On the Security of "an efficient and complete remote user authentication scheme"
Recently, Liaw et al. proposed a remote user authentication scheme using smart cards. Their scheme claims a number of features, e.g. mutual authentication, no clock synchronization, no verifier table and flexible user password change. We show that Liaw et al.'s scheme is completely insecure: by intercepting a valid login message, any unregistered user or adversary can easily log in to the remote system and establish a session key.
💡 Research Summary
The paper presents a security analysis of the remote user authentication scheme proposed by Liaw, Lin and Wu in 2006, which relies on smart cards. The original protocol consists of five phases: registration, login, verification, session key establishment and password change. During registration the server computes a secret value $v_i = h(ID, x)$ from its master secret $x$ and stores $e_i = v_i \oplus PW$ on the smart card. In the login phase the card generates a random nonce $N_i$, computes $C_i = h(e_i \oplus PW, N_i)$ (which equals $h(v_i, N_i)$ when the correct password is entered) and sends $\langle ID, C_i, N_i \rangle$ to the server in the clear. The server validates $ID$, recomputes $v_i' = h(ID, x)$ and checks whether $C_i = h(v_i', N_i)$. If the check passes, the server generates its own nonce $N_s$, encrypts $(N_i, N_s)$ under $v_i'$ and returns the ciphertext; the card decrypts it, verifies the nonces, and mutual authentication is considered complete. The session key phase is a Diffie-Hellman exchange that reuses the two nonces as exponents: the server sends $S_i = \alpha^{N_s} \bmod q$, the card replies with $W_i = \alpha^{N_i} \bmod q$, and both compute $K = S_i^{N_i} = W_i^{N_s} = \alpha^{N_i N_s} \bmod q$. Finally, the password change phase simply replaces $e_i$ with $e_i \oplus PW \oplus PW_{new}$, using whatever old password is typed, without verifying it.
The authors of the critique identify three fundamental weaknesses. First, the login and verification phases have no defence against replay. The server keeps no record of previously used nonces, so an adversary who intercepts a legitimate login message $\langle ID, C_i, N_i \rangle$ can resend it later and be accepted as that user: the server's only check is that $C_i = h(v_i', N_i)$, which holds for every previously seen pair $(C_i, N_i)$ no matter how many times it is presented. Consequently the verification phase does not genuinely authenticate the user; an adversary who never registered and knows neither $PW$ nor $v_i$ passes it.
Second, the session key is not protected, and the problem is worse than the man-in-the-middle exposure of any unauthenticated Diffie-Hellman exchange. $N_i$ travels in the clear in the login message and $S_i = \alpha^{N_s} \bmod q$ travels in the clear in the session phase, so anyone who observes both messages computes $K = S_i^{N_i} \bmod q$ exactly as the card does, without knowing $N_s$, $v_i$ or the password and without solving any discrete logarithm. An adversary who replayed the login message is therefore in the same position as the legitimate card and ends up sharing $K$ with the server, and even a purely passive eavesdropper on an honest run derives the same $K$ and can decrypt all subsequent traffic, rendering the encryption ineffective. The public parameters $(\alpha, q)$ being known is not the issue; the issue is that the card's secret exponent is a value the protocol has already disclosed.
Third, the password change procedure never verifies the current password. The card computes $e_i \oplus PW_{old} \oplus PW_{new}$ with whatever value is typed, so a mistyped old password silently replaces $e_i$ with an unrelated value and every later login fails, and the card has no way to tell the user that anything went wrong. The same missing check means that whoever holds the card, including a thief, can overwrite $e_i$ at will without knowing the password, which amounts to an undetectable denial of service against the legitimate user.
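To make the three findings concrete, here is an added simulation of the scheme as summarized above; it is not the authors' code and not an implementation of the original paper. It models the registration, login, verification, session key and password change phases with a toy Diffie-Hellman group, SHA-256 standing in for $h(\cdot)$, a SHA-256 keystream standing in for the symmetric cipher $E_{v_i}(\cdot)$, and the password hashed to 32 bytes so that it can be XORed with $v_i$, all of which are assumptions made for the example. It then runs the replay, the passive recovery of $K = S_i^{N_i}$ from captured traffic, and a password change with a mistyped old password. The user name and passwords are constructed test data.

```python
import hashlib
import secrets

Q = 2**127 - 1   # toy modulus, constructed for the example; no discrete log is ever solved here
ALPHA = 3        # toy generator


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()   # the scheme's h(., .)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pw_digest(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()   # assumption: PW hashed to 32 bytes for the XOR


def toy_encrypt(key: bytes, msg: bytes) -> bytes:
    """Stand-in for E_v(.): XOR with a SHA-256-derived keystream (toy only)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(msg) // 32 + 1))
    return xor(msg, stream[:len(msg)])


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


class Server:
    def __init__(self):
        self.x = secrets.token_bytes(32)   # master secret x
        self.users = set()
        self.sessions = {}                 # ID -> N_s of the current run

    def register(self, uid: bytes, pw: str) -> bytes:
        self.users.add(uid)
        return xor(h(uid, self.x), pw_digest(pw))   # e_i = v_i XOR PW, kept on the card

    def verify_login(self, uid: bytes, c: bytes, n_i: bytes) -> bool:
        # Flaw 1: N_i is never checked for freshness, so a captured message replays.
        return uid in self.users and c == h(h(uid, self.x), n_i)

    def challenge(self, uid: bytes, n_i: bytes):
        n_s = secrets.token_bytes(16)
        self.sessions[uid] = n_s
        ct = toy_encrypt(h(uid, self.x), n_i + n_s)   # E_v(N_i, N_s)
        return ct, pow(ALPHA, to_int(n_s), Q)         # S_i = alpha^N_s mod q, in the clear

    def session_key(self, uid: bytes, w_i: int) -> int:
        return pow(w_i, to_int(self.sessions[uid]), Q)   # K = W_i^N_s


class SmartCard:
    def __init__(self, uid: bytes, e_i: bytes):
        self.uid, self.e_i = uid, e_i

    def login(self, pw: str):
        n_i = secrets.token_bytes(16)
        c = h(xor(self.e_i, pw_digest(pw)), n_i)   # C_i = h(e_i XOR PW, N_i)
        return (self.uid, c, n_i)                   # N_i travels in the clear

    def reply(self, n_i: bytes, s_i: int):
        w_i = pow(ALPHA, to_int(n_i), Q)            # W_i = alpha^N_i mod q
        return w_i, pow(s_i, to_int(n_i), Q)        # K = S_i^N_i

    def change_password(self, old_pw: str, new_pw: str) -> None:
        # Flaw 3: old_pw is never verified; a wrong value silently corrupts e_i.
        self.e_i = xor(xor(self.e_i, pw_digest(old_pw)), pw_digest(new_pw))


def eavesdropper_key(n_i: bytes, s_i: int) -> int:
    # Flaw 2: N_i and S_i are both public, so anyone computes K = S_i^N_i.
    return pow(s_i, to_int(n_i), Q)


def run_demo() -> dict:
    server = Server()
    uid = b"alice"                                  # constructed test user
    card = SmartCard(uid, server.register(uid, "correct horse"))

    # Honest run, observed by a passive adversary.
    msg = card.login("correct horse")               # <ID, C_i, N_i>
    honest_ok = server.verify_login(*msg)
    _ct, s_i = server.challenge(uid, msg[2])
    w_i, k_card = card.reply(msg[2], s_i)
    k_server = server.session_key(uid, w_i)
    k_eve = eavesdropper_key(msg[2], s_i)           # from captured N_i and S_i only

    replay_ok = server.verify_login(*msg)           # same bytes, accepted again

    card.change_password("wrong pw", "new pw")      # mistyped old password
    later_ok = server.verify_login(*card.login("new pw"))

    return {"honest_ok": honest_ok, "keys_match": k_card == k_server,
            "eavesdropper_has_key": k_eve == k_server,
            "replay_accepted": replay_ok, "login_after_bad_change": later_ok}


if __name__ == "__main__":
    print(run_demo())
```

Running the script prints one dictionary: the honest run succeeds and both sides agree on $K$, the eavesdropper's key equals the server's, the captured login message is accepted a second time unchanged, and the login after the mistyped password change fails. The toy group size plays no role in any of this, since the attacks only exponentiate public values; the same code path would succeed against a full-size group.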
Overall, the paper concludes that Liaw et al.'s scheme is insecure on multiple fronts: it permits replay of login messages, it exposes the session key to any eavesdropper, and it lacks robust password management. Any practical redesign must add a freshness check on the login message (timestamps or a table of recently used nonces), an authenticated Diffie-Hellman exchange (for example, signatures or MACs over $S_i$ and $W_i$) whose secret exponents are fresh random values that never appear on the wire, and verification of the current password before $e_i$ is updated. Without these changes the protocol cannot be considered safe for real-world remote authentication.