A Noble Remote User Authentication Protocol Based on Smart Card Using Hash Function

Transcription

1 A Noble Remote User Authentication Protocol Based on Smart Card Using Hash Function Deepchand Ahirwal 1, Prof. Sandeep Raghuwanshi 2 1 Scholar M.Tech, Information Technology, Samrat Ashok Technological Institute, Vidisha (M. P.), India 2 Assistant Professor, Information Technology, Samrat Ashok Technological Institute, Vidisha (M. P.), India Abstract- The security issues are always raised for remote authentication service. Smart card based authentication protocol is best suited for authenticate legitimate user. Developing secure authentication protocol is a strong challenge. There are many potential attacks that are targeted at authentication such as insider attack, offline password guessing attack, masquerade attack, server spoofing attack, and parallel session attack. Recently many previous proposed schemes are fail to resist these attacks. In this paper we introduce a remote authentication protocol that provides secure mutual authentication process and session key agreement. Our proposed protocol is providing better security to resist all possible attacks. In this protocol, we use low computing cost hash function and random nonce. We use random nonce to avoid complexity of time synchronization. The proposed protocol is efficient and practical. It is easy to adapt in low-weight devices like the subscriber identity module. Keywords: - Authentication, Network security, cryptanalysis, smart card, hash function. 1. INTRODUCTION Smart card based remote user authentication is a mechanism to authenticate the legitimate user. Smart card based remote user authentication is mechanism to authenticate the legitimate user by using of smart. In Smart card s memory, some secret information has stored such as identification or password related information of user. In 1986, Lamport [12] introduced first remote user authentication with using of password verification table. In Lamport scheme s [12] user has unique identification and password for verifying as legitimate user. This password table takes lot of maintenance cost and unsecure to insider attack. And verification table has risks of being modified by the adversary and the size of the password verification table is directly proportional to the number of user and management of huge table increase load in the server. To avoid storing the password in the server verification table and sends in the plain text form in the insecure network system. In 2000, Hwang and Li [14] proposed a remote user authentication using smart card is based on ElGamal s public key scheme. This proposed protocol withstands replay attack by using time stamp T in login massage. In 2000, Chi and Cheng [2] cryptanalysis Hwang and Li [14] scheme, and found this scheme does not to resist impersonate attack. A legitimate user can impersonate other valid user to use his ID and PW without knowing the secret key. So this scheme was not suitable for secure remote authentication. In 2004, M.L.Das [15] proposed a dynamic ID-based remote user authentication protocol. This protocol use one-way hash function to protect the secret information and symmetric encryption function to encrypt the messages. But D. Giri [4] has analyzed that Das s [15] protocol is vulnerable the offline/ online password guessing attack and weak password change phase. Later, Rafael M. [17] point out the Das s protocol is not secure against insider attack, masquerade attack, server spoofing attack. In Das s [15] protocol, if the attack is legal user. He can extract h (x) secret key from Ai in smart card. Once he obtains secret key h (x), he tries to get other legitimate user s PW and also act as masquerade as legal user. While in 2005 H.Y. Chien and Chen et al. [9] point out that in das et al. s protocol user Ui sends the data (Cid, Ni, Ci, T) to the remote server. In each login request, although the Cid dynamically changes every time, the value Ni is same and unique to each user. So that das et al protocol failed to protect the user antonymic. H. Y. Chien and Chen et al. [9] Also proposed a mutual authentication protocol to preserve user anonymity based on modular exponentiation. This efficient is low. In 2007 L. I. Hu [11] found the Chien and Chen s [9] protocol is vulnerable to strong masquerade user or server attack, insider attack, replay attack and denial of service attacks and improved it to avoid these weakness. In 2009, J. Xu et al. [10] presented an authentication protocol using such non-tamper resistant smart card based on costly modular exponentiation. However R. Song [18] point out J. Xu et al. [10] s protocol is vulnerable to the user impersonation attack. In 2010, he introduced a new and more secure authentication protocol based on symmetric key cryptosystem and modular exponentiation. However W. B. Horng -Cheng [21] demonstrates that R. Song et al. Volume 1, Issue 4 November - December 2012 Page 62

