Even though user anonymity is an important issue in many e-commerce applications, most of smartcard-based remote authentication schemes did not considered user identities protection while authenticating the users. In 2004, Das et al. proposed a remote authentication scheme by preserving the users' anonymity. Their scheme adopted dynamic identification to achieve the property. In 2005, Chien and Chen pointed out that Das et al.'s scheme fails to protect the user's anonymity, and enhanced the scheme. However, Hu et al. in 2007 showed that their scheme also has some problems including masquerading attacks, insider attack, and replay attack and presented an improved scheme to conquer these problems. This paper shows that Hu et al.'s scheme still suffers from some attacks. The scheme could not only suffer from strong user/server masquerading attacks and denial of service attack but also not support the user anonymity. Additionally, this paper points out that the method to prevent the insider attack in the scheme is not applicable in reality.
Authentication, Password-based Authentication, Smartcard, User Anonymity