Computer Standards & Interfaces 27 (2005) 313 – 322 www.elsevier.com/locate/csi

An efficient password authenticated key exchange protocol for imbalanced wireless networks

Ya-Fen Chang, Chin-Chen Chang*, Jen-Ho Yang
Department of Computer Science and Information Engineering, Chung Cheng University, 160 San-Hsing, Min-Hsiung, Chiayi 621, Taiwan, R.O.C.

Received 26 April 2004; received in revised form 30 July 2004; accepted 21 August 2004. Available online 11 September 2004.

Abstract

Recently, Zhu et al. proposed a password authenticated key exchange protocol based on RSA. Yeh et al. then showed that Zhu et al.'s protocol suffers from undetectable on-line password-guessing attacks and proposed an improved version. However, Yeh et al.'s protocol still has security flaws, and the computation load on the wireless device is not light enough. To lighten that load, a secure and practical protocol is presented in this paper.

© 2004 Elsevier B.V. All rights reserved.

Keywords: Password; Password-guessing attacks; Authenticated key exchange; Wireless networks

1. Introduction

With the rapid growth of information science, both wired and wireless networks have developed considerably, and more and more people use wireless devices to communicate. Transmitting information through the air may cause security damage, since the air is a public medium, so communicating securely over an insecure channel has become an important issue. As a result, security services for user authentication and secret key distribution have come into being for communication networks. Many authentication methods have been proposed for electronic commerce environments, Kerberos [1] for example. Among them, the password authentication scheme is the most commonly used mechanism. In a password authentication scheme, a client shares an easy-to-remember password with a trusted server. The concept is also applied in other settings [2–4]. However, protocols with easy-to-remember passwords are vulnerable to password-guessing attacks. In Ref. [5], Ding and Horster divided password-guessing attacks into three types: (1) detectable on-line password-guessing attacks, (2) undetectable on-line password-guessing attacks and (3) off-line password-guessing attacks. Only the legitimate user and the server know the user's password. If a malicious user Eve wants to guess the user's password with an on-line password-guessing attack, she must send a request to the server and wait for the response to determine whether the guessed password is valid. For off-line password-guessing attacks, transmitting too much meaningful information, such as the identity of a party, is dangerous: such redundancy lets an attacker check guesses against recorded messages without contacting the server.

In 1992, Bellovin and Merritt [2] presented the encrypted key exchange protocol (EKE), the landmark of two-party authenticated key exchange, and many other key exchange protocols followed [6,7]. Most of these schemes are based on the Diffie-Hellman key exchange protocol [8]. However, the limitations of a low-power device make these schemes unsuitable for imbalanced wireless networks, because modular exponentiations must be executed by both parties and take a low-power device a long time. Recently, Zhu et al. [9] proposed a password authenticated key exchange protocol based on RSA [10] and claimed that it is efficient enough to be implemented on low-power devices. Later, Yeh et al. [11] showed that Zhu et al.'s protocol does not ensure explicit key authentication, so that it suffers from undetectable on-line password-guessing attacks, and presented an improvement to overcome this weakness. Yeh et al.'s protocol still employs the RSA public key cryptosystem: the client encrypts the secret information so that only the holder of the correct private key can recover it. Nevertheless, no certificate is used to prove the legitimacy of the received public key; only a simple interactive protocol is used to prove that the RSA public key pair is valid. This results in serious security flaws in Yeh et al.'s protocol: any malicious user can impersonate the server to obtain the information needed to perform off-line password-guessing attacks. On the other hand, the computation load on the low-power device is still not light enough. Because of these drawbacks, we propose a password authenticated key exchange protocol that is both secure and efficient.

The paper is organized as follows. In Section 2, we list the notations used in the reviewed protocols. In Section 3, we review Zhu et al.'s protocol and its drawbacks. Yeh et al.'s protocol and its drawbacks are shown in Section 4. In Section 5, we present the proposed password authenticated key exchange protocol for imbalanced wireless networks, followed by the analyses and further discussion in Section 6. Finally, we draw some conclusions in Section 7.

* Corresponding author. Tel.: +886 5 2720411x33100; fax: +886 5 2720859. E-mail address: [email protected] (C.-C. Chang).
0920-5489/$ - see front matter © 2004 Elsevier B.V. All rights reserved. doi:10.1016/j.csi.2004.08.002

2. Notations

The notations used in the reviewed protocols are listed as follows.

A                          the server
B                          the low-power client
ID_A / ID_B                the identity of A / B
pw                         the password shared between A and B
(e, n)                     the RSA public key pair of A
d                          the RSA private key of A
E_K / D_K                  a symmetric en/decryption algorithm, where K is the key used
H_1, H_2, H_3, H_4, H_5, H_6   distinct cryptographic hash functions

3. A review and cryptanalysis of Zhu et al.'s protocol

In this section, we first review Zhu et al.'s protocol. Then, the cryptanalysis of Zhu et al.'s protocol is shown in Section 3.2.

3.1. A review of Zhu et al.'s protocol

Zhu et al.'s protocol is shown in Fig. 1. The details are as follows.

Step 0. A and B share a password pw.
Step 1. A uses a public key generator to obtain an RSA public key pair (n, e) and chooses a random number r_A ∈_R {0, 1}^l. Then, A sends (n, e) and r_A to B.
Step 2. B checks whether (n, e) is a valid public key pair by an interactive protocol. If it is not, B terminates the protocol; otherwise, B chooses r_B ∈_R {0, 1}^l and s_B ∈_R Z_n. Next, B computes
a = H_2(pw, ID_A, ID_B, r_A, r_B) and z = s_B^e + a mod n.


Fig. 1. Zhu et al.’s proposed password authentication key exchange based on RSA for imbalanced wireless networks.

Thereupon, B sends r_B and z to A.
Step 3. Upon receiving r_B and z from B, A calculates
a = H_2(pw, ID_A, ID_B, r_A, r_B),
s_B = (z − a)^d mod n, and
K = H_3(s_B).
Then, A computes and sends E_K(c_A, ID_B) to B, where c_A ∈_R {0, 1}^l is chosen by A.
Step 4. After receiving E_K(c_A, ID_B) from A, B computes
K = H_3(s_B) and c_B = H_4(s_B).
Then, B checks whether D_K(E_K(c_A, ID_B)) contains B's identity ID_B. If it does, B uses the decrypted result c_A' to compute the session key r = H_5(c_A', c_B, ID_A, ID_B) and the confirmation value H_6(r). Then, B sends H_6(r) back to A, and the connection is accepted.
Step 5. Upon getting H_6(r), A computes
c_B = H_4(s_B) and r' = H_5(c_A, c_B, ID_A, ID_B).
Then, A checks whether H_6(r') = H_6(r) holds. If it does not, A terminates the protocol; otherwise, A accepts the connection.

3.2. Cryptanalysis of Zhu et al.'s protocol

Yeh et al. showed that Zhu et al.'s protocol suffers from undetectable on-line password-guessing attacks. Their attack on Zhu et al.'s protocol is shown in Fig. 2. The details are as follows.

Step 0. A and B share a password pw. A malicious user E impersonates B in order to guess B's password.
Step 1. A uses a public key generator to obtain an RSA public key pair (n, e) and chooses a random number r_A ∈_R {0, 1}^l. Then, A sends (n, e) and r_A to B.
Step 2. E intercepts the transmitted data and checks whether (n, e) is a valid public key pair by the interactive protocol, as B would. If it is not, E terminates the protocol; otherwise, E chooses r_E ∈_R {0, 1}^l and s_E ∈_R Z_n. Next, E computes
a' = H_2(pw', ID_A, ID_B, r_A, r_E) and z = s_E^e + a' mod n,
where pw' is E's guess of B's password. Thereupon, E sends r_E and z to A.
Step 3. Upon receiving r_E and z from E, A calculates
a'' = H_2(pw, ID_A, ID_B, r_A, r_E),
s_E' = (z − a'')^d mod n, and
K = H_3(s_E').
Then, A computes and sends E_K(c_A, ID_B) to B, where c_A ∈_R {0, 1}^l is chosen by A.
Step 4. E intercepts the message sent by A and computes
K' = H_3(s_E) and D_{K'}(E_K(c_A, ID_B)) = (c_A', ID_B').
Then, E checks whether ID_B' equals ID_B. If it does, a' = a'' and hence s_E' = s_E, so E has guessed B's password correctly. Otherwise, E simply runs the protocol again with another guess. A never receives the final message H_6(r) and therefore cannot distinguish a failed guess from an ordinary connection failure, which is what makes the attack undetectable.

Fig. 2. Undetectable on-line password-guessing attacks on Zhu et al.'s protocol.

4. A review and cryptanalysis of Yeh et al.'s protocol

In the following, we first review Yeh et al.'s protocol in Section 4.1. Then, the cryptanalysis of Yeh et al.'s protocol is presented in Section 4.2.

4.1. A review of Yeh et al.'s protocol

Yeh et al.'s protocol is shown in Fig. 3. The details are as follows.

Step 0. A and B share a password pw.
Step 1. A uses a public key generator to obtain an RSA public key pair (n, e) and chooses a random number r_A ∈_R {0, 1}^l. Then, A sends (n, e) and r_A to B.
Step 2. B checks whether (n, e) is a valid public key pair by an interactive protocol. If it is not, B terminates the protocol; otherwise, B chooses s_B ∈_R Z_n. Thereupon, B computes
a = E_pw(ID_A, ID_B, r_A, s_B) and z = a^e mod n.
Thereupon, B sends z to A.
Step 3. After getting z, A computes
(ID_A, ID_B, r_A, s_B) = D_pw(z^d mod n)
and checks whether the result contains ID_A, ID_B and r_A. If it does not, A terminates the protocol; otherwise, A computes
c_B = H_3(s_B), r = H_4(r_A, c_B, ID_A, ID_B) and E_r(ID_B),
where r is the session key. Then, A sends E_r(ID_B) to B.
Step 4. After receiving E_r(ID_B) from A, B computes
c_B = H_3(s_B) and r' = H_4(r_A, c_B, ID_A, ID_B).
Then, B checks whether D_{r'}(E_r(ID_B)) equals ID_B. If it does not, B terminates the protocol; otherwise, B computes and sends H_6(r') to A.
Step 5. Upon getting H_6(r'), A checks whether H_6(r') = H_6(r) holds. If it does not, A terminates the protocol; otherwise, A accepts the connection.

Fig. 3. Yeh et al.'s proposed password authenticated key exchange based on RSA for imbalanced wireless networks.

4.2. Cryptanalysis of Yeh et al.'s protocol

Yeh et al.'s protocol employs the RSA public key cryptosystem, so the client B can encrypt the secret information such that only the holder of the correct private key can recover it. However, no certificate is used to prove the legitimacy of the received public key, and only a simple interactive protocol is used to prove that (n, e) is a valid RSA public key pair. The interactive protocol only convinces B that the sender knows the private key matching (n, e); it says nothing about who the sender is. This results in fatal security flaws: any malicious user E can impersonate the server A to obtain the information needed for off-line password-guessing attacks. In the following, we show how E mounts such an attack on Yeh et al.'s protocol.

Step 0. A and B share a password pw.
Step 1. E generates an RSA public key pair (n', e') with a public key generator, where d' is the corresponding RSA private key, and chooses a random number r_E ∈_R {0, 1}^l. Then, E sends (n', e') and r_E to B.
Step 2. B checks whether (n', e') is a valid public key pair by the interactive protocol. B will be convinced that the sender owns a valid key pair, since E indeed knows d'. As a result, B chooses s_B ∈_R Z_{n'} and computes
a = E_pw(ID_A, ID_B, r_E, s_B) and z = a^{e'} mod n'.
Thereupon, B sends z to E.
Step 3. After getting z, E computes a = z^{d'} mod n'.
Step 4. E guesses B's password to be pw' and checks whether D_{pw'}(a) contains ID_A, ID_B and r_E. If it does, E has obtained B's password; otherwise, E repeats Step 4 with the next guess. No further interaction with B or A is required, so the search is entirely off-line and cannot be detected.
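The off-line attack above reduces to a dictionary search once E holds a = z^{d'} mod n', because the plaintext carries the redundancy (ID_A, ID_B, r_E) against which every guess can be checked without contacting B again. The following Python script is an added example written for this page, not code from the paper or from Yeh et al.; it uses toy Mersenne primes for E's RSA modulus, a SHA-256 keystream XOR as a stand-in for the symmetric E_pw / D_pw, fixed-length byte strings for the identities, r_E and s_B, and a constructed four-word dictionary. The public-key validity check of step 2 is omitted because E passes it legitimately.

```python
import hashlib
import secrets

# Attacker E's own RSA key pair.  Toy Mersenne primes, constructed for this
# example only (not a secure key).  E can use any key pair it likes, since B
# only checks that the sender knows the matching private key, which E does.
P_E = 2**521 - 1
Q_E = 2**127 - 1
N_E = P_E * Q_E
E_EXP = 65537
D_E = pow(E_EXP, -1, (P_E - 1) * (Q_E - 1))

ID_A, ID_B = b"server-A", b"client-B"   # assumed identities (8 bytes each)
NONCE_LEN = 16                          # bytes used for r_E and for s_B
PLAINTEXT_LEN = len(ID_A) + len(ID_B) + 2 * NONCE_LEN   # 48 bytes, < log256(n')


def Epw(pw: bytes, data: bytes) -> bytes:
    """Stand-in for the paper's E_pw / D_pw: XOR with a SHA-256 keystream
    keyed by the password.  Encryption and decryption are the same call."""
    stream = b"".join(
        hashlib.sha256(b"Epw" + pw + i.to_bytes(4, "big")).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(x ^ k for x, k in zip(data, stream))


def honest_client_step2(pw: bytes, n: int, e: int, r_received: bytes) -> int:
    """Step 2 of Yeh et al.'s protocol as run by B, who takes (n, e) to be the
    server's key: a = E_pw(ID_A, ID_B, r, s_B), z = a^e mod n."""
    s_B = secrets.token_bytes(NONCE_LEN)           # stands in for s_B in Z_n
    a = Epw(pw, ID_A + ID_B + r_received + s_B)
    return pow(int.from_bytes(a, "big"), e, n)


def offline_guess(z: int, d: int, n: int, r_E: bytes, dictionary):
    """Steps 3-4 as run by E: recover a = z^d mod n, then test each candidate
    password off-line against the redundancy (ID_A, ID_B, r_E), which a wrong
    password cannot reproduce.  Returns the matching password or None."""
    a = pow(z, d, n).to_bytes(PLAINTEXT_LEN, "big")
    expected = ID_A + ID_B + r_E
    for cand in dictionary:
        if Epw(cand, a)[: len(expected)] == expected:
            return cand
    return None


def run_attack(true_pw: bytes, dictionary):
    """E impersonates A: sends its own (n', e') and a fresh r_E, receives z
    from B, drops the connection, and searches the dictionary silently."""
    r_E = secrets.token_bytes(NONCE_LEN)
    z = honest_client_step2(true_pw, N_E, E_EXP, r_E)   # B answers E as if A
    return offline_guess(z, D_E, N_E, r_E, dictionary)


if __name__ == "__main__":
    words = [b"123456", b"password", b"hunter2", b"letmein"]   # constructed list
    print(run_attack(b"hunter2", words))
```

The check in offline_guess is exactly the redundancy test of step 3 of Yeh et al.'s protocol, run by the wrong party: once the RSA layer belongs to the attacker, E_pw(ID_A, ID_B, r_E, s_B) is a password-encrypted message with a known 32-byte prefix, and a password-only key cannot protect that.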


5. The proposed scheme

As in the reviewed schemes, A denotes the server and B the low-power client, ID_A and ID_B are their identities, and pw is the password shared between A and B. The server A publishes the following public system parameters:
(1) E1_P / D1_P: a symmetric en/decryption algorithm, where the password P is the key;
(2) F_1, F_2, F_3: distinct cryptographic hash functions; and
(3) n = p·q, where p ≡ 3 (mod 4) and q ≡ 3 (mod 4) are two large primes kept secret by A.
The proposed scheme is shown in Fig. 4 and the details are as follows.

Step 0. A and B share a password pw.
Step 1. A chooses a random number r_A ∈_R {0, 1}^l and computes E1_pw(r_A). Then, A sends the result to B.
Step 2. After getting the transmitted data, B computes r_A = D1_pw(E1_pw(r_A)). Then, B chooses s_B ∈_R Z_n and calculates
r = F_1(r_A, s_B, ID_A, ID_B),
a = F_2(r_A, s_B, r) and
z = s_B^2 mod n,
where r is the session key. Thereupon, B sends a and z to A.
Step 3. After getting a and z, A computes
c_1 = z^{(p+1)/4} mod p,
c_2 = p − (z^{(p+1)/4} mod p),
c_3 = z^{(q+1)/4} mod q,
c_4 = q − (z^{(q+1)/4} mod q),
x = q·(q^{-1} mod p),
y = p·(p^{-1} mod q),
b_1 = (x·c_1 + y·c_3) mod n,
b_2 = (x·c_1 + y·c_4) mod n,
b_3 = (x·c_2 + y·c_3) mod n and
b_4 = (x·c_2 + y·c_4) mod n.
These are the four square roots of z modulo n. For i = 1, 2, 3, 4, let s_B' = b_i and compute
r' = F_1(r_A, s_B', ID_A, ID_B) and a' = F_2(r_A, s_B', r').
A checks whether a' equals a for some i. If none matches, A terminates the protocol. Otherwise, A accepts the connection and is convinced that B knows pw and has already computed the correct session key r. Then, A computes and sends F_3(r') to B.
Step 4. After receiving F_3(r') from A, B checks whether F_3(r') = F_3(r) holds. If it does, B accepts the connection.
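Both sides of the exchange above, as an added example written for this page and not code from the paper: the server's steps 1 and 3 (including the four CRT square roots c_1..c_4, x, y, b_1..b_4) and the client's steps 2 and 4. Toy Mersenne primes stand in for p and q (they are conveniently ≡ 3 mod 4 but far too structured for real use), SHA-256 with domain-separation tags stands in for F_1, F_2, F_3, and a SHA-256 keystream XOR stands in for E1_pw / D1_pw; the identities and the nonce length are assumptions. Note that the off-line resistance argued in Section 6 depends on E1 having no redundancy: if E1_pw(r_A) came from an authenticated or padded cipher, a guess pw' could be checked against the padding, so the stand-in is deliberately a plain keystream.

```python
import hashlib
import hmac
import secrets

# Toy system parameters, constructed for this example only.  A real server
# needs large random Blum primes; these are Mersenne primes with p, q = 3 mod 4.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
N_BYTES = (N.bit_length() + 7) // 8
ID_A, ID_B = b"server-A", b"client-B"   # assumed identities
NONCE_LEN = 16                          # |r_A| in bytes (the paper's l bits)


def F(tag: bytes, *parts: bytes) -> bytes:
    """Stand-in for the distinct hash functions F1/F2/F3: SHA-256 with a
    domain-separation tag and length-prefixed inputs."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def E1(pw: bytes, data: bytes) -> bytes:
    """Stand-in for E1_pw / D1_pw: XOR with a SHA-256 keystream keyed by pw.
    Redundancy-free on purpose: decrypting under a wrong guess just yields a
    random-looking r_A', not a detectable error."""
    stream = b"".join(
        hashlib.sha256(b"E1" + pw + i.to_bytes(4, "big")).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(x ^ k for x, k in zip(data, stream))


def rabin_roots(z: int) -> list:
    """Step 3: the four square roots of z modulo N via the CRT, following the
    paper's c1..c4, x, y and b1..b4 (requires p = q = 3 mod 4)."""
    c1 = pow(z, (P + 1) // 4, P)
    c2 = P - c1
    c3 = pow(z, (Q + 1) // 4, Q)
    c4 = Q - c3
    x = Q * pow(Q, -1, P)   # x = 1 (mod P), x = 0 (mod Q)
    y = P * pow(P, -1, Q)   # y = 0 (mod P), y = 1 (mod Q)
    return [(x * cp + y * cq) % N for cp in (c1, c2) for cq in (c3, c4)]


def server_step1(pw: bytes):
    r_A = secrets.token_bytes(NONCE_LEN)
    return r_A, E1(pw, r_A)


def client_step2(pw: bytes, msg1: bytes):
    r_A = E1(pw, msg1)                          # D1_pw(E1_pw(r_A))
    s_B = secrets.randbelow(N)
    s_bytes = s_B.to_bytes(N_BYTES, "big")
    r = F(b"F1", r_A, s_bytes, ID_A, ID_B)      # session key
    a = F(b"F2", r_A, s_bytes, r)
    z = pow(s_B, 2, N)                          # Rabin encryption of s_B
    return r, (a, z)


def server_step3(r_A: bytes, a: bytes, z: int):
    """Try all four roots; return (session key, F3 confirmation) or None."""
    for s in rabin_roots(z):
        s_bytes = s.to_bytes(N_BYTES, "big")
        r_prime = F(b"F1", r_A, s_bytes, ID_A, ID_B)
        if hmac.compare_digest(F(b"F2", r_A, s_bytes, r_prime), a):
            return r_prime, F(b"F3", r_prime)
    return None                                 # detectable failure


def client_step4(r: bytes, confirm: bytes) -> bool:
    return hmac.compare_digest(F(b"F3", r), confirm)


def run_protocol(server_pw: bytes, client_pw: bytes) -> dict:
    r_A, msg1 = server_step1(server_pw)
    r_client, (a, z) = client_step2(client_pw, msg1)
    result = server_step3(r_A, a, z)
    if result is None:
        return {"server_accepted": False, "client_accepted": False, "keys_match": False}
    r_server, confirm = result
    return {
        "server_accepted": True,
        "client_accepted": client_step4(r_client, confirm),
        "keys_match": r_server == r_client,
    }


if __name__ == "__main__":
    print(run_protocol(b"correct horse", b"correct horse"))
    print(run_protocol(b"correct horse", b"wrong guess"))
```

With matching passwords all three flags come back True; with a wrong client password the a' = a comparison fails for every root and the run is rejected in step 3, which is the detectable failure Section 6.1.1 relies on. The comparisons use hmac.compare_digest so that a timing difference does not tell the sender which root, if any, came close.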

Fig. 4. The proposed password authenticated key exchange for wireless networks.

6. Security analyses and more discussions

In this section, we demonstrate that our proposed protocol is both secure and efficient, and we list the properties it achieves.

6.1. Security analyses

In the following, we show that the proposed protocol resists the password-guessing attacks of Section 1 and some other common attacks.


6.1.1. Attack scenario 1: a malicious user E wants to mount on-line password-guessing attacks on the proposed protocol

As in the attacks of Sections 3.2 and 4.2, E impersonates B and guesses pw to be pw'. After getting the transmitted data E1_pw(r_A), E computes r_A' = D1_{pw'}(E1_pw(r_A)). Since E has no knowledge of r_A, E cannot tell at this point whether pw' is B's password. Then, E chooses s_E ∈_R Z_n and calculates
r = F_1(r_A', s_E, ID_A, ID_B), a = F_2(r_A', s_E, r) and z = s_E^2 mod n.
Thereupon, E sends a and z to A. Upon receiving a and z, A performs step 3 of the protocol. Because E does not know pw, E cannot retrieve the correct r_A, so the session key r and the authenticator a computed by E do not match those A derives from the roots of z. When A verifies the received data, the check a' = a fails, and A can easily detect that someone is trying to guess B's password. It is likewise impossible for E to mount undetectable on-line password-guessing attacks, for two reasons: (1) E cannot determine whether pw' is B's password in step 2; (2) A discovers the attempt in step 3. Hence the proposed scheme resists on-line password-guessing attacks.

6.1.2. Attack scenario 2: a malicious user E wants to mount off-line password-guessing attacks on the proposed protocol

There are two ways for E to obtain the information needed.

Case 1: E eavesdrops and records the transmitted data E1_pw(r_A), a, z and F_3(r'). E guesses pw to be pw' and computes r_A' = D1_{pw'}(E1_pw(r_A)). Since E has no knowledge of r_A, E cannot tell whether pw' is B's password and needs s_B for confirmation. However, n = p·q, where the large primes p and q are kept secret by A; recovering s_B from z = s_B^2 mod n without p and q is as hard as factoring n. As a result, E cannot obtain pw by analyzing the eavesdropped data.

Case 2: E impersonates A to obtain the essential information. E chooses a random number r_E ∈_R {0, 1}^l and computes E1_{pw'}(r_E), where pw' is the guessed password, and sends the result to B. Upon getting the transmitted data, B computes r_E' = D1_pw(E1_{pw'}(r_E)), chooses s_B ∈_R Z_n and calculates r = F_1(r_E', s_B, ID_A, ID_B), a = F_2(r_E', s_B, r) and z = s_B^2 mod n, where r is the session key. Thereupon, B sends a and z to E. E then terminates the protocol and analyzes the received data. E would like to perform step 3 of the protocol, but without p and q E cannot recover s_B from z, and so cannot check whether pw' = pw. E may guess another password pw'' and compute r_E'' = D1_{pw''}(E1_{pw'}(r_E)), but faces the same difficulty as in case 1.

According to the above two cases, E cannot obtain B's password pw by analyzing received or eavesdropped data.

6.1.3. Attack scenario 3: E wants to get the session key r

First, E may try to recover r from F_3(r'). This does not work, since F_3 is a one-way hash function. Second, E cannot get r by impersonating A or B or by analyzing the transmitted data, for the reasons given above.

6.1.4. Attack scenario 4: E guesses B's password by impersonating A

E chooses a random number r_E ∈_R {0, 1}^l and computes E1_{pw'}(r_E), where pw' is the guessed password, and sends the result to B. Upon getting the transmitted data, B computes r_E' = D1_pw(E1_{pw'}(r_E)), chooses s_B ∈_R Z_n and calculates r = F_1(r_E', s_B, ID_A, ID_B), a = F_2(r_E', s_B, r) and z = s_B^2 mod n, where r is the session key. Thereupon, B sends a and z to E. E then terminates the protocol and attempts step 3 of the protocol. If the guess pw' is wrong, E must repeat the whole procedure with a new guess the next time B sends a request. Such attacks are hard to carry out for the following reasons: (1) B will not keep sending requests indefinitely; (2) if the server terminates the protocol several times within a short period, B will suspect an attack. E may instead mount the attack intermittently, but this is still unworkable, since A may ask B to change the password after a long period or after a large number of requests. Moreover, E must repeat the procedure a great many times: if pw consists of eight 8-bit characters, |pw| = 64 bits and E would have to try up to 2^64 passwords. (This counts the full keyspace; a human-chosen eight-character password has far less entropy, which is why the detectability and limits on on-line attempts described above matter in practice.) From the above analyses, it is very hard for E to obtain B's password pw by impersonating A.

6.1.5. Replay attacks

Suppose E records a and z in order to convince A that E is the legitimate user B. This cannot work, since A chooses a fresh random number r_A ∈_R {0, 1}^l every time A and B run the key agreement protocol. A replayed a is bound to the old r_A, so A's check in step 3 fails and the replay is detected. Consequently, E cannot perform replay attacks successfully.

6.1.6. Preplay attacks

E may impersonate A towards B in order to collect information for later convincing A that E is B. However, E cannot succeed, since pw is unknown and E encounters the same difficulties as in case 2 of Section 6.1.2.

6.2. Performance analyses

The performance of Zhu et al.'s protocol, Yeh et al.'s protocol and our proposed protocol is compared in Table 1. Since Zhu et al.'s and Yeh et al.'s protocols are both based on RSA, the public key en/decryption operations are exponentiations. We therefore use "exponential computation" to cover both the RSA en/decryption operations and other modular exponentiations. In our proposed protocol, B computes z = s_B^2 mod n in step 2. This can be obtained by one multiplication and one modular reduction, so the number of exponentiations executed by B is regarded as zero in Table 1. Moreover, because both Zhu et al.'s and Yeh et al.'s protocols employ an interactive protocol to prove the validity of the public key, the number of challenges is not fixed; N denotes the number of challenges needed. A uses Rabin's cryptosystem to decrypt the received information, so there are three possibilities for the decrypted result: four distinct roots, two distinct roots, or a single root. Therefore, A performs the hash operations eight, four or two times in our protocol.

Table 1. The numbers of operations for different computation types

Protocol                Participant   Exponential    Symmetric         Hash
                                      computation    en(de)cryption
Zhu et al.'s protocol   A             N+1            1                 N+5
                        B             N+1            1                 N+5
Yeh et al.'s protocol   A             N+1            2                 N+3
                        B             N+1            2                 N+3
Our proposed protocol   A             2              1                 8/4/2
                        B             0              1                 3

Table 2. The numbers of transmissions of the participants

Protocol                A    B
Zhu et al.'s protocol   3    3
Yeh et al.'s protocol   3    3
Our proposed protocol   2    1

According to Table 2, the number of transmissions in our proposed protocol is three fewer than in the others. Most important of all, the client B needs to send only one message. This saves energy on the wireless device, since transmitting consumes more power than receiving. According to Table 1 and the above analyses, our proposed protocol is suitable for imbalanced wireless networks, since the computation load and the required power of B are far lower than in the other protocols.

6.3. The achieved properties

In the following, we show the properties of our proposed protocol.


6.3.1. Mutual authentication: A and B authenticate each other

As shown in Section 5, A authenticates B in step 3 by checking whether a' and a are equal. If so, A accepts the connection and is convinced that B knows pw. Then, A computes and sends F_3(r') to B. In step 4, B checks whether F_3(r') = F_3(r) holds after receiving F_3(r') from A. If it does, B accepts the connection and is assured that A indeed knows the shared password pw. As a result, A and B authenticate each other in our proposed protocol.

6.3.2. Explicit key authentication: A is assured B has computed the exchanged key

As shown in step 3 of the proposed protocol, after getting a and z, A computes
c_1 = z^{(p+1)/4} mod p,
c_2 = p − (z^{(p+1)/4} mod p),
c_3 = z^{(q+1)/4} mod q,
c_4 = q − (z^{(q+1)/4} mod q),
x = q·(q^{-1} mod p),
y = p·(p^{-1} mod q),
b_1 = (x·c_1 + y·c_3) mod n,
b_2 = (x·c_1 + y·c_4) mod n,
b_3 = (x·c_2 + y·c_3) mod n and
b_4 = (x·c_2 + y·c_4) mod n.
For i = 1, 2, 3, 4, let s_B' = b_i. A computes
r' = F_1(r_A, s_B', ID_A, ID_B) and a' = F_2(r_A, s_B', r').
Next, A checks whether a' and a are equal. If they are, A accepts the connection and is convinced that B knows pw and has already computed the correct session key r, because a is a hash over r itself and could not have been formed otherwise. Hence A is assured that B has actually computed the exchanged key r, and this property holds in our proposed protocol.


6.3.3. Computation efficiency: the computation load of the wireless device is light

As shown in Table 1, the wireless client B only needs to execute one symmetric decryption and three hash operations. The overhead of exponentiation is large, and unlike in Zhu et al.'s and Yeh et al.'s protocols, B performs no exponentiation at all (squaring modulo n costs one multiplication and one reduction). Consequently, the computation load of the wireless device is far lower than in the previously proposed protocols, and computation efficiency is ensured in our protocol.

6.3.4. Power saving: the power consumption of the wireless device in our protocol is low

First, as mentioned above, the client B needs to send only one message, and transmitting is well known to consume more power than receiving. Second, the computation load of the wireless device is quite light. Because of these characteristics, the wireless device saves more energy in our protocol than in Zhu et al.'s and Yeh et al.'s protocols. That is, our protocol achieves this property.

6.3.5. Confirmation and completeness: the proposed protocol with easy-to-remember passwords can withstand the password-guessing attacks considered, and the transmitted data does not reveal any secret

The security of the proposed protocol rests on the shared password, on the difficulty of computing square roots modulo n = p·q without its factorization (the factoring problem underlying Rabin's cryptosystem), and on the hash functions. As for the shared password, password-guessing attacks are the essential issue. In Ref. [5], Ding and Horster divided password-guessing attacks into three types: (1) detectable on-line password-guessing attacks; (2) undetectable on-line password-guessing attacks; (3) off-line password-guessing attacks. As shown in Sections 6.1.1, 6.1.2, 6.1.4 and 6.1.5, our proposed protocol defends against these password-guessing attacks. As shown in Sections 6.1.2–6.1.6, no malicious user can retrieve any secret from the transmitted messages, because of the factoring assumption and the one-way hash functions. Thus the security of our proposed scheme is ensured, and we conclude that it provides confirmation and completeness.


7. Conclusions

Because of the drawbacks of Zhu et al.'s and Yeh et al.'s protocols, we have proposed a new password authenticated key exchange protocol for imbalanced wireless networks. According to the security analyses, the proposed protocol withstands the attacks considered in Section 6, including those that Zhu et al.'s and Yeh et al.'s protocols suffer from. What is more, it provides both power saving and computation efficiency, which makes it suitable for imbalanced wireless networks. In a word, our proposed protocol is not only secure but also practical.

References

[1] B.C. Neuman, T. Ts'o, Kerberos: an authentication service for computer networks, IEEE Communications Magazine 32 (9) (1994) 33–38.
[2] S.M. Bellovin, M. Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks, Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, May 1992, pp. 72–84.
[3] C.L. Lin, H.M. Sun, T. Hwang, Three-party encrypted key exchange: attacks and a solution, ACM SIGOPS Operating Systems Review 34 (4) (October 2000) 12–20.
[4] C.L. Lin, H.M. Sun, M. Steiner, T. Hwang, Three-party encrypted key exchange without server public-keys, IEEE Communications Letters 5 (12) (December 2001) 497–499.
[5] Y. Ding, P. Horster, Undetectable on-line password guessing attacks, ACM SIGOPS Operating Systems Review 29 (4) (October 1995) 77–86.
[6] D. Jablon, Strong password-only authenticated key exchange, ACM Computer Communications Review 20 (5) (September 1996) 5–26.
[7] T. Kwon, J. Song, Efficient key exchange and authentication protocol protecting weak secrets, IEICE Transactions on Fundamentals E81-A (1) (January 1998) 97–111.
[8] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (November 1976) 644–654.
[9] F. Zhu, D.S. Wong, A.H. Chan, R. Ye, Password authenticated key exchange based on RSA for imbalanced wireless networks, Proceedings of ISC 2002, LNCS 2433, Tsukuba, Japan, January 2002, pp. 150–161.
[10] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (2) (February 1978) 120–126.
[11] H.T. Yeh, H.M. Sun, C.T. Yang, B.C. Chen, S.M. Tseng, Improvement of password authenticated key exchange based on RSA for imbalanced wireless networks, IEICE Transactions on Communications E86-B (11) (November 2003) 3278–3282.

Ya-Fen Chang received the BS degree in computer science and information engineering from National Chiao Tung University, Hsinchu, Taiwan in 2000. She is currently pursuing her Ph.D. degree in computer science and information engineering at National Chung Cheng University, Chiayi, Taiwan. Her current research interests include electronic commerce, information security, cryptography, and mobile communications.

Chin-Chen Chang received the BS degree in applied mathematics in 1977 and the MS degree in computer and decision sciences in 1979, both from National Tsing Hua University, Hsinchu, Taiwan. He received his Ph.D. in computer engineering in 1982 from National Chiao Tung University, Hsinchu, Taiwan. During the academic years 1980–1983, he was on the faculty of the Department of Computer Engineering at National Chiao Tung University. From 1983 to 1989, he was on the faculty of the Institute of Applied Mathematics, National Chung Hsing University, Taichung, Taiwan. Since August 1989, he has been a professor at the Institute of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan, and since 2002 a Chair Professor of National Chung Cheng University. His current research interests include database design, computer cryptography, image compression and data structures. Dr. Chang is a fellow of the IEEE, a fellow of the IEE, a research fellow of the National Science Council of ROC, and a member of the Chinese Language Computer Society, the Chinese Institute of Engineers of the Republic of China, the International Association for Cryptologic Research, the Computer Society of the Republic of China, and the Phi Tau Phi Honorary Society of the Republic of China. Dr. Chang was the chair and is the honorary chair of the executive committee of the Chinese Cryptography and Information Security Association of the Republic of China.

Jen-Ho Yang received the BS degree and the MS degree in information engineering from I-Shou University, Kaohsiung, Taiwan in 1998 and 2002, respectively. He is currently pursuing his Ph.D. degree in computer science and information engineering at National Chung Cheng University, Chiayi, Taiwan. His current research interests include information security and cryptography.