2 [18] protocol is vulnerable to the offline password guessing, insider attack, denial-of service and proposed protocol does not provide perfect forward secrecy for session keys. In 2011, E.J Yoon and K.Y Yoo [5] demonstrated that Z. Jia s [25] remote authentication protocol is vulnerable to insider attack, forgery attack and server spoofing attack. They point out Jia s protocol does not provide mutual authentication between user and server. Moreover In 2011, Li and Cheng Lee [3] present a robust remote user authentication protocol using smart card. They claim that their proposed protocol is providing better authentication process and resistance to all possible attacks. But in this protocol is not provide security to the denial-of-service attack. In this article, we shall present a secure ID-based remote authentication protocol with mutual authentication and session key agreement. Moreover our protocol provides the user to choose and change their password by their own choice. In contrast, the propose protocol can resist parallel session attack, server spoofing attack, masquerade attack, insider attack, Further provides security analysis to compare with other published protocol. By performance analysis, the propose protocol is shown to be very efficient both in the storage and computation cost. The reminder of the article is organized as fallows. In section 2, we briefly discuss the Wang, Liu and Xiao s [20] protocol and its drawback. In Section 3 we Introduce our secure ID-based user authentication protocol, and we discuss the security analysis in session 4, compare the performance and efficiency of the propose protocol with other related protocol in session 5.and finally concludes the paper in Section REVIEW OF Y. WANG LIU AND XIAO S PROTOCOL Y. Wang, J. Liu and F. Xiao proposed a dynamic IDbased remote user authentication protocol in 2009 [20]. Wang et al. s authentication protocol is based on the security analysis of M. Das protocol. They point out that the authentication protocol proposed in M. Das s protocol [15] is vulnerable to masquerade attacks and lacks mutual authentication. Wang et al. s protocol can prevent these two vulnerabilities and is also very efficient [20]. Common notations Y.Wang, J. Liu, and F. Xiao denoted the user by U, the user s identity by ID, the user s password by PW, and server by S. Let h ( ) be a cryptographic one way hash function. Exclusive-or (XOR) operation on two binary strings is denoted by and the operation of binary string concatenation is denoted by. Finally, two types of channels are used. One of them is a common channel and other one is a secure channel. Wang s has used four phases in his protocol: registration phase, login Phase, verification phase and password change phase. The four phases of Wang et al. s protocol are described below. 1. Registration Phase In the registration phase, the user Ui chooses her own IDi and sends it to the remote server S. After S receives Ui s message, S performs the following Steps: Step1. S chooses a password PWi for Ui and computes Ni = h (PWi) h(x) IDi, in which x is the server s long term secret. Step2. S prepares a smart card for Ui by storing [h ( ), Ni, y] in it. y is the server s secret number which is stored in every user s smart card. Step3. S sends PWi and the smart card to Ui using the secure channel. S Ui: PWi and the smart card. 2. Login Phase: When Ui needs to access her data stored at the server, she invokes the login phase. Ui inserts her smart card into a card reader and enters her password PWi, and then the smart card performs the following steps: Step1. The smart card computes a dynamic IDi: CIDi = h (PWi) h (Ni y T) IDi, In which T is the current date and time. Step2. The smart card sends IDi, CIDi, Ni and T to the server. SCi S: IDi, CIDi, Ni, T. 3. Verification Phase When S receives the login message from Ui at time T, she parses it into the form {IDi, CIDi, Ni, T} and then performs the following steps: Step1. S checks whether T T ΔT. If it doesn t hold, then S directly rejects the user s login request. Step2. S computes h (PWi) = CIDi h (Ni y T) IDi. Step3. S computes IDi = Ni h(x) h (PWi) and checks whether IDi is equal to IDi. If IDi is not equal to IDi, then S rejects the user s login request; otherwise, S accepts the user s login request. Step4. S computes a = h (h (PWi) y T ) and sends (a, T ) to Ui. When Ui receives the message (a, T ) from S at time T, Ui verifies the identity of S, which contains the following step: 1. Ui checks whether T T ΔT. If it doesn t hold, then Ui recognizes the reply as invalid. Otherwise Ui, Volume 1, Issue 4 November - December 2012 Page 63

