# Introduction n 1981, a remote password authentication scheme was proposed by L. Lamport [4] over an insecure channel. Since then, several schemes [5], [6], [7], [8], [9], [10] have been proposed to address this problem for achieving more functionality and efficiency. In a traditional password scheme, each user has an identity and a secret password. If a person wants to log into a network system, they must submit their identity and the corresponding password. To avoid storing a plain password table in a public network system, several scheme [4], [11], [12] have proposed a dictionary of verification tables to store each user ID and the corresponding one-way hash value of passwords in the remote system. In 2005, Chien et al. [9] pointed out that Das et al. [8] scheme cannot achieve user anonymity because an attacker can trace user with the static value. In 2010, Lee et al. [13] have analyzed the security of the smart card based user authentication scheme proposed by Lee and Chiu [14]. Their security analysis showed that scheme [9] does not achieve its main security goal of the two-factor security. To demonstrate this, they have shown that the scheme is vulnerable to an o_-line dictionary attack in which an attacker, who has obtained the secret values stored in the users smart card can easily find out its password. Besides reporting the security problem, they showed what really is causing the problem and how to fix it and they proposed a new and improved scheme than Lee and Chius scheme. In 2012, Francisco et al. have shown security vulnerabilities like Denial of service, server spoong, impersonation in Wang et al. [2] scheme. We propose a scheme that can withstand the above mentioned attacks, we implemented and demonstrated the stated scheme using MATLAB. The paper is organized as follows. In Section 2, we give a brief review on Wang et al.s scheme. We demon-strate the vulnerabilities of the scheme in Section 3. The proposed scheme and its security analysis are presented in section 4 and 5. Section 6 com-pares the performance of our proposed scheme with other related schemes. Finally, we conclude this paper in Section 7. [ID i ,CID i ,A i ,T] of User U i H(PW i )=A i ?H(x)?ID i CID i *=H(PW i )?H(A i ?y?T*)?ID i Send M i =[ID i ,CID i ,A i ,T*] to S # Verification Phase Verify T*-T? ?T, if time interval is incorrect then reject login request otherwise accept M i and perform: H(PW i )*=CID i ?H(A i ?y?T*)?ID i Compute ID i *=H(PW i )*?H(x)?A i Here ID i * and ID i are equals so login request accepted by the server and S performs: CID i =H(PW i )?H(A i ?y?T)?ID i Send M i =[ID i ,CID i ,A i ,T] to S. Intercept message M i of User U i M i =[ID i ,CID i ,A i ,T] Compute H(x)=H(PW a )?A a ?ID a Compute H(PW i )=A i ?H(x)?ID i # Proposed Scheme This section proposes a strong, secure authentication scheme which will with-stand the security vulnerabilities which leads to the aforementioned attacks. # a) Registration phase In this phase, the user registers with the remote server S through a secure channel to be a authentic user. Step 1: chooses his/her identity and password and computes . Then sends the registration request Step 2: Upon receiving from , S veri_es the validity of and computes Step 3: computes then captures current date and time in T and create a record in its database. Step 4: stores into the smart card of and sends the smart card through a secure channel to the user Step 5: Upon receiving the smart card from stores into smart card and does not need to remember after _nishing registration phase. Finally, smart card contains b) Login phase In this phase, when an authentic user want to login to the remote server S, he/she must perform the following steps: Step 1: inserts his/her smart card into the card reader and inputs the identity and password The smart card computes where is retrieved from its memory space. Step 2: The Step 1: reveals M 1 by using the Chinese Remainder Theorem (CRT) with p and q to obtain and . Then veri_es the revealed with the stored corresponding to ID . If _ T, S replaces with new time variable T in its database. Otherwise, rejects login request. Step 2: If Step 1 holds, S computes and checks if computed equals received . If it holds, would successfully authenticate and computes the session key shared with . Step 3: computes and send it to . Step 4: Ui computes M *=H(VIDikRx) and check if computed M * equals received . If it does not hold, i U i U i U i U i U i U