A New Cross-Realm Client-to-Client Password-Authentication Key Exchange Protocol

A cross-realm client-to-client password-authenticated key exchange (CR-C2C-PAKE) protocol provides a method of key exchange based on password-authenticated between clients registered in different servers. Our proposed CR-C2C-PAKE protocol can be implemented in secret-key setting. It can resist all types of known attacks including the password-compromise impersonation attack. We use common storage devices to complete mutual authentication between client and server in the same realm instead of the expensive smart cards. After the client-server's authentication process, we also use Kerberos system to support cross-realm secure authentication between servers in different realms. At last, the clients with different passwords can establish a secure session key under the help of their respective servers. Our new practical and secure protocol reserves all the advantages of the protocol using smart cards, including that the server only need to keep a secret number instead of the traditional password-tables to authenticate their clients with lower risk and cost. Furthermore, the clients in our protocol could change their passwords off-line anytime and anywhere. Security analysis will be given under the discrete logarithm and Diffie-Hellman assumptions.