# Password Authenticated Key Exchange and Protected Password Change Protocols

## Abstract

## 1. Introduction

- Mutual authentication: the user and the server can authenticate each other.
- Session key security: no-one except the user and the server can agree to the common session key with a non-negligible probability.
- Forward secrecy: when the password is compromised, it does not reveal the earlier session keys.
- Known-key security: when the session key is lost, it does not reveal other session keys. This limits the damage caused by a compromised session key to that compromised session only.
- Withstanding an off-line password guessing attack: an adversary cannot find an equation to verify whether his/her guessed password is correct.

## 2. The Proposed Scheme

- Step 1. Client ⟹ Server: $\langle id, R_c \oplus H(id,pw)\rangle$

  The user gives his/her $id$ and $pw$ to the client. The client computes the hash value $H(id,pw)$. Then the client chooses a random number $c\in [1,q-1]$ and computes $R_c = g^{c} \bmod p$. Then the client sends $id$ and $R_c \oplus H(id,pw)$ to the server.
- Step 2. Server ⟹ Client: $\langle S, H(K,R_c)\rangle$

  After receiving $id$ and $R_c \oplus H(id,pw)$, the server retrieves $Hpw$ from the verification table and recovers $R_c$ by computing $(R_c \oplus H(id,pw)) \oplus Hpw$. Then the server computes $K = (R_c)^{s} = g^{cs} \bmod p$, where $s\in [1,q-1]$ is the server private key and $R_s = g^{s} \bmod p$ is the server public key. Then the server sends $H(K,R_c)$ to the client.
- Step 3. Client ⟹ Server: $\langle id, H(K,R_s)\rangle$

  After receiving $S$ and $H(K,R_c)$, the client computes $K = (R_s)^{c} = g^{sc} \bmod p$. Then the client computes $H(K,R_c)$ and compares it with the received $H(K,R_c)$. If these two values are equivalent, the client computes $H(K,R_s)$ and sends it together with $id$ to the server. This check is used for authenticating the server.
- Step 4. Server: Access granted or Access denied

  After receiving $id$ and $H(K,R_s)$, the server uses its own copy of $K$ and its public key $R_s$ to compute $H(K,R_s)$ and compares it with the received $H(K,R_s)$. If these two values are equivalent, the server grants the client’s login request. Otherwise, the server denies the client’s login request.

- Step 1*. Client ⟹ Server: $\langle id, R_c \oplus H(id,pw), R_c \oplus Hnewpw\rangle$

  The messages $id$ and $R_c \oplus H(id,pw)$ are the same as those in Step 1 in the PAKE protocol. The client additionally sends $R_c \oplus Hnewpw$ to the server.
- Step 2*. Server ⟹ Client: $\langle S, H(Hnewpw,K,R_c)\rangle$

  After receiving $id$, $R_c \oplus H(id,pw)$, and $R_c \oplus H(id,newpw)$, the server retrieves $Hpw$ from the verification table to recover $R_c$ by computing $(R_c \oplus H(id,pw)) \oplus Hpw$. Then the server uses the recovered $R_c$ to further obtain $Hnewpw$ by computing $(R_c \oplus Hnewpw) \oplus R_c$. Then the server computes $K = (R_c)^{s} = g^{cs} \bmod p$ and $H(Hnewpw,K,R_c)$. Then the server sends $H(Hnewpw,K,R_c)$ to the client.
- Step 3*. Client ⟹ Server: $\langle id, H(K,R_s)\rangle$

  After receiving $S$ and $H(Hnewpw,K,R_c)$, the client computes $K = (R_s)^{c} \bmod p$ and $H(H(id,newpw),K,R_c)$. Then the client checks whether the received $H(Hnewpw,K,R_c)$ is equal to $H(H(id,newpw),K,R_c)$. If the two values are equivalent, the client sends $id$ and $H(K,R_s)$ to the server.
- Step 4*. Server: Access granted or Access denied

  After receiving $id$ and $H(K,R_s)$, the server uses its own copy of $K$ and its public key $R_s$ to compute $H(K,R_s)$ and compares it with the received $H(K,R_s)$ in Step 3*. If these two values are equivalent, the server stores the recovered $Hnewpw$ in Step 1* into a verification table. Otherwise, the server denies the client’s password change request.
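The two message flows above (Steps 1 to 4 and Steps 1* to 4*), with both sides' computations, as an added example that is not code from the paper. Assumptions: the `Server`, `Client`, `run` and `same` names are hypothetical, $H$ is instantiated with SHAKE-256 over length-prefixed fields, the group is RFC 2409 Oakley Group 1, $s$ is the long-term server key as in Section 2, and the Step 2 reply carries $R_s$ together with the tag.

```python
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 1: 768-bit safe prime p, generator g = 2 of prime order
# q = (p - 1) / 2. Chosen to keep the listing short; too small for production.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2
K_BYTES = 96  # |p| = k = 768 bits, so H outputs 96 bytes

def H(*parts):
    """H: {0,1}* -> {0,1}^k. SHAKE-256 over length-prefixed fields is an
    assumption of this example; the paper leaves H abstract."""
    h = hashlib.shake_256()
    for part in parts:
        b = part.encode() if isinstance(part, str) else part.to_bytes(K_BYTES, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(K_BYTES), "big")

def same(a, b):
    """Constant-time comparison of two k-bit values."""
    return hmac.compare_digest(a.to_bytes(K_BYTES, "big"), b.to_bytes(K_BYTES, "big"))

class Server:
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1   # private key s in [1, q-1]
        self.R_s = pow(G, self.s, P)            # public key R_s = g^s mod p
        self.table = {}                         # verification table: id -> Hpw

    def register(self, uid, pw):
        self.table[uid] = H(uid, pw)

    def step2(self, uid, masked_rc, masked_new=None):
        R_c = masked_rc ^ self.table[uid]       # recover R_c with the stored Hpw
        K = pow(R_c, self.s, P)
        h_new = None if masked_new is None else masked_new ^ R_c   # Step 2* only
        tag = H(K, R_c) if h_new is None else H(h_new, K, R_c)
        self.pending = (uid, K, h_new)
        return self.R_s, tag

    def step4(self, uid, tag):
        pending_uid, K, h_new = self.pending
        if uid != pending_uid or not same(tag, H(K, self.R_s)):
            return False                        # access denied / change refused
        if h_new is not None:
            self.table[uid] = h_new             # Step 4*: store the new verifier
        self.SK = H(K)
        return True

class Client:
    def __init__(self, uid, pw):
        self.uid, self.pw = uid, pw

    def step1(self, newpw=None):
        self.c = secrets.randbelow(Q - 1) + 1   # ephemeral c in [1, q-1]
        self.R_c = pow(G, self.c, P)
        self.h_new = None if newpw is None else H(self.uid, newpw)
        msg = (self.uid, self.R_c ^ H(self.uid, self.pw))
        return msg if newpw is None else msg + (self.R_c ^ self.h_new,)

    def step3(self, R_s, tag):
        K = pow(R_s, self.c, P)
        expect = H(K, self.R_c) if self.h_new is None else H(self.h_new, K, self.R_c)
        if not same(tag, expect):
            return None                         # server failed authentication: abort
        self.SK = H(K)
        return self.uid, H(K, R_s)

def run(server, uid, pw, newpw=None):
    """Run Steps 1-4 (1*-4* when newpw is given).
    Returns (client SK, server SK) on success, None if either side rejects."""
    client = Client(uid, pw)
    msg3 = client.step3(*server.step2(*client.step1(newpw)))
    if msg3 is None or not server.step4(*msg3):
        return None
    return client.SK, server.SK
```

With a wrong password the server unmasks a different $R_c$, so its Step 2 tag no longer matches and the client stops at Step 3; in the password change flow the verification table is only written after the Step 4* check succeeds.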

## 3. Formal Security Proof

#### 3.1. The Model

#### Protocol Participants:

#### Session Identity (**SID**) and Partner Identity (**PID**):

#### Accepting and Terminating:

#### Oracle Queries (Adversary’s Capabilities):

- **Send**($\prod_U^i, m$): This query models an adversary sending a message $m$ to the oracle $\prod_U^i$, and the oracle responds as the protocol specifies and updates $\mathbf{SID}$, $\mathbf{PID}$, and its states. The adversary query of the form **Send**($\prod_U^i, \text{“start”}$) initiates an execution of the protocol.
- **Execute**($\prod_C^i, \prod_S^j$): This query models an adversary obtaining an honest execution of the protocol between two oracles $\prod_C^i$ and $\prod_S^j$, and outputs a completed transcript corresponding to them.
- **Reveal**($\prod_U^i$): This query models an adversary obtaining a session key $SK$ with an unconditional return by $\prod_U^i$. The **Reveal** query will let us deal with known-key security. The **Reveal** query is only available to an adversary if the state $\mathbf{ACC}(\prod_U^i)$ of $\prod_U^i$ is true.
- **Corrupt**($\prod_U^i$): This query models an adversary obtaining a password $pw$ with unconditional return by $\prod_U^i$. The **Corrupt** query will let us deal with forward secrecy.
- **Hash**($m$): In the ideal hash model, an adversary gets hash results by making queries to a random oracle. After receiving this query, the random oracle will check whether $m$ has been queried. If so, it returns the result previously generated by the adversary. Otherwise, it generates a random number $r$, returns $r$ to the adversary, and stores $(m,r)$ in the **Hash** table, which is a record set used to record all previous **Hash** queries.
- **Test**($\prod_U^i$): This query models the semantic security of the session key $SK$. During an execution of the protocol, the adversary can ask any of the above queries and ask a **Test** query once. Then $\prod_U^i$ flips a coin $b$ and returns $SK$ if $b=1$, or a random string if $b=0$. The **Test** query is asked only once and is only available if is fresh (see Section 4). This query only measures adversarial success. It does not correspond to any actual adversarial ability.

#### Description of the PAKE Protocol:

- (1) Select two prime numbers $p$ with length $|p|=k$ and $q$ with length $|q|=l$. Let $g$ be a generator with order $q$ in the Galois Field $\mathbb{GF}(p)$, which is based on the Diffie-Hellman scheme.
- (2) Select a hash function $H(\cdot)$: $\{0,1\}^{*}\to \{0,1\}^{k}$.
- (3) Each client sets up an identity $id$ and a password $pw$ from a set $D$ of the dictionary. Let $n$ be the number of passwords in $D$. The server stores $Hpw=H(id,pw)$ in a verification table.
- (4) Each oracle $\prod_U^i$ is set to: $\mathbf{ACC}(\prod_U^i)\leftarrow \mathbf{TERM}(\prod_U^i)\leftarrow false$ and $\mathbf{SK}(\prod_U^i)\leftarrow \mathbf{SID}(\prod_U^i)\leftarrow \mathbf{PID}(\prod_U^i)\leftarrow null$.

**Execute**(${\prod}_{C}^{i}$, ${\prod}_{S}^{j}$)

- (1) $\mathbf{Send}_1(\prod_C^i, \text{“start”})$:
  - $c\stackrel{\mathrm{R}}{\leftarrow}[1,q-1]$;
  - $R_c\leftarrow g^{c} \bmod p$;
  - $msg\text{-}out_1\leftarrow \langle id \,|\, R_c\oplus H(id,pw)\rangle$;
  - $return(msg\text{-}out_1)$.
- (2) $\mathbf{Send}_2(\prod_S^j, m)$, where $m\ne \text{“start”}$:
  - $(m_1^S, m_2^S)\leftarrow m$;
  - $R_c\leftarrow m_2^S\oplus Hpw$;
  - $s\stackrel{\mathrm{R}}{\leftarrow}[1,q-1]$;
  - $R_s\leftarrow g^{s} \bmod p$;
  - $K\leftarrow R_c^{s} \bmod p$;
  - $msg\text{-}out_2\leftarrow \langle S \,|\, R_s \,|\, H(K,R_c)\rangle$;
  - $\mathbf{SK}(\prod_S^j)\leftarrow H(K)$;
  - $\mathbf{SID}(\prod_S^j)\leftarrow \langle m \,|\, msg\text{-}out_2\rangle$;
  - $\mathbf{PID}(\prod_S^j)\leftarrow m_1^S$;
  - $\mathbf{ACC}(\prod_S^j)\leftarrow true$;
  - $\mathbf{TERM}(\prod_S^j)\leftarrow false$;
  - $return(msg\text{-}out_2)$.
- (3) $\mathbf{Send}_3(\prod_C^i, m)$, where $m\ne \text{“start”}$:
  - $(m_1^C, m_2^C, m_3^C)\leftarrow m$;
  - $R_s\leftarrow m_2^C$;
  - $K\leftarrow R_s^{c} \bmod p$;
  - if $m=H(K,R_c)$ then
    - $msg\text{-}out_3\leftarrow \langle id \,|\, H(K,R_s)\rangle$;
    - $\mathbf{SK}(\prod_C^i)\leftarrow H(K)$;
    - $\mathbf{SID}(\prod_C^i)\leftarrow \langle msg\text{-}out_1 \,|\, m \,|\, msg\text{-}out_3\rangle$;
    - $\mathbf{PID}(\prod_C^i)\leftarrow m_1^C$;
    - $\mathbf{ACC}(\prod_C^i)\leftarrow \mathbf{TERM}(\prod_C^i)\leftarrow true$;
  - else
    - $\mathbf{ACC}(\prod_C^i)\leftarrow false$; $\mathbf{TERM}(\prod_C^i)\leftarrow true$;
  - $return(msg\text{-}out_3)$.
- (4) $\mathbf{Send}_4(\prod_S^j, m)$, where $m\ne \text{“start”}$:
  - $(m_3^S, m_4^S)\leftarrow m$;
  - if $m_4^S=H(K,R_s)$ then // access granted
    - $\mathbf{SID}(\prod_S^j)\leftarrow \langle \mathbf{SID}(\prod_S^j) \,|\, m\rangle$;
    - $\mathbf{ACC}(\prod_S^j)\leftarrow \mathbf{TERM}(\prod_S^j)\leftarrow true$;
  - else // access denied
    - $\mathbf{ACC}(\prod_S^j)\leftarrow false$; $\mathbf{TERM}(\prod_S^j)\leftarrow true$;
  - $return(null)$.

#### 3.2. Definitions of Security

#### Partnering:

- $\mathbf{SK}(\prod_C^i)=\mathbf{SK}(\prod_S^j)$, $\mathbf{SID}(\prod_C^i)=\mathbf{SID}(\prod_S^j)$, $\mathbf{PID}(\prod_C^i)=S$ and $\mathbf{PID}(\prod_S^j)=id$.
- $id\in $ CLIENT and S is the SERVER.
- No oracle besides and accepts with a session key $SK=\mathbf{SK}({\prod}_{C}^{i})=\mathbf{SK}({\prod}_{S}^{j})$.

#### Freshness:

- $\prod_U^i$ has accepted ($\mathbf{ACC}(\prod_U^i)=true$).
- No oracle has been asked for a **Corrupt** query before $\prod_U^i$ accepts.
- Neither $\prod_U^i$ nor its partner has been asked for a **Reveal** query.

#### Authenticated Key Exchange Security (AKE Security):

**Test** query to a fresh oracle $\prod_U^i$ and correctly guesses the bit $b$, which is selected by $\prod_U^i$ in the **Test** query. We denote the AKE advantage $\mathcal{A}$ has in attacking the PAKE protocol as $Adv_{PAKE}^{AKE}(\mathcal{A})$; the advantage is taken over all bit tosses. The PAKE protocol is AKE-secure if $Adv_{PAKE}^{AKE}(\mathcal{A})$ is negligible.

#### Mutual Authentication (MA):

#### Computational Diffie-Hellman (CDH) Assumption:

#### Adversary’s Resources:

- $t$: the running time of the adversary $\mathcal{A}$. By convention, this includes the amount of space it takes to describe the adversary.
- $q_{se}, q_{ex}, q_{re}, q_{co}, q_{h}$: these count the number of **Send**, **Execute**, **Reveal**, **Corrupt**, and **Hash** queries separately asked by the adversary $\mathcal{A}$, i.e., the number of $q_{se}$ in the PAKE protocol is $q_{se} = q_{se1}+q_{se2}+q_{se3}+q_{se4}$ ($q_{se1}, q_{se2}, q_{se3}$, and $q_{se4}$ are, respectively, the number of $\mathbf{Send}_1$, $\mathbf{Send}_2$, $\mathbf{Send}_3$, and $\mathbf{Send}_4$ queries asked by $\mathcal{A}$).

#### 3.3. Security Proofs of the Password Authenticated Key Exchange and Protected Password Change Protocols

**Theorem 1.**

**Send** queries $q_{se}$ and the number of **Hash** queries $q_{h}$. Then we have:

**Proof.**

#### 3.3.1. Password Guessing Attack

**Hash**$(m=(id,pw'))$ for guessing the password $pw'$, there exists a record $\{(id,pw'),r\}$ in the **Hash** table. Because $c\in [1,q-1]$ is chosen at random (implying that $R_c$ is a random number), the adversary $\mathcal{A}_1$ observes that the message $\langle id, R_c\oplus H(id,pw)\rangle$ is returned from the $\mathbf{Send}_1$ query, which is independent of $r$. On the other hand, $\mathcal{A}_1$ can get all the transcripts by asking an **Execute** query. However, the transcripts that the adversary gets are independent of the passwords. Therefore, the adversary gets no advantage for the off-line guessing attack. The probability $\lambda$ of the on-line password guessing attack is bounded by $q_{se}$ and $n$ as follows:

#### 3.3.2. Simulator/Computational Diffie-Hellman Attacker: $\mathcal{B}$

- When $\mathcal{A}_1$ makes a $\mathbf{Send}_1$ query, $\mathcal{B}$ increases the counter $cnt$ by 1. If $cnt\ne i$, $\mathcal{B}$ answers according to the PAKE protocol (return $\langle id, R_c\oplus H(id,pw)\rangle$). If $cnt=i$, $\mathcal{B}$ answers by using the element $g^{\widehat{c}} \bmod p$ from the challenge $\psi$ (return $\langle id, (g^{\widehat{c}} \bmod p)\oplus H(id,pw)\rangle$). When $\mathcal{A}_1$ makes a $\mathbf{Send}_2$ query, if the input is not equal to the message $\langle id, (g^{\widehat{c}} \bmod p)\oplus H(id,pw)\rangle$, $\mathcal{B}$ answers according to the PAKE protocol (return $\langle S, R_s, H(K,R_c)\rangle$). If the input is the flow corresponding to the challenge $\psi$, $\mathcal{B}$ answers by using the element $g^{\widehat{s}} \bmod p$ from the challenge $\psi$ (return $\langle S, g^{\widehat{s}} \bmod p, random\rangle$, where $random$ is a random element with length $k$). Here, it is difficult for $\mathcal{B}$ to simulate an indistinguishable answer without the ability to solve the challenge $\psi$.
- When $\mathcal{A}_1$ makes a **Reveal** query, $\mathcal{B}$ checks whether the oracle has accepted and is fresh. If so, $\mathcal{B}$ answers by using the session key $SK$. However, if the session key has to be constructed from the challenge $\psi$, $\mathcal{B}$ halts and outputs fail.
- When $\mathcal{A}_1$ makes a **Corrupt** or **Execute** query, $\mathcal{B}$ answers in a straightforward way.
- When $\mathcal{A}_1$ makes a **Hash**($m$) query, $\mathcal{B}$ checks whether $m$ is in the **Hash** table. If so, $\mathcal{B}$ returns the previous result. Otherwise, $\mathcal{B}$ returns a random number $r$ from $\{0,1\}^{k}$ and appends $(m,r)$ to the **Hash** table.
- When $\mathcal{A}_1$ makes a single **Test** query, $\mathcal{B}$ answers in a straightforward way. If the session key has to be constructed from the challenge $\psi$, $\mathcal{B}$ answers with a random string for the **Test** query on an oracle.

**Test** query is the probability of $cnt$ being equal to $i$ (the probability that $\mathcal{B}$ has to output $z$). We denote it by $\mathcal{A}_1$. Then we have:

**Test** query and wins), then at least one of the **Hash** queries must equal $SK$ stored in the **Hash** table. We denote $\beta$ as the probability that $\mathcal{B}$ correctly chooses among the possible **Hash** queries. Then we have:

**Hash** queries:

**Hash** queries with just the right session key by pure chance. The concrete security of the PAKE protocol is as follows:

**Theorem 2.**

**Send** queries $q_{se}$ and the number of **Hash** queries $q_{h}$. Then we have:

**Proof.**

**Hash** queries with just the right, mutually authenticated messages ($H(K,R_c)$ or $H(K,R_s)$) by pure chance. Because we have given **Hash** queries with just the right session key by pure chance in Theorem 1, it may just be one of the right authenticated messages. The advantage of $\mathcal{A}_2$ attacking MA-secure is $\mathcal{A}_1$ attacking AKE-secure added to $\mathcal{A}_2$ making **Hash** queries with just the right authenticated messages by pure chance (one includes $\mathcal{A}_1$ making **Hash** queries with just the right session key):

**Theorem 3.**

**Hash** queries. Then we have:

**Theorem 4.**

**Hash** queries. Then we have:

**Send** query and **Hash** query made by the adversary in the PPC protocol.

## 4. Comparisons

## 5. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

1. Anwar, N.; Riadi, I.; Luthfi, A. Forensic SIM card cloning using authentication algorithm. Int. J. Electron. Inf. Eng. **2016**, 4, 71–81.
2. Huang, H.-F.; Chang, H.-W. Enhancement of timestamp-based user authentication scheme with smart card. Int. J. Netw. Secur. **2014**, 16, 463–467.
3. Lee, C.-C.; Chiu, S.-T.; Li, C.-T. Improving Security of A Communication-efficient Three-party Password Authentication Key Exchange Protocol. Int. J. Netw. Secur. **2015**, 17, 1–6.
4. Zhu, H.; Zhang, Y.; Xia, Y.; Li, H. Password-Authenticated Key Exchange Scheme Using Chaotic Maps towards a New Architecture in Standard Model. Int. J. Netw. Secur. **2016**, 18, 326–334.
5. Zhu, H.; Zhang, Y. An Improved Two-party Password-Authenticated Key Agreement Protocol with Privacy Protection Based on Chaotic Maps. Int. J. Netw. Secur. **2017**, 19, 487–497.
6. Moon, J.; Lee, D.; Jung, J.; Won, D. Improvement of Efficient and Secure Smart Card Based Password Authentication Scheme. Int. J. Netw. Secur. **2017**, 19, 1053–1061.
7. Wu, M.; Chen, J.; Wang, R. An Enhanced Anonymous Password-based Authenticated Key Agreement Scheme with Formal Proof. Int. J. Netw. Secur. **2017**, 19, 785–793.
8. Ling, C.-H.; Lee, C.-C.; Yang, C.-C.; Hwang, M.-S. A Secure and Efficient One-time Password Authentication Scheme for WSN. Int. J. Netw. Secur. **2017**, 19, 177–181.
9. Lee, C.-C.; Hwang, M.-S.; Yang, W.-P. A flexible remote user authentication scheme using smart cards. ACM Oper. Syst. Rev. **2002**, 36, 46–52.
10. Li, L.-H.; Lin, I.-C.; Hwang, M.-S. A remote password authentication scheme for multi-server architecture using neural networks. IEEE Trans. Neural Netw. **2001**, 12, 1498–1504.
11. Pecori, R.; Veltri, L. 3AKEP: Triple-authenticated key exchange protocol for peer-to-peer VoIP applications. Comput. Commun. **2016**, 85, 28–40.
12. Hwang, M.-S. A new redundancy reducing cipher. Int. J. Inform. **2000**, 11, 435–440.
13. Tseng, Y.-M.; Jan, J.-Y.; Chien, H.-Y. On the security of methods for protecting password transmission. Int. J. Inform. **2001**, 12, 469–476.
14. Ghanem, W.R.; Shokir, M.; Dessoky, M. Defense Against Selfish PUEA in Cognitive Radio Networks Based on Hash Message Authentication Code. Int. J. Electron. Inf. Eng. **2016**, 4, 12–21.
15. Lin, C.-L.; Hwang, T. Authentication scheme with secure password updating. Comput. Secur. **2003**, 22, 68–72.
16. Yang, C.-C.; Chang, T.-Y.; Li, J.W.; Hwang, M.-S. Security enhancement for protecting password transmission. IEICE Trans. Commun. **2003**, E86-B, 2178–2181.
17. Yang, C.-C.; Yang, Y.-W.; Chang, T.-Y. Cryptanalysis of an authentication key exchange protocol. J. Appl. Sci. **2005**, 5, 281–283.
18. Chang, T.-Y.; Hwang, M.-S.; Yang, W.-P. A communication-efficient three-party password authenticated key exchange protocol. Inf. Sci. **2011**, 181, 217–226.
19. Yeh, H.-Y.; Sun, H.-M. Simple authenticated key agreement protocol resistant to password guessing attacks. ACM SIGOPS Oper. Syst. Rev. **2002**, 36, 14–22.
20. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated key exchange secure against dictionary attack. In Proceedings of the 19th International Conference on Theory and Application of Cryptographic Techniques—EUROCRYPT’00, Bruges, Belgium, 14–18 May 2000; pp. 122–138.
21. Zhang, G.; Fan, D.; Zhang, Y.; Li, X. A Provably Secure General Construction for Key Exchange Protocols Using Smart Card and Password. Chin. J. Electron. **2017**, 26, 271–278.
22. Ahmed, A.; Younes, A.; Abdellah, A.; Sadqi, Y. Strong Zero-knowledge Authentication Based on Virtual Passwords. Int. J. Netw. Secur. **2016**, 18, 601–616.
23. Liu, Y.; Chang, C.-C.; Chang, S.-C. An Efficient and Secure Smart Card Based Password Authentication Scheme. Int. J. Netw. Secur. **2017**, 19, 1–10.
24. Wei, J.; Liu, W.; Hu, X. Secure and Efficient Smart Card Based Remote User Password Authentication Scheme. Int. J. Netw. Secur. **2016**, 18, 782–792.
25. Bayat, M.; Aref, M. An attribute based key agreement protocol resilient to KCI attack. Int. J. Electron. Inf. Eng. **2015**, 2, 10–20.
26. Pan, H.-T.; Pan, C.-S.; Tsaur, S.-C.; Hwang, M.-S. Cryptanalysis of Efficient Dynamic ID Based Remote User Authentication Scheme in Multi-server Environment Using Smart Card. In Proceedings of the 12th International Conference on Computational Intelligence and Security, Wuxi, China, 16–19 December 2016; pp. 590–593.
27. Tsai, C.-Y.; Pan, C.-S.; Hwang, M.-S. An Improved Password Authentication Scheme for Smart Card. In Proceedings of the Advances in Intelligent Systems and Computing, Recent Developments in Intelligent Systems and Interactive Applications, Shanghai, China, 25–26 June 2016; Volume 541, pp. 194–199.
28. Liu, C.-W.; Tsai, C.-Y.; Hwang, M.-S. Cryptanalysis of an Efficient and Secure Smart Card Based Password Authentication Scheme. In Proceedings of the Advances in Intelligent Systems and Computing, Recent Developments in Intelligent Systems and Interactive Applications, Shanghai, China, 25–26 June 2016; Volume 541, pp. 188–193.

| Title | [21] | [22] | [23] | [9] | [24] | [16] | Our Scheme |
|---|---|---|---|---|---|---|---|
| Off-line guessing attack | No | Yes | No | No | No | Yes | No |
| Stolen-verifier attack | No | Yes | No | No | No | No | No |
| Replay attack | No | No | Yes | Yes | No | No | No |
| DOS attack | No | No | No | Yes | No | Yes | No |
| Key Compromise Impersonation Attack | No | No | No | No | No | No | No |
| Mutual Authentication | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Session key establishment | Yes | Yes | Yes | No | Yes | No | Yes |
| Forward Secrecy | No | No | No | - | Yes | - | Yes |
| Provable security | Yes | No | Yes | No | No | No | Yes |
| Known-password by Server | Yes | No | No | No | No | No | No |

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Chang, T.-Y.; Hwang, M.-S.; Yang, C.-C. Password Authenticated Key Exchange and Protected Password Change Protocols. *Symmetry* **2017**, *9*, 134.
https://doi.org/10.3390/sym9080134
