Skip to main content
SpringerLink
Log in

Outsider Key Compromise Impersonation Attack on a Multi-factor Authenticated Key Exchange Protocol

  • Conference paper
  • First Online:
Applied Cryptography and Network Security Workshops (ACNS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13285))

Included in the following conference series:

Abstract

Authenticated key exchange (AKE) protocol is a security mechanism that ensures two parties communicate securely on a public channel and keeps the legal client interacting with the honest server. Recently, Zhang et al. proposed a multi-factor authenticated key exchange (MFAKE) scheme for mobile communications. In this paper, we present the cryptoanalysis of their MFAKE scheme. We find out their MFAKE scheme has a security flaw that renders it insecure against man-in-the-middle (MITM) attacks and outsider key compromise impersonation (KCI) attacks. We present a simple case of MITM attacks and illustrate how an adversary impersonates the client to the server if just compromising the key of the server. And an improved MFAKE scheme is proposed to overcome the weakness of Zhang’s MFAKE scheme with minimum changes. We give the formal security proof of the improved MFAKE scheme in the random oracle model.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_6

    Chapter  MATH  Google Scholar 

  2. Agrawal, S., Miao, P., Mohassel, P., Mukherjee, P.: PASTA: password-based threshold authentication. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 2042–2059. ACM, New York (2018)

    Google Scholar 

  3. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11

    Chapter  Google Scholar 

  4. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

    Chapter  Google Scholar 

  5. Bellovin, S., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. IEEE Computer Society, Los Alamitos (1992)

    Google Scholar 

  6. Bellovin, S.M., Merritt, M.: Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 244–250. ACM, New York (1993)

    Google Scholar 

  7. Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_12

    Chapter  Google Scholar 

  8. Far, H.A.N., Bayat, M., Das, A.K., Fotouhi, M., Pournaghi, S.M., Doostari, M.: LAPTAS: lightweight anonymous privacy-preserving three-factor authentication scheme for WSN-based IIoT. Wirel. Netw. 27(2), 1389–1412 (2021)

    Article  Google Scholar 

  9. Fleischhacker, N., Manulis, M., Azodi, A.: A modular framework for multi-factor authentication and key exchange. In: Chen, L., Mitchell, C. (eds.) SSR 2014. LNCS, vol. 8893, pp. 190–214. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-14054-4_12

    Chapter  Google Scholar 

  10. Groce, A., Katz, J.: A new framework for efficient password-based authenticated key exchange. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 516–525. ACM, New York (2010)

    Google Scholar 

  11. Gu, Y., Jarecki, S., Krawczyk, H.: KHAPE: asymmetric PAKE from key-hiding key exchange. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 701–730. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_24

    Chapter  Google Scholar 

  12. Hao, F., Clarke, D.: Security analysis of a multi-factor authenticated key exchange protocol. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 1–11. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_1

    Chapter  Google Scholar 

  13. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: Generic compilers for authenticated key exchange. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 232–249. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_14

    Chapter  Google Scholar 

  14. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15

    Chapter  Google Scholar 

  15. Li, Z., Yang, Z., Szalachowski, P., Zhou, J.: Building low-interactivity multifactor authenticated key exchange for industrial internet of things. IEEE Internet Things J. 8(2), 844–859 (2021)

    Article  Google Scholar 

  16. Liu, Y., Wei, F., Ma, C.: Multi-factor authenticated key exchange protocol in the three-party setting. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 255–267. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21518-6_18

    Chapter  Google Scholar 

  17. Nam, J., et al.: Password-only authenticated three-party key exchange with provable security in the standard model. Sci. World J. 2014 (2014)

    Google Scholar 

  18. Ometov, A., Bezzateev, S., Mäkitalo, N., Andreev, S., Mikkonen, T., Koucheryavy, Y.: Multi-factor authentication: a survey. Cryptography 2(1) (2018)

    Google Scholar 

  19. Pointcheval, D., Zimmer, S.: Multi-factor authenticated key exchange. In: Bellovin, S.M., Gennaro, R., Keromytis, A., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 277–295. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68914-0_17

    Chapter  Google Scholar 

  20. Wu, L., Wang, J., Choo, K.R., He, D.: Secure key agreement and key protection for mobile device user authentication. IEEE Trans. Inf. Forensics Secur. 14(2), 319–330 (2019)

    Article  Google Scholar 

  21. Xie, Q., Tang, Z., Chen, K.: Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks. Comput. Electr. Eng. 59, 218–230 (2017)

    Article  Google Scholar 

  22. Yang, Z., Li, S.: On security analysis of an after-the-fact leakage resilient key exchange protocol. Inf. Process. Lett. 116(1), 33–40 (2016)

    Article  MathSciNet  Google Scholar 

  23. Zhang, R., Xiao, Y., Sun, S., Ma, H.: Efficient multi-factor authenticated key exchange scheme for mobile communications. IEEE Trans. Dependable Secur. Comput. 16(4), 625–634 (2019)

    Article  Google Scholar 

Download references

Acknowledgments

We would like to thank Zengpeng Li for insightful comments and discussions. This work was supported by the Natural Science Foundation of China (Grant No. 61872051) and the Action Plan for high-quality Development of Graduate Education of Chongqing University of Technology (No. gzlcx20223226).

Author information

Authors and Affiliations

  1. Chongqing University of Technology, Chongqiang, 400054, China

    Zhiqiang Ma & Jun He

Authors
  1. Zhiqiang Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jun He
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jun He .

Editor information

Editors and Affiliations

  1. Singapore University of Technology and Design, Singapore, Singapore

    Jianying Zhou

  2. University of Bristol, Bristol, UK

    Sridhar Adepu

  3. University of Malaga, Malaga, Spain

    Cristina Alcaraz

  4. Radboud University Nijmegen, Málaga, The Netherlands

    Lejla Batina

  5. Sapienza University of Rome, Rome, Roma, Italy

    Emiliano Casalicchio

  6. Singapore University of Technology and Design, Singapore, Singapore

    Sudipta Chattopadhyay

  7. Centrum Wiskunde & Informatica, Amsterdam, The Netherlands

    Chenglu Jin

  8. University of Science and Technology of China, Hefei, China

    Jingqiang Lin

  9. University of Padua, Padua, Italy

    Eleonora Losiouk

  10. Concordia University, Montreal, QC, Canada

    Suryadipta Majumdar

  11. Technical University Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

  12. Delft University of Technology, Delft, The Netherlands

    Stjepan Picek

  13. Zhejiang Gongshang University, Hangzhou, China

    Jun Shao

  14. University of Aizu, Aizu-Wakamatsu, Japan

    Chunhua Su

  15. City University of Hong Kong, Hong Kong, Hong Kong

    Cong Wang

  16. Delft University of Technology, Delft, The Netherlands

    Yury Zhauniarovich

  17. Rutgers University, Piscataway, NJ, USA

    Saman Zonouz

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ma, Z., He, J. (2022). Outsider Key Compromise Impersonation Attack on a Multi-factor Authenticated Key Exchange Protocol. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2022. Lecture Notes in Computer Science, vol 13285. Springer, Cham. https://doi.org/10.1007/978-3-031-16815-4_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-16815-4_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-16814-7

  • Online ISBN: 978-3-031-16815-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation