Abstract

Recently, Hsiang et al. proposed a remote user authentication scheme suited for multi-server environments, in which users can be authenticated anonymously using a smart card. This work reviews Hsiang et al.'s scheme and provides a security analysis of it. Our analysis shows that Hsiang et al.'s scheme fails to achieve its fundamental goals: it provides neither kind of authentication, server-to-user or user-to-server, nor password security. The contribution of the current work is to demonstrate these failures by mounting two attacks, a server impersonation attack and a user impersonation attack, on Hsiang et al.'s scheme. In addition, we demonstrate that their scheme does not provide two-factor security, which guarantees the security of the scheme when either the user's smart card or the password is stolen, but not both; we show this by mounting an off-line dictionary attack.
