Journal title: International Journal of Security and Its Applications
Print ISSN: 1738-9976
Year of publication: 2013
Volume: 7
Issue: 2
Publisher: SERSC
Abstract: Protocols for password-based authenticated key exchange (PAKE) enable two or more parties communicating over a public network to build a secure communication channel using their easy-to-remember passwords. However, off-line dictionary attacks have always been a major security concern in designing such password-based protocols. Compared with the two-party setting, the concern is significantly increased in the three-party setting where insider attacks may be mounted. In this paper, we identified an inherent flaw in the design of Nam et al.’s three-party PAKE protocol (IEEE Communications Letters, 13(3), 2009) and Lu and Cao’s protocol (Computers & Security, 26(1), 2007) and demonstrated that both protocols are susceptible to a previously unpublished off-line dictionary attack. We hope that by identifying this design flaw, similar structural mistakes can be avoided in future design. We conclude the paper with a simple countermeasure.