
arxiv: 1906.09330 · v1 · pith:NPJZTW2Cnew · submitted 2019-06-21 · 💻 cs.CR

The Saeed-Liu-Tian-Gao-Li authenticated key agreement protocol is insecure

Pith reviewed 2026-05-25 18:34 UTC · model grok-4.3

classification 💻 cs.CR
keywords authenticated key agreement · replay attack · man-in-the-middle · Diffie-Hellman · protocol security · ephemeral key · session key compromise

The pith

The Saeed-Liu-Tian-Gao-Li authenticated key agreement protocol fails to authenticate one party, allowing replay attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that the protocol does not authenticate both parties of an authenticated Diffie-Hellman key agreement. An active attacker positioned between the parties can record a message from one run and replay it in a later run, where it is accepted because its authenticator is valid but is not bound to anything fresh in the new session; the result is a session established without mutual authentication. Because the replayed message reuses the same ephemeral value, a later compromise of that single ephemeral exposes the session key of every run the attacker set up with it. The analysis assumes the protocol runs exactly as specified by its proposers and that the network permits message interception and replay. Secure, standardised alternatives exist that match the efficiency of the flawed scheme.

Core claim

The protocol proposed by Saeed et al. does not authenticate one of the two parties, so an active man-in-the-middle attacker can replay previous messages and have them accepted in a fresh session. The scheme is an authenticated Diffie-Hellman construction; the missing authentication step allows the replay. In addition, compromise of any ephemeral key used to compute a protocol message immediately compromises the session key established by replaying that message.

What carries the argument

Authenticated Diffie-Hellman key agreement in which one party's messages lack sufficient freshness or binding checks to prevent replay by an active adversary.

If this is right

  • An attacker can impersonate one party to the other by replaying captured messages.
  • Any session key derived from a replayed message is vulnerable if the corresponding ephemeral key is ever disclosed.
  • The protocol does not meet the standard security goals of authenticated key agreement.
  • Replacing the scheme with any of several existing provably secure and standardised protocols eliminates the flaw without increasing communication cost.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Protocol designers should verify replay resistance explicitly rather than assuming authentication follows from the use of public-key operations.
  • Formal analysis tools that model active adversaries and message freshness would have detected the flaw before publication.
  • Efficiency comparisons alone are insufficient justification for new protocols when secure standards already exist at the same cost.

Load-bearing premise

The protocol under analysis is exactly the one written by Saeed et al. and the network allows an active attacker to intercept and replay messages.

What would settle it

An explicit attack trace in which an attacker records one valid exchange, later replays a message from it to one party, and both parties accept the resulting session key as fresh and authenticated.
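The attack trace described above, and the freshness defect named in the core claim, as an added worked example. This is not code from the paper and not the Saeed et al. message format, which this page does not reproduce; it is a toy authenticated Diffie-Hellman exchange constructed so that the responder's authenticator covers only its own ephemeral value, so a recorded reply verifies in any later session. The same script runs a bound variant in which the responder also signs the initiator's fresh value, and shows the replay rejected. The group parameters, the HMAC stand-in for a signature scheme, the party names and the message layout are all assumptions for illustration.

```python
# Added example, not from the paper or the Saeed et al. protocol. A toy
# authenticated Diffie-Hellman exchange with the class of flaw the abstract
# describes (responder's authenticator not bound to the initiator's fresh
# value), beside a bound variant that rejects the same replay.
import hashlib
import hmac
import secrets

# Toy group: Mersenne prime 2^127-1, generator 3. An assumption for the demo,
# not a production group; real code uses a standardised group (RFC 7919) or
# X25519 from a vetted library.
P = (1 << 127) - 1
G = 3

# Long-term keys. The "signature" below is an HMAC under the signer's
# long-term key, a stand-in for a public-key signature whose verification key
# A is assumed to hold. Any unforgeable signature scheme behaves the same in
# this attack: the replayed tag is genuinely valid, it is just stale.
LTK = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}


def sign(who, *fields):
    msg = b"|".join(str(f).encode() for f in fields)
    return hmac.new(LTK[who], msg, hashlib.sha256).digest()


def verify(who, tag, *fields):
    return hmac.compare_digest(sign(who, *fields), tag)


def session_key(shared_secret):
    return hashlib.sha256(str(shared_secret).encode()).digest()


def responder(bind_to_initiator):
    """B's side. In the flawed variant B authenticates only its own
    ephemeral g^y, so the reply carries no freshness for A's current run."""
    def respond(gx):
        y = secrets.randbelow(P - 2) + 2
        gy = pow(G, y, P)
        tag = sign("B", "B", gx, gy) if bind_to_initiator else sign("B", "B", gy)
        return (gy, tag), y
    return respond


def initiator_accepts(gx, msg, bind_to_initiator):
    """A's check on B's reply: group-element sanity plus the authenticator."""
    gy, tag = msg
    if not (2 <= gy < P - 1):  # reject identity / order-2 elements
        return False
    if bind_to_initiator:
        return verify("B", tag, "B", gx, gy)
    return verify("B", tag, "B", gy)


def run_replay(bind_to_initiator):
    """Session 1: honest run; the adversary records B's reply.
    Session 2: the adversary impersonates B to A by replaying that reply.
    Returns (A accepted the replay, adversary recovers A's key once y leaks)."""
    respond = responder(bind_to_initiator)

    # Session 1 (honest):  A -> B: g^x1 ;  B -> A: (g^y1, tag)
    x1 = secrets.randbelow(P - 2) + 2
    gx1 = pow(G, x1, P)
    recorded_msg, y1 = respond(gx1)
    assert initiator_accepts(gx1, recorded_msg, bind_to_initiator)

    # Session 2: A starts afresh; the adversary answers with the recording.
    x2 = secrets.randbelow(P - 2) + 2
    gx2 = pow(G, x2, P)
    accepted = initiator_accepts(gx2, recorded_msg, bind_to_initiator)
    if not accepted:
        return False, False

    # A believes it shares this key with B; B never ran this session.
    k_a = session_key(pow(recorded_msg[0], x2, P))
    # Later, the old ephemeral y1 leaks. g^x2 was on the wire, so the
    # adversary derives A's session key from public values plus y1.
    k_adv = session_key(pow(gx2, y1, P))
    return True, hmac.compare_digest(k_a, k_adv)


if __name__ == "__main__":
    print("unbound:", run_replay(False))  # (True, True): replay accepted, key recovered
    print("bound:  ", run_replay(True))   # (False, False): replay rejected
```

`run_replay` returns a pair for each variant. In the flawed run the initiator accepts the replayed reply, and once the recorded ephemeral leaks the adversary derives the initiator's session key from values that were public on the wire. In the bound variant the stale tag fails verification against the initiator's new ephemeral; that failing check is the freshness binding the referee asks the authors to exhibit for the real protocol.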

Original abstract

A recently proposed authenticated key agreement protocol is shown to be insecure. In particular, one of the two parties is not authenticated, allowing an active man in the middle opponent to replay old messages. The protocol is essentially an authenticated Diffie-Hellman key agreement scheme, and the lack of authentication allows an attacker to replay old messages and have them accepted. Moreover, if the ephemeral key used to compute a protocol message is ever compromised, then the key established using the replayed message will also be compromised. Fixing the problem is simple - there are many provably secure and standardised protocols which are just as efficient as the flawed scheme.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript claims that the Saeed-Liu-Tian-Gao-Li authenticated key agreement protocol is insecure. One party is not authenticated, permitting an active man-in-the-middle adversary to replay old messages and have them accepted. The protocol is an authenticated Diffie-Hellman scheme; the missing authentication also implies that compromise of an ephemeral key used in a message allows the session key derived from a replayed message to be compromised as well. The paper recommends adopting existing standardized, provably secure protocols as a fix.

Significance. If the identified flaw is accurate, the result is significant for the cryptographic protocol design community. It provides a concrete illustration of how an authenticator that is not bound to the current session in a Diffie-Hellman-based key agreement scheme enables replay, and of how a single ephemeral-key exposure then compromises every session key derived from the replayed message. The explicit recommendation to use standardised alternatives supplies a practical takeaway.

major comments (2)
  1. [Abstract] Abstract: the central claim that one party is unauthenticated and that replay succeeds is stated at a high level, but the manuscript provides neither the protocol message formats, the precise computation steps, nor a step-by-step verification that the replayed messages are accepted by the unauthenticated party. Without these details the attack cannot be independently checked against the original Saeed et al. specification.
  2. [Abstract] Abstract: the forward-secrecy claim (ephemeral-key compromise implies session-key compromise on replay) is asserted but not accompanied by an explicit reduction or attack trace showing how the long-term keys and the replayed transcript interact to recover the session key.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the constructive comments. We will revise the manuscript to address the concerns regarding the level of detail in the abstract and the presentation of the attacks.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the central claim that one party is unauthenticated and that replay succeeds is stated at a high level, but the manuscript provides neither the protocol message formats, the precise computation steps, nor a step-by-step verification that the replayed messages are accepted by the unauthenticated party. Without these details the attack cannot be independently checked against the original Saeed et al. specification.

    Authors: We agree with this observation. The original manuscript is a brief note and presents the attack at a high level. In the revised version, we will include the relevant protocol message formats and computations from the Saeed et al. paper, followed by a detailed step-by-step description of the replay attack demonstrating that the messages are accepted. revision: yes

  2. Referee: [Abstract] Abstract: the forward-secrecy claim (ephemeral-key compromise implies session-key compromise on replay) is asserted but not accompanied by an explicit reduction or attack trace showing how the long-term keys and the replayed transcript interact to recover the session key.

    Authors: We acknowledge that an explicit attack trace would strengthen the presentation. The revised manuscript will include a concrete attack trace illustrating how compromise of an ephemeral key allows recovery of the session key from a replayed transcript, taking into account the long-term keys involved. revision: yes

Circularity Check

0 steps flagged

No significant circularity

Full rationale

The paper is a direct cryptanalysis exhibiting an explicit replay attack on the Saeed et al. protocol arising from missing authentication of one party. No equations, fitted parameters, or derivations are present that could reduce to the paper's own inputs. The argument relies on the standard adversary model and the protocol description as given by the original authors; no self-citations are load-bearing and no uniqueness theorems or ansatzes are invoked. The result is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The analysis rests on standard domain assumptions in cryptography regarding adversary capabilities and protocol structure.

axioms (2)
  • domain assumption The network allows active man-in-the-middle attacks where messages can be replayed.
    This is a standard assumption in authenticated key agreement security models.
  • domain assumption The protocol is an authenticated version of Diffie-Hellman as described.
    The analysis depends on the protocol matching the description in the original paper.

pith-pipeline@v0.9.0 · 5623 in / 1242 out tokens · 39981 ms · 2026-05-25T18:34:00.274031+00:00 · methodology


Reference graph

Works this paper leans on

3 extracted references · 3 canonical work pages

  1. [1] C. A. Boyd and A. Mathuria. Protocols for Key Establishment and Authentication. Springer-Verlag, 2003.

  2. [2] International Organization for Standardization, Genève, Switzerland. ISO/IEC 11770-3:2015, Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques, 3rd edition, August 2015.

  3. [3] M. E. S. Saeed, Q.-Y. Liu, G. Y. Tian, B. Gao, and F. Li. AKAIoTs: authenticated key agreement for Internet of Things. Wireless Networks, 25:3081–3101, 2019.