
User privacy and robust system security have become essential requirements for a secure authentication scheme on mobile commerce applications. In order to reduce data transmission delay and achieve computation efficiency in data encryption for the communicating parties during mobile commerce transactions, lightweight cryptosystem technology must be adopted in the design of next-generation authentication protocols. In 2008, Lee et al. [9] developed two human-memorable password-based authentication protocols to secure online transactions in mobile commerce systems. One of the proposed protocols replaces the time-consuming public key cryptosystem with a symmetric key cryptosystem and simple hash functions to achieve better performance in encryption computation. The authors claimed that their schemes can defend against replay attacks, denial-of-service attacks and password guessing attacks. In this study, we first show that Lee et al.'s protocols are insecure against offline password guessing attacks and undetectable online password guessing attacks. A novel authentication scheme is then introduced to eliminate the identified security weaknesses in their protocols. Based on our performance analysis, our proposed protocol requires fewer transmission rounds and less computation cost than previously proposed schemes [8,9] while achieving stronger security properties at the same time.

  • Publication date: 2010-7