1. Introduction
Key exchange (also known as key establishment) is defined to be any process whereby a shared high-entropy key (also known as a session key) becomes available to two or more parties for subsequent cryptographic use. Password-based authenticated key exchange (PAKE) protocols are a class of key exchange protocols, and enable two or more parties communicating over a public network to generate a session key from their low-entropy passwords which are easy for humans to remember. It is generally regarded that the design of secure key exchange protocols (including PAKE protocols) is notoriously hard [1][2][3][4], and conducting security analysis for such protocols is time-consuming and error-prone. One of the key challenges in designing a PAKE protocol, for example, is to prevent dictionary attacks, in which an attacker exhaustively enumerates all possible passwords to discover the correct password. Dictionary attacks have been used by both criminals as well as law enforcement officers and digital forensics practitioners to gain access to password-protected data (e.g. on smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms - see Elcomsoft Phone Password Breaker http://www.elcomsoft.com/eppb.html). The difficulty of designing PAKE protocols secure against dictionary attacks is increased in the three-party setting. Unlike the two-party setting where each pair of parties is assumed to hold a shared password, the three-party setting assumes that each party (commonly known as a client) shares no password with other clients but holds their individual password shared only with a trusted server. Therefore in three-party PAKE protocols, protocol designers would have to consider the security of passwords against attacks by malicious clients who can set up normal protocol sessions with other clients (see [5][6][7][8][9]).
Dictionary attacks can be classified into two types, online and offline. Unlike offline dictionary attacks where password guesses can be verified offline, online dictionary attacks are the ones where the attacker verifies each password guess via a new online transaction with the server. However, detectable online dictionary attacks are considered as insignificant since the server may lock out the problematic client after a certain number of invalid transactions. Informally, a three-party PAKE protocol is secure if detectable online dictionary attacks are the best possible attacks that an adversary can mount against the protocol. In other words, three-party PAKE protocols should be able to resist undetectable online dictionary attacks as well as offline dictionary attacks.
In this work, we revisit three existing three-party PAKE protocols, namely, Guo et al.’s (2008) protocol [10], Huang’s (2009) protocol [11], and Lee and Hwang’s (2010) protocol [12]. We demonstrate that all three protocols are insecure against dictionary attacks in the presence of a malicious client. More specifically, we mount an offline dictionary attack against Guo et al.’s protocol, a combined offline and online dictionary attack against Huang’s protocol, and an undetectable online dictionary attack against Lee and Hwang’s protocol. The offline dictionary attack mounted against Guo et al.’s protocol also applies to Lee and Hwang’s protocol and the protocols of [13][14][6] (see Section 2.2). By identifying these vulnerabilities, we hope that similar security failures can be prevented in the future design of three-party PAKE protocols. We present simple countermeasures for Guo et al.’s protocol and Lee and Hwang’s protocol, but the existence of a security proof for the modified protocols remains an open question. We also suggest ways in which designers of three-party PAKE protocols can reduce the possibility of dictionary attacks.
2. Revisiting Guo et al.’s Protocol
This section revisits the three-party PAKE protocol proposed by Guo, Lia, Mu and Zhang in 2008 [10], and demonstrates that this protocol is susceptible to an offline dictionary attack in the presence of a malicious client.
2.1 Protocol Description
In the three-party setting, a trusted server S provides its registered clients with a central authentication service. Let A and B be two registered clients who wish to establish a session key, and pwA and pwB denote the passwords of A and B respectively shared with S via a secure channel. The protocol’s public parameters include:
The protocol depicted in Fig. 1 works as follows:
1. A (and B) and S establish a shared secret key kAS (kBS respectively) by running the two-party protocol 2PAKE.
2. A chooses a random x∈Zq, computes X=gx, X*= X·MpwA and δA= MackAS(X*), and send
3. B selects a random y∈Zq, computes Y=gy, Y*= Y·NpwB and δB= MackBS(Y*), and send
4. Using Ver, S verifies that δA and δB are both valid. If either verification fails, S aborts the protocol. Othereise, S recovers X=X*/MpwAand Y=Y*/Y·NpwB, selects a random z ∈ Zq, and compute
Then S sends to B.
