Strengthened PAKE Protocols Secure Against Malicious Private Key Generator

Abstract

At WISA 2015, Choi et al. [9] proposed an identity-based password-authenticated key exchange (iPAKE) protocol using the Boneh-Franklin IBE scheme. In this paper, we revisit the iPAKE protocol [9] (and its generic construction) that has been standardized in the international standard committee ISO/IEC JTC 1/SC 27. First, we show that the iPAKE protocol is insecure against passive/active attacks by a malicious PKG (Private Key Generator) where the malicious PKG can find out all clients’ passwords by just eavesdropping the communications, and the PKG can share a session key with any client by impersonating the server. Then, we propose two strengthened PAKE (SPI and SPI-S) protocols that prevents such malicious PKG’s passive/active attacks. Also, we discuss security of the SPI and SPI-S protocols, and compare relevant protocols in terms of efficiency and security.