Improvement of a Three-Party Password-Based Key Exchange Protocol with Formal Verification

A Three-party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE protocol that is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to an off-line password guessing attack and a partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.

DOI: http://dx.doi.org/10.5755/j01.itc.42.3.1905
