earticle

영어

Protocols for password-based authenticated key exchange (PAKE) enable two or more parties communicating over a public network to build a secure communication channel using their easy-to-remember passwords. However, off-line dictionary attacks have always been a major security concern in designing such password-based protocols. Compared with the two-party setting, the concern is significantly increased in the three-party setting where insider attacks may be mounted. In this paper, we identified an inherent flaw in the design of Nam et al.’s three-party PAKE protocol (IEEE Communications Letters, 13(3), 2009) and Lu and Cao’s protocol (Computers & Security, 26(1), 2007) and demonstrated that both protocols are susceptible to a previously unpublished off-line dictionary attack. We hope that by identifying this design flaw, similar structural mistakes can be avoided in future design. We conclude the paper with a simple countermeasure.