Security Analysis and Improvements of a Three-Party Password-Based Key Exchange Protocol
Keywords: Key exchange protocol, Three-party, Password guessing attack, Key compromise impersonation attack, Denning-Sacco attack
Abstract: Recently Xie et al. [Q. Xie, N. Dong, X. Tan, D. Wong, G. Wang. Improvement of a three-party password-based key exchange protocol with formal verification. Information Technology and Control, 2013, Vol. 42, No. 3, 231-237] proposed an efficient three-party password-based key exchange protocol and used a formal verification tool to verify its security. In this paper, we demonstrate that their protocol is vulnerable to the off-line password guessing attack and the key compromise impersonation attack. The analysis shows that their protocol is not secure for practical applications. To overcome weaknesses in Xie et al.’s protocol, we also propose an improved 3PAKE protocol. Analysis shows that our protocol not only overcomes those weaknesses, but also has better performance. Therefore, our protocol is more suitable for practical applications.
Copyright terms are indicated in the Republic of Lithuania Law on Copyright and Related Rights, Articles 4-37.