中文摘要：

设计安全高效的基于RSA的口令认证密钥交换协议是密码学领域的公开难题.2011年Wei等学者首次提出了一个基于RSA的可证明安全的网关口令认证密钥交换协议,并声称在随机预言模型下基于大整数的素因子分解困难性证明了协议的安全性.利用该协议中服务器端提供的预言机服务,提出一种分离攻击,攻击者只需发起几十次假冒会话便可恢复出用户的口令.攻击结果表明,该协议无法实现所声称的口令保护这一基本安全目标,突出显示了分离攻击是针对基于RSA的口令认证密钥交换协议的一种严重安全威胁.进一步指出了协议形式化安全证明中的失误,给出一个改进方案.分析结果表明,改进方案在提高安全性的同时保持了较高效率,更适于移动通信环境.

英文摘要：

It remains an open problem to design a secure and efficient RSA-based passw ord-authenticated key exchange（ PAKE） protocol in the areas of cryptography. In 2011,Wei proposed the first provably secure gatew ay-oriented PAKE protocol using RSA,and claimed that the protocol is provably secure in the random oracle model based on the intractability of the integer factorization problem. How ever,in this short paper,w e point out that an adversary can launch the separation attack on their protocol by exploiting the oracle service unw ittingly provided by the server,and a user＇s passw ord can thus be guessed just after tens of malicious sessions. Our cryptanalysis result invalidates Wei＇s claim that their protocol can achieve the security goal of passw ord protection,and highlights the damaging threat that separation attack poses to RSA-based PAKE protocols. Furthermore,w e uncover the flaw s in their formal security proof and put forw ard an enhancement to overcome the identified defect. The analysis results show that the improved protocol eliminates the vulnerability of Wei＇s protocol w hile keeping the merit of high performance,suitable for mobile application scenarios.