Provably secure three-party password authenticated key exchange protocol in the standard model

A three-party password authenticated key exchange (3PAKE) protocol is a very practical mechanism for establishing a secure session key between clients that authenticate each other with the help of a trusted server. Most three-party password authenticated key exchange protocols only guarantee security in the random oracle model. However, a cryptographic construction based on a random oracle may be insecure when the oracle is replaced by a real function. Moreover, some previously unknown attacks appear as adversary capabilities advance. Therefore, a suitable standard model that can imitate a wider variety of attack scenarios for 3PAKE protocols is needed. Aiming to resist dictionary attacks, unknown key-share attacks and password-compromise impersonation attacks, an expanded standard model for 3PAKE protocols is given. Meanwhile, by applying the ElGamal encryption scheme and a pseudorandom function, a specific three-party password authenticated key exchange protocol is proposed. The security of the proposed protocol is proven in the new standard model. The result shows that the proposed protocol has stronger security than other existing protocols, covering the following security properties: (1) semantic security, (2) key privacy, (3) client-to-server authentication, (4) mutual authentication, (5) resistance to various known attacks, and (6) forward security.
