# Password Authenticated Key Exchange and Protected Password Change Protocols

^{1}

^{2}

^{3}

^{4}

^{*}

^{†}

Next Article in Journal

Next Article in Special Issue

Next Article in Special Issue

Previous Article in Journal

Previous Article in Special Issue

Previous Article in Special Issue

Graduate Institute of E-Learning, National Changhua University of Education, Changhua 500, Taiwan

Department of Computer Science and Information Engineering, Asia University, Taichung 413, Taiwan

Department of Medical Research, China Medical University Hospital, China Medical University, Taichung 404, Taiwan

Department of Management Information Systems, National Chung Hsing University, Taichung 402, Taiwan

Author to whom correspondence should be addressed.

These authors contributed equally to this work.

Received: 26 April 2017 / Revised: 3 June 2017 / Accepted: 5 June 2017 / Published: 28 July 2017

(This article belongs to the Special Issue Symmetry in Secure Cyber World)

In this paper, we propose new password authenticated key exchange (PAKE) and protected password change (PPC) protocols without any symmetric or public-key cryptosystems. The security of the proposed protocols is based on the computational Diffie-Hellman assumption in the random oracle model. The proposed scheme can resist both forgery server and denial of service attacks.

The rapid progress of networks facilitates more and more computers being connected together to exchange large amounts of information and share system resources. Various resources distributed among hosts are shared across the networks in the form of network services provided by servers. Before providing the services, the servers should have the ability to authenticate users’ identities. A simple method uses a large, random secret (128-bit or 256-bit) that is secretly shared between the user and the server. Using the common secret, the server can easily authenticate the user. However, because the user may not remember it, she/he may need a device such as a smart card to store it [1,2,3,4,5,6]. Another method is to employ an easy-to-remember password instead of the large, random secret. The password approach offers a simple and practical solution for user identification to allow people to remember their passwords without any devices [7,8]. However, passwords narrow down the possibilities and make it easier for attackers to mount guessing attacks [3]. Most of these types of schemes [9,10,11] require symmetric cryptosystems, and others require public-key cryptosystems [12] to protect passwords which are transferred over an unsecured network.

To repair these security flaws, Tseng et al. employed the Diffie-Hellman key exchange scheme [13] and the one-way hash function [14]. Lee et al. employed the one-way hash function, and Hwang et al. employed a server’s public cryptosystem to solve the security flaws present in the Peyravian-Zunic scheme. Unfortunately, in 2003, Lin and Hwang [15] and Yang et al. [16] simultaneously pointed out that the Hwang-Yeh improved password change schemes suffered from denial of service (DOS) attack and repaired the security flaws. On the other hand, Yang et al. [17] pointed out that Tseng et al.’s improved password change scheme also suffered from DOS attack. DOS attack leads to an adversary who can intercept the request for a password change sent by a legal user and modify it with a wrong password. The user is under the impression that she/he has changed her/his password successfully. However, she/he cannot log in to the server the next time. Compare with Yang et al.’s scheme [16], the Lin-Hwang scheme [15] additionally allows the client and the server in the password-authenticated protocol to establish a session key. In this respect, it is similar to the password authenticated key exchange (PAKE) schemes [17,18]. In the PAKE schemes, two parties via pre-shared password technology agree to a common session key. To protect sensitive data from eavesdropping and modification between two parties, the authenticated key can be used for protecting sensitive data and ensuring data integrity. Because of their different motives, the related-PAKE schemes [19] do not provide two parties to change their shared password.

On the other hand, the public-key cryptosystem exists in the Lin-Hwang scheme and Yang et al.’s scheme. In particular, to avoid an adversary from replacing the original public keys of the server with her/his own keys, certificates (e.g., digital signatures) should be introduced into their scheme. A certificate from a trusted authority is what servers with public keys will ask for before providing service. This means that users need a large storage space for storing certificates. More bandwidth is also needed to verify the signatures.

In this paper, we propose new PAKE and protected password change (PPC) protocols which are based on the computational Diffie-Hellman assumption and the one-way hash function. The proposed PAKE scheme has the following four basic security requirements:

- Mutual authentication: the user and the server can authenticate each other.
- Session key security: no-one except the user and the server can agree to the common session key with a non-negligible probability.
- Forward secrecy: when the password is compromised, it does not reveal the earlier session keys.
- Know-key security: when the session key is lost, it does not reveal other session keys. This limits the damage caused by a compromised session key to that compromised session only.
- Withstanding an off-line password guessing attack: an adversary cannot find an equation to verify whether his/her guess password is correct.

The proposed PPC scheme not only satisfies the above requirements but also allows clients to arbitrarily change their own passwords.

The security of the schemes in [13,16] is evaluated by heuristic security analysis. In heuristic security analysis, any successful attack requires a resource level (e.g., time and space) greater than the fixed resources of a perceived adversary. If the protocol survives the analysis, such an analysis is said to have heuristic security (ad hoc security). Obviously, many schemes were often shown to be insecure (unforeseen attacks may occur) after they were first put forward. In view of this defect, we employ Bellare, Poincheval and Rogaway’s model (called the BPR model) [20], which provides the formal model for provable security in the complex-theoretic framework of modern cryptography, to prove the security of our PAKE and PPC protocols.

To get rid of the security flaws, we shall propose the PAKE and PPC protocols. In the system, two large prime numbers p and q are published such that $q|p-1$. Let g be a generator with order q in the Galois field $\mathbb{GF}\left(p\right)$, which is based on the Diffie-Hellman scheme. In this system, a user has the identity $id$ and the corresponding password $pw$. The password $pw$ is secretly shared only by the user and the server. The server employs a one-way hash function $H(\xb7)$ to store $Hpw=H(id,pw)$ in a verification table. Here, we give the identity of the server as S because the client may be involved in distinct, concurrent executions of the PAKE and PPC protocols with other servers. The two protocols are described as follows.

