An Enhanced Dragonfly Key Exchange Protocol against Offline Dictionary Attack


Dragonfly is Password Authenticated Key Exchange protocol that uses a shared session key to authenticate parties based on pre-shared secret password. It was claimed that this protocol was secure against off-line dictionary attack, but a new research has proved its vulnerability to off-line dictionary attack and proving step was applied by using “Patched Protocol” which was based on public key validation. Unfortunately, this step caused a raise in the computation cost, which made this protocol less appealing than its competitors. We proposed an alternate enhancement to keep this protocol secure without any extra computation cost that was known as “Enhanced Dragonfly”. This solution based on two-pre-shared secret passwords instead of one and the rounds between parties had compressed into two rounds instead of four. We prove that the enhanced-Dragonfly protocol is secure against off-line dictionary attacks by analyzing its security properties using the Scyther tool. A simulation was developed to measure the execution time of the enhanced protocol, which was found to be much less than the execution time of patched Dragonfly. The off-line dictionary attack time is consumed for few days if the dictionary size is 10,000. According to this, the use of the enhanced Dragonfly is more efficient than the patched Dragonfly.

Share and Cite:

Alharbi, E. , Alsulami, N. and Batarfi, O. (2015) An Enhanced Dragonfly Key Exchange Protocol against Offline Dictionary Attack. Journal of Information Security, 6, 69-81. doi: 10.4236/jis.2015.62008.

Conflicts of Interest

The authors declare no conflicts of interest.


[1] Stamp, M. (2007) Classic Ciphers in Applied Cryptanalysis: Breaking Ciphers in the Real World. Wiley-IEEE Press, Canada, 25.
[2] Kendhe, A.K. and Agrawal, H. (2013) A Survey Report on Various Cryptanalysis Techniques. International Journal of Soft Computing and Engineering (IJSCE), 3, 287-293.
[3] Lauter, K. and Mityagin, A. (2006) Security Analysis of KEA Authenticated Key Exchange Protocol. International Association for Cryptologic Research.
[4] Saeedetal, M. (2012) An Enhanced Password Authenticated Key Exchange Protocol without Server Public Keys. ICTC, 2012.
[5] Ali, R., Kumar, A. and Narayan, E. (2013) Encryptioan/Decryption Tool with Cryptanalysis. International Journal of Computer Science & Engineering Technology (IJCSET), 4, 1043-1050.
[6] Goyal, V., et al. (2005) CompChall: Addressing Password Guessing Attacks. ITCC 1, IEEE Computer Society.
[7] Bellovin, S.M. and Merritt, M. (1992) Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks. Proceedings of IEEE Symposium on Security and Privacy, Oakland, 4-6 May 1992, 72-84.
[8] Kobara, K. and Imai, H. (2002) Pretty-Simple Password-Authenticated Key Exchange under Standard Assumptions. IEICE Transactions, E85-A(10), 2229-2237.
[9] Bellare, M., Pointcheval, D. and Rogaway, P. (2000) Authenticated Key Exchange Secure against Dictionary Attacks. Proceedings of the 2000 Advances in Cryptology (EUROCRYPT’2000). Springer-Verlag, Berlin, 139-155.
[10] Bresson, E., Chevassut, O. and Pointcheval, D. (2004) New Security Results on Encrypted Key Exchange. In: Proc. PKC 2004, Lecture Notes in Computer Science, Vol. 2947, Springer-Verlag, Berlin, 145-158.
[11] Abdalla, M. and Pointcheval, D. (2005) Simple Password-Based Encrypted Key Exchange Protocols. Proceedings of Topics in Cryptology—CT-RSA, Lecture Notes in Computer Science, Vol. 3376, Springer-Verlag, Berlin, 191-208.
[12] Clarke, D. and Hao, F. (2013) Cryptanalysis of the Dragonfly Key Exchange Protocol.
[13] Saeed, M., Shahriar Shahhoseini, H. and Mackvandi, A. (2011) An Improved Two-Party Password Authenticated Key Exchange Protocol without Server’s Public Key. IEEE 3rd International Conference on Communication Software and Networks, Xi’an, 27-29 May 2011, 90-95.
[14] Hitchcock, Y., Tin, Y.S.T., Boyd, C., Nieto, J.M.G. and Montague, P. (2003) A Password-Based Authenticator: Security Proof and Applications. INDOCRYPT’03, Lecture Notes in Computer Science, Vol. 2904, Springer-Verlag, Berlin, 388-401.
[15] Hao, F. and Ryan, P. (2010) J-PAKE: Authenticated Key Exchange without PKI. In: Transactions on Computational Science XI, Springer, Berlin, 192-206.
[16] Ma, C.G., Wei, F.S. and Gao, F.X. (2013) Efficient Client-to-Client Password Authenticated Key Exchange Based on RSA. IEEE 5th International Conference on Intelligent Networking and Collaborative Systems, Xi’an, 9-11 September 2013, 233-238.
[17] Harkins, D. (2008) Simultaneous Authentication of Equals: A Secure, Password-Based Key Exchange for Mesh Networks. 2nd International Conference on Sensor Technologies and Applications (SENSORCOMM), Cap Esterel, 25-31 August 2008, 839-844.
[19] Stalling, W. (2006) Chapter 4: Finite Fields. In: Cryptography and Network Security, 4th Edition, Pearson Education International, Upper Saddle River, 97-109.
[20] Saeed, M., Mackvandi, A., Naddafiun, M. and Karimnejad, H. (2012) An Enhanced Password Authenticated Key Exchange Protocol without Server Public Keys. 2012 International Conference on ICT Convergence (ICTC), Jeju Island, 15-17 October 2012, 87-91.
[21] Harkins, D. (2012) Dragonfly Key Exchange. Internet Research Taskforce Internet Draft Version 00.
[22] Basin, D., Cremers, C. and Meadows, C. (2009) LTL Model Checking Security Protocols. Journal of Applied Non-Classical Logics, 194, 403-429.
[24] Cremers, C.J.F., Lafourcade, P. and Nadeau, P. (2009) Comparing State Spaces in Automatic Security Protocol Analysis.
[25] Franciscus, C.J. (2006) Scyther—Semantics and Verification of Security Protocols. Eindhoven University of Technology, Eindhoven.
[26] Dalal, N., Shah, J., Hisaria, K. and Jinwala, D. (2010) A Comparative Analysis of Tools for Verification of Security Protocols.
[27] Farouk, A., Fouad, M. and Abdelhafez, A. (2014) Analysis and Improvement of Pairing-Free Certificate-Less Two-Party Authenticated Key Agreement Protocol for Grid Computing. International Journal of Security, Privacy and Trust Management, IJSPTM, 3, 23-36.
[28] Cremers, C. and Mauw, S. (2012) Chapter 4: Security Properties. In: Operational Semantics and Verification of Security Protocols, Information Security and Cryptography, Springer-Verlag, Berlin, 37-65.
[29] Cremers, C. (2014) Scyther User Manual. 18 February 2014.

Copyright © 2022 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.