article

Free access

Three-party encrypted key exchange: attacks and a solution

Authors:

Chun-Li Lin,

Hung-Min Sun,

Tzonelih HwangAuthors Info & Claims

ACM SIGOPS Operating Systems Review, Volume 34, Issue 4

Pages 12 - 20

https://doi.org/10.1145/506106.506108

Published: 01 October 2000 Publication History

PDF eReader

Abstract

Password-based mechanism is the widely used method for authentication since it allows people to choose their own passwords without any assistant device to generate or store. However, people are used to choose easy-to-remember passwords such that guessing attacks could succeed. In 1992, Bellovin and Merritt proposed Encrypted Key Exchange (EKE) protocols for preventing guessing attacks, in which two communication parties A and B securely share a possibly weak password in advance. In large communication environments, it is inconvenient in key management that every two communication parties mutually share a secret. Three-party EKE protocols, in which all parties (clients) share their secrets with a trusted server only, are more suitable for large communication environments. In 1995, Steiner, Tsudik and Waidner proposed a realization of three-party EKE protocol which is later demonstrated that it is vulnerable to undetectable on-line guessing attacks. In this paper, We will show a new off-line guessing attack on Steiner, Tsudik and Waidners' protocol. Besides, we will also propose a new three-party EKE protocol which not only is secure against both the off-line guessing attack and undetectable on-line guessing attacks but also satisfies the security properties of perfect forward secrecy and known-key security.

References

[1]

W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Trans.,IT-22, pp. 644-654, 1976.

Google Scholar

[2]

R. Morris and K. Thompson, Password Security: A Case History, Communications of the ACM,22(11), pp. 594-597, 1979.

Digital Library

Google Scholar

[3]

S. M. Bellovin and M. Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, IEEE Symposium on Research in Security and Privacy, pp. 72-84, 1992.

Digital Library

Google Scholar

[4]

S. M. Bellovin and M. Merritt, Augmented Encrypted Key Exchange: a Password-Based Protocol Secure Against Dictionary Attacks and Password File Compromise, ACM Conf. Comp. and Comm. Security, pp. 244-250, 1993.

Digital Library

Google Scholar

[5]

L. Gong, M. Lomas, R. Needham and J. Saltzer, Protecting Poorly Chosen Secrets from Guessing Attacks, IEEE Journal on Selected Areas in Communications,11(5), pp. 648-656, 1993.

Digital Library

Google Scholar

[6]

Y. Ding and P. Horster, Undetectable On-line Password Guessing Attacks, ACM Operating Systems Review,29(4), pp. 77-86, 1995.

Digital Library

Google Scholar

[7]

L. Gong, Optimal Authentication Protocols Resistant to Password Guessing Attacks, Proceedings of the 8th IEEE Computer Security Foundation Workshop, pp. 24-29, 1995.

Digital Library

Google Scholar

[8]

M. Steiner, G. Tsudik and M. Waidner, Refinement and Extension of Encrypted Key Exchange, ACM Operating Systems Review,29(3), pp. 22-30, 1995.

Digital Library

Google Scholar

[9]

D. Jablon, Strong Password-Only Authenticated Key Exchange, ACM Computer Communications Review,20(5), pp. 5-26, 1996.

Digital Library

Google Scholar

[10]

B. Jaspan, Dual-workfactor Encrypted Key Exchange: Efficiently Preventing Password Chaining and Dictionary Attacks, Proceedings of the Sixth Annual USENIX Security Conference, pp. 43-50, 1996.

Digital Library

Google Scholar

[11]

T. Kwon, M. Kang and J. Song, An Adaptable and Reliable Authentication Protocol for Communication Networks, Proceedings of IEEE INFOCOM'97, pp. 737-744, 1997.

Digital Library

Google Scholar

[12]

T. Wu, The Secure Remote Password Protocol, Internet Society Symposium on Network and Distributed System Security, 1998.

Google Scholar

[13]

T. Kwon, M. Kang, S. Jung and J. Song, An Improvement of the Password-Based Authentication protocol (K1P) on Security against Replay Attacks, IEICE Trans. Commun.,E82-B(7), pp. 991-997, 1999.

Google Scholar

[14]

T. Kwon and J. Song, Secure Agreement Scheme for gxy via Password Authentication, Electronics Letters,35(11), pp. 892-893, 1999.

Google Scholar

Cited By

View all

Meng FChen J(2024)Research on HTTPS Service Identification Method, Device, Storage Medium and Electronic Equipment2024 4th Asia-Pacific Conference on Communications Technology and Computer Science (ACCTCS)10.1109/ACCTCS61748.2024.00071(369-374)Online publication date: 24-Feb-2024
https://doi.org/10.1109/ACCTCS61748.2024.00071
Guo SSong YGuo SYang YSong S(2023)Three-Party Password Authentication and Key Exchange Protocol Based on MLWESymmetry10.3390/sym1509175015:9(1750)Online publication date: 13-Sep-2023
https://doi.org/10.3390/sym15091750
Anitha Kumari KKamatchi TSenthil Prabha RSamanthula B(2021)Hyperelliptic Curve Diffie–Hellman-Based Two-Server Password-Only Authenticated Key Exchange Protocol for Edge Computing SystemsIETE Journal of Research10.1080/03772063.2021.195137169:7(4311-4322)Online publication date: 25-Jul-2021
https://doi.org/10.1080/03772063.2021.1951371
Show More Cited By

Index Terms

Three-party encrypted key exchange: attacks and a solution

Index terms have been assigned to the content through auto-classification.

