A Password-based Key Establishment Protocol with Symmetric Key Cryptography

In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol such that a user and a server can authenticate each other and generate a strong session key by their shared weak password within a symmetric cipher in an insecure channel. In this protocol, a special function which is a combination of a picture function and a distortion function e. g. CAPTCHA, is combined to authenticate the user and protect the password from the dictionary attacks that are major threats for most of the weak password-based protocols. They claim that the proposed protocol is secure against some well known attacks. However Tang and Mitchell show that the protocol suffers from an offline dictionary attack requiring a machine-based search of size 2(23) which takes only about 2.3 hours. So designing such a protocol with providing practical security against offline attack is still an open problem. In this study, we introduce two password-based authenticated key establishment protocols that provide practical security against offline dictionary attacks by only using symmetric key cryptography.