Abstract
Recently, Tso proposed a three-party password-based authenticated key exchange (3PAKE) protocol. This protocol allows two clients to authenticate each other and establish a secure session key through a server over an insecure channel. The main security goals of such protocols are authentication and privacy. However, we show that Tso’s protocol achieves neither the authentication goal nor the privacy goal: its privacy is broken by an off-line password guessing attack, and its authentication is broken by an impersonation attack. To overcome these weaknesses, we propose an improved 3PAKE protocol that achieves better security and performance than related protocols. The security of the improved protocol is proved in the random oracle model.
Cite this article
Farash, M.S., Attari, M.A. An efficient client–client password-based authentication scheme with provable security. J Supercomput 70, 1002–1022 (2014). https://doi.org/10.1007/s11227-014-1273-z
DOI: https://doi.org/10.1007/s11227-014-1273-z