Advanced
Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols
Dictionary Attacks against Password-Based Authenticated Three-Party Key Exchange Protocols
KSII Transactions on Internet and Information Systems (TIIS). 2013. Dec, 7(12): 3244-3260
Copyright © 2013, Korean Society For Internet Information
  • Received : October 07, 2013
  • Accepted : November 29, 2013
  • Published : December 30, 2013
Download
PDF
e-PUB
PubReader
PPT
Export by style
Share
Article
Author
Metrics
Cited by
TagCloud
About the Authors
Junghyun Nam
Department of Computer Engineering, Konkuk University, Korea
Kim-Kwang Raymond Choo
Information Assurance Research Group, Advanced Computing Research Centre, University of South Australia, Australia
Moonseong Kim
Information and Communications Examination Bureau, Korean Intellectual Property Office, Korea
Juryon Paik
Department of Computer Engineering, Sungkyunkwan University, Korea
Dongho Won
Department of Computer Engineering, Sungkyunkwan University, Korea

Abstract
A three-party password-based authenticated key exchange (PAKE) protocol allows two clients registered with a trusted server to generate a common cryptographic key from their individual passwords shared only with the server. A key requirement for three-party PAKE protocols is to prevent an adversary from mounting a dictionary attack. This requirement must be met even when the adversary is a malicious (registered) client who can set up normal protocol sessions with other clients. This work revisits three existing three-party PAKE protocols, namely, Guo et al.’s (2008) protocol, Huang’s (2009) protocol, and Lee and Hwang’s (2010) protocol, and demonstrates that these protocols are not secure against offline and/or (undetectable) online dictionary attacks in the presence of a malicious client. The offline dictionary attack we present against Guo et al.’s protocol also applies to other similar protocols including Lee and Hwang’s protocol. We conclude with some suggestions on how to design a three-party PAKE protocol that is resistant against dictionary attacks
Keywords
1. Introduction
K ey exchange (also known as key establishment) is defined to be any process whereby a shared high-entropy key (also known as a session key) becomes available to two or more parties for subsequent cryptographic use. Password-based authenticated key exchange (PAKE) protocols are a class of key exchange protocols, and enable two or more parties communicating over a public network to generate a session key from their low-entropy passwords which are easy for humans to remember. It is generally regarded that the design of secure key exchange protocols (including PAKE protocols) is notoriously hard [1] [2] [3] [4] , and conducting security analysis for such protocols is time-consuming and error-prone. One of the key challenges in designing a PAKE protocol, for example, is to prevent dictionary attacks, in which an attacker exhaustively enumerates all possible passwords to discover the correct password. Dictionary attacks have been used by both criminals as well as law enforcement officers and digital forensics practitioners to gain access to password-protected data (e.g. on smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms - see Elcomsoft Phone Password Breaker http://www.elcomsoft.com/eppb.html ). The difficulty of designing PAKE protocols secure against dictionary attacks is increased in the three-party setting. Unlike the two-party setting where each pair of parties is assumed to hold a shared password, the three-party setting assumes that each party (commonly known as a client) shares no password with other clients but holds their individual password shared only with a trusted server. Therefore in three-party PAKE protocols, protocol designers would have to consider the security of passwords against attacks by malicious clients who can set up normal protocol sessions with other clients (see [5] [6] [7] [8] [9] ).
Dictionary attacks can be classified into two types, online and offline. Unlike offline dictionary attacks where password guesses can be verified offline, online dictionary attacks are the ones where the attacker verifies each password guess via a new online transaction with the server. However, detectable online dictionary attacks are considered as insignificant since the server may lock out the problematic client after a certain number of invalid transactions. Informally, a three-party PAKE protocol is secure if detectable online dictionary attacks are the best possible attacks that an adversary can mount against the protocol. In other words, three-party PAKE protocols should be able to resist undetectable online dictionary attacks as well as offline dictionary attacks.
In this work, we revisit three existing three-party PAKE protocols, namely, Guo et al.’s (2008) protocol [10] , Huang’s (2009) protocol [11] , and Lee and Hwang’s (2010) protocol [12] . We demonstrate that all three protocols are insecure against dictionary attacks in the presence of a malicious client. More specifically, we mount an offline dictionary attack against Guo et al.’s protocol, a combined offline and online dictionary attack against Huang’s protocol, and an undetectable online dictionary attack against Lee and Hwang’s protocol. The offline dictionary attack mounted against Guo et al.’s protocol also applies to Lee and Hwang’s protocol and the protocols of [13] [14] [6] (see Section 2.2). By identifying these vulnerabilities, we hope that similar security failures can be prevented in the future design of three-party PAKE protocols. We present simple countermeasures for Guo et al.’s protocol and Lee and Hwang’s protocol, but the existence of a security proof for the modified protocols remains an open question. We also suggest ways in which designers of three-party PAKE protocols can reduce the possibility of dictionary attacks.
