In recent years, several dynamic identity-based two-factor user authentication using password and smartcard have been proposed to provide mutual authentication between the user and server over unreliable networks. However, the design of secure cryptographic schemes is still notoriously hard, and there have been several instances of detected flaws in published schemes. For example in 2010, Hao and Yu demonstrated thatWang et al.’s user authentication scheme is insecure against off-line password guessing and server masquerade attacks, and proposed an improved scheme. Subsequently in 2012, Chao pointed out that the improved scheme of Hao and Yu is, unfortunately, susceptible to off-line password guessing and server masquerade attacks, and prone to password backward security problem; and proposed an enhanced scheme. In this paper, we demonstrated that Chao’s enhanced scheme is not secure against user masquerade attack, server masquerade attack, insider attack and off-line password guessing attack in violation of its security claim as well as it fails to achieve users’ anonymity.
Hafizul Islam, SK; P. Biswas, G.; and Raymond Choo, Kim-Kwang
"Cryptanalysis of an Improved Smartcard-based Remote Password Authentication Scheme,"
Information Sciences Letters: Vol. 3
, Article 5.
Available at: https://digitalcommons.aaru.edu.jo/isl/vol3/iss1/5