scheme. Their scheme has merits of providing user anonymity, key agreement, freely updating password and mutual authentication. They also claimed that their scheme can provide resilience to potential attacks of smart card based authentication schemes. In this article, we show that their scheme has several defects such as it cannot resist the impersonation attack, denial-of-service attack, off-line guessing attack and stolen-verifier attack. Furthermore, their scheme also suffers from high hash computation overhead and validations steps redundancy. We propose an improved scheme to overcome the drawbacks. The improved scheme has the merits of dynamic identity, user anonymity, forward and backward secrecy, mutual authentication, and low computation overhead. Moreover, the scheme can resist the replay attack, off-line guessing attack, smart card loss attack, impersonation attack and insider attack.