An efficient client–client password-based authentication scheme with provable security

Recently, Tso proposed a three-party password-based authenticated key exchange (3PAKE) protocol. This protocol allows two clients to authenticate each other and establish a secure session key through a server over an insecure channel. The main security goals of such protocols are authentication and privacy. However, we show that Tso’s protocol achieves neither authentication goal nor privacy goal. In this paper, we indicate that the privacy and authentication goals of Tso’s protocol will be broken by off-line password guessing attack and impersonation attack, respectively. To overcome the weaknesses, we propose an improved 3PAKE protocol to achieve more security and performance than related protocols. The security of the proposed improved protocol is proved in random oracle model.

[1]  Jianfeng Ma,et al.  An Improved Password-Based Remote User Authentication Protocol without Smart Cards , 2013, Inf. Technol. Control..

[2]  Eun-Jun Yoon,et al.  Cryptanalysis of a simple three-party password-based key exchange protocol , 2011, Int. J. Commun. Syst..

[3]  Yuh-Min Tseng,et al.  Towards scalable key management for secure multicast communication , 2012, Inf. Technol. Control..

[4]  Dongho Won,et al.  A security weakness in Abdalla et al.'s generic construction of a group key exchange protocol , 2011, Inf. Sci..

[5]  Mahmoud Ahmadian-Attari,et al.  Vulnerability of two multiple-key agreement protocols , 2011, Comput. Electr. Eng..

[6]  Jian Wang,et al.  Secure verifier-based three-party password-authenticated key exchange , 2013, Peer Peer Netw. Appl..

[7]  Cheng-Chi Lee,et al.  A KEY AGREEMENT SCHEME FOR SATELLITE COMMUNICATIONS , 2015 .

[8]  Min-Shiang Hwang,et al.  A PARALLEL PASSWORD-AUTHENTICATED KEY EXCHANGE PROTOCOL FOR WIRELESS ENVIRONMENTS , 2010 .

[9]  Athanasios V. Vasilakos,et al.  Provably secure three-party authenticated key agreement protocol using smart cards , 2014, Comput. Networks.

[10]  Wei-Pang Yang,et al.  A communication-efficient three-party password authenticated key exchange protocol , 2011, Inf. Sci..

[11]  Debiao He,et al.  Cryptanalysis of a communication-efficient three-party password authenticated key exchange protocol , 2012, Inf. Sci..

[12]  Mahmoud Ahmadian-Attari,et al.  An Enhanced and Secure Three-Party Password-based Authenticated Key Exchange Protocol without Using Server's Public-Keys and Symmetric Cryptosystems , 2014, Inf. Technol. Control..

[13]  Mahmoud Ahmadian Attari,et al.  A Certificate less Multiple-key Agreement Protocol without Hash Functions Based on Bilinear Pairings , 2012 .

[14]  Chun-Ta Li Secure Smart Card Based Password Authentication Scheme with User Anonymity , 2011, Inf. Technol. Control..

[15]  Shirisha Tallapally,et al.  Security enhancement on Simple Three Party PAKE Protocol , 2012, Inf. Technol. Control..

[16]  Rimantas Butleris,et al.  An Approach for Extracting Business Vocabularies from Business Process Models , 2013, Inf. Technol. Control..

[17]  Raylin Tso Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol , 2013, The Journal of Supercomputing.

[18]  Eligijus Sakalauskas,et al.  KEY AGREEMENT PROTOCOL OVER THE RING OF MULTIVARIATE POLYNOMIALS , 2010 .

[19]  Mahmoud Ahmadian-Attari,et al.  A new efficient authenticated multiple-key exchange protocol from bilinear pairings , 2013, Comput. Electr. Eng..

[20]  Mahmoud Ahmadian-Attari,et al.  A Certificateless Multiple-key Agreement Protocol Based on Bilinear Pairings , 2012, IACR Cryptol. ePrint Arch..

[21]  Hung-Yu Chien Secure Verifier-Based Three-Party Key Exchange in the Random Oracle Model , 2011, J. Inf. Sci. Eng..

[22]  Debiao He,et al.  Security Analysis and Improvements of a Three-Party Password-Based Key Exchange Protocol , 2014, Inf. Technol. Control..

