An Improvement on Remote User Authentication Schemes Using Smart Cards

: In 2010, Yeh et al. proposed two robust remote user authentication schemes using smart cards; their claims were such that their schemes defended against ID-theft attacks, reply attacks, undetectable on-line password guessing attacks, off-line password guessing attacks, user impersonation attack, server counterfeit attack and man-in-the-middle attack. In this paper, we show that Yeh et al.’s schemes are still vulnerable to ID-theft attack, off-line password guessing attacks, undetectable on-line password guessing attacks and user impersonation attack. Notably, problems remain in situations where the user lost a smart card or the malicious legal user. To remedy these ﬂaws, this paper proposes an improvement on Yeh et al.’s remote user authentication schemes using smart cards.


Introduction
With the rapid growth of network technologies, it is extremely important to pay close attention to any developing security concerns.As such, password-based authentication has become one of the best practically applied techniques used to problem-solve regarding various applications in wireless environments and other remote authentication systems.In 1981, Lamport [1] proposed the first password-based remote authentication scheme for identifying a legal user using a hash-chain technique through insecure communication.In our scheme, all secret passwords are stored in a verifier's table that is maintained by the remote server; in a situation such as this, there exists a potential threat such that all maintained records might be modified by attackers.In order to solve these problems, numerous undertakings in research  have been executed during recent years.
In 1990, Hwang et al. [12] proposed a non-interactive password authentication scheme without password tables using smart cards.Follow up research [3,6,16,18,23,24,[30][31][32][33][34][35][36][37][38][39] has also been proposed.Because these schemes suffered from a susceptibility to ID-theft attack, an attacker could forge a legal user using an eavesdropped users' identity documentation.Das et al. [6] proposed a dynamic ID-based remote user authentication scheme that has significant advantages; most notably, the remote server does not need to maintain a verifier's table.However, in 2009, Wang et al. [25] pointed out that Das et al.'s scheme still exhibited several weaknesses.For example, it is susceptible to server counterfeit attack and provides poor password authentication.In the same year, Hsiang and Shih [11] proposed a remote user authentication scheme using smart cards claiming that their scheme provided many security features, such as: mutual authentication, the ability to freely change passwords and protection from masquerade attack.
Next, Yeh et al. [27] proposed two robust remote user authentication schemes using smart cards.Their schemes illustrated how Wang et al.'s scheme and Hsiang and Shih's scheme were still susceptible to masquerade attack, off-line password guessing attacks and undetectable on-line password guessing attacks.Thus, Yeh et al. proposed two schemes to remedy these weaknesses that were more efficient than both Wang et al.'s scheme and Hsiang and Shih's scheme.Nevertheless, according to our cryptanalysis, Yeh et al.'s schemes still have notable weaknesses to ID-theft attack, off-line password guessing attacks, undetectable on-line password guessing attacks and user impersonation attack.Moreover, the smart-card-based schemes [6,9,11,19,25,28] suffered in contexts involving a lost smart card.In fact, some researches [15,21] reveal the stored parameters of smart card.Therefore, we propose an improved scheme to overcome all of the security weaknesses mentioned above.
The security requirements of a remote user authentication scheme based on smart cards are listed as follows: -

Mutual authentication
In the information transmission process, the message receiver must be able to verify the identity legitimacy of the sender.Thus, each party must be able to verify the identity legitimacy of the other parties in a remote user authentication environment.If the two parties have confirmed each other's identities, then mutual authentication is achieved. -

Lost smart card
If the user's smart card is stolen by an attacker, the attacker may use the smart card for future malicious communications, or use it to obtain previous messages.A secure remote user authentication environment should avoid these situations, when the smart card is stolen by an attacker. -

ID-theft attack
Malicious attacks may also attempt to get a person's identification by tracing their transmitted messages.Thus, a secure remote user authentication scheme must prevent such ID-theft attack.
-Server counterfeit attack and user impersonation attack Any information transferred in an unencrypted network environment is vulnerable to malicious attack in the form of modification, where the message delivered to the receiver is not the original message transmitted by the sender.The attacker may pretend a legal server or a legal user.The legality of the transmitted parties must therefore be ensured and protected against tampering in transit.

