Password-based two-party authenticated key exchange (2PAKE) protocol enables two or more entities, who only share a low-entropy password between them, to authenticate each other and establish a high-entropy secret session key. Recently, Zheng et al. proposed a password-based 2PAKE protocol based on bilinear pairings and claimed that their protocol is secure against the known security attacks. However, in this paper, we indicate that the protocol of Zheng et al. is insecure against the off-line password guessing attack, which is a serious threat to such protocols. Consequently, we show that an attacker who obtained the users' password by applying the off-line password guessing attack can easily obtain the secret session key. In addition, the protocol of Zheng et al. does not provide the forward secrecy of the session key. As a remedy, we also improve the protocol of Zheng et al. and prove the security of our enhanced protocol in the random oracle model. The simulation result shows that the execution time of our 2PAKE protocol is less compared with other existing protocols.
4898 M. S. FARASH, S. H. ISLAM AND M. S. OBAIDAT
known-key secrecy and perfect forward secrecy [23-25]. To deal with the problems, Arshad et al. proposed an authentication scheme [25] based on the elliptic curve cryptography (ECC). But, Tang et al. [26] demonstrated the vulnerability of the scheme of Arshad et al. to the off-line password guessing attack and introduced an improved scheme to overcome the identified weakness.
In 2010, Yoo et al. [27] also proposed an authentication scheme based on the ECC to deal with the problems in the scheme of Tsai et al. [22]. In 2012, Xie [28] pointed out that the scheme of Yoo et al. still suffers from the stolen-verifier and off-line password guessing attacks and proposed an improved scheme. However, Farash and Attari [29] showed that Xie's scheme is also insecure and then they designed an enhanced scheme. In 2013, Zhang et al. [30] proposed a new password-based authenticated protocol, but Tu et al. [31] found out that it is insecure against the impersonation attack. Tu et al. then proposed an improved scheme for session initiation protocol (SIP) using smart card to overcome the security flaws of the protocol of Zhang et al.
In 1999, Seo and Sweeney [32] have designed a password-based 2PAKE protocol, however, Tseng [33] has shown that the replay attack is possible in the scheme [32] and then proposed an improved 2PAKE protocol. In 2000, Ku and Wang [34] analyzed that Tseng's 2PAKE protocol is still vulnerable to a kind of replay attack and then they designed an improved protocol to eliminate the attack found in [34]. In 2003, Chang et al. [35] demonstrated that Ku and Wang's protocol is still defenseless to the modification attacks and then proposed an enhanced 2PAKE protocol. However, in 2010, Cheng et al. [36] pointed out that the protocol of Chang et al. is vulnerable against the replay attack and the off-line password guessing attack. Recently, Zheng et al. [37] proposed a password-based 2PAKE protoc...
SUMMARY: Recently, Zhang et al. proposed a password-based authenticated key agreement for session initiation protocol (Int J Commun Syst 2013, doi:10.1002/dac.2499). They claimed that their protocol is secure against known security attacks. However, in this paper, we indicate that the protocol by Zhang et al. is vulnerable to impersonation attack whereby an active adversary without knowing the user's password is able to introduce himself/herself as the user. In addition, we show that the protocol by Zhang et al. suffers from password changing attack. To overcome the weaknesses, we propose an improved authentication scheme for session initiation protocol. The rigorous analysis shows that our scheme achieves more security than the scheme by Zhang et al.
Authentication schemes have been widely deployed for access control and mobility management in various communication networks. Especially, the schemes that are based on multifactor authentication such as password and smart card come to be more practical. One of the standard authentication schemes that have been widely used for secure communication over the Internet is session initiation protocol (SIP). The original authentication scheme proposed for SIP was vulnerable to some crucial security weaknesses. To overcome the security problems, various improved authentication schemes have been developed, especially based on elliptic curve cryptography (ECC). Very recently, Zhang et al. proposed an improved authentication scheme for SIP based on ECC using smart cards to overcome the security flaws of the related protocols. Zhang et al. claimed that their protocol is secure against all known security attacks. However, this paper indicates that Zhang et al.'s protocol is still insecure against impersonation attack. We show that an active attacker can easily masquerade as a legal server to fool users. As a remedy, we also improve Zhang et al.'s protocol by imposing a little extra computation cost.