Abstract

As people can easily choose and memorize simple or meaningful vocabulary as their own secret passwords, password-based three-party authenticated key exchange (3PAKE) protocols have been extensively investigated by scholars in the secure communication research area. However, it is very hard for most of the published schemes to meet the requirements of security and efficiency at the same time. Based on this observation, Lu and Cao [12] proposed a simple 3PAKE mechanism to achieve security criteria and system efficiency simultaneously. However, in 2008, Chang [19] demonstrated that Lu and Cao's 3PAKE scheme is vulnerable to undetectable on-line password guessing attacks, and developed an improved protocol to eliminate the identified security weakness. Nevertheless, Chang's protocol fails to fulfill its security claims. Based on our analyses, Chang's protocol suffers from man-in-the-middle attacks, undetectable on-line password guessing attacks, and off-line password guessing attacks. Accordingly, we propose an enhanced protocol, which inherits the efficiency of Chang's 3PAKE protocol and eliminates its authentication flaws, to accomplish security robustness and system efficiency at the same time.

  • Publication date: 2010-6