Lili Wang, "Analysis and Enhancement of a Password Authentication and Update Scheme Based on Elliptic Curve Cryptography", Journal of Applied Mathematics, vol. 2014, Article ID 247836, 11 pages, 2014. https://doi.org/10.1155/2014/247836
Analysis and Enhancement of a Password Authentication and Update Scheme Based on Elliptic Curve Cryptography
Recently, Islam and Biswas presented a password authentication and update scheme to remove the security weaknesses in Lin and Hwang’s scheme. Unfortunately, He et al., Wang et al., and Li found that Islam and Biswas’ improvement was vulnerable to offline password guessing attack, stolen verifier attack, privilege insider attack, and denial of service attack. In this paper, we further analyze Islam and Biswas’ scheme and demonstrate that it cannot resist password compromise impersonation attack. To remedy the weaknesses mentioned above, we propose an improved anonymous remote authentication scheme using a smart card without bilinear pairing computation. In addition, verifier tables no longer exist, and the privacy of users is better protected. Furthermore, our proposal not only inherits the advantages of Islam and Biswas’ scheme, but also provides more features, including preserving user anonymity, supporting offline password change, revocation, reregistration with the same identifier, and system update. Finally, we compare our enhancement with related works to illustrate that the improvement is more secure and robust, while maintaining low performance cost.
With the fast development of communication terminals and networks, users can obtain many services distributed over the world, whenever and wherever they want. Nevertheless, more and more security issues prevent the advanced technologies from moving forward, and more and more people are becoming concerned about the security of their information and communication applications. In particular, how to access the remote server securely is a key issue for all users. Generally speaking, the first line of defense for remote communication systems is authentication, which permits legal users to obtain their desired services securely while denying illegal users access to the servers. After that, to guarantee private communications over insecure public networks, key agreement provides the session keys, which are used to encrypt and decrypt the subsequent information transmitted over public channels (e.g., the Internet and radio). In other words, authentication and key agreement play important roles in guaranteeing the security of information and communication systems. In this paper, we focus on remote authentication and private communication.
Because it is easy to memorize, the password has become the most popular and widely adopted method for authentication since Lamport’s  contributions on remote authentication using hash function in 1981. However, this convenience leads to the weakness of low entropy, which adversaries can target, for example, with password guessing (online or offline) attacks  and verifier stolen attacks. In addition, password-verifier tables are heavy burdens for servers to store and manage. Furthermore, password-verifier tables are threatened by attackers, who can compromise these verifier tables and reveal (guess) the user’s password or masquerade as the legal user. In 2000, Peyravian and Zunic  presented one method for protecting and changing passwords in authentication schemes while being transmitted over untrusted networks . Their scheme did not use any symmetric-key or public-key cryptosystems but only employed a collision resistant hash function. In 2002, Hwang and Yeh  pointed out that the scheme in  was vulnerable to guessing attack, server spoofing, and data eavesdropping attack, and they also proposed two improved schemes to enhance the security of the scheme in . Later on, Lin and Hwang  cryptanalyzed the improved schemes in  and showed that their improvements were vulnerable to a denial of service attack and did not provide the forward secrecy property in session key distribution. Moreover, Lin and Hwang fixed the schemes in  to avoid those problems. For many applications, authentication schemes based on the password as the only authentication factor are insufficient; therefore, smart card (as the second authentication factor) based remote user password authentication schemes [7–9] have been proposed to overcome the vulnerabilities caused by the low-entropy password and verifier tables.
In 2011, Hafizul Islam and Biswas  designed a password authentication and update scheme based on elliptic curve cryptography as an improvement of Lin and Hwang’s  scheme, which was demonstrated to be vulnerable to password guessing attack, insider attack, server spoofing attack, and data eavesdropping attack. Unfortunately, He  and Wang et al.  found out that their improved scheme was not secure as they claimed in  and several attacks were demonstrated effectively in , for example, offline password guessing attack, stolen verifier attack, privilege insider attack, and denial of service attack. Recently, Li  also pointed out that Hafizul Islam and Biswas’  scheme was vulnerable to offline password guessing attack, stolen verifier attack, and insider attack. Li presented an advanced smart card-based scheme using bilinear pairing computation while providing an anonymous version.
In this paper, we further analyze the scheme in  and point out that the scheme cannot resist password compromise impersonation (PCI) attack [14–16]. Furthermore, the comments on the existing attacks suggest that we should pay attention to the low-entropy password, avoid using the weak password-verifier table, and use the challenge-response mechanism properly, so as to prevent the scheme from being vulnerable to various attacks. In addition, the public key cryptosystem increases the performance cost for users and servers; for example, users should maintain and verify the servers’ public keys (certificates) and servers should store users’ password verifiers. In order to overcome the shortcomings in , we focus on designing an improved password authentication and update scheme. Our improvement is based on the secure one-way function, symmetric encryption/decryption, pseudorandom generator, and elliptic curve cryptosystem without the expensive bilinear pairing computation. Finally, our proposal satisfies and achieves the following requirements and goals in the environment of symmetric key cryptosystem.
RG1: Mutual Authentication. Client and server can securely authenticate each other with their own credentials (secret key and verifier table for server, password and smart card for user). In other words, no one else can impersonate any of the legal participants to cheat the intended partners. In detail, the scheme should resist known common attacks that can threaten the security of mutual authentication, for example, replay attack, reflection attack, parallel session attack, man-in-the-middle attack, known session key attack, forgery attack, and password compromise impersonation attack.
RG2: Session Key Distribution. The legal participants in the scheme should generate a secure session key. In addition, the session key should be only shared between the participants and anyone else could not reveal it. Furthermore, the session key should be generated fresh with key privacy, forward secrecy, and out of key control.
RG3: Password Change. Users can change their passwords securely and freely without interacting with the remote server; that is, users could securely change their passwords offline.
RG4: Revocation and Reregistration. Users can revoke their credentials for security concerns and reregister without changing their identifiers in the same server.
RG5: System Update. The master key of the server should be changed termly for security or system update.
RG6: Credentials Leakage Resistant. For users, the password should be protected securely to resist various kinds of guessing attacks launched by insider users, servers, or adversaries. For servers, there are no verifier tables stored in its database to resist verifier-stolen attack or insider server attack.
RG7: Denial of Service Resistance. The server should provide the mechanism to resist the denial of service (DoS) attack caused by exhausted resources (computation, memory, or connection) and malicious password change.
RG8: Preserving User Anonymity. The user’s identifier should be protected from being hijacked or stolen, because the user’s privacy is a concern in most applications, and no one can obtain the user’s identifier except the legal participants.
In the rest of the paper, we briefly review Hafizul Islam and Biswas’ scheme  in Section 2. The analysis and comments on their scheme are presented in Section 3. Furthermore, an improved scheme is proposed in Section 4. In addition, the analysis, comparison, and comments of our proposal are shown in Section 5. The paper is concluded in Section 6. Finally, notations used in this paper are shown in Notations section.
In this section, the scheme of Hafizul Islam and Biswas  is reviewed in brief. There are four phases in Hafizul Islam and Biswas’  scheme, including registration phase, password authentication phase, password change phase, and session key distribution phase. The details of their scheme are described as follows.
2.1. Registration Phase
The client registers to the server with identity and password verifier and collects the server’s public key . Then, stores each legal client’s identity , password-verifier , and a status-bit in a write protected file, where the status-bit indicates the status of the client in the server (logged-in or logged-off).
2.2. Password Authentication Phase
Step A1. keys and into the terminal. selects a random number , computing where the symmetric key is the -coordinate of . Finally, sends the login request message, to the remote server.
Step A2. checks the validity of and computes its corresponding decryption keys by calculating After decrypting compares received with decrypted and with . If all the conditions are satisfied, selects a random number and computes At last, sends its response message, to the client.
Step A3. retrieves by subtracting from . If the hash value of retrieved is equal to received computes and sends it to the remote server.
Step A4. computes with its own copies of and and compares the results with the received . If they are equal, accepts the client’s login request, otherwise rejects.
2.2.1. Password Change Phase
Step C1. .
Step C2. .
Step C3. .
Step C4. : password change granted/denied.
If wants to change the old password to a new one , then computes the corresponding password verifier in Step C3. If the authentication token is authenticated, then subtracts from to extract the new password verifier . Finally, replaces with to finish the password change phase if and only if the hash value of is equal to received .
2.3. Session Key Distribution Phase
Step D1. .
Step D2. .
Step D3. .
Step D4. : key distribution granted/denied.
In this protocol, two random numbers are chosen by the client and the server, respectively. computes the final session key as and computes
In this section, we demonstrate that Hafizul Islam and Biswas’  scheme is vulnerable to password compromise impersonation attack. In addition, the comments on the scheme show the security weaknesses caused by the low-entropy password, weak password-verifier table, and improper challenge-response mechanism.
3.1. Password Compromise Impersonation Attack
The password as the unique secret information of the client plays the key role in the password-based remote authentication schemes. Intuitively, the adversary could impersonate the client, who compromises his/her password, to cheat the remote server as the trivial attack. However, the password compromise impersonation [14–16] as a special attack indicates that the adversary could impersonate the remote server to cheat the client himself/herself using his/her compromised password.
A PCI attack is defined as follows: in the password-based client-server remote authentication (or authenticated key distribution) scheme, the adversary is considered successful in a PCI attack if it can impersonate the uncorrupted remote server to communicate with the corrupted client , who compromised his/her password to the adversary. In other words, the goal of the adversary by launching PCI attack is to impersonate the remote server to cheat the client himself/herself without being detected. More detailed introductions about PCI attack can be found in the literature [14–16].
PCI Attack. Assume that the adversary not only can control the communication between the client and the server, that is, it can eavesdrop, record, intercept, modify, delete, insert messages, or even inject new messages during the protocol execution, but also can obtain the password of client . Then the PCI attack can be performed in the following steps, as illustrated in Figure 1.
Step 1. The adversary intercepts the login request message, sent from to , when initializes a new password authentication session with in Step A1.
Step 2. The adversary computes and decrypts with to obtain . Then the adversary generates a random number and computes where . Finally, the adversary sends the reply, to . Note that the verification procedures executed by the adversary could be ignored for simplicity, due to the purpose of impersonating the remote server.
Step 3. After receiving the reply from the adversary, retrieves from , verifies the hash value of retrieved with received , and sends to the adversary.
Step 4. According to the description of the original protocol, the adversary computes with its own copies of and and compares the results with the received . If they are equal, the adversary accepts the client’s login request, otherwise rejects.
The password change and session key distribution phases are vulnerable to PCI attack with the same procedures for different targets. First, the adversary could get the new password verifier by retrieving from using the decrypted in caused by the compromised password . Then the adversary could further launch offline password guessing attack to obtain the new password of the client. Secondly, the adversary can compute and share the session key where is computed by . Consequently, the adversary could also launch man-in-the-middle attack and modify the communications between and arbitrarily.
The first and most important weakness in Hafizul Islam and Biswas’  scheme is the low-entropy password, which is usually vulnerable to guessing (online or offline) attacks. The reason for guessing attack is that the password is selected in a small space/set, which is called a dictionary with the size of , and therefore the password can be easy to remember. However, the small space of the dictionary is a double-edged sword: it provides convenience for users, but it can also be used by the adversary to guess the correct password through analyzing the security flaws in the algorithms. He , Wang et al. , and Li  have demonstrated that the adversary could launch various offline password guessing attacks, for example, tracing the password in the execution of the scheme to match the redundant information, using the verifier tables to confirm the guessed password, and obtaining the verifier table to guess the client’s password by the malicious system manager or the privileged insider. Furthermore, once the password of the client is compromised, the adversary not only can impersonate the client to cheat the remote server, but also can impersonate the remote server to cheat the client himself/herself. Finally, the serious security weaknesses caused by the unique low-entropy factor (password) show that the single factor cannot resist common attacks sufficiently and the second factor (smart card) should be introduced to overcome the security flaws while keeping the improved scheme efficient and practical.
Moreover, the threats on the weak password-verifier tables have been shown in [11, 12], for example, offline password guessing attack and privileged insider attacks. The weak password-verifier tables have been crucial targets for most adversaries, who can use these tables for further attack. Generally speaking, offline password guessing attack always depends on the verifier tables, which provide the matching information. Moreover, various application servers could handle the password-verifier tables carelessly, because the secret key is the crucial information for themselves, but password-verifier tables are not. In addition, the password-verifier tables are usually the same as the others, and the leakage of the password-verifier tables occasionally happens in real applications. Consequently, the weak password-verifier tables should be avoided in the future design.
The challenge-response mechanism should be used for resisting replay attack and contributing to the fresh session key. However, an improper challenge-response mechanism may be used by the adversary to launch DoS attack. In addition, the denial of service attack pointed out by Wang et al.  is caused by the improper challenge-response mechanism, because the adversary could replay all the expired legal login request messages and exhaust the resources of the server, for example, computation, memory, and connection. Another reason for the denial of service attack is the expensive cost of the bilinear pairing operations. Thus, the improper challenge-response mechanism may cause important security issues or break down the system. Consequently, taking maximum advantage of the challenge-response mechanism in the scheme is quite helpful for future design.
There are two participants in the protocol: the user as the client and the remote server . The proposed scheme is composed of five phases, namely, registration phase, authentication with key agreement phase, password change phase, revocation/reregistration phase, and key update phase. The details of the enhanced scheme are described as follows and illustrated in Figure 2.
4.1. Registration Phase
When the client wants to register in the remote server as a legal client to obtain the services, the following steps should be performed.
Step R1. The client chooses the identity with the password , generates a random number , and sends the registration request, to over the secure channel.
Step R2. checks the validity of after receiving the registration request and computes the client’s authentication information where , is the secret key of and is the unique identifier (or random number) generated by for the smart card. Then the smart card is initialized by the parameters where is the generator of the elliptic curve cryptosystem. Next, sends the smart card to over the secure channel and maintains the client table as where indicates the log-in or log-off status and indicates if the client updates the latest authentication information .
Step R3. The client initializes the smart card with the parameters , where . All the parameters in the smart card are and with are kept by the client as his/her own knowledge. Finally, the registration phase is finished and shares the secret, with to authenticate each other and establish the session key.
4.2. Authentication with Key Agreement Phase
When wants to access the remote server and obtains the desired services, the following operations should be executed.
Step A1. The client inputs with into his/her smart card. The smart card computes and checks
If the equation holds, the smart card confirms the legal holder and sends the login request to . Note that once the smart card confirms its legal holder, that is, the equations and are true.
Step A2. After receiving the login request, sends the precomputed challenge, to , where is a random number generated by . Note that the challenge could be seen as a client puzzle  and sent by the technology of completely automated public turing test to tell computers and humans apart (CAPTCHA) .
Step A3. The client solves and inputs the challenge , and the smart card generates its own challenge computing where is a random number generated by the smart card. Then the smart card sends the response and its challenge, to .
Step A4. After confirming the validity of the response , computes and decrypts to get . If finds in the client tables, then checks the of . If has logged-in (), terminates the session. Otherwise, extracts in the client table and computes where . After that, checks whether the computed value is equal to decrypted value
If it is, authenticates and computes the session key
Then computes the response and sends it to . In addition, sets up before replying the acceptance.
Step A5. The smart card computes the session key
After receiving the response, the smart card decrypts and checks the validity of both and . If they are valid, authenticates and establishes the session key . Finally, mutual authentication and key agreement phase is finished successfully.
4.3. Password Change Phase
When the client wants to change the old password to a new one , the following offline steps should be performed after the smart card confirms its legal holder in Step A1.
Step P1. Once the procedure is successfully verified, selects the password change option and inputs the new password .
Step P2. The smart card computes
Finally, replaces by , and password change phase is finished.
4.4. Revocation/Reregistration Phase
When wants to revoke his/her registration for security concern or reregister without changing his/her identity should delete the random number for revocation or choose a new random number and execute the registration phase again for reregistration. After revocation phase, could not authenticate or reply the correct response to without . Similarly, the reregistration phase could make the old smart card expired, because . Consequently, revocation/reregistration phase is successfully finished.
4.5. System Update Phase
When the remote server requires updating the system or changing its secret key regularly, key update phase should be performed between and selects new key and establishes a new table containing where . If updates the secret key, then it initializes all the clients’ that is, all the clients should update their authentication information Note that the client could update their secret authentication information over a secure channel established by the session key . In other words, must maintain the original secret key and client tables for these specific users, who have not updated their authentication information. Upon receiving stores replacing and deletes the old list in the original tables of while marking . Finally, the system update phase is finished successfully.
5. Analysis and Comments
In this section, the security analysis demonstrates that the improved scheme not only remedies the weaknesses mentioned above, but also can resist all known common attacks. Furthermore, the comparisons of the security attribute, performance cost, and functionality illustrate that the improved scheme is more secure, efficient, and practical than the scheme in .
5.1. Security Analysis
The security of the scheme is based on the secure cryptographic primitives, including one-way hash function, pseudorandom generator, and symmetric cryptosystem. Furthermore, the discrete logarithm problem (DLP) and the computational Diffie-Hellman and decisional Diffie-Hellman problems (CDHP and DDHP) on the elliptic curve are assumed to be hard to solve with polynomial time algorithms [19, 20].
5.1.1. Impersonation Attack
The enhanced scheme can resist the following common attacks for the purpose of impersonation, including replay attack, reflection attack, parallel session attack, man-in-the-middle attack, known session key attack, forgery attack, and password compromise impersonation attack.
(1) The technologies of client puzzle and challenge-response mechanism are introduced to resist replay attack, reflection attack, and parallel session attack. and can also contribute to the computation of the fresh session key , which can resist known session key attack.
(2) The design of mutual authentication with key agreement can help to resist man-in-the-middle attack in our scheme; that is, the key agreement protocol is authenticated and the adversary could not launch man-in-the-middle attack without authentication. In other words, authenticated Diffie-Hellman mechanism helps to resist man-in-the-middle attack.
(3) Any adversary could not impersonate the legal participants (client or remote server) to share the session key with the intended partner, because the adversary cannot forge the messages or without knowing the temporary key or the session key . The security of the temporary key is based on the assumption of DLP and CDHP. If the adversary could get , that is, the adversary can compute without or , which is infeasible under the assumptions. It is the same for the session key as that the adversary cannot compute without solving DLP or CDHP. Furthermore, the secret authentication information can also help to resist impersonation attack. is important for the adversary to forge the messages for authentication, because and are composed of . However, can be computed only by the legal client with the correct , and the smart card or by the remote server with and .
(4) The two-factor authentication with key agreement can resist the password compromise impersonation attack in the enhanced scheme. If the client’s password is compromised, the adversary cannot forge the correct authentication message without knowing and obtaining the smart card. Furthermore, the secret information cannot be computed by the adversary with only, because the security of depends on for user or for server.
5.1.2. Password Guessing Attack
In password-based schemes, the adversary can guess the password in a dictionary , which is defined in a finite space of size . The adversary can guess the correct password with success probability . However, the enhanced scheme with two factors can resist such attack due to the first defense of smart card, which can help to protect the information stored in its memory. Furthermore, the anonymity in the enhanced scheme can also resist password guessing attack at a higher level, because the adversary must guess and at the same time. In other words, the probability of successfully guessing the correct password is , where is the size of the identity dictionary. In addition, online password guessing attack is out of our consideration, because the technologies of client puzzle and CAPTCHA and additional network equipment (e.g., IDS and firewall) can help the remote server to limit the number of failed login attempts.
5.1.3. Secrecy of the Session Key
The secrecy of the fresh session key includes key privacy, forward secrecy, and key control. First, the challenge-response mechanism and can help to contribute to the freshness of the session key and keep the generation of the session key out of any single party’s control. Secondly, the secure authentication information , which can be computed by and , ensures that no one can break the key privacy without knowing . Furthermore, under the assumptions of DLP, CDHP, and DDHP, the forward secrecy of the session key can be protected even if the long term keys or is compromised. Finally, the authenticated Diffie-Hellman key exchange enhances the security of the scheme, because the compromise of the temporary random number cannot threaten the security of the final session key without knowing .
5.1.4. Credentials Leakage Resistant
The credentials mentioned in the enhancement are , the smart card, and client tables. Credentials leakage means the adversary could get some of the credentials. In detail, the anonymous login request protects from leakage and meanwhile protects from guessing attack. Specifically, if the adversary could forge a server by phishing user’s identity , user anonymity cannot be preserved as usual. An additional mechanism should be provided to avoid this attack, while the other credentials are still protected as normal. Furthermore, secure one-way hash function helps to avoid the compromise of from and protect from being extracted in by the insider clients.
5.1.5. Denial of Service Resistance
The technologies of client puzzle and CAPTCHA are introduced to protect the system from DoS attacks. In addition, other network equipment (e.g., IDS and firewall) can be used in the system to avoid such attacks.
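The following is an added example, not part of the paper, of the kind of client-puzzle gate that Step A2 and this section rely on: the server checks a cheap, expiring, single-use puzzle before it decrypts anything or touches the client table, so replayed or expired login requests cost it one MAC and at most one hash. The hash-based puzzle construction, the names `PuzzleGate`, `solve`, and `is_solution`, and the difficulty and lifetime values are assumptions; the paper names the technique but does not specify a puzzle.

```python
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN, TAG_LEN = 16, 32
BODY_LEN = NONCE_LEN + 9  # nonce | expiry (8 bytes) | difficulty (1 byte)


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def is_solution(challenge: bytes, solution: bytes, bits: int) -> bool:
    """A solution makes SHA-256(challenge || solution) start with `bits` zero bits."""
    digest = hashlib.sha256(challenge + solution).digest()
    return leading_zero_bits(digest) >= bits


def solve(challenge: bytes) -> bytes:
    """Client side: try counters until one fits (about 2**bits hashes on average)."""
    bits = challenge[BODY_LEN - 1]
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if is_solution(challenge, candidate, bits):
            return candidate
        counter += 1


class PuzzleGate:
    """Server side: issue puzzles without storing them, verify before expensive work."""

    def __init__(self, difficulty_bits=12, ttl_seconds=30, clock=time.time):
        # Gate-only MAC key (assumption): independent of the scheme's server secret.
        self._mac_key = os.urandom(32)
        self._bits = difficulty_bits
        self._ttl = ttl_seconds
        self._clock = clock
        self._spent = {}  # nonce -> expiry, recorded only for puzzles that were solved

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def issue(self) -> bytes:
        """Return nonce | expiry | difficulty | MAC; the server keeps no per-request state."""
        expires = int(self._clock()) + self._ttl
        body = os.urandom(NONCE_LEN) + struct.pack(">QB", expires, self._bits)
        return body + self._tag(body)

    def verify(self, challenge: bytes, solution: bytes) -> str:
        """Return 'ok' or the reason the request is dropped before authentication starts."""
        if len(challenge) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = challenge[:BODY_LEN], challenge[BODY_LEN:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return "forged"      # not issued by this server, or fields were altered
        expires, bits = struct.unpack(">QB", body[NONCE_LEN:])
        now = self._clock()
        if now > expires:
            return "expired"     # old login requests cannot be replayed later
        nonce = body[:NONCE_LEN]
        if nonce in self._spent:
            return "replayed"    # each puzzle admits exactly one login attempt
        if not is_solution(challenge, solution, bits):
            return "unsolved"
        # Forget nonces that have expired; the expiry check above already rejects them.
        self._spent = {n: e for n, e in self._spent.items() if e >= now}
        self._spent[nonce] = expires
        return "ok"


if __name__ == "__main__":
    gate = PuzzleGate()
    challenge = gate.issue()
    answer = solve(challenge)
    print(gate.verify(challenge, answer))
    print(gate.verify(challenge, answer))
```

Because the gate stores a nonce only after a puzzle has been solved, memory use on the server is bounded by work the requesters have actually performed within the lifetime window.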
5.2. Comparisons and Comments
The comparisons and comments with related works [6, 10, 13] on security and functionality are shown to illustrate that our enhancement is more secure and robust. The comparisons of security features in Table 1 show that our enhancement satisfies more security features, including password guessing attack resistance (PGAR), verifier table attack resistance (VTAR), password compromise impersonation attack resistance (PCIAR), forward secrecy resistance (FSR), denial of service attack resistance (DoSAR), and known temporary information attack resistance (KTIAR). Moreover, the comparisons of functionalities in Table 2 show that our enhancement provides more functionalities mentioned in Section 1 to support user friendly property and system flexibility. In addition, our enhancement can be implemented in the environments of symmetric cryptosystem; that is, it is more practical without public key infrastructure (PKI). Finally, our enhancement of two-factor authentication with key agreement scheme using smart card is suitable for mobile wireless communication system while keeping low efficiency on elliptic curve cryptosystem without expensive computations, for example, modular exponentiation or bilinear pairings.
For computational comparison, we only consider the latest schemes, for example, [10, 13], and our proposal. Table 3 shows the computation cost in the login and authentication phase, which is the main procedure of the scheme. It illustrates that our proposal costs 3 (4) more hash function operations and one more symmetric decryption (encryption) operation for user (server), but we save more time-consuming operations, such as point-multiplication operation on elliptic curve, point-multiplication operation on finite field, addition operation, and bilinear pairing computation on elliptic curve.
: point-multiplication operation on elliptic curve.
: point-multiplication operation on finite field.
: symmetric encryption operation.
: symmetric decryption operation.
: hash operation.
: addition operation on elliptic curve.
: bilinear pairing operation on elliptic curve.
In this paper, the scheme of Hafizul Islam and Biswas is cryptanalyzed and improved. Password compromise impersonation attack is demonstrated and some security weaknesses are discussed about their scheme. Furthermore, an enhanced scheme in symmetric key environment is presented to overcome the existing weaknesses and provide more functionalities. In detail, the technologies of client puzzle and CAPTCHA are introduced to resist the common known attacks with proper challenge-response mechanism. The public key infrastructure is replaced by the second factor (smart card) to enhance the security and robustness of the scheme. In addition, the enhanced scheme can also be used in global mobility networks to provide secure authentication and private communication. Finally, the analysis and comments show that our improved scheme is more secure, practical, efficient, and suitable for smart card while providing more user friendly property and system flexibility.
|:||Identity of the client|
|:||Secret password of the client|
|:||Base point of the elliptic curve group|
|:||Secret key of the server|
|:||Public key of the server|
|:||Password verifier of the client|
|:||A large prime number|
|:||Nonsingular elliptic curve over a finite field|
|:||Collision-resistant one-way secure hash function|
|:||Symmetric encryption/decryption algorithm with key|
|:||Bilinear pairings mapping|
|:||Symmetric session key.|
Conflict of Interests
The author declares that there is no conflict of interests regarding the publication of this paper.
1. L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, no. 11, pp. 770–772, 1981.
2. C. C. Lee, C. H. Liu, and M. S. Hwang, “Guessing attacks on strong-password authentication protocol,” International Journal of Network Security, vol. 15, no. 1, pp. 64–67, 2013.
3. M. Peyravian and N. Zunic, “Methods for protecting password transmission,” Computers & Security, vol. 19, no. 5, pp. 466–469, 2000.
4. I.-E. Liao, C.-C. Lee, and M.-S. Hwang, “A password authentication scheme over insecure networks,” Journal of Computer and System Sciences, vol. 72, no. 4, pp. 727–740, 2006.
5. J.-J. Hwang and T.-C. Yeh, “Improvement on Peyravian-Zunic's password authentication schemes,” IEICE Transactions on Communications, vol. 85, no. 4, pp. 823–825, 2002.
6. C.-L. Lin and T. Hwang, “A password authentication scheme with secure password updating,” Computers & Security, vol. 22, no. 1, pp. 68–72, 2003.
7. L. Yang, J.-F. Ma, and Q. Jiang, “Mutual authentication scheme with smart cards and password under trusted computing,” International Journal of Network Security, vol. 14, no. 3, pp. 156–163, 2012.
8. M. Kumar, M. K. Gupta, and S. Kumari, “An improved efficient remote password authentication scheme with smart card over insecure networks,” International Journal of Network Security, vol. 13, no. 3, pp. 167–177, 2011.
9. R. Ramasamy and A. P. Muniyandi, “An efficient password authentication scheme for smart card,” International Journal of Network Security, vol. 14, no. 3, pp. 180–186, 2012.
10. S. Hafizul Islam and G. P. Biswas, “Design of improved password authentication and update scheme based on elliptic curve cryptography,” Mathematical and Computer Modelling, vol. 57, no. 11-12, pp. 2703–2717, 2013.
11. D. He, “Comments on a password authentication and update scheme based on elliptic curve cryptography,” Cryptology ePrint Archive Report 2011/411, 2011, https://eprint.iacr.org/2011/411.pdf.
12. D. Wang, C. G. Ma, L. Shi, and Y. H. Wang, “On the security of an improved password authentication scheme based on ECC,” in Information Computing and Applications, vol. 7473 of Lecture Notes in Computer Science, pp. 181–188, 2012.
13. C. T. Li, “A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card,” IET Information Security, vol. 7, no. 1, pp. 3–10, 2013.
14. D.-G. Feng and J. Xu, “A new client-to-client password-authenticated key agreement protocol,” in Coding and Cryptology, vol. 5557 of Lecture Notes in Computer Science, pp. 63–76, Springer, Berlin, Germany, 2009.
15. W. Jin and J. Xu, “An efficient and provably secure cross-realm client-to-client password-authenticated key agreement protocol with smart cards,” in Cryptology and Network Security, vol. 5888 of Lecture Notes in Computer Science, pp. 299–314, 2009.
16. M. C. Gorantla, C. Boyd, J. M. G. Nieto, and M. Manulis, “Modeling key compromise impersonation attacks on group key exchange protocols,” ACM Transactions on Information and System Security, vol. 14, no. 4, article 28, 2011.
17. B. Waters, A. Juels, J. A. Halderman, and E. W. Felten, “New client puzzle outsourcing techniques for DoS resistance,” in Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS '04), pp. 246–256, October 2004.
18. L. Von Ahn, M. Blum, N. J. Hopper, and J. Langford, “CAPTCHA: using hard AI problems for security,” in Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 294–311, Springer, Berlin, Germany, 2003.
19. D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography, Springer, New York, NY, USA, 2004.
20. N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, pp. 203–209, 1987.
Copyright © 2014 Lili Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.