Comments on a Secret-Key-Privacy-Preserving Authentication and Key Agreement Scheme

Lots applications need involved parties to share common session keys for specific requirements. For example, the shared key can be the seed to determine locations to hide secret data into an image. Wang et al. proposed an authentication scheme with key agreement based on the elliptic curve discrete logarithm problem in 2011. They claimed that their scheme had seven advantages. (1) A verification table is not required in the server. (2) The client´s password can be changed easily, and the server cannot obtain the client´s password. (3) Their scheme could resist all well-known security threats. (4) No time synchronization is needed. (5)The client and the server can share a common session key. (6) Their scheme is efficient and practical. (7) Their scheme can protect the privacy of the client´s secret information. After we analyze Wang et al.´s scheme thoroughly, we find that their scheme suffers from three threats. In this paper, we will show the perceived security threats of Wang et al.´s scheme in detail.