Qiong Pu,Jian Wang,Shuhua Wu,Ji Fu

DOI: https://doi.org/10.1007/s12083-012-0125-y

IF: 3.488

2012-01-01

Peer-to-Peer Networking and Applications

Abstract:In order to secure large-scale peer-to-peer communication system, Chien recently presented a three-party password authenticated key exchange protocol using verifiers to reduce the damages of server corruption. In this paper, we first show his protocol is still vulnerable to a partition attack (offline dictionary attack). Thereafter we propose an enhanced verifier-based protocol that can defeat the attacks described and yet is reasonably efficient. Furthermore, we can provide the rigorous proof of the security for it.

Chunbo Ma,Jun Ao,Jianhua Li

DOI: https://doi.org/10.1007/978-3-540-74282-1_117

2007-01-01

Abstract:Lee et al.'s presented a Verifier-based key agreement protocol in 2004. They claimed that their protocol was secure against Stolen-verifier attack in the case of server compromise. However, it is not really a secure protocol. In this paper, we briefly review this scheme and demonstrate the flaw, which once was pointed out by Shim and Seo. Subsequently, we propose a novel Verifier-based authenticated key agreement protocol and show that it withstands Stolen-verifier attack, Dictionary attack, and man-in-middle attack.

HM Sun,BC Chen,T Hwang

DOI: https://doi.org/10.1016/j.jss.2003.11.017

IF: 3.5

2004-01-01

Journal of Systems and Software

Abstract:Key exchange protocol is important for sending secret messages using the session key between two parties. In order to reach the objective, the premise is to generate a session key securely. Encryption key exchange was first proposed to generate a session key with a weak authenticated password against guessing attacks. Next, another authenticated key exchange protocols for three-party, two clients who request the session key and one server who authenticates the user's identity and assist in generating a session key, were proposed. In this paper, we focus on the three-party authenticated key exchange protocol. In addition to analyzing and improving a password-based authenticated key exchange protocol, a new verified-based protocol is also proposed.

Junhan Yang,Tianjie Cao

2011-01-01

Journal of Computational Information Systems

Abstract:With advances in elliptic curve cryptography, Li et al. and Yoon et al. proposed two password-authenticated key exchange protocols without server's public key. They claimed to be secure against several possible attacks, securely update user passwords without a complicated process, and also provide explicit key authentication in the case of a session key agreement. Unfortunately, Li et al.'s protocol is vulnerable to off-line dictionary attack and man-in-the-middle attack. Meanwhile Yoon et al.'s protocol is subject to off-line dictionary attack and fails to provide backward secrecy. In this paper, we conduct a detailed analysis on the flaws and also propose a verifier-based password-authenticated key exchange protocol via elliptic curves which is secure against various known attacks. Copyright © 2011 Binary Information Press.

Hu Xiong,Zhong Chen,Fagen Li

DOI: https://doi.org/10.1016/j.jnca.2012.10.001

IF: 7.574

2013-01-01

Journal of Network and Computer Applications

Abstract:Key agreement allows multi-parties exchanging public information to create a common secret key that is known only to those entities over an insecure network. In the recent years, several identity-based (ID-based) authenticated key agreement protocols have been proposed and most of them broken. In this paper, we formalize the security model of ID-based authenticated tripartite key agreement protocol and propose a provably secure ID-based authenticated key agreement protocol for three parties with formal security proof under the computational Diffie-Hellman assumption. Experimental results by using the AVISPA tool show that the proposed protocol is secure against various malicious attacks.

Debiao He,Jianhua Chen,Jin Hu

DOI: https://doi.org/10.31449/inf.v34i3.308

2010-01-01

Informatica

Abstract:Key exchange protocols allow two or more parties communicating over a public network to establish a common secret key called a session key. Due to their significance in building a secure communication channel, a number of key exchange protocols have been suggested over the years for a variety of settings. Among these is the so-called S-3PAKE protocol proposed by Lu and Cao for passwordauthenticated key exchange in the three-party setting. In the current work, we are concerned with the password security of the S-3PAKE protocol. We first show that S-3PAKE is vulnerable to an off-line dictionary attack in which an attacker exhaustively enumerates all possible passwords in an off-line manner to determine the correct one. We then figure out how to eliminate the security vulnerability of S3PAKE.

LIAN Huanhuan,HOU Huiying,ZHAO Yunlei

DOI: https://doi.org/10.11959/j.issn.1000−436x.2022062

2022-01-01

Abstract:In view of the fact that server stored the passwords directly in plaintext, there was a risk of server compromise, and two-party PAKE protocol was not suitable for large-scale communication systems, a three-party verifier-based password authenticated key exchange protocol from lattices was proposed.Hashing scheme and zero-knowledge password policy check were combined to realize the generation of verifier and the password checking.A novel verifier-based 3PAKE protocol was constructed by using CCA-secure public-key encryption from lattices, which realized mutual authentication.Security and performance analysis shows that the proposed protocol has better advantages in communication efficiency and security.

