Security analysis of a password authenticated key exchange protocol

Abstract

A password authenticated key exchange (PAKE) protocol allows two parties who share a memorable password to obtain a common shared cryptographic key. The central security requirement to such a protocol is that the password should not be subject to (offline) dictionary attack. Following the EKE proposed by Bellovin and Merritt in 1992 [1], many PAKE protocols have been proposed. In this paper we give a security analysis to an RSA-based PAKE protocol proposed in ISC'02 [12]. Our analysis shows that the protocol is subject to dictionary attack when the length of the ID of the second party is small; and therefore the security of the protocol is not related to the security parameters such as the size of the RSA modulo n or the length of the hash function. This violates the security definition of PAKE protocols. Previously well-designed PAKE protocols do not have this security flaw. © Springer-Verlag Berlin Heidelberg 2003.