Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
465916 | Pervasive and Mobile Computing | 2015 | 11 Pages |

A password-based authenticated key agreement enables several parties to establish a shared, cryptographically strong key over a public, unreliable and insecure network using short, low-entropy passwords. Such authenticated key agreement is required even in Internet of Things (IoT) environments, since no additional device is required. Only a few proposals for password-based explicit authenticated key agreement (EAKA) have been reported in the literature. Recently, Zheng et al. proposed a 3-round password-based EAKA protocol. In this paper, we reveal that their protocol is vulnerable to an impersonation attack, and that the security definition it uses is not formally treated. We then formalize the security definition of a two-party password-based EAKA protocol and improve the construction of Zheng et al. to eliminate its security vulnerabilities. The security of the proposal is formally proved using a new security model.