Recently, Liaw et al. proposed a remote user authentication scheme using smartcards. They claimed a number of features of their scheme, e.g. a dictionary of verification tables is not required to authenticate users; users can choose their password freely; mutual authentication is provided between the user and the remote system; the communication cost and the computational cost are very low; users can update their password after the registration phase; a session key agreed by the user and the remote system is generated in every session; and the nonce-based scheme which does not require a timestamp (to solve the serious time synchronization problem) etc. In this paper We show that Liaw et al.'s scheme does not stand with various security requirements and is completely insecure. Keywords: Authentication, Smartcards, Remote system, Attack.
View on arXiv