Security analysis and enhancement for three-party password-based authenticated key exchange protocol


Jianjie Zhao, School of Information Security Engineering, Shanghai Jiao Tong University, 800 Dong Chuan Road, Min Hang District, Shanghai 200240, China.



Recently, Tzung-Her Chen, Wei-Bin Lee, and Hsing-Bai Chen (CLC) proposed a new three-party password-based authenticated key exchange (3PAKE) protocol. The CLC protocol does not need to store a security-sensitive table on the server side, which reduces the danger of the server being compromised; it also has advantages in round efficiency and computational cost. However, we find that leakage of the values VA and VB in the CLC protocol makes a man-in-the-middle attack feasible in practice. On the basis of this finding, we present a modified 3PAKE protocol called the I-CLC protocol, which is essentially an improved CLC protocol. I-CLC can resist the available attacks, including the man-in-the-middle attack on the original CLC protocol that we describe. In addition, the new protocol allows participants to choose their own passwords, and the computation cost of I-CLC is lower than that of the CLC protocol. Copyright © 2011 John Wiley & Sons, Ltd.