3 computes a = h (h (PWi) y T ) and compares it with a'. If a = a, Ui confirms that S is valid. 4. Password Change Phase: In Wang et al. s protocol, the user doesn t need to send her new password to the remote server during the password change phase. When the user wants to change his/her password from PWi to PWnew, he/she inserts the smart card into the card reader and enters both PWi and PWnew. Then the smart card computes Ni*= Ni h (PWi) h (PWnew) and replaces Ni with Ni*. 3. SECURITY ANALYSIS OF WANG ET AL. S PROTOCOL In this section we point out that Wang et al. s [20] protocol is vulnerable to password guessing attack and server masquerade attack. In addition, the password change phase in Wang et al. s protocol is not securing either [10]. 1. Password Guessing Attack The login phase and verification phase of Wang et al. s protocol use a common channel. So the adversary can eaves-drop the common channel and obtain messages from it. Once the adversary gets a lost smart card, he can obtain y from it. y is the server s secret which is stored in every user s smart card. Now the adversary tries to eavesdrop the common channel between Ui and S. By eavesdropping, the adversary can get the login message from Ui to S, which contains IDi, CIDi, Ni and T, in which CIDi = h (PWi) h (Ni y T) IDi. Then the password guessing attack is carried out with the following steps: (1) The adversary computes Xi = h (Ni y T) from Ni, y and T. (2) The adversary computes Yi = CIDi Xi IDi = h (PWi). (3) The adversary picks a random PW*, computes h (PW*) and compares h (PW*) with h (PWi). If they are equal, then due to the collision resistance of one way hash function, the adversary concludes that PW* is Ui s password. If they are not equal, then the adversary picks another password candidate and performs the same operations, until he finds the correct password. Because most passwords are chosen to be easy to remember, these have low entropy. This attack can be played efficiently. 2. Server Masquerade Attack In the attack described below, the adversary is just a normal user who is very curious of the server s secret h(x). This attack can be carried out by any single user without interactions with the server. As we cannot ensure all the users are honest, this type of attack must be prevented. The user carries out the attack by the following steps: (1) The user Ui gets the contents from the smart card by power analysis. So Ui gets y and Ni = h (PWi) h(x) IDi. (2) Since Ui already knows his own IDi and PWi, he computes Z = Ni h (PWi) IDi = h(x). Once Ui gets y and h(x), he gets the ability to perform the verification phase with other users by masquerading as the server, because the verification phase performs secret operations using only h(x) and y. Ui can even pretend to be the server during the registration phase, because he knows the value of h(x) and y. So we can see the server masquerade attack is easy to carry out. 3. The password change phase of Wang et al. s protocol is not secure. It allows an adversary who gets a lost smart card to change the value of Ni to another one, which causes denial of service to the legal user. This is also a security hole of Wang et al. s protocol. From the above analysis, we know that Wang et al. s protocol is vulnerable to these attacks. In the following section, we propose a security enhanced protocol, which does not suffer these attacks. 4. PROPOSED PROTOCOL In this section, we present a smart card based secure remote user authentication protocol. In proposed protocol we use one-way hash function, bitwise exclusive OR operation and random generate nonce. This protocol has four phases: 1- Registration phase, 2-Login phase, 3- authentication phase and 4- password change phase. The notations use in proposed protocol and phases are described below. The notations used throughout this article are summarized as follows: Volume 1, Issue 4 November - December 2012 Page 64 U i ID i PW i S X s h ( ) N i, N j Registration phase A remote user Identity of U i Password chosen by U i Authentication server Permanent secret key of S One way hash function Bitwise XOR operation Concatenation Random nonce generated by U i and S respectively In this phase User Ui wants to submit his/her identity IDi and password PWi to server Si via a secure channel to register himself/herself. Before send these information registration authority computes PWi to h (PWi) and send IDi and h (PWi) as a registration request to the server Si. Upon receiving the registration request from user Ui, the server Si computes two parameters Ai, Bi related to his request. Step1-Server computes Ai = h (X) Bi = Ai h (IDi h (PWi))

