
1 Introduction

After the emergence of Internet technology, the network-based information industry has developed rapidly, evolving from single point-to-point wired networks into multi-server ubiquitous networks. Network-based servers in daily life, production and even the military field show broad application prospects [2]. Data has become the main part of people’s production and life, and the mobile terminal is now pushing the application of networks to another climax. However, incidents of information leakage and virus spreading have also reached another climax [3]. For this reason data security has become indispensable, and this is why we need cryptography and effective encryption architectures to protect our data.

When attacking a target, an attacker often treats the user’s password as the starting point of the attack. As long as an attacker can guess or determine the user’s password, he can gain access to the machine or network and to any resource that the user can access. This is extremely dangerous if the user has domain administrator or root privileges [12].

Password attacks are the hacker’s favorite method of intruding into a network. Hackers obtain the passwords of system administrators or other special users, obtain the management rights of the system, steal system information and files on disk, and may even destroy the system.

Authentication is the process of verifying the access authorization of a person who wants to access a resource, or of assigning an identity to a user [13]. It is applied to mutual authentication between server and user so that each party can be assured of the other’s identity. Apart from the traditional username-password method, establishing a key by means of biometric authentication has also begun to blossom. This process of participating in authentication through biometrics is called mutually authenticated key agreement [1].

Multi-server authentication schemes can be divided into two main classes: password-based and smartcard-based multi-server authentication schemes [19]. Large secret parameters can be stored on the card in smartcard-based authentication [20, 21], which prevents an adversary from successfully mounting a password-guessing attack. However, it is inconvenient for users to carry smart cards, and the card must participate in every login authentication [8]. On the contrary, password-based multi-server authentication schemes are easy to use and convenient for practical applications because they require neither a smartcard nor a card reader [22, 23]. The emergence of biometric authentication has made up for the shortcomings of these two methods, and so biometric authentication has begun to flourish.

Since Lamport [15] first proposed password-based authentication in 1981, a series of single-server password-based authentication schemes have been proposed. But these schemes greatly increase the burden on users because of their one-to-one authentication [15]. In 2001, Tsaur [16] proposed smartcard-based password authentication, which initiated remote user identity authentication for the multi-server environment. Yoon et al. [5] demonstrated an anonymous authenticated key agreement scheme for the multi-server environment using elliptic curve cryptography. Soon afterwards, He and Kim [17] pointed out that Yoon et al.’s scheme cannot resist the masquerade attack, insider attack, stolen-smartcard attack and offline password guessing attack, and proposed an improved scheme. Afterwards, Chuang and Chen [18] proposed a scheme that recommended using hash functions to suit practical applications. But Mishra et al. [4] proved several weaknesses in it.

In 2015, Jiang et al. [23] and Odelu et al. [24] proposed biometric key agreement protocols for multi-server applications. But in these three schemes the RC participates in the authentication phase, so the load on the registry is too high, which easily causes a node failure and is not applicable to the actual situation [27, 28]. In addition, the password update phase they put forward has security problems and is vulnerable to the masquerade attack and the insider attack, and the protocols have clock synchronization problems. As a result, improvement plans were put forward. In 2016, Wan et al. [25] pointed out that Chuang et al.’s [18] scheme cannot resist the masquerade attack and proposed an improvement. At the same time, Amin et al. [26] also pointed out that the previous schemes have various shortcomings and gave an improved authentication protocol for remote users in the multi-server environment [29].

Recently, to resist the impersonation attack, Reedy et al. [1] proposed a mutually authenticated key agreement scheme for the multi-server environment. They claimed that their scheme withstands all known types of attack. Unfortunately, we find that their scheme cannot resist the offline password guessing attack or the user impersonation attack, and that it lacks user anonymity protection. We present an improved fix to overcome these deficiencies.

This paper is organized as follows: (i) first, the preliminaries introduce the attack model and the necessary elliptic curve background; (ii) next, we review Reedy et al.’s scheme and point out its drawbacks, that is, the cryptanalysis; (iii) finally, we present an improved fix to overcome these deficiencies.

2 Preliminaries

2.1 Discrete Logarithm Problem of Elliptic Curve

The security of the entire scheme rests on the discrete logarithm problem on elliptic curves, which is also the basis of Reedy et al.’s scheme. We briefly recall the elliptic curve facts involved in the scheme.

Addition on an elliptic curve: let an elliptic curve be given by \( E_{\text{p}} :y^{2} = x^{3} + ax + b \) with \( 4a^{3} + 27b^{2} \ne 0 \). Assume P and Q are points on the curve. We define \( P + Q = R \), where R is the negative of the third point at which the line through P and Q intersects the curve. When \( P = Q \), the tangent at P is used instead, and the negative of its second intersection with the curve is \( R = 2P \). Then \( 3P = P + P + P = 2P + P \), and higher multiples are computed the same way. Consequently, when a point P is known, computing the multiple \( NP({\text{N}} \in {\text{Z}}) \) is not difficult; because of the properties of addition (repeated doubling and adding), the operation is fast [10]. In the other direction, recovering \( N \) from the point \( NP({\text{N}} \in {\text{Z}}) \) is very difficult, because in general one can only try each \( N \) in turn. This is the “discrete logarithm problem on elliptic curves” used in elliptic curve cryptography [30].

The following parameters are known:

  • an elliptic curve \( E_{\text{p}} :y^{2} = x^{3} + ax + b \)

  • a point P on the elliptic curve (the base point)

  • the point \( NP({\text{N}} \in {\text{Z}}) \) on the elliptic curve \( E_{\text{p}} :y^{2} = x^{3} + ax + b \)

We need to solve for:

  • N

Because of this difficulty, the security of elliptic curve ciphers is guaranteed.
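The asymmetry described above, as an added example that is not part of the original paper: chord-and-tangent addition, doubling and double-and-add scalar multiplication over a toy prime field, together with the exhaustive search that is the only generic way to recover N from NP. The curve \( y^{2} = x^{3} + 2x + 3 \) over \( \mathbb{F}_{97} \) and the base point (3, 6) are constructed toy parameters chosen for illustration, not parameters from the paper; a real deployment uses a curve of cryptographic size.

```python
# Added example (not from the paper): elliptic-curve group law over a toy prime
# field and the "easy direction / hard direction" of the ECDLP.
# Toy parameters (constructed): y^2 = x^3 + 2x + 3 over F_97, base point G = (3, 6).
# Discriminant check: 4*2^3 + 27*3^2 = 275 = 81 (mod 97) != 0, so the curve is non-singular.
P_MOD, A, B = 97, 2, 3
G = (3, 6)
INF = None  # point at infinity, the group identity

def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    """Reflection over the x-axis: the inverse of a point."""
    if pt is INF:
        return INF
    x, y = pt
    return (x, (-y) % P_MOD)

def add(p1, p2):
    """Chord-and-tangent addition: R = -(third intersection of the line with the curve)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                  # P + (-P) = O
    if p1 == p2:                                    # tangent case: slope (3x^2 + a) / 2y
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                                           # chord case: slope (y2 - y1) / (x2 - x1)
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD            # negate the intersection point
    return (x3, y3)

def scalar_mul(n, pt):
    """The easy direction: compute N*P by double-and-add in O(log N) group operations."""
    result, addend = INF, pt
    while n > 0:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result

def brute_force_log(target, base, limit=10_000):
    """The hard direction: recover some N with N*base == target by trying each N in turn.
    Feasible only because the toy curve has at most ~118 points (Hasse bound)."""
    acc = INF
    for n in range(limit):
        if acc == target:
            return n
        acc = add(acc, base)
    return None

if __name__ == "__main__":
    Q = scalar_mul(23, G)
    print("23*G =", Q, "on curve:", is_on_curve(Q))
    print("recovered N:", brute_force_log(Q, G))
```

On a curve of cryptographic size the loop in `brute_force_log` would need on the order of the group size steps, while `scalar_mul` still needs only a few hundred additions; that gap is what the schemes in this paper rely on.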

2.2 Security Model

In recent years, the adversary model for remote password authentication schemes has always been the classic Dolev-Yao model [6]: the adversary can arbitrarily monitor, capture, insert and delete messages on the public channel [7]. With the development of Internet technology, the capabilities of adversaries have increased: an adversary can analyze the data stored on a smartcard and thereby enhance his ability to attack. This paper adopts the adversary models of Wang et al. [7] and Huang et al. [9].

In this model, six kinds of adversaries are enumerated and ordered by increasing capability [11]. For three-factor mutually authenticated key agreement schemes, an adversary may obtain two of the authentication factors but cannot affect the third. The cases are as follows.

(1) A captures the smartcard and the password, but cannot threaten the biometric factor of the user.

(2) A obtains the password and the biometric factor, but cannot get the smartcard parameters.

(3) A gets the smartcard and the biometric factor, but the password remains secret.

In Huang et al.’s [9] scheme, the probability of success in case 1 or 2 is low, because the biometric factor is fuzzy and extremely difficult to recover, and security parameters of high information entropy are usually stored in the smartcard [14]. In summary, scenario three poses the greatest threat, because of the low information entropy of passwords and the development of dictionary attack techniques.

3 Review of Reedy et al.’s Scheme

In this section we briefly review Reedy et al.’s scheme. It consists of the following phases: Registration Server Initialization, Application Server Registration, User Registration, Login, Mutually Authenticated Key Agreement, Password and Biometrics Change, Dynamic Addition of Application Server, and User Revocation/Re-Registration. In order to save space, we recall only the central parts.

Registration Server Initialization phase: we do not elaborate on this phase, in which the registration server RC (also written RS) generates the system parameters. RC generates an elliptic curve \( E_{p} :y^{2} = x^{3} + ax + b(\text{mod}\,{\text{p}}) \), where p is a large prime, and the private keys USK and ASK, and finally publishes the parameters \( \{ E_{p} ,\,{\text{p}},\,h( \cdot )\} \).

3.1 Application Server Registration Phase

(1) \( S_{j} \) sends \( SID_{j} \) to RC over a secure channel.

(2) RC computes \( K_{j} = h({\text{SID}}_{\text{j}} \parallel {\text{ASK}}) \) and stores it in its database.

(3) RC responds to \( S_{j} \) with the parameters, and \( S_{j} \) stores \( \{ K_{j} ,\,h({\text{ASK}}),\,{\text{P}}\} \).

3.2 User Registration Phase

A user must register with RC to become a legitimate user. \( {\text{U}}_{\text{i}} \) performs the following steps to register with RC over a private channel.

(1) \( U_{i} \) chooses \( ID_{i} \) and \( PW_{i} \). Meanwhile, the user generates a random number \( r_{i} \in Z_{p}^{*} \), computes \( PID_{i} = h({\text{ID}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ),{\text{PWD}}_{\text{i}} = h({\text{PW}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ) \) and sends the request message \( \{ PID_{i} ,\,{\text{PWD}}_{\text{i}} \} \) to RC.

(2) RC verifies whether \( U_{i} \) is already a registered user and computes \( {\text{Q}}_{\text{j}} = h({\text{PID}}_{\text{i}} \parallel {\text{K}}_{\text{j}} ) ,\,{\text{R}}_{\text{j}} = {\text{Q}}_{\text{j}} \oplus {\text{PWD}}_{\text{i}} \).

Finally, RC stores \( \{ {\text{SID}}_{\text{i}} ,\,{\text{R}}_{\text{j}} \} \) in table \( {\text{T}}_{\text{i}} \) and \( \{ PID_{i} ,\,{\text{C}}_{\text{i}} ,\,{\text{T}}_{\text{R}} \, = \, 1\} \) in table \( T_{c} \), where \( {\text{T}}_{\text{R}} = 1 \) means that \( U_{i} \) has registered for the first time and is in the active state. RC computes \( W_{j} = h({\text{PID}}_{\text{i}} \parallel {\text{USK}}) \) and personalizes \( \{ W_{j} ,\,{\text{ T}}_{\text{i}} ,\,{\text{h}}({\text{ASK}})\} \) into the smartcard to be delivered to \( U_{i} \).

(3) \( U_{i} \) scans his/her \( BIO_{i} \) at the sensor provided with the card reader and computes \( X_{j} = W_{j} \oplus PWD_{i} \), \( C_{i} = h({\text{ID}}_{\text{i}} \parallel {\text{W}}_{\text{j}} ) \), \( (\sigma_{i} ,\theta_{i} ) = {\text{Gen}}({\text{BIO}}_{\text{i}} ) \), \( {\text{V}}_{\text{i}} = {\text{r}}_{\text{i}} \oplus {\text{h}}(\sigma_{\text{i}} ) \). \( U_{i} \) replaces \( W_{j} \) with \( X_{j} \) and stores \( \{ C_{i} ,\,{\text{V}}_{\text{i}} ,\,\theta_{\text{i}} \} \) on the smartcard. Therefore, the smartcard finally contains \( \{ X_{j} ,\,{\text{V}}_{\text{i}} ,\,C_{i} ,\,{\text{ T}}_{\text{i}} ,\,\theta_{\text{i}} ,\,P,\,h( \cdot ),\,h({\text{ASK}})\} \).

3.3 Login Phase

The user transmits a login request by inserting the smartcard and entering \( ID_{i} \), \( PW_{i} \) and \( {\text{BIO}}_{i}^{'} \) to obtain login privileges.

The smartcard computes \( \sigma_{i}^{'} = {\text{Rep}}({\text{BIO}}_{i}^{'} ,\theta_{i} ),{\text{r}}_{\text{i}} = {\text{V}}_{\text{i}} \oplus {\text{h}}(\sigma_{i}^{'} ),{\text{PID}}_{\text{i}} = {\text{h}}({\text{ID}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ) \), \( {\text{PWD}}_{\text{i}} = h({\text{PW}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ) \), \( W_{j} = X_{j} \oplus PWD_{i} \). Finally, the smartcard verifies whether \( C_{i} \mathop = \limits^{?} h({\text{ID}}_{\text{i}} \parallel {\text{W}}_{\text{j}} ) \) holds. If the values do not match, the login request is terminated.

The user chooses the server \( S_{j} \) by consulting the list \( {\text{T}}_{\text{i}} \) and extracts the corresponding \( {\text{R}}_{\text{j}} \). The user computes \( {\text{Q}}_{\text{j}} = {\text{R}}_{\text{j}} \oplus {\text{PWD}}_{\text{i}} \). The smartcard generates a random number \( {\text{N}}_{ 1} \in {\text{Z}}_{\text{p}}^{*} \) and computes \( \alpha = N_{1} P \), \( B_{ij} = PID_{i} \oplus h({\text{SID}}_{\text{j}} \parallel \alpha \parallel {\text{h}}({\text{ASK}})) \), \( {\text{D}}_{\text{ij}} = {\text{h}}({\text{PID}}_{\text{i}} \parallel Q_{j} \parallel \alpha ) \). The smartcard sends the login request \( \{ B_{ij} ,\,{\text{D}}_{\text{ij}} ,\,\alpha \} \) over the public channel.

3.4 Mutually Authenticated Key Agreement Phase

This phase describes how \( U_{i} \) and \( S_{j} \) authenticate each other and establish a secure channel for further communication over the public channel.

(1) On receiving the login request, \( S_{j} \) computes \( PID_{i} = B_{ij} \oplus h({\text{SID}}_{\text{j}} \parallel \alpha \parallel {\text{h}}({\text{ASK}})) \) and \( {\text{Q}}_{\text{j}} = h({\text{PID}}_{\text{i}} \parallel {\text{K}}_{\text{j}} ) \). Afterwards, \( S_{j} \) authenticates \( U_{i} \) only if \( {\text{D}}_{\text{ij}} \,\mathop = \limits^{?} \,{\text{h}}({\text{PID}}_{\text{i}} \parallel Q_{j} \parallel \alpha ) \) holds. Otherwise, the process terminates.

(2) \( S_{j} \) generates a random number \( {\text{N}}_{ 2} \in Z_{p}^{*} \) and computes \( \beta = {\text{N}}_{ 2} {\text{P}} \), \( {\text{K}}_{\text{ij}} \, = \,{\text{N}}_{ 2} \,\alpha \), \( {\text{SK}}\, = \,{\text{h}}({\text{Q}}_{\text{j}} \parallel {\text{K}}_{\text{ij}} \parallel {\text{PID}}_{\text{i}} ) \), \( {\text{E}}_{\text{ij}} \, = \,{\text{h}}({\text{SK}}\parallel {\text{SID}}_{\text{j}} \parallel \beta \parallel \alpha \parallel {\text{Q}}_{\text{j}} ) \). Then \( S_{j} \) sends \( \{ {\text{E}}_{\text{ij}} ,\,\beta \} \) to the smartcard over the public channel.

(3) \( U_{i} \) computes \( {\text{K}}_{\text{ij}} = {\text{N}}_{ 1} \,\beta \), \( {\text{SK}}\, = \,{\text{h}}({\text{Q}}_{\text{j}} \parallel {\text{K}}_{\text{ij}} \parallel {\text{PID}}_{\text{i}} ) \) and verifies \( {\text{E}}_{\text{ij}} \,\mathop { = \,}\limits^{?} {\text{h}}({\text{SK}}\parallel {\text{SID}}_{\text{j}} \parallel \beta \parallel \alpha \parallel {\text{Q}}_{\text{j}} ) \). If the condition holds, \( U_{i} \) authenticates \( S_{j} \) and computes \( {\text{F}}_{\text{ij}} = {\text{h}}({\text{SK}}\parallel {\text{SID}}_{\text{j}} \parallel \beta \parallel \alpha \parallel {\text{Q}}_{\text{j}} ) \); otherwise, the process terminates. The smartcard sends \( {\text{F}}_{\text{ij}} \) to \( S_{j} \) over the public channel.

(4) \( S_{j} \) verifies \( {\text{F}}_{\text{ij}} \,\mathop = \limits^{?} \,{\text{h}}({\text{SK}}\parallel {\text{SID}}_{\text{j}} \parallel \beta \parallel \alpha \parallel {\text{Q}}_{\text{j}} ) \) and thereby reconfirms the authenticity of \( U_{i} \). The two parties have now authenticated each other and share the session key SK for their communication channel.

4 Cryptanalysis of Reedy et al.’s Proposed Scheme

Having reviewed Reedy et al.’s scheme and established the attack model, we now analyze the security of the scheme. We show that it is not resistant to the offline password guessing attack or the impersonation attack. The following describes the attacks on Reedy et al.’s scheme.

(1) Impersonation attack. We established an adversary model in the previous section: two factors are known, and the question is whether the third can be threatened. Reedy et al. give proofs of resistance to impersonation of both the user and the application server. In proof a, assume A wants to impersonate a legitimate user; he/she can guess the username and the password, and in addition needs to build the message \( \{ {\text{B}}_{\text{ij}} ,{\text{D}}_{\text{ij}} ,\alpha \} \), which requires computing the parameters \( \sigma_{i}^{'} \), \( {\text{r}}_{\text{i}} \), \( {\text{PID}}_{\text{i}} \), \( {\text{PWD}}_{\text{i}} \), \( W_{j} \) and passing the \( C_{i} \) test. Reedy et al. deem that A cannot obtain correct credentials. In proof b, Reedy et al. consider that \( {\text{Q}}_{\text{j}} \) is unique for each \( S_{j} \), so A cannot obtain the session key. The scheme is therefore considered secure.

But in the scheme, the long-term secret \( {\text{h(ASK)}} \) of the RC is stored in every user’s smartcard. If A can obtain \( {\text{h(ASK)}} \), he/she can initiate an impersonation attack.

First, A captures \( \{ {\text{B}}_{\text{ij}} ,{\text{D}}_{\text{ij}} ,\alpha \} \) from the public channel and computes \( PID_{i} = B_{ij} \oplus h({\text{SID}}_{\text{j}} \parallel \alpha \parallel {\text{h(ASK}})) \). Then he/she computes \( Q_{j} = R_{j} \oplus PWD_{k} \), where \( R_{j} \) is extracted from \( T_{k} \), and computes \( \alpha^{*} = N_{1}^{*} P \), \( B_{ij}^{*} = PID_{i} \oplus h({\text{SID}}_{\text{j}} \parallel \alpha^{*} \parallel {\text{h}}({\text{ASK}})) \), \( {\text{D}}_{ij}^{*} = h({\text{PID}}_{\text{i}} \parallel {\text{Q}}_{\text{j}} \parallel \alpha^{*} ) \) and sends them to \( S_{j} \); \( \text{D}_{ij}^{*} \) passes verification.

(2) Offline password guessing attack. A guessing attack means that as long as the adversary can guess or determine the user’s password, he can gain access to the machine or network and to any resource the user can access. The key point is the weakness of the user’s choice of password. If A can obtain the data on the smartcard, \( \{ X_{j} ,{\text{V}}_{\text{i}} ,C_{i} ,{\text{ T}}_{\text{i}} ,\theta_{\text{i}} ,P,h( \cdot ),h({\text{ASK}})\} \), and the biometric factor \( {\text{BIO}}_{{{\text{i}}^{{\prime }} }} \) of the user, A can initiate a password guessing attack:

First, A computes \( \sigma_{i'} = {\text{Rep}}({\text{BIO}}_{{{\text{i}}^{{\prime }} }} ,\theta_{i} ) \), \( {\text{r}}_{\text{i}} = {\text{V}}_{\text{i}} \oplus {\text{h}}(\sigma_{i'} ) \). Then A guesses \( {\text{ID}},{\text{PW}} \) and, following the login steps, computes \( PWD^{*} = h({\text{PW}}\parallel {\text{r}}_{\text{i}} ) \), \( {\text{W}}_{j}^{*} = X_{j} \oplus PWD^{*} \), and checks whether \( {\text{C}}_{i}^{*} = h({\text{ID}}\parallel W_{j}^{*} )\mathop = \limits^{?} C_{i} \).

Since the actual identity and password spaces are very limited (\( \left| {D_{id} } \right| \le \left| {D_{pw} } \right| \le 10^{6} \)), the attack can be completed in a limited time. Through the attack model and the analysis above, we see that \( C_{i} \) is the key for the adversary: \( C_{i} \) is the correctness parameter for login verification on the smartcard. If the adversary obtains the password, he can choose a random number and compute \( {\text{B}}_{\text{ij}} ,{\text{D}}_{\text{ij}} \) to log in to \( S_{j} \). The scheme does not account for the time-space complexity of the offline guessing attack, so it is not secure against it.

The user is completely unaware that the adversary obtains messages from the channel; A only needs to derive \( Q_{j} \) with \( {\text{h}}({\text{ASK}}) \). It is not difficult to see that the above attacks are caused by the same security parameters of RC and \( S_{j} \) being stored in every user’s smartcard. The security analysis of this protocol is therefore incomplete.


5 Possible Fix

In light of the problems above, we put forward a solution that may fix them. The critical point of the analysis above is whether the third factor remains reliable when the first two are known. The three factors are combined into one parameter to ensure the security of verification. We mainly modify the registration phase and the login phase. The registration phase is executed as follows.

\( U_{i} \) chooses \( ID_{i} \) and \( PW_{i} \). Meanwhile, the user generates a random number \( r_{i} \in Z_{p}^{*} \), computes \( PID_{i} = h({\text{ID}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ),{\text{PWD}}_{\text{i}} = h({\text{PW}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ) \) and sends the request message \( \{ PID_{i} ,\,{\text{PWD}}_{\text{i}} \} \) to RC.

RC verifies whether \( U_{i} \) is already a registered user and computes \( {\text{Q}}_{\text{j}} = h({\text{PID}}_{\text{i}} \parallel {\text{K}}_{\text{j}} ) ,\,{\text{R}}_{\text{j}} = {\text{Q}}_{\text{j}} \oplus {\text{PWD}}_{\text{i}} \).

Finally, RC generates a random number \( IDR_{\text{i}} \), stores \( \{ {\text{SID}}_{\text{i}} ,\,{\text{R}}_{\text{j}} ,\,IDR_{\text{i}} \} \) in table \( {\text{T}}_{\text{i}} \) and \( \{ PID_{i} ,\,{\text{C}}_{\text{i}} ,\,{\text{T}}_{\text{R}} { = 1}\} \) in table \( T_{c} \), where \( {\text{T}}_{\text{R}} \, = \, 1 \) means that \( U_{i} \) has registered for the first time and is in the active state. RC computes \( W_{j} = h({\text{PID}}_{\text{i}} \parallel {\text{USK}}) \) and personalizes \( \{ W_{j} ,{\text{ T}}_{\text{i}} ,{\text{h}}({\text{ASK}}) \oplus IDR_{\text{i}} \} \) into the smartcard to be delivered to \( U_{i} \).

\( U_{i} \) scans his/her \( BIO_{i} \) at the sensor provided with the card reader and computes \( (\sigma_{\text{i}} ,\theta_{\text{i}} ) = {\text{Gen}}({\text{BIO}}_{\text{i}} ) \), \( {\text{V}}_{\text{i}} = {\text{r}}_{\text{i}} \oplus {\text{h}}(\sigma_{\text{i}} ) \), \( C_{i} = {\text{h(PID}}_{\text{i}} \parallel PWD_{i} \parallel \sigma_{i} \parallel \theta_{i} ) \). \( U_{i} \) stores \( \{ C_{i} ,{\text{V}}_{\text{i}} ,\theta_{\text{i}} \} \) on the smartcard. Therefore, the smartcard finally contains \( \{ W_{j} ,{\text{V}}_{\text{i}} ,C_{i} ,{\text{ T}}_{\text{i}} ,\theta_{\text{i}} ,P,h( \cdot ),h({\text{ASK}}) \oplus IDR_{\text{i}} \} \).

Next, the login phase is executed as follows.

The smartcard computes \( \sigma_{i}^{'} = {\text{Rep}}({\text{BIO}}_{i}^{'} ,\theta_{i} ),{\text{r}}_{\text{i}} = {\text{V}}_{\text{i}} \oplus {\text{h}}(\sigma_{i}^{'} ),{\text{PID}}_{\text{i}} = {\text{h}}({\text{ID}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ) \), \( {\text{PWD}}_{\text{i}} = h({\text{PW}}_{\text{i}} \parallel {\text{r}}_{\text{i}} ) \). In particular, the smartcard verifies \( C_{i} \mathop { = }\limits^{?} {\text{h(PID}}_{\text{i}} \parallel PWD_{i} \parallel \sigma_{i}^{'} \parallel \theta_{i} ) \), so that all three factors are checked together. If the values do not match, the login request is terminated.

The user chooses the server \( S_{j} \) by consulting the list \( {\text{T}}_{\text{i}} \) and extracts \( {\text{R}}_{\text{j}} \) and \( IDR_{\text{i}} \). The user computes \( {\text{Q}}_{\text{j}} = {\text{R}}_{\text{j}} \oplus {\text{PWD}}_{\text{i}} \). The smartcard generates a random number \( {\text{N}}_{1} \in Z_{p}^{*} \) and computes \( \alpha = N_{1} P \), \( B_{ij} = (PID_{i} \parallel IDR_{\text{i}} ) \oplus h({\text{SID}}_{\text{j}} \parallel \alpha \parallel ({\text{h}}({\text{ASK}}) \oplus IDR_{\text{i}} )) \), \( {\text{D}}_{\text{ij}} = {\text{h}}({\text{PID}}_{\text{i}} \parallel Q_{j} \parallel \alpha ) \). The smartcard sends the login request \( \{ B_{ij} ,{\text{D}}_{\text{ij}} ,\alpha \} \) over the public channel.

In the Mutually Authenticated Key Agreement phase, on receiving the login request \( S_{j} \) looks up the number \( IDR_{\text{i}} \), computes \( PID_{i} \parallel IDR_{\text{i}} = B_{ij} \oplus h({\text{SID}}_{\text{j}} \parallel \alpha \parallel ({\text{h}}({\text{ASK}}) \oplus IDR_{\text{i}} )) \), obtains \( PID_{\text{i}} \) from it, and computes \( {\text{Q}}_{\text{j}} = h({\text{PID}}_{\text{i}} \parallel {\text{K}}_{\text{j}} ) \). Afterwards, \( S_{j} \) authenticates \( U_{i} \) only if \( {\text{D}}_{\text{ij}} \mathop = \limits^{?} {\text{h}}({\text{PID}}_{\text{i}} \parallel Q_{j} \parallel \alpha ) \) holds. Otherwise the process terminates. The remaining steps are unchanged.
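The modified registration and login of this section, as an added example that is not the paper's code: \( C_{i} \) binds \( PID_{i} \), \( PWD_{i} \), \( \sigma_{i} \) and \( \theta_{i} \), the card holds \( h(ASK) \) only masked by \( IDR_{i} \), and \( S_{j} \) recovers \( PID_{i} \parallel IDR_{i} \) before checking \( D_{ij} \). Assumptions made here and not fixed by the paper: h(·) is SHA-256, while the mask applied to \( PID_{i} \parallel IDR_{i} \) is SHA-512 so that its 64-byte output covers the two 32-byte values; \( N_{1}P \) is replaced by g^N1 mod p in a toy group; since the paper does not say how \( S_{j} \) looks up \( IDR_{i} \), \( S_{j} \) is assumed to hold the \( IDR_{i} \) values of its registered users and to try each one until the recovered \( IDR_{i} \) and \( D_{ij} \) both verify. All identities and keys are constructed sample values.

```python
# Added example, not the paper's code: registration and login of the Section 5 fix.
# Assumptions: h = SHA-256; SHA-512 as the 64-byte mask over PID_i || IDR_i;
# N1*P modelled as g^N1 mod p in a toy group; S_j holds the IDR_i of registered
# users and tries each; constructed sample identities and keys.
import hashlib, secrets

DH_P, G = (1 << 61) - 1, 5   # toy group (constructed)

def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def h_mask(*parts): return hashlib.sha512(b"".join(parts)).digest()   # 64-byte mask (assumption)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def to_bytes(x): return x.to_bytes(32, "big")
def gen(bio): return h(b"sigma", bio), h(b"theta", bio)   # toy Gen -> (sigma_i, theta_i)
def rep(bio, theta): return h(b"sigma", bio)                # toy Rep: exact sample only

def rc_register(rc, srv, pid, pwd):
    """RC side of the fixed registration: draws IDR_i and masks h(ASK) with it."""
    idr_i = secrets.token_bytes(32)
    r_j = xor(h(pid, srv["K_j"]), pwd)                     # R_j = Q_j xor PWD_i
    srv["IDR_table"].add(idr_i)                            # made available to S_j (assumption)
    return {"W_j": h(pid, rc["USK"]), "T_i": {srv["SID"]: (r_j, idr_i)},
            "hASK_x_IDR": xor(h(rc["ASK"]), idr_i)}        # h(ASK) xor IDR_i, never h(ASK) itself

def user_register(rc, srv, id_i, pw_i, bio_i):
    r_i = secrets.token_bytes(32)
    pid, pwd = h(id_i, r_i), h(pw_i, r_i)
    card = rc_register(rc, srv, pid, pwd)
    sigma, theta = gen(bio_i)
    card["V_i"] = xor(r_i, h(sigma))
    card["C_i"] = h(pid, pwd, sigma, theta)                # binds all three factors
    card["theta_i"] = theta
    return card

def login(card, id_i, pw_i, bio_sample, sid):
    """Smartcard side of the fixed login; returns the request or None if the local check fails."""
    sigma = rep(bio_sample, card["theta_i"])
    r_i = xor(card["V_i"], h(sigma))
    pid, pwd = h(id_i, r_i), h(pw_i, r_i)
    if card["C_i"] != h(pid, pwd, sigma, card["theta_i"]):
        return None
    r_j, idr_i = card["T_i"][sid]
    q_j = xor(r_j, pwd)
    n1 = secrets.randbelow(DH_P - 2) + 1
    alpha = pow(G, n1, DH_P)                               # alpha = N1 * P
    b_ij = xor(pid + idr_i, h_mask(sid, to_bytes(alpha), card["hASK_x_IDR"]))
    return {"B_ij": b_ij, "D_ij": h(pid, q_j, to_bytes(alpha)), "alpha": alpha}

def server_verify(srv, msg):
    """S_j recovers PID_i || IDR_i and checks D_ij; returns PID_i, or None on failure."""
    a = to_bytes(msg["alpha"])
    for idr_i in srv["IDR_table"]:
        rec = xor(msg["B_ij"], h_mask(srv["SID"], a, xor(srv["hASK"], idr_i)))
        pid, idr_rec = rec[:32], rec[32:]
        if idr_rec == idr_i and msg["D_ij"] == h(pid, h(pid, srv["K_j"]), a):
            return pid
    return None

def run_fixed(pw_try=b"correct horse", bio_try=b"template-0001"):
    """Registers one user with one server and attempts a login; True iff S_j accepts it."""
    rc = {"ASK": secrets.token_bytes(32), "USK": secrets.token_bytes(32)}
    srv = {"SID": b"SID_mail", "K_j": h(b"SID_mail", rc["ASK"]),
           "hASK": h(rc["ASK"]), "IDR_table": set()}
    card = user_register(rc, srv, b"alice", b"correct horse", b"template-0001")
    msg = login(card, b"alice", pw_try, bio_try, srv["SID"])
    return msg is not None and server_verify(srv, msg) is not None
```

Compared with the original scheme, the card no longer stores \( h(ASK) \) in the clear, and the local check fails on a wrong password or a wrong biometric sample alike, because \( \sigma_{i} \) enters \( C_{i} \) directly.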

6 Conclusions

In this paper, we demonstrate that Reedy et al.’s scheme cannot withstand some common attacks. More concretely, we analyze Reedy et al.’s proof on the basis of the rigorous security model of Wang et al. [7] and Huang et al. [9]. Unfortunately, we find that Reedy et al.’s scheme is not secure against the offline password guessing attack, given the limited password space, or against the impersonation attack. We then propose an improved scheme to overcome these flaws. The improved scheme overcomes the flaws of Reedy et al.’s scheme and is more practical and secure.