Replay attacks
Malicious attacks may also intercept the transmitted message between the user and the server and then impersonate a legitimate transmitter in order to send the same message to the intended receiver.This constitutes a serious breach of personal data security and must be prevented by a secure remote user authentication environment.
The rest of this paper is organized as follows.Section 2 provides a brief review of the weakness of Yeh et al.'s schemes.Section 3 provides details of the proposed scheme.Section 4 provides a security analysis of our scheme.Section 5 shows a security and performance comparison with related research.We provide conclusions in the last section.

Review of Yeh et al.'s Timestamp Based Scheme
In this subsection, we briefly describe Yeh et al.'s timestamp based scheme [27], which consists of four phases: the registration phase, the login phase, the authentication phase and the password-change phase.The overview is described in Figure 1 and the notation of this scheme is listed as follows:

Registration Phase
In this phase, U initially registers, or re-registers, to S and the steps are described as follows: 1. U selects a random number b and computes h(b ⊕ PW ⊕ IDu).He or she then securely send IDu, h(PW) and h(b ⊕ PW ⊕ IDu) to S. 2. S creates a new entry with a value m = 0 for U in the database or sets m = m + 1 in the existing entry.Here, m denotes the number of times of re-registering to S for each user U. Next, S computes EID, P, R and V: Then, S securely issues a smart card containing V, R, h(•) to U. = B: determine whether A is equal to B.

Registration Phase
In this phase, U initially registers, or re-registers, to S and the steps are described as follows: 1.
U selects a random number b and computes h(b ⊕ PW ⊕ ID u ).He or she then securely send ID u , h(PW) and h(b ⊕ PW ⊕ ID u ) to S.

2.
S creates a new entry with a value m = 0 for U in the database or sets m = m + 1 in the existing entry.
Here, m denotes the number of times of re-registering to S for each user U. Next, S computes EID, P, R and V: EID = (ID u ||m) Then, S securely issues a smart card containing V, R, h(•) to U.

3.
Finally, U enters a random number b into his or her smart card.

Login Phase
When U wants to login S, the following steps will be performed: 1.
U inserts his or her smart card into the card reader and then enters the ID u and PW.

2.
U's smart card computes C 1 , C 2 and sends the authentication request messages (h(ID u ), T u , C 2 ) to S: If the Equation ( 7) holds, S accepts U's login request and computes C 3 : otherwise, S rejects it.Continuously, S sends the response messages (T s , C 3 ) to U and generates a session key SK for later secure communication: 2.
According the received messages (T s , C 3 ), U's smart card checks the validity of T s > T u .If it does not hold, U terminates the session; otherwise, U computes h(C 1 ⊕ h(T s )) and compares it with C 3 : If the Equation ( 10) holds, U successfully authenticates S. Finally, U computes the same session key SK: and then, U and S can use the session key SK to securely communicate with each other.

Password Change Phase
In this phase, U intends to exchange his or her password PW with a new one PW new .The steps are described as follows: 1.
U inserts his or her smart card into the card reader, enters ID u and PW and then requests a password change.

2.
U's smart card computes P*, V* and compares V* with the stored V: If Equation ( 14) does not hold, the smart card rejects the request; if the number of login failures exceeds a predefined value, the smart card is locked immediately to prevent exhaustive password guessing attacks; otherwise, U inputs the new password PW new .Afterward, U's smart card computes R new and V new as follows: V new = h(P * ⊕h(PW)) then, replaces R, V with R new , V new , respectively.

Weakness of Yeh et al.'s Timestamp Based Scheme
Although Yeh et al.'s timestamp based scheme was an improved version of Hsiang-Shih's scheme [11], several security weaknesses still exist.These susceptibilities include: ID-theft attack, off-line password guessing attacks and undetectable on-line password guessing.We describe these attacks as follows.

ID-Theft Attack
In the login phase, an attacker A can intercept the login messages (h(ID u ), T u , C 2 ) to compute the user's identity ID u as follows: 1.
A guesses an identity ID A , computes a hashed value h(ID A ) and compares it with the intercepted h(ID u ).

2.
If the guessed hashed value is equal to h(ID u ), this indicates that A guessed the correct identity (i.e., h(ID A ) = h(ID u )); otherwise, A retries Steps 1 and 2.
Therefore, A can easily obtain U's identity; the relevant details will be discussed in the next subsection.

Off-Line Password Guessing Attacks
This involves a situation where a user's smart card was stolen by an attacker A and where A uses the stolen smart card to extract the secret parameters b and R [15,21].Continuously, A can use the previously eavesdropped messages (h(ID u ), T u , C 2 ) or (T s , C 3 ) to obtain U's password PW according to the following steps: Following Section 2.2.1, the attacker A can obtain the real identity of U. Afterward, A guesses a password PW A .

