Authentication schemes with no verification table

Applied Mathematics and Computation 167 (2005) 820–832

www.elsevier.com/locate/amc

Authentication schemes with no verification table Ya-Fen Chang, Chin-Chen Chang

*

Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Min-Hsiung, Chiayi 621, Taiwan, ROC

Abstract In 2000, Hwang and Yeh presented an improved version of Peyravian and ZunicÕs scheme by using the serverÕs public key. In 2003, Lin and Hwang indicated that Hwang and YehÕs scheme suffers from the denial-of-service attack and proposed a password authentication scheme with secure password updating. However, the verification table needed in both Hwang and YehÕs and Lin and HwangÕs schemes makes these schemes vulnerable to the stolen-verifier attack. To overcome their drawback, we propose two authentication schemes with no verification table in this paper. Ó 2004 Elsevier Inc. All rights reserved. Keywords: Password authentication; Public key; Denial-of-service attack; Stolen-verifier attack

1. Introduction Many authentication methods have been proposed for electronic commerce environments—Kerberos [7] for example. Among them, the password authentication scheme is the most commonly used approach, where each client is *

Corresponding author. E-mail addresses: [email protected] (Y.-F. Chang), [email protected] (C.-C. Chang).

0096-3003/$ - see front matter Ó 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.06.118

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

821

allowed to share an easy-to-remember password with a trusted server. The concepts are applied in other applications [1,5,6] as well. However, these schemes may be broken with a little effort because of the property of the passwords. In 2000, Peyravian and Zunic [8] proposed a scheme to protect the transmission of the password over an insecure network by only using a collision-resistant hash function. In their scheme, no symmetric-key or public-key based authentication system is used. And only the hash value of the password is transmitted, and random numbers are used to avoid eavesdropping and the replay attack. In [4], Hwang and Yeh pointed out that the security of Peyravian and ZunicÕs password authentication schemes is only based on the user password. Since user passwords are easy-to-remember and no additional authentication approach is used, Peyravian and ZunicÕs password authentication schemes suffer from password guessing attacks, sever spoofing attack, and sever data eavesdropping. Thus, Hwang and Yeh proposed an improved version to withstand the flaws, which Peyravian and ZunicÕs schemes suffer from, by using the serverÕs public key [2]. In 2003, Lin and Hwang indicated that Hwang and YehÕs scheme is vulnerable to the denial-of-service attack and proposed a password authentication scheme with secure password updating [10]. After analyzing Hwang and YehÕs and Lin and HwangÕs schemes, it is observed that the verification table is still needed. This property makes these schemes suffer from the stolen-verifier attack. Thus, we propose two schemes with no verification table in this paper. The rest of the paper is organized as follows. In Section 2, a review and the security flaws of Hwang and YehÕs scheme are shown. In Section 3, we present a review and the security flaw of Lin and HwangÕs scheme. Then our proposed schemes are given in Section 4. Then security analyses of our proposed schemes are presented in Section 5, followed by more discussions in Section 6. Finally, we draw some conclusions in Section 7.

2. A review and the security flaws of Hwang and YehÕs password authentication scheme In this section, we will present the improvement of Hwang and YehÕs password authentication scheme, which consists of two phases: (1) the password authentication phase and (2) the password updating phase, described in Sections 2.1 and 2.2, respectively. The initiation of this scheme is shown as follows. Each client Ui with the identity IDi shares a secret password PWi with the trusted server S, whose server public key is KS. S stores H(PWi) for Ui, where H( ) is a collision-resistant hash function. EK( ) is an asymmetric encryption scheme with a public key K. The weaknesses, proposed by Lin and Hwang, of Hwang and YehÕs password authentication scheme are shown in Section