Fig. 1.Guo et al.’s three-party PAKE protocol [10]
5. After receiving , B computes
B Then sends to A.
6. Upon receiving , A computes
A then checks if the equation α=F(A║B║K) holds. If it does not hold, A aborts the protocol. Otherwise, A computes the session key sk = H(A║B║K) and β =F(B║A║K), and sends<β> to B.
7. B checks if the equation β =F(B║A║K) holds. If it holds, B coputes the session key sk = H(A║B║K). Othrwise, B aborts the protocol.
The correctness of the protocol is straightforward to verify, as shown below.
and
2.2 A Previously Unpublished Offline Dictionary Attack, and a Simple Fix
Guo et al.’s protocol described above is vulnerable to the following dictionary attack where a malicious client A is able to verify all guesses on the password of client B in an offline manner.
Step 1. The attacker A initiates the protocol with the targeted client B , establishes a shared secret key kASwith S, and then sends the message
Step 2. A eavesdrops on the message
Step 3. When S sends the message to B, A replaces it with the forged message where
Since was replaced with , B will compute α as where
Step 4. Once the message is received from B , A aborts the protocol indicating that the session-key computation has failed due to an unexpected error, and then computes
Step 5. A makes a guess on the password pwB and computes
Step 6. A verifies the correctness of by checking that α is equal to α'. If they are equal, then is the correct password with an overwhelming probability.
Step 7. A repeats Steps 5 & 6 until the correct password is found.
This offline dictionary attack can have devastating implications for all clients registered with the server since the attack is likely to go undetected and the victim could be any of the clients. A possible countermeasure against the attack is to modify the server’s message from to where and
Guo et al.’s protocol was proposed as a fix to the flaws they found on the protocol of Lu and Cao (2007) [13]. We note that the offline dictionary attack above also applies to Lu and Cao’s protocol [13] - see Appendix A - as well as its successors [14] [6].
3. Revisiting Huang’s Protocol
In 2009, Huang [11] proposed a three-party PAKE protocol, claiming that the proposed protocol provides both security and efficiency without recourse to the use of server’s public keys. However in 2011, Yoon and Yoo [8] pointed out that Huang’s protocol is vulnerable not only to undetectable online dictionary attacks but also to offline dictionary attacks. In the same year, Lin and Hwang [9] also presented an undetectable online dictionary attack against Huang’s protocol. In this section, we present a different (previously unpublished) dictionary attack against Huang’s protocol, which is a combination of offline dictionary attacks and (undetectable) online dictionary attacks.
3.1 Protocol Description
Let A and B be two clients who wish to establish a session key, and pwA and pwB denote the passwords of A and B respectively shared with a trusted server S. Let p be a large prime number such that p-1 has a large prime factor q. Let G be a cyclic multiplicative subgroup of that has a prime order q, and g be a random generator of G (and the original protocol specification requires q≥2256).
The protocol depicted in Fig. 2 works as follows:
1. A chooses a random number x∈Zq and computes
where h is a cryptographic hash function and the symbol denotes the bitwise XOR operation. A sends
2. B selects a random number y ∈ Zq and computes
B then sends
3. After receiving
Next, S selects a random number y ∈ Zq and computes
S then
Fig. 2.Huang’s three-party PAKE protocol [11]
4. Upon receiving
Then B sends
5. After receiving
Then, A checks whether the equation σB=h(K║B) holds or not. If it does not hold, A aborts the protocol. Otherwise, A sets the session key sk equal to K, computes σA=h(K║A), and sends σA to B.
6. B checks whether the equation σA=h(K║A) holds or not. If it does not hold, B aborts the protocol. Otherwise, B sets the session key to sk=K.
