Cryptanalysis of a more efficient and secure dynamic id-based remote user authentication scheme
In 2004, Das, Saxena and Gulati proposed a dynamic ID-based remote user authentication scheme that has many advantages, such as requiring no verifier table and giving the user the freedom to choose and change the password. However, subsequent papers have shown that this scheme is completely insecure and vulnerable to many attacks. Since then, many schemes improving on Das et al.'s scheme have been proposed, but each has its pros and cons. Recently, Yan-yan Wang et al. proposed a scheme to overcome the security weaknesses of Das et al.'s scheme. However, this scheme too is vulnerable to various security attacks, such as password guessing, user and server masquerading, and denial of service.
💡 Research Summary
The paper conducts a thorough cryptanalysis of the dynamic ID‑based remote user authentication scheme proposed by Yan‑yan Wang et al. in 2009, which was claimed to be a more efficient and secure improvement over the earlier Das‑Saxena‑Gulati protocol. The authors first recap the evolution of dynamic ID schemes, emphasizing that while the original 2004 proposal introduced attractive features such as the elimination of a verifier table and user‑controlled password changes, it suffered from numerous attacks that were later exposed in the literature. Several subsequent proposals attempted to patch these weaknesses, and Wang’s scheme was presented as a “more efficient and secure” version.
The paper then details the four phases of Wang’s protocol: registration, login, verification, and password change. In registration, the server computes N_i = h(PW_i) ⊕ h(x) ⊕ ID_i, where x is a server‑side secret, and stores the hash function h(.), N_i, and a global secret y on the user’s smart card. During login, the smart card computes a dynamic identifier CID_i = h(PW_i) ⊕ h(N_i ⊕ y ⊕ T) ⊕ ID_i and sends (ID_i, CID_i, N_i, T) to the server. The server validates the timestamp T, reconstructs h(PW_i) from the received values, and checks that ID_i matches the recomputed ID_i′. If the check succeeds, it replies with a token a′ = h(h(PW_i) ⊕ y ⊕ T′). The user verifies this token to authenticate the server. The password‑change phase simply updates N_i to N_i* = N_i ⊕ h(PW_i) ⊕ h(PW_new) without any further verification.
The core contribution of the paper is a systematic exposition of four attack vectors that exploit structural flaws in this design, assuming that an adversary can extract the secret y stored on the smart card—a realistic assumption given the extensive literature on side‑channel and power‑analysis attacks against smart‑card hardware (e.g., Kocher 1999; Messerges et al. 2002).
- Password‑guessing attack – By intercepting a login message and using the known y, the attacker can compute h(PW_i) = CID_i ⊕ h(N_i ⊕ y ⊕ T) ⊕ ID_i. Once the hash of the password is known, an offline dictionary or brute‑force search can recover the actual password, rendering the scheme vulnerable despite the use of a one‑way hash function.
- User masquerade attack – From the registration equation, the attacker can derive the server secret h(x) = h(PW_i) ⊕ N_i ⊕ ID_i. With h(x) in hand, the adversary can fabricate a new N_i* for any chosen password PW* (N_i* = h(PW*) ⊕ h(x) ⊕ ID_i) and compute a corresponding CID* that will be accepted by the server, effectively logging in as the victim without knowing the original password.
- Server masquerade attack – Because the server’s response token a′ depends only on the shared secret y and the recovered h(PW_i), an attacker who already knows these values can generate a valid token a* = h(h(PW_i) ⊕ y ⊕ T″) and send it to the user. The user, unable to distinguish a forged token from a legitimate one, will accept the attacker as the authentic server.
- Denial‑of‑service (DoS) attack – The password‑change phase lacks any verification of the old password. An adversary who obtains the smart card (or temporarily gains physical access) can supply an arbitrary “old” password PW′ together with a new password PW_new, causing the smart card to update N_i to an arbitrary value N_i* = N_i ⊕ h(PW′) ⊕ h(PW_new). After this manipulation, the legitimate user’s subsequent login attempts will fail because the server’s recomputed values will no longer match, effectively locking the user out of the service.
All four attacks rely on the same fundamental weakness: the protocol stores a long‑term secret (y) on the client side and never re‑authenticates the user’s old password during the change operation. The authors argue that the assumption of a tamper‑resistant smart card is unrealistic; side‑channel attacks can recover stored secrets, and once y or h(x) is known, the entire authentication process collapses.
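To make the algebra above concrete, here is an added Python model of Wang's four phases (not code from the paper or its authors) that instantiates h(.) as SHA‑256 and pads every value to 32 bytes so the XORs line up; these choices, the identifiers and the omitted timestamp‑freshness check are assumptions of this model. It lets a reader confirm two of the paper's structural observations: a holder of y recovers h(PW_i) (and then h(x)) directly from one login message, and a password change with a wrong old password silently breaks all later logins.

```python
import hashlib
import os

L = 32  # assumption: every protocol value is modelled as a 32-byte string

def h(data: bytes) -> bytes:
    """The scheme's one-way hash h(.); SHA-256 is an assumed instantiation."""
    return hashlib.sha256(data).digest()

def xor(*parts: bytes) -> bytes:
    """XOR of equal-length byte strings (the only operation besides h)."""
    out = bytes(L)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def pad(v) -> bytes:
    """Pad an identity (bytes) or timestamp (int) to L bytes for XOR."""
    return v.to_bytes(L, "big") if isinstance(v, int) else v.ljust(L, b"\0")

class Server:
    def __init__(self):
        self.x = os.urandom(L)  # server secret x
        self.y = os.urandom(L)  # global secret y, copied onto every smart card
    def register(self, ID: bytes, PW: bytes):
        """Registration: N_i = h(PW_i) XOR h(x) XOR ID_i; card gets (N_i, y)."""
        Ni = xor(h(PW), h(self.x), pad(ID))
        return SmartCard(pad(ID), Ni, self.y)
    def verify(self, msg, T_reply: int):
        """Verification: recover h(PW_i), recompute ID_i', reply a' (no T check here)."""
        ID, CID, Ni, T = msg
        hPW = xor(CID, h(xor(Ni, self.y, pad(T))), ID)
        if xor(Ni, hPW, h(self.x)) != ID:  # ID_i' == ID_i ?
            return None
        return h(xor(hPW, self.y, pad(T_reply)))  # a' = h(h(PW_i) XOR y XOR T')

class SmartCard:
    def __init__(self, ID, Ni, y):
        self.ID, self.Ni, self.y = ID, Ni, y
    def login(self, PW: bytes, T: int):
        """Login: CID_i = h(PW_i) XOR h(N_i XOR y XOR T) XOR ID_i."""
        CID = xor(h(PW), h(xor(self.Ni, self.y, pad(T))), self.ID)
        return (self.ID, CID, self.Ni, T)
    def change_password(self, PW_old: bytes, PW_new: bytes):
        """Password change exactly as specified: PW_old is never checked."""
        self.Ni = xor(self.Ni, h(PW_old), h(PW_new))

def leak_from_login(msg, y: bytes) -> bytes:
    """The paper's observation: anyone holding y gets h(PW_i) from the login message."""
    ID, CID, Ni, T = msg
    return xor(CID, h(xor(Ni, y, pad(T))), ID)
```

Running the model shows why the paper's fix must remove y from the card: the server's own first verification step is exactly the computation any y‑holder can perform on an intercepted message.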
The paper concludes that, despite being marketed as a more efficient and secure improvement, Wang’s scheme remains vulnerable to realistic attacks. It calls for a redesign that eliminates client‑side long‑term secrets, incorporates multi‑factor verification for password changes, and possibly adopts public‑key or challenge‑response mechanisms that do not expose hash values of passwords. The authors suggest that future work should focus on balancing efficiency with robust resistance to both offline and online attacks, acknowledging that the convenience features of dynamic ID schemes must not compromise fundamental security guarantees.