2.
A computes counterfeit messages C A1 and C A2 for comparison with the intercepted messages C 2 or C 3 , as follows: or

3.
Since ID u is revealed following Section 2.2.1,A can guess the correct ID u and PW to change the user's password.Refer to the password change phase of Section 2.1.4.

On-line Password Guessing Attacks
This refers to Section 2.2.2, where an attacker A is able to extract the secret parameters b and R through the stolen smart card.As with the previously eavesdropped messages (h(ID u ), T u , C 2 ), A can guess the U's password as follows: 1.
A guesses a possible password PW A and computes a value following Equation ( 17) C A1 with a timestamp T A .A then computes counterfeit messages (h(ID A ), T A , C A1 ) to send to the server S.

2.
After receiving the messages, S first checks the timestamp T s > T u .Continuously, S computes h(h(EID ⊕ x) ⊕ T A ) to compare the received value C A1 .If both of them are equal, then PW A is U's correct password.

3.
Then, S accepts this login request and sends the messages (T s , C 3 ) to A.

4.
According to the received messages, A can recognize that the correct password has been guessed; otherwise, A retries the above attack procedures until obtaining the correct password.

Review of Yeh et al.'s Nonce Based Scheme
Yeh et al.'s nonce based scheme [27] consists of four phases: the registration phase, the login phase, the authentication phase and the password change phase.The overview is described in Figure 2.

Registration Phase
When a user U wants to register to the remote server S, he or she has to perform the following steps: 1.
The user U first selects a password PW and a random number r.Then, U submits ID u , h(PW) to the remote server S through a secure channel.

2.
When receiving the registration request messages from U, S first computes a hash value h(r||x).
With h(r||x), ID u and h(PW), S computes N and Y: Next, S initializes the smart card with r, N, Y, h(•) and sends it to U via a secure channel.

Login Phase
When U intends to login S, he or she first insert his or her own smart card into a card reader or the terminal.Next, U enters his or her identity ID u and password PW.The smart card then performs the following steps: 1.
First, the smart card uses PW and N to derive the value h(r||x).Next, the smart card computes Y : and compares Y with the stored Y; otherwise, the login request is rejected.

2.
Second, the smart card generates a nonce n and computes K, L and CID: Third, the smart card sends login request messages (r, K, L, CID) to S.
4. According to the received messages, A can recognize that the correct password has been guessed; otherwise, A retries the above attack procedures until obtaining the correct password.

Review of Yeh et al.'s Nonce Based Scheme
Yeh et al.'s nonce based scheme [27] consists of four phases: the registration phase, the login phase, the authentication phase and the password change phase.The overview is described in Figure 2.

Authentication Phase
After receiving the messages (r, K, L, CID), S performs the following steps to authenticate U: S uses the received value r and its secret x to compute the hashed value M: Next, S computes n , ID u and CID : After that, S checks whether CID is equal to CID or not.If it holds, S confirms that U is valid and replies a message a to U: otherwise, S rejects the login request.

2.
Upon receiving message a , U first calculates value a: and compares it with the received value a .If both of these two values are identical, U confirms that S is valid.Since they already possess the current secret values h(r||x) and n, the session key SK will be securely agreed upon by S and U:

Password Change Phase
If U wants to change his or her password, the procedures are as follows: 1.
U first inserts his or her smart card into a card reader or the terminal and keys in the identity ID u and the original password PW.

2.
Next, according to Equations ( 23) and ( 24), the smart card examines the validity of ID u and PW and checks to see if Y = Y.If the verification holds, U is allowed to enter a new password PW new ; otherwise, the smart card rejects the password change request.

3.
Finally, the smart card calculates N : and replaces the old value N with the new one N .Now, the password has been successfully changed without the participation of S.

Weakness of Yeh et al.'s Nonce Based Scheme
Within Yeh et al.'s nonce based scheme, a security flaw has presented.We will now describe the details of the weakness.

User Impersonation Attack
In this subsection, we assume that an attacker A, who is a malicious legal user, can use his or her smart card to extract their own secret parameters r, N and Y.A uses those parameters to impersonate the other user as follows: 1.
A uses his or her own PW and N to compute the hashed value h(r||x) (see Equation ( 23)).
Continuously, A selects a nonce n and the same format of identity ID i to compute the authentication message K, L and CID: and then A sends (r, K, L, CID) to S.

