A new mutual authentication scheme based on nonce and smart cards

In 2003, Shen, Lin and Hwang proposed a timestamp-based password authentication scheme using smart card. In the scheme the remote server does not need to store the passwords or verification tables for users’ authentication, and the scheme also provides a timestamp-based mutual authentication method to prevent the forged login attack and the forged server attack. However, this authentication scheme has been found to be vulnerable to forged login attack; an attacker could impersonate legitimate users to login and access the remote server. To solve this problem, an improved scheme will be proposed in this paper, which is based on nonce instead of timestamp and can withstand the existing forged attacks. The security analysis shows that the improved scheme still keeps the features of the non-storage data model authentication scheme, will not add additional computation cost to the smart card, and is more secure and more applicable than Shen’s scheme.