On the Security of Liaw et al.'s Scheme
Amit K Awasthi

TL;DR
This paper critically examines Liaw et al.'s remote user authentication scheme, revealing significant security flaws that compromise its claimed features and overall security guarantees.
Contribution
It provides a security analysis demonstrating that Liaw et al.'s scheme is insecure, challenging its purported security features and highlighting vulnerabilities.
Findings
Liaw et al.'s scheme is insecure against various attacks.
The scheme fails to meet essential security requirements.
Claims of low cost and convenience are undermined by security flaws.
Abstract
Recently, Liaw et al. proposed a remote user authentication scheme using smartcards. They claimed a number of features for their scheme, e.g., a dictionary of verification tables is not required to authenticate users; users can choose their password freely; mutual authentication is provided between the user and the remote system; the communication cost and the computational cost are very low; users can update their password after the registration phase; a session key agreed by the user and the remote system is generated in every session; and the scheme is nonce-based and does not require a timestamp (which solves the serious time synchronization problem). In this paper we show that Liaw et al.'s scheme does not satisfy various security requirements and is completely insecure.
Keywords: Authentication, Smartcards, Remote system, Attack.
Taxonomy
Topics: Advanced Authentication Protocols Security · User Authentication and Security Systems · Cryptography and Data Security
