Handbook of Applied Cryptography
Handbook of Applied Cryptography
Robustness Principles for Public Key Protocols
CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
Protocols for Key Establishment and Authentication
Protocols for Key Establishment and Authentication
Reusable cryptographic fuzzy extractors
Proceedings of the 11th ACM conference on Computer and communications security
A password authentication scheme over insecure networks
Journal of Computer and System Sciences
Combining Crypto with Biometrics Effectively
IEEE Transactions on Computers
Security Engineering: A Guide to Building Dependable Distributed Systems
Security Engineering: A Guide to Building Dependable Distributed Systems
Cryptanalysis of a password authentication scheme over insecure networks
Journal of Computer and System Sciences
An improved smart card based password authentication scheme with provable security
Computer Standards & Interfaces
An efficient biometrics-based remote user authentication scheme using smart cards
Journal of Network and Computer Applications
Enhancement of two-factor authenticated key exchange protocols in public wireless LANs
Computers and Electrical Engineering
Multi-factor authenticated key exchange
ACNS'08 Proceedings of the 6th international conference on Applied cryptography and network security
Advanced smart card based password authentication protocol
Computer Standards & Interfaces
Journal of Network and Computer Applications
Multi-factor authenticated key exchange protocol in the three-party setting
Inscrypt'10 Proceedings of the 6th international conference on Information security and cryptology
On the importance of public-key validation in the MQV and HMQV key agreement protocols
INDOCRYPT'06 Proceedings of the 7th international conference on Cryptology in India
HMQV: a high-performance secure diffie-hellman protocol
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Secure remote authentication using biometric data
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
On robust key agreement based on public key authentication
FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
| Hi-index | 0.00 |
This paper shows several security weaknesses of a Multi-Factor Authenticated Key Exchange (MK-AKE) protocol, proposed by Pointcheval and Zimmer at ACNS'08. The Pointcheval-Zimmer scheme was designed to combine three authentication factors in one system, including a password, a secure token (that stores a private key) and biometrics. In a formal model, Pointcheval and Zimmer formally proved that an attacker had to break all three factors to win. However, the formal model only considers the threat that an attacker may impersonate the client; it however does not discuss what will happen if the attacker impersonates the server. We fill the gap by analyzing the case of the server impersonation, which is a realistic threat in practice. We assume that an attacker has already compromised the password, and we then present two further attacks: in the first attack, an attacker is able to steal a fresh biometric sample from the victim without being noticed; in the second attack, he can discover the victim's private key based on the Chinese Remainder theorem. Both attacks have been experimentally verified. In summary, an attacker actually only needs to compromise a single password factor in order to break the entire system. We also discuss the deficiencies in the Pointcheval-Zimmer formal model and countermeasures to our attacks.