Recently, Kim and Chung proposed a more secure remote user authentication scheme, which is an improvement over Yoon-Yoo's scheme to remedy their security flaws, such as leak of password and vulnerabilities to the masquerading user attack, the masquerading server attack, and the stolen-verifier attack. In this paper, we will show that Kim-Chung's improved scheme is vulnerable to the offline password guessing attack. In addition, the scheme does not possess the feature of secret key forward secrecy as they claimed. Hence, Kim-Chung's scheme is also subject to the masquerading user attack and the masquerading server attack as well. Moreover, their scheme does not generate session keys for secure communications.
