A generates a random number $x \in Z_P$, and calculates $H_2(ID_A)$ and $X = (g^x \| H(g^x, ID_A)) \cdot M^{H_2(PW_1)}$. Next A sends $H_2(ID_A) \| X$ to B as a communication request.
Step 2: $B \rightarrow S: H_2(ID_A) \| X \| H_2(ID_B) \| Y$
ISSN: 2089-3299
IJINS Vol. 1, No. 1, April 2012 : 38 40
Similarly, B generates a random number $y \in Z_P$, and calculates $H_2(ID_B)$ and $Y = (g^y \| H(g^y, ID_B)) \cdot N^{H_2(PW_2)}$. Then B sends $H_2(ID_A) \| X \| H_2(ID_B) \| Y$ to the trusted server S.
Step 3: $S \rightarrow B: X' \| Y'$
S calculates $(g^x \| H(g^x, ID_A)) = X / M^{H_2(PW_1)}$ and verifies if $H(g^x, ID_A)$ holds or not. If it holds then S selects a random number $z \in Z_P$, and finds $g^{xz} = (g^x)^z$. Similarly, S also calculates $(g^y \| H(g^y, ID_B)) = Y / N^{H_2(PW_2)}$ and verifies if $H(g^y, ID_B)$ holds or not. If it holds then S finds $g^{yz} = (g^y)^z$,
$X' = g^{yz} \cdot H(H_2(ID_A), H_2(ID_B), ID_s, H(PW_1), g^{x H(ID_A)})$
and
$Y' = g^{xz} \cdot H(H_2(ID_B), H_2(ID_A), ID_s, H(PW_2), g^{y H(ID_B)})$.
Step 4: $B \rightarrow A: X' \| \alpha$
Upon receiving $X'$ and $Y'$, B utilizes its identity $ID_B$ and password $PW_2$ to retrieve $g^{xz} = Y' / H(H_2(ID_B), H_2(ID_A), ID_s, H(PW_2), g^{y H(ID_B)})$. After that, B computes $g^{xyz} = (g^{xz})^y$ and $\alpha = H(H_2(ID_A), H_2(ID_B), g^{xyz})$.
[Figure 1: message flow of the protocol between A, B and the trusted server S]
Fig 1. Lo Yeh Chiang protocol
A Password attack on S-3 PAKE Protocol (Shirisha)
Step 5: $A \rightarrow B: \beta$
Upon receiving $X' \| \alpha$, A utilizes its identity $ID_A$ and password $PW_1$ to retrieve $g^{yz} = X' / H(H_2(ID_A), H_2(ID_B), ID_s, H(PW_1), g^{x H(ID_A)})$. After that, A computes $g^{xyz} = (g^{yz})^x$ and verifies $\alpha = H(H_2(ID_A), H_2(ID_B), g^{xyz})$; if the received $\alpha$ is equal to the computed $\alpha$, then B is authenticated by A.
Now, A calculates $\beta = H(H_2(ID_B), H_2(ID_A), g^{xyz})$ and sends $\beta$ to B.
Now B calculates $\beta = H(H_2(ID_B), H_2(ID_A), g^{xyz})$; if the received $\beta$ is equal to the calculated $\beta$, then A is authenticated by B. Finally A and B find the key $SK_A = SK_B = H'(H_2(ID_A), H_2(ID_B), g^{xyz})$.
Fig 1 shows the Lo et al. protocol.
3. Undetectable online attack on Lo et al protocol
In this section, we demonstrate an undetectable online attack on the Lo et al. protocol.
If $ID_A$ is exposed (since identities of clients are not generally secret), B can mount an undetectable online password guessing attack on the Lo et al. protocol.
Step 1: $A \rightarrow B: H_2(ID_A) \| X$
A generates a random number $x \in Z_P$, and calculates $H_2(ID_A)$ and $X = (g^x \| H(g^x, ID_A)) \cdot M^{H_2(PW_1)}$. Next A sends $H_2(ID_A) \| X$ to B as a communication request.
Step 2: B guesses a password $PW_1^*$ and finds $M^{H_2(PW_1^*)}$
Step 3: Now, B calculates $X / M^{H_2(PW_1^*)} \sim g^{x^*}$ [X is sent by A to B]
Step 4: Calculate $H(g^{x^*}, ID_A)$
Step 5: Let $g^{x^*} = g^y$, now B finds $Y = (g^y \| H(g^y, ID_B)) \cdot N^{H_2(PW_2)}$
Step 6: B sends $H_2(ID_A) \| X \| H_2(ID_B) \| Y$ to S
Step 7: S calculates $(g^x \| H(g^x, ID_A)) = X / M^{H_2(PW_1)}$ and verifies if $H(g^x, ID_A)$ holds or not. If it holds then S selects a random number $z \in Z_P$, and finds $g^{xz} = (g^x)^z$.
Similarly, S also calculates $(g^y \| H(g^y, ID_B)) = Y / N^{H_2(PW_2)}$ and verifies if $H(g^y, ID_B)$ holds or not. If it holds then S finds $g^{yz} = (g^y)^z$,
$X' = g^{yz} \cdot H(H_2(ID_A), H_2(ID_B), ID_s, H(PW_1), g^{x H(ID_A)})$
and
$Y' = g^{xz} \cdot H(H_2(ID_B), H_2(ID_A), ID_s, H(PW_2), g^{y H(ID_B)})$
and sends $X', Y'$ to B.
Step 8: B finds
$g^{xz} = Y' / H(H_2(ID_B), H_2(ID_A), ID_s, H(PW_2), g^{y H(ID_B)})$
and
$g^{yz} = X' / H(H_2(ID_A), H_2(ID_B), ID_s, H(PW_1^*), g^{x^* H(ID_A)})$.
If $g^{xz} = g^{yz}$, then the guessed password $PW_1^*$ is correct.
Else, guess one more password and repeat step 2-step 6 and step 8.
Figure 2 shows the undetectable online password guessing attack on the Lo et al. protocol.
[Figure 2: message flow of the attack between A, B and the trusted server S]
Fig 2. Undetectable online password guessing attack on Lo Yeh Chiang protocol
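The guess check of Section 3 as a toy model, added here as an illustration and not taken from the paper: it shows that S accepts the run whether or not B's candidate password is right, which is what makes the guessing undetectable. The moduli `p` and `Q`, the packing of `||` into one integer, the SHA-256 stand-in for $H$, $H_2$ and the masking hash, and all identities and passwords are assumptions.

```python
import hashlib, secrets

# Toy parameters (assumptions): p carries g^x, the larger prime Q carries the blinded X and Y.
p, Q, g = 2**127 - 1, 2**521 - 1, 3
M, N = 5, 7
ID_A, ID_B, ID_S = "alice", "bob", "server"

def H(*parts):
    """One SHA-256 stand-in for H, H_2 and H'; returns a nonzero 64-bit integer."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(d[:8], "big") | 1

def blind(gu, ident, pw, base):
    """(g^u || H(g^u, ID)) * base^{H_2(PW)}, with '||' packed as gu * 2^64 + tag."""
    return ((gu << 64) | H(gu, ident)) * pow(base, H("H2", pw), Q) % Q

def unblind(V, pw, base):
    v = V * pow(base, -H("H2", pw), Q) % Q
    return (v >> 64) % p, v & (2**64 - 1)      # (candidate g^u, candidate tag)

def mask(id_u, id_v, pw, gu):
    """H(H_2(ID_u), H_2(ID_v), ID_s, H(PW), g^{u H(ID_u)}), the value hiding g^{yz} or g^{xz}."""
    return H(H("H2", id_u), H("H2", id_v), ID_S, H(pw), pow(gu, H(id_u), p))

def server(X, Y, db):
    """S's step: verify both tags, then answer (X', Y'). None is the only failure S can observe."""
    (gx, ta), (gy, tb) = unblind(X, db[ID_A], M), unblind(Y, db[ID_B], N)
    if ta != H(gx, ID_A) or tb != H(gy, ID_B):
        return None
    z = secrets.randbelow(p - 2) + 1
    return (pow(gy, z, p) * mask(ID_A, ID_B, db[ID_A], gx) % p,
            pow(gx, z, p) * mask(ID_B, ID_A, db[ID_B], gy) % p)

def check_guess(X, guess, pw_b, db):
    """Steps 2-8 for one candidate PW_1*; returns (S accepted the run, guess confirmed)."""
    gx_star, _ = unblind(X, guess, M)                      # Steps 2-3
    reply = server(X, blind(gx_star, ID_B, pw_b, N), db)   # Steps 5-7, with g^y set to g^{x*}
    if reply is None:
        return False, False
    X1, Y1 = reply
    gxz = Y1 * pow(mask(ID_B, ID_A, pw_b, gx_star), -1, p) % p
    gyz = X1 * pow(mask(ID_A, ID_B, guess, gx_star), -1, p) % p
    return True, gxz == gyz                                # Step 8

db = {ID_A: "tulip42", ID_B: "b-secret"}                   # constructed passwords held by S
X = blind(pow(g, secrets.randbelow(p - 2) + 1, p), ID_A, db[ID_A], M)   # A's Step 1 message
```

Because both tag checks pass in every run, a failed-verification counter at S never increments; any defence has to make a wrong guess visible to S.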
4. Conclusion
Lo et al. proposed a security-enhanced S-3 PAKE protocol. However, this paper has shown that their protocol suffers from an undetectable online password guessing attack.
References:
[1] Ding Y, Horster P., Undetectable on-line password guessing attacks, ACM Operat Syst Rev, vol. 29, no. 4, pp. 77-86, 1995.
[2] R. Lu, Z. Cao, Simple three-party key exchange protocol, Computers and Security, vol. 26, pp. 94-97, 2007.
[3] H. Chung, W. Ku, Three Weaknesses in a simple three-party key exchange protocol, Information Sciences, vol. 178, pp. 220-229, 2008.
[4] N.W. Lo, Kuo-Hui Yeh and Meng-Chih Chiang, Cryptanalysis of a Simple Three-Party Key Exchange Protocol, Joint Workshop on Information Security, http://jwis2009.nsysu.edu.tw/location/paper/Cryptanalysis%20of%20a%20Simple%20Three-party%20Key%20Exchange%20Protocol.pdf, 2009