[ieee 2012 ieee workshops of international conference on advanced information networking and...
TRANSCRIPT
Improvement of the more efficient and secure ID-based remote mutualauthentication with key agreement scheme for mobile devices on ECC
Toan-Thinh TRUONG∗, Minh-Triet TRAN† & Anh-Duc DUONG†∗Smart Digital Content, SDCEmail: [email protected]
†Faculty of Information Technology, University of Science, VNU-HCMEmail: {tmtriet,daduc}@fit.hcmus.edu.vn
Abstract—Mobile devices (e.g., PDA, mobile phone, andnotebook PC) become necessary for a convenient and modernlife. Users can use them to access many applications, forexample online shopping, mobile pay TV, internet banking,which have been deployed on internet or wireless networkseasily. Therefore, secure communications in such wirelessenvironments are more and more important because theyprotect transactions between users and servers from illegaladversaries. Especially, users are people vulnerable to attacksand there are many authentication schemes proposed toguarantee them. Recently, Islam and Biswas have proposeda more efficient and secure ID-based scheme for mobiledevices on ECC to enhance security for authentication. Theyclaimed that their scheme truly is more secure than previousones and it can resist various attacks. However, it isn’t truebecause their scheme’s vulnerable to known session-specifictemporary information attack, and denial of service resultingfrom leaking server’s database. In this paper, we presentan improvement to their scheme in order to isolate suchproblems.
Keywords-Authentication, Password, Dynamic ID, Smartcard, Impersonation, Session key, elliptic curve cryptosystem
I. INTRODUCTION
With the non-stop growth of wireless networks, such as
GSM, CDPD, 3G and 4G, remote authentication schemes
play an important role in communicating between parties.
To keep fairness and security, schemes not only must pro-
tect legal users and servers from illegitimate adversaries,
but they also prevent legal parties from impersonation to
trick each other.
There’re many ways of satisfying above requirements, and
one of the solutions that many schemes have employed
is password authentication which has many advantages
such as simplicity, efficiency, scalability, and convenience.
However, many schemes[1][2][3][4][5] based on password
use static identity, which is easy to leaking information
to attacker. One solution to identity theft is making it
vary for each login. Later, a number of papers[6][7][8][9]
have proposed many ideas to preserve user’s anonymity
by employing a random value or time-stamp to vary user
identity for each session. However, these schemes provide
a smart card for each user and assume that the contents of
smart card can’t be revealed. This is impractical because
users can lost or be stolen smart card. So, when attackers
have smart card, they completely have capability to fake
users or servers.
In 2009, Yang[10] proposed a scheme combining elliptic
curve and identity-based cryptosystems to enhance se-
curity. They claimed that their scheme’s secure against
various attacks, such as replay attack, impersonation at-
tack. But in the same year, Yoon[11] pointed out that
Yang’s scheme can’t withstand impersonation attack. Fur-
thermore, it doesn’t achieve perfect forward secrecy prop-
erty, which is a very important security in evaluating a
strong authentication and key agreement protocol. Then,
Yoon proposed another scheme to fix such problems.
In 2010, Chen[12] proposed an advanced ECC ID-based
remote mutual authentication scheme for mobile devices
to improve Yang’s scheme. And they also claimed that
their scheme’s more secured to authenticate users and
remote servers for mobile devices. However, Islam and
Biswas[13] in 2011 have proposed a more efficient and
secure ID-based remote mutual authentication with key
agreement scheme for mobile devices on elliptic curve
cryptosystem. And they pointed out many new problems
in 3 previous schemes, for example user’s anonymity,
many logged-in users, clock synchronization. Then, they
claimed that their scheme’s truly efficient and usable for
mobile users in many internet applications or wireless
networks. Nevertheless, in this paper, we prove that the
Islam’s scheme can’t resist known session-specific tem-
porary information and denial of service resulting from
leaking server’s database attacks. Afterward, we propose
a improvement of their scheme to overcome such en-
tanglements. Besides, our scheme possesses low power
consumption and computation cost than previous schemes.
Our main ideas aren’t using point addition operation
between a random point and user’s authentication key and
not letting random value be stored into server’s database
to fix recommended problems of Islam’s scheme[13].