Password Authenticated Key Exchange Protocol:

- Step 1.
- Client ⟹ Server: $\langle id,{R}_{c}\oplus H(id,pw)\rangle $The user gives his/her $id$ and $pw$ to the client. The client computes the hash value $H(id,pw)$. Then the client chooses a random number $c\in [1,q-1]$ and computes ${R}_{c}={g}^{c}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$. Then the client sends $id$ and ${R}_{c}\oplus H(id,pw)$ to the server.
- Step 2.
- Server ⟹ Client: $\langle S,H(K,{R}_{c})\rangle $After receiving $id$ and ${R}_{c}\oplus H(id,pw)$, the server retrieves $Hpw$ from the verification table and recovers ${R}_{c}$ by computing $({R}_{c}\oplus H(id,pw))\oplus Hpw$. Then the server computes $K={\left({R}_{c}\right)}^{s}={g}^{cs}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$, where $s\in [1,q-1]$ is the server privacy key and ${R}_{s}={g}^{s}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$ is the server public key. Then the server sends $H(K,{R}_{c})$ to the client.
- Step 3.
- Client ⟹ Server: $\langle id,H(K,{R}_{s})\rangle $After receiving S and $H(K,{R}_{c})$, the client computes $K={\left({R}_{s}\right)}^{c}={g}^{sc}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$. Then the client computes $H(K,{R}_{c})$ and compares it with the received $H(K,{R}_{c})$. If these two values are equivalent, the client computes $H(K,{R}_{s})$ and sends it together with $id$ to the server. This check is used for authenticating the server.
- Step 4.
- Server: Access granted or Access deniedAfter receiving $id$ and $H(K,{R}_{s})$, the server uses its own copies K and his public key ${R}_{s}$ to compute $H(K,{R}_{s})$ and compares it with the received $H(K,{R}_{s})$. If these two values are equivalent, the server grants the client’s login request. Otherwise, the server denies the client’s login request.

The performance of the proposed protocol is analyzed as follows. The client needs 3 hashing operations, 1 exclusion operation, and 2 exponentiation operations in Steps 1 and 3. The server needs 2 hashing operations, 1 exclusion operation, and 1 exponentiation operation in Steps 2 and 4.

Protected Password Change Protocol:

Assume that the client wants to change his password from an old password $pw$ to a new password $newpw$. The steps are as follows.

- Step 1*.
- Client ⟹ Server: $\langle id,{R}_{c}\oplus H(id,pw),{R}_{c}\oplus Hnewpw\rangle $The messages $id$ and ${R}_{c}\oplus H(id,pw)$ are the same as those in Step 1 in the PAKE protocol. The client additionally sends ${R}_{c}\oplus Hnewpw$ to the server.
- Step 2*.
- Server ⟹ Client: $\langle S,H(Hnewpw,K,{R}_{c})\rangle $After receiving $id$, ${R}_{c}\oplus H(id,pw)$, and ${R}_{c}\oplus H(id,newpw)$, the server retrieves $Hpw$ from the verification table to recover ${R}_{c}$ by computing $({R}_{c}\oplus H(id,pw))\oplus Hpw$. Then the server uses the recovered ${R}_{c}$ to further obtain $Hnewpw$ by computing $({R}_{c}\oplus Hnewpw)\oplus {R}_{c}$. Then the server computes $K={\left({R}_{c}\right)}^{s}={g}^{cs}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$, and $H(Hnewpw,K,{R}_{c})$. Then the server sends $H(Hnewpw,K,{R}_{c})$ to the client.
- Step 3*.
- Client ⟹ Server: $\langle id,H(K,{R}_{s})\rangle $After receiving S and $H(Hnewpw,K,{R}_{c})$, the client computes $K={\left({R}_{s}\right)}^{c}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$ and $H(H(id,newpw),K,{R}_{c})$. Then the client checks whether the received $H(Hnewpw,K,{R}_{c})$ is equal to $H(H(id,newpw),K,{R}_{c})$. If the two values are equivalent, the client sends $id$ and $H(K,{R}_{s})$ to the server.
- Step 4*.
- Server: Access granted or Access deniedAfter receiving $id$ and $H(K,{R}_{s})$, the server uses it own copies K and public key ${R}_{s}$ to compute $H(K,{R}_{s})$ and compares it with the received $H(K,{R}_{s})$ in Step 3*. If these two values are equivalent, the server stores the recovered $Hnewpw$ in Step 1* into a verification table. Otherwise, the server denies the client’s password change request.

From the above descriptions of the two protocols, the client and the server can agree to a common session key $SK=H\left(K\right)=H\left({g}^{cs}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p\right)$ after mutual authentication. On the other hand, the proposed PAKE protocol is similar to the Yeh-Sun scheme [19]. The difference is in the messages $\langle S,{R}_{s}\oplus H(K,{R}_{c})\rangle $ and $\langle {R}_{s},pw,H(K,{R}_{c})\rangle $ that are sent by the server in Step 1 in our scheme and in the Yeh-Sun scheme, respectively. The computational complexity can be reduced to an exclusive-or operation in our scheme. Their scheme assumes that only two parties agree to a common session key. The two parties directly store the password without using the hash function. In fact, several password-authenticated key exchanges can be used for authentication between the client and the server. However, they do not allow users to arbitrarily change their own passwords.

Since a server in a distributed computer system provides service to many users, it does not only authenticate a single user. To avoid the stolen-verifier attack, the server stores $Hpw$ instead of $pw$ in a verification table. The stolen-verifier attack occurs when an adversary steals the verification table from the server and uses it directly to masquerade as a legal user. The main purpose for using user authentication against the stolen-verifier attack is to reduce the immediate danger to the user authentication [15]. On the other hand, Yang et al.’s employs a message authentication code replace a one-way hash function to store password in a verification table [16]. The keying material of the message authentication code is kept secret by the server and store apart from the verification table. For the same reason, we can employ Yang et al.’s method to store the password in our scheme.

In this section, we use the BPR model [20] to formally prove the PAKE protocol in the random oracle model (ideal hash model). The model can be reduced to breaking the security of the protocol and treated as difficult as solving the underlying primitives. After analyzing the security of the PAKE protocol, we can easily extend its result to the PPC protocol. Hence, we only give a complete analysis of the PAKE protocol. In the following, we will treat users (holding passwords) as clients to simplify the protocol.

The model is principally used to formally: (1) define the characteristics of participating entities; (2) define an adversary’s capabilities; and (3) describe the protocol. The details are described as follows.

