Abstract:
In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol such that a user and a server can authenticate each other and generate a strong session key by their shared weak password within a symmetric cipher in an insecure channel. In this protocol, a special function, which is a combination of a picture function and a distortion function, is combined to authenticate the user and protect the password from the dictionary attacks that are major threats
for most of the weak password-based protocols. They claim that the proposed protocol is secure against some well known attacks. However, Tang and Mitchell show that the protocol suffers from an offline dictionary attack requiring a machine based search of size 223 which takes only about 2.3 hours. So designing such a protocol with providing practical security against offline attack is still an open problem. In this study, a password-based authenticated key establishment protocol is proposed that provides practical security against offline dictionary attacks by only using symmetric cryptography.
