1 Introduction

Password-based authenticated key exchange (PAKE) protocols allow two or more specified parties to authenticate each other and establish a high-entropy secret session key by using only the weak, low-entropy and easily memorable passwords. This authenticated key exchange scheme is the most widely used in practice because no additional devices such as smart cards or hardware tokens is needed, but just a human-memorable password for authenticating the parties.

Bellovin and Merritt [1] first proposed a two-party PAKE protocol in 1992. The protocol allowed two parties to authenticate each other via a public, insecure network and establish a secure session key which is to be used for protecting their subsequent communication. Then, many efficient and practical PAKE protocols [2,3,4,5,6] have been proposed. The above two-party protocols were not scalable in a large-scale peer-to-peer system, since every pair of communication parties needs to share a password, so that each party in an n-party system has to maintain n−1 passwords [7]. To solve this problem, Three-party password-based authenticated key exchange (3PAKE) protocols were introduced [8,9,10,11,12,13,14,15]. However, these 3PAKE protocols still existed some security problems such as on-line undetectable password guessing attack [16] and off-line password guessing attack [10].

In order to increase the efficiency and preventing various attacks, in 2005 Lee et al. [17] proposed an efficient verifier-based key agreement protocol for three parties without server’s public key. Lee et al. claimed the proposed protocol could resist various attacks and provide the perfect forward secrecy. Wang et al. [18] pointed out that it would be more dangerous when suffers from the impersonation attack in 2006. After the defects of Lee-3PAKE protocol are discovered, there are a lot of improved protocols, which are based on the three-party authenticated key exchange protocol. Kwon J O et al. [19] designed a secure three-party password authentication key agreement protocol, but the communication cost and computation cost of the protocol were larger than [17]. Li et al. [20] proposed an efficient three-party password-based authenticated key exchange protocol based on bilinear pairings. Recently, Xu et al. [21] proposed an efficient 3PAKE according to the Lee-3PAKA protocol, combined with symmetric encryption.

In this paper, we show that Xu et al.’s scheme is vulnerable to the stolen-verifier attack. In addition, we propose an improved scheme to solve this problem. The protocol also enjoys low computational complexity and is suitable for resource-constrained devices.

The rest of this paper is organized as follows. In Sect. 2, we review Xu et al.’s scheme. In Sect. 3, a stolen-verifier attack against their scheme is described in details. In Sect. 4, we propose an improved scheme and the security and performance analyses are discussed in Sect. 5. The paper is concluded in Sect. 6.

2 Review of Xu et al.’s Protocol

This section revisits the 3PAKE protocol proposed by Xu et al. [21].

2.1 Notations

The notations used throughout this paper are summarized in Table 1.

Table 1. Notations for the proposed protocols
Full size table

2.2 Protocol Description

For a detailed analysis, we review Xu et al.’s 3PAKE protocol [21]. The details of this protocol, shown in Fig. 1, are as follows:

Fig. 1.
figure 1

Authentication and key exchange phase of Xu et al.’s protocol

Full size image

Before the running of the protocol, Alice and Bob sends their verifiers \( {\text{h}}(pw_{A} ) \) and \( {\text{h}}(pw_{B} ) \) to S through a secure channel. S stores \( {\text{h}}(pw_{A} ) \) and \( {\text{h}}(pw_{B} ) \) in a password table.

Round 1: User A sends A and B to S.

$$ {\text{A}} \to {\text{S}}:A,B. $$

Round 2: After receiving the messages sent by A, S randomly chooses a and b, computes \( S_{A} = E_{{{\text{h}}(pw_{A} )}} (g^{a} ) \), \( S_{B} = E_{{{\text{h}}(pw_{B} )}} (g^{b} ) \) and then sends \( S_{A} \) and \( S_{B} \) to A and B, respectively.

