Abstract:

We find some security flaws in Sonwanshi’s remote user authentication scheme, such as poor session key security and incapability to resist impersonation attacks and offline password guessing attacks. We propose an improvement scheme, which mainly enhances the security of Sonwanshi’s scheme in the registration and login phase. In the registration phase, users’ passwords are directly stored in the local smart cards rather than be submitted to the server, which not only reduces the costs of servers for password storage and maintenance, but also improves the security performance. In the login phase, the original time stamp mode is replaced by a random number challenge response mode to avoid authentication failure caused by clock asynchronization. The analysis on security performance and efficiency shows that the proposed scheme not only eliminates the defects of Sonwanshi’s scheme, but also reduces the time complexity in comparison with similar schemes. It, therefore, is suitable for those devices with low processing power and high security requirements.

Key words: smart card;identity authentication;anonymous;impersonation attack;session key