Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol
Published in: | International journal of communication systems 2016-02, Vol.29 (3), p.478-487 |
---|---|
Main authors: | , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Abstract: | Summary
Two‐factor user authentication scheme allows a user to use a smart card and a password to achieve mutual authentication and establish a session key between a server and a user. In 2012, Chen et al. showed that the scheme of Sood et al. does not achieve mutual authentication and is vulnerable to off‐line password guessing and smart card stolen attacks. They also found that another scheme proposed by Song is vulnerable to similar off‐line password guessing and smart card stolen attacks. They further proposed an improved scheme. In this paper, we first show that the improved scheme of Chen et al. still suffers from off‐line password guessing and smart card stolen attacks, does not support perfect forward secrecy, and lacks the fairness of session key establishment. We then propose a new security‐enhanced scheme and show its security and authentication using the formal verification tool ProVerif, which is based on applied pi calculus. Copyright © 2014 John Wiley & Sons, Ltd.
In this paper, we first show that Chen et al.'s two‐factor authentication and key agreement scheme suffers from off‐line password guessing and smart card stolen attacks and does not support perfect forward secrecy and lacks the fairness of session key establishment. We then propose a new security‐enhanced scheme and use the applied pi calculus‐based formal verification tool ProVerif to prove its security and authentication. |
---|---|
ISSN: | 1074-5351 1099-1131 |
DOI: | 10.1002/dac.2858 |