Breaking two remote user authentication systems for mobile devices

Smart-card-based user authentication is a significant security mechanism that allows remote users to be granted access to services and resources in distributed computing environments like clouds. In this paper, we revisit two password authentication schemes with smart cards proposed by Mishra et al. and Wu et al. in 2015, respectively. We demonstrate that: (1) Despite being armed with a formal security proof in both schemes, Mishra et al.'s scheme actually cannot achieve the claimed feature of user anonymity and is vulnerable to insider attack; and (2) Wu et al.'s scheme remains being susceptible to de-synchronization attack as they stated to overcome the weaknesses of Kumar et al.'s scheme. Furthermore, with the cryptanalysis of these two schemes and our previous protocol design and analysis experience, we figure out two principles to design more robust smart-card-based user authentication schemes. The proposed principles would be helpful to protocol designers for proposing schemes with desirable user friendliness and security.