Abstract
Three-party password-authenticated key exchange (3PAKE) protocols allow two clients to establish secure communication channels over a public network merely by sharing a human-memorable (low-entropy) password with a trusted server. In this paper, we first show that the 3PAKE protocol introduced by Chang, Hwang, and Yang is insecure against even passive attackers. Thereafter, we propose two kinds of improvement that can remedy the security flaw in their protocol. Finally, we present simulations to measure the execution time to show the efficiency of our two improvements.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Bellare M, Rogaway P (1993) Entity authentication and key distribution. In: Advances in cryptology (CRYPTO ’93), pp 232–249
Bellovin SM, Merritt M (1992) Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE computer society conference on research in security and privacy, pp 72–84
Chang CC, Chang YF (2004) A novel three-party encrypted key exchange protocol. Comput Stand Interfaces 26(5):471–476
Chang TY, Hwang MS, Yang WP (2011) A communication-efficient three-party password authenticated key exchange protocol. Inf Sci 181:217–226
Chien HY, Wu TC (2009) Provably secure password-based three-party key exchange with optimal message steps. Comput J 52(6):646–655
Chung HR, Ku WC (2008) Three weaknesses in a simple three-party key exchange protocol. Inf Sci 178(1):220–229
Ding Y, Horster P (1995) Undetectable on-line password guessing attacks. Oper Syst Rev 29(3):22–30
Gong L (1995) Optimal authentication protocols resistant to password guessing attacks. In: Proceedings of 8th IEEE computer security foundation workshop, pp 24–29
Gong L, Lomas M, Needham R, Saltzer J (1993) Protecting poorly chosen secrets from guessing attacks. IEEE J Sel Areas Commun 11(5):648–656
Joux A (2000) A one round protocol for tripartite Diffie–Hellman. In: Proceedings of the 4th algorithmic number theory symposium (ANTS IV)
Kim HS, Choi JY (2009) Enhanced password-based simple three-party key exchange protocol. Comput Electr Eng 35(1):107–114
Kwon T, Kang M, Jung S, Song J (1999) An improvement of the password-based authentication protocol K1P on security against replay attacks. IEICE Trans Commun E82-B(7):991–997
Lee TF, Liu JL, Sung MJ, Yang SB, Chen CM (2009) Communication-efficient three-party protocols for authentication and key agreement. Comput Math Appl 58:641–648
Lin CL, Sun HM, Hwang T (2000) Three-party encrypted key exchange: attacks and a solution. Oper Syst Rev 34(4):12–20
Lin CL, Sun HM, Steiner M, Hwang T (2001) Three-party encrypted key exchange without server public-keys. IEEE Commun Lett 5(12):497–499
Nam J, Lee Y, Kim S, Won D (2007) Security weakness in a three-party pairing-based protocol for password authenticated key exchange. Inf Sci 177(6):1364–1375
Nam J, Paik J, Kang HK, Kim UM, Won D (2009) An off-line dictionary attack on a simple three-party key exchange protocol. IEEE Commun Lett 13(3):205–207
Steiner M, Tsudik G, Waidner M (1995) Refinement and extension of encrypted key exchange. Oper Syst Rev 29(3):22–30
Sun HM, Chen BC, Hwang T (2005) Secure key agreement protocols for three-party against guessing attacks. J Syst Softw 75(1–2):63–68
Wen HA, Lee TF, Hwang T (2005) Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. IEE Proc, Commun 152(2):138–143
Yeh HT, Sun HM (2004) Password-based user authentication and key distribution protocols for client-server applications. J Syst Softw 72(1):97–103
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Tso, R. Security analysis and improvements of a communication-efficient three-party password authenticated key exchange protocol. J Supercomput 66, 863–874 (2013). https://doi.org/10.1007/s11227-013-0917-8
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11227-013-0917-8