Secure and Efficient Smart Card Based Remote User Password Authentication Scheme

In distributed systems, the smart card based password authentication, as one of the most convenient and efficient two-factor authentication mechanisms, is widely used to ensure that the protected services are not available to unauthorized users. Recently, Li et al. demonstrated that the smart card based password authentication scheme proposed by Chen et al. cannot provide perfect forward secrecy as they claimed. In addition, the password change phase of the scheme is unfriendly and inefficient. Subsequently, Li et al. presented an enhanced smart card based password authentication scheme to overcome the above flaws existing in Chen et al.’s scheme. Furthermore, Kumari and Khan, and Jiang et al. demonstrated that Chen et al.’s scheme cannot resist off-line password guessing attacks, and also proposed an improved scheme, respectively. In this study, we first illustrate that Li et al.’s scheme, and Kumari and Khan’s scheme both fail to achieve the basic security requirement of the smart card based password authentication, namely, once the private information stored in the smart card has been extracted, the schemes would be vulnerable to off-line password guessing attacks. We also point out that Jiang et al.’s scheme, as well as Kumari and Khan’s scheme cannot provide perfect forward secrecy. Then, we introduce a new smart card based password authentication scheme. By presenting concrete analysis of security and performance, we show that the proposed scheme cannot only resist various well-known attacks, but also is more efficient than other related works, and thus is feasible for practical applications.