Cryptology ePrint Archive: Report 2011/527
Security Weaknesses of password-only authenticated key establishment protocol without public key cryptography
Mohsen Toorani and Maryam Saeed
Abstract: In 2005, Laih et al. proposed a password-based authenticated key exchange protocol that is not based on public key cryptography but instead relies on the human ability to extract strings from distorted images. In this letter, it is shown that Laih et al.’s protocol is vulnerable to password compromise impersonation, malicious server, offline password guessing, undetectable online password guessing, stolen-verifier, and Unknown Key-Share (UKS) attacks, and that it does not provide forward secrecy or key confirmation.
Category / Keywords: Cryptographic protocols, PAKE, CAPTCHA, Security analysis, Attacks
Date: received 29 Aug 2011, last revised 6 Sep 2011, withdrawn 15 Oct 2011
Contact author: mohsen toorani at ii uib no
Available formats: (-- withdrawn --)
Version: 20111015:125330