2.
S uses the received value r and its secret x to compute the hashed value M (Refer to Equation ( 28)): Next, S computes n (Refer to Equation ( 29), ID i and CID : After that, S checks whether CID is equal to CID or not.If it holds, S confirms that A is valid and replies a message a to A: 3.
After receiving message a , A can confirm that he or she pass the authentication to impersonate the User i.
For this reason, if A is a malicious legal user, he or she can impersonate any legal user to communicate with remote user.Yeh et al.'s nonce based scheme is similar to a no identity authentication.

The Improved Scheme
In the context of Yeh et al.'s two user authentication schemes, there are some security flaws remaining.Therefore, we have designed a scheme with two unknown factors to protect each parameter in the smart card.Our remediable scheme consists of four phases: the registration phase, the login phase, the authentication phase and the password change phase.We describe these phases in the following subsection and an overview of our improved scheme is presented in Figure 3.

1.
The user U chooses a password and selects a random number r, then submits the registration messages (ID u , h(PW), r) to the remote server S via a secure channel.

2.
When S receives the registration messages from U, S first generates a nonce N s and uses ID u and h(PW) to compute three values P, R and V: Afterward, S issues the smart card with parameters P, R, V and h(•) to U through a secure channel.

Login Phase
If U wants to login S, he or she first insert his or her own smart card into a card reader or the terminal.Then, U enters his or her ID u and PW.The smart card performs the following steps: 1.
The smart card uses random number r, PW and R to compute a value h(x||N s ) and calculate V to compare with V: If Equation (47) holds, the smart card generates a nonce N u and computes messages C 1 , SK and C 2 ; otherwise, the login request is rejected: Finally, the smart card sends login request messages (P, C 1 , C 2 ) to S.

The Improved Scheme
In the context of Yeh et al.'s two user authentication schemes, there are some security flaws remaining.Therefore, we have designed a scheme with two unknown factors to protect each parameter in the smart card.Our remediable scheme consists of four phases: the registration phase, the login phase, the authentication phase and the password change phase.We describe these phases in the following subsection and an overview of our improved scheme is presented in Figure 3.

Authentication Phase
Upon receiving the login request (P, C 1 , C 2 ), S has to perform the following steps to authenticate U: 1. S uses the received value P and its secret key x to obtain (ID u and N s ): Afterward, S computes N u and SK to check if the authentication message C 2 is valid or not: If Equation (54) holds, S confirms that U is a legal user and responds a message C 3 to U: Otherwise, S rejects the login request.

2.
When receiving the response C 3 , U first verifies whether the message is valid or not: If the Equation (56) holds, U confirms that S is valid.Afterward, U and S can use the same session key SK to securely communicate with each other.

Password Change Phase
In this phase, if a U wants to change his or her password, he or she will perform the following steps: 1.
First, U inserts his or her smart card into a card reader or the terminal and enters the ID u and the original PW.

2.
Second, according to Equations ( 46) and (47), the smart card examines the validity of ID u and PW and compares V with the stored V.If this holds, U is allowed to key in a new password PW new ; otherwise, the smart card rejects the password change request.

3.
Third, the smart card calculates R : and replaces the old value R with the new R .Thus, the password has been successfully changed without the participation of remote server S.

Security Analysis
In this section, we will discuss the security of our improved scheme and demonstrate how it is more secure than previous schemes.

Mutual Authentication
In the proposed scheme, when the personal reader wants to communicate with the medical reader, they must authenticate each other.In this subsection, we use the Burrows-Abadi-Needham (BAN) logic model [40] to proof the correctness of our improved scheme.Recently, many authentication schemes [41][42][43] have applied BAN logic to proof the correctness of an authentication and key establishment.The symbols N s and N u are nonces; h(x), h(x||N s ) and SK denotes the secret keys; the notation of Ban logic is described as follows: P|≡ X P believes X, or P would be entitled to believe X. P X P sees X. Someone has sent a message containing X to P, who can read and repeat X.
P| ∼ X P once said X. P at some time sent a message including X.
P|⇒ X P has jurisdiction over X. P is an authority on X and should be trusted on this matter.
The formula X is fresh, that is, X has not been sent in a message at any time before the current run of the protocol.