Recommendations

Cryptanalysis of two three-party encrypted key exchange protocols

Due to the simplicity of maintaining human memorable passwords without any assistant storage device, password-based three-party encrypted key exchange (3PEKE) protocol has become one of the most promising research fields on user authentication and ...
Provably secure three party encrypted key exchange scheme with explicit authentication

In 2007, Lu and Cao proposed a simple, three-party, password-based, authenticated key exchange (S-3PEKE) protocol based on the chosen-basis computational Diffie-Hellman assumption. Although the authors claimed that their protocol was superior to similar ...
Simple three-party key exchange protocol

Three-party authenticated key exchange protocol is an important cryptographic technique in the secure communication areas, by which two clients, each shares a human-memorable password with a trusted server, can agree a secure session key. Over the past ...

Comments

Information & Contributors

Information

Published In

cover image ACM SIGOPS Operating Systems Review

ACM SIGOPS Operating Systems Review Volume 34, Issue 4

October 2000

90 pages

ISSN:0163-5980

DOI:10.1145/506106

Issue’s Table of Contents

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 October 2000

Published in SIGOPS Volume 34, Issue 4

Check for updates

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

133
Total Citations
View Citations
1,711
Total Downloads

Downloads (Last 12 months)60
Downloads (Last 6 weeks)6

Reflects downloads up to 14 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Meng FChen J(2024)Research on HTTPS Service Identification Method, Device, Storage Medium and Electronic Equipment2024 4th Asia-Pacific Conference on Communications Technology and Computer Science (ACCTCS)10.1109/ACCTCS61748.2024.00071(369-374)Online publication date: 24-Feb-2024
https://doi.org/10.1109/ACCTCS61748.2024.00071
Guo SSong YGuo SYang YSong S(2023)Three-Party Password Authentication and Key Exchange Protocol Based on MLWESymmetry10.3390/sym1509175015:9(1750)Online publication date: 13-Sep-2023
https://doi.org/10.3390/sym15091750
Anitha Kumari KKamatchi TSenthil Prabha RSamanthula B(2021)Hyperelliptic Curve Diffie–Hellman-Based Two-Server Password-Only Authenticated Key Exchange Protocol for Edge Computing SystemsIETE Journal of Research10.1080/03772063.2021.195137169:7(4311-4322)Online publication date: 25-Jul-2021
https://doi.org/10.1080/03772063.2021.1951371
Paladi NTiloca MNikbakht Bideh PHell M(2021)Flowrider: Fast On-Demand Key Provisioning for Cloud NetworksSecurity and Privacy in Communication Networks10.1007/978-3-030-90022-9_11(207-228)Online publication date: 4-Nov-2021
https://doi.org/10.1007/978-3-030-90022-9_11
Ogundoyin S(2019)A privacy-preserving certificateless two-party authenticated key exchange protocol without bilinear pairing for mobile-commerce applicationsJournal of Cyber Security Technology10.1080/23742917.2019.15953573:3(137-162)Online publication date: 3-Apr-2019
https://doi.org/10.1080/23742917.2019.1595357
Anitha Kumari KSudha Sadasivam G(2019)Two-Server 3D ElGamal Diffie-Hellman Password Authenticated and Key Exchange Protocol Using Geometrical PropertiesMobile Networks and Applications10.1007/s11036-018-1104-124:3(1104-1119)Online publication date: 1-Jun-2019
https://dl.acm.org/doi/10.1007/s11036-018-1104-1
Liu CZheng ZJia KYou Q(2019)Provably Secure Three-Party Password-Based Authenticated Key Exchange from RLWEInformation Security Practice and Experience10.1007/978-3-030-34339-2_4(56-72)Online publication date: 6-Nov-2019
https://doi.org/10.1007/978-3-030-34339-2_4
Xie QLu YTan XTang ZHu B(2018)Security and efficiency enhancement of an anonymous three-party password-authenticated key agreement using extended chaotic mapsPLOS ONE10.1371/journal.pone.020398413:10(e0203984)Online publication date: 5-Oct-2018
https://doi.org/10.1371/journal.pone.0203984
Lee THwang T(2017)Three-party authenticated key agreements for optimal communicationPLOS ONE10.1371/journal.pone.017447312:3(e0174473)Online publication date: 29-Mar-2017
https://doi.org/10.1371/journal.pone.0174473
Vollala SS IBegum BRamasubramanian NHamdan HBoubiche DKlett F(2017)Evaluation of password encrypted key exchange authentication techniques: design approach perspectiveProceedings of the 1st International Conference on Internet of Things and Machine Learning10.1145/3109761.3109777(1-9)Online publication date: 17-Oct-2017
https://dl.acm.org/doi/10.1145/3109761.3109777
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Index Terms

Recommendations

Cryptanalysis of two three-party encrypted key exchange protocols

Provably secure three party encrypted key exchange scheme with explicit authentication

Simple three-party key exchange protocol

Comments

Information

Published In

Publisher

Publication History

Check for updates

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations