A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

There are many remote user authentication schemes proposed in literature for preventing unauthorized parties from accessing resources in an insecure environment. Due to inherent tamper-resistance, most of them are based on smart card authentication schemes. Unfortunately, the cost of cards and readers makes these schemes costly. In the real world, common storage devices, such as universal serial bus (USB) thumb drives, portable HDDs, mobile phones, Laptop or Desktop PCs, are widely used, and they are much cheaper or more convenient for storing user authentication information. However, since these devices do not provide tamper-resistance, it is a challenge to design a secure authentication scheme using these kinds of memory devices. In this paper, we will propose a secure password-based remote user authentication and key agreement scheme without using smart cards. According to our analysis, the proposed scheme guarantees mutual authentication and also resists off-line dictionary, replay, forgery, and impersonation attacks. Compared to related scheme, the proposed scheme's computation cost is lower and the total message length is shorter. Therefore, our scheme is suitable even for applications in limited power computing environments.