Attacks and improvement of “security enhancement for a dynamic id-based remote user authentication scheme”

In 2004, Das et al. proposed a ldquoDynamic ID-based Remote User Authentication Scheme using Smart Cardsrdquo. This scheme have the advantage that users can choose and change their password freely and the server does not maintain any verifier table, which avoid the risk of stolen/modifying this table. However, in 2005, Liao et al. demonstrated that Das et al.´s scheme suffers from guessing attacks, unilateral authentication and revealing of user password and propose improvements to prevent these shortcomings. However, in this paper, we demonstrate that Liao et al.´s scheme is not secure and it is vulnerable to stolen/lost smart card attack, impersonation (forgery) attack and password revealing attack. In fact, we prove that the scheme is equivalent to no password scheme. Then, we propose possible improvements to Liao et al.´s scheme. We demonstrate through comparison between the three schemes that the proposed one is more secure while maintaining the same computational overhead as Das et al.´s scheme.