A New Dynamic ID-based User Authentication Scheme to Resist Smart-Card-Theft Attack

Password-based remote authentication schemes provide users with convenient and secure mechanisms to access resources through networks. Such schemes can be further divided into static ID and dynamic ID schemes. The main drawback of the static ID scheme is that an adversary can intercept the fixed login ID and masquerade as a legal user to log into the system. On the other hand, dynamic ID schemes can eliminate the risk of ID-theft and protect user’s privacy. In 2004, Das et al. proposed a dynamic ID-based remote user authentication scheme. Their scheme allows users to select and update their passwords freely, and the server does not need to maintain a verifier table. In this paper, we first demonstrate that their scheme is not secure. We then propose an improved scheme for security enhancement. This improved scheme has a dynamic advantage such that an adversary cannot trace the users. Because the smart card generates a different random number for each authentication session, the forward messages are always different for each login. This causes the guessing attacks to fail, because the adversary has not enough information to verify his/her guess. Further, the adversary cannot successfully guess the correct password even if he/she obtains the smart card. Therefore, the proposed scheme can withstand smart-card-theft attack.