We fix a nonempty set of CLIENT and a specific SERVER in the PAKE protocol. Either a client or a server may have many instances, called oracles, involved in distinct, concurrent executions of the PAKE protocol. We denote an instance i of a client as ${\prod}_{C}^{i}$ and an instance j of a server as ${\prod}_{S}^{j}$.

The session identity is used to uniquely name the ensuing session. $\mathbf{SID}({\prod}_{U}^{i})$ is the concatenation of all flows with the oracle ${\prod}_{U}^{i}$. $\mathbf{PID}({\prod}_{U}^{i})={U}^{\prime}$, denoted as ${\prod}_{U}^{i}$, is communication with an instance of participant ${U}^{\prime}$. For example, for the oracles ${\prod}_{C}^{i}$ and ${\prod}_{S}^{j}$, their own $\mathbf{SID}({\prod}_{C}^{i})$ and $\mathbf{SID}({\prod}_{S}^{j})$ equals $\langle id,{R}_{c}\oplus H(id,pw)|S,{R}_{s},H(K,{R}_{c})|id,H(K,{R}_{s})\rangle $, $\mathbf{PID}({\prod}_{C}^{i})$ equals S, and $\mathbf{PID}({\prod}_{S}^{j})$ equals $id$ in the PAKE protocol. The $\mathbf{SID}$ and $\mathbf{PID}$ are public, and an adversary can just listen in on the wire and construct it.

There are two states, accept $\mathbf{ACC}({\prod}_{U}^{i})$ and terminate $\mathbf{TERM}({\prod}_{U}^{i})$, for an oracle ${\prod}_{U}^{i}$. When an oracle has enough information to compute the session key $SK$, the state of $\mathbf{ACC}({\prod}_{U}^{i})$ is set to true. An oracle can accept at any time and it accepts at most once. When an oracle sends or receives the last message of the protocol, receives an invalid message, or misses an expected message, the state of $\mathbf{TERM}({\prod}_{U}^{i})$ is set to true. As soon as an oracle terminates, it will not send out any message.

An adversary has an endless supply of oracles and makes various queries to them. Each query models a capability of the adversary. The more types of query, the more security requirements, such as forward secrecy, known-key security, etc., that the protocol can satisfy. In the following, there are six types of queries that adversary can make.

**Send**(${\prod}_{U}^{i},m$): This query models an adversary sending a message m to the oracle ${\prod}_{U}^{i}$, and the oracle responds to what the protocol say to and updates $\mathbf{SID}$, $\mathbf{PID}$, and its states. The adversary query of the form**Send**(${\prod}_{U}^{i},\u201cstart\u201d$) initiates an execution of the protocol.**Execute**(${\prod}_{C}^{i},{\prod}_{S}^{j}$): This query models an adversary obtaining an honest execution of the protocol between two oracles ${\prod}_{C}^{i}$ and ${\prod}_{S}^{j}$, and outputs a completed transcript corresponding to them.**Reveal**(${\prod}_{U}^{i}$): This query models an adversary obtaining a session key $SK$ with an unconditional return by ${\prod}_{U}^{i}$. The**Reveal**query will let us deal with known-key security. The**Reveal**query is only available to an adversary if the state $\mathbf{ACC}({\prod}_{U}^{i})$ of ${\prod}_{U}^{i}$ is true.**Corrupt**(${\prod}_{U}^{i}$): This query models an adversary obtaining a password $pw$ with unconditional return by ${\prod}_{U}^{i}$. The**Corrupt**query will let us deal with forward secrecy.**Hash**(m): In the ideal hash model, an adversary gets hash results by making queries to a random oracle. After receiving this query, the random oracle will check whether m has been queried. If so, it returns the result previously generated by the adversary. Otherwise, it generates a random number r, returns r to the adversary, and stores $(m,r)$ in the**Hash**table, which is a record set used to record all previous**Hash**queries.**Test**(${\prod}_{U}^{i}$): This query models the semantic security of the session key $SK$. During an execution of the protocol, the adversary can ask any of the above queries and ask a**Test**query once. Then ${\prod}_{U}^{i}$ flips a coin b and returns $SK$ if $b=1$, or a random string if $b=0$. The**Test**query is asked only once and is only available if is fresh (see Section 4). This query only measures adversarial success. It does not correspond to any actual adversarial ability.

In the following, we describe how to initialize the PAKE protocol and how instances behave when an adversary makes queries.

Initialize(${1}^{l},{1}^{k}$), where l and k are security parameters $(l\langle k)$.

- (1)
- Select two prime numbers p with length $\left|p\right|=k$ and q with length $\left|q\right|=l$. Let g be a generator with order q in the Galois Field $\mathbb{GF}(p)$, which is based on the Diffie-Hellman scheme.
- (2)
- Select a hash function $H(\xb7)$: ${\{0,1\}}^{*}\to {\{0,1\}}^{k}$.
- (3)
- Each client sets up an identity $id$ and a password $pw$ from a set D of the dictionary. Let n be the number of passwords in D. The server stores $Hpw=H(id,pw)$ in a verification table.
- (4)
- Each oracle ${\prod}_{U}^{i}$ is set to:$\mathbf{ACC}({\prod}_{U}^{i})\leftarrow \mathbf{TERM}({\prod}_{U}^{i})\leftarrow false$and$\mathbf{SK}({\prod}_{U}^{i})\leftarrow \mathbf{SID}({\prod}_{U}^{i})\leftarrow \mathbf{PID}({\prod}_{U}^{i})\leftarrow null$.

