Skip to Main Content
Password authentication is a popular approach used for user authentication in pervasive computing environments due to its simplicity and convenience. To secure the transmission between the communicants, an authenticated shared key should be established between the communicants as the encryption key or the MAC key. Recently, Chang, Yang, and Hwang presented a password-based authenticated key agreement scheme that was claimed to be superior to similar schemes with respect to security and efficiency. In this paper, we show that their scheme is vulnerable to a denial-of-service attack. In addition, we demonstrate that their protected password change mechanism fails to provide backward secrecy. Finally, we propose an improved password-based authenticated key agreement scheme that can resist our described denial-of-service attack and can provide backward secrecy.