Smart card-based applications have been widely used in e-commerce for years. Therefore, many authentication schemes have been proposed to improve security over insecure networks. In 2006, Wang and Li pointed out that Yoon et al.'s remote user authentication scheme with smart cards does not provide the property of perfect forward secrecy; i.e., all previous session keys will be broken if the secret key of the remote server is compromised. They then proposed a new remote user authentication scheme based on the Diffie-Hellman algorithm to provide session key exchange capability with the perfect forward secrecy property. However, in this paper, we will first show that their new scheme is vulnerable to the offline password guessing attack, the parallel session attack, the reflection attack, and the insider attack. Then, we will present an improvement to overcome these weaknesses, while preserving all their merits.
Proceedings of the 8th International Conference on Intelligent System Design and Applications, pp.297-302