$$ \begin{aligned} & {\text{S}}:{\text{a}},{\text{b}} \in_{R} \,Z_{p}^{*} \\ & {\text{S}}:S_{A} = E_{{{\text{h}}(pw_{A} )}} (g^{a} ). \\ & {\text{S}}:S_{B} = E_{{{\text{h}}(pw_{B} )}} (g^{b} ). \\ & {\text{S}} \to {\text{A}}:S_{A} . \\ & {\text{S}} \to {\text{ B}}:S_{B} . \\ \end{aligned} $$

Round 3: After receiving the message sent by S, A computes \( g^{a} = D_{{{\text{h}}(pw_{A} )}} (S_{A} ) \) and \( V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})) \) by choosing x \( \in_{R} \) \( Z_{p}^{*} \), and sends \( V_{AS} \) to S. Similarly, after receiving the message from S, B computes \( g^{b} = D_{{{\text{h}}(pw_{B} )}} (S_{B} ) \) and \( V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{by} ,{\text{A}},{\text{B}},{\text{S}})) \) by choosing y \( \in_{R} \) \( Z_{p}^{*} \), and sends \( V_{BS} \) to S.

$$ \begin{aligned} & {\text{A}}:g^{a} = D_{{{\text{h}}(pw_{A} )}} (S_{A} ). \\ & {\text{A}}:{\text{ x}} \in_{R} \,Z_{p}^{*} . \\ & {\text{A}}:V_{AS} = E_{{{\text{h}}(pw_{A} )}} \,(g^{x} ,{\text{ h(}}g^{ax} ,{\text{A}},{\text{B}},{\text{S}})). \\ & {\text{A}} \to {\text{S}}:V_{AS} \\ & {\text{B}}:g^{b} = D_{{{\text{h}}(pw_{B} )}} (S_{B} ). \\ & {\text{B}}:{\text{y}} \in_{R} \,Z_{p}^{*} . \\ & {\text{B}}:V_{BS} = E_{{{\text{h}}(pw_{B} )}} \,(g^{y} ,{\text{ h(}}g^{by} ,{\text{A}},{\text{B}},{\text{S}})). \\ & {\text{B}} \to {\text{S : }}V_{BS} \\ \end{aligned} $$

Round 4: After receiving the messages sent by A and B, S checks whether \( V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})) \) and \( V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{by} ,{\text{A}},{\text{B}},{\text{S}})) \) hold or not. If it holds, S computes \( V_{SA} = E_{{g^{ax} }} (g^{x} ,g^{y} ,{\text{A}},{\text{B}}) \) and \( V_{SB} = E_{{g^{by} }} (g^{x} ,g^{y} ,{\text{B}},{\text{A}}) \) and sends \( V_{SA} \) and \( V_{SB} \) to A and B, respectively. Otherwise S aborts the protocol.

$$ \begin{aligned} & {\text{S}}:{\text{Checks}} \\ & V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})). \\ & V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{ay} ,{\text{A}},{\text{B}},{\text{S}})). \\ & \text{S}:V_{SA} = E_{{g^{ax} }} (g^{x} ,g^{y} ,{\text{A}},{\text{B}}). \\ & \text{S}:V_{SB} = E_{{g^{by} }} (g^{x} ,g^{y} ,{\text{B}},{\text{A}}). \\ & {\text{S}} \to {\text{A}}:V_{SA} . \\ & {\text{S}} \to {\text{B}}:V_{SB} . \\ \end{aligned} $$

Finally: After receiving the message sent by S, A checks whether \( g^{x} \) \( \in \) (\( g^{x} \), \( g^{y} \), A, B) hold or not, If it holds, A computes \( K_{AB} = (g^{y} )^{x} \). Otherwise A aborts the protocol. Similarly, after receiving the message sent by S, B checks whether \( g^{y} \) \( \in \) (\( g^{x} \), \( g^{y} \), B, A) hold or not, If it holds, B computes \( K_{BA} = (g^{x} )^{y} \). Otherwise B aborts the protocol. Finally, A and B compute a common session key K = h(A, B, S, \( K_{AB} \)) = h(A, B, S, \( K_{BA} \)) = h(A, B, S, \( g^{xy} \)), respectively.