Jun-Han Yang,Tian-Jie Cao

DOI: https://doi.org/10.1016/j.jss.2011.08.024

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:Three-party password authenticated key exchange protocol is a very practical mechanism to establish secure session key through authenticating each other with the help of a trusted server. Most three-party password authenticated key exchange protocols only guarantee security in the random oracle model. However, a random oracle based cryptographic construction may be insecure when the oracle is replaced by real function. Moreover, some previous unknown attacks appear with the advance of the adversary capability. Therefore, a suitable standard model which can imitate a wider variety of attack scenarios for 3PAKE protocol is needed. Aim at resisting dictionary attack, unknown key-share attack and password-compromise impersonation attack, an expanded standard model for 3PAKE protocol is given. Meanwhile, through applying ElGamal encryption scheme and pseudorandom function, a specific three-party password authenticated key exchange protocol is proposed. The security of the proposed protocol is proven in the new standard model. The result shows that the present protocol has stronger security by comparing with other existing protocols, which covers the following security properties: (1) semantic security, (2) key privacy, (3) client-to-server authentication, (4) mutual authentication, (5) resistance to various known attacks, and (6) forward security.

Hu Xiong,Yanan Chen,Zhong Chen,Fagen Li

DOI: https://doi.org/10.2316/Journal.202.2013.1.202-3540

2015-01-01

International Journal of Computers and Applications

Abstract:Three-party password-based authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key with the help of an authenticated server over an insecure channel. Owning to the significance in building a secure communication channel, a number of approaches have been suggested over the years. However, the lack of formal security proof is a major issue in the related literature. In this paper, we propose a simple 3PAKE protocol based upon elliptic curve cryptography along with formal security proof under the decisional Diffie-Hellman assumption. Experimental results by using the automated validation of Internet security protocols and applications tool also show that the proposed protocol is secure against various malicious attacks. Compared with previous work, the proposed protocol has lower computation costs and lighter communication loads.

XU Chun-xiang,HE Xiao-hu

DOI: https://doi.org/10.3969/j.issn.1001-0548.2012.04.023

2012-01-01

Abstract:Three-party password-based authenticated key exchange protocols allow two clients to authenticate each other and establish a shared session key through a trusted server who preserves clients’ passwords or verifiers about passwords.However,because of the low entropy of passwords,password-based authenticated key exchange protocols are vulnerable to dictionary attacks.Based on available protocols,a new efficient three-party password-based authenticated key exchange protocol is proposed by combining the symmetric encryption algorithm with the method of two-party key exchange protocol of Diffie-Hellman.Results indicate that and the proposed protocol can resist against various attacks and provide the perfect forward security.

Her-tyan Yeh,Hung-min Sun,Tzonelih Hwang

DOI: https://doi.org/10.6688/jise.2003.19.6.6

2003-01-01

Journal of information science and engineering

Abstract:Three-party EKE was proposed to establish a session key between two clients through a server. However, three-party EKE is insecure against undetectable on-line and off-line password guessing attacks. In this paper, we first propose an enhanced three-party EKE to withstand the security risk in three-party EKE. We also propose a verifier-based three-party EKE that is more secure than a plaintext-equivalent mechanism in which a compromise of the server's database will not result in success in directly impersonating clients.

Chao Liu,Zhongxiang Zheng,Keting Jia,Qidi You

DOI: https://doi.org/10.1007/978-3-030-34339-2_4

2019-01-01

Abstract:Three-party key exchange, where two clients aim to agree a session key with the help of a trusted server, is prevalent in present-day systems. In this paper, we present a practical and secure three-party password-based authenticated key exchange protocol over ideal lattices. Aside from hash functions our protocol does not rely on external primitives in the construction and the security of our protocol is directly relied on the Ring Learning with Errors (RLWE) assumption. Our protocol attains provable security. A proof-of-concept implementation shows our protocol is indeed practical.

Chun-Li Lin,Hung-Min Sun,Tzonelih Hwang

DOI: https://doi.org/10.1145/506106.506108

2000-01-01

ACM SIGOPS Operating Systems Review

Abstract:Password-based mechanism is the widely used method for authentication since it allows people to choose their own passwords without any assistant device to generate or store. However, people are used to choose easy-to-remember passwords such that guessing attacks could succeed. In 1992, Bellovin and Merritt proposed Encrypted Key Exchange (EKE) protocols for preventing guessing attacks, in which two communication parties A and B securely share a possibly weak password in advance. In large communication environments, it is inconvenient in key management that every two communication parties mutually share a secret. Three-party EKE protocols, in which all parties (clients) share their secrets with a trusted server only, are more suitable for large communication environments. In 1995, Steiner, Tsudik and Waidner proposed a realization of three-party EKE protocol which is later demonstrated that it is vulnerable to undetectable on-line guessing attacks. In this paper, We will show a new off-line guessing attack on Steiner, Tsudik and Waidners' protocol. Besides, we will also propose a new three-party EKE protocol which not only is secure against both the off-line guessing attack and undetectable on-line guessing attacks but also satisfies the security properties of perfect forward secrecy and known-key security.

