30-05-2012, 03:23 PM
A Practical Password-Based Two-Server Authentication and Key Exchange System
[attachment=23563]
INTRODUCTION
PASSWORD-BASED user authentication systems are low cost
and easy to use. A user only needs to memorize a short
password and can be authenticated anywhere, anytime,
regardless of the types of access devices he/she employs.
By and large, password has been the most pervasive user
authentication means since the advent of computers and is
still gaining popularity even in the presence of several
alternative strong authentication approaches, e.g., digital
signature and biometrics [15]. The reasons are straightforward:
Password authentication requires no dedicated
device, which is of special importance as users are
becoming increasingly roaming nowadays. While smartcards
or similar handheld devices offer good portability for
storing secret signing keys in digital signature generation,
they inevitably require supporting infrastructure (software,
hardware, and PKI) to work upon; moreover, safety of the
physical token itself is a concern:
Related Work
It is a proven fact that public key techniques (e.g., exponentiations
in a multiplicative group) are absolutely necessary to
make password systems secure against offline dictionary
attacks, whereas the involvement of public key cryptosystems
under a PKI (e.g., public key encryption and digital
signature schemes) is not essential [13]. This observation
differentiates two separate approaches to the development
of secure password systems: combined use of a password
and public key cryptosystem under a PKI, and a passwordonly
approach. The former takes into account the asymmetry
of capabilities between users and servers, so a user
only uses a password while the server has a public/private
key pair at its disposal.
Our Contribution
We continue the line of research on the two-server
paradigm in [3], [24], whereas we extend the model by
imposing different levels of trust upon the two servers, and
adopt a very different method at the technical level in the
protocol design. As a result, we propose a practical twoserver
password authentication and key exchange system
that is secure against offline dictionary attacks by servers
when they are controlled by adversaries. Our system is a
password-only system in the sense that it requires no public
key cryptosystem and, thus, no PKI. This makes our system
very attractive considering PKIs are proven notoriously
expensive to deploy in real world.
Organization
In Section 2, we discuss different server models for
password systems and specify the two-server architecture
upon which ours is built. We then present our two-server
password authentication and key exchange protocols in
Section 3. In Section 4, we describe applications and
extension of the proposed system, followed by some
discussions in Section 5. Finally, we draw concluding
remarks and give future work in Section 6.
THE TWO-SERVER ARCHITECTURE
Password systems are normally built over the following
four types of architectures shown in Fig. 1.
The first type is the single-server model given in Fig. 1a,
where a single server is involved and it keeps a database of
user passwords. As mentioned earlier, most of the existing
password systems follow this single-server model, but the
single server results in a single point of vulnerability in
terms of offline dictionary attacks against the user password
database.
[attachment=23563]
INTRODUCTION
PASSWORD-BASED user authentication systems are low cost
and easy to use. A user only needs to memorize a short
password and can be authenticated anywhere, anytime,
regardless of the types of access devices he/she employs.
By and large, password has been the most pervasive user
authentication means since the advent of computers and is
still gaining popularity even in the presence of several
alternative strong authentication approaches, e.g., digital
signature and biometrics [15]. The reasons are straightforward:
Password authentication requires no dedicated
device, which is of special importance as users are
becoming increasingly roaming nowadays. While smartcards
or similar handheld devices offer good portability for
storing secret signing keys in digital signature generation,
they inevitably require supporting infrastructure (software,
hardware, and PKI) to work upon; moreover, safety of the
physical token itself is a concern:
Related Work
It is a proven fact that public key techniques (e.g., exponentiations
in a multiplicative group) are absolutely necessary to
make password systems secure against offline dictionary
attacks, whereas the involvement of public key cryptosystems
under a PKI (e.g., public key encryption and digital
signature schemes) is not essential [13]. This observation
differentiates two separate approaches to the development
of secure password systems: combined use of a password
and public key cryptosystem under a PKI, and a passwordonly
approach. The former takes into account the asymmetry
of capabilities between users and servers, so a user
only uses a password while the server has a public/private
key pair at its disposal.
Our Contribution
We continue the line of research on the two-server
paradigm in [3], [24], whereas we extend the model by
imposing different levels of trust upon the two servers, and
adopt a very different method at the technical level in the
protocol design. As a result, we propose a practical twoserver
password authentication and key exchange system
that is secure against offline dictionary attacks by servers
when they are controlled by adversaries. Our system is a
password-only system in the sense that it requires no public
key cryptosystem and, thus, no PKI. This makes our system
very attractive considering PKIs are proven notoriously
expensive to deploy in real world.
Organization
In Section 2, we discuss different server models for
password systems and specify the two-server architecture
upon which ours is built. We then present our two-server
password authentication and key exchange protocols in
Section 3. In Section 4, we describe applications and
extension of the proposed system, followed by some
discussions in Section 5. Finally, we draw concluding
remarks and give future work in Section 6.
THE TWO-SERVER ARCHITECTURE
Password systems are normally built over the following
four types of architectures shown in Fig. 1.
The first type is the single-server model given in Fig. 1a,
where a single server is involved and it keeps a database of
user passwords. As mentioned earlier, most of the existing
password systems follow this single-server model, but the
single server results in a single point of vulnerability in
terms of offline dictionary attacks against the user password
database.