4 Login phase The server S issues a smart card to user U i by storing {A i, B i, h ( )} into smart card memory. The smart card is delivered to user U i through a secure channel. The user Ui wants access some service on remote server Si. This phase provides the facility of a secure login request to server Si. User Ui inserts smart card into a card reader and submits in IDi* and PWi*. Step 2- Firstly, the card reader computes Bi* = Ai h (IDi* h (PWi*)) And checks whether B i (stored in the smart card memory) and B i ' are equal or not. If yes, user U i is a legitimate bearer of the smart card. Step3- Then the card reader generates a nonce N i and computes. Z i = Ni Ai, C i = h (PW i *) h (A i N i ), D i = h (PW i *) A i, E i = h (D i N i B i ) And send the login request message {ID i, C i, E i, Z i } to the server S. Authentication phase Upon receiving the login request message {ID i, C i, E i, Z i }; server S first checks the validity of ID i to accept/reject the login request. If it is true, Step 1- Then the server S computes A i = h (X s ), N i = Z i A i, h (PW i ') = C i h (A i N i ), D i ' = h (PW i ') A i, B i ' = A i h (ID i ' h (PW i ')), E i ' = h (D i ' N i B i ') And checks whether E i and E i ' are equal or not. If they are not equal then rejects the login request. If true, Step 2- Then the server S generates a nonce N j and computes Z j = N j A i, F i = h (A i B i ' N i N j ) And send the message {F i, Z j } to the user U i. After receiving the message {F i, Z j } from server S, the card reader performs following computations. Step 3- The card reader computes N j = Z j A i, F i ' = h (A i B i ' N i N j ) And checks whether F i and F i ' are equal or not. If yes, server S is authentic otherwise terminate the session. Step 4- Then the user U i computes G i = h (A i N j B i ') And send the message {G i } to the server S. After receiving the message {G i } from user U i, server S computes G i ' = h (A i N j B i ') and checks whether G i and G i ' are equal or not. If yes, Step 5- The user U i is authentic and mutual authentication is achieved otherwise terminate the session. After mutual authentication, both the parties compute the session key SK = h (D i N i N j B i '). Figure 1 Data Flow Diagram for proposed protocol Password change phase This phase is invoked whenever user U i wants to change the password PW i with a new password PW inew. User U i inserts the smart card to the card reader and keys in ID i ' and PW i ' and requests to change password. Volume 1, Issue 4 November - December 2012 Page 65

5 Step 1- The card reader computes B i ' = A i h (ID i ' h (PW i ')) and checks whether B i and B i ' are equal or not. If yes, user U i is a legitimate bearer of the smart card otherwise reject the request. Step 2- Then the reader asks the user U i to input new password PW inew. After entering the new password, the reader calculates B inew = A i h (ID i ' h (PW inew )) and replaces B i with B inew in the smart card memory. SECURITY ANALYSIS OF PROPOSED PROTOCOL 1. Resistance to Stolen smart card Attack- In case a legitimate user losses his/her smart card. The adversary cannot use this card without knowing the valid password, and if adversary extracts information in its memory {Ai, Bi}. He cannot retrieve ID and PW, because it is computationally infeasible to invert the one-way hash function h (.) and without knowing the Server secret key X. It is not possible to guess out two parameters (ID and PW) correctly at the same time. Therefore the proposed protocol is secure against stolen smart card attack. 2. Resistance to Denial-of- service- In the proposed protocol, an adversary can used to invalid ID and PW, and wants to send login request massage continuously to keep server busy. It leads to denial-of-service attack. But he cannot send login request massage because in login phase, smart card reader checks the verification of smart card and correct password. Bi* = Ai h (IDi* h (PWi*)) And check (Bi = Bi*) Bi stores in smart card. Therefore, it s also resistance to denial-of service. 3. Resistance to Insider Attack- If a privileged insider of the Server Si obtains the smart card s secret information {Ai, Bi} from user Ui. He cannot extract sensitive information like {ID, PW,} from Bi. Bi = Ai h (ID h (PW)), Because it is computationally infeasible to invert the oneway hash function h (.) and also he cannot extract Bi without the knowing of ID and PW. 4. Resistance to Parallel Session Attack- If the attacker can masquerade as legitimate user Ui by a replaying a login request massage { ID i, C i, E i, Z i } within the valid time frame window But attacker cannot compute the knowledge massage { F i, Z j } because knowledge massage does not contains any information to construct next process. C i = h (PW i ') h(a i N i ) (D i N i B i ') Z i = N i A i F i = h (A i B i ' N i N j ) E i = h Z j = N j A i Hence the proposed protocol is secure against parallel session attack. 