[23]  Mahmoud Ahmadian-Attari,et al.  Provably secure and efficient identity-based key agreement protocol for independent PKGs using ECC , 2013, ISC Int. J. Inf. Secur..

[24]  Jin-Won Chung,et al.  Risk factors for laboratory-confirmed household transmission of pandemic H1N1 2009 infection. , 2010, American journal of infection control.

[25]  Mohammad Sabzinejad Farash,et al.  A Novel Secure Bilinear Pairing Based Remote User Authentication Scheme with Smart Card , 2010, 2010 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing.

[26]  Qiaoyan Wen,et al.  A Strongly Secure Pairing-free Certificateless Authenticated Key Agreement Protocol for Low-Power Devices , 2013, Information Technology and Control.

[27]  Mohammad Sabzinejad Farash,et al.  An efficient and provably secure three-party password-based authenticated key exchange protocol based on Chebyshev chaotic maps , 2014, Nonlinear Dynamics.

[28]  Cheng-Chi Lee,et al.  A Robust Remote User Authentication Scheme Using Smart Card , 2011, Inf. Technol. Control..

[29]  Chin-Chen Chang,et al.  A Pairing-free ID-based Key Agreement Protocol with Different PKGs , 2014 .

[30]  Lih-Chyau Wuu,et al.  A Secure Password-Based Remote User Authentication Scheme without Smart Cards , 2012, Inf. Technol. Control..

[31]  Zhi Guan,et al.  Finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys , 2013, Inf. Sci..

[32]  Xiao Tan,et al.  Improvement of a Three-Party Password-Based Key Exchange Protocol with Formal Verification , 2013, Inf. Technol. Control..

[33]  Wen Tang A simple three party password based key exchange protocol , 2010, 2010 International Conference on Mechanical and Electrical Technology.

[34]  Changhoon Lee,et al.  Efficient three-party key exchange protocols with round efficiency , 2013, Telecommun. Syst..

[35]  Yong Zhao,et al.  ECC-Based Password-Authenticated Key Exchange in the Three-Party Setting , 2013 .

[36]  Mahmoud Ahmadian-Attari,et al.  An Enhanced Authenticated Key Agreement for Session Initiation Protocol , 2013, Inf. Technol. Control..

[37]  Mohammad Sabzinejad Farash,et al.  Cryptanalysis and improvement of a chaotic map-based key agreement protocol using Chebyshev sequence membership testing , 2014, Nonlinear Dynamics.

[38]  Der-Chyuan Lou,et al.  Efficient three-party password-based key exchange scheme , 2011, Int. J. Commun. Syst..

[39]  Debiao He,et al.  Cryptanalysis and Improvement of a Password-Based Remote User Authentication Scheme without Smart Cards , 2013, Inf. Technol. Control..

[40]  Eun-Jun Yoon,et al.  A New Efficient Key Agreement Scheme for VSAT Satellite Communications Based on Elliptic Curve Cryptosystem , 2011, Inf. Technol. Control..

[41]  Cheng-Chi Lee,et al.  ON SECURITY OF A PRACTICAL THREE-PARTY KEY EXCHANGE PROTOCOL WITH ROUND EFfiCIENCY , 2015 .

[42]  Tzonelih Hwang,et al.  Simple password-based three-party authenticated key exchange without server public keys , 2010, Inf. Sci..

[43]  Dawu Gu,et al.  Provably secure three-party password-based authenticated key exchange protocol , 2012, Inf. Sci..

[44]  Kefei Chen,et al.  Enhancements of a three-party password-based authenticated key exchange protocol , 2013, Int. Arab J. Inf. Technol..

[45]  Tzonelih Hwang,et al.  On 'a simple three-party password-based key exchange protocol' , 2011, Int. J. Commun. Syst..

[46]  David Pointcheval,et al.  Interactive Diffie-Hellman Assumptions with Applications to Password-Based Authentication , 2005, Financial Cryptography.

[47]  Jun-Han Yang,et al.  Provably secure three-party password authenticated key exchange protocol in the standard model , 2012, J. Syst. Softw..