A provably secure and efficient two-party password-based explicit authenticated key exchange protocol resistance to password guessing attacks

Password-based two-party authenticated key exchange (2PAKE) protocol enables two or more entities, who only share a low-entropy password between them, to authenticate each other and establish a high-entropy secret session key. Recently, Zheng et al. proposed a password-based 2PAKE protocol based on bilinear pairings and claimed that their protocol is secure against the known security attacks. However, in this paper, we indicate that the protocol of Zheng et al. is insecure against the off-line password guessing attack, which is a serious threat to such protocols. Consequently, we show that an attacker who obtained the users' password by applying the off-line password guessing attack can easily obtain the secret session key. In addition, the protocol of Zheng et al. does not provide the forward secrecy of the session key. As a remedy, we also improve the protocol of Zheng et al. and prove the security of our enhanced protocol in the random oracle model. The simulation result shows that the execution time of our 2PAKE protocol is less compared with other existing protocols. Copyright (c) 2015 John Wiley & Sons, Ltd.