5. Resistance to Replay Attack- Suppose attacker intercepts the login request massage {ID i, C i, E i, Z i } from User U, and can replay the same massage to server, it is useless because the card reader used the random nonce value Ni in each new login request, Z i = N i A i Zi makes the dynamic and different login massage for same user for different login request. Hence the proposed protocol is secure against massage replay attack 6. Resistance to Offline password guessing Attack - In the proposed protocol, if an adversary wants to guess the password. It can be prove to be impossible. The adversary can guess ID and PW correctly at the same time. It is not possible to guess out two parameters correctly at the same time. An adversary cannot guess valid ID and PW for computes Ai = h (Xs) and Bi* = Ai h (IDi h (PWi)) Because it is impossible to guess right ID and PW in same time. Server Secret Key Xs protect with one-way function h (.), which computationally infeasible to invert. If attacker know user s ID, it s cannot extract h (ID h (PW)) without knowing server secret key. 7. Leak of Server secret key - Unfortunately, if Server secret key X is prevail from Server S. The attacker cannot retrieve ID and PW from Ai = h (Xs) Bi* = Ai h (IDi h (PWi)) Because of using one-way function h ( ), Server can easily change and modify its secret key X, and restore again in smart card. 5. THE PERFORMANCE AND EFFICIENCY COMPARISON In this section, we compare performance analysis of the proposed protocol with related protocol in terms of storage capacity and computation cost. The computation costs are focus on the registration, login and Volume 1, Issue 4 November - December 2012 Page 66

6 authentication phases. In our proposed protocol, we use the lightweight hash function and exclusive OR operation. It is usually take very low computation cost. We use SHA-1 to implement our protocol. The output sizes of each hash value of secret information is 160 bits long, time stamps are 40 bits length, and identity is 32 bits length. So the user s smart card memory needs 320(2*160) bits and server require only 160 bits to store the secret key X. Table 1 shows the storage capacity of our proposed protocol with other related protocol. Storage capacity (Bits) Smart Card Table 1.Comparision of storage capacity Our protocol R.Song et al. [18] Wang et al. [20] In terms of computation cost, it is defined as the total time of various operation executed in registration, login, and authentication phases. We denote the execution time for one-way hash function HT, and exclusive OR operation require very low execution time as compare to one-way hash function. So it is does consider its computation cost. Same related protocol use the modular exponential operation denotes as MT. the time complexity associated. This takes more execution time to perform modular operations. Table 2. Comparsion of computation cost. Yoon. Yoo et al. [6] Server comparison of our proposed protocol with related protocol. Our protocol takes little more computation in authentication phase to compare to R.Song et al. [18], Wang et al. [20], and Yoon. Yoo et al [6]. Because our proposed provides more security against parallel session attack, server spoofing attack, replay attack. Moreover, the security comparison of the proposed protocol with the relevant authentication protocol is summarized in Table 3. Resistance to / Protocol Our Protoc ol R.Song et al. [18] Wang et al. [20] Yoon Yoo et. al [6] Insider attack Yes No Yes No Masquerade attack Yes Yes No No Parallel session attack Yes No Yes No Replay attack Yes No Yes Yes Offline password attack Yes No No No Secure password Yes Yes No Yes change process Denial of service Yes No No No Session key generation and Yes Yes No No agreement Mutual Authentication Yes Yes weak Yes Computatio n cost in phases Registration Login Authenticati on Mutual authenticati on Session key Our protocol R.Song et al. [18] Wang et al. [20] Yoon. Yoo et al[6] 2 HT 1HT +1MT 1 HT 2 HT 4 HT 3 HT 1 HT 2 HT 5 HT 3 HT +1MT 3 HT 3 HT 1 HT 1 HT 1 HT 1 HT 1 HT 1 HT No No The proposed protocol requires little more and same computation cost to comparison other related protocol. Because of our protocol is resistance to various attacks and same security enhancement. Most related protocols do not satisfy various requirements such as denial-of service, mutual authentication, secure session key agreement. Table 2 shows the computation cost 6. CONCLUSION This paper point out that the protocols proposed by Yoon and Yoo [6], H.T. Liaw [7], M.S. Hwang and Lee [13], M.K. Das [15], R. Song [18], Y. Wang [20], Zhuo Hao [26] are not secure enough against some weaknesses. We showed that their protocols are vulnerable to denial-of service attacks, forgery attacks, insider attacks, password guessing, parallel session attacks, server spoofing, forward Security, replay attacks, and stolen verifier attacks. All necessary requirements and withstands the various aforementioned attacks, we present our proposed smart card based secure remote authentication protocol in section 3. Our proposed protocol resists most current possible attacks that show on security analysis in section 4. In section 5, the performance analysis of our protocol is shown in terms of computation cost and storage capacity. We use one-way hash function in our research. This is most suitable to use in cryptography, because it is low cost, not reversible and two different parameters cannot have same hash value. Because it provides better authentication mechanisms. In future, we suggest more secure and efficient authentication protocol using smart Volume 1, Issue 4 November - December 2012 Page 67

