Improvement of a Three-Party Password-Based Key Exchange Protocol with Formal Verification

Qi Xie, Na Dong, Xiao Tan, Duncan S. Wong, Guilin Wang


A Three-party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool.



Key Exchange; Password Based Authenticated Key Exchange (PAKE); Three-Party PAKE; ProVerif

Full Text: PDF

Print ISSN: 1392-124X 
Online ISSN: 2335-884X