The remainder of this paper is organized as follows:
section 2 presents related works. And section 3 quickly
reviews Islam’s scheme & discusses its weaknesses. Then,
our proposed scheme’s presented in section 4, while sec-
tion 5 discusses the security & efficiency of the proposed
scheme. Our conclusions’re presented in section 6.
II. RELATED WORKS
In this session we review the basic concepts of elliptic
curve cryptosystem & introduces 3 computational prob-
lems.
2012 26th International Conference on Advanced Information Networking and Applications Workshops
978-0-7695-4652-0/12 $26.00 © 2012 IEEE
DOI 10.1109/WAINA.2012.125
698
A. Elliptic Curve Cryptosystem
An elliptic curve’s a cubic equation of the form y2 +
a1xy + a2y = x3 + a3x2 + a4x + a5, where a1, a2, a3, a4, a5are real numbers. In elliptic curve equation is defined as
the form of Ep(a, b): y2 = x3 + ax + b (mod p) over a prime
finite field Fp, where a, b ∈ Fp, p > 3, and 4a3+ 27b2 �= 0
(mod p) (Hankerson et al., 2004). Given an integer s ∈ F∗pand a point P ∈ Ep(a, b), the point multiplication s.P over
Ep(a, b) can be defined as s · P = P + P + ...+ P︸ ︷︷ ︸
s times
. More
details of ECC definitions can be found in Hankerson et
al. (2004)
B. Computational Problems
Generally, the security of ECC bases on the difficulties
of the following problems (Li et al., 2008).
1) Given two points P and Q over Ep(a, b), the elliptic
curve discrete logarithm problem (ECDLP) is to find
an integer s ∈ F∗p such that Q = s · P.
2) Given 3 points P, s · P, and t · P over Ep(a, b) for s,
t ∈ F∗p, the computational Diffie-Hellman problem
(CDHP) is to find the point (s · t) · P over Ep(a, b).
3) Given two points P and Q = s · P + t · P over
Ep(a, b) for s, t ∈ F∗p, the elliptic curve factorization
problem (ECFP) is to find two points s · P and t ·P over Ep(a, b).
Up to now, there’s no algorithm to be able to solve any
of the above problems (Li et al., 2008)
III. REVIEW & CRYPTANALYSIS OF ISLAM &
BISWAS’S SCHEME
In this section, we review Islam’s A more efficient
and secure ID-based remote mutual authentication with
key agreement scheme for mobile devices on ECC
cryptosystem[13] & show that their scheme’s vulnerable to
known session-specific temporary information attack and
denial of service resulting from leaking server’s database.
A. Review of Islam and Biswas’s Scheme
In this subsection, we review Islam’s scheme. Their
scheme includes four phases: system initialization phase,
user registration phase, mutual authentication with key
session agreement phase & leaked key revocation phase.
Some important notations in this scheme’re listed as
follow:
• S: The server.
• U: The user.
• IDU : Identity of U.
• AIDU : U’s authentication key.
• qS : The private key of server S.
• rU : A secret number chosen by U.
• rS : A secret number chosen by S.
• H(.): A one way secure hash function.
• kdf : A one way key derivation function.
• ⊕: Exclusive-or operation.
• ‖: Message concatenation operation.
1) System Initialization Phase: The system initializa-
tion phase of Islam includes four steps:
• Step 1: S selects a k-bit prime number p & base point
P with order n from the elliptic curve group Gp.
• Step 2: S chooses a random number qS (master key
of the S) from [1, n - 1] and computes the public key
QS = qS .P.
• Step 3: S chooses two one-way secure hash function
H1: {0, 1}∗ → Gp, H2: Gp x Gp → Z∗p and a one-
way key derivation function kdf : {0, 1}∗ x Gp x Gp
→ {0, 1}k.
• Step 4: S publishes (Ep(a, b), P, QS , H1, H2, kdf )
2) User Registration Phase: The user registration
phase’s performed only once when the user wants to take
part in the system. Islam’s scheme includes 3 steps &
figure 1 illustrates the steps in this phase.
Figure 1. Islam and Biswas’s registration phase
• Step 1: U chooses identity IDU = {0, 1}p and submits
it to S with some personal secret information via a
secure channel.
