Recently, Zhu et al. proposed an password-based authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in wireless networks. They claimed that the proposed scheme is secure against dictionary attacks. In this paper, we show that the scheme proposed by Zhu et al. is insecure against undetectable on-line password guessing attacks. Furthermore, we examine Zhu et al.'s protocol and find that Zhu et al.'s protocol does not achieve explicit key authentication. An improved version is then proposed to defeat the undetectable on-line password guessing attacks and also provide explicit key authentication.
|Number of pages||5|
|Journal||IEICE Transactions on Communications|
|State||Published - 1 Jan 2003|
- Guessing attack
- Key exchange
- Wireless network