Password-authenticated key exchange between clients in a cross-realm setting

Abstract

The area of password-based authenticated key exchange protocols has been the subject of a vast amount of work in the last few years due to its practical aspects. AuthA is an example of such a technology considered for standardization by the IEEE P1363.2 working group. Unfortunately in its current form AuthA, including some variants, only considered the classic client and server (2-party) scenarios. In this paper, based on a variant of AuthA, we consider a quite different paradigm from the existing ones and propose a provably secure password-authenticated key exchange protocol in a cross-realm setting where two clients in different realms obtain a secret session key as well as mutual authentication, with the help of respective servers. In our protocol, any honest server is unable to gain any information on the value of that session key. Moreover, our protocol is reasonably efficient and has a per-user computational cost that is comparable to that of the underlying 2-party encrypted key exchange. © 2008 Springer Berlin Heidelberg.