An Enhanced and Secure Three-Party Password-based Authenticated Key Exchange Protocol without Using Server's Public-Keys and Symmetric Cryptosystems

A password-based authenticated key exchange protocol is a type of authenticated key exchange protocol that enables two or more communicating entities, who share only weak, low-entropy and easily memorable passwords, to authenticate each other and establish a high-entropy secret session key. In 2012, Tallapally proposed an enhanced three-party password-based authenticated key exchange protocol to overcome the weaknesses of Huang's scheme. In this paper, however, we show that Tallapally's scheme is not only still vulnerable to an undetectable online password guessing attack, but is also insecure against an off-line password guessing attack. We therefore propose a more secure and efficient scheme that overcomes these security flaws.

DOI: http://dx.doi.org/10.5755/j01.itc.43.2.3790
