Three-party authenticated key exchange (3PAKE) protocol allows two communication users to authenticate each other and to establish a secure common session key with the help of a trusted remote server. Recently, Farash and Attari propose an efficient and secure 3PAKE protocol based on Chebyshev chaotic maps and their protocol is supported by the formal proof in the random oracle model. However, in this paper, we analyze the security of Farash–Attari’s protocol and show that it fails to resist password disclosure attack if the secret information stored in the server side is compromised. In addition, their protocol is insecure against user impersonation attack and the server is not aware of having caused problem. Moreover, the password change phase is insecure to identify the validity of request where insecurity in password change phase can cause offline password guessing attacks and is not easily reparable. To remove these security weaknesses, based on Chebyshev chaotic maps and quadratic residues, we further design an improved protocol for 3PAKE with user anonymity. In comparison with the existing chaotic map-based 3PAKE protocols, our proposed 3PAKE protocol is more secure with acceptable computation complexity and communication overhead.
