Design Of Password-based Authenticated Key Agreement Protocols

Distributed system needs protection as the normal networks. It is necessary to keepthe communication secret when a client wants to communicate with the server. One ofthe most important attributions of the remote communication is authentication. Theclient can identify the identity of the server by authentication protocol, and vice versa.Password-based authentication protocol has been widely used in real-life and is animportant research area. It allows two or more parties which hold low-entropy passwordor high-entropy secret key to establish secret key securely in the presence of activeadversary. The secret key would ensure the subsequent secure communication amongthe parties. There are two important requirements for these protocols: efficiency andsecurity. Efficiency is evaluated by the computational overhead and the communicationoverhead to execute a session. The security must satisfy the safe targets ofpassword-based authenticated key agreement protocol. Password-based authenticationprotocol suffers from attacks due to the low entropy password, thus designing a moresecure and efficient password-based authentication protocol is in urgent need. Thispaper makes comparatively deep research for password-based authenticated keyagreement protocols. The main researches in the paper are as follows:1. One-factor password-based authentication protocols are studied. Arshad et al.'sand Islam et al.'s schemes are analyzed. The author points out weaknesses of these twoprotocols and proposes two improvements to eliminate the flaws respectively. Theproposed schemes get rid of the offline dictionary attacks and are proved to be moresecure and efficient than Arshad et al.'s and Islam et al.'s, respectively.2. Two-factor password-based authentication protocols are studied. Firstly, Chenet al.'s and Wen et al.'s schemes are analyzed. The author points out weaknesses ofthese two protocols and proposes two enhancements to eliminate the flaws respectively.The proposed schemes eliminate the lost smart card and offline dictionary attacks andare proved to be more secure than original schemes. Secondly, anonymouspassword-based authentication protocols under global mobile networks (GLOMONET) circumstance are analyzed. The author shows that they are vulnerable to the lost smartcard attacks. The author proposes a two-factor password-based anonymousauthenticated key agreement protocol using mobile device. This scheme is more securethan previous schemes and can resist the lost mobile device attacks. Moreover, itprovides anonymity and perfect forward secrecy (PFS). The protocol is more efficientthan the related works.3. Three-factor password-based authentication protocols are studied. A three-factorauthentication scheme can be more secure than one-factor or two-factor ones. However,Yoon et al.'s three-factor authenticated key agreement protocol for session initiationprotocol (SIP), namely TAKASIP, and Das et al.'s three-factor authentication protocolare both under attacks. The author proposes an elliptic curve cryptography (ECC)based authentication scheme, i.e. ETAKASIP,to eliminate the security flaws in TAKASIP.The security and performance analyses show that ETAKASIPis more secure andefficient than TAKASIP. Meanwhile, the author proposes a three-factor authenticationscheme to remove secure problems in Das et al.'s. The proposed protocol can resist thelost smart card attack and be adopted in three-factor mobile device basedauthentication protocols.