2. Revisiting Guo et al.’s Protocol
This section revisits the three-party PAKE protocol proposed by Guo, Lia, Mu and Zhang in 2008 [10] , and demonstrates that this protocol is susceptible to an offline dictionary attack in the presence of a malicious client.
- 2.1 Protocol Description
In the three-party setting, a trusted server S provides its registered clients with a central authentication service. Let A and B be two registered clients who wish to establish a session key, and pwA and pwB denote the passwords of A and B respectively shared with S via a secure channel. The protocol’s public parameters include:
  • A finite cyclic groupGof prime orderq, and a generatorgofG.
  • Two elementsMandNof groupG.
  • A two-party PAKE protocol 2PAKE.
  • Two hash functionsF: {0,1}*→GandH: {0,1}*→{0,1}ℓ, whereℓrepresents the bit length of session keys.
  • A message authentication code (MAC) scheme consisting of two algorithms, namely a MAC generation algorithmMacand a MAC verification algorithmVer. Here,Veroutputs a bit, with 1 meaning accept and 0 meaning reject.
The protocol depicted in Fig. 1 works as follows:
1. A (and B ) and S establish a shared secret key kAS ( kBS respectively) by running the two-party protocol 2PAKE.
2. A chooses a random x Zq , computes X = gx , X * = X · MpwA and δA = Mac kAS ( X * ), and send < A , X * , δA > to B .
3. B selects a random y Zq , computes Y = gy , Y * = Y · NpwB and δB = Mac kBS ( Y * ), and send < A , X * , δA , B , Y * , δB > to S .
4. Using Ver , S verifies that δA and δB are both valid. If either verification fails, S aborts the protocol. Othereise, S recovers X = X * / MpwA and Y = Y * / Y · NpwB , selects a random z Zq , and compute
PPT Slide
Lager Image
Then S sends
PPT Slide
Lager Image
to B .
PPT Slide
Lager Image
Guo et al.’s three-party PAKE protocol [10]
5. After receiving
PPT Slide
Lager Image
, B computes
PPT Slide
Lager Image
B Then sends
PPT Slide
Lager Image
to A .
6. Upon receiving
PPT Slide
Lager Image
, A computes
PPT Slide
Lager Image
A then checks if the equation α = F ( A B K ) holds. If it does not hold, A aborts the protocol. Otherwise, A computes the session key sk = H ( A B K ) and β = F ( B A K ), and sends< β > to B .
7. B checks if the equation β = F ( B A K ) holds. If it holds, B coputes the session key sk = H ( A B K ). Othrwise, B aborts the protocol.
The correctness of the protocol is straightforward to verify, as shown below.
PPT Slide
Lager Image
and
PPT Slide
Lager Image
- 2.2 A Previously Unpublished Offline Dictionary Attack, and a Simple Fix
Guo et al.’s protocol described above is vulnerable to the following dictionary attack where a malicious client A is able to verify all guesses on the password of client B in an offline manner.
Step 1. The attacker A initiates the protocol with the targeted client B , establishes a shared secret key kAS with S , and then sends the message < A , X * , δA > to B .
Step 2. A eavesdrops on the message < A , X * , δA , B , Y * , δB > sent by B to S .
Step 3. When S sends the message
PPT Slide
Lager Image
to B , A replaces it with the forged message
PPT Slide
Lager Image
where
PPT Slide
Lager Image
Since
PPT Slide
Lager Image
was replaced with
PPT Slide
Lager Image
, B will compute α as
PPT Slide
Lager Image
where
PPT Slide
Lager Image
Step 4. Once the message
PPT Slide
Lager Image
is received from B , A aborts the protocol indicating that the session-key computation has failed due to an unexpected error, and then computes
PPT Slide
Lager Image
Step 5. A makes a guess
PPT Slide
Lager Image
on the password pwB and computes
PPT Slide
Lager Image
Step 6. A verifies the correctness of
PPT Slide
Lager Image
by checking that α is equal to α '. If they are equal, then
PPT Slide
Lager Image
is the correct password with an overwhelming probability.