822

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

2.3. The stolen-verifier attack threatening Hwang and YehÕs scheme is shown in Section 2.4. 2.1. The password authentication phase When Ui wants to access S, the password authentication phase performs as in Fig. 1. The details are shown as follows: Step 1: Ui computes and sends EKS(rC, PWi) with IDi to S as a login request, where rC is a random number. Step 2: After receiving the login request sent by Ui, S uses his/her own private key to retrieve r0C and PW0i and computes H ðPW0i Þ. Then S compares the computation result with the corresponding item stored in the database. If they are not equal, S terminates the scheme; otherwise, S computes r0C
rS and H(rS), where rS is a random number generated by S and
denotes XOR. Then S sends the computation results to Ui. Step 3: Upon getting the transmitted data, Ui retrieves r0S by computing rC
(rC
rS) and checks whether the hash value of r0S and H(rS) are equivalent. If it does not hold, Ui terminates the scheme; otherwise, Ui computes and sends H ðrC ; r0S Þ with IDi to S. Step 4: Then, S computes and compares H ðr0C ; rS Þ with H ðrC ; r0S Þ: If it does not hold, S rejects UiÕs request; otherwise, S grants Ui the access right.

2.2. The password updating phase When Ui wants to update his/her password PWi, the steps of the password updating phase are almost the same as those in the password authentication

Fig. 1. The password authentication phase of Huang and YehÕs scheme.

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

823

phase, except for an additional password updating request in Step 3. In Step 3 of the password updating phase, Ui sends IDi ; H ðrC ; r0S Þ, H ðPW00i Þ
H ðrC þ 1; r0S Þ to S, where PW00i is the new password chosen by Ui. Then, S computes H ðr0C þ 1; rS Þ and XORs it with H ðPW00i Þ
H ðrC þ 1; r0S Þ to get UiÕs new verifier H ðPW00i Þ. 2.3. The weaknesses Lin and Hwang indicated that Hwang and YehÕs scheme is vulnerable to the denial-of-service attack and lacks of forward secrecy. How to mount the denial-of-service attack and why forward secrecy is absent are shown in Sections 2.3.1 and 2.3.2, respectively. 2.3.1. The denial-of-service attack In the following, we show how to mount the denial-of-service attack on Hwang and YehÕs scheme. As mentioned in Section 2.2, Ui computes and sends H ðrC ; r0S Þ and H ðPW00i Þ
H ðrC þ 1; r0S Þ, and then he/she sends the computation results with IDi as a password updating request in Step 3. If an attacker intercepts the password updating request, he/she randomly chooses a number R and computes H(R). Then the attacker sends IDi, H ðrC ; r0S Þ and H(R) to S. Finally, S will update H(PWi) with H ðRÞ
H ðr0C þ 1; rS Þ instead of H ðPW00i Þ. As a result, the legal user Ui cannot access S successfully since then. 2.3.2. Lack of forward secrecy Lin and Hwang claimed that (1) forward secrecy is a highly desirable feature in the password authentication scheme with key distribution, and (2) Hwang and YehÕs scheme, compared with Peyravian and ZunicÕs, can also provide key distribution. However, UiÕs password PWi and SÕs public key are long-term secrets in Hwang and YehÕs scheme. As a result, if SÕs private key is compromised, both rc and rs for each session will be known. That is, the corresponding session key can be gotten. 2.4. The stolen-verifier attack As mentioned in Sections 2.1 and 2.2, S stores H(PWi) for authenticating Ui, where PWi is UiÕs latest password chosen by himself/herself. If an attacker successfully mounts the stolen-verifier attack on Hwang and YehÕs scheme, H(PWi) is known by the attacker. Since PWi is easy-to-remember, the attacker can easily get UiÕs password by checking whether the hash value of the possible password and H(PWi) are equal. The above approach can be treated as the