P K
↔ Q P and Q may use the shared key K to communicate.
The formula S is a secret known only to P and Q and possibly to principals trusted by them.
The main goal of our scheme is to authenticate the session key establishment between a user U and the remote server S.
According to our authentication phase, we use BAN logic to produce an idealized form as follows: To analyze our improved scheme, we make the following assumptions: According to those assumptions and the rules of BAN logic, we show the main proof of our authentication phase as follows: By (Statement 10), (Statement 11) and the message meaning rule, we can derive: By (Statement 12), A5 and the jurisdiction rule, we can derive: By (Statement 5) to (Statement 8), (Statement 12) and (Statement 13), we can proof our improved scheme such that user U and the remote server S authenticate each other.Moreover, we are also able to prove that the improved scheme can establish a session key between the user U and the remote server S.
In our improved scheme, the server authenticates the user by checking the message C 2 .If server's computed value h(h(ID u )||N u ||SK ) is equal to C 2 , the server proves that the user is valid.Then, server sends message C 3 to the user.The user also compares C 3 with his or her computation value h(ID u ||N u ||SK ).If both of them are equal, the user confirms that the server is legitimate.Since the secret value h(x||N s ) is shared between user and server, they can authenticate each other with the login messages (P, C 1 , C 2 ) and the reply message C 3 .Hence, mutual authentication obtains in our improved scheme.Scenario: A malicious attacker uses an illegal server to authenticate a legal user.Analysis: The attacker will not succeed because the legal user has not been registered to the illegal server and the illegal server cannot calculate the correct session key SK.Thus, it will fail when the legal user attempts to authenticate the illegal server.In the proposed scheme, the attacker cannot achieve their purpose using an illegal server.In the same scenario, the proposed scheme can also defend against a malicious attack using an illegal user to connect to a legal server.This is why the illegal user has not been registered to the legal server and the illegal user cannot calculate the correct session key SK.Thus, the attack will fail when the legal server attempts to authenticate the illegal user.

Lost Smart Card
According to our improved scheme, if an attacker A obtains a legal user U's smart card somehow, they cannot obtain any parameter without the user's password; even if A extracts the parameters P, R and V (see Equations ( 42)-( 44)) from the smart card, they still cannot obtain any sensitive information (such as ID u , PW, N s or the server's secret key x) with those parameters.Notably, A does not know U's correct password and each parameter is always protected by two unknown factors of the smart card.Therefore, no one can use the stolen smart card to obtain authentication without U's correct password and identity.

ID-Theft Attack
As regards the login and authentication phases of our improved scheme, U's ID u is always protected by P and C 2 ; it is impossible for an attacker A to acquire it from P and C 2 .Notably, it is difficult to reveal ID u from P without the server's secret key x and the nonce N s .Additionally, A cannot obtain ID u from C 2 without the nonce N u .Therefore, ID u cannot be known by the attacker.

Password Guessing Attacks
This situation involves an attacker A obtaining the U's smart card and intercepting previous messages.In this case, A intends to guess the U's PW from the stored parameter R of the smart card and must know the secret key x and the nonce N s to compute similar parameters for comparison with parameter R. On the other hand, A can use R and the intercepted P to compute similar messages (P, C 1 , C 2 ) and send it to S in an attempt to guess U's PW.As A has two unknown values, ID u and PW, it is difficult to successfully complete this password guessing attack.

Server Counterfeit Attack and User Impersonation Attack
Notably, Yeh et al.'s schemes will compromise the server's secret key x in the context of a malicious legal user, allowing forgery of another legal user and a remote server.Hence, in the registration phase of our improved scheme (see Equation ( 42)), the remote server S generates a nonce value N s to compute parameter P with U's identity ID u and its secret key x, where the nonce value N s is different for each user.So, the malicious legal user cannot guess x with an unknown value N s .As such, these two attacks will be prevented.

Replay Attack
In our improved scheme, we use a nonce mechanism to prevent the replay attack and to solve the synchronization problem.When an attacker intends to replay the previous messages (P, C 1 , C 2 ) to achieve authentication, they cannot as the nonce value N u is different in each session.For this reason, the attacker cannot achieve authentication using previous messages.Scenario: A malicious attacker intercepts the transmitted message between the user and the server and sends the same message again to the user or the server.Analysis: The attacker will not succeed because the legal user uses the nonce value N u in each session.
The attacker cannot get the correct nonce value N u .Thus, the attack will fail when the legal server authenticates the received message.In the proposed scheme, the attackers cannot achieve their purpose by sending the same message again to the user or to the server.Therefore, attackers cannot achieve their purpose by replay attack.

