[KSCI] Korea Science Citation Index Service

http://dx.doi.org/10.3837/tiis.2013.12.016

Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols

Nam, Junghyun (Department of Computer Engineering, Konkuk University)
Choo, Kim-Kwang Raymond (Information Assurance Research Group, Advanced Computing Research Centre, University of South Australia)
Kim, Moonseong (Information and Communications Examination Bureau, Korean Intellectual Property Office)
Paik, Juryon (Department of Computer Engineering, Sungkyunkwan University)
Won, Dongho (Department of Computer Engineering, Sungkyunkwan University)

Publication Information

KSII Transactions on Internet and Information Systems (TIIS) / v.7, no.12, 2013 , pp. 3244-3260 More about this Journal

Abstract

A three-party password-based authenticated key exchange (PAKE) protocol allows two clients registered with a trusted server to generate a common cryptographic key from their individual passwords shared only with the server. A key requirement for three-party PAKE protocols is to prevent an adversary from mounting a dictionary attack. This requirement must be met even when the adversary is a malicious (registered) client who can set up normal protocol sessions with other clients. This work revisits three existing three-party PAKE protocols, namely, Guo et al.'s (2008) protocol, Huang's (2009) protocol, and Lee and Hwang's (2010) protocol, and demonstrates that these protocols are not secure against offline and/or (undetectable) online dictionary attacks in the presence of a malicious client. The offline dictionary attack we present against Guo et al.'s protocol also applies to other similar protocols including Lee and Hwang's protocol. We conclude with some suggestions on how to design a three-party PAKE protocol that is resistant against dictionary attacks.

Keywords

Password-based authenticated key exchange (PAKE); three-party key exchange; password security; offline dictionary attack; undetectable online dictionary attack;

Citations & Related Records

Reference

1	T. Lee and T. Hwang, "Simple Password-Based Three-Party Authenticated Key Exchange without Server Public Keys," Information Sciences, vol. 180, no. 9, pp.1702-1714, 2010. DOI ScienceOn
2	R. Lu and Z. Cao, "Simple Three-Party Key Exchange Protocol," Computers & Security, vol. 26, no. 1, pp. 94-97, 2007. DOI ScienceOn
3	H. Chung and W. Ku, "Three Weaknesses in a Simple Three-Party Key Exchange Protocol," Information Sciences, vol. 178, no. 1, pp. 220-229, 2008. DOI ScienceOn
4	C. Boyd and KKR. Choo, "Security of Two-Party Identity-Based Key Agreement," Progress in Cryptology - Mycrypt 2005, LNCS vol. 3715, pp. 229-243, 2005.
5	KKR. Choo, C. Boyd and Y. Hitchcock, "Errors in Computational Complexity Proofs for Protocols," Advances in Cryptology − Asiacrypt 2005, LNCS vol. 3788, pp. 624-643, 2005.
6	KKR. Choo, C. Boyd and Y. Hitchcock, "The Importance of Proofs of Security for Key Establishment Protocols: Formal Analysis of Jan-Chen, Yang-Shen-Shieh, Kim-Huh-Hwang-Lee, Lin-Sun-Hwang, and Yeh-Sun Protocols," Computer Communications, vol. 29, no. 15, pp. 2788-2797, 2006. DOI ScienceOn
7	M. Gorantla, C. Boyd, J. Nieto and M. Manulis. "Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols," ACM Transactions on Information and System Security, vol. 14, no. 4, Article 28, 2011.
8	H. Chen, T. Chen, W. Lee and C. Chang, "Security Enhancement for a Three-Party Encrypted Key Exchange Protocol against Undetectable On-Line Password Guessing Attacks," Computer Standards & Interfaces, vol. 30, no. 1-2, pp. 95-99, 2008. DOI ScienceOn
9	J. Nam, J. Paik, H. Kang, U. Kim and D. Won, "An Off-Line Dictionary Attack on a Simple Three-Party Key Exchange Protocol," IEEE Communications Letters, vol. 13, no. 3, pp. 205-207, 2009. DOI ScienceOn
10	N. Lo and K. Yeh, "Cryptanalysis of Two Three-Party Encrypted Key Exchange Protocols," Computer Standards & Interfaces, vol. 31, no. 6, pp. 1167-1174, 2009. DOI ScienceOn
11	H. Guo, Z. Li, Y. Mu and X. Zhang, "Cryptanalysis of Simple Three-Party Key Exchange Protocol," Computers & Security, vol. 27, no. 1, pp. 16-21, 2008. DOI ScienceOn
12	E. Yoon and K. Yoo, "Cryptanalysis of a Simple Three-Party Password-Based Key Exchange Protocol," International Journal of Communication Systems, vol. 24, no. 4, pp.532-542, 2011. DOI ScienceOn
13	C. Lin and T. Hwang, "On 'a Simple Three-Party Password-Based Key Exchange Protocol'," International Journal of Communication Systems, vol. 24, no. 11, pp. 1520-1532, 2011. DOI ScienceOn
14	H. Huang, "A Simple Three-Party Password-Based Key Exchange Protocol," International Journal of Communication Systems, vol. 22, no. 7, pp. 857-862, 2009. DOI ScienceOn