Step 7. A repeats Steps 5 & 6 until the correct password is found.
This offline dictionary attack can have devastating implications for all clients registered with the server since the attack is likely to go undetected and the victim could be any of the clients. A possible countermeasure against the attack is to modify the server’s message from
PPT Slide
Lager Image
to
PPT Slide
Lager Image
where
PPT Slide
Lager Image
and
PPT Slide
Lager Image
Guo et al.’s protocol was proposed as a fix to the flaws they found on the protocol of Lu and Cao (2007) [13] . We note that the offline dictionary attack above also applies to Lu and Cao’s protocol [13] - see Appendix A - as well as its successors [14] [6] .
3. Revisiting Huang’s Protocol
In 2009, Huang [11] proposed a three-party PAKE protocol, claiming that the proposed protocol provides both security and efficiency without recourse to the use of server’s public keys. However in 2011, Yoon and Yoo [8] pointed out that Huang’s protocol is vulnerable not only to undetectable online dictionary attacks but also to offline dictionary attacks. In the same year, Lin and Hwang [9] also presented an undetectable online dictionary attack against Huang’s protocol. In this section, we present a different (previously unpublished) dictionary attack against Huang’s protocol, which is a combination of offline dictionary attacks and (undetectable) online dictionary attacks.
- 3.1 Protocol Description
Let A and B be two clients who wish to establish a session key, and pwA and pwB denote the passwords of A and B respectively shared with a trusted server S . Let p be a large prime number such that p -1 has a large prime factor q . Let G be a cyclic multiplicative subgroup of
PPT Slide
Lager Image
that has a prime order q , and g be a random generator of G (and the original protocol specification requires q ≥2 256 ).
The protocol depicted in Fig. 2 works as follows:
1. A chooses a random number x Zq and computes
PPT Slide
Lager Image
where h is a cryptographic hash function and the symbol
PPT Slide
Lager Image
denotes the bitwise XOR operation. A sends < A , RA > to B .
2. B selects a random number y Zq and computes
PPT Slide
Lager Image
B then sends < A , RA , B , RB > to S .
3. After receiving < A , RA , B , RB > from B , S recovers X and Y by computing
PPT Slide
Lager Image
Next, S selects a random number y Zq and computes
PPT Slide
Lager Image
PPT Slide
Lager Image
S then < RSA , RSB > to B .
PPT Slide
Lager Image
Huang’s three-party PAKE protocol [11]
4. Upon receiving < RSA , RSB > from S , B computes
PPT Slide
Lager Image
Then B sends < RSA , σB > to A
5. After receiving < RSA , σB > from B , A computes
PPT Slide
Lager Image
Then, A checks whether the equation σB = h ( K B ) holds or not. If it does not hold, A aborts the protocol. Otherwise, A sets the session key sk equal to K , computes σA = h ( K A ), and sends σA to B .
6. B checks whether the equation σA = h ( K A ) holds or not. If it does not hold, B aborts the protocol. Otherwise, B sets the session key to sk = K .
The correctness of the protocol can be easily verified as shown below.
PPT Slide
Lager Image
and
PPT Slide
Lager Image
- 3.2 A Previously Unpublished Combined Offline and Online Dictionary Attack
Our dictionary attack against Huang’s protocol exploits two flaws in the design of the protocol: (1) the server does not authenticate any message from the clients and (2) the publicly transmitted keying materials ( i.e., RA , RB , RSA and RSB ) are computed using the bitwise XOR operation when the multiplicative subgroup G is not closed under the XOR operation.
Let D be the set of all possible passwords. Assume that B is a malicious client who wants to discover the password of client A . The attack works as follows:
Step 1. The attacker B runs the protocol with client A and stores the first message < A , RA > received from A .
Step 2. For each
PPT Slide
Lager Image
, B computes
PPT Slide
Lager Image
and checks whether X' is an element of G or not. If X' G , B deletes
PPT Slide
Lager Image
from the dictionary
PPT Slide
Lager Image
If X' G , then
PPT Slide
Lager Image
. If we assume that p is a safe prime (i.e., p =2 q +1), this step would cut the size of D about in half.
Step 3. B generates RB as specified in the protocol and sends < A , RA , B , RB > to S , indicating that A and B want to establish a session key. After receiving < RSA , RSB > from S , B proceeds to step to Step 4.
