Weaknesses of a Password-Authenticated Key Exchange Protocol between Clients with Different Passwords

  • Shuhong Wang
  • Jie Wang
  • Maozhi Xu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3089)


A password-authenticated key exchange (PAKE) scheme allows two entities who share only a memorable password to authenticate each other and to agree on a cryptographic session key. Rather than the classic client–server scenario, Byun et al. [7] recently proposed a password-authenticated key exchange protocol for a cross-realm setting, in which two clients in different realms obtain a shared secret session key and mutual authentication with the help of their respective servers. In this paper we first point out that the proposed protocol is not secure because of an invalid choice of parameters (specifically, the subgroup generator). We then show in detail that, even with properly chosen parameters, the protocol still has security flaws, and we give three attacks to illustrate its insecurity. Finally, we propose countermeasures that we believe withstand our attacks.
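The abstract's first finding, an invalid subgroup generator, is a generic hazard for any Diffie-Hellman style PAKE over a prime-order subgroup of Z_p^* (the kind of parameter problem studied in [1] and [25]). The Python below is an added example, not code from this paper or from the Byun et al. protocol, and it does not reproduce the paper's three attacks. It shows the parameter check and the per-message subgroup-membership check a practitioner would want, and, on constructed toy parameters (p = 827, p - 1 = 2 * 7 * 59, q = 59), how a "generator" of the wrong order lets an observer recover the secret exponent modulo that small order by brute force. The function names validate_group, is_valid_element, element_order and confine_exponent are this example's own.

```python
# Added example (not code from the paper or from Byun et al.): parameter and
# element checks for a Diffie-Hellman style PAKE over a prime-order subgroup
# of Z_p^*, plus a toy demonstration of why a "generator" of the wrong order
# leaks information about the exponent. All numbers below are constructed toys.

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group(p: int, q: int, g: int) -> list:
    """Check that g generates the subgroup of prime order q in Z_p^*.

    Returns a list of human-readable problems; an empty list means the
    parameters are acceptable. This is the one-time check on published
    parameters that the abstract's "invalid subgroup generator" would fail.
    """
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p - 1")
    if not 1 < g < p - 1:
        problems.append("g is not in 2..p-2")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return problems


def is_valid_element(y: int, p: int, q: int) -> bool:
    """Accept a received protocol value only if it is a non-trivial element of
    the order-q subgroup. Run this on every incoming group element before
    exponentiating it with a secret."""
    return 1 < y < p and pow(y, q, p) == 1


def element_order(h: int, p: int) -> int:
    """Multiplicative order of h in Z_p^*, by brute force (toy sizes only)."""
    k, x = 1, h % p
    while x != 1:
        x = x * h % p
        k += 1
    return k


def confine_exponent(h: int, y: int, p: int):
    """Given y = h^x mod p, recover x mod ord(h) by brute force.

    If h has small order the search is cheap and reveals the exponent modulo
    that order; with a proper order-q generator the same search is infeasible.
    Returns (x mod ord(h), ord(h)).
    """
    order = element_order(h, p)
    for x in range(order):
        if pow(h, x, p) == y:
            return x, order
    raise ValueError("y is not in the subgroup generated by h")


# Constructed toy parameters: p = 827, p - 1 = 2 * 7 * 59, q = 59.
P, Q = 827, 59
GOOD_G = pow(2, (P - 1) // Q, P)   # 671, an element of order 59
BAD_G = pow(2, (P - 1) // 14, P)   # 337, an element of order 14, not 59

if __name__ == "__main__":
    print("good parameters:", validate_group(P, Q, GOOD_G))
    print("bad parameters: ", validate_group(P, Q, BAD_G))
    secret = 37                                  # toy exponent
    leaked, order = confine_exponent(BAD_G, pow(BAD_G, secret, P), P)
    print(f"observer learns secret mod {order} = {leaked}")
```

With the good parameters validate_group returns no problems; with the order-14 element it reports that g does not have order q, and confine_exponent recovers 37 mod 14 = 9 from the single public value 337^37 mod 827. At real sizes the order-q search is infeasible, which is exactly why the parameter check and the per-message is_valid_element check are what separate the two cases.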


Keywords: Password-authenticated key exchange; Cross-realm setting; Security; Dictionary attacks




References

  1. Anderson, R., Vaudenay, S.: Minding Your p's and q's. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 26–35. Springer, Heidelberg (1996)
  2. Bao, F.: Security Analysis of a Password Authenticated Key Exchange Protocol. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 208–217. Springer, Heidelberg (2003)
  3. Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  4. Bellovin, S., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 72–84 (1992)
  5. Bellovin, S., Merritt, M.: Augmented Encrypted Key Exchange: A Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise. In: 1st ACM Conference on Computer and Communications Security (CCS 1993), pp. 244–250 (1993)
  6. Boyko, V., MacKenzie, P., Patel, S.: Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 156–171. Springer, Heidelberg (2000)
  7. Byun, J.W., Jeong, I.R., Lee, D.H., Park, C.-S.: Password-Authenticated Key Exchange Between Clients with Different Passwords. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 134–146. Springer, Heidelberg (2002)
  8. Di Crescenzo, G., Kornievskaia, O.: Efficient Kerberized Multicast in a Practical Distributed Setting. In: ISC 2001. LNCS, vol. 2200. Springer, Heidelberg (2001)
  9. Diffie, W., van Oorschot, P., Wiener, M.: Authentication and Authenticated Key Exchange. Designs, Codes and Cryptography 2, 107–125 (1992)
  10. Gong, L.: Optimal Authentication Protocols Resistant to Password Guessing Attacks. In: 8th IEEE Computer Security Foundations Workshop, pp. 24–29 (1995)
  11. Gong, L., Lomas, M., Needham, R., Saltzer, J.: Protecting Poorly Chosen Secrets from Guessing Attacks. IEEE Journal on Selected Areas in Communications 11(5), 648–656 (1993)
  12. Hwang, Y.H., Yum, D.H., Lee, P.J.: EPA: An Efficient Password-Based Protocol for Authenticated Key Exchange. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 452–463. Springer, Heidelberg (2003)
  13. Jablon, D.: Strong Password-Only Authenticated Key Exchange. ACM Computer Communications Review 26(5), 5–20 (1996)
  14. Jaspan, B.: Dual-Workfactor Encrypted Key Exchange: Efficiently Preventing Password Chaining and Dictionary Attacks. In: Proceedings of the 6th USENIX Security Symposium, pp. 43–50 (July 1996)
  15. Kwon, T.: Authentication and Key Agreement via Memorable Password. In: Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS 2001) (2001)
  16. Kwon, T., Kang, M., Jung, S., Song, J.: An Improvement of the Password-Based Authentication Protocol (K1P) on Security against Replay Attacks. IEICE Trans. Commun. E82-B(7), 991–997 (1999)
  17. Kwon, T., Kang, M., Song, J.: An Adaptable and Reliable Authentication Protocol for Communication Networks. In: Proceedings of IEEE INFOCOM 1997, pp. 737–744 (1997)
  18. Lim, C.H., Lee, P.J.: Several Practical Protocols for Authentication to Threshold Cryptosystems. Information Processing Letters 53, 91–96 (1995)
  19. Lin, C.-L., Sun, H.-M., Hwang, T.: Three-Party Encrypted Key Exchange: Attacks and a Solution. ACM Operating Systems Review 34(4), 12–20 (2000)
  20. Lin, C.-L., Sun, H.-M., Hwang, T.: Three-Party Encrypted Key Exchange Without Server Public Keys. IEEE Communications Letters 5(12), 497–499 (2001)
  21. Lucks, S.: Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 79–90. Springer, Heidelberg (1998)
  22. MacKenzie, P., Patel, S., Swaminathan, R.: Password-Authenticated Key Exchange Based on RSA. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 599–613. Springer, Heidelberg (2000)
  23. MacKenzie, P.: The PAK Suite: Protocols for Password-Authenticated Key Exchange. Submission to IEEE P1363.2 (April 2002)
  24. MacKenzie, P.: More Efficient Password-Authenticated Key Exchange. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 361–377. Springer, Heidelberg (2001)
  25. Mao, W., Lim, C.H.: Cryptanalysis in Prime Order Subgroups of Z_n^*. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 214–226. Springer, Heidelberg (1998)
  26. Patel, S.: Number Theoretic Attacks on Secure Password Schemes. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 236–247 (1997)
  27. Steiner, J.G., Neuman, B.C., Schiller, J.I.: Kerberos: An Authentication Service for Open Network Systems. In: USENIX Winter Conference Proceedings, pp. 191–202 (February 1988)
  28. Steiner, M., Tsudik, G., Waidner, M.: Refinement and Extension of Encrypted Key Exchange. ACM SIGOPS Operating Systems Review 29(3), 22–30 (1995)
  29. Wan, Z., Wang, S.: Cryptanalysis of Two Password-Authenticated Key Exchange Protocols. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 164–175. Springer, Heidelberg (2004)
  30. Wu, T.: The Secure Remote Password Protocol. In: ISOC Network and Distributed System Security Symposium (NDSS 1998) (1998)
  31. Zhu, F., Wong, D.S., Chan, A.H., Ye, R.: Password Authenticated Key Exchange Based on RSA for Imbalanced Wireless Networks. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 150–161. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Shuhong Wang (1)
  • Jie Wang (1)
  • Maozhi Xu (1)
  1. School of Mathematical Sciences, Peking University, China