Performance Analysis
In this section, we compare the security requirements and computation costs with other related proposals in the literature [9,11,27] in Tables 1 and 2, respectively.Recent research [6,9,11,19,25,27,28] has generally only considered one unknown factor for each parameter; this is why their schemes were compromised and have become susceptible to various attacks.However, our improved scheme always consists of two unknown factors within each communication to meet more stringent security requirements.It can be clearly observed that our scheme is more secure than those proposed by others.From Table 2, the proposed scheme's computation costs for our scheme and previous researchers' schemes in each phase are analyzed.For the highest computation cost in the login & authentication phase, Hsiang and Shih's scheme needs eight hash function operations and seven exclusive-or operations.Wang et al.'s scheme needs six hash function operations and thirteen exclusive-or operations.Yeh et al.'s timestamp-based scheme needs eleven hash function operations and fourteen exclusive-or operations.Yeh et al.'s nonce-based scheme needs fifteen hash function operations and five exclusive-or operations.Our scheme needs twelve hash function operations and four exclusive-or operations.Generally speaking, the computation cost of our scheme is comparable to Yeh et al.'s scheme and inferior to Hsiang and Shih's scheme.However, our scheme can defend against all of the attacks discussed herein more effectively than all previous attempts.H denotes one way hash operation; Xor denotes bitwise exclusive operation.

Conclusions
In this paper, we first reviewed Yeh et al.'s two remote user authentication schemes using smart cards.They claimed that their schemes could defend against known attacks more effectively and more efficiently than previous related research.However, in our cryptanalysis, we find that Yeh et al.'s claims allow for further improvements and that their proposals exhibit serious security flaws, i.e., susceptibility to ID-theft attacks, off-line password guessing attacks, undetectable on-line password guessing attacks and user impersonation attacks.Moreover, based on other related researches [15,21], if an attacker can obtain a legal user's smart card, they can extract the secret parameters from the smart card to successfully complete password guessing attacks.Additionally, in cases where an attacker is a malicious legal user, the attacker can use their smart card to impersonate any legal user.This factor results in the security flaws we discussed above; hence, many schemes will be insecure.
To remedy the specific security problems detailed in this paper, we have proposed an improved scheme.The proposed scheme consistently protects each secret parameter with two unknown factors in the smart card; thus, an attacker cannot obtain any sensitive information, even if he or she is a malicious legal user.Most notably, our scheme not only addresses more stringent security requirements and protects against known types of attacks, it also reduces computation costs more effectively than Yeh et al.'s scheme.Therefore, our scheme holds substantial value in the context of numerous applications in various network environments.

Figure 1 .
Figure 1.Overview of Yeh et al.'s first scheme.U: the user; S: the remote server; Tu, Ts: the timestamps generated by user and remote server respectively; IDX: the identity of X; PW: the user's password; x: the permanent secret key of remote server; m: the times of registration; the initial value is m = 0; b, r: random numbers; n, Nu, Ns: nonces; h(•): a one-way hash function; ⊕: bitwise exclusion operation; ||: concatenation operation; A ? = B: determine whether A is equal to B.

Figure 1 .
Figure 1.Overview of Yeh et al.'s first scheme.U: the user; S: the remote server; T u , T s : the timestamps generated by user and remote server respectively; ID X : the identity of X; PW: the user's password; x: the permanent secret key of remote server; m: the times of registration; the initial value is m = 0; b, r: random numbers; n, N u , N s : nonces; h(•): a one-way hash function; ⊕: bitwise exclusion operation; ||: concatenation operation; A ? = B: determine whether A is equal to B.

Figure 2 .
Figure 2. Overview of Yeh et al.'s second scheme.Figure 2. Overview of Yeh et al.'s second scheme.

Figure 2 .
Figure 2. Overview of Yeh et al.'s second scheme.Figure 2. Overview of Yeh et al.'s second scheme.

Figure 3 .
Figure 3. Overview of our improved scheme

Figure 3 .
Figure 3. Overview of our improved scheme.
) and T s > T u .If it does not hold, S rejects U's login request; otherwise, S computes h(h(EID ⊕ x) ⊕ T u ) and compares it with C 2 :

Table 1 .
Security comparison between other related researches and ours.

Table 2 .
Performance comparison between other related researches and ours.