• Step 2: S checks U’s IDU . If IDU already exists
in the server’s database, S asks U for different ID.
Thereafer details of registration will be checked by
S and computes the authentication key AIDU = qS ·H1(IDU ‖ X), where X ∈ Z∗p is a random number
chosen by S. S stores the information (IDU , X, status-
bit) about U to the secure database. S sets the status-
bit to 1 if the user’s logged in, otherwise sets to 0.
• Step 3: S returns AIDU to U via secure channel.
In this phase, we see that Islam’s scheme stores random
value X into server’s database. And if information of
database leaks, attackers can modify these random values
of many users. Therefore, those users can’t login to Sat authentication phase & we’ll fix this problem in our
scheme.
3) Mutual Authentication With Key Session AgreementPhase: In this phase, authors assume the message com-
munication in this phase is over an open channel. Figure
2 illustrates the steps.
• Step 1. U keys identity IDU and AIDU into the mobile
device & randomly chooses a number rU from [1, n
- 1], and computes N = R + AIDU , M = rU · QS
where R = rU · P. U computes the dynamic identity
CIDU = IDU ⊕ H2(R ‖ AIDU ) and sends the message
(CIDU , N, M) to S.
• Step 2. On receiving (CIDU , N, M), S computes R∗
= q−1S · M and AIDU = N - R∗. Then, S extracts the
user’s identity by computing IDU = CIDU ⊕ H2(R∗
‖ AIDU ) and checks the validity of IDU . If IDU is
699
Figure 2. Islam and Biswas’s authentication phase
valid, S continues to next step, otherwise rejects U’s
login request.
• Step 3. Furthermore, S computes AID∗U = qS ·H1(IDU ‖ X) (IDU and X are taken from server’s
database) and checks AID∗U ?= AIDU . If it doesn’t
hold, the server S rejects U’s login request, otherwise
chooses a random number rS from [1, n - 1], then
computes T = R∗ + S and HS = H2(S ‖ AID∗U ),
where S = rS · P. Now S sends the message (T, HS)
to U.
• Step 4. On receiving (T, HS), U performs S∗ = T - Rand H∗S = H2(S ‖ AIDU ) and checks H∗S ?= HS . If
it holds, U authenticates S and sends (HRS), where
HRS = H2(R ‖ S∗). U computes the session key SK= kdf (IDU ‖ AIDU ‖ K), where K = rS · R = rS ·rU · P.
• Step 5. On receiving (HRS), S computes H∗RS =
H(R∗ ‖ S) and compares it with HRS . If it holds,
S authenticates U and computes the session key SK= kdf (IDU ‖ AIDU ‖ K), where K = rS · R = rS ·rU · P.
In this phase, we see that Islam’s scheme performs point
addition operation between random point R and AIDU .
It’s very dangerous because if information of any past
session’s random point R or S is revealed, AIDU will be
known by attackers. And we’ll fix this problem in our
scheme.
4) Leaked Key Revocation Phase: In this phase, authors
assume that AIDU is leaked to an adversary, so user Umakes a request to server S for fresh authentication key. Usubmits the old authentication key AIDU , the identity IDU
and personal secret information to S. Now S first checks
the validity of U. After validating user’s credential, server
S selects another random number X̄ ∈ Z∗p and issues
the fresh authentication key ¯AIDU = qS · H1(IDU ‖ X̄)
with old identity IDU . It’s to be noted that the revocation
of authentication key doesn’t need new identity, only Xwill be changed in each revocation. S returns the new
authentication key ¯AIDU to user U via secure channel. S
keeps the database same except that X is replaced by X̄ .
In their leaked key revocation phase, we see that infor-
mation of user U is vulnerable to attacks because it’s
transmitted through open channel. So, we propose that
a secure channel should be used to protect user U’s
information when it’s submitted in this phase.
B. Cryptanalysis of Islam and Biswas’s Scheme
In this subsection, we present our results on Islam’s
scheme. We’ll show that their scheme’s vulnerable to
known session-specific temporary information attack &
denial of service resulting from leaking server’s database.