i U i U 's, S S S S S S S S S i U i U i U ID i PW i H(IDi PW i R where x Rx number generated by random PW i R x )] to S. i ID H(ID [ PW i R x i ID H(ID [ ] VID i =H(K?ID i ) i =VID i ?H(ID i PW i R x N T , ] R x [H(.),N i T] S , i U [H(.),N i T ] R x , i ID i ID PW i VID i VID i *=N i ?H(ID i PW i R x ), Rx T=T+1 and M 1 =(ID i VID i * R x T) 2 Rx T i Ti Ti T T VID i i U 's, VID i * =H(K?ID i VID i ), k =H(VID i R x S T) . i U 2 =H(VID R x M 1 M2 2 2 M Cryptanalysis andID PW i PW i * k =H(VID i R x T) S S . i U R x * R x # Global Journal of Computer Science and Technology Volume XVI Issue IV Version I ( ) number generated by Then, the smart card V. # Security Analysis In this section, we analyzed the security of the proposed scheme and shown that our scheme is secure against the following well-known attacks. The security of our proposed authentication scheme is based on the secure hash function and the In the following steps, we analyzed the security of the proposed scheme to verify that the specified security requirements [3] are fulfilled. a) Resistance to user anonymity attack Suppose that the attacker intercepted authentication messages. Then, the adversary cannot retrieve any static parameter from these messages, due to the . Hence, the proposed scheme can preserve user anonymity. # b) Resistance to offine password guessing attack Suppose that a malicious legitimate attacker user has got smart card, and the secret information and can also be revealed under our assumption of the non-tamper resistant smart card. Even after gathering this information, the attacker has to at least guess both and correctly at the same time, because it has been demonstrated that our scheme can provide identity protection. It is impossible to guess these two parameters correctly at the same time, and thus the proposed scheme can resist offine password guessing attack with smart card security breach. # c) Resistance to stolen verifier attack In the proposed scheme no sensitive verifiers corresponding to the users are maintained by . Therefore, the proposed scheme is free from the stolen verifier attack. Based on the dificulty of the one-way hash algorithm, any previously generated session keys cannot be revealed without knowledge of the and . As a result our scheme provides the property of forward secrecy. # VI. # Computational Cost Analysis In this scheme we have taken 1.0 unit average run time for a single one-way secure hash function operation. The proposed scheme requires lower computation overhead with comparison to other schemes, which is shown in the Table 6 and the Figure 1. Wang et al.s scheme was proposed for resolving security issues presented in pre-vious work of [8]. However, we have discovered some security aws in their scheme making it vulnerable to various attacks such as impersonation, server spoofing and denial of service attack. Moreover, the scheme cannot withstand password change aws. As a remedy to the aforementioned weaknesses, we have presented an enhanced scheme, which overcome the vulnerabilities of [15] i ID i ID VID i VID i i U 's, i U 's, i U 's, . i U . i U M 1 . i U CRT. CRT. R x R x R x PW i . i U , PW i N i N i [H(.),N i T Ua S T . i U H(ID i PW i R x ). 1 =(ID i VID i R x T) 2 M 2 *=H(VID i R x M 2 M . i U S k =H(VID i R x T © 2016 # B*=H(ID i PW i * R x B=H(ID i PW i R x ), *) A i =A i ?B?B*. i A R x i U 's, x * PW i * PW i . i U PW i![B=H(H(PWi )*?y?T**) Sends [B,T**] to U a Legitimate User (Attacker) U a Server S Server Verification Verify T**-T*? ?T, now time interval is correct and U a perform: B*=H(H(PW i )?y?T**) Now session will successfully start between the legitimate attacker U a and server S.](image-2.png "") 5![Computes B=H(H(PWi )?y?T**) Sends [B,T**] to U i Server Verification Verify T**-T*? ?T, if time interval is correct then U i perform: B*= H(H(PW i )?y?T**) Now the session will successfully start between legitimate user U i and attacker user U a . d) Password Change Phase Flaws In the password change phase of Wang et al. scheme, we observe that an attacker user can change password of any other legitimate user which is shown in Table 5. Password change flaws of Wang et al scheme IV.](image-3.png "Table 5 :") 1NotationII 2Cryptanalysis and Further Improvement of a Dynamic ID and Smart Card based Remote userAuthentication SchemeSymbol DescriptionU iThe UserSThe Remote ServerID iUnique identity of U iPW iUnique password of U iYear 2016S kThe common session key