7 card whose computational cost is very low and resists to all possible attacks. REFERENCES [1] B. Schneier, Applied cryptography protocols, algorithms and source code in C: second edition, John Wiley & Sons Inc, 1995 [2] Chi - Kwong and Cheng, cryptanalysis of a remote user authentication scheme using smart card, IEEE Transaction on Consumer Electronic Vol.46, No.4, 11, [3] Chun-Ta Li and Cheng-Chi Lee, 2011 a robust remote user authentication scheme using smart card, Information Technology and Control,Vol.40,No.3 [4] Debasis Giri and P.D.Srivastava, Crpytoanalysis and Improvement of a remote user authentication scheme using smart card, ISECS 2008, IEEE /08, 2008 [5] Eun-Jun Yoon, and Kee-Young Yoo, 2011, Three Attacks on Jia et al. s Remote User Authentication Scheme using Bilinear Pairings and ECC, World Academy of Science, Engineering and Technology 60 (JULY 2011). [6] E.Yoon and Yoo, More efficient and secure remote user authentication scheme using smart card, in proceeding of 11th international conference on Parallel and Distributed System,2005,pp [7] H. T. Liaw, F. Lin, and W. C. Wu, "An efficient and complete remote user authentication scheme using smart cards, Math. Computer Model, Elsevier vol. 44, no. 1-2, pp , [8] Huang Kai, Ou Qingyu, Cryptanalysis of a remote user authentication scheme IEEE /09, 2009 [9] H.Y. Chien and C.H. Chen, 2005 A remote authentication scheme preserving user anonymity, proc. advanced information networking and application, vol.2.pp , march. [10] J. Xu, W.-T. Zhu and D.G. Feng, An improved smart card based password authentication scheme with provable security, Computer Standards & Interfaces, vol. 31, no. 4, pp , [11] L. I. Hu, X.X. Niu, and Y.X. Yang, 2007 Weaknesses and improvements of a remote user authentication scheme using smart cards, The Journal of China Universities of Posts and Telecommunications, vol. 14, pp [12] L. Lamport, 1981 Password authentication with insecure communication. Communications of the ACM, vol.24, no.11,, pp [13] M. S. Hwang, C. C. Lee, and Y. L. Tang, A simple remote user Authentication scheme, Mathematical and Computer Modeling, 36, pp , [14] M. S. Hwang and L.H.Li. A new remote user authentication scheme using smart card, In IEEE Transaction on consumer Eleclronic, vol.40, no 1, 2000, pp [15] M.L. Das, A.Saxena and V.P. Gulati, A Dynamic ID-based remote user authentication scheme, IEEE Transaction on consumer Eleectronice, vol. 50,2004, pp [16] Ou Qingyu Huang Kai, Cryptanalysis and improvement of a remote user authentication scheme IEEE /09, 2009 [17] Rafael M., F. Rico-Novella, Improvement of the Dynamic ID-based Remote User authentication scheme IEEE /03, 2010 [18] R. Song. Advanced smart card based password authentication Protocoll. Computer Standards & Interfaces, Volume 32, Issue 4, June 2010, Pages [19] Sandeep K. Sood, Anil K.Sarje and Kuldip Singh, "Secure dynamic identity-based remote user authentication scheme", Distributed Computing and Internet Technology, Lecture Notes in Computer Science, vol. 5966,2010, pp [20] Y. Wang, J. Liu, F. Xiao, and J. Dan, A more efficient and secure dynamic id-based remote user authentication scheme, Comput. Commun., vol. 32, no. 4, pp , [21] W.B. Horng and Cheng p Lee, Security weaknesses of song s Advanced smart card based Password authentication Protocol. IEEE trans. Computer, vol /10, 2010 [22] William Stallings. Cryptography and Network Security, 4/E Prentice Hall. [23] X. Duan, J. Liu, and Q. Zhang, Security improvement on chien et al. s remote user authentication scheme using smart cards, in Computational Intelligence and Security, 2006 International Conference on, vol. 2, pp , Nov [24] Y. Lee, J. Nam, and D. Won, Vulnerabilities in a remote agent authentication scheme using smart cards, N. T. Nguyen et al. (eds.) KES AMSTA 2008, LNAI 4953, pp , Springer Verlag Berlin Heidelberg [25] Z. Jia, Y. Zhang, H. Shao, Y. Lin and J. Wang 2006, A remote user authentication scheme using bilinear pairings and ECC, Proceeding Of 6th International Conference on Intelligent Systems Volume 1, Issue 4 November - December 2012 Page 68

8 Design and Applications (ISDA 06), Vol.2, Oct., pp [26] Zhuo Hao, Nenghai Yu, A Security Enhanced remote user authentication scheme using smart card International Symp. On Data, privacy, and E- commerce ISDPE, IEEE /10, 2010 Volume 1, Issue 4 November - December 2012 Page 69