The correctness of the protocol can be easily verified as shown below.
and
3.2 A Previously Unpublished Combined Offline and Online Dictionary Attack
Our dictionary attack against Huang’s protocol exploits two flaws in the design of the protocol: (1) the server does not authenticate any message from the clients and (2) the publicly transmitted keying materials ( i.e., RA, RB, RSA and RSB) are computed using the bitwise XOR operation when the multiplicative subgroup G is not closed under the XOR operation.
Let D be the set of all possible passwords. Assume that B is a malicious client who wants to discover the password of client A. The attack works as follows:
Step 1. The attacker B runs the protocol with client A and stores the first message
Step 2. For each , B computes
and checks whether X' is an element of G or not. If X'∉G, B deletes from the dictionary If X'∉G, then . If we assume that p is a safe prime (i.e., p=2q+1), this step would cut the size of D about in half.
Step 3. B generates RB as specified in the protocol and sends
Step 4. For each , B computes
and checks whether or not. If , B set D=D, .
The number of iterations of Steps 3 & 4 required to determine the correct password is bounded by log2 |D| in the p=2q+1. If p is much greater than q (e.g., log2 p=1024 and log2 q=512), performing Step 2 once will be sufficient to determine the correct password (with an overwhelming probability) and thus, no iterative pruning is needed.
It appears that there is no quick tweak we can apply to make Huang’s protocol resistant to dictionary attacks such as the above. Note that simply replacing the bitwise XOR operation with the multiplicative operation would make the protocol vulnerable to such an attack as the one we presented against Guo et al.’s protocol in Section 2.2.
4. Revisiting Lee and Hwang’s Protocol
We now revisit the last of the three protocols, namely Lee and Hwang’s three-party PAKE protocol [12]―S-IA-3PAKE.
4.1 Protocol Description
Let S be the trusted server, and A and B be two registered clients of S who wish to establish a shared session key. We denote the passwords of A and B by pwA and pwB respectively. The S-IA-3PAKE protocol uses the following public parameters: (1) a large prime p and a generator g of Zp, (2) two random elements M and N of Zp, (3) cryptographic hash function H used as a key derivation function, and (4) a pair of MAC generation/verification algorithms (Mac,Ver), where Ver outputs a bit, with 1 meaning accept and 0 meaning reject.
S-IA-3PAKE (see Fig. 3) works as follows:
Step 1. A chooses a random x∈Zp, computes X=gx and X*= X·MpwA, and sends
Step 2. B chooses a random y∈Zp, computes Y=gy and Y*=Y·MpwB, and sends
Step 3. S chooses a random w∈Zp and computes
S then sends and to A and B respectively.
Step 4. A computes the key derivation secret, , and the session key, skA=H(A║B║KA). Meanwhile, B computes and skB=H(A║B║KB).
Step 5. A and B perform key confirmation by exchanging σAB=MacskA(A║B) and σBA=MacskB(B║A) and verifying them in the straightforward way.
The correctness of S-IA-3PAKE can be easily verified from KA = KB =gxyw.
4.2 A Previously Unpublished Undetectable Online Dictionary Attack, and a Simple Fix
We now demonstrate that S-IA-3PAKE is susceptible to a previously unpublished undetectable online dictionary attack. Suppose that A is a malicious client who wants to discover the password of client B . The attack works as follows:
Step 1. The attacker A notifies the server S that she wants to establish a session key with B .
Step 2. A chooses a random x∈Zp, computes X=gx and X*= X·MpwA, sends S the message
Step 3. A makes a guess on the pwB, computes Y* as , and sends S the message
Fig. 3.S-IA-3PAKE: Lee and Hwang’s three-party PAKE protocol [12]
Step 4. After receiving U*=U·NpwA form S, A computes the secret key kAS = gxu as per the protocol specification.
Step 5. When S sends V*=V·NpwB to B , A intercepts it and computes and .
