International Association for Cryptologic Research (IACR)
Abstract
Authentication plays an important role in an open network environment in order to authenticate two communication parties among each other. Authentication protocols should protect the sensitive information against a malicious adversary by providing a variety of services, such as authentication, user credentials\u27 privacy, user revocation and re-registration, when the smart card is lost/stolen or the private key of a user or a server is revealed. Unfortunately, most of the existing multi-server authentication schemes proposed in the literature do not support the fundamental security property such as the revocation and re-registration with same identity. Recently, in 2014, He and Wang proposed a robust and efficient multi-server authentication scheme using biometrics-based smart card and elliptic curve cryptography (ECC). In this paper, we analyze the He-Wang\u27s scheme and show that He-Wang\u27s scheme is vulnerable to a known session-specific temporary information attack and impersonation attack. In addition, we show that their scheme does not provide strong user\u27s anonymity. Furthermore, He-Wang\u27s scheme cannot support the revocation and re-registration property. Apart from these, He-Wang\u27s scheme has some design flaws, such as wrong password login and its consequences, and wrong password update during password change phase