In the following, assume that a client ${\prod}_{C}^{i}$ and a server ${\prod}_{S}^{j}$ execute the protocol. The processes of the oracles are described as follows:

- (1)
- ${\mathbf{Send}}_{1}({\prod}_{C}^{i},\u201cstart\u201d)$;$c\stackrel{\mathrm{R}}{\leftarrow}[1,q-1]$;${R}_{c}\leftarrow {g}^{c}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$;$msg-ou{t}_{1}\leftarrow \langle id|{R}_{c}\oplus H(id,pw)\rangle $;$return(msg-ou{t}_{1})$.
- (2)
- ${\mathbf{Send}}_{2}({\prod}_{S}^{j},m)$, where $m\ne \u201cstart\u201d$;$({m}_{1}^{S},{m}_{2}^{S})\leftarrow m$;${R}_{c}\leftarrow {m}_{2}^{S}\oplus Hpw$;$s\stackrel{\mathrm{R}}{\leftarrow}[1,q-1]$;${R}_{s}\leftarrow {g}^{s}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$;$K\leftarrow {R}_{c}^{s}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$;$msg-ou{t}_{2}\leftarrow \langle S|{R}_{s}|H(K,{R}_{c})\rangle $;$\mathbf{SK}({\prod}_{S}^{j})\leftarrow H(K)$; $\mathbf{SID}({\prod}_{S}^{j})\leftarrow \langle m|msg-ou{t}_{2}\rangle $;$\mathbf{PID}({\prod}_{S}^{j})\leftarrow {m}_{1}^{S}$;$\mathbf{ACC}({\prod}_{S}^{j})\leftarrow true$;$\mathbf{TERM}({\prod}_{S}^{j})\leftarrow false$;$return(msg-ou{t}_{2})$.
- (3)
- ${\mathbf{Send}}_{3}({\prod}_{C}^{i},m)$, where $m\ne \u201cstart\u201d$;$({m}_{1}^{C},{m}_{2}^{C},{m}_{3}^{C})\leftarrow m$;${R}_{s}\leftarrow {m}_{2}^{C}$;$K\leftarrow {R}_{s}^{c}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$;if $m=H(K,{R}_{c})$ then$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}msg-ou{t}_{3}\leftarrow \langle id|H(K,{R}_{s})\rangle $;$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{SK}({\prod}_{C}^{i})\leftarrow H(K)$;$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{SID}({\prod}_{C}^{i})\leftarrow \langle msg-ou{t}_{1}\left|m\right|msg-ou{t}_{3}\rangle $;$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{PID}({\prod}_{C}^{i})\leftarrow {m}_{1}^{C}$;$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{ACC}({\prod}_{C}^{i})\leftarrow \mathbf{TERM}({\prod}_{C}^{i})\leftarrow true$;else$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{ACC}({\prod}_{C}^{i})\leftarrow false$; $\mathbf{TERM}({\prod}_{C}^{i})\leftarrow true$;$return(msg-ou{t}_{3})$.
- (4)
- ${\mathbf{Send}}_{4}({\prod}_{S}^{j},m)$, where $m\ne \u201cstart\u201d$;$({m}_{3}^{S},{m}_{4}^{S})\leftarrow m$;if ${m}_{4}^{S}=H(K,{R}_{s})$ then // access granted$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{SID}({\prod}_{S}^{j})\leftarrow \langle \mathbf{SID}({\prod}_{S}^{j})|m\rangle $;$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{ACC}({\prod}_{S}^{j})\leftarrow \mathbf{TERM}({\prod}_{S}^{j})\leftarrow true$;else // access denied$\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\phantom{\rule{3.33333pt}{0ex}}\mathbf{ACC}({\prod}_{S}^{j})\leftarrow false$; $\mathbf{TERM}({\prod}_{S}^{j})\leftarrow true$;$return(null)$.

This section defines what constitutes breaking the PAKE and what the formal notions of security of the underlying primitives are.

If two oracles ${\prod}_{C}^{i}$ and ${\prod}_{S}^{j}$ accept and separately hold ($\mathbf{SK}({\prod}_{C}^{i})$, $\mathbf{SID}({\prod}_{C}^{i})$, $\mathbf{PID}({\prod}_{C}^{i})$), and ($\mathbf{SK}({\prod}_{S}^{j})$, $\mathbf{SID}({\prod}_{S}^{j})$, $\mathbf{PID}({\prod}_{S}^{j})$), and the following conditions hold, we say the two oracles are partnered.

- $\mathbf{SK}({\prod}_{C}^{i})=\mathbf{SK}({\prod}_{S}^{j})$,$\mathbf{SID}({\prod}_{C}^{i})=\mathbf{SID}({\prod}_{S}^{j})$,$\mathbf{PID}({\prod}_{C}^{i})=S$ and $\mathbf{PID}({\prod}_{S}^{j})=id$.
- $id\in $ CLIENT and S is the SERVER.
- No oracle besides and accepts with a session key $SK=\mathbf{SK}({\prod}_{C}^{i})=\mathbf{SK}({\prod}_{S}^{j})$.

These definitions are to ensure that two oracles have directly exchanged messages ($\mathbf{SID}({\prod}_{C}^{i})\phantom{\rule{3.33333pt}{0ex}}=\phantom{\rule{3.33333pt}{0ex}}\mathbf{SID}({\prod}_{S}^{j})$), established the common session key ($\mathbf{SK}({\prod}_{C}^{i})=\mathbf{SK}({\prod}_{S}^{j})$), and have no other partners besides each other ($\mathbf{PID}({\prod}_{C}^{i})=S$ and $\mathbf{PID}({\prod}_{S}^{j})=id$).

An oracle ${\prod}_{U}^{i}$ is identified as fresh if the following conditions hold.

- ${\prod}_{U}^{i}$ has accepted ($\mathbf{ACC}({\prod}_{U}^{i})=true$).
- No oracle has been asked for a
**Corrupt**query before ${\prod}_{U}^{i}$ accepts. - Neither ${\prod}_{U}^{i}$ nor its partner has been asked for a
**Reveal**query.

Assume that two oracles ${\prod}_{C}^{i}$ and ${\prod}_{S}^{j}$ are partnered and establish a session key. The session key is fresh if and only if both oracles are fresh.

In an execution of the PAKE protocol, we say an adversary $\mathcal{A}$ wins (a game of breaking the AKE security) if $\mathcal{A}$ asks a single **Test** query to a fresh oracle ${\prod}_{U}^{i}$ and correctly guesses the bit b, which is selected by ${\prod}_{U}^{i}$ in the **Test** query. We denote the AKE advantage $\mathcal{A}$ has in attacking the PAKE protocol as $Ad{v}_{PAKE}^{AKE}(\mathcal{A})$; the advantage is taken over all bit tosses. The PAKE protocol is AKE-secure if $Ad{v}_{PAKE}^{AKE}(\mathcal{A})$ is negligible.