824

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

off-line password guessing attack [3]. After getting UiÕs password PWi, he/she can impersonate Ui at will. 3. A review and the security flaw in Lin and HwangÕs scheme In order to overcome the observed weaknesses mentioned in Section 2.3, Lin and Hwang proposed an authentication scheme with secure password updating and showed how their scheme provides key distribution with forward secrecy. However, we find that Lin and HwangÕs proposed scheme is still vulnerable to the stolen-verifier attack. Lin and HwangÕs password authentication scheme is also composed of two phases: (1) the password authentication phase and (2) the password updating phase, described in Sections 3.1 and 3.2, respectively. The initiation of their scheme is the same as that of Hwang and YehÕs scheme. The key distribution provided in Lin and HwangÕs password authentication scheme is presented in Section 3.3. Finally, the stolen-verifier attack mounted on Lin and HwangÕs password authentication scheme is shown in Section 3.4. 3.1. The password authentication phase The password authentication phase of Lin and HwangÕs password authentication scheme is the same as that of Hwang and YehÕs. As a result, the details are as shown in Section 3.1. 3.2. The password updating phase When Ui wants to update his/her password PWi, the details are shown as follows: Step 1: Ui computes EK S ðrC ; PWi Þ and sends the computation result with IDi to S as a login request, where rC is a random number. Step 2: After receiving the login request, S retrieves r0C and PW0i and computes H ðPW0i Þ. Then S compares the computation result with the corresponding item stored in the database. If it does not hold, S terminates the scheme; otherwise, S computes and sends r0C
rS and H(rS) to Ui, where rS is a random number generated by S. Step 3: Upon getting the transmitted data sent by S, Ui computes H(rC
(rC
rS)) and checks whether the computation result and H(rS) are equivalent. If they are not equivalent, Ui terminates the scheme; otherwise, Ui computes H ðrC ; r0S Þ, H ðPW00i Þ
H ðrC þ 1; r0S Þ and H ðH ðPW00i Þ; r0S Þ. Then Ui sends the computation results with IDi to S as the password updating request, where PW00i is the new password chosen by Ui.

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

825

Step 4: Then, S computes and compares H ðr0C ; rS Þ with H ðrC ; r0S Þ. If it does not hold, S terminates the phase; otherwise, S computes H ððH ðPW00i Þ
H ðrC þ 1; r0S ÞÞ
H ðr0C þ 1; rS Þ; rS Þ and checks whether the computation result and H ðH ðPW00i Þ; rS Þ are equivalent. If they are equal, S is convinced that H ðPW00i Þ is indeed the valid verifier for Ui. 3.3. The key distribution The details of the key distribution in Lin and HwangÕs scheme are shown as follows: Step 1: Ui computes and sends EK S ðgx ; PWi Þ with IDi to S, where x is a number chosen randomly by Ui. Step 2: After receiving the data sent by Ui, S uses his/her own private key to retrieve gx and PW0i and computes H(PW0i ). Then S compares the computation result with the corresponding item stored in the database. If they are not equal, S terminates the scheme; otherwise, S computes and sends gx
gy and H(gy) to Ui, where y is a number chosen randomly by S. Step 3: Upon getting the transmitted data, Ui retrieves rS by computing gx
(gx
gy) and checks whether the hash value of gy and H(gy) are equivalent. If it does not hold, Ui terminates the scheme; otherwise, Ui computes and sends H(gx, gy) with IDi to S. Step 4: Then, S computes and compares H(gx, gy) with the received one. If it does not hold, S denies UiÕs request; otherwise, S will grant Ui the access right. After the above procedures, the session key of S and Ui is gxy. 3.4. The stolen-verifier attack As mentioned in Sections 3.1 and 3.2, S still stores H(PWi) for authenticating Ui in Lin and HwangÕs password authentication scheme. As a result, an attacker can successfully get UiÕs password PWi as shown in Section 2.4. That is, Lin and HwangÕs scheme still suffers from the stolen-verifier attack.

4. The proposed schemes As mentioned in Sections 2.4 and 3.4, the verifier H(PWi) stored by S makes Hwang and YehÕs scheme and Lin and HwangÕs scheme vulnerable to the stolen-verifier attack since PWi is easy-to-remember. Consequently, we propose

826

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

two authentication schemes with no verification table in Sections 4.1 and 4.2, respectively. 4.1. The proposed authentication scheme by employing the public-key cryptoscheme In this subsection, we propose an authentication scheme with public keys involved. Unlike the schemes mentioned in Sections 2 and 3, public keys instead of the user passwords are needed for authentication in our first proposed scheme. The initiation of our first scheme is shown as follows. Each client Ui with the identity IDi owns the public key Ki. The trusted server S owns the serverÕs public key KS. H( ) is a collision-resistant hash function, and EK( ) is an asymmetric encryption scheme with a public key K. When Ui wants to access S, our first scheme performs as follows: Step 1: Ui computes and sends EK S ðrC Þ with IDi to S as a login request, where rC is a random number. Step 2: After receiving the login request sent by Ui, S uses his/her own private key to retrieve rC. Then S computes and sends EK i ðrC
rS ; H ðrS ÞÞ to Ui, where rS is a random number generated by S and
denotes XOR. Step 3: Upon getting the transmitted data, Ui uses his/her own private key to retrieve rC
rS and H(rS). Then Ui computes H((rC
rS)
rC) and checks whether the computation result is equal to H(rS). If they are equal, Ui computes and sends EK S ðrS ; H ðrC
rS ÞÞ to S; otherwise, Ui terminates the scheme. Step 4: S retrieves rS and H(rC
rS). Then S computes H(rC
rS) and compares the computation result with the retrieved one. If they are equal, S grants Ui the access right; otherwise, S rejects UiÕs request.