Step 6. If is the correct password, then the value computed by S would be equal to After receiving and intercepting , A computes
and verifies the correctness of by checking that is equal to . Note that if , then it must hold that .
This online dictionary attack is undetectable and can be mounted repeatedly until the correct password is found. An obvious fix is to add client-to-server authentication, where both clients A and B send the authenticators σAS=MackAS(A║B║S) and σBS=MackBS(B║A║S) to the server S respectively
The S-IA-3PAKE protocol is also vulnerable to an offline dictionary attack similar to the one we presented against Guo et al.’s protocol in Section 2.2. Due to similarity, we omit the details of the attack scenario. To address this vulnerability, we recommend to modify the server’s messages and respectively to and , where and .
5. Concluding Remarks
We have examined several existing three-party PAKE protocols, including Guo et al.’s (2008) protocol [10], Huang’s (2009) protocol [11], and and Hwang’s (2010) protocol [12], and demonstrated that they are vulnerable to previously unpublished offline and/or online dictionary attacks by a malicious client. This research confirms that achieving password security in the presence of a malicious client remains a challenging task in designing an efficient three-party PAKE protocol. Based on our findings, we propose that designers of three-party PAKE protocols should consider the following principles to mitigate dictionary attacks:
Guo et al.’s protocol and Huang’s protocol do not have accompanying proofs of security. Although Lee and Hwang’s protocol carries a proof of security, the proof model used does not allow the adversary to corrupt protocol participants and thus cannot capture any kind of insider attacks, in particular, offline and online dictionary attacks by a malicious client. In other words, our dictionary attacks do not invalidate the existing proof of security for Lee and Hwang’s protocol. As such, we recommend that protocol designers choose an appropriate proof model that adequately captures all the security requirements, so that protocol implementers can be assured of the security properties of protocols.
References
- C. Boyd and KKR. Choo, "Security of Two-Party Identity-Based Key Agreement," Progress in Cryptology - Mycrypt 2005, LNCS vol. 3715, pp. 229-243, 2005.
- KKR. Choo, C. Boyd and Y. Hitchcock, "Errors in Computational Complexity Proofs for Protocols," Advances in Cryptology − Asiacrypt 2005, LNCS vol. 3788, pp. 624-643, 2005.
- KKR. Choo, C. Boyd and Y. Hitchcock, "The Importance of Proofs of Security for Key Establishment Protocols: Formal Analysis of Jan-Chen, Yang-Shen-Shieh, Kim-Huh-Hwang-Lee, Lin-Sun-Hwang, and Yeh-Sun Protocols," Computer Communications, vol. 29, no. 15, pp. 2788-2797, 2006. https://doi.org/10.1016/j.comcom.2005.10.030
- M. Gorantla, C. Boyd, J. Nieto and M. Manulis. "Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols," ACM Transactions on Information and System Security, vol. 14, no. 4, Article 28, 2011.
