Abstract

In 2003, Shen, Lin and Hwang proposed a timestamp-based password authentication scheme using smart cards. In this scheme, the remote server does not need to store passwords or verification tables for user authentication, and the scheme also provides a timestamp-based mutual authentication method to prevent the forged login attack and the forged server attack. However, this authentication scheme has been found to be vulnerable to the forged login attack: an attacker could impersonate legitimate users to log in and access the remote server. To solve this problem, this paper proposes an improved scheme, which is based on a nonce instead of a timestamp and can withstand the existing forged attacks. The security analysis shows that the improved scheme still keeps the features of the non-storage data model authentication scheme, does not add additional computation cost to the smart card, and is more secure and more applicable than Shen's scheme.