Browse > Article
http://dx.doi.org/10.13089/JKIISC.2012.22.3.473

On the Security of a New C2C-PAKA Protocol  

Byun, Jin-Wook (Pyeongtaek University, Department of Information and Communication)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.22, no.3, 2012 , pp. 473-483 More about this Journal
Abstract
To achieve an entire end-to-end security, the classical authentication setting such that all participants have a same password is not practical since a password is not a common secret but a personal secret depending on an individual. Thus, an efficient client to client different password-based authenticated key agreement protocol (for short, EC2C-PAKA) has been suggested in the cross-realm setting. Very recently, however, a security weakness of the EC2C-PAKA protocol has been analyzed by Feng and Xu. They have claimed that the EC2C-PAKA protocol is insecure against a password impersonation attack. They also have presented an improved version of the EC2C-PAKA protocol. In this paper, we demonstrate that their claim on the insecurity of EC2C-PAKA protocol against a password impersonation attack is not valid. We show that the EC2C-PAKA protocol is still secure against the password impersonation attack. In addition, ironically, we show that the improved protocol by Feng and Xu is insecure against an impersonation attack such that a server holding password of Alice in realm A can impersonate Bob in realm B. We also discuss a countermeasure to prevent the attack.
Keywords
Password authentication; Key exchange; Different Password; Security Analysis;
Citations & Related Records
Times Cited By KSCI : 1  (Citation Analysis)
연도 인용수 순위
1 D. Feng and J. Xu, "A new client-to-client password-authenticated key agreement protocol," IWCC'09, LNCS 5557, pp. 63-76, Jun. 2009.
2 J. W. Byun, D. H. Lee, J. I. Lim, "EC2C-PAKA: an efficient client-to-client password-authenticated key agreement," Information Science, vol 177, pp. 3995-4013, Oct. 2007.   DOI   ScienceOn
3 J. Black and P. Rogaway, "Ciphers with arbitrary finite domains," RSA Data Security Conference, Cryptographer's Track (RSACT '02), LNCS 2271, pp. 114-130, Feb. 2002.
4 H. Chung, W. Ku, M. Tsaur, "Weakness and improvement of Wang et al.'s remote user password authentication scheme for resource limited environments," Computer Standards and Interfaces, vol. 31 pp. 863-868, Jun. 2009.   DOI   ScienceOn
5 Han-Cheng Hsiang, Wei-Kuan Shih, "Weaknesses and improvements of the Yoon-Ryu-Yoo remote user authentication scheme using smart cards," Computer Communications, vol. 32, issue 4, pp. 649-652 Mar. 2009.   DOI   ScienceOn
6 P. Kocher, J. Jaffe, B. Jun, Differential power analysis, Proc. Advances in Cryptology, CRYPTO'99, pp. 388-397, Aug. 1999.
7 N. Y. Lee, Y. C. Chiu, "Improved remote authentication scheme with smart card," Computer Standards and Interfaces, vol. 27 issue. 2, pp. 177-180, Jan. 2005.   DOI   ScienceOn
8 J. Munilla, A. Peinado, "Off-line password-guessing attack to Peyravian-Jeffries's remote user authentication protocol," Computer Communications, vol. 30, issue 1, pp. 52-54, Dec. 2006.   DOI   ScienceOn
9 Binod Vaidya, Jong Hyuk Park, Sang-Soo Yeo, Joel J.P.C. Rodrigues, "Robust one-time password authentication scheme using smart card for home network environment," Computer Communications, vol. 34, issue 3, pp. 326-336, Mar. 2010.
10 Shengbao Wang, Zhenfu Cao, Maurizio Adriano Strangio, Lihua Wang, "Cryptanalysis and improvement of an elliptic curve Diffie-Hellman key agreement protocol," IEEE Communications Letters, Vol. 12, no. 2, pp. 149-151, Feb. 2008,   DOI
11 Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan, "A more efficient and secure dynamic ID-based remote user authentication scheme," Computer Communications, vol. 32, Issue 4, pp. 583-585, Mar. 2009.   DOI   ScienceOn
12 X.M. Wang, W.F. Zhang, J.S. Zhang, M.K. Khan, "Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards," Computer Standards and Interfaces vol. 29 no. 5, pp. 507-512, Jul. 2007.   DOI   ScienceOn
13 Jing Xu, Wen-Tao Zhu, and Deng-Guo Feng, "An improved smart card based password authentication scheme with provable security," Computer Standards and Interfaces, vol. 31, issue 4, pp. 723-728, Jun. 2009.   DOI   ScienceOn
14 Her-Tyan Yeh, Hung-Min Sun, Tzonelih Hwang, "Security analysis of the generalized key agreement and password authentication protocol," IEEE Communications Letters, Vol. 5, no. 11, pp. 462-463, Nov. 2001   DOI
15 Muxiang Zhang, Yuguang Fang, "Security analysis and enhancements of 3GPP authentication and key agreement protocol," IEEE Transactions on Wireless Communications, vol. 4, no. 2, pp. 734-742, Mar. 2005.   DOI
16 변진욱, 정익래, 이동훈, "서로 다른 패스워드워드를 가진 사용자간의 패스워드 인증 키 교환 프로토콜," 정보보호학회논문지, 13(1), pp. 27-38, 2003년 2월.
17 변진욱, "효율적이고 안전한 스마트카드 기반 사용자 인증 시스템 연구," 전자공학회논문지 48권 TC편 제 2호, pp. 105-115, 2011년 2월.