Cryptanalysis of "A Robust Smart-Card-Based Remote User Password Authentication Scheme"

Smart card is a widely accepted user authentication tool to ensure only authorized access to resources available via open networks. In 2010, Sood et al. and Song independently examined a smart card based authentication scheme proposed by Xu et al. They showed that in Xu et al.´s scheme an internal user of the system could turn hostile to impersonate other users of the system. Sood et al. and Song also proposed schemes in order to improve scheme proposed by Xu et al.´s. Recently, Chen et al. identified some security problems in the improvements proposed by Sood et al. and Song. To fix these problems Chen et al. presented another scheme, which they claimed to provide mutual authentication and withstand, lost smart card attack. Undoubtedly, in their scheme user can also verify the legitimacy of server but we find that the scheme fails to resist impersonation attacks and privileged insider attack. We also show that the scheme does not provide user anonymity and confidentiality to air messages. In addition, an attacker can guess a user´s password from his lost/stolen smart card.