Nam Junghyun, Choo Kim-Kwang Raymond, Park Minkyu, Paik Juryon, Won Dongho
Department of Computer Engineering, Konkuk University, 268 Chungwondaero, Chungju, Chungcheongbuk-do 380-701, Republic of Korea.
Information Assurance Research Group, Advanced Computing Research Centre, University of South Australia, Mawson Lakes, SA 5095, Australia.
ScientificWorldJournal. 2014;2014:479534. doi: 10.1155/2014/479534. Epub 2014 Sep 1.
Authenticated key exchange protocols are of fundamental importance in securing communications and are now extensively deployed for use in various real-world network applications. In this work, we reveal major previously unpublished security vulnerabilities in the password-based authenticated three-party key exchange protocol according to Lee and Hwang (2010): (1) the Lee-Hwang protocol is susceptible to a man-in-the-middle attack and thus fails to achieve implicit key authentication; (2) the protocol cannot protect clients' passwords against an offline dictionary attack; and (3) the indistinguishability-based security of the protocol can be easily broken even in the presence of a passive adversary. We also propose an improved password-based authenticated three-party key exchange protocol that addresses the security vulnerabilities identified in the Lee-Hwang protocol.
认证密钥交换协议对于保障通信安全至关重要,目前已广泛应用于各种实际网络应用中。在这项工作中,我们揭示了Lee和Hwang(2010)提出的基于密码的认证三方密钥交换协议中以前未公开的主要安全漏洞:(1)Lee-Hwang协议容易受到中间人攻击,因此无法实现隐式密钥认证;(2)该协议无法保护客户端密码免受离线字典攻击;(3)即使在存在被动对手的情况下,该协议基于不可区分性的安全性也很容易被破解。我们还提出了一种改进的基于密码的认证三方密钥交换协议,该协议解决了Lee-Hwang协议中发现的安全漏洞。
