Author/Authors :
Hao-Rung Chung (author), Wei-Chi Ku (author)
Abstract :
In 2005, Wen et al. proposed a three-party password-based authenticated key exchange protocol using Weil pairing and showed that their protocol is provably secure. Unfortunately, Nam et al. demonstrated that Wen et al.’s protocol cannot resist a man-in-the-middle attack, and then interpreted their attack in the context of the formal proof model. Recently, Lu and Cao proposed a simple three-party password-based authenticated key exchange (S-3PAKE) protocol based on the CCDH assumption. They claimed that their protocol is superior to similar protocols with respect to security and efficiency. However, we find that the S-3PAKE protocol is still vulnerable to an impersonation-of-initiator attack, an impersonation-of-responder attack, and a man-in-the-middle attack. In this paper, we first briefly review the S-3PAKE protocol, and then demonstrate its weaknesses by using traditional informal description and formal description, respectively. To enhance the security of the S-3PAKE protocol, we suggest a countermeasure against our impersonation-of-initiator attack, impersonation-of-responder attack, and man-in-the-middle attack.
Keywords :
Authenticated key exchange, Impersonation attack, Man-in-the-middle attack, Password, Provable security