4.2. The proposed authentication scheme by using smart cards Here, an authentication scheme employing the smart cards is proposed. No public-key cryptosystem is needed in our second proposed scheme. The second proposed scheme consists of two phases: (1) the registration phase and (2) the login phase, which are described in Sections 4.2.1 and 4.2.2. The initialization of the second scheme is shown as follows: (1) H( ) is a collision-resistant hash function, (2) g is a primitive element in GF(p), and (3) p is a large prime, where g and p are two system parameters kept concealed by S. 4.2.1. The registration phase Whenever Ui wants to be authorized to gain the access right by S, the registration phase performs as shown in Fig. 2. The details are shown as follows:

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

827

Fig. 2. The registration phase of the second proposed scheme.

Step 1: Ui chooses the password PWi at will. Then Ui sends his/her identity IDi, PWi and the registration request to S through the secure channel. Step 2: After getting the information sent by Ui, S computes K ¼ H ðPWi Þ
1 ðgID mod pÞ. Then S issues the smart card, containing K and H( ), to U i.

4.2.2. The login phase When Ui wants to access S, he/she first inserts the smart card into the input devise and then keys in IDi and PWi. Then the login phase performs as in Fig. 3. The details are shown as follows: 1

Step 1: The smart card computes C1 ¼ H ðPWi Þ
K ¼ gID mod p and C2 = R1
C1, where R1 is a random number used only once. Then C2 and IDi are sent to S as the login request.

Fig. 3. The login phase of the second proposed scheme.

828

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832 1

Step 2: After getting the login request, S first computes C10 ¼ gID mod p and R1 0 = C2
C1 0 . Then S randomly chooses a number R2 used only once and computes C4 = H(C1 0 kR1 0 kR2) and C5 = H(C1 0 kR1 0 )
R2. Then S sends IDi, C4 and C5 to Ui. Step 3: After receiving IDi, C4 and C5 sent by S, the smart card computes R2 0 = H(C1kR1)
C5 and C4 0 = H(C1kR1kR2 0 ). If C4 0 = C4, the smart card computes and sends C6 = H(C1kR2 0 ) with IDi to S; otherwise, Ui terminates the phase. Step 4: Upon C6 and IDi are received, S computes C6 0 = H(C1 0 kR2) and checks whether C6 0 = C6. If it holds, S grants Ui the access right; otherwise, S rejects the login request.

5. The security analyses The security analyses of our two proposed schemes are shown in Sections 5.1 and 5.2, respectively. 5.1. The security analyses of the first proposed scheme Here, we are going to demonstrate that our first proposed scheme is secure by giving the following attack scenarios. 5.1.1. The replay attack When an attacker wants to mount the replay attack, he/she may impersonate S or Ui by retransmitting the information sent by S or Ui. However, the attacker cannot succeed because of the following two reasons. (1) If the attacker impersonates Ui, he/she just sends EK S ðrC Þ with IDi to S as a login request in Step 1, where EK S ðrC Þ is eavesdropped by the attacker in one iteration of the scheme. However, the attacker cannot computes EK S ðr0S ; H ðrC
r0S ÞÞ to have himself/herself authenticated successfully in Step 3. Because the random number is chosen to be used only once, r0s must differ from rs, where rs is the random number chosen by S in the eavesdropped iteration and r0s is that in the present iteration. (2) If the attacker impersonates S, he/she just sends EK i ðrC
rS ; H ðrS ÞÞ to Ui in Step 2, where EK i ðrC
rS ; H ðrS ÞÞ is eavesdropped by the attacker in one iteration of the scheme. However, the attacker cannot cheats Ui since r0C must differ from rC, where rC is the random number chosen by Ui in the eavesdropped iteration and r0C is that in the present iteration. As a result, Ui will detect the attack in Step 3. 5.1.2. The server spoofing attack When an attacker wants to impersonate S, he/she cannot succeed at all. First, he/she does not know SÕs private key to get the essential information

