Skip to main content
SpringerLink
Log in
Book cover

International Conference on Cryptology and Network Security

CANS 2011: Cryptology and Network Security pp 172–184Cite as

Cryptanalysis of a Provably Secure Cross-Realm Client-to-Client Password-Authenticated Key Agreement Protocol of CANS ’09

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7092))

Abstract

In this paper, we cryptanalyze the recent smart card based client-to-client password-authenticated key agreement (C2C-PAKA-SC) protocol for cross-realm settings proposed at CANS ’09. While client-to-client password-authenticated key exchange (C2C-PAKE) protocols exist in literature, what is interesting about this one is that it is the only such protocol claimed to offer security against password compromise impersonation without depending on public-key cryptography, and is one of the few C2C-PAKE protocols with provable security that has not been cryptanalyzed. We present three impersonation attacks on this protocol; the first two are easier to mount than the designer-considered password compromise impersonation. Our results are the first known cryptanalysis results on C2C-PAKA-SC.

Research partially funded by the Ministry of Science, Technology & Innovation (MOSTI) under grant no. MOSTI/BGM/R&D/500-2/8.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Abadi, M.: Explicit Communication Revisited: Two New Attacks on Authentication Protocols. IEEE Transactions on Software Engineering 23(3), 185–186 (1997)

    Article  Google Scholar 

  2. Abdalla, M., Fouque, P.-A., Pointcheval, D.: Password-Based Authenticated Key Exchange in the Three-Party Setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  3. Abdalla, M., Pointcheval, D.: Interactive Diffie-Hellman Assumptions with Applications to Password-Based Authentication. In: S. Patrick, A., Yung, M. (eds.) FC 2005. LNCS, vol. 3570, pp. 341–356. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  4. Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)

    Chapter  Google Scholar 

  5. Bellare, M., Rogaway, P.: Provably Secure Session Key Distribution: the Three Party Case. In: Proc. ACM STOC 1995, pp. 57–66 (1995)

    Google Scholar 

  6. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  7. Bellovin, S., Merritt, M.: Encrypted Key Exchange: Passwords based Protocols Secure against Dictionary Attacks. In: Proc. IEEE Symposium on Security & Privacy 1992, pp. 72–84 (1992)

    Google Scholar 

  8. Byun, J.W., Jeong, I.R., Lee, D.-H., Park, C.-S.: Password-Authenticated Key Exchange between Clients with Different Passwords. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 134–146. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  9. Byun, J.W., Lee, D.-H.: N-Party Encrypted Diffie-Hellman Key Exchange Using Different Passwords. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 75–90. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  10. Byun, J.W., Lee, D.-H., Lim, J.-I.: Efficient and Provably Secure Client-to-Client Password-Based Key Exchange Protocol. In: Zhou, X., Li, J., Shen, H.T., Kitsuregawa, M., Zhang, Y. (eds.) APWeb 2006. LNCS, vol. 3841, pp. 830–836. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  11. Byun, J.W., Lee, D.H., Lim, J.I.: EC2C-PAKA: An Efficient Client-to-Client Password Authenticated Key Agreement. Information Sciences 177, 3995–4013 (2007)

    Article  MathSciNet  MATH  Google Scholar 

  12. Cao, T., Zhang, Y.: Cryptanalysis of Two Password-Authenticated Key Exchange Protocols between Clients with Different Passwords. International Mathematical Forum 2(11), 525–532 (2007)

    Article  MathSciNet  MATH  Google Scholar 

  13. Chen, L.: A Weakness of the Password-Authenticated Key Agreement between Clients with Different Passwords Scheme. Circulated for consideration at the 27th SC27/WG2 meeting in Paris, France, ISO/IEC JTC 1/SC27 N3716, 2003-10-20.24 (2003)

    Google Scholar 

  14. Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Examining Indistinguishability-Based Proof Models for Key Establishment Protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  15. Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Errors in Computational Complexity Proofs for Protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 624–643. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  16. Di Crescenzo, G., Kornievskaia, O.: Efficient Kerberized Multicast in a Practical Distributed Setting. In: Davida, G.I., Frankel, Y. (eds.) ISC 2001. LNCS, vol. 2200, pp. 27–45. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  17. Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and Authenticated Key Exchanges. Design, Codes and Cryptography 2(2), 107–125 (1992)

