Journal of Computer Technology & Applications

ABSTRACT
In 2007, Lu and Cao proposed a simple 3-party authenticated key exchange (S-3PAKE) protocol. Kim and Koi found that this protocol cannot resist undetectable online password guessing attacks and gave fixed STPKE’ protocol as a countermeasure using exclusive-or operation. Recently, Tallapally and Padmavathy found that STPKE’ is still vulnerable to undetectable online password guessing attack and gave a modified STPKE’ protocol. In this article, we show that the improvement that they claim is still vulnerable to man in the middle attack.

Keywords: Password based key exchange protocol, password guessing attacks, man in the middle attack