Server Public Keys Research Articles

A Provably Secure Three-Party Password Authenticated Key Exchange Protocol without Using Server's Public-Keys and Symmetric Cryptosystems

Three-party password authenticated key exchange (3PAKE) protocols allow two clients to establish a common secure session key via the help of an authentication server, in which each client only needs to share a single password with the server. Many researchers pay attention to 3PAKE protocols since they are well suited for large-scale communication in mobile environments. Recently, Farash et al. proposed an enhanced 3PAKE protocol without using server's public-keys and symmetric cryptosystems. They claimed that their protocol is secure against various attacks. However, we found that Farash et al.'s protocol is vulnerable to partition attacks and off-line dictionary attacks. Moreover, their protocol needs 5 rounds to work, so it is inefficient in terms of communication. To overcome these shortcomings, we improve their protocol and propose a provably secure 3PAKE protocol, which is more efficient and secure than other related protocols.DOI: http://dx.doi.org/10.5755/j01.itc.44.2.8197

Verifier-based three-party authentication schemes using extended chaotic maps for data exchange in telecare medicine information systems

Telecare medicine information systems provide a communicating platform for accessing remote medical resources through public networks, and help health care workers and medical personnel to rapidly making correct clinical decisions and treatments. An authentication scheme for data exchange in telecare medicine information systems enables legal users in hospitals and medical institutes to establish a secure channel and exchange electronic medical records or electronic health records securely and efficiently. This investigation develops an efficient and secure verified-based three-party authentication scheme by using extended chaotic maps for data exchange in telecare medicine information systems. The proposed scheme does not require server's public keys and avoids time-consuming modular exponential computations and scalar multiplications on elliptic curve used in previous related approaches. Additionally, the proposed scheme is proven secure in the random oracle model, and realizes the lower bounds of messages and rounds in communications. Compared to related verified-based approaches, the proposed scheme not only possesses higher security, but also has lower computational cost and fewer transmissions.

An Enhanced and Secure Three-Party Password-based Authenticated Key Exchange Protocol without Using Server's Public-Keys and Symmetric Cryptosystems

Password-based authenticated key exchange protocol is a type of authenticated key exchange protocols which enables two or more communication entities, who only share weak, low-entropy and easily memorable passwords, to authenticate each other and establish a high-entropy secret session key. In 2012, Tallapally proposed an enhanced three-party password-based authenticated key exchange protocol to overcome the weaknesses of Huang’s scheme. However, in this paper, we indicate that the Tallapally’s scheme not only is still vulnerable to undetectable online password guessing attack, but also is insecure against off-line password guessing attack. Therefore, we propose a more secure and efficient scheme to overcome the security flaws. DOI: http://dx.doi.org/10.5755/j01.itc.43.2.3790

Secure Verifier-Based Three-Party Authentication Schemes without Server Public Keys for Data Exchange in Telecare Medicine Information Systems

Secure verified-based three-party authentication scheme for data exchange in telecare medicine information systems enables two users only store their verifiers computed from their actual password in authentication server's database. Then the authentication server can verify the users' verifiers and help them to exchange electronic medical records or electronic health records securely and conveniently. This investigation presents an efficient and secure verified-based three-party authentication scheme for data exchange in telecare medicine information systems. The proposed scheme does not use server's public keys and includes the key confirmation without extra numbers of messages and rounds. Compared to related verified-based approaches, the proposed scheme possesses higher security, has lower computational cost and fewer transmissions, and thus is suitable for the telecare medicine information systems.

Finding and fixing vulnerabilities in several three-party password authenticated key exchange protocols without server public keys

Three-party password-based authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key with the support from an authenticated server over an insecure channel. Several 3PAKE protocols, which do not require server public keys, have been proposed recently. In this paper, we use Chang et al.’s protocol as a case study and demonstrate that all of the 3PAKE protocols without server public keys are not secure against Key Compromise Impersonation (KCI) attack. A detailed analysis of flaw in these protocols has been conducted and we hope that by identifying this design flaw, similar structural mistakes can be avoided in future designs. Furthermore, we propose an improved protocol that remedies the weakness of these protocols and prove its security in a widely accepted model.

A Three-Party Password Authenticated Key Exchange Protocol with Key Confirmation

Three-party authenticated key exchange protocol is an important cryptographic technique in the secure communication areas, by which any two clients can verify the ability to use a server to establish communication. Recently, researchers have begun proposing new key exchange protocols that would not require the use of server public keys, but a human-memorable password. In this paper, we propose a new threeparty password authenticated key exchange protocol with key confirmation. The security of our proposed protocol relies on the hardness of the bilinear Diffie-Hellman problem and Diffie-Hellman problem in the random oracle model, and the proposed protocol achieves the security attributes: dictionary attack resilience, known session key security, perfect forward secrecy, no key compromise impersonation, no unknown key share and no key control.

