Key Laboratory of Cryptography and Network Security, Hangzhou Normal University, Hangzhou, China.
Tianjin Key Laboratory of Advanced Networking, School of Computer Science and Technology, Tianjin University, Tianjin, China.
PLoS One. 2018 Oct 5;13(10):e0203984. doi: 10.1371/journal.pone.0203984. eCollection 2018.
Recently, Lu et al. claimed that Xie et al.'s three-party password-authenticated key agreement protocol (3PAKA) using chaotic maps has three security vulnerabilities; in particular, it cannot resist offline password guessing attack, Bergamo et al.'s attack and impersonation attack, and then they proposed an improved protocol. However, we demonstrate that Lu et al.'s attacks on Xie et al.'s scheme are unworkable, and their improved protocol is insecure against stolen-verifier attack and off-line password guessing attack. Furthermore, we propose a novel scheme with enhanced security and efficiency. We use formal verification tool ProVerif, which is based on pi calculus, to prove security and authentication of our scheme. The efficiency of the proposed scheme is higher than other related schemes.
最近,Lu 等人声称 Xie 等人使用混沌映射的三方密码认证密钥协商协议(3PAKA)存在三个安全漏洞;特别是,它不能抵抗离线密码猜测攻击、Bergamo 等人的攻击和冒充攻击,然后他们提出了一个改进的协议。然而,我们证明了 Lu 等人对 Xie 等人方案的攻击是不可行的,他们的改进协议在面对窃取验证器攻击和离线密码猜测攻击时是不安全的。此外,我们提出了一种具有增强安全性和效率的新方案。我们使用基于 pi 演算的形式验证工具 ProVerif 来证明我们方案的安全性和认证性。所提出方案的效率高于其他相关方案。
