Cryptanalysis of Lo et al.’s Password Based Authentication Scheme

Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 131)

Abstract

A key exchange protocol allows more than two parties to communicate over the insecure channel to establish common shared secret key called session key. Due to the significance of this notion to establish secure communication among parties, in literature there have been numerous approach have been proposed and analyzed based on their merits and de-merits. Recently, Lo et al. proposed a 3-party Password based Authenticated Key Exchange protocol in which two or more users equipped with pre-shared secrets to the server and can able to generate the session key with the help of the server. They claimed that their approach is resist against any known attacks. However, we observe that their protocol is not secure against against off-line password guessing attack, long term secret compromise attack as well as compromise of previous session can lead to compromise all involving users for future communication. Therefore, in this this paper first we have analyzed these attacks and suggest the improve scheme that overcomes these attacks.

Keywords

Attack Cryptanalysis Offline password Key exchange  Authendication 

References

  1. 1.
    Bellovin SM, Merritt M (1992) Encrypted key exchange: password-based protocols secure against dictionary attacks. In: IEEE symposium on security and privacy, pp 72–84, IEEE Computer Society PressGoogle Scholar
  2. 2.
    Abdalla M, Pointcheval D (2005) Simple password-based encrypted key exchange protocols. In: Menezes A (ed) CT-RSA 2005. LNCS, vol 3376. Springer, Heidelberg, pp 191–208Google Scholar
  3. 3.
    Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. In: Preneel B (ed) EUROCRYPT 2000. LNCS, vol 1807. Springer, Heidelberg, pp 139–155Google Scholar
  4. 4.
    Abdalla M, Chevalier C, Pointcheval D (2009) Smooth projective hashing for conditionally extractable commitments. In: Halevi S (ed) CRYPTO 2009. LNCS, vol 5677. Springer, Heidelberg, pp 671–689Google Scholar
  5. 5.
    Boyko V, MacKenzie PD, Patel S (2000) Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel B (ed) EUROCRYPT 2000. LNCS, vol 1807. Springer, Heidelberg, pp 156–171Google Scholar
  6. 6.
    Bresson E, Chevassut O, Pointcheval D () Security proofs for an efficient password-based key exchange. In: Jajodia S, Atluri V, Jaeger T (eds) Proceedings of the 10th conference on computer and communications security (ACM CCS 2003), ACM Press, pp 241–250Google Scholar
  7. 7.
    Bresson E, Chevassut O, Pointcheval D (2004) New security results on encrypted key exchange. In: Bao F, Deng R, Zhou J (eds) PKC 2004. LNCS, vol 2947. Springer, Heidelberg, pp 145–158Google Scholar
  8. 8.
    Canetti R, Halevi S, Katz J, Lindell Y, MacKenzie P (2005) Universally composable password-based key exchange. In: Cramer R (ed) EUROCRYPT 2005. LNCS, vol 3494. Springer, Heidelberg, pp 404–421Google Scholar
  9. 9.
    Gennaro R (2008) Faster and shorter password-authenticated key exchange. In: Canetti R (ed) TCC 2008. LNCS, vol 4948. Springer, Heidelberg, pp 589–606Google Scholar
  10. 10.
    Gennaro R, Lindell Y (2003) A framework for password-based authenticated key exchange. In: Biham E (ed) EUROCRYPT 2003. LNCS, vol 2656. Springer, Heidelberg, pp 524–543Google Scholar
  11. 11.
    Katz J, Ostrovsky R, Yung M (2001) Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann B (ed) EUROCRYPT 2001. LNCS, vol 2045. Springer, Heidelberg, pp 475–494Google Scholar
  12. 12.
    Katz J, Vaikuntanathan V (2009) Smooth projective hashing and password-based authenticated key exchange from lattices. In: Matsui M (ed) ASIACRYPT 2009. LNCS, vol 5912. Springer, Heidelberg, pp 636–652Google Scholar
  13. 13.
    Katz J, Vaikuntanathan V (2011) Round-optimal password-based authenticated key exchange. In: Ishai Y (ed) TCC 2011. LNCS, vol 6597. Springer, Heidelberg, pp 293–310Google Scholar
  14. 14.
    Pointcheval D (2012) Exchange password-based authenticated key. PUBLIC KEY CRYPTOGRAPHY - PKC-2012, Lecture notes in computer science, vol 7293. pp 390–397, doi:10.1007/978-3-642-30057-8_23Google Scholar
  15. 15.
    Kobara K, Imai H (2002) Pretty-simple password authenticated key-exchange under standard assumptions. IEICE Trans E85-A(10):2229–2237Google Scholar
  16. 16.
    Bresson E, Chevassut O, Pointcheval D (2004) New security results on encrypted key exchange. In: Proceedings of PKC 2004, LNCS, vol 2947, pp 145–158Google Scholar
  17. 17.
    Boyd C, Montague P, Nguyen K (2001) Elliptic curve based password authenticated key exchange protocols. In: Proceedings of 28th australasian conference on information security and privacy—ACISP 2001, LNCS, vol. 2119, pp 487–501Google Scholar
  18. 18.
