The Scientific World Journal (Jan 2014)

Password-Only Authenticated Three-Party Key Exchange with Provable Security in the Standard Model

  • Junghyun Nam,
  • Kim-Kwang Raymond Choo,
  • Junghwan Kim,
  • Hyun-Kyu Kang,
  • Jinsoo Kim,
  • Juryon Paik,
  • Dongho Won

DOI
https://doi.org/10.1155/2014/825072
Journal volume & issue
Vol. 2014

Abstract

Read online

Protocols for password-only authenticated key exchange (PAKE) in the three-party setting allow two clients registered with the same authentication server to derive a common secret key from their individual password shared with the server. Existing three-party PAKE protocols were proven secure under the assumption of the existence of random oracles or in a model that does not consider insider attacks. Therefore, these protocols may turn out to be insecure when the random oracle is instantiated with a particular hash function or an insider attack is mounted against the partner client. The contribution of this paper is to present the first three-party PAKE protocol whose security is proven without any idealized assumptions in a model that captures insider attacks. The proof model we use is a variant of the indistinguishability-based model of Bellare, Pointcheval, and Rogaway (2000), which is one of the most widely accepted models for security analysis of password-based key exchange protocols. We demonstrated that our protocol achieves not only the typical indistinguishability-based security of session keys but also the password security against undetectable online dictionary attacks.