Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
456184 | Computers & Security | 2008 | 6 Pages |
Abstract
Recently, Lu and Cao published a novel protocol for password-based authenticated key exchanges (PAKE) in a three-party setting in Journal of Computers and Security, where two clients, each sharing a human-memorable password with a trusted server, can construct a secure session key. They argued that their simple three-party PAKE (3-PAKE) protocol can resist various known attacks. In this paper, we show that this protocol is vulnerable to a kind of man-in-the-middle attack that exploits an authentication flaw in their protocol and is subject to the undetectable on-line dictionary attack. We also conduct a detailed analysis of the flaws in the protocol and provide an improved protocol.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Hua Guo, Zhoujun Li, Yi Mu, Xiyong Zhang