$$ \begin{aligned} & {\text{A}}:{\text{Checks}} \\ & \quad \quad \quad \,\,g^{x} \in (g^{x} ,g^{y} ,{\text{A}},{\text{B}}). \\ & {\text{A}}:K_{AB} = (g^{y} )^{x} . \\ & {\text{A}}:{\text{K}} = {\text{h}}({\text{A}},{\text{B}},{\text{S}},K_{AB} ). \\ & {\text{B}}:{\text{Checks}} \\ & \quad \quad \quad \,\,g^{y} \in (g^{x} ,g^{y} ,{\text{B}},{\text{A}}). \\ & {\text{B}}:K_{BA} = (g^{x} )^{y} \\ & {\text{B}}:{\text{K}} = {\text{h}}({\text{A}},{\text{B}},{\text{S}},K_{BA} ) \\ \end{aligned} $$

3 Attacks on Xu et al.’s 3PAKE Protocol

In this section, we show that Xu et al.’s 3PAKE is vulnerable to stolen-verifier attack.

Through the security analysis of the Xu-3PAKE protocol, the author points out that the protocol provides forward security and resist man-in-the-middle attack, Denning-Sacco attack, password guessing attack, stolen-verifier attack and replay attack. Among them, the author claims that the protocol cannot be directly impersonate the user when the adversary obtains the authentication value of a user’s password on the server, but in fact it still cannot resist the attack of the stolen-verifier.

According to the security model proposed by Dolev and Yao [23], an active attacker can control the communication channels through intercepting the communication and inserting data into the channels. Below are the details of our attacks.

The attack of the stolen-verifier:

We assume that M is an attacker who has got A’s verifier \( V_{A} \). M can impersonate A to communicate with B by performing the following steps.

Round 1: Like the normal interaction, M sends S the message(A, B).

$$ {\text{M}} \to {\text{S}}:{\text{A}},{\text{B}}. $$

Round 2: After receiving the messages sent by M, S randomly chooses a and b, computes \( S_{A} = E_{{{\text{h}}(pw_{A} )}} (g^{a} ) \), \( S_{B} = E_{{{\text{h}}(pw_{B} )}} (g^{b} ) \) and then sends \( S_{A} \) and \( S_{B} \) to A and B, respectively. But \( S_{A} \) is intercepted by M.

$$ \begin{aligned} & {\text{S}}:{\text{a}},{\text{b}}\, \in_{R} Z_{p}^{*} . \\ & {\text{S}}:S_{A} = E_{{{\text{h}}(pw_{A} )}} (g^{a} ). \\ & {\text{S}}:S_{B} = E_{{{\text{h}}(pw_{B} )}} (g^{b} ). \\ & {\text{S}} \to {\text{M}}:S_{A} . \\ & {\text{S}} \to {\text{B}}:S_{B} . \\ \end{aligned} $$

Round 3: After intercepting the message in Round 2, M computes \( g^{a} = D_{{{\text{h}}(pw_{A} )}} (S_{A} ) \) and \( V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})) \) by choosing x \( \in_{R} \) \( Z_{p}^{*} \), and sends \( V_{AS} \) to S. After receiving the message from S, B computes \( g^{b} = D_{{{\text{h}}(pw_{B} )}} (S_{B} ) \) and \( V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{by} ,{\text{A}},{\text{B}},{\text{S}})) \) by choosing y \( \in_{R} \) \( Z_{p}^{*} \), and sends \( V_{BS} \) to S.

$$ \begin{aligned} & {\text{M}}:g^{a} = D_{{{\text{h}}(pw_{A} )}} (S_{A} ). \\ & {\text{M}}:{\text{x}} \in_{R} \,Z_{p}^{*} . \\ & {\text{M}}:V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})). \\ & {\text{M}} \to {\text{S}}:V_{AS} . \\ & {\text{B}}:g^{b} = D_{{{\text{h}}(pw_{B} )}} (S_{B} ). \\ & {\text{B}}:{\text{y}}\, \in_{R} \,Z_{p}^{*} . \\ & {\text{B}}:V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{by} ,{\text{A}},{\text{B}},{\text{S}})). \\ & {\text{B}} \to {\text{ S}}:V_{BS} . \\ \end{aligned} $$

Round 4: After receiving the messages sent by M and B, S checks whether \( V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})) \) and \( V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{by} ,{\text{A}},{\text{B}},{\text{S}})) \) hold or not. If it holds, S computes \( V_{SA} = E_{{g^{ax} }} (g^{x} ,g^{y} ,{\text{A}},{\text{B}}) \) and \( V_{SB} = E_{{g^{by} }} (g^{x} ,g^{y} ,{\text{B}},{\text{A}}) \) and sends \( V_{SA} \) and \( V_{SB} \) to A and B, respectively, But \( V_{SA} \) is intercepted by M. Otherwise S aborts the protocol.

$$ \begin{aligned} & {\text{S}}:{\text{Checks}} \\ & \quad \quad \quad V_{AS} = E_{{{\text{h}}(pw_{A} )}} (g^{x} ,{\text{h}}(g^{ax} ,{\text{A}},{\text{B}},{\text{S}})). \\ & \quad \quad \quad V_{BS} = E_{{{\text{h}}(pw_{B} )}} (g^{y} ,{\text{h}}(g^{ay} ,{\text{A}},{\text{B}},{\text{S}})). \\ & \text{S}:V_{SA} = E_{{g^{ax} }} (g^{x} ,g^{y} ,{\text{A}},{\text{B}}). \\ & \text{S}:V_{SB} = E_{{g^{by} }} (g^{x} ,g^{y} ,{\text{B}},{\text{A}}). \\ & {\text{S}} \to {\text{M}}:V_{SA} . \\ & {\text{S}} \to {\text{B}}:V_{SB} . \\ \end{aligned} $$

Round 5: After intercepting the message in Round 4, M checks whether \( g^{x} \) \( \in \) (\( g^{x} \), \( g^{y} \), A, B) hold or not, If it holds, M computes \( K_{AB} = (g^{y} )^{x} \). Otherwise M aborts the protocol. After receiving the message sent by S, B checks whether \( g^{y} \) \( \in \) (\( g^{x} \), \( g^{y} \), B, A) hold or not, If it holds, B computes \( K_{BA} = (g^{x} )^{y} \). Otherwise B aborts the protocol. Then, M and B compute a common session key K = h(A, B, S, \( K_{AB} \)) = h(A, B, S, \( K_{BA} \)) = h(A, B, S, \( g^{xy} \)), respectively. Finally, B believes the common session key K = h(A, B, S, \( K_{AB} \)) is true. B also believes that he communicate with A. In fact, M gets the session key K = h(A, B, S, \( K_{AB} \)) and impersonates A to communicate with B.

$$ \begin{aligned} & {\text{M}}:{\text{Checks}} \\ & \quad \quad \quad \quad g^{x} \in (g^{x} ,g^{y} ,{\text{A}},{\text{B}}). \\ & {\text{M}}:K_{AB} = (g^{y} )^{x} . \\ & {\text{M}}:{\text{K}} = {\text{h}}({\text{A}},{\text{B}},{\text{S}},K_{AB} ) \\ & {\text{B}}:{\text{Checks}} \\ & \quad \quad \quad \quad g^{y} \in (g^{x} ,g^{y} ,{\text{B}},{\text{A}}). \\ & {\text{B}}:K_{BA} = (g^{x} )^{y} \\ & {\text{B}}:{\text{K}} = {\text{h}}({\text{A}},{\text{B}},{\text{S}},K_{BA} ) \\ \end{aligned} $$

4 Improved Scheme

In this section, we present an enhanced protocol to remedy the security loopholes existing in Xu et al.’s protocol. The protocol depicted in Fig. 2 works as follows:

Fig. 2.
figure 2

The proposed protocol

Full size image

Before the running of the protocol, Alice and Bob sends their verifiers \( V_{A} \) and \( V_{B} \) to S through a secure channel. S stores \( V_{A} \) and \( V_{B} \) in a password table.