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

829

in Step 2. As a result, Ui will detect the attack in Step 3. Moreover, as mentioned in Section 5.1.1, even if the attacker retransmits the eavesdropped information sent by S, he/she still fails. It is ensured that our first proposed scheme can withstand the server spoofing attack. 5.1.3. Impersonating Ui When an attacker wants to impersonate Ui, he/she cannot succeed at all. It is because he/she does not know UiÕs private key to get the essential information to have himself/herself authenticated in Step 3. Moreover, as mentioned in Section 5.1.1, even if the attacker retransmits the eavesdropped information sent by Ui, he/she still fails. 5.1.4. The denial-of-service attack As shown in Section 4.1, no verification pattern is needed in the first proposed scheme. Thereupon, no information to update the stored verifier is needed. Hence, the denial-of-service attack cannot work in the first proposed scheme. 5.1.5. The stolen-verifier attack As shown in Section 4.1, no verification table is stored in the first proposed scheme. On the contrary, only the public keys are employed to have the communication applicants authenticated by each other. Thus the intruder cannot perform the stolen-verifier attack in our first scheme. 5.2. The security analyses of the second proposed scheme Here, we are going to demonstrate that our second proposed scheme is secure by giving the following attack scenarios. 5.2.1. The replay attack If an attacker retransmits the eavesdropped information sent by S/Ui to Ui/ S, Ui/S will detect the replay attack in Step 3/4. It is because the smart card and S choose R1 and R2 in Steps 1 and 2, respectively. 5.2.2. The server spoofing attack Suppose that an attacker wants to impersonate S. First of all, he/she does 1 not know g and p to compute gID mod p. Thus the attacker cannot retrieve R1 in Step 2 and computes correct C4 and C5. As a result, Ui will detect the attack in Step 3. Moreover, as mentioned in Section 5.2.1, even if the attacker retransmits the eavesdropped information sent by S, he/she still fails. It is ensured that our second proposed scheme can withstand the server spoofing attack.

830

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

5.2.3. The denial-of-service attack As shown in Section 4.2, no verification table is needed in the second proposed scheme. And g and p are kept secret by S. Thereupon no information to update the stored verifier is needed. Hence, the denial-of-service attack cannot work in our second scheme. 5.2.4. The stolen-verifier attack As shown in Section 4.2, no verification table is stored in the second pro1 posed scheme. The secret gID mod p shared between S and Ui is only stored in UiÕs smart card. As we know, the smart card is a temporary-resistant device; 1 1 moreover, K ¼ H ðPWi Þ
ðgID mod pÞ, instead of gID mod p, is stored in the smart card. As a result, only S, who knows p and q, and Ui, who knows PWi, 1 1 can get gID mod p. In other words, no attacker can get the secret gID mod p to have himself/herself authenticated successfully. It is confirmed that the proposed scheme can resist the stolen-verifier attack. 5.2.5. Impersonating Ui When an attacker wants to impersonate Ui, he/she cannot succeed. It is be1 cause gID mod p is not available and because retransmitting the eavesdropped data is not workable as mentioned in Section 5.2.1.

6. More discussions In this section, we compare our proposed schemes with the reviewed ones. The properties of the compared schemes are shown in Table 1. In Table 1, ‘‘Y’’ denotes the corresponding scheme achieves the corresponding property or needs the corresponding item. For example, in Hwang and YehÕs scheme,

Table 1 The achieved properties of Hwang and YehÕs scheme (Hwang–Yeh), Lin and HwangÕs scheme (Lin–Hwang), our first proposed scheme (first scheme), and our second proposed scheme (second scheme) Property

Mutual authentication Public-key cryptosystem Stolen-verifier attack Denial-of-service attack Extra device Verification table

