To link to full-text access for this article, visit this link: http://dx.doi.org/10.1016/j.cose.2008.03.001

Byline: Hua Guo (a), Zhoujun Li (a), Yi Mu (b), Xiyong Zhang (c)

Abstract: Recently, Lu and Cao published a novel protocol for password-based authenticated key exchanges (PAKE) in a three-party setting in the Journal of Computers and Security, where two clients, each sharing a human-memorable password with a trusted server, can construct a secure session key. They argued that their simple three-party PAKE (3-PAKE) protocol can resist various known attacks. In this paper, we show that this protocol is vulnerable to a kind of man-in-the-middle attack that exploits an authentication flaw in their protocol and is subject to the undetectable on-line dictionary attack. We also conduct a detailed analysis of the flaws in the protocol and provide an improved protocol.

Author Affiliation:
(a) School of Computer Science & Engineering, Beihang University, 37 Xueyuan Road, Beijing 100083, People's Republic of China
(b) Centre for Computer and Information Security Research, School of Computer Science Software Engineering, University of Wollongong, NSW 2522, Australia
(c) Department of Applied Mathematics, Information Engineering University Zhengzhou 450002, People's Republic of China

Article History: Received 18 May 2007; Accepted 5 March 2008