Security weakness in a three-party pairing-based protocol for password authenticated key exchange

Junghyun Nam, Youngsook Lee, Seung-Joo Kim, Dongho Won

Research output: Contribution to journalArticle

59 Citations (Scopus)

Abstract

Authentication and key exchange are fundamental for establishing secure communication channels over public insecure networks. Password-based protocols for authenticated key exchange are designed to work even when user authentication is done via the use of passwords drawn from a small known set of values. Recently, Wen et al. (H.-A. Wen, T.-F. Lee, T. Hwang, Provably secure three-party password-based authenticated key exchange protocol using Weil pairing, IEE Proceedings-Communications 152 (2) (2005) 138-143) proposed a new protocol for password-based authenticated key exchange in the three-party setting, where the clients trying to establish a common secret key do not share a password between themselves but only with a trusted server. Wen et al.'s protocol carries a claimed proof of security in a formal model of communication and adversarial capabilities. However, this work shows that the protocol for three-party key exchange is completely insecure and the claim of provable security is seriously incorrect. We conduct a detailed analysis of flaws in the protocol and its security proof, in the hope that no similar mistakes are made in the future.

Original languageEnglish
Pages (from-to)1364-1375
Number of pages12
JournalInformation Sciences
Volume177
Issue number6
DOIs
Publication statusPublished - 2007 Mar 15
Externally publishedYes

    Fingerprint

Keywords

  • Key exchange protocol
  • Man-in-the-middle attack
  • Password-based authentication
  • Provable security
  • Weil pairing

ASJC Scopus subject areas

  • Statistics and Probability
  • Electrical and Electronic Engineering
  • Statistics, Probability and Uncertainty
  • Information Systems and Management
  • Information Systems
  • Computer Science Applications
  • Artificial Intelligence

Cite this