Step 4. For each
PPT Slide
Lager Image
, B computes
PPT Slide
Lager Image
and checks whether
PPT Slide
Lager Image
or not. If
PPT Slide
Lager Image
, B set D = D ,
PPT Slide
Lager Image
.
The number of iterations of Steps 3 & 4 required to determine the correct password is bounded by log 2 |D| in the p =2 q +1. If p is much greater than q (e.g., log 2 p =1024 and log 2 q =512), performing Step 2 once will be sufficient to determine the correct password (with an overwhelming probability) and thus, no iterative pruning is needed.
It appears that there is no quick tweak we can apply to make Huang’s protocol resistant to dictionary attacks such as the above. Note that simply replacing the bitwise XOR operation with the multiplicative operation would make the protocol vulnerable to such an attack as the one we presented against Guo et al.’s protocol in Section 2.2.
4. Revisiting Lee and Hwang’s Protocol
We now revisit the last of the three protocols, namely Lee and Hwang’s three-party PAKE protocol [12] ―S-IA-3PAKE.
- 4.1 Protocol Description
Let S be the trusted server, and A and B be two registered clients of S who wish to establish a shared session key. We denote the passwords of A and B by pwA and pwB respectively. The S-IA-3PAKE protocol uses the following public parameters: (1) a large prime p and a generator g of Zp , (2) two random elements M and N of Zp , (3) cryptographic hash function H used as a key derivation function, and (4) a pair of MAC generation/verification algorithms ( Mac,Ver ), where Ver outputs a bit, with 1 meaning accept and 0 meaning reject.
S-IA-3PAKE (see Fig. 3 ) works as follows:
Step 1. A chooses a random x Zp , computes X = gx and X * = X · MpwA , and sends * > to S . At the same time, S chooses a random u Zp , computes U = gu and U * = U · NpwA , and sends < U * >to A . A and S then recover U and X respectively, and establish a shared secret key kAS = gxu .
Step 2. B chooses a random y Zp , computes Y = gy and Y * = Y · MpwB , and sends< Y * > to S . At the same time, S chooses a random v Zp , computes V = gv and V * = V · NpwB , and sends < V * > B . B and S recovr V and Y respectively, and cmpute the shared secret key kBS = gyv .
Step 3. S chooses a random w Zp and computes
PPT Slide
Lager Image
S then sends
PPT Slide
Lager Image
and
PPT Slide
Lager Image
to A and B respectively.
Step 4. A computes the key derivation secret,
PPT Slide
Lager Image
, and the session key, skA = H ( A B KA ). Meanwhile, B computes
PPT Slide
Lager Image
and skB = H ( A B KB ).
Step 5. A and B perform key confirmation by exchanging σAB = Mac skA ( A B ) and σBA = Mac skB ( B A ) and verifying them in the straightforward way.
The correctness of S-IA-3PAKE can be easily verified from KA = KB = gxyw .
- 4.2 A Previously Unpublished Undetectable Online Dictionary Attack, and a Simple Fix
We now demonstrate that S-IA-3PAKE is susceptible to a previously unpublished undetectable online dictionary attack. Suppose that A is a malicious client who wants to discover the password of client B . The attack works as follows:
Step 1. The attacker A notifies the server S that she wants to establish a session key with B .
Step 2. A chooses a random x Zp , computes X = gx and X * = X · MpwA , sends S the message < X * > with its true identity.
Step 3. A makes a guess
PPT Slide
Lager Image
on the pwB , computes Y * as
PPT Slide
Lager Image
, and sends S the message < Y * > as if is from B .
PPT Slide
Lager Image
S-IA-3PAKE: Lee and Hwang’s three-party PAKE protocol [12]
Step 4. After receiving U * = U · NpwA form S , A computes the secret key kAS = gxu as per the protocol specification.
Step 5. When S sends V * = V · NpwB to B , A intercepts it and computes
PPT Slide
Lager Image
and
PPT Slide
Lager Image
.
Step 6. If
PPT Slide
Lager Image
is the correct password, then the value
PPT Slide
Lager Image
computed by S would be equal to
PPT Slide
Lager Image
After receiving
PPT Slide
Lager Image
and intercepting
PPT Slide
Lager Image
, A computes
PPT Slide
Lager Image
and verifies the correctness of
PPT Slide
Lager Image
by checking that
PPT Slide
Lager Image
is equal to
PPT Slide
Lager Image
. Note that if
PPT Slide
Lager Image
, then it must hold that
PPT Slide
Lager Image
.
