Security Analysis and Improvements of a Password-Based Mutual Authentication Scheme with Session Key Agreement

Password-based authentication schemes have been widely adopted to protect resources from unauthorized access. In 2008, Chang-Lee proposed a friendly password-based mutual authentication scheme to avoid the security weaknesses of Wu-Chieu's scheme. In this paper, the authors demonstrate that Chang-Lee's scheme is vulnerable to user impersonation attack, server masquerading attack, password guessing attack, and insider attack. Also, they propose an improved scheme to overcome the security weaknesses of Chang-Lee's scheme, even if secret information stored in the smart card is revealed. As a result of security analysis, they prove that the proposed scheme is secure for the various attacks and provides session key agreement.