Abstract
The CLC protocol (proposed by Tzung-Her Chen, Wei-Bin Lee and Hsing-Bai Chen; CLC for short) is a new three-party password-authenticated key exchange (3PAKE) protocol. The CLC protocol offers superior round efficiency (only three rounds) and requires relatively little computation. However, we find that leakage of the values V_A and V_B in the CLC protocol makes a man-in-the-middle attack feasible in practice, where V_A and V_B are the authentication information chosen by the server for the participants A and B. In this paper, we describe our attack on the CLC protocol and then present a modified 3PAKE protocol, which is essentially an improved CLC protocol. Our protocol resists the known attacks, including the man-in-the-middle attack we mount on the original CLC protocol. Meanwhile, we let the participants choose their own passwords, which avoids the danger of the server being controlled in the initialization phase. The computational cost of our protocol is also lower than that of the CLC protocol.
References
Katz J, Ostrovsky R, Yung M. Forward secrecy in password-only key-exchange protocols[C]// Proc of SCN 2002 (LNCS 2576). Berlin: Springer-Verlag, 2002: 29–44.
Bellovin S, Merritt M. Encrypted key exchange: Password based protocols secure against dictionary attacks[C]// Proc of IEEE Symposium on Research in Security and Privacy’92. Oakland: IEEE Press, 1992: 72–84.
Sun H M, Chen B C, Hwang T. Secure key agreement protocols for three-party against guessing attacks[J]. Journal of Systems and Software, 2005, 75(1–2): 63–68.
Katz J, Ostrovsky R, Yung M. Efficient password-authenticated key exchange using human-memorable passwords[C]// Proc of Eurocrypt 2001 (LNCS 2045). Berlin: Springer-Verlag, 2001: 475–494.
Goldreich O, Lindell Y. Session key generation using human passwords only[C]// Proc of Crypto 2001 (LNCS 2139). Berlin: Springer-Verlag, 2001: 408–432.
Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks[C]// Proc of Eurocrypt 2000 (LNCS 1807). Berlin: Springer-Verlag, 2000: 139–155.
Lin C L, Sun H M, Hwang T. Three-party encrypted key exchange: Attacks and a solution[J]. ACM Operating Systems Review, 2000, 34(4): 12–20.
Yeh H T, Sun H M, Hwang T. Efficient three-party authentication and key agreement protocols resistant to password guessing attacks[J]. Journal of Information and System Engineering, 2003, 19(6): 1059–1070.
Lee S W, Kim H S, Yoo K Y. Efficient verifier-based key agreement protocol for three parties without server’s public key[J]. Applied Mathematics and Computation, 2005, 167(2): 996–1003.
Wang W, Hu L. Efficient and provably secure generic construction of three-party password-based authenticated key exchange protocols[C]// The 7th International Conference on Cryptology (LNCS 4329). Berlin: Springer-Verlag, 2006: 118–132.
Lu R X, Cao Z F. Simple three-party key exchange protocol[J]. Computers & Security, 2007, 26(1): 94–97.
Juang W S, Nien W K. Efficient password authenticated key agreement using bilinear pairings[J]. Mathematical and Computer Modelling, 2008, 47(11–12): 1238–1245.
Zhu H F, Liu T H, Liu J, et al. A method for making three-party password-based key exchange resilient to server compromise[C]// Proceedings of the Third International Conference on International Information Hiding and Multimedia Signal Processing (IIH-MSP 2007). Washington D C: IEEE Computer Society Press, 2007, 1: 546–549.
Chen T H, Lee W B, Chen H B. A round and computation-efficient three-party authenticated key exchange protocol[J]. Journal of Systems and Software, 2008, 81(9): 1581–1590.
Additional information
Foundation item: Supported by the National High Technology Research and Development Program of China (863 Program) (2006AA01Z405)
Biography: ZHAO Jianjie, male, Ph.D. candidate, research direction: information security and cryptography.
About this article
Cite this article
Zhao, J., Gu, D. A security patch for a three-party key exchange protocol. Wuhan Univ. J. Nat. Sci. 15, 242–246 (2010). https://doi.org/10.1007/s11859-010-0312-8