1) Known Session-Specific Temporary Information At-tack: In paper, the authors mentioned that our scheme
can resist known session-specific temporary information
attack. In their opinion, when another adversary has the
session ephemeral secrets rU and rS , he or she still can’t
computes session key SK because of lacking of AIDU ’s
information. However, it isn’t true because with rU and
rS , we’ll prove that adversary still can know AIDU ’s
information of user U. For example, adversary A has rU ,
rS and past package (CIDU , N, M) of another user U, he
or she’ll perform following steps to obtain SK.
• Step 1: Computes R = rU · P and S = rS · P.
• Step 2: Computes AIDU = N - R.
• Step 3: Computes IDU = CIDU ⊕ H2(R ‖ AIDU ).
• Step 4: Computes SK = kdf (IDU ‖ AIDU ‖ K), where
K = rU · rS · P.
In Islam’s authentication phase, the authors performed
point addition operation between a random point R and
authentication key AIDU . This is a mistake because if R’s
information is leaked, user U’s AIDU will be easily com-
puted. Hence, in our scheme, we’ll isolate this problem.
2) Denial Of Service Resulting From Leaking Server’sDatabase: In the user registration phase of Islam’s
scheme, we see that server S store (IDU , X, status-bit)
of user U. This is dangerous because if information of
server’s database is leaked, another adversary can modify
X(s)’s value(s). This causes many users not to login to
the server S later. Following is the demonstration of this
problem.
• Step 1: User U sends login message (CIDU , N, M)
to server S.
• Step 2: On receiving (CIDU , N, M) from U, Scomputes R∗ = q−1
S · M, AIDU = N - R∗, IDU =
CIDU ⊕ H2(R∗ ‖ AIDU ) and AID∗U = qS · H1(IDU ‖X
′), where X
′is a modified random value of another
adversary.
• Step 3: S checks if AIDU ?= AIDU . Clearly it doesn’t
hold due to X′. So, S rejects user U.
Hence, Islam’s scheme’s vulnerable to denial of service
resulting from leaking server’s database. In our scheme,
we don’t store random value to database to resist this kind
of attack.
IV. PROPOSED SCHEME
In this section, we’ll propose an revised scheme that
removes the security problems described in the previous
700
section. Our improved scheme not only inherits the advan-
tages of their scheme, it also enhances the security. Before
entering into each phase, we’ll present general ideas in
our scheme more detailed. In registration phase, our main
goal is achieving AIDU . Random value X helps to resist re-
registration of attackers, with the same identity but various
authentication keys at different time. In authentication
phases, we use two random value rU and rS for server
& user to challenge each other. Furthermore, we don’t
store random value X into database & don’t perform point
addition operation for AIDU . Our scheme’s divided into
the four phases of system initialization, user registration,
mutual authentication with key agreement & leaked key
revocation phase.
A. System Initialization PhaseIn this phase, we use three one-way hash function. The
system initialization phase includes four steps:
• Step 1: S chooses k-bit prime number p & base point
P with order n from the elliptic curve group Gp
• Step 2: S chooses a random number qS from [1, n -
1]
• Step 3: S chooses three one-way hash function H1:
{0, 1}∗ → Gp, H2: Gp x Gp → {0, 1}k and H3: Gp
→ {0, 1}k• Step 4: The server publishes (Ep(a, b), P, H1, H2,
H3) as system parameters & keeps the master key qS
secret.
B. User Registration PhaseBefore we continue to present, we list 3 requirements
for a registration phase: secrecy for information trans-
mitted between user & server, difference between keys
provided for each time of registration by server & server
mustn’t store user’s information which can be a hazardous
risk. Easily, we see that Islam’s scheme achieved first two
requirements but not the last. So, we’ll recover this point to
accomplish a good registration phase. Our scheme consists
of 3 steps & figure 3 illustrates these ones.
1) Step 1: U chooses identity IDU = {0, 1}k and
submits it to S with some personal information via
secure channel.
2) Step 2: S checks U’s IDU . If IDU already exists in
the server’s database, S asks U for different identity.
Otherwise, S chooses a random value X ∈ Z∗p. Then,
S computes AIDU = qS · H1(IDU ‖ X). Finally, Sstores (IDU , status-bit) of that user U into database
(status-bit is similar to Islam’s scheme).
