An undetectable on-line password guessing attack on Nam et al.'s three-party key exchange protocol

Three-party key exchange protocol is one of the most essential cryptographic technique in the secure communication areas. In this protocol, two clients, each shares a human-memorable password, working with a trusted server, can agree a secure session key. Recently, Lu and Cao proposed a new simple three-party key exchange (S-3PAKE) protocol and claimed that it is not only very simple and efficient, but also can survive against various known attacks. However, Nam et al. pointed out that S-3PAKE is vulnerable to both off-line password guessing attack and undetectable on-line password guessing attack. Based on their finding, Nam et al. proposed an improved method to resolve this weakness. They further claimed that so far no off-line password guessing attack has been successful against their proposed protocol. In this paper, we demonstrate that Nam et al.'s improved protocol, unfortunately, is still vulnerable to an undetectable on-line password guessing attack. We therefore propose a simple and powerful method to address this issue. Which results in an improved three-party key exchange protocol that can protect against an undetectable on-line password guessing attack.