Zographou: World Scientific and Engineering Academy and Society (W S E A S)
Anonymity is one of the important properties of remote authentication schemes to preserve user privacy. Besides, it can avoid unauthorized entities from using the user ID and other intercepted information to forge legal login messages. In 2004, Das et al. first proposed a remote user authentication scheme with smart cards using dynamic ID to protect user anonymity. Later, in 2005, Chien and Chen demonstrated that Das et al.'s scheme fails to preserve user anonymity and then presented a new scheme to remedy this problem. In 2007, Hu et al. pointed out that Chien-Chen's scheme cannot preserve user anonymity if the smart card is nontamper resistant; i.e., the secret information stored in the smart card can be revealed. They then proposed an improved scheme to cope with this problem. In this paper, however, we will show that Hu et al.'s scheme still cannot preserve user anonymity under their assumption. In addition, their scheme is also vulnerable to the offline password guessing attack. We then present an improvement to overcome these weaknesses, while preserving all the merits of their scheme.
WSEAS Transactions on Information Science and Applications 7(5), pp.619-628