Abstract:

For mobilecommerce environments, a novel passwordbased authenticated key exchange protocol is proposed to solve that the technology to effectively prevent legitimate users’ abuse, named as completely automatic public Turing test to tell computer and human apart (CAPTCHA), is vulnerable to analytical attacks. The protocol elaborately combines the CAPTCHA challenge/response progress with the authenticated key exchange interaction. It introduces symmetric encryption scheme to make CAPTCHA secure without additional communication rounds. And it is based on smartcards to obtain stronger security and adopts elliptic curve cryptosystem which is suitable for the environments. In random oracle model it is provably secure. Compared with the other related protocols, it requires only three communication rounds, protects CAPTCHA against analytical attacks, needs no validation tables storing on the server and provides perfect forward secrecy.

Key words: passwordbased authenticated key exchange, completely automatic public Turing test to tell computer and human apart, elliptic curve cryptosystem, smart card