• information security;
  • authentication;
  • key agreement;
  • man-in-the-middle attack


Recently, Tzung-Her Chen, Wei-Bin Lee, and Hsing-Bai Chen (CLC) proposed a new three-party password-based authenticated key exchange (3PAKE) protocol. This CLC protocol needs not store the security-sensitive table on the server side, which reduces the danger of the server being compromised; also, it has the advantage in terms of the round efficiency and computational cost. However, we find that the leakage of values VA and VB in the CLC protocol will make a man-in-the-middle attack feasible in practice. On the basis of this finding, we present a modified 3PAKE protocol called I-CLC protocol, which is essentially an improved CLC protocol. I-CLC can resist attacks available, including the man-in-the-middle attack that we mentioned on the initial CLC protocol. Meanwhile, the new protocol allows that the participants choose their own passwords by themselves; additionally, the computation cost of I-CLC is lower than that of CLC protocol. Copyright © 2011 John Wiley & Sons, Ltd.