A novel three-party encrypted key exchange protocol
Introduction
In Ref. [1], Bellovin and Merritt proposed the encrypted key exchange (EKE) family of key exchange protocols, in which users are allowed to use easy-to-remember passwords without being threatened by dictionary attacks [2]. In these protocols, a password is shared securely in advance between the two parties A and B who want to communicate with each other. After the two parties obtain a common ephemeral session key, authentication is achieved.
In 1995, Steiner et al. [3] proposed a three-party EKE protocol (STW-3PEKE) based on the EKE protocols, in which each user shares an easy-to-remember password with a trusted server S, and S acts as a coordinator between the two communicating parties to complete mutual authentication. In Ref. [4], Ding and Horster divided password-guessing attacks into three classes: detectable on-line password guessing attacks, undetectable on-line password guessing attacks, and off-line password guessing attacks. Among the three classes, off-line password guessing attacks are the most critical. Ding and Horster demonstrated that STW-3PEKE is vulnerable to undetectable on-line password guessing attacks.
In 2000, Lin et al. [5] showed that STW-3PEKE suffers not only from undetectable on-line password guessing attacks but also from off-line password guessing attacks. Moreover, they proposed a 3PEKE protocol (LSH-3PEKE), in which the trusted server holds a permanent and publicly known public key, to prevent both of the password guessing attacks that STW-3PEKE suffers from. However, the approach of applying server public keys puts a burden on the users, because they have to verify the server's public key. Consequently, in 2001, Lin et al. [6] proposed a new 3PEKE protocol (LSSH-3PEKE), which is resistant to both attacks without the use of server public keys. They mentioned that their method overcomes the deficiencies of traditional three-party key distribution services, such as Kerberos [7] and KryptoKnight [8], which suffer from dictionary attacks with weak passwords and do not provide forward security.
However, the number of rounds needed in LSSH-3PEKE is two more than that in LSH-3PEKE. Taking round efficiency into consideration, we employ trapdoor functions to propose a brand-new 3PEKE protocol, which not only has the same properties as LSSH-3PEKE but also provides the same round efficiency as LSH-3PEKE. Bellare et al. [9] used Ref. [10] to state that poly-to-one trapdoor functions imply trapdoor predicates (equivalent to public key encryption schemes). On the other hand, super-poly-to-one trapdoor functions can be constructed from one-way hash functions, as shown in Ref. [9]. Impagliazzo and Rudich [11] therefore distinguished between such super-poly-to-one trapdoor functions and trapdoor predicates. If we employed poly-to-one trapdoor functions, an additional certificate would be needed. Hence, we use super-poly-to-one trapdoor functions in our proposed scheme.
The paper is organized as follows. In Section 2, we review LSH-3PEKE and LSSH-3PEKE. In Section 3, we present our proposed 3PEKE protocol. Then, the security and efficiency analyses are shown in Section 4. Finally, we draw some conclusions.
Section snippets
A review of LSSH-3PEKE
In Section 2.1, the notations used throughout the paper are listed. LSH-3PEKE (with server's public keys) and LSSH-3PEKE are reviewed in Sections 2.2 and 2.3, respectively.
A new efficient protocol—ECC-3PEKE
In this section, we first list the requirements of the brand-new protocol. Then, the protocol will be presented in Section 3.2.
Security and efficiency analyses
In this section, we show four properties of the proposed protocol that satisfy the requirements listed in Section 3.1, to demonstrate that it is not only secure but also efficient.
Property 1. The protocol provides mutual authentication.
First, A/B uses the trapdoor function F_S to hide the secret number r_A/r_B, and uses P_A/P_B to encrypt N_A/N_B, in Step 1/2 of Section 3.2. Since only S knows the trapdoor, and P_A/P_B is secretly shared between A/B and S, only S and A/B know N_A/N_B, r_A/r_B, and K_AS/K_BS. As a result, S can
Conclusions
In this paper, we proposed a brand-new 3PEKE protocol. The proposed protocol possesses the advantages of LSH-3PEKE and LSSH-3PEKE. According to the analyses in Section 4, it is obvious that the proposed protocol is secure, efficient, and practical. Moreover, it provides another solution to 3PEKE, especially in an environment where users communicate with other users frequently but cannot be expected to validate the server's public keys correctly.
References (13)
[1] Bellovin and Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks.
[2] et al., Password security: a case history, Communications of the ACM (1979).
[3] Steiner et al., Refinement and extension of encrypted key exchange, ACM Operating Systems Review (1995).
[4] Ding and Horster, Undetectable on-line password guessing attacks, ACM Operating Systems Review (1995).
[5] Lin et al., Three-party encrypted key exchange: attacks and a solution, ACM Operating Systems Review (2000).
[6] Lin et al., Three-party encrypted key exchange without server public-keys, IEEE Communications Letters (December 2001).
Cited by (88)
- An improved three party authenticated key exchange protocol using hash function and elliptic curve cryptography for mobile-commerce environments (2017, Journal of King Saud University - Computer and Information Sciences). Citation excerpt: However, most of these protocols are susceptible to undetectable off-line password guessing attack (Lin et al., 2000, 2001), on-line password guessing attack (Chen et al., 2008b; Yoon and Yoo, 2008; Sun et al., 2005; Nam et al., 2006; Phan et al., 2008), impersonation attack (Chung and Ku, 2008), unknown key-share attack (Phan et al., 2008; Guo et al., 2008), etc. In addition, the computation cost and communication load of these protocols are heavy because they have employed the modular exponentiation (Lin et al., 2001; Lee et al., 2004; Chang and Chang, 2004; Chen et al., 2008b; Sun et al., 2005), public/symmetric key encryption/decryption (Lin et al., 2000, 2001; Chang and Chang, 2004; Yoon and Yoo, 2008; Sun et al., 2005) and the transmitted message size is large in each round (Lin et al., 2000; Lee et al., 2004; Chang and Chang, 2004; Sun et al., 2005). Due to the limitations of bandwidth, computation ability and storage space of the low-power mobile devices, the above mentioned protocols are not suitable for mobile-commerce environments.
- 3AKEP: Triple-authenticated key exchange protocol for peer-to-peer VoIP applications (2016, Computer Communications). Citation excerpt: In [18] a solution that does not take advantage of a trusted server is described; however, this is obtained at the expense of a greater amount of round trips. Other interesting approaches are those proposed in [19,20]. They are however vulnerable, as demonstrated in [21], to one of the following three guessing attacks [22]: i) Detectable on-line guessing attack, ii) Undetectable on-line guessing attack, iii) Off-line guessing attack.
- Secure Sensitive Data Sharing Using RSA and ElGamal Cryptographic Algorithms with Hash Functions (2022, Information (Switzerland)).
- Improved Verifier-based Three-party Password-authenticated Key Exchange Protocol (2020, Ruan Jian Xue Bao/Journal of Software).
- Attacks and solutions on a three-party password-based authenticated key exchange protocol for wireless communications (2019, Journal of Ambient Intelligence and Humanized Computing).
- Computation-efficient three-party encrypted key exchange for telecare medicine information systems (2019, ACM International Conference Proceeding Series).