    Abdalla M, Pointcheval D (2005) Simple password-based encrypted key exchange protocols. In: Proceedings of topics in cryptology—CT-RSA 2005. LNCS, vol. 3376, pp 191–208Google Scholar
  19. 19.
    Abdalla M, Chevassut O, Pointcheval D (2005) One-time verifier-based encrypted key exchange. In: Proceedings of PKC ’05, LNCS, vol. 3386 pp 47–64Google Scholar
  20. 20.
    K. Kobara, H. Imai (2002) Pretty-simple passwordauthenticated key exchange under standard assumptions. IEICE Trans E85-A(10):2229–2237Google Scholar
  21. 21.
    Bellare M, Pointcheval D, Rogaway P (2000) Authenticated key exchange secure against dictionary attacks. In: Proceedings of the advances in cryptology (EUROCRYPT’2000), Springer, Berlin, pp 139–155Google Scholar
  22. 22.
    Bresson E, Chevassut O, Pointcheval D (2004) New security results on encrypted key exchange. In: Proceedings of PKC 2004, LNCS, vol 2947. Springer, Heidelberg, pp 145–158Google Scholar
  23. 23.
    Abdalla M, Pointcheval D (2005) Simple password-based encrypted key exchange protocols. In: Proceedings of topics in cryptology—CT-RSA 2005, LNCS, vol 3376. Springer, Heidelberg, pp 191–208Google Scholar
  24. 24.
    Abdalla M, Chevassut O, Pointcheval D (2005) One-time verifier-based encrypted key exchange. Proceedings of PKC ’05, LNCS, vol 3386. Springer, Heidelberg, pp 47–64Google Scholar
  25. 25.
    Ding Y, Horster P (1995) Undetectable on-line password guessing attacks. ACM Oper Syst Rev 29(4):77–86Google Scholar
  26. 26.
    Lin CL, Sun HM, Hwang T (2000) Three party-encrypted key exchange: attacks and a solution. ACM Oper Syst Rev 34(4):12–20Google Scholar
  27. 27.
    Lee TF, Hwang T, Lin CL (2004) Enhanced three-party encrypted key exchange without server public keys. Comput Secur 23(7):571–577Google Scholar
  28. 28.
    Wen HA, Lee TF, Hwang T (2005) Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. IEE Proc Commun 152(2):138–143Google Scholar
  29. 29.
    Nam J, Lee Y, Kim S, Won D (2007) Security weakness in a three-party pairing-based protocol for password authenticated key exchange. Inf Sci 177(6):1364–1375Google Scholar
  30. 30.
    Yeh HT, Sun HM (2004) Password-based user authentication and key distribution protocols for client-server applications. J Syst Softw 72(1):97–103Google Scholar
  31. 31.
    Yoon E-J, Yoo K-Y (2012) Cryptanalysis of an efficient three-party password-based key exchange scheme, In: Procedia Engineering, vol 29, pp 3972–3979, ISSN 1877–7058, doi: 10.1016/j.proeng.2012.01.604
  32. 32.
    Steiner M, Tsudik G, Waidner M (1995) Refinement and extension of encrypted key exchange. ACM Oper Syst Rev 29:22–30Google Scholar
  33. 33.
    Lin CL, Sun HM, Hwang T (2000) Three-party encrypted key exchange: attacks and a solution. ACM Oper Syst Rev 34:12–20Google Scholar
  34. 34.
    Chang CC, Chang YF (2004) A novel three-party encrypted key exchange protocol. Comput Stand Interfaces 26(5):472–476Google Scholar
  35. 35.
    Lee TF, Hwang T, Lin CL (2004) Enhanced three-party encrypted key exchange without server public keys. Comput Secur 23(7):571–577Google Scholar
  36. 36.
    Lee SW, Kim HS, Yoo KY (2005) E?cient verifier-based key agreement protocol for three parties without server’s public key. Appl Math Comput 167(2):996–1003Google Scholar
  37. 37.
    Sun HM, Chen BC, Hwang T (2005) Secure key agreement protocols for three-party against guessing attacks. J Syst Softw 75:63–68Google Scholar
  38. 38.
    Lu RX, Cao ZF (2007) Simple three-party key exchange protocol. Comput Secur 26:94–97Google Scholar
  39. 39.
    Yoon EJ, Yoo KY (2008) Improving the novel three-party encrypted key exchange protocol. Comput Stand Interfaces 30(5):309–314Google Scholar
  40. 40.
    Phan RCW, Yau WC, Goi BM (2008) Cryptanalysis of simple three-party key exchange protocol (S-3PAKE). Inf Sci 178:2849–2856Google Scholar
  41. 41.
    Guo H, Li Z (2008) Cryptanalysis of simple three-party key exchange protocol. Comput Secur 27:16–21Google Scholar
  42. 42.
    Kim HS, Choi JY (2009) Enhanced password-based simple three-party key exchange protocol. Comput Electr Eng 35:107–114Google Scholar
  43. 43.
    Huang HF (2009) A simple three-party password-based key exchange protocol. Int J Commun Syst 22:857–862Google Scholar
  44. 44.
    Yang JH, Chang CC (2009) An e?cient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments. J Syst Softw 82(9):1497–1502Google Scholar
  45. 45.
    Ding Y, Horster P (1995) Undetectable on-line password guessing attacks. ACM Oper Syst Rev 29(4):77–86Google Scholar
  46. 46.
    Lo NW, Yeh K-H (2010) A practical three-party authenticated key exchange protocol. Int J Innovative Comput Inf Control 6(6):2469–2483Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.National Institute of TechnologySuratIndia
  2. 2.S N P I T & R CVidyabharti CampusUmrakhIndia

Personalised recommendations