3) Step 3: S returns AIDU to U via a secure channel
Figure 3. Proposed registration phase
C. Mutual Authentication & Session Key AgreementPhase
Similarly, we also propose 3 requirements that help
authentication be more secure: firstly, user & server must
use random values to challenge each other. Secondly, user
& server share a secret session key. Finally, temporary
information mustn’t affect negatively to important infor-
mation such as authentication key. In Islam’s scheme,
we see that both user & server use random values to
challenge each other. However, their scheme’s easy to leak
authentication key AIDU if any random point’s known.
Thus, our phase’ll fix this weak point. In this phase, S and
Figure 4. Proposed authentication phase
U will have the same session key SK. Figure 4 illustrates
the steps that S authenticates U and vice versa.
1) Step 1: At first, U keys identity IDU & the authenti-
cation key AIDU into the mobile device & randomly
choose a number rU from [1, n - 1]. Then, mobile
device computes R = rU · H1(IDU ‖ X), R′
= rU· AIDU , M = H2(R
′ ‖ AIDU ) and CIDU = IDU ⊕H3(R
′). Mobile device sends (X, CIDU , M, R) to S.
2) Step 2: On receiving (X, CIDU , M, R) from U,
S computes R′∗ = qS · R. Then, S extracts user’s
identity by doing IDU = CIDU ⊕ H3(R′∗) and then
checks the validity of the identity IDU . If IDU is
valid, S continue to go next step, otherwise rejects
U’s login message request.
3) Step 3: S computes the authentication key AID∗U= qS · H1(IDU ‖ X) and checks M ?= H2(R
′∗
‖ AID∗U ). If it doesn’t hold, S rejects U’s login
request, otherwise chooses a random number rSfrom [1, n - 1]. Then, S computes point S = rS ·AID∗U , T = R
′∗ + S and HS = H2(S ‖ AID∗U ).
Now, S sends (T, HS) to U.
4) Step 4: On receiving (T, HS), U computes S∗ = T- R
′and checks HS ?= H2(S∗ ‖ AIDU ). If it holds,
U authenticates S and sends the message (HRS) to
S, where HRS = H2(R′ ‖ S∗). U computes session
key SK = H3(rU · S∗).
701
5) Step 5: On receiving (HRS), S checks HRS ?=
H2(R′∗ ‖ S). If it holds, S authenticates U. S
computes session key SK = H3(rS · R′∗).
D. Leaked Key Revocation Phase
This phase’s similar to Islam’s scheme. However, we
use a secure channel in two ways to protect secret in-
formation of user. And Islam’s scheme doesn’t mention
secure channel in this phase.
V. SECURITY AND EFFICIENCY ANALYSIS
In this section, we review our scheme & analyze it on
2 aspects: security & efficiency.
A. Security Analysis
In this subsection, we present these security analyses of
our scheme & show that proposed scheme can resist many
kinds of attack. Assume that wireless communications
are insecure amd that there exists an attacker. He/she
has capability to intercept all messages communicated
between server & user. In table 1, we list the comparisons
between our improved scheme & previous schemes for
withstanding various attacks. In here, we reuse some
comparisions of Yang, Yoon, and Chen from Islam’s paper.
Especially, denial of service resulting from leaking server’s
database in the schemes of Yang, Yoon, and Chen isn’t
problem because these schemes don’t store anything in
server’s database.
1) Stolen Verifier Attack: Because S doesn’t store any
table with information related to U, the proposed scheme
can withstand stolen-verifier attacks. In our scheme, Sgenerates a random value X for each user. Therefore, when
authenticating with S, U only needs to send X to S and Suses master key qS to re-construct AIDU of that user. So,
S doesn’t need to keep U’s password in the storage space
when a new user’s added in the system.
2) Known Session-Specific Temporary Information At-tack: Like definition of Islam’s scheme, our scheme can
resist this kind of attack. We assume that another adversary
A knows rU and rS of another past session. However, Astill can’t know session key SK. We see that SK = rU ·rS · AIDU and A can’t know AIDU . So, A can’t compute
random point R′
or S to know SK.
3) Session Key Perfect Forward Secrecy Attack: Ses-
sion key perfect forward security means, if the long-
term secret key of user & server are leaked but the
generated session key should be safe from the attacker.
In our scheme, if the authentication key AIDU and qS
are compromised to an adversary, then he can compute
two random points R′
= rU · AIDU and S = rS · AIDU .