    Article  MathSciNet  Google Scholar 

  18. Ding, Y., Horster, P.: Undetectable On-line Password Guessing Attacks. ACM Operating Systems Review 29(4), 77–86 (1995)

    Article  Google Scholar 

  19. Feng, D.-G., Xu, J.: A New Client-to-Client Password-Authenticated Key Agreement Protocol. In: Chee, Y.M., Li, C., Ling, S., Wang, H., Xing, C. (eds.) IWCC 2009. LNCS, vol. 5557, pp. 63–76. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  20. Jin, W., Xu, J.: An Efficient and Provably Secure Cross-Realm Client-to-Client Password-Authenticated Key Agreement Protocol with Smart Cards. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 299–314. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  21. Kaliski Jr., B.S.: An Unknown Key-Share Attack on the MQV Key Agreement Protocol. ACM TISSEC 4(3), 275–288 (2001)

    Article  Google Scholar 

  22. Kim, J., Kim, S., Kwak, J., Won, D.H.: Cryptanalysis and Improvement of Password Authenticated Key Exchange Scheme between Clients with Different Passwords. In: Laganá, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3043, pp. 895–902. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  23. Needham, R., Schroeder, M.: Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM 21(12), 993–999 (1978)

    Article  MATH  Google Scholar 

  24. Phan, R.C.-W., Goi, B.-M.: Cryptanalysis of an Improved Client-to-Client Password-Authenticated Key Exchange (C2C-PAKE) Scheme. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 33–39. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  25. Phan, R.C.-W., Goi, B.-M.: Cryptanalysis of the N-Party Encrypted Diffie-Hellman Key Exchange Using Different Passwords. In: Zhou, J., Yung, M., Bao, F. (eds.) ACNS 2006. LNCS, vol. 3989, pp. 226–238. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  26. Phan, R.C.-W., Goi, B.-M.: Cryptanalysis of Two Provably Secure Cross-Realm C2C-PAKE Protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 104–117. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  27. Rogaway, P.: On the Role Definitions in and Beyond Cryptography. In: Maher, M.J. (ed.) ASIAN 2004. LNCS, vol. 3321, pp. 13–32. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  28. Stern, J.: Why Provable Security Matters? In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 449–461. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  29. Wang, S., Wang, J., Xu, M.: Weaknesses of a Password-Authenticated Key Exchange Protocol between Clients with Different Passwords. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 414–425. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  30. Yin, Y., Bao, L.: Secure Cross-Realm C2C-PAKE Protocol. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 395–406. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  31. Yoon, E.-J., Yoo, K.-Y.: A Secure Password-Authenticated Key Exchange between Clients with Different Passwords. In: Zhou, X., Li, J., Shen, H.T., Kitsuregawa, M., Zhang, Y. (eds.) APWeb 2006. LNCS, vol. 3841, pp. 659–663. Springer, Heidelberg (2006)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Faculty of Engineering, Multimedia University, 63100, Cyberjaya, Malaysia

    Wei-Chuen Yau

  2. Electronic, Electrical & Systems Engineering, Loughborough University, LE11 3TU, Leicestershire, UK

    Raphael C. -W. Phan

  3. Faculty of Engineering & Science, Universiti Tunku Abdul Rahman, 53300 KL, Malaysia

    Bok-Min Goi

  4. Faculty of Information Science & Technology, Multimedia University, 75450, Melaka, Malaysia

    Swee-Huay Heng

Authors
  1. Wei-Chuen Yau
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Raphael C. -W. Phan
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Bok-Min Goi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Swee-Huay Heng
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. The State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, 100190, Beijing, China

    Dongdai Lin

  2. Computer Science Department, University of California, 92697-3435, Irvine, CA, USA

    Gene Tsudik

  3. Shandong University, China

    Xiaoyun Wang

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yau, WC., Phan, R.C.W., Goi, BM., Heng, SH. (2011). Cryptanalysis of a Provably Secure Cross-Realm Client-to-Client Password-Authenticated Key Agreement Protocol of CANS ’09. In: Lin, D., Tsudik, G., Wang, X. (eds) Cryptology and Network Security. CANS 2011. Lecture Notes in Computer Science, vol 7092. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25513-7_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-25513-7_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25512-0

  • Online ISBN: 978-3-642-25513-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation