Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol

Research output: Journal Publications and Reviews (RGC: 21, 22, 62); 21_Publication in refereed journal; peer-review

31 Scopus Citations

  • Qi Xie
  • Na Dong
  • Duncan S. Wong
  • Bin Hu


Original language: English
Pages (from-to): 478-487
Journal / Publication: International Journal of Communication Systems
Issue number: 3
Online published: 20 Oct 2014
Publication status: Published - Feb 2016


Summary

A two-factor user authentication scheme allows a user to use a smart card and a password to achieve mutual authentication and establish a session key between a server and a user. In 2012, Chen et al. showed that the scheme of Sood et al. does not achieve mutual authentication and is vulnerable to off-line password guessing and smart card stolen attacks. They also found that another scheme proposed by Song is vulnerable to similar off-line password guessing and smart card stolen attacks. They further proposed an improved scheme. In this paper, we first show that the improved scheme of Chen et al. still suffers from off-line password guessing and smart card stolen attacks, does not support perfect forward secrecy, and lacks the fairness of session key establishment. We then propose a new security-enhanced scheme and show its security and authentication using the formal verification tool ProVerif, which is based on applied pi calculus.

Research Area(s)

  • authentication protocol, key agreement, password, ProVerif, smart card