Multi-party Password-Authenticated Key Exchange Scheme with Privacy Preservation for Mobile Environment
KSII Transactions on Internet and Information Systems (TIIS). 2015. Dec, 9(12): 5135-5149
Copyright © 2015, Korean Society For Internet Information
  • Received : April 17, 2014
  • Accepted : October 19, 2015
  • Published : December 31, 2015
Chung-Fu Lu

Abstract
Communications among multiple parties must be fast, cost effective and secure. Today's computing environments, such as Internet conferencing and multi-user games, involve many participants, who together establish a common session key to enable secure group communication. A multi-party password-based authenticated key exchange scheme allows users to communicate securely over an insecure network using only easy-to-remember passwords. Kwon et al. proposed a practical three-party password-based authenticated key exchange (3-PAKE) scheme that lets two users establish a session key through a server without pre-sharing a password between them. However, Kwon et al.'s scheme does not meet the security requirements of key authentication, key confirmation and anonymity. In this paper, we present a novel, simple and efficient multi-party password-based authenticated key exchange (M-PAKE) scheme based on elliptic curve cryptography for the mobile environment. The proposed scheme requires only two rounds of messages. Furthermore, it not only satisfies the security requirements for a PAKE scheme but also achieves efficient computation and communication.
1. Introduction
Password authenticated key exchange (PAKE) studies how to establish secure communication between two or more parties based solely on their passwords. The key challenge of password-based schemes is that the memorable password associated with each user has low entropy. It is not easy to protect the password against dictionary attacks, in which an adversary ends up with the correct password after exhaustively testing all candidate passwords against known password verifiers. The intrinsic problem in designing PAKE schemes is therefore to preserve password security against dictionary attacks.
In 1992, Bellovin and Merritt proposed the first two-party PAKE protocol (2-PAKE) [1], in which two entities A and B share a human-memorable password to establish a common session key. Because a 2-PAKE protocol is not suitable for large peer-to-peer architectures, many researchers have concentrated on extending Bellovin and Merritt's scheme to the three-party setting or on improving its performance. Three-party password-based authenticated key exchange (3-PAKE) is a simple and important mechanism that allows each user to choose his own password and share it with a server. A 3-PAKE scheme requires a trusted server that shares an easy-to-remember password with each user. However, because human memory is limited, people prefer natural-language phrases as their passwords, which makes 3-PAKE schemes vulnerable to password guessing attacks [2]. Furthermore, the number of transmission rounds and the computational complexity are two important criteria for describing the performance of a 3-PAKE scheme [3-5].
Based on the Diffie-Hellman key exchange, Steiner et al. proposed a 3-PAKE protocol [6] in 1995. Thereafter, Ding et al. [2] and Sun et al. [7] pointed out that Steiner et al.'s scheme is vulnerable to undetectable on-line password guessing attacks, and Lin et al. [8] further showed that it suffers from off-line password guessing attacks as well. To eliminate these flaws, Sun et al. and Lin et al. separately used public key cryptography to prevent both undetectable on-line and off-line password guessing attacks. However, public key operations add considerable computational cost to a 3-PAKE protocol.
In 2004, Chang and Chang proposed a robust and efficient 3-PAKE protocol using a trapdoor one-way function [9]. Later, Chen et al. [10] and Yoon et al. [11] pointed out that Chang and Chang's scheme cannot resist undetectable on-line password guessing attacks, and each proposed an enhanced scheme to solve the problem. However, Lo and Yeh [12] showed that both the scheme of Chen et al. and that of Yoon et al. are still vulnerable to undetectable on-line password guessing attacks.
In 2005, Abdalla et al. proposed a formal security model for 3-PAKE with different passwords [13]. In terms of rounds and computational complexity, Abdalla et al.'s scheme requires six rounds and more than 17 modular exponentiations per user in the standard model. To improve its efficiency, Abdalla et al. presented a tailor-made protocol [14], but it fails to resist undetectable on-line dictionary attacks: the authors count this attack among the message-modification queries, which are limited to a certain number.
In 2008, Kwon et al. proposed a password-based 3-PAKE scheme with different passwords that achieves forward secrecy in the standard model [15]. Their scheme requires four rounds to achieve authentication between the users and the server, and it does not provide key authentication, key confirmation or user anonymity. In 2012, we proposed a PAKE scheme for the multi-party setting that meets the above security requirements and greatly improves efficiency [16]. Recent work on 3-PAKE is presented in [17-23].
With the emergence of the mobile environment, conventional 3-PAKE protocols face two common problems. First, the server and the users are not in the same domain, so the shared authenticated keys may be compromised without notice. Second, conventional 3-PAKE protocols require high on-line communication and computation costs during session key agreement, which creates excessive overhead for users with devices of low computational capacity.
Despite recent research aimed at reducing the computation and energy costs of public key operations, the protocols that have been successfully applied in traditional wired networks are not suitable for low-power devices such as mobile networks and WSNs [24, 25]. Although RSA is well established, elliptic curve cryptography (ECC) has attracted more attention, and more commercial interest, because its smaller key size reduces storage, CPU consumption and transmission requirements [26].
In this paper, we propose a multi-party PAKE (M-PAKE) scheme based on ECC for the mobile environment. The proposed scheme achieves better performance by requiring only two rounds of messages and meets the security requirements. It is more efficient than previously proposed schemes in terms of computational complexity and communication cost. Furthermore, it provides entity authentication, confidentiality of the private key and the session key, forward secrecy, user anonymity, key authentication and key confirmation.
The paper is organized as follows. In Section 2, we revisit the password-based 3-PAKE scheme of Kwon et al. We present our proposed scheme in Section 3. The security analysis and performance evaluation are given in Section 4. Finally, Section 5 concludes the paper.
2. Revisiting Kwon et al.'s 3-PAKE scheme
In this section, we review the 3-PAKE scheme [15] of Kwon et al., which requires four rounds to achieve authentication between the users and the server.
  • Initialization. Each user U_i ∈ U for i ∈ {1, 2} obtains pw_i at the beginning of the scheme by using a password generation algorithm PG(1^k). Based on the decisional Diffie-Hellman assumption, let p' and q' be safe primes such that p' = 2q' + 1. Let g_1 and g_2 be generators of a finite cyclic group G of order q'. Let H() be a hash function, F() a secure pseudorandom function family, and MAC_K(m) a message authentication code, where m is a message and K is a key. Assume that each user U_i and the server S share the public information (G, p', q', g_1, g_2, H(), F()) and the identities of the users exchanging a session key.
  • Round 1. Each user U_i chooses a random number x_i, computes X_iS from x_i and PW_i mod p', and sends (I_i, X_iS) to the server S, where I_i is the identity of U_i. Then S chooses random numbers y_i, computes X_Si from y_i and PW_i mod p' for i ∈ {1, 2}, and broadcasts (I_S, X_S1, X_S2), where I_S is the identity of the server S.
  • Round 2. Upon receiving (I_S, X_S1, X_S2) from the server S, the user U_i computes K_iS = (X_Si / PW_i)^{x_i} mod p' and a_iS = MAC_{K_iS}(I_i ║ I_S ║ X_iS ║ X_Si). Then U_i sends (I_i, a_iS) to S.
  • Round 3. Upon receiving (I_i, a_iS), S computes a_Si = MAC_{K_Si}(I_i ║ I_S ║ X_iS ║ X_Si), where K_Si = (X_iS / PW_i)^{y_i} mod p' for i ∈ {1, 2}, and compares it with a_iS. If a_Si and a_iS are identical, a_iS is verified. If both a_1S and a_2S are verified, S chooses a random number, computes Y_Si mod p' and a_Si = MAC_{K_Si}(I_i ║ I_{i+1} ║ Y_Si), and sends (I_S ║ Y_Si ║ a_Si) to each user U_i.
  • Round 4. Upon receiving (I_S ║ Y_Si ║ a_Si), each user U_i compares a_Si with MAC_{K_iS}(I_i ║ I_{i+1} ║ Y_Si). If they are identical, U_i computes K_i = (Y_Si)^{x_i} mod p' and the session key sk_i = F_{K_i}(I_1, I_S, I_2), where F_{K_i}() is a secure pseudorandom function and I_1
Kwon et al.'s scheme does not provide key authentication, key confirmation or user anonymity. The identity I_i of user U_i is transmitted in plaintext, so user privacy can easily be intruded upon, especially in the mobile environment. In terms of key confirmation, after the session key sk is distributed to each user U_i, nothing in Kwon et al.'s scheme assures the other parties that U_i actually possesses sk. In addition, for the mobile environment the efficiency of authenticated key exchange should be one of the core considerations, yet the modular exponentiations used in Kwon et al.'s scheme are expensive.
3. The Proposed Scheme
In this section, we present the proposed M-PAKE scheme with privacy preservation for the mobile environment. The logical architecture of the scheme is shown in Fig. 1. Without loss of generality, let U = {U_1, U_2, ..., U_n} be a set of n users, S a trusted server, and M = n + 1 the total number of communicating parties. Using the passwords PW_1, PW_2, ..., PW_n secretly shared with the server S, the users in U cooperate to generate a valid session key. The notation used in the proposed M-PAKE scheme is listed in Table 1. The scheme consists of three phases: system setup, user registration, and multi-party PAKE. We outline these phases here; detailed descriptions are given in the subsections below.
Fig. 1. Logical architecture for the proposed M-PAKE scheme
Table 1. Notations
  • Phase 1. System setup phase: The trusted server defines the system parameters and generates its private/public key pair. Finally, the trusted server publishes the system parameters and keeps the private key secret.
  • Phase 2. User registration phase: Each user must register with the trusted server before the multi-party PAKE. The trusted server cooperates with the registering user to generate the password shared between them.
  • Phase 3. Multi-party PAKE phase: Using only two rounds of messages, all participating users cooperate with the trusted server to generate the secret session key.
    ● Each participating user sends his authenticator and session key contribution to the trusted server. The trusted server authenticates all participating users and generates the session key derivation information.
    ● The trusted server sends its authenticator and session key information to each participating user. All participating users authenticate the server and explicitly verify the authenticity of the established session key.
- 3.1 System setup phase
Initially, the server S determines a large prime p and a non-supersingular elliptic curve EC_p(a, b): y^2 = x^3 + ax + b (mod p), where a, b ∈_R Z*_p and 4a^3 + 27b^2 mod p ≠ 0. The server S further determines a large prime q and a base point G of order q over EC_p(a, b), where q is a divisor of the number of points on EC_p(a, b). Let O be the point at infinity over EC_p(a, b), Q_i.x / Q_i.y be the x-coordinate / y-coordinate of the point Q_i, and H_1, H_2, H_3, H_4 be secure one-way hash functions that accept a variable-length input and produce a fixed-length output over GF(q). The private and public keys of the server S are x_S and Y_S respectively, where x_S ∈_R Z_q and Y_S = x_S G. Let E/D be a secure symmetric encryption/decryption function. Finally, the server S publishes (p, q, EC_p(a, b), O, H_1, H_2, H_3, H_4, G, Y_S, E, D) and keeps x_S secret.
- 3.2 User registration phase
When a user U_i wants to use the multi-party PAKE service, he has to register beforehand with the trusted server S. The user U_i obtains pw_i at the start of the scheme by using a password generation algorithm PG(1^l), where l is the bit length of the password pw_i. When subscribing to the multi-party PAKE service, the user U_i receives the point PW_i = H_1(I_i ║ I_S ║ pw_i) G, secretly shared between the user and the server, the identity I_i, and the public information (p, q, EC_p(a, b), O, H_1, H_2, H_3, H_4, G, Y_S, E, D).
- 3.3 Multi-party PAKE phase
The multi-party PAKE phase requires only two rounds of messages. Without loss of generality, let U = {U_1, U_2, ..., U_n} be the set of n users that want to agree on a secret session key shared among them. All the users cooperate with the trusted server S to generate the secret session key. The procedure of the M-PAKE phase is as follows (depicted in Fig. 2).
Fig. 2. The multi-party PAKE phase
  • Step 1. Each user U_i chooses a random number r_i and computes R_i = r_i G, A_i = r_i Y_S, mac_i = H_2(A_i.x ║ PW_i.x ║ I_i ║ t_i), m_i = mac_i ║ I_i and C_i = E_{A_i.x}(m_i). Finally, U_i sends its authenticator/session key contribution (R_i, C_i, t_i) to the trusted server S, where t_i is the current timestamp.
  • Step 2. The trusted server S authenticates all participating users and generates the session key derivation information by performing the following sub-steps.
  • Step 2-1. Upon receiving (R_i, C_i, t_i) from U_i at time T_i (for i = 1, 2, ..., n), S checks the validity of the interval between t_i and T_i. If (T_i − t_i) ≥ ΔT, S rejects the request, where ΔT denotes the expected valid time interval for transmission delay.
  • Step 2-2. The server S computes A_i = x_S R_i and m_i = D_{A_i.x}(C_i), and verifies the legitimacy of the user U_i: if mac_i = H_2(A_i.x ║ PW_i.x ║ I_i ║ t_i) does not hold, S rejects the request.
  • Step 2-3. The server S chooses a random number r_S and computes Y_S,i = r_S R_i, K = H_3(R_S ║ Y_S,1.x ║ Y_S,2.x ║ … ║ Y_S,n.x ║ t_S) and δ_i = H_4(A_i.x ║ K ║ I_S). Finally, S sends its authenticator/session key information t_S, (Y_S,i, δ_i) for i = 1, 2, ..., n to each user U_i, where t_S is the current timestamp.
  • Step 3. Upon receiving t_S, (Y_S,i, δ_i) for i = 1, 2, ..., n at time T_i', each user U_i checks the validity of the interval between t_S and T_i'. If (T_i' − t_S) ≥ ΔT, where ΔT denotes the expected valid time interval for transmission delay, U_i rejects the request. Otherwise, U_i computes R_S (from its r_i and Y_S,i) and K = H_3(R_S ║ Y_S,1.x ║ Y_S,2.x ║ … ║ Y_S,n.x ║ t_S), and verifies δ_i = H_4(A_i.x ║ K ║ I_S). If it holds, U_i accepts the session key K; otherwise, U_i rejects the request.
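The two-round M-PAKE phase above, executed end to end for n users with both sides' messages, as an added example; this is not code from the paper or its author. It assumes secp256k1 for EC_p(a, b), G and q (the paper leaves the curve open), SHA-256 with a domain-separation byte for H_1 to H_4, a keyed SHA-256 keystream as a stand-in for the unspecified E/D, R_S = r_S G (the page is garbled where U_i recovers R_S; here U_i computes it as r_i^{-1} Y_S,i, which agrees with Section 4.1's remark that R_S is reachable from r_i or r_S), and a hypothetical ΔT of 60 s. The identifiers run_session, user_step1, server_step2, user_step3, register, ED and H are this example's own.

```python
import hashlib
import hmac
import secrets

# Group: secp256k1 (assumption; the paper leaves p, q and EC_p(a,b) unspecified).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
DELTA_T = 60  # accepted transmission delay in seconds (assumption)

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity O."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (teaching code, not constant-time)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def H(tag, *parts):
    """H_1..H_4 as SHA-256 with a domain-separation byte; ints are encoded as 32 bytes."""
    h = hashlib.sha256(bytes([tag]))
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return h.digest()

def ED(key_x, data):
    """Stand-in for the paper's unspecified E/D: XOR with a SHA-256 keystream keyed by
    A_i.x. The same call encrypts and decrypts. Toy only; real code needs an AEAD."""
    key, out = key_x.to_bytes(32, "big"), bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def register(I_i, I_S, pw_i):
    """Phase 2: the password point PW_i = H_1(I_i || I_S || pw_i) G shared by U_i and S."""
    return ec_mul(int.from_bytes(H(1, I_i, I_S, pw_i), "big") % N, G)

def user_step1(I_i, PW_i, Y_S, t_i):
    """Step 1: returns U_i's private state (r_i, A_i) and the message (R_i, C_i, t_i)."""
    r_i = secrets.randbelow(N - 1) + 1
    R_i, A_i = ec_mul(r_i, G), ec_mul(r_i, Y_S)
    mac_i = H(2, A_i[0], PW_i[0], I_i, t_i)
    return (r_i, A_i), (R_i, ED(A_i[0], mac_i + I_i), t_i)

def server_step2(x_S, I_S, registry, msgs, T, t_S):
    """Step 2: check every (R_i, C_i, t_i) received at time T; registry maps I_i -> PW_i.
    Returns (t_S, [(Y_S,i, delta_i)], K) on success, None if any check fails."""
    A_list = []
    for R_i, C_i, t_i in msgs:
        if T - t_i >= DELTA_T: return None   # Step 2-1: stale or replayed request
        A_i = ec_mul(x_S, R_i)               # x_S (r_i G) == r_i (x_S G) == A_i
        m_i = ED(A_i[0], C_i)
        mac_i, I_i = m_i[:32], m_i[32:]      # C_i also carries I_i (user anonymity)
        PW_i = registry.get(I_i)
        if PW_i is None or not hmac.compare_digest(mac_i, H(2, A_i[0], PW_i[0], I_i, t_i)):
            return None                      # Step 2-2: wrong password or forged C_i
        A_list.append(A_i)
    r_S = secrets.randbelow(N - 1) + 1
    R_S = ec_mul(r_S, G)                     # assumption: R_S = r_S G
    Y = [ec_mul(r_S, R_i) for R_i, _, _ in msgs]   # Y_S,i = r_S R_i
    K = H(3, R_S[0], *[y[0] for y in Y], t_S)
    return t_S, [(Y[i], H(4, A_list[i][0], K, I_S)) for i in range(len(msgs))], K

def user_step3(i, state, I_S, t_S, reply, T_prime):
    """Step 3: recover R_S = r_i^-1 Y_S,i, recompute K, verify delta_i (key confirmation)."""
    if T_prime - t_S >= DELTA_T: return None
    r_i, A_i = state
    Y_Si, delta_i = reply[i]
    R_S = ec_mul(pow(r_i, -1, N), Y_Si)
    K = H(3, R_S[0], *[y[0] for y, _ in reply], t_S)
    return K if hmac.compare_digest(delta_i, H(4, A_i[0], K, I_S)) else None

def run_session(passwords, sent_passwords=None, now=1_700_000_000):
    """Drive one M-PAKE phase for len(passwords) users (constructed sample identities).
    Returns (server K, [user keys]) or None when the server rejects a request."""
    I_S, x_S = b"server", secrets.randbelow(N - 1) + 1      # Phase 1: x_S, Y_S = x_S G
    Y_S = ec_mul(x_S, G)
    ids = [b"user%d" % i for i in range(len(passwords))]
    registry = {I: register(I, I_S, pw) for I, pw in zip(ids, passwords)}
    states, msgs = [], []
    for I, pw in zip(ids, sent_passwords or passwords):
        st, msg = user_step1(I, register(I, I_S, pw), Y_S, now)   # user recomputes PW_i
        states.append(st); msgs.append(msg)
    res = server_step2(x_S, I_S, registry, msgs, now + 1, now + 1)
    if res is None: return None
    t_S, reply, K = res
    return K, [user_step3(i, states[i], I_S, t_S, reply, now + 2) for i in range(len(ids))]
```

run_session returns the server's K together with the K that each user accepted after checking δ_i, so equality of all of them is the key confirmation property in action. The two server-side checks in Step 2 are where the scheme's replay and on-line guessing protection lives: a message whose t_i is older than ΔT is dropped before any curve arithmetic, and a wrong password changes PW_i and therefore mac_i. Note that ED is not an authenticated cipher; the integrity of C_i rests entirely on mac_i being verified after decryption, which is why the server must never act on I_i before that check.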
4. Security Analysis and Performance Evaluation
- 4.1 Security analysis
The security of the proposed scheme is based on the elliptic curve discrete logarithm problem (ECDLP) [27 - 29] and the one-way hash function (OWHF) assumption [30 , 31] .
Elliptic curve discrete logarithm problem (ECDLP):
We assume that the elliptic curve contains a large prime-order subgroup (order q, at least 160 bits), which is large enough to make solving discrete logarithms in that subgroup infeasible. Given two points P and Q of the elliptic curve with Q = xP, where x is an integer, it is computationally infeasible to find x from Q = xP.
One way hash function (OWHF) assumption:
If a hash function h is one-way, it must satisfy the following conditions:
  • It is computationally infeasible to find a message m from its hash value h(m).
  • For any message m_1, it is computationally infeasible to find another message m_2 such that h(m_2) = h(m_1).
  • It is computationally infeasible to find a pair of different messages m_1 and m_2 such that h(m_1) = h(m_2).
In the following, we present the analysis on the security of our proposed scheme. The proposed scheme can withstand possible attacks and satisfies the following security requirements:
- (1) Entity authentication
The proposed scheme provides mutual authentication between the server S and each user U_i. To authenticate the legitimacy of user U_i, the server checks
mac_i = H_2(A_i.x ║ PW_i.x ║ I_i ║ t_i), with A_i = x_S R_i.
The adversary can generate a valid mac_i to cheat the server only if he knows the user's password point PW_i. Security of PW_i is based on the OWHF assumption as analyzed above.
On the other hand, each user U_i authenticates the legitimacy of the server by checking
δ_i = H_4(A_i.x ║ K ║ I_S).
The adversary can masquerade as the server to any user U_i only if he can correctly derive A_i and PW_i. Security of A_i and PW_i is protected under the ECDLP and the OWHF assumption as discussed above.
- (2) Confidentiality of private key
Consider the scenario of a compromising attack that an adversary attempts to derive server’s private key xS . With the knowledge of server’s public key YS = xSG , the adversary will face the ECDLP to derive xS .
- (3) Confidentiality of the established session key
In the proposed scheme, the session key K is generated as K = H_3(R_S ║ Y_S,1.x ║ Y_S,2.x ║ … ║ Y_S,n.x ║ t_S). Only one secret variable, R_S, contributes to the key generation. The adversary can compromise R_S, and hence derive K, only if he knows r_i or r_S, because
Y_S,i = r_S R_i = r_S r_i G.
Recovering r_i from R_i or r_S from Y_S,i is an ECDLP. On the other hand, if the adversary attempts to derive K from the intercepted message δ_i = H_4(A_i.x ║ K ║ I_S), he faces the intractability of reversing the one-way hash function (the OWHF problem). Hence, the confidentiality of the session key is protected under the ECDLP and the OWHF assumption.
- (4) Confirmation of the established session key
In addition, the proposed scheme provides explicit key authentication (also called key confirmation): all users can explicitly verify the authenticity of the established session key. The message δ_i = H_4(A_i.x ║ K ║ I_S) serves as the authenticator for this purpose. If the session key K is not correctly computed as K = H_3(R_S ║ Y_S,1.x ║ Y_S,2.x ║ … ║ Y_S,n.x ║ t_S), the verification
δ_i = H_4(A_i.x ║ K ║ I_S)
fails. If it holds, K is the session key shared among all participating users, and every participating user has explicitly verified the authenticity of the established session key.
- (5) Session key contribution
We show that the proposed scheme is a contributory key agreement, in which every participating user contributes a share to the session key. The session key is computed as K = H_3(R_S ║ Y_S,1.x ║ Y_S,2.x ║ … ║ Y_S,n.x ║ t_S). The secret random number r_i is chosen by user U_i and thereby contributes to the session key generation. This means that each user contributes equally to the session key and guarantees its freshness in each session; that is, no participant can predetermine the session key. Hence, the proposed scheme is a contributory key agreement.
- (6) Forward secrecy
Forward secrecy guarantees that an adversary who compromises a long-term private key or one session key cannot recover previously established session keys. In the proposed scheme, the session key K is generated as K = H_3(R_S ║ Y_S,1.x ║ Y_S,2.x ║ … ║ Y_S,n.x ║ t_S). The session key is protected by the secret R_S, and recovering r_S from Y_S,i = r_S R_i is an ECDLP. Even if the server's private key x_S is disclosed for some reason, an adversary who knows x_S still cannot compute K without R_S. Hence, the adversary cannot derive any session key from the compromised private key x_S.
Consider an adversary who has compromised one session key and attempts to derive a previously established one. Since the scheme is contributory, the session key of each session is refreshed by fresh random secret values; the session keys can be regarded as random values generated jointly by all participants. Hence, an adversary who knows one session key cannot derive a previous one, which implies forward secrecy.
- (7) User anonymity
The user sends the request (R_i, C_i, t_i) to the server in each login. An adversary may analyze the login message, but it is infeasible to derive the identity of the user from it: I_i enters mac_i = H_2(A_i.x ║ PW_i.x ║ I_i ║ t_i) only through the one-way hash function, and the timestamp t_i differs between sessions, so the values of one user are not linkable across sessions. Therefore, the adversary cannot identify the person who wants to log in.
The identity I_i of user U_i is carried encrypted inside C_i, so no identity-related information is leaked on the channel. The server decrypts C_i on receipt and thereby recognizes the participating user U_i. An eavesdropper who wants to recover I_i must first obtain the decryption key A_i.x = (r_i Y_S).x from R_i and Y_S, which is an ECDLP, and then faces the intractability of the one-way hash function. Therefore, user anonymity is achieved through the encrypted message C_i.
- (8) Replay attack and impersonation attack
In a replay attack, the attacker listens to the communication between the sender and the receiver and later replays a message of the user or the server. The proposed scheme uses timestamps to withstand replay attacks. Since the timestamp t_i or t_S is bound into mac_i or K, the adversary cannot replay intercepted messages to masquerade as a valid user or server: a replayed message fails the freshness check (T_i − t_i) ≥ ΔT or (T_i' − t_S) ≥ ΔT. This also implies that the proposed scheme withstands impersonation attacks.
On the other hand, an adversary may try to impersonate a legitimate user by forging a message from information obtained from the scheme. To forge a valid login, the adversary needs (A_i, mac_i, m_i), which he cannot obtain from the intercepted values R_i, C_i and t_i. Therefore, the proposed scheme is secure against impersonation attacks.
- (9) Off-line dictionary attack
It is hard for any adversary to derive the user password pwi or server private key xs from recorded messages, because the adversary will face the OWHF assumption and the ECDLP.
- 4.2 Performance Evaluation
In this subsection, we evaluate the performance of the proposed scheme and compare it with related schemes in Table 2. The computational complexity represents how many (and how heavy) cryptographic operations, such as symmetric encryption or one-way hashing, are used in the protocol. We use the following notation:
Table 2. Performance comparisons of 3-PAKE schemes
T_MAC: the time for computing a strongly unforgeable MAC;
T_F: the time for computing a secure pseudorandom function;
T_H: the time for computing a one-way hash function (T_H ≈ 4 T_MUL);
T_EM / T_EA: the time for computing a point multiplication / addition on an elliptic curve (T_EM ≈ 29 T_MUL, T_EA ≈ 0.12 T_MUL);
T_MUL / T_EXP / T_INV: the time for computing a modular multiplication / exponentiation / inversion (T_EXP ≈ 240 T_MUL, T_INV ≈ 10 T_MUL);
T_SE / T_SD: the time for performing a symmetric encryption / decryption (T_SE ≈ T_H ≈ 4 T_MUL, T_SD ≈ T_H ≈ 4 T_MUL);
n: the number of participating users that want to agree on a secret session key shared among them;
|a|: the bit-length of a variable a.
Table 2 compares the total computation costs required by a user and by the server in the proposed protocol and in related schemes. The time for modular addition and for XOR is ignored, as it is negligible compared with the other operations. From [32-35], the time complexities can be regarded as T_EM ≈ 29 T_MUL, T_EA ≈ 0.12 T_MUL, T_EXP ≈ 240 T_MUL, T_INV ≈ 10 T_MUL and T_H ≈ 4 T_MUL. To facilitate the comparison in Fig. 3, we converted the costs of all operations into T_MUL units. The results indicate that the proposed scheme imposes significantly lower computational costs than previously proposed schemes.
Fig. 3. Comparison of computational costs
For the communication overhead, we let the one-way hash function be SHA-1 [36] (160-bit output), |p'| = 1024 bits, |q'| = 160 bits and |p| = |q| = 163 bits. The timestamp t, the identity and the MAC value are all assumed to be 160 bits. On this basis we compared the size of the messages transmitted by the proposed scheme and by related schemes; Fig. 4 presents the results. The communication overhead of user i in the proposed scheme is 2*163 + 2*160 + 160 bits, and that of the server S is 4*163 + 2*160 + 160 bits. The results indicate that the proposed scheme imposes significantly lower communication costs than previously proposed schemes.
Fig. 4. Size comparison of messages transmitted
Table 2, Fig. 3 and Fig. 4 show that the proposed scheme is more efficient than previously proposed schemes in terms of computational complexity and communication overhead.
We also summarize the functionalities of the proposed scheme and compare them with related schemes in Table 3. It shows that our scheme achieves key authentication, key confirmation and user anonymity. A transmission round comprises all independent messages that can be sent and received in parallel, and the proposed scheme arranges all independent messages into one round. It therefore requires only two rounds of messages, fewer than previously proposed schemes.
Table 3. Comparisons of main functionalities
5. Conclusion
Many 3-PAKE protocols have been proposed in recent years. We have scrutinized the recently published protocol of Kwon et al. and observed that it lacks key authentication, key confirmation and anonymity. To improve efficiency and solve the security problems of that 3-PAKE scheme, we proposed a multi-party PAKE scheme with privacy preservation based on ECC.
ECC has attracted attention and commercial interest because its smaller key size reduces storage, CPU consumption and transmission requirements. The proposed scheme uses ECC, which offers the striking advantage of a much shorter key than conventional algorithms (e.g., RSA) at an equivalent security level. Additionally, the proposed scheme requires only two rounds of messages and achieves better performance. Accordingly, it is suitable for application in the mobile environment.
Furthermore, our proposed scheme provides entity authentication, confidentiality of the private key and the session key, forward secrecy, user anonymity, key authentication and key confirmation. The proposed scheme is more efficient than previously proposed schemes and meets the security requirements.
The proposed scheme assumes that the server is honest and follows the required security service agreement. However, malicious servers are still possible, and we therefore plan to develop an M-PAKE scheme for multi-server mobile networks that withstands malicious behaviour even by the servers themselves.
BIO
Chung-Fu Lu received the B.S. and M.S. degree in Electrical Engineering from National Taiwan University of Science and Technology in 1991 and 1993 respectively. He received the Ph.D degree in information management from the National Taiwan University of Science and Technology, Taiwan in 2011. Since August 2011, he has been the Associate Professor in the Department of Information Management, Chihlee University of Technology, Taiwan. His current research includes cryptography, information security, network security, and mobile commerce.
References
[1] Bellovin S. M., Merritt M., "Encrypted key exchange: Password-based protocols secure against dictionary attacks," in Proc. of the 1992 IEEE Computer Society Conference on Research in Security and Privacy, May 4-6, 1992, pp. 72-84.
[2] Ding Y., Horster P., "Undetectable on-line password guessing attack," ACM SIGOPS Operating Systems Review, 29(4), pp. 77-86, 1995. DOI: 10.1145/219282.219298
[3] Chen H. B., Chen T. H., Lee W. B., Chang C. C., "Security enhancement for a three-party encrypted key exchange protocol against undetectable online password guessing attacks," Computer Standards & Interfaces, 30(1-2), pp. 95-99, 2008. DOI: 10.1016/j.csi.2007.08.010
[4] Lee T. F., Hwang T., Lin C. L., "Enhanced three-party encrypted key exchange without server public keys," Computers and Security, 23(7), pp. 571-577, 2004. DOI: 10.1016/j.cose.2004.06.007
[5] Blake-Wilson S., Menezes A., "Authenticated Diffie-Hellman key agreement protocols," in Proc. of the 5th Annual Workshop on Selected Areas in Cryptography (SAC'98), August 17-18, 1998, pp. 339-361.
[6] Steiner M., Tsudik G., Waidner M., "Refinement and extension of encrypted key exchange," ACM SIGOPS Operating Systems Review, 29(3), pp. 22-30, 1995. DOI: 10.1145/206826.206834
[7] Sun H. M., Chen B. C., Hwang T., "Secure key agreement protocols for three-party against guessing attacks," Journal of Systems and Software, 75(1-2), pp. 63-68, 2005. DOI: 10.1016/j.jss.2003.11.017
[8] Lin C. L., Sun H. M., Hwang T., "Three-party encrypted key exchange: attacks and a solution," ACM SIGOPS Operating Systems Review, 34(4), pp. 12-20, 2000. DOI: 10.1145/506106.506108
[9] Chang C. C., Chang Y. F., "A novel three-party encrypted key exchange protocol," Computer Standards & Interfaces, 26(5), pp. 471-476, 2004. DOI: 10.1016/j.csi.2003.12.001
[10] Chen T. H., Lee W. B., Chen H. B., "A round- and computation-efficient three-party authenticated key exchange protocol," Journal of Systems and Software, 81(9), pp. 1581-1590, 2008. DOI: 10.1016/j.jss.2007.11.720
[11] Yoon E. J., Yoo K. Y., "Improving the novel three-party encrypted key exchange protocol," Computer Standards & Interfaces, 30(5), pp. 309-314, 2008. DOI: 10.1016/j.csi.2007.08.018
[12] Lo N. W., Yeh K. H., "Cryptanalysis of two three-party encrypted key exchange protocols," Computer Standards & Interfaces, 31(6), pp. 1167-1174, 2009. DOI: 10.1016/j.csi.2009.03.002
[13] Abdalla M., Fouque P. A., Pointcheval D., "Password-based authenticated key exchange in the three-party setting," in Public Key Cryptography - PKC 2005, January 23-26, 2005, pp. 65-84.
[14] Abdalla M., Pointcheval D., "Interactive Diffie-Hellman assumptions with applications to password-based authentication," in Proc. of the 9th International Conference on Financial Cryptography (FC 2005), February 28-March 3, 2005, pp. 341-356.
[15] Kwon J. O., Jeong I. R., Lee D. H., "Practical password-authenticated three-party key exchange," KSII Transactions on Internet and Information Systems, 2(6), pp. 312-332, 2008. DOI: 10.3837/tiis.2008.06.003
[16] Lu C. F., Lin Y. L., Hsu C. L., "Password-based authenticated multi-party key exchange scheme with privacy preservation," in Proc. of the 2012 International Conference on e-Commerce, e-Administration, e-Society, e-Education, and e-Technology (e-CASE & e-Tech 2012), March 30-April 1, 2012.
[17] Wu S., Chen K., Zhu Y., "Enhancements of a three-party password-based authenticated key exchange protocol," The International Arab Journal of Information Technology, 10(3), pp. 215-221, 2013.
[18] Hsu C. L., Lin T. W., "Password authenticated key exchange protocol for multi-server mobile networks based on Chebyshev chaotic map," in Proc. of the 2013 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops), March 18-22, 2013, pp. 90-95.
[19] Farash M. S., Attari M. A., "An enhanced and secure three-party password-based authenticated key exchange protocol without using server's public-keys and symmetric cryptosystems," Information Technology and Control, 43(2), pp. 143-150, 2014. DOI: 10.5755/j01.itc.43.2.3790
[20] Lee Y., "Cryptanalysis and improvement of a password-based authenticated three-party key exchange protocol," International Journal of Security and Its Applications, 8(4), pp. 151-160, 2014. DOI: 10.14257/ijsia.2014.8.4.14
[21] Amin R., Biswas G. P., "Cryptanalysis and design of a three-party authenticated key exchange protocol using smart card," Arabian Journal for Science and Engineering, pp. 1-15, 2015.
[22] Nam J., Choo K.-K. R., Han S., Paik J., Won D., "Two-round password-only authenticated key exchange in the three-party setting," Symmetry, 7(1), pp. 105-124, 2015. DOI: 10.3390/sym7010105
[23] Wei F., Ma J., Ge A., Li G., Ma C., "A provably secure three-party password authenticated key exchange protocol without using server's public-keys and symmetric cryptosystems," Information Technology and Control, 44(2), pp. 195-205, 2015.
Nguyen H. T. T. , Guizani M. , Minho J. , Huh E. N. 2009 “An Efficient Signal-Range-Based Probabilistic Key Predistribution Scheme in a Wireless Sensor Network,” IEEE Transactions on Vehicular Technology 58 (5) 2482 - 2497    DOI : 10.1109/TVT.2008.2008191
Nguyen H. T. T. , Minho J. , Nguyen T. D. , Huh E. N. 2012 “A beneficial analysis of deployment knowledge for key distribution in wireless sensor networks,” Security and Communication Networks 5 (5) 485 - 495    DOI : 10.1002/sec.337
Huang L. C. , Hwang M. S. 2013 “Two-party authenticated multiple-key agreement based on elliptic curve discrete logarithm problem,” International Journal of Smart Home 7 (1) 9 - 18
Menezes A. J. , Oorschot P. C. , Vanstone S. A. 1997 “Handbook of Applied Cryptography,” CRC Press Inc. Boca Raton, Florida
IEEE Std 1363-2000 Working Group 2000 “IEEE Standard Specifications for Public Key Cryptography,” The Institute of Electrical and Electronics Engineers, Inc. New York
Menezes A. 1993 “Elliptic curve public key cryptosystems,” Kluwer Academic Publishers Norwell, Massachusetts
Blake I. , Seroussi G. , Smart N. 1999 “Elliptic curves in cryptography,” Cambridge University Press Cambridge, United Kingdom
Diffie W. , Hellman M. 1976 “New directions in cryptography,” IEEE Transactions on Information Theory 22 (6) 644 - 654    DOI : 10.1109/TIT.1976.1055638
Koblitz N. , Menezes A. , Vanstone S. 2000 “The state of elliptic curve cryptography,” Designs, Codes and Cryptography 19 (2) 173 - 193    DOI : 10.1023/A:1008354106356
Chen T. S. , Hsu E. T. , Yu Y. L. 2006 “A New Elliptic Curve Undeniable Signature Scheme,” International mathematical forum 1 (31) 1529 - 1536
Hankerson D. , Hernandez J. L. , Menezes A. “Software Implementation of Elliptic Curve Cryptography over Binary Fields,” in Proc. of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2000 August 17-18, 2000 1 - 24
Contini S. , Lenstra A. K. , Steinfeld R. “VSH, an Efficient and Provable Collision-Resistant Hash Function,” in Proc. of 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology - EUROCRYPT 2006 May 28-June 1, 2006 165 - 182
2015 FIPS PUB 180-4, “Secure Hash Standard (SHS),” Information Technology Laboratory, National Institute of Standards and Technology (NIST) Gaithersburg, Maryland