Abstract
A key exchange protocol allows more than two parties to communicate over an insecure channel and establish a common shared secret key, called a session key. Because this notion is central to establishing secure communication among parties, numerous approaches have been proposed in the literature and analyzed for their merits and demerits. Recently, Lo et al. proposed a 3-party password-based authenticated key exchange protocol in which two or more users, each holding a secret pre-shared with the server, can generate a session key with the help of the server. They claimed that their approach resists any known attack. However, we observe that their protocol is not secure against the off-line password guessing attack or the long-term secret compromise attack, and that the compromise of a previous session can lead to the compromise of all involved users in future communication. Therefore, in this paper we first analyze these attacks and then suggest an improved scheme that overcomes them.
References
Bellovin SM, Merritt M (1992) Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE symposium on security and privacy, pp 72–84, IEEE Computer Society Press
Abdalla M, Pointcheval D (2005) Simple password-based encrypted key exchange protocols. In: Menezes A (ed) CT-RSA 2005. LNCS, vol 3376. Springer, Heidelberg, pp 191–208
Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. In: Preneel B (ed) EUROCRYPT 2000. LNCS, vol 1807. Springer, Heidelberg, pp 139–155
Abdalla M, Chevalier C, Pointcheval D (2009) Smooth projective hashing for conditionally extractable commitments. In: Halevi S (ed) CRYPTO 2009. LNCS, vol 5677. Springer, Heidelberg, pp 671–689
Boyko V, MacKenzie PD, Patel S (2000) Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel B (ed) EUROCRYPT 2000. LNCS, vol 1807. Springer, Heidelberg, pp 156–171
Bresson E, Chevassut O, Pointcheval D () Security proofs for an efficient password-based key exchange. In: Jajodia S, Atluri V, Jaeger T (eds) Proceedings of the 10th conference on computer and communications security (ACM CCS 2003), ACM Press, pp 241–250
Bresson E, Chevassut O, Pointcheval D (2004) New security results on encrypted key exchange. In: Bao F, Deng R, Zhou J (eds) PKC 2004. LNCS, vol 2947. Springer, Heidelberg, pp 145–158
Canetti R, Halevi S, Katz J, Lindell Y, MacKenzie P (2005) Universally composable password-based key exchange. In: Cramer R (ed) EUROCRYPT 2005. LNCS, vol 3494. Springer, Heidelberg, pp 404–421
Gennaro R (2008) Faster and shorter password-authenticated key exchange. In: Canetti R (ed) TCC 2008. LNCS, vol 4948. Springer, Heidelberg, pp 589–606
Gennaro R, Lindell Y (2003) A framework for password-based authenticated key exchange. In: Biham E (ed) EUROCRYPT 2003. LNCS, vol 2656. Springer, Heidelberg, pp 524–543
Katz J, Ostrovsky R, Yung M (2001) Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann B (ed) EUROCRYPT 2001. LNCS, vol 2045. Springer, Heidelberg, pp 475–494
Katz J, Vaikuntanathan V (2009) Smooth projective hashing and password-based authenticated key exchange from lattices. In: Matsui M (ed) ASIACRYPT 2009. LNCS, vol 5912. Springer, Heidelberg, pp 636–652
Katz J, Vaikuntanathan V (2011) Round-optimal password-based authenticated key exchange. In: Ishai Y (ed) TCC 2011. LNCS, vol 6597. Springer, Heidelberg, pp 293–310
Pointcheval D (2012) Exchange password-based authenticated key. PUBLIC KEY CRYPTOGRAPHY - PKC-2012, Lecture notes in computer science, vol 7293. pp 390–397, doi:10.1007/978-3-642-30057-8_23
Kobara K, Imai H (2002) Pretty-simple password authenticated key-exchange under standard assumptions. IEICE Trans E85-A(10):2229–2237
Bresson E, Chevassut O, Pointcheval D (2004) New security results on encrypted key exchange. In: Proceedings of PKC 2004, LNCS, vol 2947, pp 145–158
Boyd C, Montague P, Nguyen K (2001) Elliptic curve based password authenticated key exchange protocols. In: Proceedings of 28th australasian conference on information security and privacy—ACISP 2001, LNCS, vol. 2119, pp 487–501
Abdalla M, Pointcheval D (2005) Simple password-based encrypted key exchange protocols. In: Proceedings of topics in cryptology—CT-RSA 2005. LNCS, vol. 3376, pp 191–208
