In this paper, we consider the problem of mutually authenticated key exchanges between a low-power client and a powerful server. We show how the Jakobsson-Pointcheval scheme proposed recently [15] can be compromised using a variant of interleaving attacks. We also propose a new scheme for achieving mutually authenticated key exchanges. The protocol is proven correct within a variant of Bellare-Rogaway model [3,4]. This protocol gives the same scalability as other public-key based authenticated key exchange protocols but with much higher efficiency and fewer messages. It only takes 20 msec total computation time on a PalmPilot and has only three short messages exchanged during the protocol.
展开▼