A lightweight password-based authentication protocol using smart card

With its simplicity and feasibility, password-based remote user authentication becomes a popular way to control remote access to network. These years, numerous password-based authentication schemes have been proposed. Recently, Maitra et al proposed a smart card-based scheme which claims to be resistant to various attacks. Unfortunately, we found some important flaws in this scheme. Therefore, in this paper, we will demonstrate that the scheme of Maitra et al is not secure enough as claimed: neither resisting against off-line password guessing attack and insider attack nor preserve forward secrecy. To overcome those flaws, we put forward an improved new scheme which not only is resistant to all known attacks but also provides many attractive attributes, such as user revocation and re-register. Also, we compared the scheme with other related schemes, the result proved the superiority of our scheme. Particularly, we show a new way (beyond the conventional Deffie-Hellman approach) to achieve forward secrecy. Furthermore, we put some efforts into exploring the design principle of authentication schemes.