An efficient client–client password-based authentication scheme with provable security (original) (raw)
Related papers
Password-based authenticated key exchange protocol is a type of authenticated key exchange protocols which enables two or more communication entities, who only share weak, low-entropy and easily memorable passwords, to authenticate each other and establish a high-entropy secret session key. In 2012, Tallapally proposed an enhanced three-party password-based authenticated key exchange protocol to overcome the weaknesses of Huang’s scheme. However, in this paper, we indicate that the Tallapally’s scheme not only is still vulnerable to undetectable online password guessing attack, but also is insecure against off-line password guessing attack. Therefore, we propose a more secure and efficient scheme to overcome the security flaws.
Cryptanalysis of a Three-party Password-based Authenticated Key Exchange Protocol
Key exchange protocols allow two or more parties communicating over a public network to establish a common secret key called a session key. Due to their significance in building a secure communication channel, a number of key exchange protocols have been suggested over the years for a variety of settings. Recently, Lo et al. proposed a three-party password-based authenticated key exchange (3PAKE) protocol, where two users, each shares a human-memorable password with a server, can generate a session key for future communication with the help of the server. They claimed that their scheme could resist various attacks. However, this work shows that Lo et al.'s protocol is vulnerable to an off-line password guessing attack. The analysis show Lo et al.'s protocols is not suitable for practical applications.
A Survey on Three-Party Password-Based Authenticated Key Exchange (3-PAKE) Protocols
2015
Cryptographic protocols for key exchange have an aim of secure exchange of secret keys over the public network. Password based authenticated key exchange (PAKE) protocols are popularly used for communication purposes due to their convenience. As the name suggests, it involves sharing of a human-memorable password by each entity with a trusted third party. Three party PAKE (3PAKE) protocols allow two parties to authenticate each other via the trusted third party and establish a session key between them for further communication. Various 3-PAKE protocols have been proposed over the years, each having its own weaknesses and strengths. This paper presents a review of few such 3-PAKE protocols and gives suggestions for future enhancements.
On the security of a password-only authenticated three-party key exchange protocol
This note reports major previously unpublished security vulnerabilities in the password-only authenticated three-party key exchange protocol due to Lee and Hwang (Information Sciences, 180, 1702-1714, 2010): (1) the Lee-Hwang protocol is susceptible to a man-in-the-middle attack and thus fails to achieve implicit key authentication; (2) the protocol cannot protect clients' passwords against an offline dictionary attack; and (3) the indistinguishability-based security of the protocol can be easily broken even in the presence of a passive adversary.
An enhanced password authenticated key exchange protocol without server public keys
2012 International Conference on ICT Convergence (ICTC), 2012
Password Authenticated Key Exchange (PAKE) protocols permit two entities to generate a large common session key and authenticate each other based on a pre-shared human memorable password. In 2006, Strangio proposed the DH-BPAKE protocol and claimed that the mentioned protocol is provably secure against several attacks. In this paper, it is shown that the DH-BPAKE protocol is vulnerable to password compromise impersonation attack and it is not efficient due to the number of running steps and its computational load. To overcome these weaknesses, an enhanced PAKE protocol is proposed which provides several security properties. In addition, it is proved that our proposed scheme is more sefficient 1 (Secure & Efficient) in comparison with DH-BPAKE protocol.
Cryptanalysis of an efficient three‐party password‐based key exchange scheme
2012
Three-party password-authenticated key exchange (3PAKE) protocols allow entities to negotiate a secret session key with the aid of a trusted server with whom they share a human-memorable password. Recently, Lou and Huang proposed a simple 3PAKE protocol based on elliptic curve cryptography, which is claimed to be secure and to provide superior efficiency when compared with similar-purpose solutions. In this paper, however, we show that the solution is vulnerable to key-compromise impersonation and offline password guessing attacks from system insiders or outsiders, which indicates that the empirical approach used to evaluate the scheme's security is flawed. These results highlight the need of employing provable security approaches when designing and analyzing PAKE schemes.
Pretty-simple password-authenticated key-exchange protocol proven to be secure in the standard model
IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences
In this paper, we propose pretty simple password-authenticated key-exchange protocol which is based on the difficulty of solving DDH problem. It has the following advantages: (1) Both y1 and y2 in our protocol are independent and thus they can be pre-computed and can be sent independently. This speeds up the protocol. (2) Clients and servers can use almost the same algorithm. This reduces the implementation costs without accepting replay attacks and abuse of entities as oracles.
A weakness in Sun-Chen-Hwang's three-party key agreement protocols using passwords
Recently, Sun, Chen and Hwang [J. Syst. Software, 75 (2005), 63-68] have proposed two new three-party protocols, one for password-based authenticated key agreement and one for verifier-based authenticated key agreement. In this paper, we show that both of Sun-Chen-Hwang's protocols are insecure against an active adversary who can intercept messages, start multiple sessions of a protocol, or otherwise control the communication in the network. Also, we present a simple solution to the security problem with the protocols.
A Novel Password Protected Key Exchange Protocol
— Exchanging messages are more common thing lately. More number of people connects with each other in the network and (verifies someone's identity) each other while sharing their data. So users following so many rules of conduct for providing security to their data and the servers which they are storing their data. Due to all data storing in the single server, there is a chance to hack server data to be told (to people). This paper presents a solution to this problem such as (verifying someone's identity) process has to share by two servers. Client has to (verify someone's identity) in two servers like two step checking (for truth). It also includes (related to secret computer codes) ways of doing things to provide security for the data stored in the servers.
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2005
Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search;