In 1995, a potential attack, called undetectable on-line password guessing attack, on three-party encrypted key exchange (3PEKE) protocol is highlighted by Ding and Horster. Since then, this attack has been one of the main concerns for developing a secure 3 PEKE protocol. Recently, Chang and Chang proposed a password-based three-party encrypted key exchange protocol that simultaneously possesses round and computation efficiencies. However, this paper shows that their protocol is potentially vulnerable toward undetectable on-line password guessing attacks. As their protocol is currently one of the most superior of all 3PEKE approaches; it seems worthwhile and valuable to remedy this potential security problem.