In an execution of the PAKE protocol, we say an adversary $\mathcal{A}$ violates the mutual authentication between the client and the server if some server or client accepts but has no partner oracle. We denote the AKE advantage $\mathcal{A}$ has in attacking the PAKE protocol as $Ad{v}_{PAKE}^{MA}(\mathcal{A})$. The PAKE protocol is MA-secure if $Ad{v}_{PAKE}^{MA}(\mathcal{A})$ is negligible.

Let p and q be large prime numbers such that $q|p-1$. Let g be a generator with order q in the $\mathbb{GF}(p)$. And let $\widehat{c}\in [1,q-1]$ and $\widehat{s}\in [1,q-1]$ be two random numbers. Assume that $\mathcal{B}$ is a CDH attacker whose probability of giving a challenge $\psi =({g}^{\widehat{c}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p,{g}^{\widehat{s}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p)$ to output $z={g}^{\widehat{c}\xb7\widehat{s}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$ is $\epsilon $. We denote this success probability as $Suc{c}_{\phi \to z}^{CDH}(\mathcal{B})$. The CDH problem is intractable if $Suc{c}_{\phi \to z}^{CDH}(\mathcal{B})$ is negligible.

The security is formulated as a function of the amount of resources an adversary $\mathcal{A}$ expends. The resources are:

- t: the adversary $\mathcal{A}$ running time. By convention, this includes the amount of space it takes to describe the adversary.
- ${q}_{se},{q}_{ex},{q}_{re},{q}_{co},{q}_{h}$: these count the number of
**Send**,**Execute**,**Reveal**,**Corrupt**, and**Hash**queries separately asked by the adversary $\mathcal{A}$, i.e., the number of ${q}_{se}$ in the PAKE protocol is ${q}_{se}\phantom{\rule{3.33333pt}{0ex}}=\phantom{\rule{3.33333pt}{0ex}}{q}_{se1}+{q}_{se2}+{q}_{se3}+{q}_{se4}$ (${q}_{se1},{q}_{se2},{q}_{se3}$, and ${q}_{se4}$ are, respectively, the number of ${\mathbf{Send}}_{1}$, ${\mathbf{Send}}_{2}$, ${\mathbf{Send}}_{3}$, and ${\mathbf{Send}}_{4}$ queries asked by $\mathcal{A}$).

Let ${\mathcal{A}}_{1}$ be an adversary attacking the AKE-security of the PAKE protocol within a time period t after the number of **Send** queries ${q}_{se}$ and the number of **Hash** queries ${q}_{h}$. Then we have:
where ${t}^{\prime}$ is the running time of a CDH attacker $\mathcal{B}$.

$$\begin{array}{c}\hfill Ad{v}_{PAKE}^{AKE}(t,{q}_{se},{q}_{h})\le \frac{{q}_{se}}{n}+{q}_{h}\times {q}_{se}\times Suc{c}_{\psi \to z}^{CDH}({t}^{\prime})+\frac{{q}_{h}}{{2}^{k}},\end{array}$$

We divide the process of proof in Theorem 1 into two parts as follows. (1) Password guessing attack: show that the transcripts that the adversary gets are independent of the password in the theoretical information sense; (2) Session key security: Let $\mathcal{B}$ play two roles with adversary ${\mathcal{A}}_{1}$ and the CDH problem. With adversary ${\mathcal{A}}_{1}$, $\mathcal{B}$ plays the role of a simulator, who provides indistinguishability to adversary ${\mathcal{A}}_{1}$ (${\mathcal{A}}_{1}$ has no ability to distinguish the real protocol and $\mathcal{B}$’s simulated protocol). With the CDH problem, $\mathcal{B}$ plays the role of an attacker to solve the challenge of the CDH problem. When ${\mathcal{A}}_{1}$ distinguishes the real protocol and $\mathcal{B}$’s simulated protocol that $\mathcal{B}$ is faced with the CDH problem.

Based on the random oracle model, for any query from **Hash**$(m=(id,p{w}^{\prime}))$ for guessing the password $p{w}^{\prime}$, there exists a record $\{(id,p{w}^{\prime}),r\}$ in the **Hash** table. Because $c\in [1,q-1]$ is chosen at random (implying that ${R}_{c}$ is a random number), the adversary ${\mathcal{A}}_{1}$ observes that the message $\langle id,{R}_{c}\oplus H(id,pw)\rangle $ is returned from the ${\mathbf{Send}}_{1}$ query, which is independent of r. On the other hand, ${\mathcal{A}}_{1}$ can get all the transcripts by asking an **Execute** query. However, the transcripts that the adversary gets are independent of the passwords. Therefore, the adversary gets no advantage for the off-line guessing attack. The probability $\lambda $ of the on-line password guessing attack is bounded by ${q}_{se}$ and n as follows:

$$\begin{array}{c}\hfill \lambda \le \frac{{q}_{se}}{n}.\end{array}$$

The on-line guessing attack can be prevented by letting the server take the appropriate intervals between trials.

To analyze the session key security, we assume that $\mathcal{B}$ has knowledge of the content of the verification table. Assume that ${\mathcal{A}}_{1}$ can get an advantage $\epsilon $ in breaking the AKE security of the PAKE protocol within time t, and $\mathcal{B}$ is given a challenge $\psi =({g}^{\widehat{c}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p,{g}^{\widehat{s}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p)$ to output $z={g}^{\widehat{c}\xb7\widehat{s}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$ with probability within time ${t}^{\prime}$. Initializing the PAKE protocol, $\mathcal{B}$ chooses a random number i from $[1,{q}_{se1}]$ and sets a counter $cnt$ to zero. After that, $\mathcal{B}$ starts running ${\mathcal{A}}_{1}$ and answers the queries made by ${\mathcal{A}}_{1}$ as explained below.