Step 1: User A sends A and B to S.

$$ {\text{A}} \to {\text{S}}:{\text{A}},{\text{B}}. $$

Step 2: After receiving the messages sent by A, S randomly chooses z and c, computes \( S_{A} = V_{A}^{c} \), \( S_{B} = V_{B}^{c} \), \( K_{S} = E_{{g^{c} }} (g^{z} ) \) and then sends (\( S_{A} \), \( K_{S} \)) and (\( S_{B} \), \( K_{S} \)) to A and B, respectively.

$$ \begin{aligned} & {\text{S}}:{\text{z}},\,{\text{c}} \in_{R} \,Z_{p}^{*} . \\ & {\text{S}}:S_{A} = V_{A}^{c} . \\ & {\text{S}}:S_{B} = V_{B}^{c} . \\ & {\text{S}}:K_{S} = E_{{g^{c} }} (g^{z} ). \\ & {\text{S}} \to {\text{A}}:S_{A} ,K_{S} . \\ & {\text{S}} \to {\text{B}}:S_{B} ,K_{S} . \\ \end{aligned} $$

Step 3: After receiving the message sent by S, A computes \( g^{c} \) = \( (S_{A} )^{{t_{A}^{ - 1} }} \), \( g^{z} \) = \( D_{{g^{c} }} (K_{S} \)), \( g^{xz} = (g^{z} )^{x} \), and \( V_{AS} = E_{{g^{c} }} (g^{x} ,{\text{h}}(g^{xz} ,{\text{A}},{\text{B}},{\text{S}})) \) by choosing x \( \in_{R} \) \( Z_{p}^{*} \), and sends \( V_{AS} \) to S. Similarly, after receiving the message from S, B computes \( g^{c} = (S_{B} )^{{t_{B}^{ - 1} }} \), \( g^{z} = D_{{g^{c} }} (K_{S} ) \), \( g^{yz} = (g^{z} )^{y } \) and \( V_{BS} = E_{{g^{c} }} (g^{y} ,{\text{h}}(g^{yz} ,{\text{A}},{\text{B}},{\text{S}})) \) by choosing y \( \in_{R} \) \( Z_{p}^{*} \), and sends \( V_{BS} \) to S. Note that \( t_{A} \) = h(A, S, \( pw_{A} \)) and \( t_{B} \) = h(B, S, \( pw_{B} \)).

$$ \begin{aligned} & {\text{A}}:g^{c} = (S_{A} )^{{t_{A}^{ - 1} }} . \\ & {\text{A}}:g^{z} = D_{{g^{c} }} (K_{S} ). \\ & {\text{A}}:g^{xz} = (g^{z} )^{x} \,x\, \in_{R} \,Z_{p}^{*} . \\ & {\text{A}}:V_{AS} = E_{{g^{c} }} (g^{x} ,{\text{h}}(g^{xz} ,{\text{A}},{\text{B}},{\text{S}})) \\ & {\text{A}} \to {\text{S}}:V_{AS} . \\ & {\text{B}}:g^{c} = (S_{B} )^{{t_{B}^{ - 1} }} . \\ & {\text{B}}:g^{z} = D_{{g^{c} }} (K_{S} ). \\ & {\text{B}}:g^{yz} = (g^{z} )^{y} \,y\, \in_{R} \,Z_{p}^{*} . \\ & {\text{B}}:V_{BS} = E_{{g^{c} }} (g^{y} ,{\text{h}}(g^{yz} ,{\text{A}},{\text{B}},{\text{S}})) \\ & {\text{B}} \to {\text{S}}:V_{BS} . \\ \end{aligned} $$