However he can’t compute session key SK = rU · rS ·AIDU because he must face the Diffie-Hellman problem.
4) Known-key Attack: The known-key security means
that compromise of another past session key can’t derive
any further session key. In our scheme, the session key
SK is the result of one-way hash function, which isn’t
recomputed. Thus, the attacker can’t obtain any further
session key. At this point, Islam’s scheme also achieves
due to using one-way hash function.
5) Denial of Service Resulting From Leaking Server’sDatabase Attack: Denial-of-service attack means that an-
other adversary can update wrong verification information
of another legitimate user. Then, that legal user can’t login
to remote server successfully. In our scheme, we see that
there’s no verification table or dangerous risk information
stored in the remote server. So, our scheme can resist this
kind of attack successfully.6) Mutual Authentication: Like Islam’s scheme, our
scheme uses the three-way challenge-response handshake
technique to achieve mutual authentication. First, U sends
(X, CIDU , M, R) to S. Afterward, S checks M ?= H2(R′ ‖
AIDU ) and then resends (T, HS) to U. U will checks HS
?= H2(S ‖ AIDU ) to authenticate S. Then, U sends HRS to
S. Finally, S checks HRS ?= H2(R ‖ S) to re-authenticate
U7) Session-key Agreement: In our scheme, after finish-
ing mutual authentication successfully, both user & server
share a session key SK to encrypt message later. So, our
scheme not only satisfies mutual authentication but also
provides session key to partners.
Our scheme’s a revised version of Islam’s scheme, so
it can also have advantages that their scheme owns. For
example, our scheme can resist various attacks & problems
such as replay, insider, and impersonation attacks, clock
synchronization, many logged-in users, user’s anonymity
problems.
B. Efficiency Analysis
To compare efficiency between our scheme & the
previous schemes proposed by Yang, Yoon, Chen, and
Islam, we reuse approach used in that previous scheme
to analyze computational complexity. That is, we let
H be the hash function operation, PM be the elliptic
curve scalar point multiplication, PA be the elliptic curve
scalar point addition or subtraction. Furthermore, slight
difference with Islam’s scheme, we ignore exclusive-or(⊕)
and concatenation(‖) operation because it requires very
few computations. In table 2, Yang’s scheme needs 1PMand 1H in registration phase, and 8PM, 5PA and 8H in
mutual authentication phase. Yoon’s scheme needs 1PMand 1H in registration phase, and 7PM, 4PA, and 12H in
mutual authentication phase. Chen’s scheme needs 1PMand 4H in registration phase, and 8PM, 4PA, and 11H in
mutual authentication phase. Islam’s scheme needs 1PMand 1H in registration phase, and 7PM, 4PA, and 6Hin mutual authentication phase. Our scheme needs 1PMand 1H in registration phase, and 7PM, 2PA, and 10Hin mutual authentication phase. Clearly, proposed scheme
needs less computational amount than previous schemes.
VI. CONCLUSIONS
In this paper, we review ‘A more efficient and secure ID-
based remote mutual authentication with key agreement
scheme for mobile devices on elliptic curve cryptosystem’
of Islam & Biswas. Although their scheme can withstand
various attacks. However, we see that their scheme’s still
vulnerable to known session-specific temporary informa-
tion attack & denial of service resulting from leaking
702
Table ITHE COMPARISON BETWEEN OUR SCHEME AND THE PREVIOUS ONES FOR WITHSTANDING VARIOUS ATTACKS
Yang[10] Yoon[11] Chen[12] Islam[13] OursStolen-verifier attack Yes Yes Yes Yes YesImpersonation attack No Yes Yes Yes YesSession-key perfect forward secrecy No No No Yes YesInsider attack Yes Yes Yes Yes YesClock synchronization No No No Yes YesReplay attack No No No Yes YesMany logged-in users No No Yes Yes YesKnown session-specific temporary information No No No No YesKnown-key attack Yes Yes No Yes YesDenial-of-service attack Yes Yes Yes No YesMutual authentication No Yes Yes Yes YesSession key exchange Yes Yes Yes Yes YesNo verification table Yes Yes Yes No YesUser’s anonymity No Yes Yes Yes YesRevocation phase No No No Yes Yes
Table IIA COMPARISON OF COMPUTATION COSTS
Computational type Authentication RegistrationYang’s [10] 8PM + 5PA + 8H 1PM + 1HYoon’s[11] 7PM + 4PA + 12H 1PM + 1HChen.’s[12] 8PM + 4PA + 11H 1PM + 4HIslam’s[13] 7PM + 4PA + 6H 1PM + 1HOur’s 7PM + 2PA + 10H 1PM + 1H
server’s database attack. Consequently, we propose an
improved scheme to eliminate such problems.