The bitwise XOR operation26H(.)A collision free one-way hash function such as SHA-256x,ySecret Keys of SUser U iServer SRegistration PhaseSelect ID i Send ID i to Server SChoose PW Sends PW i and Smart Card to U ithrough secure channeli Compute A i =H(PW i )?H(x)?ID i Store [A i ,y,H(.)] into Smart Card 2 2User U iServer SLogin PhaseU i keys in his/her ID i and PW i intoVerification Phasesmart card terminal and perform:Verify T*-T ? ? T, if time intervalCID i =H(PW i )?H(A i ?y?T)?ID iis incorrect then reject login requestSend M i =[ ID i , CID i , A i ,T ] to S.otherwise accept M i and perform:H(PW i )*=CID i ?H(A i ?y?T)?ID iCompute ID i *=H(PW i )*?H(x)?A iIf ID i *and ID i are not equals,then reject login request otherwiseS performs:Computes B= H(H(PW i )*?y?T 2 )Sends [B, T 2 ] to U iServer Verification PhaseVerify T 2 -T? ?T, if the time intervalis incorrect then U i terminate phase,otherwise perform:Computes B*=H(H(PW i ) y T 2 )If B*=B holds U i confirmsthe identity of S.User U iServer SPassword Change PhaseU i insert smart card intocard reader and keys in his/her PW i ,new password NPW i and performs:A i *=A i ?H(PW i )?H(NPW i )Store A i * into smart cardwith replacing A i . 3Legitimate User (Attacker) U aServer SUsing smart cardCompute H(x)=H(PW a )?A a ?ID a Intercept previous message 3i ID * *ID * iUii * A H(x)yH(x)© 2016 Global Journals Inc. (US) 1 4Legitimate User U iLegitimate User (Attacker) U a as SLogin PhaseU i keys in his/her ID i and PW iinto smart card terminal and per-form: Legitimate User U lAttacker User U aLogin PhaseU l keys his/her ID l and PW l intosmart card terminal and perform:ComputesCID l =H(PW l )?H(A l ?y?T)?ID lIntercept message M 1 of User U lM1=[ID l ,CID l ,A l ,T]Compute H(x)=H(PW a )?A a ?ID aChange passwordCompute H(PW l )=A l ?H(x)?IDsmart card computesmod nand sends a login requesttoc) Authentication phaseUpon receiving the login request M1 from ,performs the following steps:lAttacker user U a computes:A a *=A l ?H(PW l )?H(NPW l )Store A l * into smart card replacing with A l . Year 201630Ui stops the session. Otherwise, Ui now successfullyauthenticate S and usesharedsession key with for securing future communications.d) Password change phaseIn this phase, the userinserts the smart cardinto device and inputs, original password i, newpasswordand*, whereis a new random© 2016 Global Journals Inc. (US) 1 © 2016 Global Journals Inc. (US) 1 * A more eficient and secure dynamic ID-based remote user authentication scheme JD Y YWang JYLiu FXXiao Computer Communications 32 2009 * Password authentication schemes: Current status and key issues CSTsai CCLee MSHwang doi:10.1109/ ICM2CS. 2009.5397977 International Journal of Network Security 3 2006 IEEE * Password authentication with insecure communication LLamport 10.1145/358790.358797 Communications of the ACM 24 11 1981 * Authentication : A Concise Survey PG M J JVan Leeuwen Computers & Security 5 1986 * An eficient remote use authentication scheme using smart cards H.-MSun 10.1109/30.920446 2000 * New remote user authentication scheme using smart cards MKumar 10.1109/TCE.2004.1309433 IEEE Transactions on Consumer Electronics 50 2004 * A dynamic id-based remote user authentication scheme MDas VGulati ASaxena 10.1109/TCE.2004.1309441 IEEE Transactions on Consumer Electronics 50 2 2004 * Improvement of Chien et al.'s remote user authentication scheme using smart cards S.-WLee H.-SKim K.-YYoo 10.1016/j.csi.2004.02.002.URL Computer Standards & 27 2 2005 * A Password-Based User Authentication Scheme for the Integrated EPR Information System Z.-YWu YChung FLai T.-SChen 10.1007/s10916-010-9527-7 Journal of Medical Systems 36 2 2012 * Cryptographic authentication of passwords, in: Security Technology CCChang SJHwang 10.1109/CCST.1991.202203 Proceedings. 25th Annual 1991 IEEE International Carnahan Conference on 25th Annual 1991 IEEE International Carnahan Conference on 1991. 1991 * Security of a one-time signature S.-MYen 10.1049/el:19970460 Electronics Letters 33 8 1997 * Attacking and Improving on Lee and Chiu ' s Authentication Scheme Using Smart Cards YLee HYang DWon 2010 Springer Berlin Heidelberg; Berlin, Heidelberg * Y.-CLee Narn-Yih * Improved remote authentication scheme with smart card Chiu Computer Standards and Interfaces 27 2 2005 * A secure dynamic ID based remote user authentication scheme for multi-server environment Y.-PLiao S.-SWang 10.1016/j.csi.2007.10.007 Computer Standards & Interfaces 31 1 2009