Comments on A Remote User Authentication Scheme Using Smart Cards with Forward Secrecy

Abstract

Hwang and Li proposed a new remote user authentication scheme, based on ElGamal‘s cryptosystem, using smart card in 2000. However, Chan and Chang and Shen, Lin and Hwang first and last pointed out different type of masquerade attacks on this scheme. In 2003, Awasthi and Lal (Shortly, A-L) presented a new scheme to overcome these attacks. In addition, they claimed that the scheme with the property of forward secrecy. Lee et al. showed that the A-L scheme is incorrect. However, their analysis was not complete. Kumar proposed an attack to A-L scheme via the previously registered ID or by creating a new ID. Unfortunately, his attack is meaningless since the A-L scheme cannot work. In this paper, we will discuss the later both. In addition, we will show that the A-L scheme is vulnerable to the online password guessing attack even if it can work. By increasing a verification mechanism to the login phase, a cardholder needn’t worry about the problem of masquerading usage by this attack if he loses his smart card by accident.