Analysis and enhancement of a password authentication and update scheme based on elliptic curve cryptography (Q2336256)

Summary: Recently, a password authentication and update scheme has been presented by Islam and Biswas to remove the security weaknesses in Lin and Huang's scheme. Unfortunately, \textit{D. He} [``Comments on a password authentication and update scheme based on elliptic curve cryptography'', Cryptology E-Print Archive Report 2011/411 (2011)], \textit{D. Wang} [``On the security of an improved password authentication scheme based on ECC'', Lect. Notes Comput. Sci. 7473, 181--188 (2012; \url{doi:10.1007/978-3-642-34062-8_24})] and \textit{C. T. Li} [``A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card'', IET Inf. Secur. 7, No. 1, 3--10 (2013; \url{doi:10.1049/iet-ifs.2012.0058})] have found out that Islam and Biswas' improvement was vulnerable to offline password guessing attack, stolen verifier attack, privilege insider attack, and denial of service attack. In this paper, we further analyze Islam and Biswas' scheme and demonstrate that their scheme cannot resist password compromise impersonation attack. In order to remedy the weaknesses mentioned above, we propose an improved anonymous remote authentication scheme using smart card without using bilinear paring computation. In addition, the verifier tables are no longer existent, and the privacy of users could be protected better. Furthermore, our proposal not only inherits the advantages in Islam and Biswas' scheme, but also provides more features, including preserving user anonymity, supporting offline password change, revocation, reregistration with the same identifier, and system update. Finally, we compare our enhancement with related works to illustrate that the improvement is more secure and robust, while maintaining low performance cost.