Scheme Hwang–Yeh

Lin–Hwang

First

Second

Y Y N N N Y

Y Y N Y N Y

Y Y Y Y N N

Y N Y Y Y N

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

831

the verification table is needed, and their proposed scheme ensures mutual authentication. On the contrary, ‘‘N’’ denotes the corresponding scheme does not achieve the corresponding property or does not need the corresponding item. According to the comparisons among Hwang and YehÕs scheme (Hwang–Yeh), Lin and HwangÕs scheme (Lin–Hwang), our first proposed scheme (first scheme), and our second proposed scheme (second scheme), it demonstrates that no verification table is needed in our proposed schemes. And our schemes can defend against the fatal stolen-verifier attack, which the other two schemes suffer from. As we know, applications without public keys are quite often superior in practice to PKIÕs [9]. This denotes that Hwang and YehÕs scheme, Lin and HwangÕs scheme and our first scheme may be impractical since the publickey cryptosystem is employed. On the other hand, there are extra devices, such as the card reader and the smart card, needed in our second proposed scheme. However, employing the public-key cryptosystem or the extra devices is the essential approach to let the proposed scheme be safe and sound with no verification table. As a result, our first scheme and the second one can be treated as the alternatives. As mentioned in Section 2.3.2, Lin and Hwang indicated that forward secrecy is an essential feature in the password authentication scheme with key distribution. They also claimed that UiÕs password PWi and SÕs public key are long-term secrets in Hwang and YehÕs scheme such that both rc and rs for each session will be known if SÕs private key is compromised. As we know, a scheme ensures forward secrecy if it owns the following property: the previous session keys are still secret if one session key is known. However, the supposition of Lin and HwangÕs claim is too strong since the public-key cryptosystem is not secure anymore. Thus, in our opinion, the statements in Section 2.3.2 are inaccurate.

7. Conclusions As mentioned above, the verification table needed in both Hwang and YehÕs and Lin and HwangÕs schemes makes these schemes vulnerable to the stolenverifier attack. Thus, we propose two schemes with no verification table in this paper. According to the analyses in Section 5, it is sure that our proposed schemes overcome the security drawbacks of both Hwang and YehÕs and Lin and HwangÕs schemes. As shown in Section 6, our first scheme and the second one can be treated as the alternatives since employing the public-key cryptosystem or the extra devices is the essential approach to make the proposed scheme secure with no verification table. Moreover, it is also indicated that Lin and HwangÕs claim, shown in Section 2.3.2, is inaccurate.

832

Y.-F. Chang, C.-C. Chang / Appl. Math. Comput. 167 (2005) 820–832

References [1] S.M. Bellovin, M. Merrit, Encrypted key exchange: Password-based protocols secure against dictionary attacks, in: Proceedings of 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 1992, pp. 72–84. [2] R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen cipher attack, in: Proceedings of Advanced in Cryptology-CryptoÕ98, USA, 1998, pp. 13–25. [3] Y. Ding, P. Horster, Undetectable on-line password guessing attacks, ACM Operating Systems Review 29 (4) (1995) 77–86. [4] J.J. Hwang, T.C. Yeh, Improvement on Peyravian–ZunicÕs password authentication schemes, IEICE Transactions on Communications E85-B (4) (2002) 823–825, April. [5] C.L. Lin, H.M. Sun, T. Hwang, Three-party encrypted key exchange: Attacks and a solution, ACM Operating Systems Review 34 (4) (2000) 12–20. [6] C.L. Lin, H.M. Sun, M. Steiner, T. Hwang, Three-party encrypted key exchange without server public-keys, IEEE Communications Letters 5 (12) (2001) 497–499, December. [7] B.C. Neuman, T. TsÕoÕ, Kerberos: An authentication service for computer networks, IEEE Communications Magazine 32 (9) (1994) 33–38. [8] M. Peyravian, N. Zunic, Methods for protecting password transmission, Computers and Security 19 (5) (2000) 466–469. [9] P. Sutherland, Applied Cryptography, Protocols, Algorithms, and Source Code in C. Bruce Schneier, second ed., John Wiley and Sons Inc., U.S.A., 1996, pp. 15. [10] C.L. Lin, T.H. Hwang, A password authentication scheme with secure password updating, Computers and Security 22 (1) (2003) 68–72.