Compared with related schemes, the proposed scheme has
the following main advantages: It needs less computational
cost. It provides secure user’s anonymity. It doesn’t hold
any verification table. It provides mutual authentication
with session key agreement. As a result, the proposed
scheme’s able to provide greater security & be practical in
wireless communication systems. In the future, however,
we’ll research a remote biometric-based mutual authenti-
cation scheme on ECC which is very suitable for limited
energy device[13] to enhance security more & apply to
more applications in electronic transactions.
REFERENCES
[1] L. Lamport, “Password authentication with inse-
cure communication,” Communications of the ACM,
vol. 24, pp. 770–772, 1981.
[2] L. H. Li, I. C. Lin, and M. S. Hwang, “A remote
password authentication scheme for multi-server ar-
chitecture using neural networks,” IEEE Transactionson Neural Network, vol. 12, no. 6, pp. 1498–1504,
2001.
[3] J. J. Shen, C. W. Lin, and M. S. Hwang, “A modi-
fied remote user authentication scheme using smart
cards,” IEEE Transactions on Consumer Electronics,
vol. 49, no. 2, pp. 414–416, 2003.
[4] M. S. Hwang, C. C. Lee, and Y. L. Tang, “A simple
remote user authentication scheme,” Mathematicaland Computer Modelling, vol. 36, pp. 103–107,
2002.
[5] C. C. Lee, M. S. Hwang, and W. P. Yang, “Flexi-
ble remote user authentication scheme using smart
cards,” IEEE Transactions on Neural Network,
vol. 36, no. 3, pp. 46–52, 2002.
[6] I.-E. Liao, C.-C. Lee, and M.-S. Hwang, “Security
enhancement for a dynamic id-based remote user
authentication scheme,” IEEE Transactions on Con-sumer Electronics, vol. 50, pp. 629–631, 2004.
[7] E. J. Yoon and K. Y. Yoo, “Improving the dynamic
id-based remote mutual authentication scheme,” FirstInternational Workshop on Information Security, vol.
4277, pp. 499–507, 2006.
[8] Y. Y. Wang, J. Y. Kiu, F. X. Xiao, and J. Dan, “A
more efficient and secure dynamic id-based remote
user authentication scheme,” Computer Communica-tions, vol. 32, pp. 583–585, 2009.
[9] C.-C. Lee, T.-H. Lin, and R.-X. Chang, “A secure
dynamic id based remote user authentication scheme
for multi-server environment using smart cards,” Ex-pert Syst. Appl., vol. 38, no. 11, pp. 13 863–13 870,
2011.
[10] J.-H. Yang and C.-C. Chang, “An id-based remote
mutual authentication with key agreement scheme
for mobile devices on elliptic curve cryptosystem,”
Computers & Security, vol. 28, no. 3-4, pp. 138–143,
2009.
[11] E.-J. Yoon and K.-Y. Yoo, “Robust id-based remote
mutual authentication with key agreement scheme
for mobile devices on ecc,” Computational Scienceand Engineering, IEEE International Conference on,
vol. 2, pp. 633–640, 2009.
[12] T.-H. Chen, Y.-C. Chen, and W.-K. Shih, “An ad-
vanced ecc id-based remote mutual authentication
scheme for mobile devices,” 2010 Symposia andWorkshops on Ubiquitous, Autonomic and TrustedComputing, pp. 116–120, 2010.
[13] S. H. Islam and G. P. Biswas, “A more efficient
and secure id-based remote mutual authentication
with key agreement scheme for mobile devices on
elliptic curve cryptosystem,” Journal of Systems andSoftware, vol. 84, no. 11, pp. 1892–1898, 2011.
703