Notes on weaknesses in a leakage-resilient authenticated key transport protocol

Tang et al. [1] have shown weaknesses in a leakage-resilient authenticated key transport (so-called RSA-AKE) protocol [2] and then proposed an enhanced protocol. The objective of this paper is two-fold. First, we clarify some ambiguities in [1] that may cause misunderstandings of the RSA-AKE protocol. Second, we show that Tang's protocol is insecure against a weaker adversary who obtains only the client's stored secret: after eavesdropping on a single message, the adversary can retrieve the password with an off-line dictionary attack. Note that the RSA-AKE protocol is secure against an adversary who obtains both the client's stored secret and the server's RSA private key.

1 Tang's observations on the RSA-AKE protocol

Here we clarify some ambiguities in [1] that may cause misunderstandings of the RSA-AKE protocol. Please refer to Section 2 of [1] or the conference paper [2] for the RSA-AKE protocol. For an easier discussion, we paste Section 3 of [1] here and explain the ambiguities. Here are three observations Tang claimed in [1].

1. Observe that $p_{ij}$ is the only secret used for authentication in the $j$-th run of the RSA-AKE protocol. So, if the attacker has compromised $S_i$ and obtained $p_{ij}$, then he can successfully impersonate $C$ to $S_i$ in the subsequent protocol executions without the need to have access to $pw$. If this occurs, the legitimate client will no longer be able to authenticate himself, because the password verifier held by $S_i$ will change. However, if the legitimate client authenticates himself before the attacker uses the stolen $p_{ij}$, then the attacker cannot launch the above attack because the stolen password verifier $p_{ij}$ will no longer be valid. This attack means that leakage of $p_{ij}$ from $S_i$ may enable an attacker to mount an impersonation attack. Hence the RSA-AKE protocol does not appear to be suitable for use in environments where the server is not securely protected.