Cryptanalysis of Two Provably Secure Cross-Realm C2C-PAKE Protocols
Password-Authenticated Key Exchange (PAKE) protocols allow parties to share secret keys in an authentic manner based on an easily memorizable password. Byun et al. first proposed a cross realm client-to-client (C2C) PAKE for clients of different realms (with different trusted servers) to establish a key. Subsequent work includes some attacks and a few other variants either to resist existing attacks or to improve the efficiency. However, all these variants were designed with heuristic security analysis despite that well founded provable security models already exist for PAKEs, e.g. the Bellare-Pointcheval-Rogaway model. Recently, the first provably secure cross-realm C2C-PAKE protocols were independently proposed by Byun et al. and Yin-Bao, respectively; i.e. security is proven rigorously within a formally defined security model and based on the hardness of some computationally intractable assumptions. In this paper, we show that both protocols fall to undetectable online dictionary attacks by any adversary. Further we show that malicious servers can launch successful man-in-the-middle attacks on the variant by Byun et al., while the Yin-Bao variant inherits a weakness against unknown key-share attacks. Designing provably secure protocols is indeed the right approach, but our results show that such proofs should be interpreted with care.
KeywordsPassword-authenticated key exchange cross realm client-to-client cryptanalysis provable security security model
Unable to display preview. Download preview PDF.
- 4.Abdalla, M., Pointcheval, D.: Interactive Diffie-Hellman Assumptions with Applications to Password-Based Authentication. Full version of , Available online at: http://www.di.ens.fr/~pointche/pub.php?reference=AbPo05
- 5.Anderson, R.: Security Engineering − A Guide to Building Dependable Distributed Systems. Wiley, USA (2001)Google Scholar
- 6.Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)Google Scholar
- 7.Bellare, M., Rogaway, P.: Provably Secure Session Key Distribution: the Three Party Case. In: Proc. ACM STOC 1995, pp. 57–66 (1995)Google Scholar
- 9.Bellovin, S., Merritt, M.: Encrypted Key Exchange: Passwords based Protocols Secure against Dictionary Attacks. In: Proc. IEEE Symposium on Security & Privacy 1992, pp. 72–84 (1992)Google Scholar
- 13.Chen, L.: A Weakness of the Password-Authenticated Key Agreement between Clients with Different Passwords Scheme. Circulated for consideration at the 27th SC27/WG2 meeting in Paris, France, ISO/IEC JTC 1/SC27 N3716, 2003-10-20.24 (2003)Google Scholar
- 22.Kim, J., Kim, S., Kwak, J., Won, D.: Cryptanalysis and Improvement of Password-Authenticated Key Exchange Scheme between Clients with Different Passwords. In: Laganá, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3043, pp. 895–902. Springer, Heidelberg (2004)CrossRefGoogle Scholar