Authors: Hae-Soon Ahn, Eun-Jun Yoon

Abstract:

Three-party password authenticated key exchange (3PAKE) protocols are widely deployed on lots of remote user authentication system due to its simplicity and convenience of maintaining a human-memorable password at client side to achieve secure communication within a hostile network. Recently, an improvement of 3PAKE protocol by processing a built-in data attached to other party for identity authentication to individual data was proposed by some researchers. However, this paper points out that the improved 3PAKE protocol is still vulnerable to undetectable on-line dictionary attack and off-line dictionary attack.

Keywords: Three-party key exchange, 3PAKE, Passwordauthenticated key exchange, Network security, Dictionary attack

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1088510

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2076

References:

[1] S.-M. Bellovin, and M. Merrit, “Encrypted key exchange: password based protocols secure against dictionary attacks,” In: Proceedings of IEEE symposium on research in security and privacy. IEEE Computer Society Press, pp. 72-84, May 1992
[2] C.-L. Lin, H.-M. Sun, and T. Hwang, “Three party-encrypted key exchanges: attacks and a solution,” ACM Operating Systems Review, vol. 34, no. 4, pp. 12-20, 2000.
[3] C.-L. Lin, H.-M. Sun, M. Steiner, and T. Hwang, “Three-party encrypted key exchange without server public-keys,” IEEE Communication Letters, vol. 5, no. 12, pp. 497-499, 2001.
[4] L. Law, A. Menezes, M. Qu, J. Solinas and S.Vanstone, “An efficient protocol for authenticated key agreement,” Designs, Codes and Cryptography, vol. 28, no. 2, pp. 119-134, March 2003.
[5] C.-C. Chang, and Y.-F. Chang, “A novel three-party encrypted key exchange protocol,” Computer Standards and Interfaces, vol. 26, no. 5, pp. 471-476, 2004.
[6] T.-F. Lee, T. Hwang, and C.-L. Lin, “Enhanced three-party encrypted key exchange without server public keys, Computers & Security, vol. 23, no. 7, pp. 57-577, 2004
[7] Y. Ding and P. Horster, “Undetectable on-line password guessing attacks,” ACM Operating Systems Review, vol. 29, no. 4, pp. 77-86, 1995.
[8] H.-J. Kim and E.-J. Yoon, “Cryptanalysis of an enhanced simple threeparty key exchange protocol,” Communications in Computer and Information Science, vol. 259, pp. 167-176, 2011.
[9] H.-S Kim and J.-Y. Choi, “Enhanced password-based simple three-party key exchange protocol,” Computers & Electrical Engineering, vol. 35, pp. 107-114, 2009.
[10] R. Lu and Z. Cao, “Simple three-party key exchange protocol,” Computers & Security, vol. 26, no. 1, pp. 94-97, 2007.
[11] M. Abdalla and D. Pointcheval, “Simple password-based encrypted key exchange protocols,” in Proc. CT-RSA’05, LNCS vol. 3376, pp. 191-208, 2005.
[12] H.-R. Chung and W.-C. Ku, “Three weaknesses in a simple three-party key exchange protocol,” Inform. Sciences, vol. 178, no. 1, pp. 220.229, 2008.
[13] H. Guo, Z. Li, Y. Mu, and X. Zhang, “Cryptanalysis of simple threeparty key exchange protocol,” Computers & Security, vol. 27, no. 1, pp. 16-21, 2008.
[14] R. C.-W. Phan, W.-C. Yau, and B.-M. Goi, “Cryptanalysis of simple three-party key exchange protocol (S-3PAKE),” Inform. Sciences, vol. 178, no. 13, pp. 2849-2856, 2008.
[15] J. Nam, J. Paik, H.-K. Kang, U.-M. Kim, and D. Won, “An off-line dictionary attack on a simple three-party key exchange protocol,” IEEE Commun. Lett., vol. 13, no. 3, pp. 205-207, 2009.
[16] F.-Y. Yang, W.-H. Li, and C.-M. Liao, “An enhanced of simple threeparty key exchange protocol,” International Journal of Advanced Information Technologies (IJAIT), vol. 3, no. 2, pp. 121-134, 2009.