Abstract
In 2010, Lee et al. proposed two simple and efficient three-party password-authenticated key exchange protocols that had been proven secure in the random oracle model. They argued that the two protocols could resist off-line dictionary attacks. In fact, the provable-security approach did not provide protection against off-line dictionary attacks. This paper shows that the two protocols are vulnerable to off-line dictionary attacks in the presence of an inside attacker because of an authentication flaw. This study conducts a detailed analysis of the flaw in the protocols and also shows how to eliminate the security flaw.
References
Bellovin S, Merritt M. Encrypted key exchange: Passwords based protocols secure against dictionary attacks [C]// Proceedings of the IEEE Symposium on Security and Privacy. Washington D C: IEEE Press, 1992: 72–84.
Deng S, Li Y, Deng Y. An efficient two-party key exchange protocol with strong security [J]. Wuhan University Journal of Natural Sciences, 2010, 15(3): 267–271.
Wen H A, Lin C L, Hwang T. Provably secure authenticated key exchange protocols for low power computing clients [J]. Computers and Security, 2006, 25(2): 106–113.
Abdalla M, Pointcheval D. Interactive Diffie-Hellman assumptions with applications to password-based authentication [C]//Proc of Financial Cryptography and Data Security 2005(LNCS 3570). Berlin: Springer-Verlag, 2005: 341–356.
Abdalla M, Fouque P A, Pointcheval D. Password-based authenticated key exchange in the three-party setting [C]// Proc of the PKC’05(LNCS 3386). Berlin: Springer-Verlag, 2005: 65–84.
Bellare M, Pointcheval D, Rogaway P. Authenticated key exchange secure against dictionary attacks [C]//Advances in Cryptology-Eurocrypt. Berlin: Springer-Verlag, 2000: 139–155.
Bellare M, Rogaway P. Provably secure session key distribution—the three party case [C]// Proc of 27th ACM Symposium on Theory of Computing (STOC’95). New York: ACM Press, 1995: 57–66.
Nam J, Lee Y, Kim S, et al. Security weakness in a three-party pairing-based protocol for password authenticated key exchange [J]. Information Sciences, 2007, 177(6): 1364–1375.
Lu R, Cao Z. Simple three-party key exchange protocol [J]. Computers and Security, 2007, 26(1): 94–97.
Abdalla M, Pointcheval D. Simple password-based encrypted key exchange protocols [C]//Proceedings of the CT-RSA’05, (LNCS 3376). Berlin: Springer-Verlag, 2005: 191–208.
Chung H R, Ku W C. Three weaknesses in a simple three-party key exchange protocol [J]. Information Sciences, 2008, 178(1): 220–229.
Phan R CH, Yau W H, Goi B M. Cryptanalysis of simple three-party key exchange protocol [J]. Information Sciences, 2008, 178(13): 2849–2856.
Guo H, Li Z, Mu Y, et al. Cryptanalysis of simple three-party key exchange protocol [J]. Computers and Security, 2008, 27: 16–21.
Kim H S, Choi J Y. Enhanced password-based simple three-party key exchange protocol [J]. Computers and Electrical Engineering, 2009, 35(1): 107–114.
Xu Chungen, Yang Yanjiong. Password guessing attack on a key exchange protocol based on ECDLP [C]//Proc of 2010 IEEE International Conference on Progress in Informatics and Computing. Shanghai: IEEE Press, 2010: 499–452.
Lee T F, Hwang T. Simple password-based three-party authenticated key exchange without server public keys [J]. Information Sciences, 2010, 180(9): 1702–1714.
Baudet M. Deciding security of protocols against off-line guessing attacks [C]//Proc of 12th ACM Conference on Computer and Communications Security. Alexandria: ACM Press, 2005: 16–25.
Corin R, Doumen J, Etalle S. Analyzing password protocol security against off-line dictionary attacks [C]// Proc of 2nd International Workshop on Security Issues with Petri Nets and other Computational Models(ENTCS 121). Berlin: Springer-Verlag, 2005: 47–63.
Additional information
Foundation item: Supported by the Natural Science Foundation of Jiangsu Province (Key Program) (BK2011023)
Biography: XU Chungen, male, Ph.D., Professor, research direction: cryptography and information security.
Cite this article
Xu, C., Yang, Y. Off-line dictionary attack on password-based authenticated key exchange protocols. Wuhan Univ. J. Nat. Sci. 17, 468–472 (2012). https://doi.org/10.1007/s11859-012-0872-x
DOI: https://doi.org/10.1007/s11859-012-0872-x