finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys

ISCAS OpenIR

	finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys
	Xiong Hu; Chen Yanan; Guan Zhi; Chen Zhong
	2013
发表期刊	Information Sciences
ISSN	0020-0255
页码	-
摘要	Three-party password-based authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key with the support from an authenticated server over an insecure channel. Several 3PAKE protocols, which do not require server public keys, have been proposed recently. In this paper, we use Chang et al.'s protocol as a case study and demonstrate that all of the 3PAKE protocols without server public keys are not secure against Key Compromise Impersonation (KCI) attack. A detailed analysis of flaw in these protocols has been conducted and we hope that by identifying this design flaw, similar structural mistakes can be avoided in future designs. Furthermore, we propose an improved protocol that remedies the weakness of these protocols and prove its security in a widely accepted model. © 2013 Elsevier Inc. All rights reserved.; Three-party password-based authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key with the support from an authenticated server over an insecure channel. Several 3PAKE protocols, which do not require server public keys, have been proposed recently. In this paper, we use Chang et al.'s protocol as a case study and demonstrate that all of the 3PAKE protocols without server public keys are not secure against Key Compromise Impersonation (KCI) attack. A detailed analysis of flaw in these protocols has been conducted and we hope that by identifying this design flaw, similar structural mistakes can be avoided in future designs. Furthermore, we propose an improved protocol that remedies the weakness of these protocols and prove its security in a widely accepted model. © 2013 Elsevier Inc. All rights reserved.
收录类别	EI
关键词	Artificial Intelligence Software Engineering
部门归属	(1) School of Computer Science and Engineering The University of Electronic Science and Technology of China Chengdu PR China; (2) State Key Laboratory of Rail Traffic Control and Safety Beijing Jiao Tong University Beijing PR China; (3) Institute of Software School of Electronics Engineering and Computer Science Peking University Beijing PR China; (4) State Key Laboratory of Information Security Institute of Software Chinese Academy of Sciences Beijing PR China
语种	英语
WOS记录号	WOS:000317887100023
引用统计	被引频次：19[WOS] [WOS记录] [WOS相关记录]
内容类型	期刊论文
URI标识	http://ir.iscas.ac.cn/handle/311060/15214
专题	中国科学院软件研究所
推荐引用方式 GB/T 7714	Xiong Hu,Chen Yanan,Guan Zhi,et al. finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys[J]. Information Sciences,2013:-.
APA	Xiong Hu,Chen Yanan,Guan Zhi,&Chen Zhong.(2013).finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys.Information Sciences,-.
MLA	Xiong Hu,et al."finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys".Information Sciences (2013):-.