A password-based key establishment protocol with symmetric key cryptography

In 2005, Laih, Ding and Huang proposed a password-based key establishment protocol such that a user and a server can authenticate each other and generate a strong session key by their shared weak password within a symmetric cipher in an insecure channel. They claim that the proposed protocol is secure against offline dictionary attacks that are major threats for most of the weak password-based protocols and other some well known attacks. However Tang and Mitchell shows that the protocol suffers from an offline dictionary attack requiring a machine-based search of size 2²³ which takes only about 2.3 hours. So designing such a protocol with providing practical security against offline attack is still an open problem. In this study, we introduce two password-based authenticated key establishment protocols that provide practical security against offline dictionary attacks by only using symmetric cryptography.