An novel three-party authenticated key exchange protocol using one-time key


Journal of Network and Computer Applications 36 (2013) 498–503

Journal homepage: www.elsevier.com/locate/jnca

Chao Lv (a), Maode Ma (b,*), Hui Li (a), Jianfeng Ma (a), Yaoyu Zhang (a)

(a) Key Laboratory of Computer Networks and Information Security, Xidian University, China
(b) School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore

Article info

Article history: Received 18 March 2011; received in revised form 13 February 2012; accepted 13 April 2012; available online 26 April 2012.

Keywords: Key exchange; Three-party; Protocol; Formal verification; AVISPA

Abstract

A three-party authenticated key exchange protocol (3PAKE) is an important cryptographic technique for secure communication: it allows two parties to agree on a new session key with the help of a trusted server. In this paper we propose a new three-party authenticated key exchange protocol which aims to achieve more efficiency at the same security level as other existing 3PAKE protocols. Security analysis and formal verification using the AVISPA tools show that the proposed protocol is secure against various known attacks. Compared with other typical 3PAKE protocols, the proposed protocol is more efficient, with less computation complexity. © 2012 Elsevier Ltd. All rights reserved.

1. Introduction

Authenticated key exchange is important and widely applied in communication networks. In such a scheme each communication party shares a long-term secret (here a password) with a trusted server. When two parties want to exchange information confidentially, with authentication, over an insecure network, they must first agree on a fresh session key with the help of that server. This kind of key exchange is called three-party authenticated key exchange (3PAKE). 3PAKE protocols serve many applications that need mutual authentication and secure communication, e.g. a trusted server assisting transactions between buyer and seller in e-commerce, or a home location register helping a caller's dial with the visited location register in telecommunication. A 3PAKE protocol should meet the following security requirements:

- Mutual authentication: The participants must be authenticated by the server, and they must also authenticate each other.
- Session key security: The agreed session key should be known only by the parties that participate in the communication.
- Perfect forward secrecy: A session key derived from a set of long-term keys is not compromised if one of the long-term keys is compromised in the future.

A good design of a 3PAKE protocol should be secure under various attacks, which include common protocol attacks and cryptanalysis attacks. The common protocol attacks can be summarized as follows:

- Man-in-the-middle attacks: The attacker makes independent connections with the victims and relays messages between them, making them believe that they are communicating directly with each other over a private connection, whereas in fact the entire conversation is controlled by the attacker. A man-in-the-middle attack can only succeed when the attacker can impersonate each participant to the satisfaction of the other.
- Replay attacks: A valid data transmission is maliciously or fraudulently repeated or delayed by an attacker.

The cryptanalysis attacks can be classified into three types (Lin et al., 2001):

- Offline dictionary attacks: The attacker uses captured protocol messages to check a guessed password offline. The attacker can guess passwords freely and check each one without any limit on the number of guesses.
- Undetectable on-line dictionary attacks: The attacker verifies password guesses on-line without being detected; that is, a failed guess is never noticed by the server or the client, so the attacker can probe the server and the client many times to collect enough information about the password.
- Detectable on-line dictionary attacks: The attacker guesses a password and verifies it on-line using the responses of the server. A failed guess, however, is easily detected by counting access failures.

* Corresponding author. Tel.: +65 67904385; fax: +65 67933318. E-mail address: [email protected] (M. Ma).

1084-8045/$ - see front matter © 2012 Elsevier Ltd. All rights reserved. http://dx.doi.org/10.1016/j.jnca.2012.04.006

Password-based authentication has attracted a lot of attention due to its simplicity and convenience in key agreement, and many three-party authenticated key exchange protocols have been proposed in recent years (Yeh et al., 2003; Lu and Cao, 2007; Chen et al., 2008; Huang, 2009; Lee et al., 2009; Yang and Chang, 2009). However, most of them are either weak in security or costly to implement. In this paper we propose a low cost three-party authenticated key exchange protocol with one-time key (N-3PAKE) that further improves on the scheme of Huang (2009). A comparison with four existing 3PAKE protocols shows that our solution is more efficient and less time consuming, and the proposed protocol has been formally verified together with a systematic security analysis. This distinguishes our work from the existing 3PAKE designs, whose correctness has not been formally validated. The major contributions of this paper can be summarized as follows:

- A low cost 3PAKE protocol has been designed that reduces the number of protocol execution steps from five to four while keeping the same security functionality as the existing protocols, without using the server's public key.
- The AVISPA formal verification tool has been employed to assist the design of the 3PAKE protocol, for authentication and secrecy verification.
- A quantified performance analysis of the proposed 3PAKE protocol has been conducted.

The rest of this paper is organized as follows. The related works have been presented in Section 2. In Section 3, we present our new three-party authenticated key exchange protocol. We provide the security analysis and formal verification in Section 4. And then the quantitative performance comparison is shown in Section 5. Finally, we draw our conclusions in Section 6.

2. Related works

In this section we describe some typical 3PAKE protocols and their disadvantages to motivate the design of our new protocol. Yeh et al. (2003) have proposed two 3PAKE protocols for secure communication over a public network: one is a plaintext-equivalent authentication protocol and the other is a verifier-based authentication protocol. Lee et al. (2009) have proposed an improved encrypted key exchange protocol for authentication and key agreement based on the protocol of Yeh et al. (2003), and claim the same computation complexity as Yeh et al. (2003). Both schemes (Yeh et al., 2003; Lee et al., 2009) require the public key of the server. Lu and Cao (2007) have proposed a simple three-party password-based authenticated key exchange (S-3PAKE) protocol which does not require any server public key. Chung and Ku (2008) found that S-3PAKE is vulnerable to an impersonation-of-initiator attack, an impersonation-of-responder attack and a man-in-the-middle attack; Guo et al. (2008) found that S-3PAKE is vulnerable to another man-in-the-middle attack that exploits an authentication flaw in the protocol, and to undetectable on-line dictionary attacks, and then proposed an improvement. Kim and Choi (2009) have proposed another improved version of S-3PAKE against on-line password guessing attacks. Both improved versions (Guo et al., 2008; Kim and Choi, 2009) have higher computation cost than the original S-3PAKE protocol, though they are more secure. Yoon and Yoo (2008) have proposed an ECC-based 3PAKE protocol, which is another kind of construction. We will compare our scheme with this typical scheme and others in the evaluation part of this paper.

With efficiency and security in consideration, the number of protocol execution steps and the complexity of the cryptographic operations are used to measure the performance of the existing 3PAKE schemes. A higher computation cost means that the two communication parties need a longer period, with larger communication latency, to establish a secure channel before further transactions or communications, and that latency constrains the application scope of a 3PAKE protocol. For instance, 3PAKE protocols with large latency are unsuitable for telecommunication environments, commercial transactions and other settings where real-time response is required (Chen et al., 2008). Thus the development of a secure and low cost 3PAKE protocol requires taking execution steps, computation complexity and security properties into account together.

Different from the above 3PAKE protocols, which give less consideration to computation cost, Huang (2009) has proposed a 3PAKE protocol in five steps without using the server's public key. The author compared the scheme with Lu and Cao's S-3PAKE protocol (Lu and Cao, 2007) on computation complexity and showed that it is efficient and secure against various attacks; without the server's public key, it works with less computation cost. However, there is still room to improve Huang's scheme. On one hand, the protocol of Huang (2009) takes five execution steps; this can be reduced to four, and the computation complexity can be decreased by using fewer cryptographic operations. On the other hand, the XOR operations used in that scheme are exposed to cryptanalysis and can be replaced by hash functions. Wu (2009) has also shown that the protocol in Huang (2009) is vulnerable to a partition attack, an offline dictionary attack by which the adversary can easily determine the correct password.

3. Three-party key exchange protocol

3.1. Notations

We use the following parameters for the design of our N-3PAKE protocol. $S$ is the trusted server; $A$ and $B$ are the two clients who want to communicate with each other with the help of $S$. The protocol is built on Diffie–Hellman key exchange, so a finite cyclic group $(G, g, p)$ is selected, generated by an element $g$ of prime order $p$. $N_b$ is a nonce randomly selected by client $B$ to guarantee freshness. A nonce ("number used once") is a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks (Anderson, 2008).

- $(G, g, p)$: A finite cyclic group $G$ generated by an element $g$ of prime order $p$.
- $S$: The server.
- $A$, $B$: The two clients; the symbols also denote their identities.
- $pw_a$: The symmetric key (password) shared between $A$ and $S$.
- $pw_b$: The symmetric key (password) shared between $B$ and $S$.
- $N_b$: Nonce chosen by $B$.
- $H(M)$: Secure one-way hash function.
- $\{M\}_k$: Ciphertext of $M$ under symmetric encryption with key $k$.

Fig. 1. N-3PAKE protocol.

3.2. The proposed protocol

In this protocol, two participants $A$ and $B$ want to share a new secret session key $K$ with the assistance of the server $S$ for further communication. They cannot authenticate each other directly and must resort to the trusted server $S$ for session key agreement. The steps of the proposed protocol, shown in Fig. 1, are as follows:

Step 1: $A$ chooses a random number $x \in Z_p$, computes $g^x$ and the one-time key $H(A, g^x, pw_a)$, forms $RQ_A = A, g^x, \{A, g^x\}_{H(A, g^x, pw_a)}$ and sends $RQ_A$ to $B$.

Step 2: On receiving the message from $A$, $B$ first checks the freshness of $g^x$, then chooses a random number $y \in Z_p$ and a nonce $N_b$, computes $g^y$ and the one-time key $H(B, g^y, pw_b)$, forms $RQ_B = B, g^y, \{B, g^y, N_b\}_{H(B, g^y, pw_b)}$ and sends $RQ_B, RQ_A$ to $S$.

Step 3: On receiving $RQ_B, RQ_A$, the authentication server $S$ first checks the freshness of $g^x$ and $g^y$, then uses the received $g^x$, $g^y$ and the stored passwords to compute $H(A, g^x, pw_a)$ and $H(B, g^y, pw_b)$, and decrypts $RQ_B$, $RQ_A$ to verify $g^x$ and $g^y$. If the verification fails the session is stopped; otherwise $S$ chooses a random number $z \in Z_p$, computes $g^{xz} = (g^x)^z$ and $g^{yz} = (g^y)^z$, forms $AK_A = \{g^x, B, g^{yz}, N_b\}_{H(A, g^x, pw_a)}$ and $AK_B = \{g^y, A, g^{xz}\}_{H(B, g^y, pw_b)}$, and sends $AK_A, AK_B$ to $A$.

Step 4: $A$ decrypts $AK_A$, obtains $g^{yz}$ and $N_b$, computes $K = (g^{yz})^x = g^{xyz}$, forms $\{A, N_b, g^x\}_K$ and sends $AK_B, \{A, N_b, g^x\}_K$ to $B$.

Step 5: On receiving $AK_B, \{A, N_b, g^x\}_K$, $B$ first decrypts $AK_B$ to obtain $g^{xz}$ and verifies $g^y$, then computes $K = (g^{xz})^y = g^{xyz}$ and decrypts $\{A, N_b, g^x\}_K$ to verify $N_b$. Finally, both $A$ and $B$ know the new session key $K$ for further communication.

4. Security evaluation

In this section we show that our proposed N-3PAKE protocol is secure and works correctly, by security analysis and by formal verification using the AVISPA tool.

4.1. Security analysis

Firstly, the proposed protocol has the following properties.

Mutual authentication: Mutual authentication means that a client authenticates itself to a server or another client by proving its identity, and the server or the other client can likewise prove its own identity to the initiating client. In our protocol, $A$ and $B$ each authenticate $S$ through the authentication request ($RQ_A$, $RQ_B$) and the response ($AK_A$, $AK_B$), and $A$ and $B$ authenticate each other through $g^x$ and $N_b$. Every message sent by $A$ or $B$ carries the sender's identity, and the messages distributed by the authentication server embed the clients' identities. This mutual authentication property is what makes man-in-the-middle attacks fail.

Perfect forward secrecy: A protocol has perfect forward secrecy if a session key is not compromised when one of the (long-term) private keys is compromised in the future. Our protocol addresses forward secrecy: an agreed key is not compromised even if keys derived from the same long-term keying material in a subsequent run are compromised. In the proposed protocol the ephemeral exponents $x$, $y$ and $z$ are randomly selected and independent for each protocol execution; therefore compromising the passwords $pw_a$, $pw_b$ and a key $K$ cannot reveal any previous session key.

Session key security: The new session key $K$, agreed by $A$ and $B$ with the help of $S$, is known only to the two participants $A$ and $B$. Although $S$ generates $z$ and also knows $g^x$ and $g^y$, $S$ cannot compute $K = g^{xyz}$ without $x$ or $y$, which are the private information of $A$ and $B$. Even an attacker who knows $g^{xz}$ and $g^{yz}$ faces a problem equivalent to computational Diffie–Hellman (Bao et al., 2003) to obtain the session key $K = g^{xyz}$ of $A$ and $B$, which is assumed to be computationally hard.

Secondly, we analyze and find that the proposed protocol resists the following kinds of attacks.

Replay attack: An attacker may try to impersonate $A$ by replaying $RQ_A$ to $B$. However, as he does not know the password $pw_a$ of user $A$, and $x$, $y$ and $z$ are chosen randomly in each session, the attacker cannot obtain $g^{yz}$ by decrypting $\{g^x, B, g^{yz}, N_b\}_{H(A, g^x, pw_a)}$. Therefore he cannot produce a valid session key $K = g^{xyz}$ or a valid $\{A, N_b, g^x\}_K$, and authentication fails. Similarly, the attacker cannot impersonate $B$, so the replay attack fails. Hence, without knowing a user's password, it is very difficult for anyone to impersonate that user. If such an attack existed, it would also be found by the model checking tools described below.

Man-in-the-middle attack: Since all critical messages in the proposed protocol are encrypted, an eavesdropper cannot usefully modify the messages exchanged between entities. If an attacker $I$ who controls the channel between $A$ and $B$ replaces the authentication request $RQ_A$ with his own $RQ_I$, the replaced $RQ_I$ is forwarded to $S$ together with $RQ_B$, and $I$ is successfully authenticated by $S$ if he is a legitimate user of the system. The man-in-the-middle attack still fails, however, because the attacker cannot generate a correct $AK_A$ in response to $RQ_A$. Moreover, if a man-in-the-middle attack existed in the proposed protocol, it would be detected by the AVISPA toolkit. We therefore conclude that a man-in-the-middle attack cannot succeed against the proposed protocol.

Cryptanalysis attacks: The proposed protocol resists the two kinds of on-line dictionary attacks described in Section 1. The users' identities, $g^x$ and $g^y$ are sent in plaintext, however, so the protocol may suffer from the offline dictionary attack: an attacker can guess $pw_a'$ and test it by checking whether $\{A, g^x\}_{H(A, g^x, pw_a')}$ matches the captured $\{A, g^x\}_{H(A, g^x, pw_a)}$. From Table 4 in Huang et al. (2009) we conclude that the shared symmetric keys should be restricted to lengths longer than 8 bytes, and that the frequency of changing the keys can be determined according to the selected hash function. Each guess also costs one additional symmetric encryption, which makes the offline dictionary attack more expensive, though not impossible: the captured $RQ_A$ still serves as an offline verifier for password guesses.
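The five-step exchange of Section 3.2 and the offline password guess against $RQ_A$ discussed above in Section 4.1, as an added example in Python that is not part of the paper and not the authors' code. Everything except the message structure is an assumption of this example: the '|'-separated field encoding, a SHA-256 keystream with an HMAC-SHA256 tag standing in for the paper's unspecified symmetric cipher $\{M\}_k$ (the experiments in Section 5 use AES, but no mode is given), hashing the integer $K$ before using it as a cipher key, the group (the 1024-bit MODP prime of RFC 2409 with $g = 2$, transcribed here and below current strength; use a validated group before any real use), and the function, identity and password names.

```python
# Added demo, not the authors' code: Section 3.2 flow + Section 4.1 offline guess.
# Assumed: '|' fields, SHA-256+HMAC as {M}_k, hashed K as key, RFC 2409 MODP group.
import hashlib
import hmac
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def pack(*fields):            # message tuple -> bytes; no field may contain '|'
    return b"|".join(str(f).encode() for f in fields)

def H(*fields):               # the paper's H(M): SHA-256 over the packed fields
    return hashlib.sha256(pack(*fields)).digest()

def keystream(k, n, length):  # demo stream cipher; stands in for AES, is not AES
    return b"".join(hashlib.sha256(k + n + bytes([i])).digest()
                    for i in range((length + 31) // 32))[:length]

def enc(k, m):                # {M}_k = nonce || ciphertext || HMAC-SHA256 tag
    n = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(m, keystream(k, n, len(m))))
    return n + ct + hmac.new(k, n + ct, hashlib.sha256).digest()

def dec(k, blob):             # raises ValueError when k is not the right key
    n, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k, n + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed verification")
    return bytes(a ^ b for a, b in zip(ct, keystream(k, n, len(ct))))

def step1_A(A, pwa):          # A -> B: RQ_A = A, g^x, {A, g^x}_H(A, g^x, pw_a)
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    k = H(A, gx, pwa)                          # one-time key
    return {"x": x, "gx": gx, "k": k}, (A, gx, enc(k, pack(A, gx)))

def step2_B(B, pwb, RQ_A):    # B -> S: RQ_B, RQ_A with RQ_B = B, g^y, {B, g^y, Nb}
    y = secrets.randbelow(P - 2) + 1
    gy, Nb = pow(G, y, P), secrets.token_hex(16)
    k = H(B, gy, pwb)                          # one-time key
    st = {"y": y, "gy": gy, "Nb": Nb, "k": k, "gx": RQ_A[1]}
    return st, ((B, gy, enc(k, pack(B, gy, Nb))), RQ_A)

def step3_S(pw, RQ_B, RQ_A, seen):   # S -> A: AK_A, AK_B; 'seen' = past g^x, g^y
    A, gx, cA = RQ_A
    B, gy, cB = RQ_B
    if gx in seen or gy in seen:
        raise ValueError("replayed exponent")  # freshness check of Step 3
    seen.update((gx, gy))
    kA, kB = H(A, gx, pw[A]), H(B, gy, pw[B])  # recompute the one-time keys
    fB = dec(kB, cB).split(b"|")               # wrong pw_b -> ValueError
    if dec(kA, cA) != pack(A, gx) or fB[:2] != pack(B, gy).split(b"|"):
        raise ValueError("RQ_A or RQ_B rejected")
    z = secrets.randbelow(P - 2) + 1
    gxz, gyz = pow(gx, z, P), pow(gy, z, P)
    return enc(kA, pack(gx, B, gyz, fB[2].decode())), enc(kB, pack(gy, A, gxz))

def step4_A(st, A, B, AK_A, AK_B):   # A -> B: AK_B, {A, Nb, g^x}_K
    gx, Bp, gyz, Nb = dec(st["k"], AK_A).split(b"|")
    if [gx, Bp] != pack(st["gx"], B).split(b"|"):
        raise ValueError("AK_A rejected")
    st["K"] = pow(int(gyz), st["x"], P)        # K = (g^yz)^x = g^xyz
    return AK_B, enc(H(st["K"]), pack(A, Nb.decode(), st["gx"]))

def step5_B(st, A, B, AK_B, confirm):
    gy, Ap, gxz = dec(st["k"], AK_B).split(b"|")
    if [gy, Ap] != pack(st["gy"], A).split(b"|"):
        raise ValueError("AK_B rejected")
    K = pow(int(gxz), st["y"], P)              # K = (g^xz)^y = g^xyz
    if dec(H(K), confirm) != pack(A, st["Nb"], st["gx"]):
        raise ValueError("Nb or g^x mismatch")  # B verifies Nb (and g^x) under K
    return K

def run(pw, A="alice", B="bob"):      # one honest run; returns (K at A, K at B)
    stA, RQ_A = step1_A(A, pw[A])
    stB, (RQ_B, RQ_A) = step2_B(B, pw[B], RQ_A)
    AK_A, AK_B = step3_S(pw, RQ_B, RQ_A, set())
    AK_B, confirm = step4_A(stA, A, B, AK_A, AK_B)
    return stA["K"], step5_B(stB, A, B, AK_B, confirm)

def rejected(fn, *args):              # True when a step aborts the session
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def offline_guess(RQ_A, dictionary):  # Section 4.1: RQ_A is an offline verifier
    A, gx, cA = RQ_A                  # all inputs of H(A, g^x, pw_a) but pw_a are public
    for guess in dictionary:
        try:
            if dec(H(A, gx, guess), cA) == pack(A, gx):
                return guess
        except ValueError:
            continue
    return None
```

The `seen` set at S is the freshness check of Step 3: a second presentation of the same $g^x$ is rejected, which is what defeats a straight replay of $RQ_A$. `offline_guess` is the attack the paragraph above concedes: an eavesdropper who captured $RQ_A$ tests each candidate $pw_a'$ by recomputing $H(A, g^x, pw_a')$ and decrypting, with no interaction with $S$ and nothing for $S$ to count, so the protocol's resistance to password guessing rests on the entropy of $pw_a$ alone.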

4.2. Formal verification

4.2.1. AVISPA

We have modeled the proposed protocol with the Automated Validation of Internet Security Protocols and Applications (AVISPA) toolkit (AVISPA, 2006) to validate the security properties that N-3PAKE is designed to have. AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques (AVISPA, 2006). Protocol specifications are written in AVISPA's High-Level Protocol Specification Language (HLPSL) (HLPSL, 2001) and are divided into roles. Basic roles describe the actions of one single agent in a run of a protocol or sub-protocol. Composed roles instantiate these basic roles to model an entire protocol run, a session of the protocol between multiple agents, or the protocol model itself; this last role is usually called the Environment role (HLPSL, 2006). Given a set of roles describing the protocol and an Environment role defining the concrete sessions whose execution we wish to consider, we then define our security goals.

Table 1. Meanings of symbols in the role of S.

Symbol          Meaning
A (B)           Identity of A (B)
Gx' (Gy')       g^x (g^y)
Nb' (Nz')       Random number generated by B (S)
PWa (PWb)       The symmetric key pw_a (pw_b)
Hash()          Hash function
new()           Create a new nonce
exp(p, q)       Compute p^q
Rcv(M)          Receive message M
Snd(M)          Send message M

4.2.2. Specifying the protocol

In our HLPSL model there are three basic roles, peke_A, peke_B and peke_S, representing the participants A, B and S respectively. Here we present only the basic role S, shown in Fig. 2, as an example. S waits to receive RQ_B, RQ_A from B and then sends AK_A, AK_B to A; at the same time the state St of S changes from 0 to 1. The meaning of the symbols used in the basic role S is given in Table 1. First, S receives the message B.Gy'.{B.Gy'.Nb'}_Hash(B.Gy'.PWb).A.Gx'.{A.Gx'}_Hash(A.Gx'.PWa) through the Rcv() action. Second, S chooses its own random number Nz' (z) and computes Gxz' := exp(Gx', Nz') (i.e. $g^{xz} = (g^x)^z$) and likewise Gyz'. Finally, the server sends the message {Gx'.B.Gyz'.Nb'}_Hash(A.Gx'.PWa).{Gy'.A.Gxz'}_Hash(B.Gy'.PWb) with the Snd() operation.

Fig. 2. Role of S.

The type declaration channel (dy) stands for the Dolev–Yao intruder model (Dolev and Yao, 1983). Under this model the intruder has full control over the network, so that all messages sent by agents go to the intruder. The intruder may intercept, analyze and modify messages as far as he knows the required keys, and may send any message he composes to whomever he pleases, posing as any other agent. As a consequence, agents can send and receive on whichever channel they want; the intended connection between certain channel variables (e.g. S sends some messages on S_SND to A, who receives them on A_RCV, as shown in Fig. 3) is irrelevant because the intruder is the network.

Once the basic roles have been defined, we define composed roles which describe sessions of the protocol, as shown in Fig. 3. In this session role, the basic roles peke_A, peke_B and peke_S are instantiated with concrete arguments.

Fig. 3. Role of session.

Finally, a top-level role (Environment) is always defined. It contains global constants and a composition of one or more sessions, in which the intruder may play some roles as a legitimate user. Our protocol's Environment role is shown in Fig. 4. Note that the constant i refers to the intruder. The intruder also participates in the execution of the protocol in a concrete session; this is used to detect the man-in-the-middle attack.

Fig. 4. Role of Environment.


Fig. 5. Analysis goals of the model.

We analyze the following properties, which are listed in the goal section shown in Fig. 5. The symbol auth_a_s_gx means that A authenticates S on gx; the other authentication symbols read the same way. sec_a_b_gxyz means that gxyz is a secret shared between A and B. The current version of HLPSL supports the standard authentication and secrecy goals; this is, however, sufficient to specify a large number of problems (HLPSL, 2001). The default HLPSL authentication goals take two forms, corresponding to Lowe's definitions of strong and weak authentication (Lowe, 1997). For our protocol we verify four authentication goals and one secrecy goal, as follows:

- A authenticates S on gx: A generates x, which is known only to her. If S presents gx together with A's identity, A authenticates S.
- B authenticates S on gy: B generates y, which is known only to him. If S presents gy together with B's identity, B authenticates S.
- A authenticates B on Nb: B chooses Nb randomly. When A receives AKA from S, she obtains Nb together with B's identity, and so authenticates B.
- B authenticates A on gx: A generates x, which is known only to her. If B obtains gx by decrypting the message $\{A, N_b, g^x\}_K$, B authenticates A.
- Secrecy of gxyz: S generates gyz and gxz and sends them encrypted to A and B. A and B know x and y respectively, so $K = g^{xyz}$ is a secret between A and B.

4.2.3. Analysis of results

We chose the OFMC back-end (Basin et al., 2005) for an executability test and for bounded-session model checking.

Executability check for non-trivial HLPSL specifications: It often happens that, because of modeling mistakes, the protocol model cannot execute to completion. The back-ends may then find no attack simply because the model never reaches the state where the attack could happen, so an executability check is very important (HLPSL, 2006). Our executability check has shown that the protocol description matches the designed goals; its output is omitted here for conciseness.

Replay attack check: With the sessco option, OFMC first checks whether the honest agents can execute the protocol by searching with a passive intruder, and then gives the intruder the knowledge of some "normal" sessions between honest agents (AVISPA, 2006). The test results show that our N-3PAKE protocol resists the replay attack.

Dolev–Yao model check: Finally, we set the search depth to seven; the output of the model checking is shown in Fig. 6. In total 66,283 nodes were searched in 310.53 s. From the results we conclude that the proposed protocol fulfills the design properties and is secure under the AVISPA test with the OFMC back-end and a bounded number of sessions.

Fig. 6. Results reported by the OFMC back-end.

5. Performance evaluation

In this section we show that our proposed N-3PAKE protocol is low cost, by complexity analysis and by a computation cost test. Our major contribution is a protocol that is less time consuming, has lower computation cost and is also communication-efficient, using fewer transmissions.

5.1. Complexity analysis

Table 2 shows the performance comparison between our proposed protocol and other typical 3PAKE protocols. Of the two schemes proposed by Lee et al. (2009), the verifier-based protocol has been selected for the test. Yoon and Yoo (2008) is an ECC-based scheme, a typical kind of construction, so we also choose it as a sample. In the table we focus on the following operations carried out in each protocol: modular computation, hash function, pseudo-random number generation, public key en/decryption, and secret key en/decryption. These are the most common operations in the construction of 3PAKE protocols. The XOR operation has been ignored because of its negligible execution time.

The column "Modular computation" gives the number of modular exponentiations used in the five schemes; for each protocol, operations such as $g^x \bmod p$, $g^{R_A} \bmod p$ and $N_A^{R_A} \bmod p$ are counted as modular computations. In the scheme of Lu and Cao (2007), client A, client B and the authentication server S need 3, 3 and 6 modular operations, respectively. In the scheme of Yoon and Yoo (2008), server S computes $K_{AS} \leftarrow N_A^{r_A} \bmod p$, $K_{BS} \leftarrow N_B^{r_B} \bmod p$, $N_S^{R_A} \bmod p$ and $N_S^{R_B} \bmod p$, so four modular computations are needed for S. The other counts have been obtained in the same way. In the proposed protocol, A calculates $g^x$ and $g^{xyz}$, B calculates $g^y$ and $g^{xyz}$, and S computes $g^{xz}$ and $g^{yz}$; so in N-3PAKE, A, B and S each need two modular computations.

The column "Hash function" gives the number of hash computations per participant. In our protocol, A and B each need one hash computation, to generate the encryption keys $H(A, g^x, pw_a)$ and $H(B, g^y, pw_b)$, while S needs two hash computations to regenerate these two keys. The column "Pseudo-random" gives the number of random values generated by each protocol; the nonce $N_b$ in our protocol is a pseudo-random number, and the exponents $x$, $y$ and $z$ are random numbers as well. The columns "Public key en/decryption" and "Secret key en/decryption" give the two kinds of encryption and decryption operations used by the protocols for the secrecy of the messages exchanged among the participants. The numbers of the different kinds of en/decryption operations in each protocol indirectly indicate its computation complexity.


Table 2. Performance comparison (operation counts for A/B/S).

Scheme               Modular computation   Hash function   Pseudo-random   Public key en/decryption   Secret key en/decryption
Lu and Cao (2007)    3/3/6                 3/3/2           1/1/1           0/0/0                      0/0/0
Yoon and Yoo (2008)  3/3/4                 5/5/6           2/2/1           0/0/0                      1/1/2
Lee et al. (2009)    2/2/0                 1/1/0           2/3/0           1/2/1                      4/4/4
Huang (2009)         2/2/2                 3/3/2           1/1/1           0/0/0                      0/0/0
N-3PAKE              2/2/2                 1/1/2           1/2/1           0/0/0                      3/4/3

Table 3. Computation cost.

Scheme               Communication steps   Computation cost (s per 10^4 runs)
Lu and Cao (2007)    5                     10.46
Yoon and Yoo (2008)  5                     13.76
Lee et al. (2009)    4                     68.34
Huang (2009)         5                     8.34
N-3PAKE              4                     8.24

In our protocol, A performs secret key en/decryptions of two kinds: with the hash-derived one-time key and with the new session key K. Client B performs the same kinds of operations, and S only performs en/decryptions keyed by the hash values.

5.2. Computation cost test

In this subsection we evaluate the performance of the designed protocol and compare it with the other protocols in terms of computation cost, by experiment. All experiments were conducted on a Core 2 Duo PC with a 2.66 GHz CPU and 2 GB of memory, using the Crypto++ library. For each protocol, AES was selected as the secret key encryption scheme, SHA-256 as the hash function, and RSA for public key encryption. In Table 3, the column "Communication steps" gives the number of communication steps of each protocol, and "Computation cost" is the total time taken to execute each protocol 10^4 times. From the table, the scheme of Lee et al. (2009) is the most time consuming, because of its RSA public key encryption. To reduce that time, the two distinct primes p and q of the RSA key can be pre-computed before the protocol is carried out; another option is to use elliptic curve cryptography (Yang and Chang, 2009). Our proposed protocol is the least time consuming, owing to fewer modular computations and fewer hash computations.

From the experiments we find that public key en/decryption is the most time consuming operation, and that modular exponentiation also costs much. A good design of a 3PAKE protocol should therefore adopt cryptographic operations with less computation cost to achieve better performance and efficiency. The proposed protocol's computation cost is lower than that of Huang's scheme, while the number of transmissions has been reduced from 5 to 4; the communication cost is thus reduced by approximately 20%, and the protocol is communication-efficient.

6. Conclusions

In this paper we have proposed a new low cost three-party authenticated key exchange protocol which fulfills the following security requirements: confidentiality of the long-term secret keys and the session key, mutual authentication between any two parties, freshness of the transmitted messages and the session key, and perfect forward secrecy. The proposed protocol has been shown to be more efficient than the existing protocols by a quantified performance analysis, and to have the same security functionality as the existing advanced protocols by formal verification using the AVISPA toolkit. The proposed secure and low cost 3PAKE protocol is suitable for various applications, especially in resource-limited environments and real-time systems.

Acknowledgment

This work is supported by the following projects: National Natural Science Foundation of China Grant nos. 60772136 and 61003300, 111 Development Program of China no. B08038, Doctoral Fund of Ministry of Education of China 20100203110002, Fundamental Research Funds for the Central Universities nos. JY10000901018, JY10000901021, JY10000901032 and JY10000901034.

References

Anderson RJ. Security engineering: a guide to building dependable distributed systems. Wiley; 2008.
AVISPA v1.1 User Manual, 2006.
Bao F, Deng RH, Zhu H. Variations of Diffie–Hellman problem. In: Qing S, Gollmann D, Zhou J, editors. ICICS, vol. 2836. Springer; 2003. p. 301–12.
Basin DA, Mödersheim S, Viganò L. OFMC: a symbolic model checker for security protocols. International Journal of Information Security 2005;4:181–208.
Chen T, Lee W-B, Chen H-B. A round- and computation-efficient three-party authenticated key exchange protocol. Journal of Systems and Software 2008;81:1581–90.
Chung H-R, Ku W-C. Three weaknesses in a simple three-party key exchange protocol. Information Sciences 2008;178:220–9.
Dolev D, Yao A. On the security of public-key protocols. IEEE Transactions on Information Theory 1983;2.
Guo H, Li Z, Mu Y, Zhang X. Cryptanalysis of simple three-party key exchange protocol. Computers & Security 2008;27:16–21.
The High Level Protocol Specification Language, 2001.
HLPSL Tutorial, 2006.
Huang H-F. A simple three-party password-based key exchange protocol. International Journal of Communication Systems 2009;22:857–62.
Huang YL, Lu PH, Tygar JD, Joseph AD. OSNP: secure wireless authentication protocol using one-time key. Computers & Security 2009.
Kim H-S, Choi J-Y. Enhanced password-based simple three-party key exchange protocol. Computers & Electrical Engineering 2009;35:107–14.
Lee T-F, Liu J-L, Sung M-J, Yang S-B, Chen C-M. Communication-efficient three-party protocols for authentication and key agreement. Computers & Mathematics with Applications 2009;58:641–8.
Lin C-L, Sun H-M, Steiner M, Hwang T. Three-party encrypted key exchange without server public-keys. IEEE Communications Letters 2001;5:497–9.
Lowe G. A hierarchy of authentication specifications. In: PCSFW: proceedings of the 10th computer security foundations workshop. IEEE Computer Society Press; 1997.
Lu R, Cao Z. Simple three-party key exchange protocol. Computers & Security 2007;26:94–7.
Wu S. Weakness of a three-party password-based authenticated key exchange protocol. 2009. http://eprint.iacr.org/2009/535.pdf
Yang J-H, Chang C-C. An efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments. Journal of Systems and Software 2009;82:1497–502.
Yeh H-T, Sun H-M, Hwang T. Efficient three-party authentication and key agreement protocols resistant to password guessing attacks. Journal of Information Science and Engineering 2003;19:1059–70.
Yoon E-J, Yoo K-Y. Improving the novel three-party encrypted key exchange protocol. Computers Standards & Interfaces 2008;30:309–14.
Lin C-L, Sun H-M, Steiner M, Hwang T. Three-party encrypted key exchange without server public-keys. IEEE Communications Letters 2001;5:497–9. Lowe G. A hierarchy of authentication specifications. In: PCSFW: proceedings of the 10th computer security foundations workshop. IEEE Computer Society Press, 1997. Lu R, Cao Z. Simple three-party key exchange protocol. Computers & Security 2007;26:94–7. Wu, S., 2009. Weakness of a three-party password-based authenticated key exchange protocol /http://eprint.iacr.org/2009/535.pdfS. Yang J-H, Chang C-C. An efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments. Journal of Systems and Software 2009;82:1497–502. Yeh H-T, Sun H-M, Hwang T. Efficient three-party authentication and key agreement protocols resistant to password guessing attacks. Journal of Information Science and Engineering 2003;19:1059–70. Yoon E-J, Yoo K-Y. Improving the novel three-party encrypted key exchange protocol. Computers Standards & Interfaces 2008;30:309–14.