Hu Xiong,Yanan Chen,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1016/j.ins.2013.02.004

IF: 8.1

2013-01-01

Information Sciences

Abstract:Three-party password-based authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key with the support from an authenticated server over an insecure channel. Several 3PAKE protocols, which do not require server public keys, have been proposed recently. In this paper, we use Chang et al.’s protocol as a case study and demonstrate that all of the 3PAKE protocols without server public keys are not secure against Key Compromise Impersonation (KCI) attack. A detailed analysis of flaw in these protocols has been conducted and we hope that by identifying this design flaw, similar structural mistakes can be avoided in future designs. Furthermore, we propose an improved protocol that remedies the weakness of these protocols and prove its security in a widely accepted model.

Debiao He,Jianhua Chen

DOI: https://doi.org/10.1504/ijesdf.2012.049754

2014-01-01

Abstract:Recently, Zeng et al. proposed a three-party password-based authenticated key exchange protocol, in which two users could generate a common secret key with the help of the server. Although Zeng et al. claimed that their protocol could withstand various attacks, we point out that their protocol cannot resist impersonation attacks and undetectable online dictionary attacks. The analysis shows Zeng et al.'s protocol is insecure for practical applications.

Hui Cui,Tianjie Cao

DOI: https://doi.org/10.4304/jnw.4.10.985-992

2009-01-01

Journal of Networks

Abstract:Because of the growing importance in the fields of computer networks, how to keep user's privacy has drawn more and more concerns in recent years. In this paper, we first point out that the two given anonymous password-based authenticated and key exchange protocols are vulnerable to the anonymity attack. Then based on a ring signature scheme, we propose a new secure anonymous authenticated and key exchange protocol, which inherits all the good virtues of the previous protocols. Furthermore, we discuss the security attributes of our new scheme. Finally, we give an extension of our new scheme's application and make a conclusion of this paper.

XIANG Yong-qian,CHEN Jian-hua

DOI: https://doi.org/10.3969/j.issn.1671-1122.2012.11.009

2012-01-01

Abstract:In order to ensure the security of communications in the public network environment,a tripartite authenticated key exchange protocol has been widespread concern.In 2009,Yang et al proposed a tripartite authenticated key exchange protocol based on elliptic curve cryptography in mobile e-commerce environment.However,Tan pointed out that the protocol of Yang et al.was suffered a counterfeit attack.In order to improve security,Tan proposed an improved agreement.However,Nose pointed out that Tan's protocol can not resist counterfeit attacks and man-in-the-middle attack.In order to improve security,Author propose a new tripartite authenticated key exchange protocol.

Hua Guo,Chen,Ya Gao,Xiong Li,Jiongchao Jin

DOI: https://doi.org/10.1155/2018/3284324

2018-01-01

Wireless Communications and Mobile Computing

Abstract:Three-factor multiserver authentication protocols become a prevalence in recent years. Among these protocols, almost all of them do not involve the registration center into the authentication process. To improve the protocol's efficiency, a common secret key is shared among all severs, which leads to a serious weakness; i.e., we find that these protocols cannot resist the passive attack from the honest-but-curious servers. This paper takes Wang et al.'s protocol as an example, to exhibit how an honest-but-curious server attacks their protocol. To remedy this weakness, a novel three-factor multiserver authentication protocol is presented. By introducing the registration center into the authentication process, the new protocol can resist the passive attack from the honestbut-curious servers. Security analyses including formal and informal analyses are given, demonstrating the correctness and validity of the new protocol. Compared with related protocols, the new protocol possesses more secure properties and more practical functionalities than others at a relatively low computation cost and communication cost.

CL Lin,HA Wen,T Hwang,HM Sun

2004-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:We will propose a key-agreement-type three-party password-authenticated key exchange protocol. The proposed protocol is quite efficient and, among the same type of protocols, is the first to be formally proven to be secure. A three-party formal model for security proof is proposed based on [25] and [26]. We construct a simulator in this model to show that our proposed protocol is secure under reasonable and well-defined cryptographic primitives.

Jianjie Zhao,Dawu Gu

DOI: https://doi.org/10.1007/s11859-010-0312-8

2010-01-01

Wuhan University Journal of Natural Sciences

Abstract:The CLC protocol (proposed by Tzung-Her Chen, Wei-Bin Lee and Hsing-Bai Chen, CLC, for short) is a new three-party password-authenticated key exchange (3PAKE) protocol. This CLC protocol provides a superior round efficiency (only three rounds), and its resources required for computation are relatively few. However, we find that the leakage of values A V and B V in the CLC protocol will make a man-in-the-middle attack feasible in practice, where A V and B V are the authentication information chosen by the server for the participants A and B. In this paper, we describe our attack on the CLC protocol and further present a modified 3PAKE protocol, which is essentially an improved CLC protocol. Our protocol can resist attacks available, including man-in-the-middle attack we mount on the initial CLC protocol. Meanwhile, we allow that the participants choose their own passwords by themselves, thus avoiding the danger that the server is controlled in the initialization phase. Also, the computational cost of our protocol is lower than that of the CLC protocol.