Cryptanalysis of a new protocol of wide use for email with perfect forward secrecy

This paper considers security analysis of a cross-realm client-to-client password-authenticated key exchange (C2C-PAKE) protocol with indirect communication structure that was proposed for secure email. The protocol does not need any public key infrastructure (PKI) and was designed to enable senders and recipients of emails to register at different mail servers. However, mail servers require sharing of secret keys in advance. Protocol designers claimed many security attributes including perfect forward secrecy and resilience to dictionary and replay attacks. However, in this paper, we show that the protocol does not provide forward secrecy and is vulnerable to offline dictionary attack, undetectable online dictionary attack, replay attack, and password-compromise impersonation attack. The protocol has also some other defects that are explained in the paper. Copyright © 2014 John Wiley & Sons, Ltd.