Abstract
Traditional password-based authentication and key-ex-change protocols suffer from the simple fact that a single server stores the sensitive user password. In practice, when such a server is compromised, a large number of user passwords, (usually password hashes) are exposed at once. A natural solution involves splitting password between two or more servers. This work formally models the basic security requirement for two-server password authentication protocols, and in this framework provides concrete security proofs for two protocols. The first protocol considered [7] appeared at USENIX’03, but contained no security proof. For this protocol, we provide a concrete reduction to the computational Diffie-Hellman problem in the random oracle model. Next we present a second protocol, based on the same hard problem, but which is simpler, and has an easier, tighter reduction proof.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press, New York (1993)
Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. IEEE Press, Los Alamitos (1992)
Boudot, F., Schoenmakers, B., Traoré, J.: A fair and efficient solution to the socialist millionaires- problem. Discrete Applied Mathematics 111(1-2), 23–36 (2001)
Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using diffie-hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 156. Springer, Heidelberg (2000)
Fagin, R., Naor, M., Winkler, P.: Comparing information without leaking it. CACM 39(5), 77–85 (1996)
Ford, W., Kaliski Jr., B.S.: Server-assisted generation of a strong secret from a password. In: Proceedings of the IEEE 9th International Workshop on Enabling Technologies (WETICE). IEEE Press, Los Alamitos (2000)
Kaliski, B., Szydlo, M., Brainard, J., Juels, A.: Nightingale: A new two-server approach for authentication with short secrets. In: Proceedings of the 12th USENIX Workshop on Security, pp. 1–2. IEEE Computer Society, Los Alamitos (2003)
Jablon, D.P.: Research papers on strong password authentication (2002), http://www.integritysciences.com/links.html
Jablon, D.P.: Password authentication using multiple servers. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 344–360. Springer, Heidelberg (2001)
Jakobsson, M., Juels, A.: Mix and match: Secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 162–177. Springer, Heidelberg (2000)
Jakobsson, M., Yung, M.: Proving without knowing: On oblivious, agnostic, and blindfolded provers. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 186–200. Springer, Heidelberg (1996)
MacKenzie, P., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on rsa. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 599. Springer, Heidelberg (2000)
Mackenzie, P., Shrimpton, T., Jakobsson, M.: Threshold password-authenticated key exchange. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 385–400. Springer, Heidelberg (2002)
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 139. Springer, Heidelberg (2000)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Szydlo, M., Kaliski, B. (2005). Proofs for Two-Server Password Authentication. In: Menezes, A. (eds) Topics in Cryptology – CT-RSA 2005. CT-RSA 2005. Lecture Notes in Computer Science, vol 3376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30574-3_16
Download citation
DOI: https://doi.org/10.1007/978-3-540-30574-3_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24399-1
Online ISBN: 978-3-540-30574-3
eBook Packages: Computer ScienceComputer Science (R0)