Off-line pas sword-guessing attack to Peyravian-Jeffries's remote user authentication protocol

Recently, Peyravian and Jeffries [M. Peyravian, C. Jeffries, Secure remote user access over insecure networks, Computer Communications 29 (2006) 660-667] have proposed two set of protocols to perform remote user authentication and password change in a secure manner. The first set of protocols is based on hash functions, where no symmetric or asymmetric encryption scheme is applied. As Peyravian and Jeffries claim, these protocols suffer from an off-line password-guessing attack. They propose a second set of protocols based on Diffie-Hellman key agreement scheme to overcome the mentioned weakness. However, we show in this paper that this second set of protocols suffers also from the off-line password-guessing attack when a server impersonation attack is performed. (c) 2006 Elsevier B.V. All rights reserved.