• KSII Transactions on Internet and Information Systems
    Monthly Online Journal (eISSN: 1976-7277)

Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols


Abstract

A three-party password-based authenticated key exchange (PAKE) protocol allows two clients registered with a trusted server to generate a common cryptographic key from their individual passwords shared only with the server. A key requirement for three-party PAKE protocols is to prevent an adversary from mounting a dictionary attack. This requirement must be met even when the adversary is a malicious (registered) client who can set up normal protocol sessions with other clients. This work revisits three existing three-party PAKE protocols, namely, Guo et al.’s (2008) protocol, Huang’s (2009) protocol, and Lee and Hwang’s (2010) protocol, and demonstrates that these protocols are not secure against offline and/or (undetectable) online dictionary attacks in the presence of a malicious client. The offline dictionary attack we present against Guo et al.’s protocol also applies to other similar protocols including Lee and Hwang’s protocol. We conclude with some suggestions on how to design a three-party PAKE protocol that is resistant against dictionary attacks


Statistics

Show / Hide Statistics

Statistics (Cumulative Counts from December 1st, 2015)
Multiple requests among the same browser session are counted as one view.
If you mouse over a chart, the values of data points will be shown.


Cite this article

[IEEE Style]
Junghyun Nam, Kim-Kwang Raymond Choo, Moonseong Kim, Juryon Paik and Dongho Won, "Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols," KSII Transactions on Internet and Information Systems, vol. 7, no. 12, pp. 3244-3260, 2013. DOI: 10.3837/tiis.2013.12.016

[ACM Style]
Nam, J., Choo, K. R., Kim, M., Paik, J., and Won, D. 2013. Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols. KSII Transactions on Internet and Information Systems, 7, 12, (2013), 3244-3260. DOI: 10.3837/tiis.2013.12.016