Finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys

Three-party password-based authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key with the support of an authenticated server over an insecure channel. Several 3PAKE protocols that do not require server public keys have been proposed recently. In this paper, we use Chang et al.'s protocol as a case study and demonstrate that all of the 3PAKE protocols without server public keys are not secure against the Key Compromise Impersonation (KCI) attack. We conduct a detailed analysis of the flaw in these protocols and hope that, by identifying this design flaw, similar structural mistakes can be avoided in future designs. Furthermore, we propose an improved protocol that remedies the weakness of these protocols and prove its security in a widely accepted model.
