Security Enhancement of an Improved Remote User Authentication Scheme with Key Agreement

In 2014, Kumari, Khan and Li proposed smart card based secure and robust remote user authentication scheme with key agreement and claimed that their scheme is suitable, secure and efficient for real life applications. But in this paper, we demonstrate that their proposed mechanism is completely insecure as an adversary can easily obtain not only the security parameters of the protocol but also obtains the common session key of future communication between user and the server. In addition, an adversary gets password of the registered user as well as secret key of the server. Thus collapses the entire system and authors claims are proven to be wrong. Hence, to remedy the identified security flaws and to ensure secure communication through an insecure channel, we propose an upgraded secure and efficient authentication protocol. Furthermore, we verify the security of our authentication protocol informally as well as formally via widely accepted OFMC and CL-AtSe back-ends of AVISPA tool against active and passive attacks.