Step 4: After receiving the messages sent by A and B, S computes \( g^{xz} = (g^{x} )^{z} \), \( g^{yz} = (g^{y} )^{z} \) by \( D_{{g^{c} }} (V_{AS} ) \) and \( D_{{g^{c} }} (V_{BS} ) \) and verifies whether h(\( g^{zx} \), A, B, S) = h(\( g^{xz} \), A, B, S), h(\( g^{zy} \), A, B, S) = h(\( g^{yz} \), A, B, S) or not. If they hold, S computes and sends \( V_{SA} {\text{ = h}}(g^{xz} ,g^{yz} ,{\text{A}},{\text{B}},{\text{S}}),\,K_{SA} = g^{yz} \oplus V_{A} . \) and \( V_{SB} {\text{ = h}}(g^{yz} ,g^{xz} ,{\text{B}},{\text{A}},{\text{S}}),\,K_{SB} = g^{xz} \oplus V_{B} . \) to A and B, respectively. Otherwise, S terminates the protocol.

$$ \begin{aligned} & {\text{S}}:D_{{g^{c} }} (V_{AS} ),\,D_{{g^{c} }} (V_{BS} ). \\ & {\text{S}}:g^{xz} = (g^{x} )^{z} \,g^{yz} = (g^{y} )^{z} \\ & {\text{S}}:{\text{Check}} \\ & \quad \quad \quad \,{\text{h}}(g^{zx} ,{\text{A}},{\text{B}},{\text{S}}) = {\text{h}}(g^{xz} ,{\text{A}},{\text{B}},{\text{S}}) \\ & \quad \quad \quad \,{\text{h}}(g^{zy} ,{\text{A}},{\text{B}},{\text{S}}) = {\text{h}}(g^{yz} ,{\text{A}},{\text{B}},{\text{S}}) \\ & {\text{True}}. \\ & {\text{S}}:V_{SA} {\text{ = h}}(g^{xz} ,g^{yz} ,{\text{A}},{\text{B}},{\text{S}}),\,K_{SA} = g^{yz} \oplus V_{A} . \\ & {\text{S}}:V_{SB} {\text{ = h}}(g^{yz} ,g^{xz} ,{\text{B}},{\text{A}},{\text{S}}),\,K_{SB} = g^{xz} \oplus V_{B} . \\ & {\text{S}} \to {\text{A}}:V_{SA} ,K_{SA} . \\ & {\text{S}} \to {\text{B}}:V_{SB} ,K_{SB} . \\ \end{aligned} $$

Finally: After receiving the message sent by S, A computes \( g^{yz} = K_{SA} \oplus V_{A} \), than verifies whether h(\( g^{xz} \), \( g^{yz} \), A, B, S) = \( V_{SA} \) or not. If it holds A computes \( K_{AB} = (K_{SA} \oplus V_{A} ) = g^{xyz} \) and K = h(A, B, S, \( K_{AB} \)). Otherwise, A terminates the protocol. Similarly, After receiving the message sent by S, B computes \( g^{xz} = K_{SB} \oplus V_{B} \), than verifies whether h(\( g^{yz} \), \( g^{xz} \), B, A, S) = \( V_{SB} \) or not. If it holds B computes \( K_{BA} = (K_{SB} \oplus V_{B} )^{y} = g^{xyz} \) and K = h(A, B, S, \( K_{BA} \)). Otherwise, B terminates the protocol. Finally, Alice and Bob negotiate a common session key K = h(A, B, S, \( K_{AB} \)) = h(A, B, S, \( K_{BA} \)).

5 Security Analysis and Performance Comparison

5.1 Security Analysis

In this section, we prove the security of 3PAKE using those definitions in [22].

Theorem 1.

The proposed protocol provides the property of the perfect forward secrecy.

Proof.

