Improvement of a three-party password-based key exchange protocol with formal verification

Qi Xie; Na Dong; Xiao Tan; Duncan S. Wong; Guilin Wang

doi:10.5755/j01.itc.42.3.1905

Improvement of a three-party password-based key exchange protocol with formal verification

Qi Xie
, Na Dong
, Xiao Tan
, Duncan S. Wong
, Guilin Wang

Department of Computer Science

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

22 Citations (Scopus)

Abstract

A Three-Party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.

Original language	English
Pages (from-to)	231-237
Journal	Information Technology and Control
Volume	42
Issue number	3
DOIs	https://doi.org/10.5755/j01.itc.42.3.1905
Publication status	Published - Sept 2013

Research Keywords

Key exchange
Password based authenticated key exchange (PAKE)
ProVerif
Three-party PAKE

Access Output

10.5755/j01.itc.42.3.1905

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{05bc6b48aa154d459a42d1a2f5027ba0,

title = "Improvement of a three-party password-based key exchange protocol with formal verification",

abstract = "A Three-Party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.",

keywords = "Key exchange, Password based authenticated key exchange (PAKE), ProVerif, Three-party PAKE",

author = "Qi Xie and Na Dong and Xiao Tan and Wong, \{Duncan S.\} and Guilin Wang",

year = "2013",

month = sep,

doi = "10.5755/j01.itc.42.3.1905",

language = "English",

volume = "42",

pages = "231--237",

journal = "Information Technology and Control",

issn = "1392-124X",

publisher = "Kauno Technologijos Universitetas",

number = "3",

}

TY - JOUR

T1 - Improvement of a three-party password-based key exchange protocol with formal verification

AU - Xie, Qi

AU - Dong, Na

AU - Tan, Xiao

AU - Wong, Duncan S.

AU - Wang, Guilin

PY - 2013/9

Y1 - 2013/9

N2 - A Three-Party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.

AB - A Three-Party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.

KW - Key exchange

KW - Password based authenticated key exchange (PAKE)

KW - ProVerif

KW - Three-party PAKE

UR - https://www.scopus.com/pages/publications/84884222500

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-84884222500&origin=recordpage

U2 - 10.5755/j01.itc.42.3.1905

DO - 10.5755/j01.itc.42.3.1905

M3 - RGC 21 - Publication in refereed journal

SN - 1392-124X

VL - 42

SP - 231

EP - 237

JO - Information Technology and Control

JF - Information Technology and Control

IS - 3

ER -

Improvement of a three-party password-based key exchange protocol with formal verification

Abstract

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this