- When ${\mathcal{A}}_{1}$ makes a ${\mathbf{Send}}_{1}$ query, $\mathcal{B}$ increases the counter $cnt$ by 1. If $cnt\ne i$, $\mathcal{B}$ answers according to the PAKE protocol (return $\langle id,{R}_{c}\oplus H(id,pw)\rangle $). If $cnt=i$, $\mathcal{B}$ answers by using the element ${g}^{\widehat{c}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$ from the challenge $\psi $ (return $\langle id,({g}^{\widehat{c}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p)\oplus H(id,pw)\rangle $). When ${\mathcal{A}}_{1}$ makes a ${\mathbf{Send}}_{2}$ query, if the input is not equal to the message $\langle id,({g}^{\widehat{c}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p)\oplus H(id,pw)\rangle $, $\mathcal{B}$ answers according to the PAKE protocol (return $\langle S,{R}_{s},H(K,{R}_{c})\rangle $). If the input is the flow corresponding to the challenge $\psi $, $\mathcal{B}$ answers by using the element ${g}^{\widehat{s}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p$ from the challenge $\psi $ (return $\langle S,{g}^{\widehat{s}}\phantom{\rule{0.277778em}{0ex}}\mathrm{mod}\phantom{\rule{0.277778em}{0ex}}p,random\rangle $, where $random$ is a random element with length k). Here, it is difficult for $\mathcal{B}$ to simulate an indistinguishable answer without the ability to solve the challenge $\psi $.
- When ${\mathcal{A}}_{1}$ makes a
**Reveal**query, $\mathcal{B}$ checks whether the oracle has accepted and is fresh. If so, $\mathcal{B}$ answers by using the session key $SK$. However, if the session key has to be constructed from the challenge $\psi $, $\mathcal{B}$ halts and output fail. - When ${\mathcal{A}}_{1}$ makes a
**Corrupt**or**Execute**query, $\mathcal{B}$ answers in a straightforward way. - When ${\mathcal{A}}_{1}$ makes a
**Hash**(m) query, $\mathcal{B}$ checks whether m is in the**Hash**table. If so, $\mathcal{B}$ returns the previous result. Otherwise, $\mathcal{B}$ returns a random number r from ${\{0,1\}}^{k}$ and appends $(m,r)$ to the**Hash**table. - When ${\mathcal{A}}_{1}$ makes a single
**Test**query, $\mathcal{B}$ answers in a straightforward way. If the session key has to be constructed from the challenge $\psi $, $\mathcal{B}$ answers with a random string for the**Test**query on an oracle.

Obviously, ${\mathcal{A}}_{1}$ cannot distinguish the real protocol and $\mathcal{B}$’s simulated protocol unless the challenge $\psi $ is involved. The probability of $\mathcal{B}$ correctly guessing which session key ${\mathcal{A}}_{1}$ will use for the **Test** query is the probability of $cnt$ being equal to i (the probability that $\mathcal{B}$ has to output z). We denote it by ${\mathcal{A}}_{1}$. Then we have:

$$\begin{array}{c}\hfill \alpha =\frac{1}{{q}_{se1}}\ge \frac{1}{{q}_{se}}.\end{array}$$

If it is assumed that ${\mathcal{A}}_{1}$ has broken the AKE security of the PAKE protocol (${\mathcal{A}}_{1}$ outputs a bit ${b}^{\prime}$ after the **Test** query and wins), then at least one of the **Hash** queries must equal $SK$ stored in the **Hash** table. We denote $\beta $ as the probability that $\mathcal{B}$ correctly chooses among the possible **Hash** queries. Then we have:

$$\begin{array}{c}\hfill \beta \ge \frac{1}{{q}_{h}}.\end{array}$$

From the above, the probability of $\mathcal{B}$ outputting z from the challenge $\psi $ is the probability $\epsilon $ that ${\mathcal{A}}_{1}$ breaking the AKE security of the PAKE protocol multiplied by the probability $\alpha $ that $\mathcal{B}$ outputting z multiplied by the probability $\beta $ that $\mathcal{B}$ correctly choosing among the possible **Hash** queries:

$$\begin{array}{c}\hfill Suc{c}_{\psi \to z}^{CDH}(\mathcal{B})=\epsilon \times \alpha \times \beta \ge \epsilon \times \frac{1}{{q}_{se}}\times \frac{1}{{q}_{h}}.\end{array}$$

We can rewrite the above equation as:

$$\begin{array}{c}\hfill \epsilon \le Suc{c}_{\psi \to z}^{CDH}(\mathcal{B})\times {q}_{se}\times {q}_{h}.\end{array}$$

From the above analysis, the advantage of ${\mathcal{A}}_{1}$ in attacking the PAKE protocol is the probability $\lambda $ that the on-line password guessing attack added to the probability $\epsilon $ of breaking the AKE security of the PAKE protocol added to ${\mathcal{A}}_{1}$ making **Hash** queries with just the right session key by pure chance. The concrete security of the PAKE protocol is as follows:
☐

$$\begin{array}{c}\hfill Ad{v}_{PAKE}^{AKE}({\mathcal{A}}_{1})=\lambda +\epsilon +pure\phantom{\rule{3.33333pt}{0ex}}chance\le \frac{{q}_{se}}{n}+{q}_{h}\times {q}_{se}\times Suc{c}_{\psi \to z}^{CDH}(\mathcal{B})+\frac{{q}_{h}}{{2}^{k}}.\end{array}$$

Let ${\mathcal{A}}_{2}$ be an adversary attacking the MA-security of the PAKE protocol within a time period t after the number of **Send** queries ${q}_{se}$ and the number of **Hash** queries ${q}_{h}$. Then we have:
where ${t}^{\prime}$ is the running time of the adversary ${\mathcal{A}}_{1}$ attacking the AKE security of the PAKE protocol.

$$\begin{array}{c}\hfill Ad{v}_{PAKE}^{MA}(t,{q}_{se},{q}_{h})\le Ad{v}_{PAKE}^{AKE}({t}^{\prime},{q}_{se},{q}_{h})+\frac{{q}_{h}}{{2}^{k}},\end{array}$$

The probability is ${\mathcal{A}}_{1}$ breaking the AKE-security added to ${\mathcal{A}}_{2}$ making **Hash** queries with just the right, mutually authenticated messages ($H(K,{R}_{c})$ or $H(K,{R}_{s})$) by pure chance. Because we have given **Hash** queries with just the right session key by pure chance in Theorem 1, it may just be one of the right authenticated messages. The advantage of ${\mathcal{A}}_{2}$ attacking MA-secure is ${\mathcal{A}}_{1}$ attacking AKE-secure added to ${\mathcal{A}}_{2}$ making **Hash** queries with just the right authenticated messages by pure chance (one includes ${\mathcal{A}}_{1}$ making **Hash** queries with just the right session key):
☐

$$\begin{array}{c}\hfill Ad{v}_{PAKE}^{MA}({\mathcal{A}}_{2})\le Ad{v}_{PAKE}^{AKE}({\mathcal{A}}_{1})+\frac{{q}_{h}}{{2}^{k}}=\frac{{q}_{se}}{n}+{q}_{h}\times {q}_{se}\times Suc{c}_{\psi \to z}^{CDH}(\mathcal{B})+\frac{{q}_{h}}{{2}^{k-1}}.\end{array}$$

From Theorems 1 and 2, we can easily extend its result to the PPC protocol. The AKE-security and MA-security are shown in Theorems 3 and 4, respectively.