This online dictionary attack is undetectable and can be mounted repeatedly until the correct password is found. An obvious fix is to add client-to-server authentication, where both clients A and B send the authenticators σAS = Mac kAS ( A B S ) and σBS = Mac kBS ( B A S ) to the server S respectively
The S-IA-3PAKE protocol is also vulnerable to an offline dictionary attack similar to the one we presented against Guo et al.’s protocol in Section 2.2. Due to similarity, we omit the details of the attack scenario. To address this vulnerability, we recommend to modify the server’s messages
PPT Slide
Lager Image
and
PPT Slide
Lager Image
respectively to
PPT Slide
Lager Image
and
PPT Slide
Lager Image
, where
PPT Slide
Lager Image
and
PPT Slide
Lager Image
.
5. Concluding Remarks
We have examined several existing three-party PAKE protocols, including Guo et al.’s (2008) protocol [10] , Huang’s (2009) protocol [11] , and and Hwang’s (2010) protocol [12] , and demonstrated that they are vulnerable to previously unpublished offline and/or online dictionary attacks by a malicious client. This research confirms that achieving password security in the presence of a malicious client remains a challenging task in designing an efficient three-party PAKE protocol. Based on our findings, we propose that designers of three-party PAKE protocols should consider the following principles to mitigate dictionary attacks:
  • Authenticate all the keying materials sent from the server to the clients, as this measure will increase the protocol’s resilience against offline dictionary attacks.
  • Do not use an operation under which the underlying group is not closed, when generating a password-entangled protocol message; the use of such an operation may result in the protocol being vulnerable to a combined offline and online dictionary attack similar to our attack against Huang’s protocol (see Section 3).
  • Ensure that all clients send at least one message to the server in an authenticated manner. Otherwise, the protocol is likely to be susceptible to an undetectable online dictionary attack.
Guo et al.’s protocol and Huang’s protocol do not have accompanying proofs of security. Although Lee and Hwang’s protocol carries a proof of security, the proof model used does not allow the adversary to corrupt protocol participants and thus cannot capture any kind of insider attacks, in particular, offline and online dictionary attacks by a malicious client. In other words, our dictionary attacks do not invalidate the existing proof of security for Lee and Hwang’s protocol. As such, we recommend that protocol designers choose an appropriate proof model that adequately captures all the security requirements, so that protocol implementers can be assured of the security properties of protocols.
BIO
Junghyun Nam received the B.E. degree in Information Engineering from Sungkyunkwan University, Korea, in 1997. He received his M.S. degree in Computer Science from University of Louisiana, Lafayette, in 2002, and the Ph.D. degree in Computer Engineering from Sungkyunkwan University, Korea, in 2006. He is now an associate professor in Konkuk University, Korea. His research interests include cryptography and computer security.
Kim-Kwang Raymond Choo received the PhD in Information Security from Queensland University of Technology in 2006. He has (co-)authored a number of publications including a book published in Springer’s “Advances in Information Security” book series, a book published by Elsevier (Forewords written by Australia’s Chief Defence Scientist and Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories), and six refereed monographs; and is the recipient of the 2010 ACT Pearcey Award, 2009 Fulbright Scholarship, 2008 Australia Day Achievement Medallion, British Computer Society’s Wilkes Award for the best paper published in the 2007 volume of The Computer Journal, 2007 Queensland University of Technology Faculty of Information Technology Executive Dean’s outstanding Ph.D. thesis commendation, and the 2005 Australasian Conference on Information Security and Privacy’s Best Student Paper Award.
Moonseong Kim received the M.S. degree in Mathematics, August 2002 and the Ph.D. degree in Electrical and Computer Engineering, February 2007 both from Sungkyunkwan University, Korea. He was a research professor at Sungkyunkwan University in 2007. From December 2007 to October 2009, he was a visiting scholar in ECE and CSE, Michigan State University, USA. Since October 2009, he has been a patent examiner in Information and Communication Examination Bureau, Korean Intellectual Property Office (KIPO), Korea. His research interests include wired/wireless networking, sensor networking, mobile computing, network security protocols, and simulations/numerical analysis.
