
[IEEE 2012 Workshops of International Conference on Advanced Information Networking and Applications (WAINA), Fukuoka, Japan, 26–29 March 2012]

Improvement of the more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on ECC

Toan-Thinh TRUONG*, Minh-Triet TRAN† and Anh-Duc DUONG†

*Smart Digital Content, SDC. Email: [email protected]

†Faculty of Information Technology, University of Science, VNU-HCM. Email: {tmtriet,daduc}@fit.hcmus.edu.vn

Abstract—Mobile devices (e.g., PDAs, mobile phones, and notebook PCs) have become necessary for a convenient and modern life. Users can use them to easily access many applications deployed on the internet or wireless networks, for example online shopping, mobile pay TV and internet banking. Therefore, secure communication in such wireless environments is more and more important, because it protects transactions between users and servers from illegal adversaries. Users in particular are vulnerable to attacks, and many authentication schemes have been proposed to protect them. Recently, Islam and Biswas proposed a more efficient and secure ID-based scheme for mobile devices on ECC to enhance authentication security. They claimed that their scheme is truly more secure than previous ones and can resist various attacks. However, this is not true: their scheme is vulnerable to the known session-specific temporary information attack and to a denial of service resulting from a leak of the server's database. In this paper, we present an improvement to their scheme that removes these problems.

Keywords—Authentication, Password, Dynamic ID, Smart card, Impersonation, Session key, Elliptic curve cryptosystem

I. INTRODUCTION

With the non-stop growth of wireless networks such as GSM, CDPD, 3G and 4G, remote authentication schemes play an important role in communication between parties. To keep fairness and security, a scheme must not only protect legitimate users and servers from adversaries, but also prevent legitimate parties from impersonating each other.

There are many ways of satisfying the above requirements, and one solution that many schemes employ is password authentication, which has advantages such as simplicity, efficiency, scalability, and convenience. However, many password-based schemes [1][2][3][4][5] use a static identity, which leaks information to an attacker. One solution to identity theft is to make the identity vary for each login. Later, a number of papers [6][7][8][9] proposed ideas to preserve user anonymity by employing a random value or a time-stamp to vary the user identity for each session. However, these schemes provide a smart card for each user and assume that the contents of the smart card cannot be revealed. This is impractical, because a smart card can be lost or stolen, and an attacker holding the card is then fully able to impersonate users or servers.

In 2009, Yang [10] proposed a scheme combining elliptic curve and identity-based cryptosystems to enhance security. They claimed that their scheme is secure against various attacks, such as the replay attack and the impersonation attack. In the same year, Yoon [11] pointed out that Yang's scheme cannot withstand the impersonation attack and, furthermore, does not achieve perfect forward secrecy, a very important property when evaluating a strong authentication and key agreement protocol. Yoon then proposed another scheme to fix these problems. In 2010, Chen [12] proposed an advanced ECC ID-based remote mutual authentication scheme for mobile devices to improve Yang's scheme, claiming that it authenticates users and remote servers for mobile devices more securely. Then, in 2011, Islam and Biswas [13] proposed a more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on the elliptic curve cryptosystem, pointing out several new problems in the three previous schemes, for example user anonymity, many logged-in users, and clock synchronization. They claimed that their scheme is truly efficient and usable for mobile users in many internet applications and wireless networks.

Nevertheless, in this paper we show that Islam and Biswas's scheme cannot resist the known session-specific temporary information attack, nor a denial of service resulting from a leak of the server's database. We then propose an improvement of their scheme to overcome these weaknesses. Besides, our scheme has lower power consumption and computation cost than the previous schemes. Our main ideas are (i) not using a point addition between a random point and the user's authentication key, and (ii) not storing the random value in the server's database; together these fix the problems identified in Islam and Biswas's scheme [13].

The remainder of this paper is organized as follows: Section 2 presents related work. Section 3 briefly reviews Islam and Biswas's scheme and discusses its weaknesses. Our proposed scheme is presented in Section 4, while Section 5 discusses the security and efficiency of the proposed scheme. Our conclusions are presented in Section 6.

II. RELATED WORKS

In this section we review the basic concepts of the elliptic curve cryptosystem and introduce three computational problems.

2012 26th International Conference on Advanced Information Networking and Applications Workshops

978-0-7695-4652-0/12 $26.00 © 2012 IEEE

DOI 10.1109/WAINA.2012.125


A. Elliptic Curve Cryptosystem

An elliptic curve is a cubic equation of the form y² + a1xy + a2y = x³ + a3x² + a4x + a5, where a1, a2, a3, a4, a5 are real numbers. In elliptic curve cryptography the curve is defined in the form Ep(a, b): y² = x³ + ax + b (mod p) over a prime finite field Fp, where a, b ∈ Fp, p > 3, and 4a³ + 27b² ≠ 0 (mod p) (Hankerson et al., 2004). Given an integer s ∈ F*p and a point P ∈ Ep(a, b), the point multiplication s · P over Ep(a, b) is defined as s · P = P + P + ... + P (s times). More details of ECC definitions can be found in Hankerson et al. (2004).

B. Computational Problems

Generally, the security of ECC is based on the difficulty of the following problems (Li et al., 2008).

1) Given two points P and Q over Ep(a, b), the elliptic curve discrete logarithm problem (ECDLP) is to find an integer s ∈ F*p such that Q = s · P.

2) Given three points P, s · P and t · P over Ep(a, b) for s, t ∈ F*p, the computational Diffie-Hellman problem (CDHP) is to find the point (s · t) · P over Ep(a, b).

3) Given two points P and Q = s · P + t · P over Ep(a, b) for s, t ∈ F*p, the elliptic curve factorization problem (ECFP) is to find the two points s · P and t · P over Ep(a, b).

Up to now, no polynomial-time algorithm is known that solves any of the above problems on a suitably chosen curve (Li et al., 2008).

III. REVIEW & CRYPTANALYSIS OF ISLAM & BISWAS'S SCHEME

In this section, we review Islam and Biswas's "A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on ECC" [13] and show that their scheme is vulnerable to the known session-specific temporary information attack and to a denial of service resulting from a leak of the server's database.

A. Review of Islam and Biswas’s Scheme

In this subsection, we review Islam and Biswas's scheme. It includes four phases: the system initialization phase, the user registration phase, the mutual authentication with session key agreement phase, and the leaked key revocation phase. The important notations of this scheme are listed as follows:

• S: The server (the paper also reuses the letter S for the point S = rS · P computed by the server in the authentication phase).

• U: The user.

• IDU: Identity of U.

• AIDU: U's authentication key.

• qS: The private key (master key) of server S.

• rU: A secret number chosen by U.

• rS: A secret number chosen by S.

• H(.): A one-way secure hash function.

• kdf: A one-way key derivation function.

• ⊕: Exclusive-or operation.

• ‖: Message concatenation operation.

1) System Initialization Phase: The system initialization phase of Islam and Biswas's scheme includes four steps:

• Step 1: S selects a k-bit prime number p and a base point P with order n from the elliptic curve group Gp.

• Step 2: S chooses a random number qS (the master key of S) from [1, n - 1] and computes the public key QS = qS · P.

• Step 3: S chooses two one-way secure hash functions H1: {0, 1}* → Gp, H2: Gp × Gp → Z*p and a one-way key derivation function kdf: {0, 1}* × Gp × Gp → {0, 1}^k.

• Step 4: S publishes (Ep(a, b), P, QS, H1, H2, kdf).

2) User Registration Phase: The user registration phase is performed only once, when the user wants to join the system. It includes three steps; Figure 1 illustrates the steps in this phase.

Figure 1. Islam and Biswas's registration phase

• Step 1: U chooses an identity IDU ∈ {0, 1}^p and submits it to S with some personal secret information via a secure channel.

• Step 2: S checks U's IDU. If IDU already exists in the server's database, S asks U for a different ID. Thereafter S checks the registration details and computes the authentication key AIDU = qS · H1(IDU ‖ X), where X ∈ Z*p is a random number chosen by S. S stores the information (IDU, X, status-bit) about U in its secure database. S sets the status-bit to 1 if the user is logged in, otherwise to 0.

• Step 3: S returns AIDU to U via the secure channel.

In this phase, we see that Islam and Biswas's scheme stores the random value X in the server's database. If the database leaks, an attacker can modify the random values of many users, and those users can then no longer log in to S at the authentication phase. We fix this problem in our scheme.

3) Mutual Authentication with Session Key Agreement Phase: In this phase the authors assume that messages are exchanged over an open channel. Figure 2 illustrates the steps.

Figure 2. Islam and Biswas's authentication phase

• Step 1. U keys the identity IDU and AIDU into the mobile device, randomly chooses a number rU from [1, n - 1], and computes R = rU · P, N = R + AIDU and M = rU · QS. U computes the dynamic identity CIDU = IDU ⊕ H2(R ‖ AIDU) and sends the message (CIDU, N, M) to S.

• Step 2. On receiving (CIDU, N, M), S computes R* = qS^{-1} · M and AIDU = N - R*. Then S extracts the user's identity by computing IDU = CIDU ⊕ H2(R* ‖ AIDU) and checks the validity of IDU. If IDU is valid, S continues to the next step, otherwise it rejects U's login request.

• Step 3. S further computes AID*U = qS · H1(IDU ‖ X) (IDU and X are taken from the server's database) and checks AID*U ?= AIDU. If this does not hold, S rejects U's login request; otherwise S chooses a random number rS from [1, n - 1] and computes S = rS · P, T = R* + S and HS = H2(S ‖ AID*U). S then sends the message (T, HS) to U.

• Step 4. On receiving (T, HS), U computes S* = T - R and H*S = H2(S* ‖ AIDU) and checks H*S ?= HS. If it holds, U authenticates S and sends (HRS), where HRS = H2(R ‖ S*). U computes the session key SK = kdf(IDU ‖ AIDU ‖ K), where K = rU · S* = rU · rS · P.

• Step 5. On receiving (HRS), S computes H*RS = H2(R* ‖ S) and compares it with HRS. If they match, S authenticates U and computes the session key SK = kdf(IDU ‖ AIDU ‖ K), where K = rS · R* = rS · rU · P.

In this phase, we see that Islam and Biswas's scheme performs a point addition between the random point R and AIDU. This is very dangerous: if the random point R (or S, from which R* = T - S follows) of any past session is revealed, AIDU becomes known to the attacker. We fix this problem in our scheme.

4) Leaked Key Revocation Phase: In this phase the authors assume that AIDU has leaked to an adversary, so user U requests a fresh authentication key from server S. U submits the old authentication key AIDU, the identity IDU and personal secret information to S. S first checks the validity of U. After validating the user's credentials, S selects another random number X̄ ∈ Z*p and issues the fresh authentication key ĀIDU = qS · H1(IDU ‖ X̄) for the old identity IDU. Note that revocation of the authentication key does not require a new identity; only X changes in each revocation. S returns the new authentication key ĀIDU to U via a secure channel and keeps its database unchanged except that X is replaced by X̄.

In this leaked key revocation phase, we see that user U's information is vulnerable to attack because the revocation request is transmitted over an open channel. We therefore propose that a secure channel be used to protect U's information when it is submitted in this phase.

B. Cryptanalysis of Islam and Biswas’s Scheme

In this subsection, we present our results on Islam and Biswas's scheme. We show that it is vulnerable to the known session-specific temporary information attack and to a denial of service resulting from a leak of the server's database.

1) Known Session-Specific Temporary Information Attack: In their paper, the authors claim that their scheme resists the known session-specific temporary information attack: in their view, an adversary who obtains the session ephemeral secrets rU and rS still cannot compute the session key SK because he or she lacks AIDU. However, this is not true: with rU and rS, the adversary can also learn U's AIDU. Suppose adversary A has rU, rS and the past login message (CIDU, N, M) of user U. A performs the following steps to obtain SK.

• Step 1: Compute R = rU · P and S = rS · P.

• Step 2: Compute AIDU = N - R.

• Step 3: Compute IDU = CIDU ⊕ H2(R ‖ AIDU).

• Step 4: Compute SK = kdf(IDU ‖ AIDU ‖ K), where K = rU · rS · P.

Note that the damage is not limited to one session key: Steps 2 and 3 recover the long-term key AIDU and the identity IDU from a single captured login message, and either ephemeral alone suffices. With rU, the steps above apply directly; with rS alone, A computes R = T - rS · P from the server's reply, then AIDU = N - R, IDU as in Step 3, and K = rS · R.

In Islam and Biswas's authentication phase, the point addition between the random point R and the authentication key AIDU is the mistake: if R leaks, U's AIDU is easily computed. Our scheme removes this problem.

2) Denial of Service Resulting from Leaking Server's Database: In the user registration phase of Islam and Biswas's scheme, the server S stores (IDU, X, status-bit) for each user U. This is dangerous because an adversary who gains access to the server's database can modify the X values, so that many users can no longer log in to S. (This requires write access to the database; a read-only leak of X does not by itself allow forging AIDU, which also depends on the master key qS.) The following demonstrates the problem.

• Step 1: User U sends the login message (CIDU, N, M) to server S.

• Step 2: On receiving (CIDU, N, M) from U, S computes R* = qS^{-1} · M, AIDU = N - R*, IDU = CIDU ⊕ H2(R* ‖ AIDU) and AID*U = qS · H1(IDU ‖ X′), where X′ is the random value modified by the adversary.

• Step 3: S checks AID*U ?= AIDU. Clearly this does not hold because of X′, so S rejects user U.

Hence, Islam and Biswas's scheme is vulnerable to a denial of service resulting from a leak of the server's database. In our scheme, we do not store the random value in the database, which resists this kind of attack.

IV. PROPOSED SCHEME

In this section, we propose a revised scheme that removes the security problems described in the previous section. Our improved scheme not only inherits the advantages of Islam and Biswas's scheme but also enhances its security. Before going into each phase, we present the general ideas of our scheme in more detail. In the registration phase, the main goal is obtaining AIDU. The random value X resists re-registration by an attacker: the same identity yields different authentication keys at different times. In the authentication phase, we use two random values rU and rS so that server and user challenge each other. Furthermore, we do not store the random value X in the database and do not perform a point addition between a random point and AIDU. Our scheme is divided into four phases: system initialization, user registration, mutual authentication with key agreement, and leaked key revocation.

A. System Initialization Phase

In this phase we use three one-way hash functions. The system initialization phase includes four steps:

• Step 1: S chooses a k-bit prime number p and a base point P with order n from the elliptic curve group Gp.

• Step 2: S chooses a random number qS from [1, n - 1].

• Step 3: S chooses three one-way hash functions H1: {0, 1}* → Gp, H2: Gp × Gp → {0, 1}^k and H3: Gp → {0, 1}^k.

• Step 4: The server publishes (Ep(a, b), P, H1, H2, H3) as system parameters and keeps the master key qS secret. (Unlike Islam and Biswas's scheme, no public key QS is published: the user never multiplies by QS, and the server recovers R′ = rU · AIDU from R by multiplying with qS.)

B. User Registration Phase

Before presenting the phase, we list three requirements for a registration phase: secrecy of the information transmitted between user and server; distinct keys for each registration issued by the server; and no storage on the server of user information that can become a hazard. Islam and Biswas's scheme achieves the first two requirements but not the last, so we address this point to obtain a good registration phase. Our scheme consists of three steps, illustrated in Figure 3.

1) Step 1: U chooses an identity IDU ∈ {0, 1}^k and submits it to S with some personal information via a secure channel.

2) Step 2: S checks U's IDU. If IDU already exists in the server's database, S asks U for a different identity. Otherwise, S chooses a random value X ∈ Z*p and computes AIDU = qS · H1(IDU ‖ X). Finally, S stores (IDU, status-bit) for user U in its database (the status-bit is as in Islam and Biswas's scheme); X itself is not stored.

3) Step 3: S returns AIDU to U via a secure channel. (Since the login message of the authentication phase carries X and S recomputes AIDU from it, U must also obtain and keep X at this step.)

Figure 3. Proposed registration phase

C. Mutual Authentication & Session Key Agreement Phase

Similarly, we propose three requirements that make authentication more secure: first, user and server must use random values to challenge each other; second, user and server must share a secret session key; finally, temporary information must not compromise long-term information such as the authentication key. In Islam and Biswas's scheme, user and server do use random values to challenge each other, but the scheme leaks the authentication key AIDU as soon as either random point is known. Our phase fixes this weak point. At the end of this phase S and U hold the same session key SK. Figure 4 illustrates the steps by which S authenticates U and vice versa.

Figure 4. Proposed authentication phase

1) Step 1: U keys the identity IDU and the authentication key AIDU into the mobile device and randomly chooses a number rU from [1, n - 1]. The mobile device then computes R = rU · H1(IDU ‖ X), R′ = rU · AIDU, M = H2(R′ ‖ AIDU) and CIDU = IDU ⊕ H3(R′), and sends (X, CIDU, M, R) to S.

2) Step 2: On receiving (X, CIDU, M, R) from U, S computes R′* = qS · R (which equals R′, since AIDU = qS · H1(IDU ‖ X)). S then extracts the user's identity as IDU = CIDU ⊕ H3(R′*) and checks the validity of IDU. If IDU is valid, S continues to the next step, otherwise it rejects U's login request.

3) Step 3: S computes the authentication key AID*U = qS · H1(IDU ‖ X) and checks M ?= H2(R′* ‖ AID*U). If this does not hold, S rejects U's login request; otherwise S chooses a random number rS from [1, n - 1] and computes the point S = rS · AID*U, T = R′* + S and HS = H2(S ‖ AID*U). S then sends (T, HS) to U.

4) Step 4: On receiving (T, HS), U computes S* = T - R′ and checks HS ?= H2(S* ‖ AIDU). If it holds, U authenticates S and sends the message (HRS) to S, where HRS = H2(R′ ‖ S*). U computes the session key SK = H3(rU · S*).

5) Step 5: On receiving (HRS), S checks HRS ?= H2(R′* ‖ S). If it holds, S authenticates U and computes the session key SK = H3(rS · R′*). Both sides thus obtain SK = H3(rU · rS · AIDU).
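The following added example (written for this page, not code from the paper) exercises both the attack of Section III.B.1 on Islam and Biswas's login message and the proposed handshake above on a concrete curve. The paper fixes no curve or hash functions, so the example assumes secp256k1 for Ep(a, b), P and n, SHA-256 for H2, H3 and kdf, 32-byte identities, and a stand-in H1 that hashes to a scalar and multiplies the base point. That H1 is adequate for checking the protocol arithmetic but is not a secure hash-to-curve: its discrete logarithm to P is known to whoever computes it, so a deployment needs a proper hash-to-curve, otherwise AIDU = qS · H1(·) would be computable from qS · P. The key values, identities and random numbers are constructed sample inputs. It shows that, given rU and rS, an adversary recovers AIDU, IDU and SK from one captured (CIDU, N, M); that the proposed handshake completes with both sides deriving the same SK and rejects a tampered M or an unknown identity; and, as an editorial check on the claim in Section V.A.2, that the same adversary recovers AIDU from the proposed scheme's reply T = (rU + rS) · AIDU.

```python
import hashlib

# secp256k1 domain parameters: an assumed instantiation of (E_p(a, b), P, n).
# P_MOD is the field prime, N_ORD the order of the base point G (the paper's P).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine point addition/doubling on y^2 = x^3 + 7 mod p (a = 0)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k.pt (the paper's s.P)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def H1(msg):  # {0,1}* -> G_p stand-in: hash to a scalar, multiply the base point
    return ec_mul(int.from_bytes(hashlib.sha256(msg).digest(), "big") % N_ORD or 1, G)
def H2(p1, p2):  # G_p x G_p -> {0,1}^k with k = 256
    return hashlib.sha256(enc(p1) + enc(p2)).digest()
def H3(pt):  # G_p -> {0,1}^k
    return hashlib.sha256(enc(pt)).digest()
def kdf(id_u, aid_u, K):  # kdf(ID_U || AID_U || K) stand-in
    return hashlib.sha256(id_u + enc(aid_u) + enc(K)).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def register(q_s, id_u, x):
    """Both schemes: AID_U = q_S . H1(ID_U || X); ID_U is a 32-byte string."""
    return ec_mul(q_s, H1(id_u + x))

# ---- Islam-Biswas login (their Step 1) and the KSSTI attack of Sec. III.B.1 ----
def islam_login(id_u, aid_u, r_u, q_s_pub):
    R = ec_mul(r_u, G)
    return xor(id_u, H2(R, aid_u)), ec_add(R, aid_u), ec_mul(r_u, q_s_pub)  # (CID_U, N, M)

def islam_ksti_attack(r_u, r_s, cid, N, M):
    """Adversary holding the ephemerals r_U, r_S and a captured (CID_U, N, M)."""
    R = ec_mul(r_u, G)
    aid_u = ec_add(N, ec_neg(R))        # AID_U = N - R: the point addition leaks it
    id_u = xor(cid, H2(R, aid_u))       # ID_U = CID_U xor H2(R || AID_U)
    return aid_u, id_u, kdf(id_u, aid_u, ec_mul(r_u * r_s % N_ORD, G))

# ---- Proposed scheme (Sec. IV.C): the five-step handshake, both sides ----
def prop_user_login(id_u, aid_u, x, r_u):
    Rp = ec_mul(r_u, aid_u)             # R' = r_U . AID_U (kept by U)
    R = ec_mul(r_u, H1(id_u + x))       # R  = r_U . H1(ID_U || X)
    return Rp, (x, xor(id_u, H3(Rp)), H2(Rp, aid_u), R)   # (X, CID_U, M, R)

def prop_server_reply(q_s, id_table, msg, r_s):
    x, cid, M, R = msg
    Rp = ec_mul(q_s, R)                 # R'* = q_S . R = r_U . AID_U
    id_u = xor(cid, H3(Rp))
    if id_u not in id_table:            # only ID_U (and a status bit) is stored
        return None, None
    aid = ec_mul(q_s, H1(id_u + x))     # AID*_U recomputed from q_S, nothing stored
    if M != H2(Rp, aid):
        return None, None
    S = ec_mul(r_s, aid)                # S = r_S . AID*_U
    return (Rp, S), (ec_add(Rp, S), H2(S, aid))   # state, (T, H_S)

def prop_user_finish(aid_u, Rp, r_u, reply):
    T, HS = reply
    S = ec_add(T, ec_neg(Rp))           # S* = T - R'
    if HS != H2(S, aid_u):
        return None, None
    return H2(Rp, S), H3(ec_mul(r_u, S))   # H_RS, SK = H3(r_U . S*)

def prop_server_finish(state, HRS, r_s):
    Rp, S = state
    return None if HRS != H2(Rp, S) else H3(ec_mul(r_s, Rp))   # SK = H3(r_S . R'*)

def prop_recover_aid_from_T(r_u, r_s, T):
    """Editorial check: T = R' + S = (r_U + r_S) . AID_U, so an adversary with both
    ephemerals and the intercepted T recovers AID_U (needs r_U + r_S != 0 mod n)."""
    return ec_mul(pow((r_u + r_s) % N_ORD, -1, N_ORD), T)
```

Run it by registering a user with `register(q_s, id_u, x)`, feeding the output of `islam_login` to `islam_ksti_attack`, and chaining `prop_user_login`, `prop_server_reply`, `prop_user_finish` and `prop_server_finish` for the proposed scheme; the server side keeps only a set of identities, and every failed check returns `None` rather than raising, so a caller can treat any `None` as a rejected login. `prop_recover_aid_from_T` is the check discussed under the security analysis, not part of the paper's scheme.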

D. Leaked Key Revocation Phase

This phase is similar to Islam and Biswas's scheme. However, we use a secure channel in both directions to protect the user's secret information, whereas Islam and Biswas's scheme does not mention a secure channel for the user's request in this phase.

V. SECURITY AND EFFICIENCY ANALYSIS

In this section, we review our scheme and analyze it in two aspects: security and efficiency.

A. Security Analysis

In this subsection, we present the security analysis of our scheme and show that it resists many kinds of attack. Assume that the wireless communications are insecure and that an attacker exists who can intercept all messages exchanged between server and user. Table I compares our improved scheme with the previous schemes with respect to withstanding various attacks; the entries for Yang, Yoon and Chen are reused from Islam and Biswas's paper. Note that a denial of service resulting from a leak of the server's database is not a problem for the schemes of Yang, Yoon and Chen, because those schemes store nothing in the server's database.

1) Stolen Verifier Attack: Because S stores no verifier table for U, the proposed scheme withstands stolen-verifier attacks. In our scheme, S generates a random value X for each user; when authenticating, U only needs to send X to S, and S uses the master key qS to reconstruct AIDU for that user. So S does not need to keep any secret of U in storage when a new user is added to the system.

2) Known Session-Specific Temporary Information Attack: As with Islam and Biswas's definition, our scheme is intended to resist this kind of attack. Assume an adversary A knows rU and rS of a past session. The session key is SK = H3(rU · rS · AIDU), and A does not know AIDU, so A cannot compute the random points R′ or S, nor SK, from the ephemerals alone. (Editorial note: in the stated model A also intercepts the reply T = R′* + S = (rU + rS) · AIDU, and whenever rU + rS ≢ 0 (mod n) A can compute AIDU = (rU + rS)^{-1} · T and hence SK. The argument above therefore only holds if T is not available to A, which contradicts the assumption that A intercepts all messages; an implementer should treat this claim with caution.)

3) Session Key Perfect Forward Secrecy: Perfect forward secrecy means that if the long-term secret keys of user and server are leaked, previously generated session keys remain safe from the attacker. In our scheme, if the authentication key AIDU and the master key qS are compromised, the adversary can compute the two random points R′ = rU · AIDU (as qS · R) and S = rS · AIDU (as T - R′). However, he cannot compute the session key SK = H3(rU · rS · AIDU) from R′ and S without solving the computational Diffie-Hellman problem with base point AIDU.

4) Known-Key Attack: Known-key security means that the compromise of a past session key does not allow any further session key to be derived. In our scheme, every session key SK is the output of a one-way hash function over a fresh value rU · rS · AIDU, so a compromised session key gives the attacker no further session key. Islam and Biswas's scheme also achieves this, since it too derives the session key with a one-way function.

5) Denial of Service Resulting from Leaking Server's Database: In this denial-of-service attack, an adversary updates the verification information of a legitimate user with wrong values, so that the legitimate user can no longer log in to the remote server. In our scheme, no verification table or other hazardous information is stored on the remote server (only IDU and the status-bit), so our scheme resists this kind of attack. (An attacker with write access could still delete the IDU entry itself; the point is that no value feeding AIDU is stored.)

6) Mutual Authentication: Like Islam and Biswas's scheme, our scheme uses a three-way challenge-response handshake to achieve mutual authentication. First, U sends (X, CIDU, M, R) to S. S checks M ?= H2(R′ ‖ AIDU) and replies with (T, HS). U checks HS ?= H2(S ‖ AIDU) to authenticate S and then sends HRS to S. Finally, S checks HRS ?= H2(R′ ‖ S) to authenticate U.

7) Session Key Agreement: In our scheme, after mutual authentication completes successfully, user and server share a session key SK for encrypting subsequent messages. So our scheme not only satisfies mutual authentication but also provides a session key to both partners.

Our scheme is a revised version of Islam and Biswas's scheme, so it also retains the advantages of their scheme. For example, it resists replay, insider and impersonation attacks and avoids the clock synchronization, many logged-in users and user anonymity problems.

B. Efficiency Analysis

To compare the efficiency of our scheme with the previous schemes of Yang, Yoon, Chen, and Islam and Biswas, we reuse the approach of those papers to analyze computational complexity: let H denote a hash function operation, PM an elliptic curve scalar point multiplication, and PA an elliptic curve point addition or subtraction. As a slight difference from Islam and Biswas's analysis, we ignore the exclusive-or (⊕) and concatenation (‖) operations because they require very little computation. As Table II shows, Yang's scheme needs 1PM and 1H in the registration phase and 8PM, 5PA and 8H in the mutual authentication phase. Yoon's scheme needs 1PM and 1H in registration and 7PM, 4PA and 12H in mutual authentication. Chen's scheme needs 1PM and 4H in registration and 8PM, 4PA and 11H in mutual authentication. Islam and Biswas's scheme needs 1PM and 1H in registration and 7PM, 4PA and 6H in mutual authentication. Our scheme needs 1PM and 1H in registration and 7PM, 2PA and 10H in mutual authentication. Since point multiplications and additions dominate the cost on a mobile device, the proposed scheme needs fewer of the expensive elliptic curve operations than the previous schemes, at the price of four more hash operations than Islam and Biswas's scheme.

Table I
THE COMPARISON BETWEEN OUR SCHEME AND THE PREVIOUS ONES FOR WITHSTANDING VARIOUS ATTACKS ("Yes": the scheme withstands the attack or provides the property)

Property                                       Yang[10]  Yoon[11]  Chen[12]  Islam[13]  Ours
Stolen-verifier attack                         Yes       Yes       Yes       Yes        Yes
Impersonation attack                           No        Yes       Yes       Yes        Yes
Session-key perfect forward secrecy            No        No        No        Yes        Yes
Insider attack                                 Yes       Yes       Yes       Yes        Yes
Clock synchronization                          No        No        No        Yes        Yes
Replay attack                                  No        No        No        Yes        Yes
Many logged-in users                           No        No        Yes       Yes        Yes
Known session-specific temporary information   No        No        No        No         Yes
Known-key attack                               Yes       Yes       No        Yes        Yes
Denial-of-service attack                       Yes       Yes       Yes       No         Yes
Mutual authentication                          No        Yes       Yes       Yes        Yes
Session key exchange                           Yes       Yes       Yes       Yes        Yes
No verification table                          Yes       Yes       Yes       No         Yes
User's anonymity                               No        Yes       Yes       Yes        Yes
Revocation phase                               No        No        No        Yes        Yes

Table II
A COMPARISON OF COMPUTATION COSTS

Scheme        Authentication      Registration
Yang [10]     8PM + 5PA + 8H      1PM + 1H
Yoon [11]     7PM + 4PA + 12H     1PM + 1H
Chen [12]     8PM + 4PA + 11H     1PM + 4H
Islam [13]    7PM + 4PA + 6H      1PM + 1H
Ours          7PM + 2PA + 10H     1PM + 1H

VI. CONCLUSIONS

In this paper, we reviewed "A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem" by Islam and Biswas. Although their scheme withstands various attacks, it is still vulnerable to the known session-specific temporary information attack and to a denial of service resulting from a leak of the server's database. Consequently, we proposed an improved scheme to eliminate these problems. Compared with the related schemes, the proposed scheme has the following main advantages: it needs fewer elliptic curve point operations; it provides secure user anonymity; it holds no verification table; and it provides mutual authentication with session key agreement. As a result, the proposed scheme is able to provide greater security and to be practical in wireless communication systems. In future work we will research a remote biometric-based mutual authentication scheme on ECC, which is very suitable for limited-energy devices [13], to enhance security further and to apply it to more applications in electronic transactions.

REFERENCES

[1] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, pp. 770–772, 1981.

[2] L. H. Li, I. C. Lin, and M. S. Hwang, “A remote password authentication scheme for multi-server architecture using neural networks,” IEEE Transactions on Neural Networks, vol. 12, no. 6, pp. 1498–1504, 2001.

[3] J. J. Shen, C. W. Lin, and M. S. Hwang, “A modified remote user authentication scheme using smart cards,” IEEE Transactions on Consumer Electronics, vol. 49, no. 2, pp. 414–416, 2003.

[4] M. S. Hwang, C. C. Lee, and Y. L. Tang, “A simple remote user authentication scheme,” Mathematical and Computer Modelling, vol. 36, pp. 103–107, 2002.

[5] C. C. Lee, M. S. Hwang, and W. P. Yang, “Flexible remote user authentication scheme using smart cards,” IEEE Transactions on Neural Networks, vol. 36, no. 3, pp. 46–52, 2002.

[6] I.-E. Liao, C.-C. Lee, and M.-S. Hwang, “Security enhancement for a dynamic ID-based remote user authentication scheme,” IEEE Transactions on Consumer Electronics, vol. 50, pp. 629–631, 2004.

[7] E. J. Yoon and K. Y. Yoo, “Improving the dynamic ID-based remote mutual authentication scheme,” First International Workshop on Information Security, vol. 4277, pp. 499–507, 2006.

[8] Y. Y. Wang, J. Y. Liu, F. X. Xiao, and J. Dan, “A more efficient and secure dynamic ID-based remote user authentication scheme,” Computer Communications, vol. 32, pp. 583–585, 2009.

[9] C.-C. Lee, T.-H. Lin, and R.-X. Chang, “A secure dynamic ID-based remote user authentication scheme for multi-server environment using smart cards,” Expert Systems with Applications, vol. 38, no. 11, pp. 13863–13870, 2011.

[10] J.-H. Yang and C.-C. Chang, “An ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem,” Computers & Security, vol. 28, no. 3-4, pp. 138–143, 2009.

[11] E.-J. Yoon and K.-Y. Yoo, “Robust ID-based remote mutual authentication with key agreement scheme for mobile devices on ECC,” IEEE International Conference on Computational Science and Engineering, vol. 2, pp. 633–640, 2009.

[12] T.-H. Chen, Y.-C. Chen, and W.-K. Shih, “An advanced ECC ID-based remote mutual authentication scheme for mobile devices,” 2010 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, pp. 116–120, 2010.

[13] S. H. Islam and G. P. Biswas, “A more efficient and secure ID-based remote mutual authentication with key agreement scheme for mobile devices on elliptic curve cryptosystem,” Journal of Systems and Software, vol. 84, no. 11, pp. 1892–1898, 2011.
