An Offline Dictionary Attack against Abdalla and Pointcheval's Key Exchange in the Password-Only Three-Party Setting

Junghyun NAM  Kim-Kwang Raymond CHOO  Juryon PAIK  Dongho WON  

IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E98-A   No.1   pp.424-427
Publication Date: 2015/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.E98.A.424
Type of Manuscript: LETTER
Category: Cryptography and Information Security
security,  three-party key exchange,  password-only authenticated key exchange (PAKE),  dictionary attack,  insider attack,  

Full Text: PDF(227KB)
>>Buy this Article

Although password-only authenticated key exchange (PAKE) in the three-party setting has been widely studied in recent years, it remains a challenging area of research. A key challenge in designing three-party PAKE protocols is to prevent insider dictionary attacks, as evidenced by the flaws discovered in many published protocols. In this letter, we revisit Abdalla and Pointcheval's three-party PAKE protocol from FC 2005 and demonstrate that this protocol, named 3PAKE, is vulnerable to a previously unpublished insider offline dictionary attack. Our attack is dependant on the composition of 3PAKE and the higher-level protocol that uses the established session key.