An Improved Dynamic ID-Based Remote User Authentication with Key Agreement Scheme

DOI: 10.1155/2013/786587

Abstract: In recent years, several dynamic ID-based remote user authentication schemes have been proposed. In 2012, Wen and Li proposed a dynamic ID-based remote user authentication with key agreement scheme. They claimed that their scheme can resist impersonation attack and insider attack and provide anonymity for the users. However, we will show that Wen and Li's scheme cannot withstand insider attack, does not provide forward secrecy or anonymity for the users, and is inefficient for login with an erroneous password. In this paper, we propose a novel ECC-based remote user authentication scheme which is immune to various known types of attack and is more secure and practical for mobile clients.

1. Introduction

Smart card authentication is the most commonly used authentication method by which legal users can access the resources provided by remote servers. Due to its simplicity and convenience, it is used in many areas such as E-banks or remote host login. Over the past few years, a considerable number of authentication protocols [1–7] have been proposed. However, most of these schemes are based on static ID and suffer from flaws such as vulnerability to server spoofing, insider, and impersonation attacks. Based on previous research, an ideal password authentication scheme should achieve the following goals. First, the server should not maintain any verifier table and the user can choose and change his/her password freely. Second, the remote user authentication scheme should meet all the security requirements and achieve all the goals. Third, the remote user authentication scheme should have low communication and computation cost.

In 2004, Das et al. [8] presented a dynamic ID-based remote user authentication scheme using smart cards. They pointed out that their scheme does not maintain any verifier table and can resist the replay attack, forgery attacks, guessing attacks, and insider attacks.
However, in 2009, Wang et al. [9] pointed out that Das et al.’s scheme does not achieve mutual authentication and could not resist impersonation attack. Then, Wang et al. proposed an enhanced password authentication scheme which keeps the merits of Das et al.’s scheme. After that, Tsai et al. [10] showed that Wang et al.’s scheme cannot achieve user anonymity since both and its dynamic are presented in the login message. Tsai et al. further demonstrated that Wang et al.’s scheme is also vulnerable to the impersonation attack. In the same year, Yeh et al. [11] showed that Wang et al.’s scheme is insecure against replay attack, user impersonation attack, server counterfeit attack, man-in-the-middle