- H. Chen, T. Chen, W. Lee and C. Chang, "Security Enhancement for a Three-Party Encrypted Key Exchange Protocol against Undetectable On-Line Password Guessing Attacks," Computer Standards & Interfaces, vol. 30, no. 1-2, pp. 95-99, 2008. https://doi.org/10.1016/j.csi.2007.08.010
- J. Nam, J. Paik, H. Kang, U. Kim and D. Won, "An Off-Line Dictionary Attack on a Simple Three-Party Key Exchange Protocol," IEEE Communications Letters, vol. 13, no. 3, pp. 205-207, 2009. https://doi.org/10.1109/LCOMM.2009.081609
- N. Lo and K. Yeh, "Cryptanalysis of Two Three-Party Encrypted Key Exchange Protocols," Computer Standards & Interfaces, vol. 31, no. 6, pp. 1167-1174, 2009. https://doi.org/10.1016/j.csi.2009.03.002
- E. Yoon and K. Yoo, "Cryptanalysis of a Simple Three-Party Password-Based Key Exchange Protocol," International Journal of Communication Systems, vol. 24, no. 4, pp.532-542, 2011. https://doi.org/10.1002/dac.1168
- C. Lin and T. Hwang, "On 'a Simple Three-Party Password-Based Key Exchange Protocol'," International Journal of Communication Systems, vol. 24, no. 11, pp. 1520-1532, 2011. https://doi.org/10.1002/dac.1304
- H. Guo, Z. Li, Y. Mu and X. Zhang, "Cryptanalysis of Simple Three-Party Key Exchange Protocol," Computers & Security, vol. 27, no. 1, pp. 16-21, 2008. https://doi.org/10.1016/j.cose.2008.03.001
- H. Huang, "A Simple Three-Party Password-Based Key Exchange Protocol," International Journal of Communication Systems, vol. 22, no. 7, pp. 857-862, 2009. https://doi.org/10.1002/dac.1002
- T. Lee and T. Hwang, "Simple Password-Based Three-Party Authenticated Key Exchange without Server Public Keys," Information Sciences, vol. 180, no. 9, pp.1702-1714, 2010. https://doi.org/10.1016/j.ins.2010.01.005
- R. Lu and Z. Cao, "Simple Three-Party Key Exchange Protocol," Computers & Security, vol. 26, no. 1, pp. 94-97, 2007. https://doi.org/10.1016/j.cose.2006.08.005
- H. Chung and W. Ku, "Three Weaknesses in a Simple Three-Party Key Exchange Protocol," Information Sciences, vol. 178, no. 1, pp. 220-229, 2008. https://doi.org/10.1016/j.ins.2007.08.004
Cited by
- On the Security of a Simple Three-Party Key Exchange Protocol without Server's Public Keys vol.2014, pp.None, 2013, https://doi.org/10.1155/2014/479534
- Security Analysis and Improvement of an Anonymous Authentication Scheme for Roaming Services vol.2014, pp.None, 2014, https://doi.org/10.1155/2014/687879
- Password-Only Authenticated Three-Party Key Exchange Proven Secure against Insider Dictionary Attacks vol.2014, pp.None, 2013, https://doi.org/10.1155/2014/802359
- Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model vol.2014, pp.None, 2014, https://doi.org/10.1155/2014/825072
- A Secure and Efficient Remote User Authentication Scheme for Multi-server Environments Using ECC vol.8, pp.8, 2014, https://doi.org/10.3837/tiis.2014.08.021
- 효율적인 스마트카드 기반 원격 사용자 인증 스킴의 취약점 분석 및 개선 방안 vol.24, pp.6, 2013, https://doi.org/10.13089/jkiisc.2014.24.6.1027
- An Offline Dictionary Attack against Abdalla and Pointcheval^|^apos;s Key Exchange in the Password-Only Three-Party Setting vol.ea98, pp.1, 2015, https://doi.org/10.1587/transfun.e98.a.424
- Cryptanalysis of Improved Biometric-Based User Authentication Scheme for C/S System vol.5, pp.7, 2013, https://doi.org/10.7763/ijiet.2015.v5.564
- Security Weaknesses of a Timestamp-Based User Authentication Scheme with Smart Card vol.5, pp.7, 2015, https://doi.org/10.7763/ijiet.2015.v5.567
- C/S 시스템에 적합한 보안성이 강화된 생체정보 기반의 사용자 인증 스킴 vol.15, pp.4, 2015, https://doi.org/10.7236/jiibc.2015.15.4.43
- Cryptanalysis and Improvement of "A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks" vol.10, pp.11, 2013, https://doi.org/10.1371/journal.pone.0142716
- 보안성이 향상된 퍼지추출 기술 기반 사용자 인증 및 키 동의 스킴 vol.17, pp.3, 2016, https://doi.org/10.7472/jksii.2016.17.3.01
- Security enhanced multi-factor biometric authentication scheme using bio-hash function vol.12, pp.5, 2013, https://doi.org/10.1371/journal.pone.0176250