A novel three-party encrypted key exchange protocol

https://doi.org/10.1016/j.csi.2003.12.001

Abstract

The passwords people can remember are usually simple or meaningful. In three-party key exchange protocols with password authentication, clients are allowed to share an easy-to-remember password with a trusted server such that two clients can communicate with each other through a common secret key without the existence of redundant keys. Such protocols are quite suitable for applications in which light-weight clients need secure communication. Steiner, Tsudik, and Waidner proposed a three-party protocol based on the encrypted key exchange (EKE) protocols in 1995; however, the proposed protocol suffered from off-line and undetectable on-line guessing attacks. In 2000, Lin, Sun, and Hwang proposed a secure three-party protocol with server's public keys. Because certificates are needed to verify the server's public keys to avoid impersonation attacks, this protocol is not practical for some environments. In 2001, Lin, Sun, Steiner and Hwang proposed a brand-new three-party protocol without servers' public keys. Nevertheless, this protocol needs more rounds. In this paper, we propose a secure three-party EKE protocol with round efficiency.

Introduction

In Ref. [1], Bellovin and Merritt proposed the encrypted key exchange (EKE) family of key exchange protocols, in which users are allowed to use easy-to-remember passwords without being threatened by dictionary attacks [2]. In this protocol, a password is shared securely in advance between two parties A and B who want to communicate with each other. After the two parties obtain a common ephemeral session key, authentication is achieved.

In 1995, Steiner et al. [3] proposed a three-party EKE protocol (STW-3PEKE) based on the EKE protocols, in which each user shares an easy-to-remember password with a trusted server S, and S acts as a coordinator between the two communicating parties to complete the mutual authentication. In Ref. [4], Ding and Horster divided password-guessing attacks into three classes: detectable on-line password guessing attacks, undetectable on-line password guessing attacks, and off-line password guessing attacks. Among the three classes, off-line password guessing attacks are the most critical ones. Ding and Horster demonstrated that STW-3PEKE is vulnerable to undetectable on-line password guessing attacks.
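As an added illustration of the classification above (constructed for this page; it is not the paper's protocol nor any of the reviewed ones): a toy trusted server S shares a password with clients A and B. In the leaky variant S answers any nonce with a deterministic password-keyed value, so one recorded transcript lets an eavesdropper test candidate passwords locally while S's logs show nothing (the off-line class). In the verifying variant S checks a password-derived proof before answering, so each wrong candidate costs one request that fails and is counted (the detectable on-line class). The undetectable on-line class is not modelled. The class and function names, the HMAC-SHA256 construction and the candidate list are all assumptions made for this example.

```python
"""Constructed toy of a three-party setting: server S shares a password with
each client.  Hypothetical names; not the protocol from the paper."""
import hashlib
import hmac
import secrets


def prf(key: bytes, msg: bytes) -> bytes:
    """Keyed PRF standing in for the password-keyed operation of one round."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class TrustedServer:
    """S holds one low-entropy password per client and logs failed proofs."""

    def __init__(self, passwords: dict):
        self._pw = {c: p.encode() for c, p in passwords.items()}
        self.failed_proofs = {c: 0 for c in passwords}  # the defender's signal
        self.requests = 0

    # Leaky variant: S answers any nonce with a deterministic password-keyed
    # value.  Nothing is verified, so nothing can be logged.
    def respond_unverified(self, client: str, nonce: bytes) -> bytes:
        self.requests += 1
        return prf(self._pw[client], nonce)

    # Verifying variant: the client must first prove knowledge of the
    # password; a wrong proof is an observable, countable failure.
    def respond_verified(self, client: str, nonce: bytes, proof: bytes):
        self.requests += 1
        expected = prf(self._pw[client], b"proof|" + nonce)
        if not hmac.compare_digest(expected, proof):
            self.failed_proofs[client] += 1
            return None
        return prf(self._pw[client], b"reply|" + nonce)


def offline_guess(transcript, dictionary):
    """Off-line class: one recorded (nonce, reply) pair from the leaky variant
    is a password verifier, so every candidate is checked locally and S never
    receives a single extra request."""
    nonce, reply = transcript
    for cand in dictionary:
        if hmac.compare_digest(prf(cand.encode(), nonce), reply):
            return cand
    return None


def online_guess(server, client, dictionary):
    """Detectable on-line class: against the verifying variant each candidate
    costs one request, and each wrong one increments S's failure counter."""
    for cand in dictionary:
        nonce = secrets.token_bytes(16)
        proof = prf(cand.encode(), b"proof|" + nonce)
        if server.respond_verified(client, nonce, proof) is not None:
            return cand
    return None


def guessing_detected(server, client, threshold=3):
    """Defender's check: a burst of failed proofs for one client."""
    return server.failed_proofs[client] >= threshold


# Constructed candidate list; "hunter2" and "sunshine" are the toy passwords.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "sunshine", "hunter2"]


def demo():
    s = TrustedServer({"A": "hunter2", "B": "sunshine"})
    # A legitimate leaky-variant run observed on the wire by an eavesdropper.
    nonce = secrets.token_bytes(16)
    transcript = (nonce, s.respond_unverified("A", nonce))
    found_offline = offline_guess(transcript, DICTIONARY)
    offline_signal = s.failed_proofs["A"]          # stays 0: S saw nothing
    found_online = online_guess(s, "B", DICTIONARY)
    online_signal = s.failed_proofs["B"]           # one failure per wrong guess
    return found_offline, offline_signal, found_online, online_signal, guessing_detected(s, "B")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the password recovered off-line with a failure count of 0 for A, and the password recovered on-line for B with one logged failure per wrong candidate, which is exactly the signal the detection check needs and the off-line case never produces.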

In 2000, Lin et al. [5] showed that STW-3PEKE suffers not only from undetectable on-line password guessing attacks but also from off-line password guessing attacks. Moreover, they proposed a 3PEKE protocol (LSH-3PEKE) in which the trusted server holds a permanent and publicly known server public key to prevent both of the password guessing attacks that STW-3PEKE suffers from. However, the approach of applying server public keys puts a burden on the users because they have to verify the server's public keys. As a result, in 2001, Lin et al. [6] proposed a new 3PEKE protocol (LSSH-3PEKE), which is resistant to both of the attacks without the use of server public keys. They mentioned that their method overcomes the deficiencies of traditional three-party key distribution services, such as Kerberos [7] and KryptoKnight [8], which suffer from dictionary attacks with weak passwords and do not provide forward security.

However, the number of rounds needed in LSSH-3PEKE is two more than that in LSH-3PEKE. Taking round efficiency into consideration, we employ trapdoor functions to propose a brand-new 3PEKE protocol, which not only has the same properties as LSSH-3PEKE but also provides the same round efficiency as LSH-3PEKE. Bellare et al. [9], citing Ref. [10], state that poly-to-one trapdoor functions imply trapdoor predicates (equivalent to public key encryption schemes). On the other hand, trapdoor functions can be constructed from one-way hash functions, as shown in Ref. [9]. Thus, Impagliazzo and Rudich [11] distinguished between such super-poly-to-one trapdoor functions and trapdoor predicates. If we employ poly-to-one trapdoor functions, an additional certificate will be needed. Hence, we use super-poly-to-one trapdoor functions in our proposed scheme.

The paper is organized as follows. In Section 2, we review LSH-3PEKE and LSSH-3PEKE. In Section 3, we present our proposed 3PEKE protocol. Then, the security and efficiency analyses are shown in Section 4. Finally, we draw some conclusions.

Section snippets

A review of LSSH-3PEKE

In Section 2.1, the notations used throughout the paper are listed. LSH-3PEKE and LSSH-3PEKE are reviewed in Section 2.2 (A review of LSH-3PEKE with server's public keys) and Section 2.3 (A review of LSSH-3PEKE), respectively.

A new efficient protocol—ECC-3PEKE

In this section, we first list the requirements of the brand-new protocol. Then, the protocol will be presented in Section 3.2.

Security and efficiency analyses

In this section, we show, through four properties, that the proposed protocol achieves the requirements listed in Section 3.1, demonstrating that it is not only secure but also efficient.

Property 1

The protocol provides mutual authentication.

First, A/B uses the trapdoor function FS to hide the secret number rA/rB and PA/PB to encrypt NA/NB in Step 1/2 in Section 3.2. Since only S knows the trapdoor and PA/PB is secretly shared by A/B and S, only S and A/B know NA/NB, rA/rB, and KAS/KBS. As a result, S can

Conclusions

In this paper, we proposed a brand-new 3PEKE protocol. The proposed protocol possesses the advantages of LSH-3PEKE and LSSH-3PEKE. According to the analyses in Section 4, it is obvious that the proposed protocol is secure, efficient, and practical. Moreover, it provides another solution to 3PEKE, especially in an environment where users communicate with other users frequently but cannot be expected to validate the server's public keys correctly.

References (13)

  • [1] S.M. Bellovin et al., Encrypted key exchange: password-based protocols secure against dictionary attacks
  • [2] R. Morris et al., Password security: a case history, Communications of the ACM (1979)
  • [3] M. Steiner et al., Refinement and extension of encrypted key exchange, ACM Operating Systems Review (1995)
  • [4] Y. Ding et al., Undetectable on-line password guessing attacks, ACM Operating Systems Review (1995)
  • [5] C.L. Lin et al., Three-party encrypted key exchange: attacks and a solution, ACM Operating Systems Review (2000)
  • [6] C.L. Lin et al., Three-party encrypted key exchange without server public-keys, IEEE Communications Letters (December 2001)

Cited by (88)

  • An improved three party authenticated key exchange protocol using hash function and elliptic curve cryptography for mobile-commerce environments

    2017, Journal of King Saud University - Computer and Information Sciences
    Citation excerpt:

    However, most of these protocols are susceptible to undetectable off-line password guessing attack (Lin et al., 2000, 2001), on-line password guessing attack (Chen et al., 2008b; Yoon and Yoo, 2008; Sun et al., 2005; Nam et al., 2006; Phan et al., 2008), impersonation attack (Chung and Ku, 2008), unknown key-share attack (Phan et al., 2008; Guo et al., 2008), etc. In addition, the computation cost and communication load of these protocols are heavy because they have employed the modular exponentiation (Lin et al., 2001; Lee et al., 2004; Chang and Chang, 2004; Chen et al., 2008b; Sun et al., 2005), public/symmetric key encryption/decryption (Lin et al., 2000, 2001; Chang and Chang, 2004; Yoon and Yoo, 2008; Sun et al., 2005) and the transmitted message size is large in each round (Lin et al., 2000; Lee et al., 2004; Chang and Chang, 2004; Sun et al., 2005). Due to the limitations of bandwidth, computation ability and storage space of the low-power mobile devices, the above mentioned protocols are not suitable for mobile-commerce environments.

  • 3AKEP: Triple-authenticated key exchange protocol for peer-to-peer VoIP applications

    2016, Computer Communications
    Citation excerpt:

    In [18] a solution that does not take advantage of a trusted server is described; however, this is obtained at the expense of a greater amount of round trips. Other interesting approaches are those proposed in [19,20]. They are however vulnerable, as demonstrated in [21], to one of the following three guessing attacks [22]: i) Detectable on-line guessing attack, ii) Undetectable on-line guessing attack, iii) Off-line guessing attack.
