Improvement of the Peyravian–Jeffries’s user authentication protocol and password change protocol

Abstract

Remote authentication of users supported by passwords is a broadly adopted method of authentication within insecure network environments. Such protocols typically rely on pre-established secure cryptographic keys or public key infrastructure. Recently, Peyravian and Jeffries [M. Peyravian, C. Jeffries, Secure remote user access over insecure networks, Computer Communications 29 (5–6) (2006) 660–667] proposed a protocol for secure remote user access over insecure networks. Shortly after the protocol was published Shim [K.A. Shim, Security flaws of remote user access over insecure networks, Computer Communications 30 (1) (2006) 117–121] and Munilla et al. [J. Munilla, A. Peinado, Off-line password-guessing attack to Peyravian–Jeffries’s remote user authentication protocol, Computer Communications 30 (1) (2006) 52–54] independently presented an off-line guessing attack on the protocol. Based on their findings we present an improved secure password-based protocol for remote user authentication, password change, and session key establishment over insecure networks, which is immune against the attack.