Enhanced Biometrics-based Remote User Authentication Scheme Using Smart Cards

Secure and efficient authentication schemes have been a very important issue with the development of networking technologies. Li and Hwang proposed an efficient biometrics-based remote user authentication scheme using smart cards. However, Li et al. recently pointed out that Li and Hwang’s scheme is vulnerable to the man-in-the-middle attack and does not provide proper authentication, and they proposed an improved biometrics-based authentication scheme. These schemes are vulnerable to various attacks even if the schemes are based on tamper-resistant technologies. Tamper-resistant technologies have been developed with the various applications of smart cards. Therefore, we assume in this paper that the user can use a tamper-resistant smart card. First of all, this paper shows that Li et al.’s scheme is vulnerable to the replay attack and has a weakness in its password changing scheme, even if it is assumed that the scheme uses tamper-resistant smart cards. Furthermore, we propose an enhanced authentication scheme to solve the security flaws in the two schemes.

Remote user authentication is a method to authenticate remote users to a server over insecure networks. To authenticate remote users, the password-based authentication method has been widely used. Lamport in [1] proposed an authentication scheme based on passwords, in which a password verification table was used in the server. However, since the scheme needs to maintain a verification table in the server, it is very vulnerable to the server compromise attack or the verification table modification attack.

2. Review of Related Schemes
In this section, we briefly discuss the attributes of smart cards that qualify them for remote user authentication schemes and review Li and Hwang’s scheme in [16] and Li et al.’s scheme in [19], with the cryptanalysis of their schemes.

2.1. Attributes of Smart Cards
These days, smart cards play an important role in our everyday life. We use them as credit cards, electronic purses, health cards, and secure tokens for authentication of individual identity. However, since smart cards have low computing capability, many authentication schemes using smart cards have been designed without public key cryptosystem technology for computation efficiency. Under these circumstances, if a smart card is lost or stolen, those schemes are usually weak against the offline password guessing attack, because human-memorable passwords are not long enough to resist the attack. To protect important data in the smart card, such as password and secret key information, even if the card is lost or stolen, proper tamper-resistant technologies in both hardware and software have been developed to counteract various attacks [20-24]. According to the Smart Card Alliance, today’s smart card technology is extremely difficult to duplicate or forge and has built-in tamper-resistance. Smart card chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis [25]. It is important to develop authentication schemes using general smart cards, but they are usually insecure against the stolen smart card attack.
Considering the poor computing capability of smart cards, authentication schemes using smart cards are required to have low computation cost by using hash functions or symmetric key cryptosystems as their main operations. Therefore, to develop an efficient and secure authentication scheme that can resist the stolen smart card attack, tamper-resistant smart cards can be used.