Abdalla M, Chevassut O, Pointcheval D (2005) One-time verifier-based encrypted key exchange. In: Proceedings of PKC ’05, LNCS, vol. 3386 pp 47–64
Kobara K, Imai H (2002) Pretty-simple password-authenticated key exchange under standard assumptions. IEICE Trans E85-A(10):2229–2237
Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. In: Proceedings of the advances in cryptology (EUROCRYPT’2000), Springer, Berlin, pp 139–155
Bresson E, Chevassut O, Pointcheval D (2004) New security results on encrypted key exchange. In: Proceedings of PKC 2004, LNCS, vol 2947. Springer, Heidelberg, pp 145–158
Abdalla M, Pointcheval D (2005) Simple password-based encrypted key exchange protocols. In: Proceedings of topics in cryptology—CT-RSA 2005, LNCS, vol 3376. Springer, Heidelberg, pp 191–208
Abdalla M, Chevassut O, Pointcheval D (2005) One-time verifier-based encrypted key exchange. Proceedings of PKC ’05, LNCS, vol 3386. Springer, Heidelberg, pp 47–64
Ding Y, Horster P (1995) Undetectable on-line password guessing attacks. ACM Oper Syst Rev 29(4):77–86
Lin CL, Sun HM, Hwang T (2000) Three party-encrypted key exchange: attacks and a solution. ACM Oper Syst Rev 34(4):12–20
Lee TF, Hwang T, Lin CL (2004) Enhanced three-party encrypted key exchange without server public keys. Comput Secur 23(7):571–577
Wen HA, Lee TF, Hwang T (2005) Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. IEE Proc Commun 152(2):138–143
Nam J, Lee Y, Kim S, Won D (2007) Security weakness in a three-party pairing-based protocol for password authenticated key exchange. Inf Sci 177(6):1364–1375
Yeh HT, Sun HM (2004) Password-based user authentication and key distribution protocols for client-server applications. J Syst Softw 72(1):97–103
Yoon E-J, Yoo K-Y (2012) Cryptanalysis of an efficient three-party password-based key exchange scheme, In: Procedia Engineering, vol 29, pp 3972–3979, ISSN 1877–7058, doi:10.1016/j.proeng.2012.01.604
Steiner M, Tsudik G, Waidner M (1995) Refinement and extension of encrypted key exchange. ACM Oper Syst Rev 29:22–30
Lin CL, Sun HM, Hwang T (2000) Three-party encrypted key exchange: attacks and a solution. ACM Oper Syst Rev 34:12–20
Chang CC, Chang YF (2004) A novel three-party encrypted key exchange protocol. Comput Stand Interfaces 26(5):472–476
Lee TF, Hwang T, Lin CL (2004) Enhanced three-party encrypted key exchange without server public keys. Comput Secur 23(7):571–577
Lee SW, Kim HS, Yoo KY (2005) Efficient verifier-based key agreement protocol for three parties without server’s public key. Appl Math Comput 167(2):996–1003
Sun HM, Chen BC, Hwang T (2005) Secure key agreement protocols for three-party against guessing attacks. J Syst Softw 75:63–68
Lu RX, Cao ZF (2007) Simple three-party key exchange protocol. Comput Secur 26:94–97
Yoon EJ, Yoo KY (2008) Improving the novel three-party encrypted key exchange protocol. Comput Stand Interfaces 30(5):309–314
Phan RCW, Yau WC, Goi BM (2008) Cryptanalysis of simple three-party key exchange protocol (S-3PAKE). Inf Sci 178:2849–2856
Guo H, Li Z (2008) Cryptanalysis of simple three-party key exchange protocol. Comput Secur 27:16–21
Kim HS, Choi JY (2009) Enhanced password-based simple three-party key exchange protocol. Comput Electr Eng 35:107–114
Huang HF (2009) A simple three-party password-based key exchange protocol. Int J Commun Syst 22:857–862
Yang JH, Chang CC (2009) An efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments. J Syst Softw 82(9):1497–1502
Ding Y, Horster P (1995) Undetectable on-line password guessing attacks. ACM Oper Syst Rev 29(4):77–86
Lo NW, Yeh K-H (2010) A practical three-party authenticated key exchange protocol. Int J Innovative Comput Inf Control 6(6):2469–2483
Copyright information
© 2013 Springer Science+Business Media New York
About this paper
Cite this paper
Doshi, N., Patel, B. (2013). Cryptanalysis of Lo et al.’s Password Based Authentication Scheme. In: Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Computer Networks & Communications (NetCom). Lecture Notes in Electrical Engineering, vol 131. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-6154-8_44
DOI: https://doi.org/10.1007/978-1-4614-6154-8_44
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-6153-1
Online ISBN: 978-1-4614-6154-8
eBook Packages: Engineering, Engineering (R0)