A communication-efficient three-party password authenticated key exchange protocol

Three-party password authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key through an authentication server over an insecure channel. Clients only share an easy-to-remember password with the trusted server. In the related literature, most schemes employ the server public keys to ensure the identities of both the servers and symmetric cryptosystems to encrypt the messages. This paper describes an efficient 3PAKE based on LHL-3PAKE proposed by Lee et al. Our 3PAKE requires neither the server public keys nor symmetric cryptosystems such as DES. The formal proof of security of our 3PAKE is based on the computational Diffie–Hellman assumption in the random oracle model along with a parallel version of the proposed 3PAKE. The comparisons have shown that our 3PAKE is more practical than other 3PAKEs.

Simple password-based three-party authenticated key exchange without server public keys

Password-based three-party authenticated key exchange protocols are extremely important to secure communications and are now extensively adopted in network communications. These protocols allow users to communicate securely over public networks simply by using easy-to-remember passwords. In considering authentication between a server and user, this study categorizes password-based three-party authenticated key exchange protocols into explicit server authentication and implicit server authentication. The former must achieve mutual authentication between a server and users while executing the protocol, while the latter only achieves authentication among users. This study presents two novel, simple and efficient three-party authenticated key exchange protocols. One protocol provides explicit server authentication, and the other provides implicit server authentication. The proposed protocols do not require server public keys. Additionally, both protocols have proven secure in the random oracle model. Compared with existing protocols, the proposed protocols are more efficient and provide greater security.

Improving the novel three-party encrypted key exchange protocol

In 2004, Chang and Chang proposed a three-party encrypted key exchange (ECC-3PEKE) protocol without using the server's public keys. They claimed that their proposed ECC-3PEKE protocol is secure, efficient, and practical. Unlike their claims, the ECC-3PEKE protocol, however, is still susceptible to undetectable on-line password guessing attacks. Accordingly, the current paper demonstrates the vulnerability of Chang–Chang's ECC-3PEKE protocol regarding undetectable on-line password guessing attacks and than presents an enhancement to resolve such security problems.

Enhanced three-party encrypted key exchange without server public keys

This investigation proposes a secure and efficient three-party encrypted key exchange (3PEKE) protocol based on the LSSH-3PEKE protocol proposed by Lin et al. [Lin, C.-L., Sun, H.-M., Steiner, M., Hwang, T., 2001. IEEE Commun. Lett. 5 (12), 497–499]. The computational cost of the proposed protocol is equal to that of the LSSH-3PEKE protocol. However, the number of steps in communication is one fewer. A round efficient version of the same protocol is also described.

A novel three-party encrypted key exchange protocol

The passwords people can remember are usually simple or meaningful. In three-party key exchange protocols with password authentication, clients are allowed to share an easy-to-remember password with a trusted server such that two clients can communicate with each other through a common secret key without the existence of redundant keys. Such protocols are quite suitable for application when light-weight clients need secure communications. Steiner, Tsudik, and Waidner proposed a three-party protocol based on the encrypted key exchange (EKE) protocols in 1995; however, the proposed protocol suffered from off-line and undetectable on-line guessing attacks. In 2000, Lin, Sun, and Hwang proposed a secure three-party protocol with server's public keys. Because certificates are needed to verify the server's public keys to avoid impersonation attacks, this protocol is not practical for some environments. In 2001, Lin, Sun, Steiner and Hwang proposed a brand-new three-party protocol without servers' public keys. Nevertheless, more rounds are needed by using this protocol. In this paper, we propose a secure three-party EKE protocol with round efficiency.

Three-party encrypted key exchange without server public-keys

Three-party key-exchange protocols with password authentication-clients share an easy-to-remember password with a trusted server only-are very suitable for applications requiring secure communications between many light-weight clients (end users); it is simply impractical that every two clients share a common secret. Steiner, Tsudik and Waidner (1995) proposed a realization of such a three-party protocol based on the encrypted key exchange (EKE) protocols. However, their protocol was later demonstrated to be vulnerable to off-line and undetectable on-line guessing attacks. Lin, Sun and Hwang (see ACM Operating Syst. Rev., vol.34, no. 4, p.12-20, 2000) proposed a secure three-party protocol with server public-keys. However, the approach of using server public-keys is not always a satisfactory solution and is impractical for some environments. We propose a secure three-party EKE protocol without server public-keys.