A practical password-based two-server authentication and key exchange system

Most password-based user authentication systems place total trust on the authentication server where cleartext passwords or easily derived password verification data are stored in a central database. Such systems are, thus, by no means resilient against offline dictionary attacks initiated at the server side. Compromise of the authentication server by either outsiders or insiders subjects all user passwords to exposure and may have serious legal and financial repercussions to an organization. Recently, several multiserver password systems were proposed to circumvent the single point of vulnerability inherent in the single-server architecture. However, these multiserver systems are difficult to deploy and operate in practice since either a user has to communicate simultaneously with multiple servers or the protocols are quite expensive. In this paper, we present a practical password-based user authentication and key exchange system employing a novel two-server architecture. Our system has a number of appealing features. In our system, only a front-end service server engages directly with users while a control server stays behind the scene; therefore, it can be directly applied to strengthen existing single-server password systems. In addition, the system is secure against offline dictionary attacks mounted by either of the two servers.

Bibliographic Details
Main Authors: YANG, Yanjiang; DENG, Robert H.; Bao, Feng
Format: text (application/pdf)
Language: English
Published: Institutional Knowledge at Singapore Management University, 2006 (record date 2006-04-01)
DOI: 10.1109/TDSC.2006.16
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems, InK@SMU (SMU Libraries)
Institution: Singapore Management University
Record ID: sg-smu-ink.sis_research-2189
Subjects: Password system; password verification data (PVD); user authentication; key exchange; offline dictionary attack; Information Security
Online Access: https://ink.library.smu.edu.sg/sis_research/1190
https://ink.library.smu.edu.sg/context/sis_research/article/2189/viewcontent/A_practical_password_based_two_server_authentication_and_key_exchange_system.pdf