
A security patch for a three-party key exchange protocol

Published in: Wuhan University Journal of Natural Sciences

Abstract

The CLC protocol (proposed by Tzung-Her Chen, Wei-Bin Lee and Hsing-Bai Chen; CLC for short) is a new three-party password-authenticated key exchange (3PAKE) protocol. The CLC protocol offers superior round efficiency (only three rounds), and its computational requirements are relatively low. However, we find that the leakage of the values V_A and V_B in the CLC protocol makes a man-in-the-middle attack feasible in practice, where V_A and V_B are the authentication information chosen by the server for the participants A and B. In this paper, we describe our attack on the CLC protocol and then present a modified 3PAKE protocol, which is essentially an improved CLC protocol. Our protocol resists the known attacks, including the man-in-the-middle attack we mount on the original CLC protocol. Meanwhile, we let the participants choose their own passwords, thus avoiding the danger of a compromised server in the initialization phase. Also, the computational cost of our protocol is lower than that of the CLC protocol.



Author information


Corresponding author

Correspondence to Dawu Gu.

Additional information

Foundation item: Supported by the National High Technology Research and Development Program of China (863 Program) (2006AA01Z405)

Biography: ZHAO Jianjie, male, Ph.D. candidate, research direction: information security and cryptography.


About this article

Cite this article

Zhao, J., Gu, D. A security patch for a three-party key exchange protocol. Wuhan Univ. J. Nat. Sci. 15, 242–246 (2010). https://doi.org/10.1007/s11859-010-0312-8
