
(IJCNS) International Journal of Computer and Network Security, 75
Vol. 2, No. 6, June 2010

Secure Password Authenticated Three Party Key Agreement Protocol

Pritiranjan Bijayasingh (1) and Debasish Jena (2)

(1) Department of Computer Science and Engineering, International Institute of Information Technology, Bhubaneswar 751 013, India, pritiprbs@yahoo.com
(2) Centre for IT Education, Biju Patnaik University of Technology, Orissa, India, jdebasishjena@gmail.com

Abstract: In the past, several key agreement protocols have been proposed on a pre-shared password based mechanism. Due to the development of communication technology, it is necessary to construct a secure end-to-end channel between clients. In this paper, an improved version of the password-authenticated key exchange protocol proposed by J. Kim et al. is presented. The proposed scheme is secure against Denial of Service attack and Denning-Sacco attack, and provides perfect forward secrecy. Hence the proposed scheme is much superior to the previous scheme.

Keywords: Trusted third party, Kerberos, Denial of Service, Key Exchange.

1. Introduction

Secure communication between two users on a computer network is possible using either single key (conventional) encryption or public key encryption. In both systems, key establishment protocols are needed so that the users can acquire keys to establish a secure channel. In single key systems, the users must acquire a shared communication key; in public-key systems, the users must acquire each other's public keys.

In secure communications, one of the most important security services is user authentication. Before the communicating parties start a new connection, their identities should be verified. In the client-server model, password-based authentication is a favorable method for user authentication because of its easy-to-memorize property. As passwords are easy to remember and selected from a small space, a cryptanalyst can mount several attacks against them, such as guessing attacks and dictionary attacks. Based on different cryptographic assumptions, various protocols have been proposed to achieve secure password-authenticated key exchange [7,9-12,19-20] and prevent these ever-present attacks.

In the literature, most password-authenticated key exchange schemes assume that two parties share a common password. The two parties use their shared password to generate a secure common session key and perform key confirmation with regard to the session key. Most of these schemes consider authentication between a client and a server.

In 2002, Byun et al. proposed a new password-authenticated key exchange protocol between two clients with different passwords, which they call the Client-to-Client Password-Authenticated Key Exchange (C2C-PAKE) protocol. In this protocol two clients pre-share their passwords either with a single server (called the single-server setting) or with two servers respectively (called the cross-realm setting). However, in [13] Chen has shown that the C2C-PAKE protocol in the cross-realm setting is not secure against a dictionary attack from a malicious server in a different realm. In 2004, J. Kim et al. showed that the C2C-PAKE protocol is also vulnerable to the Denning-Sacco attack by an insider adversary. They also modified the protocol to overcome the Denning-Sacco insider adversary attack.

In this paper, the weaknesses of the modified C2C-PAKE protocol are presented. Furthermore, a modified protocol, which repairs the problems of the modified C2C-PAKE protocol, is proposed.

The remainder of the paper is organized as follows. In Section 2, a brief overview of the modified C2C-PAKE protocol is given along with its weaknesses. Then the improved version of the modified C2C-PAKE protocol is introduced in Section 3. Next, in Section 4, we briefly discuss the formal security notions of the proposed protocols. The paper concludes with concluding remarks and some directions for future work in Section 5.

2. Review of Modified C2C-PAKE Protocol

In this section, the modified C2C-PAKE protocol in the cross-realm setting is described along with its weaknesses.

2.1 Modified C2C-PAKE Protocol

2.1.1 Computational Assumptions

The scheme is based on numerical assumptions and computational assumptions. Let p, q be sufficiently large primes such that q | p − 1, and let G be a subgroup of Z*_p of order q. During the initialization step, a generator g ∈ G and hash functions (H1, H2, H3, H4, H5) are published. All protocols throughout the paper are based on the discrete logarithm assumption (DLA) and the Diffie-Hellman protocol.

2.1.2 Protocol Description

KDCA and KDCB are key distribution centers which store (Alice's identity ID(A) and password pwa) and (Bob's identity ID(B) and password pwb) respectively. K is a symmetric key shared between KDCA and KDCB.

1. Alice chooses x ∈R Z*_p randomly, computes E_pwa(g^x), and sends E_pwa(g^x), ID(A) and ID(B) to KDCA.

2. KDCA obtains g^x by decrypting E_pwa(g^x). KDCA selects r ∈R Z*_p randomly and makes TicketB = E_K(g^{xr}, g^r, ID(A), ID(B), L), where L is the lifetime of TicketB. Then KDCA sends TicketB, ID(A), ID(B) and L to Alice.

3. Upon receiving the message from KDCA, Alice forwards TicketB to Bob with ID(A).

4. Bob chooses y ∈R Z*_p randomly and computes E_pwb(g^y). Then he sends E_pwb(g^y), ID(A) and ID(B) to KDCB together with TicketB.

5. KDCB obtains g^{xr} and g^r by decrypting TicketB, selects r' ∈R Z*_p randomly and computes g^{xrr'} and g^{rr'}. Next KDCB sends g^{xrr'} and g^{rr'} to Bob.

6. Bob makes cs = H1(g^{xyrr'}) using g^{xrr'} and y. Then Bob chooses a random number a ∈R Z*_p and computes E_cs(g^a) and g^{rr'y}. Finally, Bob sends E_cs(g^a) and g^{rr'y} to Alice.

7. Alice can also compute cs using g^{rr'y} and x. Next, Alice selects b ∈R Z*_p randomly and computes the session key sk = H2(g^{ab}) and E_cs(g^b). Finally she sends E_sk(g^a) and E_cs(g^b) for session key confirmation.

8. After receiving E_sk(g^a) and E_cs(g^b), Bob gets g^b by decrypting E_cs(g^b) with cs and computes sk from g^b and a. Bob verifies g^a by decrypting E_sk(g^a) with sk. Bob sends E_sk(g^b) to Alice to confirm the session key.

9. Alice verifies g^b by decrypting E_sk(g^b) with sk.

2.2 Cryptanalysis of Modified C2C-PAKE Protocol

Let an outside attacker with knowledge of the whole cross-realm architecture come in between client A and KDCA. In the first message transfer from A to KDCA, he may snoop the message and replace IDB with some other ID, say IDC, which is a legitimate client in the other realm. Upon receiving the message from A, KDCA makes TicketC = E_K(g^{xr}, g^r, IDA, IDC, L), which is not the intended ticket for client B. When KDCA sends the message to A in step 2, the attacker can again change IDC back to IDB. Hence, A does not know what happened in between, as she cannot decrypt the ticket.

In the same way the attacker may snoop the message in step 4 and modify IDB to IDC. After decrypting the ticket, KDCB assumes that client A wants to communicate with client C, as it receives the same IDC from both the message and the ticket. It may discard E_pwb(g^y) as a redundant message, because it cannot discard TicketC, which is issued by KDCA. In step 5 KDCB sends the message to client C and the rest of the steps are executed normally. In this way, client A establishes the intended session key with client C and not with the actual client B. In the modified C2C-PAKE protocol there is no verifiable message by which both A and B can verify their identities after step 4. In this way, the attacker may trap client C and communicate with client A pretending to be client B. This causes an identity mis-binding attack.

In step 2, the attacker may modify the lifetime L of the ticket to a higher value than the value specified by KDCA. But KDCB obtains the actual value of L. As client A has a high L value, she may request KDCB for service within the extended time period. But KDCB is unable to provide the service after the actual lifetime L. This causes a Denial of Service (DoS) attack.

3. Proposed Protocol

In our proposed protocol every host is registered with the TTP with a different password. The hosts and the TTP agree upon a family of commutative one-way hash functions which is used for host authentication. One-way hashes of the passwords are stored instead of the plaintext version of the passwords. A one-way function is a function F such that for each x in the domain of F it is easy to compute y = F(x), but given F(x) it is computationally infeasible to find any such x.

3.1 Notations

The following notations are used in this paper.

Alice, Bob      Honest hosts
TTP             Trusted Third Party
IDA, IDB        Identities of Alice and Bob
pwa, pwb        Passwords of Alice and Bob
E_K(X)          Encryption of plaintext X using key K
D_K(X)          Decryption of X using key K
SK              Session key between A and B
H(pwa)          One-way hash of the password of A
g               Generator of the cyclic group
p, q            Large prime numbers
A → B : M       A sends message "M" to B
TicketB         Kerberos ticket issued to A for service from B
sgn_A( . )      Signature generated using the private key of A
K               Shared secret key between TTP1 and TTP2

3.2 Proposed Protocol

Here we describe the steps involved in the protocol in detail. g, p and q are global parameters shared by the protocol participants.

3.2.1 Single-Server Setting

Alice and Bob choose passwords pwa and pwb respectively and then transfer them to the TTP through a secure channel. The TTP stores (IDA, H(pwa)) and (IDB, H(pwb)) in its database. The following shows the steps:

i. Alice randomly chooses a number r and computes g^r (mod p). The computed value is encrypted using H(pwa) along with the IDs of the participating hosts. Alice then sends the calculated values to the server.
   A → T : H(pwa)[IDA, IDB, g^r (mod p)]

ii. Server T then decrypts the received packet using the H(pwa) of host A stored in its database to recover g^r (mod p). Then the server randomly chooses a number t, computes g^{rt} (mod p) and encrypts the computed value concatenated with the IDs of the two communicating entities using the H(pwb) stored in its database. Then the computed value is sent to Bob by the server.
   T → B : H(pwb)[IDA, IDB, g^{rt} (mod p)]

iii. After receiving the packet, Bob decrypts it using H(pwb) to get g^{rt} (mod p). He chooses a random number s and computes an ephemeral key Ke as Ke = g^{rts} (mod p). Then he computes g^s (mod p), concatenates it with IDA, encrypts the resulting value using H(pwb) and sends it to the server T.
   B → T : H(pwb)[IDB, g^s (mod p)]

iv. After receiving the packet, the server decrypts it using H(pwb) to recover g^s (mod p). Then it computes g^{st} (mod p), encrypts it using H(pwa) and sends it to Alice.
   T → A : H(pwa)[g^{st} (mod p)]

v. Alice decrypts the received packet using H(pwa) to get g^{st} (mod p). Then she calculates the ephemeral key Ke as Ke = g^{str} (mod p). Alice chooses a random number a, computes RA = g^a (mod p), encrypts RA using the ephemeral key Ke and sends it to Bob along with her own ID.
   A → B : IDA, E_Ke(RA)

vi. Bob recovers RA by decrypting the received packet using the ephemeral key Ke. He randomly chooses a number b as his private key, computes RB = g^b (mod p) and encrypts RB using the ephemeral key Ke. Then he calculates the session key SK as SK = (RA)^b (mod p) = g^{ab} (mod p). Bob concatenates RA, RB and Alice's ID and creates a signature of the result using his private key b, to be verified by Alice. The signature is encrypted using the session key SK and sent to Alice along with the encrypted value of RB.
   B → A : E_Ke(RB), E_SK(sgn_B(IDA, RA, RB))

vii. Alice finds RB after decrypting with Ke. She computes the session key SK = (RB)^a (mod p) = g^{ba} (mod p). After calculating the session key, Alice verifies Bob's signature. If the signature is verified, Alice concatenates Bob's ID, RA and RB. Then she signs the result with her own private key, encrypts the signature with the session key SK and sends it to Bob.
   A → B : E_SK(sgn_A(IDB, RA, RB))

viii. If Bob verifies Alice's signature correctly, then he is assured that the same session key SK is held by both of them.

3.2.2 Dual-Server Setting

Alice and Bob choose their distinct passwords pwa and pwb and register themselves with TTP1 and TTP2 respectively, using their passwords, through a secure channel. TTP1 and TTP2 store (IDA, H(pwa)) and (IDB, H(pwb)) respectively in their own databases. We assume that TTP1 and TTP2 share a secret key K. The steps involved are described below:

i. A randomly chooses r and computes g^r (mod p). Then she encrypts the computed value concatenated with the IDs of the participating hosts using H(pwa) and sends the calculated value to TTP1.
   A → TTP1 : H(pwa)[IDA, IDB, g^r (mod p)]

ii. TTP1 obtains g^r (mod p) after decrypting the received packet with the H(pwa) of host A stored in its database. Then TTP1 randomly chooses a number t and computes g^{rt} (mod p) and g^t (mod p). It prepares TicketB = E_K(g^{rt} (mod p), g^t (mod p), IDA, IDB, L). It concatenates the IDs of the hosts with L and encrypts the resulting value with H(pwa). TTP1 sends TicketB to A along with the encrypted values of IDA, IDB and L. L is the lifetime of TicketB.
   TTP1 → A : H(pwa)[IDA, IDB, L], TicketB
   TicketB = E_K[g^{rt} (mod p), g^t (mod p), IDA, IDB, L]

iii. After receiving the message, A forwards IDA and TicketB to TTP2.
   A → TTP2 : IDA, TicketB

iv. Upon receiving the message, TTP2 decrypts TicketB using the shared key K to recover g^{rt} (mod p) and g^t (mod p). It selects a random number t' and computes g^{rtt'} (mod p) and g^{tt'} (mod p). Next, TTP2 concatenates the computed values with the IDs of both hosts, encrypts the resulting value using H(pwb) and sends it to B.
   TTP2 → B : H(pwb)[IDA, IDB, g^{rtt'} (mod p), g^{tt'} (mod p)]

v. B obtains g^{rtt'} (mod p) and g^{tt'} (mod p) after decrypting the message. He chooses a random s and finds the ephemeral key Ke = g^{rtt's} (mod p). He also randomly selects his private key b and calculates his public key RB = g^b (mod p). Next, RB concatenated with the IDs of the hosts is encrypted using the ephemeral key Ke. Then he sends this encrypted value and g^{tt's} (mod p) to A.
   B → A : g^{tt's} (mod p), E_Ke(IDA, IDB, RB)

vi. After receiving the message, A finds the ephemeral key Ke using r and g^{tt's} (mod p). She also recovers RB from the message and chooses her private key a and the corresponding public key RA = g^a (mod p). She computes the session key SK = (RB)^a (mod p) = g^{ba} (mod p). A concatenates RA, RB and IDB and creates a signature of the result using her private key a. The signature is encrypted using the session key SK and sent to B along with the encrypted value of RA.
   A → B : E_Ke(RA), E_SK(sgn_A(IDB, RA, RB))

vii. Upon receiving the message, B obtains RA by decrypting the message, computes the intended session key SK = (RA)^b (mod p) = g^{ab} (mod p), and verifies A's signature. If the signature is verified, B creates a signature in exactly the same way as A and encrypts it using the session key SK. Then he sends the encrypted signature to A.
   B → A : E_SK(sgn_B(IDA, RA, RB))

viii. Finally, A verifies the signature and, if it is verified, is assured that both hosts have the same session key SK.

4. Security Analysis of Proposed Protocol

In this section, the security of the proposed protocols is analysed. Our proposed protocols are secure against the types of attacks considered in [13,14], including identity mis-binding attack and Denial of Service attack.

4.1 Identity Mis-binding Attack

Unlike the modified C2C-PAKE protocol, in the proposed protocol the IDs of the communicating entities are encrypted using the one-way hash value of the passwords. So the adversary cannot change any of the IDs of the hosts. As a result, the proposed protocols are secure against the identity mis-binding attack.

4.2 Denial of Service Attack

In the dual-server setting of the proposed protocol, the lifetime L of the ticket issued by TTP1 is encrypted using the key K in TicketB as well as using H(pwa) for transmission to entity A. Hence, the value of L remains the same at A and TTP2 as specified by TTP1. As a result, the proposed protocol averts the Denial of Service attack.

4.3 Perfect Forward Secrecy

An adversary with pwa (or pwb) can easily compute g^r by decrypting H(pwa)[g^r]. But these values do not help to compute Ke or SK of old sessions, because session key generation is based on the Diffie-Hellman problem. Therefore the proposed protocol provides perfect forward secrecy.

4.4 Denning-Sacco Attack

Now we show that our protocol is secure against the Denning-Sacco attack. Like the original C2C-PAKE protocol, we also classify an adversary into two types: an insider adversary and an outsider adversary.

4.4.1 Outsider Adversary

An outsider adversary with the session keys Ke and SK can compute g^a, g^b and all conversations in the protocol. But he cannot verify a candidate password pwa' (or pwb') of pwa (or pwb), since he cannot get r (or s), which is a random secret value of A (or B).

4.4.2 Insider Adversary with pwa

We show that such an adversary cannot mount a dictionary attack on pwb. To verify a candidate password pwb' of pwb, he must get g^s. Since the value of s is a random number of B, he cannot compute a valid g^s.

4.4.3 Insider Adversary with pwb

Similarly to the case of the insider adversary with pwa, he must get g^r to verify a candidate password pwa' of pwa. Since the value of r is a random number of A, he cannot compute a valid g^r.

4.5 Dictionary Attack

In case of compromise of pwa or pwb, an adversary can mount a dictionary attack if he gets g^r or g^s. However, he cannot mount a dictionary attack, as analysed for the Denning-Sacco attack.

4.6 On-line Guessing Attack, Man-in-the-Middle Attack and Replay Attack

The analysis is the same as for the original C2C-PAKE protocol with regard to the on-line guessing attack, man-in-the-middle attack and replay attack.

4.7 Chen's Attack

Regarding Chen's attack, there is no verifiable ciphertext based on a password in TicketB. So it is secure against the dictionary attack by a malicious TTP2.

5. Conclusion

From the security analysis, we conclude that the proposed protocol meets all the security requirements defined in [13]. Furthermore, the protocol is secure against a dictionary attack from a malicious server in a different realm.

References

[1] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
[2] B. Schneier, Applied Cryptography: Protocols and Algorithms, John Wiley and Sons, 1994.

[3] W. Stallings, Cryptography and Network Security, 3rd Edition, Pearson Education, 2004.
[4] B. A. Forouzan, Cryptography and Network Security, Tata McGraw Hill, Special Indian Edition, 2007.
[5] W. Diffie and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, IT-11, pp. 644–654, November 1976.
[6] Y. Her-Tyan and S. Hung-Min, "Simple Authenticated Key Agreement Protocol Resistant to Password Guessing Attacks", ACM SIGOPS Operating Systems Review, vol. 36, no. 4, pp. 14–22, October 2002.
[7] M. Steiner, G. Tsudik and M. Waidner, "Refinement and Extension of Encrypted Key Exchange", ACM Operating Systems Review, vol. 29, no. 3, pp. 22–30, 1995.
[8] Y. Ding and P. Horster, "Undetectable On-Line Password Guessing Attacks", ACM Operating Systems Review, vol. 29, no. 4, pp. 77–86, October 1995.
[9] C. L. Lin, H. M. Sun and T. Hwang, "Three-Party Encrypted Key Exchange: Attacks and a Solution", ACM Operating Systems Review, vol. 34, no. 4, pp. 12–20, October 2000.
[10] M. Bellare, D. Pointcheval and P. Rogaway, "Authenticated key exchange secure against dictionary attacks", in Eurocrypt 2000, LNCS 1807, pp. 139–155, Springer-Verlag, 2000.
[11] E. Bresson, O. Chevassut and D. Pointcheval, "New security results on encrypted key exchange", in PKC 2004, LNCS 2947, pp. 145–158, Springer-Verlag, Mar. 2004.
[12] V. Boyko, P. MacKenzie and S. Patel, "Provably secure password-authenticated key exchange using Diffie-Hellman", in Eurocrypt 2000, LNCS 1807, pp. 156–171, Springer-Verlag, May 2000.
[13] J. W. Byun, I. R. Jeong, D. H. Lee and C. S. Park, "Password-authenticated key exchange between clients with different passwords", in ICICS'02, LNCS 2513, pp. 134–146, Springer-Verlag, Dec. 2002.
[14] L. Chen, "A Weakness of the Password-Authenticated Key Agreement between Clients with Different Passwords Scheme". Document circulated for consideration at the 27th SC27/WG2 meeting, Paris, France, 2003-10-20/24, 2003.
[15] J. Kim, S. Kim, J. Kwak and D. Won, "Cryptanalysis and improvement of password authenticated key exchange scheme between clients with different passwords", in ICCSA'04, LNCS 3043, pp. 895–902, Springer-Verlag, May 2004.
[16] D. Denning and G. Sacco, "Timestamps in key distribution protocols", Communications of the ACM, vol. 24, no. 8, pp. 533–536, 1981.
[17] O. Goldreich and Y. Lindell, "Session-key generation using human memorable passwords only", in Crypto 2001, LNCS 2139, pp. 408–432, Springer-Verlag, Aug. 2001.
[18] J. Katz, R. Ostrovsky and M. Yung, "Efficient password-authenticated key exchange using human-memorable passwords", in Eurocrypt 2001, LNCS 2045, pp. 475–494, Springer-Verlag, May 2001.
[19] S. Jiang and G. Gong, "Password-based key exchange with mutual authentication", in SAC 2004, LNCS 3006, pp. 291–306, Springer-Verlag, 2004.
[20] S. Kulkarni, D. Jena and S. K. Jena, "A novel secure key agreement protocol using trusted third party", International Journal of Computer Science and Security, vol. 1, issue 1, pp. 11–18, 2007.

Authors Profile

Pritiranjan Bijayasingh received the B.E. degree in Computer Science and Engineering from Balasore College of Engineering and Technology in 2005. He has been a Lecturer at Balasore College of Engineering and Technology since 26.08.2005. Now he is pursuing his M.Tech degree at International Institute of Information Technology-Bhubaneswar, Orissa, India. His research area of interest is Information Security.

Debasish Jena was born on 18th December 1968. He received his B.Tech degree in Computer Science and Engineering, his Management degree and his M.Tech degree in 1991, 1997 and 2002 respectively. He has been an Assistant Professor at the Centre for IT Education since 01.02.2006. He submitted his thesis for Ph.D. at NIT, Rourkela on 5th April 2010. In addition to his responsibility, he was also IT Consultant to Health Society, Govt. of Orissa for a period of 2 years from 2004 to 2006. His research areas of interest are Information Security, Web Engineering, Bio-Informatics and Database Engineering.

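Added worked example, not part of the paper: the single-server protocol of Section 3.2.1 (steps i to viii) run end to end, with Alice, the server T and Bob simulated in one process so that the two derived session keys and the signature checks can be compared. Everything the paper leaves open is an assumption here: a toy group p = 1019, q = 509, g = 4; H(pw)[...] and E_K(...) realised as an unauthenticated SHAKE-keystream XOR over a JSON list; sgn_A and sgn_B as Schnorr signatures under the Diffie-Hellman private keys a and b with RA and RB as verification keys; T learning the sender's ID out of band; and Bob checking that the decrypted IDB is his own (the check behind the identity mis-binding argument of Section 4.1).

```python
import hashlib
import json
import secrets
# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p, q prime, and g = 4 generates the order-q subgroup of Z*_p.
p, q, g = 1019, 509, 4

def rnd():  # random exponent in [1, q-1] (the r, t, s, a, b of the paper)
    return secrets.randbelow(q - 1) + 1

def H(pw):  # one-way hash of a password; T stores H(pw), never pw itself
    return hashlib.sha256(pw.encode()).digest()

def kdf(n):  # turn a group element (Ke or SK) into a symmetric key
    return hashlib.sha256(str(n).encode()).digest()

def enc(key, fields):  # K[fields]: stand-in for the paper's encryption (toy XOR stream, unauthenticated)
    pt = json.dumps(fields).encode()
    return bytes(x ^ y for x, y in zip(pt, hashlib.shake_256(key).digest(len(pt))))

def dec(key, ct):  # inverse of enc; a wrong key gives garbage, which fails to parse (ValueError)
    out = json.loads(bytes(x ^ y for x, y in zip(ct, hashlib.shake_256(key).digest(len(ct)))))
    if not isinstance(out, list):
        raise ValueError("decryption failed")
    return out

def _chal(R, msg):  # Schnorr challenge e = H(R || msg) mod q
    return int.from_bytes(hashlib.sha256((str(R) + json.dumps(msg)).encode()).digest(), "big") % q

def sign(x, msg):  # sgn_X(msg): Schnorr signature under the DH private key x (assumed scheme)
    k = rnd()
    e = _chal(pow(g, k, p), msg)
    return [e, (k - x * e) % q]

def verify(y, msg, sig):  # check against the public key y = g^x mod p (RA or RB)
    e, s = sig
    return e == _chal(pow(g, s, p) * pow(y, e, p) % p, msg)

def single_server_run(pwa, pwb, db, ida="Alice", idb="Bob"):
    """Steps i-viii of Section 3.2.1 with A, T and B simulated in-process.
    db maps ID -> H(pw) as held by T; T is assumed to know the sender's ID."""
    r, a = rnd(), rnd()
    m1 = enc(H(pwa), [ida, idb, pow(g, r, p)])                  # i.   A -> T
    _, peer, gr = dec(db[ida], m1)
    t = rnd()
    m2 = enc(db[peer], [ida, idb, pow(gr, t, p)])               # ii.  T -> B
    ida_b, idb_b, grt = dec(H(pwb), m2)
    if idb_b != idb:                                            # B checks the binding (added check)
        raise ValueError("message not addressed to B")
    s, b = rnd(), rnd()
    ke_b = pow(grt, s, p)                                       # Ke = g^{rts}
    m3 = enc(H(pwb), [idb, pow(g, s, p)])                       # iii. B -> T
    _, gs = dec(db[idb], m3)
    m4 = enc(db[ida], [pow(gs, t, p)])                          # iv.  T -> A
    (gst,) = dec(H(pwa), m4)
    ke_a = pow(gst, r, p)                                       # Ke = g^{str}
    RA = pow(g, a, p)
    m5 = enc(kdf(ke_a), [RA])                                   # v.   A -> B (IDA sent in clear)
    (RA_b,) = dec(kdf(ke_b), m5)
    RB, sk_b = pow(g, b, p), pow(RA_b, b, p)                    # SK = RA^b = g^{ab}
    m6 = (enc(kdf(ke_b), [RB]),                                 # vi.  B -> A
          enc(kdf(sk_b), sign(b, [ida_b, RA_b, RB])))
    (RB_a,) = dec(kdf(ke_a), m6[0])
    sk_a = pow(RB_a, a, p)                                      # SK = RB^a = g^{ba}
    if not verify(RB_a, [ida, RA, RB_a], dec(kdf(sk_a), m6[1])):
        raise ValueError("Bob's signature did not verify")
    m7 = enc(kdf(sk_a), sign(a, [idb, RA, RB_a]))               # vii. A -> B
    ok = verify(RA_b, [idb, RA_b, RB], dec(kdf(sk_b), m7))      # viii.
    return sk_a, sk_b, ok
```

A run with the registered passwords returns equal session keys and a verified signature, while a wrong password makes the corresponding decryption fail at T, so no key is ever agreed; the dual-server setting of Section 3.2.2 differs only in how Ke is built through TicketB and is not reproduced here.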