Abstract
Client-to-client password-authenticated key agreement (C2C-PAKA) protocol deals with the authenticated key agreement process between two clients of different realms, who only share their passwords with their own servers. Recently, Byun et al. [13] proposed an efficient C2C-PAKA protocol and carried a claimed proof of security in a formal model of communication and adversarial capabilities. In this paper, we show that the protocol is insecure against password-compromise impersonation attack and the claim of provable security is seriously incorrect. To draw lessons from these results, we revealed fatal flaws in Byun et al.’s security model and their proof of security. Then, we modify formal security model and corresponding security definitions. In addition, a new cross-realm C2C-PAKA protocol is presented with security proof.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using diffie-hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using uuman-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475–494. Springer, Heidelberg (2001)
Bellovin, S., Merrit, M.: Encrypted key exchange: password based protocols secure against dictionary attacks. In: Proc. of the Symposium on Security and Privacy, IEE, pp. 72–84 (1992)
Byun, J.W., Lee, D.H., Lim, J.: Efficient and Provably Secure Client-to-Client Password-Based Key Exchange Protocol. In: Zhou, X., Li, J., Shen, H.T., Kitsuregawa, M., Zhang, Y. (eds.) APWeb 2006. LNCS, vol. 3841, pp. 830–836. Springer, Heidelberg (2006)
Yin, Y., Bao, L.: Secure Cross-Realm C2C-PAKE Protocol. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 395–406. Springer, Heidelberg (2006)
Byun, J.W., Jeong, I.R., Lee, D.H., Park, C.: Password-authenticated key exchange between clients with different passwords. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 134–146. Springer, Heidelberg (2002)
Chen, L.: A weakness of the password-authenticated key agreement between clients with different passwords scheme, ISO/IEC JTC 1/SC27 N3716
Wang, S., Wang, J., Xu, M.: Weakness of a password-authenticated key exchange protocol between clients with different passwords. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 414–425. Springer, Heidelberg (2004)
Kim, J., Kim, S., Kwak, J., Won, D.: Cryptoanalysis and improvements of password authenticated key exchange scheme between clients with different passwords. In: Laganá, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3044, pp. 895–902. Springer, Heidelberg (2004)
Phan, R.C.-W., Goi, B.: Cryptanalysis of an improved client-to-client password-authenticated key exchange (C2C-PAKE) scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 33–39. Springer, Heidelberg (2005)
Yoon, E.J., Yoo, K.Y.: A secure password-authenticated key exchange between clients with different passwords. In: Zhou, X., Li, J., Shen, H.T., Kitsuregawa, M., Zhang, Y. (eds.) APWeb 2006. LNCS, vol. 3841, pp. 659–663. Springer, Heidelberg (2006)
Byun, J.W., Lee, D.H., Lim, J.I.: EC2C-PAKA: An efficient client-to-client password-authenticated key agreement. Information Science 177, 3995–4013 (2007)
Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)
Goldreich, O.: Foundation of cryptography, vol. 2. Cambridge University Press, Cambridge (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Feng, DG., Xu, J. (2009). A New Client-to-Client Password-Authenticated Key Agreement Protocol. In: Chee, Y.M., Li, C., Ling, S., Wang, H., Xing, C. (eds) Coding and Cryptology. IWCC 2009. Lecture Notes in Computer Science, vol 5557. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01877-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-642-01877-0_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01813-8
Online ISBN: 978-3-642-01877-0
eBook Packages: Computer ScienceComputer Science (R0)