Juryon Paik received the B.E. degree in Information Engineering from Sungkyunkwan University, Korea, in 1997. She received her M.E. and Ph.D. degrees in Computer Engineering from Sungkyunkwan University in 2005 and 2008, respectively. Currently, she is a research professor at the Department of Computer Engineering, Sungkyunkwan University. Her research interests include XML mining, semantic mining, and web search engines.
Dongho Won received his B.E., M.E., and Ph.D. degrees from Sungkyunkwan University in 1976, 1978, and 1988, respectively. After working at ETRI (Electronics & Telecommunications Research Institute) from 1978 to 1980, he joined Sungkyunkwan University in 1982, where he is currently Professor of School of Information and Communication Engineering. In the year 2002, he served as the President of KIISC (Korea Institute of Information Security & Cryptology). He was the Program Committee Chairman of the 8th International Conference on Information Security and Cryptology (ICISC 2005). His research interests are on cryptology and information security.
References
Boyd C. , Choo KKR. 2005 “Security of Two-Party Identity-Based Key Agreement” Progress in Cryptology – Mycrypt 2005 LNCS Article (CrossRef Link) 3715 229 - 243
Choo KKR. , Boyd C. , Hitchcock Y. 2005 “Errors in Computational Complexity Proofs for Protocols” Advances in Cryptology − Asiacrypt 2005 LNCS Article (CrossRef Link) 3788 624 - 643
Choo KKR. , Boyd C. , Hitchcock Y. 2006 “TheImportance of Proofs of Security for Key Establishment Protocols: Formal Analysis of Jan-Chen, Yang-Shen-Shieh, Kim-Huh-Hwang-Lee, Lin-Sun-Hwang, and Yeh-Sun Protocols” Computer Communications Article (CrossRef Link) 29 (15) 2788 - 2797    DOI : 10.1016/j.comcom.2005.10.030
Gorantla M. , Boyd C. , Nieto J. , Manulis M. 2011 “Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols” ACM Transactions on Information and System Security Article 28, Article (CrossRef Link) 14 (4)    DOI : 10.1145/2043628.2043629
Chen H. , Chen T. , Lee W. , Chang C. 2008 “Security Enhancement for a Three-Party Encrypted Key Exchange Protocol against Undetectable On-Line Password Guessing Attacks” Computer Standards&Interfaces Article (CrossRef Link) 30 (1-2) 95 - 99
Nam J. , Paik J. , Kang H. , Kim U. , Won D. 2009 “An Off-Line Dictionary Attack on a Simple Three-Party Key Exchange Protocol” IEEE Communications Letters Article (CrossRef Link) 13 (3) 205 - 207    DOI : 10.1109/LCOMM.2009.081609
Lo N. , Yeh K. 2009 “Cryptanalysis of Two Three-Party Encrypted Key Exchange Protocols” Computer Standards&Interfaces Article (CrossRef Link) 31 (6) 1167 - 1174
Yoon E. , Yoo K. 2011 “Cryptanalysis of a Simple Three-Party Password-Based Key Exchange Protocol” International Journal of Communication Systems Article (CrossRef Link) 24 (4) 532 - 542    DOI : 10.1002/dac.1168
Lin C. , Hwang T. 2011 “On ‘a Simple Three-Party Password-Based Key Exchange Protocol’” International Journal of Communication Systems Article (CrossRef Link) 24 (11) 1520 - 1532    DOI : 10.1002/dac.1304
Guo H. , Li Z. , Mu Y. , Zhang X. 2008 “Cryptanalysis of Simple Three-Party Key Exchange Protocol” Computers&Security Article (CrossRef Link) 27 (1) 16 - 21
Huang H. 2009 “A Simple Three-Party Password-Based Key Exchange Protocol” International Journal of Communication Systems Article (CrossRef Link) 22 (7) 857 - 862    DOI : 10.1002/dac.1002
Lee T. , Hwang T. 2010 “Simple Password-Based Three-Party Authenticated Key Exchange without Server Public Keys” Information Sciences Article (CrossRef Link) 180 (9) 1702 - 1714    DOI : 10.1016/j.ins.2010.01.005
Lu R. , Cao Z. 2007 “Simple Three-Party Key Exchange Protocol” Computers&Security Article (CrossRef Link) 26 (1) 94 - 97
Chung H. , Ku W. 2008 “Three Weaknesses in a Simple Three-Party Key Exchange Protocol” Information Sciences Article (CrossRef Link) 178 (1) 220 - 229    DOI : 10.1016/j.ins.2007.08.004