Dragonfly is a Password Authenticated Key Exchange protocol that uses a shared session key to authenticate parties based on a pre-shared secret password. It was claimed that this protocol was secure against off-line dictionary attacks, but new research has proved that it is vulnerable to them, and a fix was applied in the form of the “Patched Protocol”, which is based on public key validation. Unfortunately, this step raised the computation cost, which made the protocol less appealing than its competitors. We propose an alternative enhancement, known as “Enhanced Dragonfly”, that keeps the protocol secure without any extra computation cost. This solution is based on two pre-shared secret passwords instead of one, and the rounds between the parties are compressed into two rounds instead of four. We prove that the enhanced Dragonfly protocol is secure against off-line dictionary attacks by analyzing its security properties using the Scyther tool. A simulation was developed to measure the execution time of the enhanced protocol, which was found to be much less than the execution time of patched Dragonfly. The off-line dictionary attack takes a few days if the dictionary size is 10,000. Accordingly, the use of the enhanced Dragonfly is more efficient than the patched Dragonfly.