Reference

None	(2013) The Scientific World Journal On the Security of a Simple Three-Party Key Exchange Protocol without Server's Public Keys / 2014 (None) , 479534
None	(2014) The Scientific World Journal Security Analysis and Improvement of an Anonymous Authentication Scheme for Roaming Services / 2014 (None) , 687879
None	(2013) The Scientific World Journal Password-Only Authenticated Three-Party Key Exchange Proven Secure against Insider Dictionary Attacks / 2014 (None) , 802359
None	(2014) The Scientific World Journal Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model / 2014 (None) , 825072
8	(2014) KSII Transactions on internet and information systems : TIIS A Secure and Efficient Remote User Authentication Scheme for Multi-server Environments Using ECC / 8 (8) , 2930
6	(2013) 情報保護學會論文誌 효율적인 스마트카드 기반 원격 사용자 인증 스킴의 취약점 분석 및 개선 방안 / 24 (6) , 1027
1	(2015) IEICE transactions on fundamentals of electronics, communications and computer sciences An Offline Dictionary Attack against Abdalla and Pointcheval^\|^apos;s Key Exchange in the Password-Only Three-Party Setting / ea98 (1) , 424
7	(2013) International journal of information and education technology Cryptanalysis of Improved Biometric-Based User Authentication Scheme for C/S System / 5 (7) , 538
7	(2015) International journal of information and education technology Security Weaknesses of a Timestamp-Based User Authentication Scheme with Smart Card / 5 (7) , 553
4	(2015) The journal of the institute of internet, broadcasting and communication : JIIBC C/S 시스템에 적합한 보안성이 강화된 생체정보 기반의 사용자 인증 스킴 / 15 (4) , 43
11	(2013) PLoS ONE Cryptanalysis and Improvement of "A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks" / 10 (11) , e0142716
3	(2016) Journal of Internet Computing and Services 보안성이 향상된 퍼지추출 기술 기반 사용자 인증 및 키 동의 스킴 / 17 (3) , 1
5	(2013) PLoS ONE Security enhanced multi-factor biometric authentication scheme using bio-hash function / 12 (5) , e0176250

1	A Secure and Efficient Remote User Authentication Scheme for Multi-server Environments Using ECC / [Zhang, Junsong;Ma, Jian;Li, Xiong;Wang, Wendong;] / KSII Transactions on Internet and Information Systems (TIIS)
2	Security Analysis and Enhancement on Smart card-based Remote User Authentication Scheme Using Hash Function / [Kim, Youngil;Won, Dongho;] / Journal of the Korea Institute of Information Security & Cryptology