Let ${\mathcal{A}}_{1}$ be an adversary attacking the AKE-security of the PPC protocol within a time period t after ${q}_{se}$ interactions with the parties and ${q}_{h}^{*}$ **Hash** queries. Then we have:
where ${t}^{\prime}$ is the running time of a CDH attacker $\mathcal{B}$.

$$\begin{array}{c}\hfill Ad{v}_{PPC}^{AKE}(t,{q}_{se}^{*},{q}_{h}^{*})\le \frac{{q}_{se}^{*}}{n}+{q}_{h}^{*}\times {q}_{se}^{*}\times Suc{c}_{\psi \to z}^{CDH}({t}^{\prime})+\frac{{q}_{h}^{*}}{{2}^{k}},\end{array}$$

Let ${\mathcal{A}}_{2}$ be an adversary attacking the AKE-security of the PPC protocol within a time period t after ${q}_{se}^{*}$ interactions with the parties and ${q}_{h}^{*}$ **Hash** queries. Then we have:
where ${t}^{\prime}$ is the running time of the adversary ${\mathcal{A}}_{1}$ attacking the AKE security of the PPC protocol.

$$\begin{array}{c}\hfill Ad{v}_{PAKE}^{MA}(t,{q}_{se}^{*},{q}_{h}^{*})\le Ad{v}_{PAKE}^{AKE}({t}^{\prime},{q}_{se}^{*},{q}_{h}^{*})+\frac{{q}_{h}^{*}}{{2}^{k}},\end{array}$$

${q}_{se}^{*}$ and ${q}_{h}^{*}$ are separately the number of **Send** query and **Hash** query made by the adversary in the PPC protocol.

In this section, we compare our scheme with Zhang et al.’s scheme [21], Ahmed et al.’s scheme [22], Liu et al.’s scheme [23], Lee et al.’s scheme [9], Wei et al.’s scheme [24], and Yang et al.’s scheme [16], which provide a password authentication protocol and a PPC protocol. In the Key Compromise Impersonation attack [25], an attacker who is in possession of a client’s password installed at a victim, can impersonate any server. In the proposed scheme, even if the attacker knows the client’s password, he/she is unable to compute the $H(K,{R}_{c})$ in Step 2 of the proposed PAKE Protocol because the attacker does not know the server’s privacy key. In 2016, Ahmed et al. proposed a dynamic ID-based user authentication scheme for multi-server environment [22]. Their scheme is vulnerable to off-line identity guessing and off-line password guessing with smart card stolen attacks [26]. In 2016, Wei et al. proposed a smart card-based user authentication scheme [24]. Their scheme is vulnerable to password guessing attack and denial of service attack [27]. In 2017, Liu et al. proposed a user password authentication scheme with a smart card [23]. Their scheme is simple and efficient. However, their scheme is vulnerable to the replaying attack [28].

From Table 1, it is obvious that only the security of our scheme is proven in the standard model.

In this paper, we have proposed a new scheme to resist the security flaws of the forgery server attack and denial of service attack. The proposed scheme can successfully solve these security flaws with less computation and, in addition, establish the session key. The provable security is given a thorough analysis in our scheme. In terms of security analysis, it is more convincing than heuristic security. Although the proposed scheme used less calculation, it still needed the exponential operation. In the future, researchers should develop a secure scheme without the use of exponential operation, so that it can be applied to the Internet of Things devices.

This study was supported by the National Science Council of Taiwan under grant MOST 104-2221-E-468-004 and MOST 105-2410-H-468-009.

Ting-Yi Chang, Min-Shiang Hwang, and Chou-Chen Yang conceived and designed the experiments; Ting-Yi Chang performed the experiments; Min-Shiang Hwang and Chou-Chen Yang analyzed the data; Min-Shiang Hwang and Chou-Chen Yang contributed analysis tools; Ting-Yi Chang wrote the paper.

The authors declare no conflict of interest.