Perfect forward secrecy is provided in the situation that even though a password is compromised M cannot derive previous session keys. To analyze this, suppose that M knows the password pw Then M tries to find previous session keys from the information collected by passive attack in past communication sessions, i.e., \( K_{S} = E_{{g^{c} }} (g^{z} ) \), \( g^{x} \), \( g^{y} \), \( g^{yz} \), \( g^{xz} \). However, she cannot do these using them without solving DLP and DHP. Therefore, the proposed protocol provides the property of perfect forward secrecy.

Theorem 2.

The proposed protocol is secure against the Denning-Sacco attack.

Proof.

To be secure against the Denning-Sacco attack, the protocol should be designed such that even though a session key is compromised, M cannot compute the password and confirm the correctness of the guessed password. To analyze this, suppose that M knows a session key K = h(A, B, S, \( K_{AB} \)). Then M tries to compute the password or confirm the correctness of the guessed password from it and the information collected by passive attack in past communication sessions, i.e., \( g^{x} \), \( g^{y} \), \( g^{yz} \), \( g^{xz} \), h(A, B, S, \( K_{AB} \)). However, M cannot do these using them without solving DLP and DHP. Therefore, PAKE is secure against the Denning Sacco attack.

Theorem 3.

The proposed protocol is secure against stolen-verifier attack.

Proof.

The protocol being secure against stolen-verifier attack means an attacker not being able to pose as a client after compromising the server. In the proposed protocol, if M gains password file, M may know two client’s verifiers \( V_{A} \) = \( g^{{{\text{h}}(A, S, pw_{A} )}} \) and \( V_{B} \) = \( g^{{{\text{h}}(A, S, pw_{B} )}} \). However, M cannot pose as the clients because of not knowing \( t_{A} \) = h(A, S, \( pw_{A} \)) and \( t_{B} \) = h(A, S, \( pw_{B} \)) used in step 3. Therefore, the proposed protocol is secure against server compromise.

Theorem 4.

The proposed protocol is secure against man-in-the-middle attack.

Proof.

We analyze if a malicious insider M can succeed in launching man-in-the-middle attack. Suppose that M tries to masquerade A or B. However, S can detect this attack when verifying \( V_{AS} \) = \( E_{{g^{c} }} \)(\( g^{x} \), h(\( g^{xz} \), A, B, S)) and \( V_{BS} \) = \( E_{{g^{c} }} \)(\( g^{y} \), h(\( g^{yz} \), A, B, S)). M cannot compute the valid \( g^{xz} \) or \( g^{yz} \) due to not knowing their correct passwords. Therefore, the improved scheme can resist man-in the-middle attack.

5.2 Efficiency Analysis

Performance of key agreement protocols can be approximated in terms of communication and computation loads. We compare our improved 3PAKE with the protocol of Xu et al. Table 2 shows the comparison regarding with several efficiency factors such as the number of rounds, random numbers, exponentiations, symmetric encryption/decryption, hash functions.

Table 2. The performance comparison
Full size table

As shown in Table 2, for user A and B, our scheme has one more exponentiation operation and one more hash operation than Xu et al.’s scheme, but our scheme has one less symmetric encryption/decryption computations than Xu et al.’s scheme. For server S our scheme has two more exponentiation operations and two more hash operation than Xu et al.’s scheme, but our scheme has three less symmetric encryption/decryption computations than Xu et al.’s scheme. Usually the cost of symmetric encryption/decryption is much larger than the cost of exponentiation operation (160bit) and hash operation. Thus, our protocol has better performance than Xu et al.’s protocol. Moreover, Xu et al.’s protocol is vulnerable to the stolen-verifier attack and our protocol could overcome such weakness. Therefore, our protocol is more suitable for the practical applications.

6 Conclusion

In this paper, we show that Xu et al.’s 3PAKE protocol is vulnerable to the stolen-verifier attack and propose a new 3PAKE protocol to solve this problem. Security and performance analysis show our protocol overcome the weakness in Xu et al.’s protocol and has better performance. One of our future works is to extend our new scheme to multi-server architecture for the distributed systems.