Outsider Key Compromise Impersonation Attack on a Multi-factor Authenticated Key Exchange Protocol

Authenticated key exchange (AKE) protocol is a security mechanism that ensures two parties communicate securely on a public channel and keeps the legal client interacting with the honest server. Recently, Zhang et al. proposed a multi-factor authenticated key exchange (MFAKE) scheme for mobile communications. In this paper, we present the cryptoanalysis of their MFAKE scheme. We find out their MFAKE scheme has a security flaw that renders it insecure against manin-the-middle (MITM) attacks and outsider key compromise impersonation (KCI) attacks. We present a simple case of MITM attacks and illustrate how an adversary impersonates the client to the server if just compromising the key of the server. And an improved MFAKE scheme is proposed to overcome the weakness of Zhang's MFAKE scheme with minimum changes. We give the formal security proof of the improved MFAKE scheme in the random oracle model.