- Anwar, N.; Riadi, I.; Luthfi, A. Forensic SIM card cloning using authentication algorithm. Int. J. Electron. Inf. Eng.
**2016**, 4, 71–81. [Google Scholar] - Huang, H.-F.; Chang, H.-W. Enhancement of timestamp-based user authentication scheme with smart card. Int. J. Netw. Secur.
**2014**, 16, 463–467. [Google Scholar] - Lee, C.-C.; Chiu, S.-T.; Li, C.-T. Improving Security of A Communication-efficient Three-party Password Authentication Key Exchange Protocol. Int. J. Netw. Secur.
**2015**, 17, 1–6. [Google Scholar] - Zhu, H.; Zhang, Y.; Xia, Y.; Li, H. Password-Authenticated Key Exchange Scheme Using Chaotic Maps towards a New Architecture in Standard Model. Int. J. Netw. Secur.
**2016**, 18, 326–334. [Google Scholar] - Zhu, H.; Zhang, Y. An Improved Two-party Password-Authenticated Key Agreement Protocol with Privacy Protection Based on Chaotic Maps. Int. J. Netw. Secur.
**2017**, 19, 487–497. [Google Scholar] - Moon, J.; Lee, D.; Jung, J.; Won, D. Improvement of Efficient and Secure Smart Card Based Password Authentication Scheme. Int. J. Netw. Secur.
**2017**, 19, 1053–1061. [Google Scholar] - Wu, M.; Chen, J.; Wang, R. An Enhanced Anonymous Password-based Authenticated Key Agreement Scheme with Formal Proof. Int. J. Netw. Secur.
**2017**, 19, 785–793. [Google Scholar] - Ling, C.-H.; Lee, C.-C.; Yang, C.-C.; Hwang, M.-S. A Secure and Efficient One-time Password Authentication Scheme for WSN. Int. J. Netw. Secur.
**2017**, 19, 177–181. [Google Scholar] - Lee, C.-C.; Hwang, M.-S.; Yang, W.-P. A flexible remote user authentication scheme using smart cards. ACM Oper. Syst. Rev.
**2002**, 36, 46–52. [Google Scholar] [CrossRef] - Li, L.-H.; Lin, I.-C.; Hwang, M.-S. A remote password authentication scheme for multi-server architecture using neural networks. IEEE Trans. Neural Netw.
**2001**, 12, 1498–1504. [Google Scholar] [PubMed] - Pecori, R.; Veltri, L. 3AKEP: Triple-authenticated key exchange protocol for peer-to-peer VoIP applications. Comput. Commun.
**2016**, 85, 28–40. [Google Scholar] [CrossRef] - Hwang, M.-S. A new redundancy reducing cipher. Int. J. Inform.
**2000**, 11, 435–440. [Google Scholar] - Tseng, Y.-M.; Jan, J.-Y.; Chien, H.-Y. On the security of methods for protecting password transmission. Int. J. Inform.
**2001**, 12, 469–476. [Google Scholar] - Ghanem, W.R.; Shokir, M.; Dessoky, M. Defense Against Selfish PUEA in Cognitive Radio Networks Based on Hash Message Authentication Code. Int. J. Electron. Inf. Eng.
**2016**, 4, 12–21. [Google Scholar] - Lin, C.-L.; Hwang, T. Authentication scheme with secure password updating. Comput. Secur.
**2003**, 22, 68–72. [Google Scholar] [CrossRef] - Yang, C.-C.; Chang, T.-Y.; Li, J.W.; Hwang, M.-S. Security enhancement for protecting password transmission. IEICE Trans. Commun.
**2003**, E86-B, 2178–2181. [Google Scholar] - Yang, C.-C.; Yang, Y.-W.; Chang, T.-Y. Cryptanalysis of an authentication key exchange protocol. J. Appl. Sci.
**2005**, 5, 281–283. [Google Scholar] - Chang, T.-Y.; Hwang, M.-S.; Yang, W.-P. A communication-efficient three-party password authenticated key exchange protocol. Inf. Sci.
**2011**, 181, 217–226. [Google Scholar] [CrossRef] - Yeh, H.-Y.; Sun, H.-M. Simple authenticated key agreement protocol resisant to password guessing attacks. ACM SIGOPS Oper. Syst. Rev.
**2002**, 36, 14–22. [Google Scholar] [CrossRef] - Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated key exchange secure against dictionary attack. In Proceedings of the 19th International Conference on Theory and Application of Cryptographic Techniques—EUROCRYPT’00, Bruges, Belgium, 14–18 May 2000; pp. 122–138. [Google Scholar]
- Zhang, G.; Fan, D.; Zhang, Y.; Li, X. A Provably Secure General Construction for Key Exchange Protocols Using Smart Card and Password. Chin. J. Electron.
**2017**, 26, 271–278. [Google Scholar] [CrossRef] - Ahmed, A.; Younes, A.; Abdellah, A.; Sadqi, Y. Strong Zero-knowledge Authentication Based on Virtual Passwords. Int. J. Netw. Secur.
**2016**, 18, 601–616. [Google Scholar] - Liu, Y.; Chang, C.-C.; Chang, S.-C. An Efficient and Secure Smart Card Based Password Authentication Scheme. Int. J. Netw. Secur.
**2017**, 19, 1–10. [Google Scholar] [CrossRef] - Wei, J.; Liu, W.; Hu, X. Secure and Efficient Smart Card Based Remote User Password Authentication Scheme. Int. J. Netw. Secur.
**2016**, 18, 782–792. [Google Scholar] - Bayat, M.; Aref, M. An attribute based key agreement protocol resilient to KCI attack. Int. J. Electron. Inf. Eng.
**2015**, 2, 10–20. [Google Scholar] - Pan, H.-T.; Pan, C.-S.; Tsaur, S.-C.; Hwang, M.-S. Cryptanalysis of Efficient Dynamic ID Based Remote User Authentication Scheme in Multi-server Environment Using Smart Card. In Proceedings of the 12th International Conference on Computational Intelligence and Security, Wuxi, China, 16–19 December 2016; pp. 590–593. [Google Scholar]
- Tsai, C.-Y.; Pan, C.-S.; Hwang, M.-S. An Improved Password Authentication Scheme for Smart Card. In Proceedings of the Advances in Intelligent Systems and Computing, Recent Developments in Intelligent Systems and Interactive Applications, Shanghai, China, 25–26 June 2016; Volume 541, pp. 194–199. [Google Scholar]
- Liu, C.-W.; Tsai, C.-Y.; Hwang, M.-S. Cryptanalysis of an Efficient and Secure Smart Card Based Password Authentication Scheme. In Proceedings of the Advances in Intelligent Systems and Computing, Recent Developments in Intelligent Systems and Interactive Applications, Shanghai, China, 25–26 June 2016; Volume 541, pp. 188–193. [Google Scholar]

Title | [21] | [22] | [23] | [9] | [24] | [16] | Our Scheme |
---|---|---|---|---|---|---|---|

Off-line guessing attack | No | Yes | No | No | No | Yes | No |

Stolen-verifier attack | No | Yes | No | No | No | No | No |

Replay attack | No | No | Yes | Yes | No | No | No |

DOS attack | No | No | No | Yes | No | Yes | No |

Key Compromise Impersonation Attack | No | No | No | No | No | No | No |

Mutual Authentication | Yes | Yes | Yes | No | Yes | Yes | Yes |

Session key establishment | Yes | Yes | Yes | No | Yes | No | Yes |

Forward Secrecy | No | No | No | - | Yes | - | Yes |

Provable security | Yes | No | Yes | No | No | No | Yes |

Known-password by Server | Yes | No | No | No | No | No | No |

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).