Applied Mathematics & Information Sciences

Author Country (or Countries)



In 2013, Chang et al. proposed an untraceable dynamic-identity-based remote user authentication scheme with verifiable password update. In this paper, we analyze Chang et al.s scheme and show that their scheme suffers from off-line password guessing attack, server spoofing attack and impersonation attack. Moreover, their scheme is traceable since the attacker can obtain the identity of the user. Thereby, we propose an alternative scheme based on elliptic curve cryptosystem and completely automated public turing test to tell computer and humans apart (CAPTCHA) technique. Besides, we demonstrate the completeness of the proposed scheme through the BAN-logic. Compared with other related existing schemes, the proposed scheme is relatively more secure and well suited for the practical application environment.