Science & Engineering Research Support soCiety (SERSC)
Protocols for Password-based Authenticated Key Exchange (PAKE) enable two or more parties communicating over a public network to build a secure communication channel using their easy-to-remember passwords. However, offline dictionary attacks have always been a major security concern in the design of such password-based protocols. Compared with the two-party setting, the concern is significantly greater in the three-party setting, where insider attacks may be mounted. In this paper, the authors identify an inherent flaw in the design of the researcher's three-party PAKE protocol (IEEE Communications Letters) and of Lu and Cao's protocol, and demonstrate that both protocols are susceptible to a previously unpublished offline dictionary attack.