12-07-2013, 02:04 PM
Implementation of Secured password for Web applications using two server model
Implementation of Secured.pdf (Size: 831.13 KB / Downloads: 21)
Abstract
The secured password is the most commonly used
authentication mechanism in security applications [11]. There
is always a risk of passwords being compromised by attackers, so it
is essential to protect password information while sending
requests to the servers. Early Web applications used a central
database as the password authentication scheme. Deploying
password-authenticated key exchange solutions in practice using
multiple servers has been one of the biggest challenges. Several
multi-server schemes have been proposed for authentication. This
work emphasizes a shared secured password for Web applications
using the two-server model. This system overcomes the limitations
of the previously proposed single-server and multi-server
authentication systems. The new system is being developed as a
secured password for Web applications, viz. authentication in
VoIP (voice over internet protocol) services, PDA devices, etc.
INTRODUCTION
Password systems are normally built over the following
three types of architectures:
Single-server model.
Plain multiserver model.
Gateway augmented multiserver model.
The first type is the single-server model given in Fig. 1,
where a single server is involved and it keeps a database of user
passwords. Most of the existing password systems follow this
single-server model, but the single server results in a single
point of vulnerability in terms of offline dictionary attacks
against the user password database.
TWO-SERVER MODEL
The two-server model [7] comprises two servers at the
server side: a public server that exposes itself to users and a
back-end server that stays behind the scenes. Users contact only
the public server, but the two servers work together to
authenticate users. The basic two-server model extends to an
architecture where a single control server supports multiple
service servers. In such an architecture, the control server and
the service servers are managed in different administrative
domains, and the domain where the control server resides enforces
more stringent security measures. The two-server model is shown
in Fig. 4.
MODEL DESCRIPTION
Three types of entities are involved in this system, i.e.,
users (U), a service server (SS) that is the public server in the
two server model, and a control server (CS) that is the back-end
server. In this setting, users only communicate with SS
and do not necessarily know CS. For the purpose of user
authentication, a user U has a password which is
transformed into two long secrets, which are held by SS and
CS, respectively. Based on their respective shares, SS and CS
together validate users during user login. We assume the
following security model: CS is controlled by a passive
adversary and SS is controlled by an active adversary in terms
of offline dictionary attacks on user passwords, but they do not
collude (otherwise, the setting reduces to the single-server
model). By definition, a passive adversary follows
honest-but-curious behavior, that is, it honestly executes the
protocol according to the protocol specification and does not
modify data, but it eavesdrops on communication channels.
User Registration
In any password system, to enroll as a
legitimate user in a service, a user must
beforehand register with the service provider by
establishing a shared password with the provider. U
needs to register not only to the service provider SS but
also to the control server CS. Let us suppose U has
already successfully identified himself to SS, e.g., by
showing his identification card. U splits his password π
into two long random numbers π1 ∈_R Z_q and π2 ∈_R Z_q
such that π1 + π2 = π (mod q), where q is defined in
Table 1. U then registers π1 and π2 in a secure manner
with SS and CS, respectively. SS stores the account
(U, π1) in its secret database, and CS stores (U, π2) in
its secret database. In case CS supports multiple service
servers, it stores (U, π2, SS) to distinguish users
associated with different servers. This completes the
user registration phase. One may wonder how U
registers π2 with CS, as CS is supposed to be hidden from U.
This is actually not a problem in practice: U can reach
CS through out-of-band channels. Figure 5 shows the
flowchart of the user registration procedure.
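The registration split above, as an added worked example (not code from the paper or the poster): the password is encoded into Z_q, split into two random shares held by SS and CS, and a single share is checked against a word list to show why neither server alone is a useful target for the offline dictionary attack described in the introduction. The modulus Q, the SHA-256 password encoding, and the dictionary-style databases are assumptions, since this page does not reproduce Table 1 or the login protocol.

```python
import hashlib
import secrets

# Assumed modulus: the paper's q comes from its Table 1, which is not on this
# page, so a well-known 256-bit prime stands in as an example value.
Q = 2**256 - 2**32 - 977

def password_to_element(password: str) -> int:
    """Encode a password as an element of Z_q (assumed encoding, not the paper's)."""
    return int.from_bytes(hashlib.sha256(password.encode("utf-8")).digest(), "big") % Q

def split_password(pi: int) -> tuple[int, int]:
    """Choose pi1 uniformly in Z_q and set pi2 so that pi1 + pi2 = pi (mod q)."""
    pi1 = secrets.randbelow(Q)
    pi2 = (pi - pi1) % Q
    return pi1, pi2

def register(user: str, password: str, ss_db: dict, cs_db: dict, ss_id: str = "SS") -> None:
    """Registration phase: SS stores (U, pi1); CS stores (U, pi2, SS)."""
    pi1, pi2 = split_password(password_to_element(password))
    ss_db[user] = pi1
    cs_db[(user, ss_id)] = pi2  # CS keys on (U, SS) so it can serve several service servers

def reconstruct(pi1: int, pi2: int) -> int:
    """Only the two shares together recover pi (the servers are assumed not to collude)."""
    return (pi1 + pi2) % Q

def single_server_verifier(password: str) -> bytes:
    """Single-server model: one database holds a verifier derived from the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def guesses_consistent_with_verifier(verifier: bytes, wordlist: list[str]) -> list[str]:
    """Guesses a holder of the single-server database can confirm offline."""
    return [w for w in wordlist if single_server_verifier(w) == verifier]

def guesses_consistent_with_share(share: int, wordlist: list[str]) -> list[str]:
    """Guesses a holder of ONE share can rule out: none, because for every guess
    there is some value of the other share with pi1 + pi2 = guess (mod q)."""
    return [w for w in wordlist if 0 <= (password_to_element(w) - share) % Q < Q]

if __name__ == "__main__":
    ss_db, cs_db = {}, {}
    register("alice", "correct horse", ss_db, cs_db)  # constructed sample user
    assert reconstruct(ss_db["alice"], cs_db[("alice", "SS")]) == password_to_element("correct horse")
```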
CONCLUSION
In contrast to existing multiserver password systems, our
system has great potential for practical applications. It can be
directly applied to fortify existing standard single-server
password applications, e.g., FTP and Web applications. It can
also be applied in the federated enterprise setting, where a
single control server supports multiple service servers.