Offline dictionary attack on a universally composable three-party password-based key exchange protocol

Abstract

Key exchange protocols are fundamental for establishing secure communication channels over public networks. Password-based key exchange protocols allow parties to share a secret key in an authentic manner based on an easily memorizable password. Recently, Deng et al. proposed a three-party password-based key exchange protocol in the universally composable framework in China Communications, where two users, each of whom shares a human-memorable password with a trusted server, can authenticate each other and compute a secure session key. In this letter, we show that Deng et al.’s protocol is insecure against an offline dictionary attack by any other client. Hence, the protocol does not achieve their aim.
