Re-attack on a three-party password-based authenticated key exchange protocol

A password based authenticated key exchange protocol is of practical usefulness in the protection of sharing of urban rail train sensor monitoring data. However, many password-based protocols in the literature were not secure. Recently, Huang presented a simple and efficient three-party password-based authenticated key exchange protocol. However, Yoon et al. found it had some security weaknesses. In this paper, we further show it has another critical security weakness, which opens door to a partition attack (offline dictionary attack). Thereafter we propose an enhanced protocol that can defeat the attacks described (including Yoon et al.'s attacks) and yet is reasonably efficient. Furthermore, our protocol can resist against the stolen-verifier attacks and achieve the provable security.

[1]  Raphael C.-W. Phan,et al.  Cryptanalysis of simple three-party key exchange protocol (S-3PAKE) , 2008, Inf. Sci..

[2]  Olivier Chevassut,et al.  One-Time Verifier-Based Encrypted Key Exchange , 2005, Public Key Cryptography.

[3]  Chun-Li Lin,et al.  Enhanced three-party encrypted key exchange without server public keys , 2004, Comput. Secur..

[4]  Jin-Young Choi,et al.  Enhanced password-based simple three-party key exchange protocol , 2009, Comput. Electr. Eng..

[5]  Zhenfu Cao,et al.  Simple three-party key exchange protocol , 2007, Comput. Secur..

[6]  Zhoujun Li,et al.  Cryptanalysis of simple three-party key exchange protocol , 2008, Comput. Secur..

[7]  Jian Wang,et al.  Secure verifier-based three-party password-authenticated key exchange , 2013, Peer Peer Netw. Appl..

[8]  David Pointcheval,et al.  Interactive Diffie-Hellman Assumptions with Applications to Password-Based Authentication , 2005, Financial Cryptography.

[9]  Wei-Chi Ku,et al.  Three weaknesses in a simple three-party key exchange protocol , 2008, Inf. Sci..

[10]  David Pointcheval,et al.  Simple Password-Based Encrypted Key Exchange Protocols , 2005, CT-RSA.

[11]  Kefei Chen,et al.  Enhancements of a three-party password-based authenticated key exchange protocol , 2013, Int. Arab J. Inf. Technol..

[12]  Kazukuni Kobara,et al.  Pretty-Simple Password-Authenticated Key-Exchange Under Standard Assumptions , 2003, IACR Cryptol. ePrint Arch..

[13]  Colin Boyd,et al.  Elliptic Curve Based Password Authenticated Key Exchange Protocols , 2001, ACISP.

[14]  Kee-Young Yoo,et al.  Efficient verifier-based key agreement protocol for three parties without server's public key , 2005, Appl. Math. Comput..

[15]  Emmanuel Bresson,et al.  New Security Results on Encrypted Key Exchange , 2003, Public Key Cryptography.

[16]  Lei Hu,et al.  Efficient and Provably Secure Generic Construction of Three-Party Password-Based Authenticated Key Exchange Protocols , 2006, INDOCRYPT.

[17]  Hung-Min Sun,et al.  Three-party encrypted key exchange without server public-keys , 2001, IEEE Communications Letters.

[18]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[19]  Eun-Jun Yoon,et al.  Cryptanalysis of a simple three-party password-based key exchange protocol , 2011, Int. J. Commun. Syst..

[20]  Tzonelih Hwang,et al.  On 'a simple three-party password-based key exchange protocol' , 2011, Int. J. Commun. Syst..

[21]  Hung-Yu Chien Secure Verifier-Based Three-Party Key Exchange in the Random Oracle Model , 2011, J. Inf. Sci. Eng..

[22]  Colin Boyd,et al.  Examining Indistinguishability-Based Proof Models for Key Establishment Protocols , 2005, ASIACRYPT.

[23]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[24]  Junghyun Nam Infringing and Improving Password Security of a Three-Party Key Exchange Protocol , 2008, IACR Cryptol. ePrint Arch..

[25]  Hung-Min Sun,et al.  Three-party encrypted key exchange: attacks and a solution , 2000, OPSR.

[26]  Nai-Wei Lo,et al.  Cryptanalysis of two three-party encrypted key exchange protocols , 2009, Comput. Stand. Interfaces.

[27]  Mihir Bellare,et al.  The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES , 2001, CT-RSA.

[28]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[29]  Hyun-Kyu Kang,et al.  An off-line dictionary attack on a simple three-party key exchange protocol , 2009, IEEE Commun. Lett..