Proofs for Two-Server Password Authentication

  • Conference paper
Topics in Cryptology – CT-RSA 2005 (CT-RSA 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3376)

Abstract

Traditional password-based authentication and key-exchange protocols suffer from the simple fact that a single server stores the sensitive user password. In practice, when such a server is compromised, a large number of user passwords (usually password hashes) are exposed at once. A natural solution involves splitting the password between two or more servers. This work formally models the basic security requirement for two-server password authentication protocols, and in this framework provides concrete security proofs for two protocols. The first protocol considered [7] appeared at USENIX’03, but contained no security proof. For this protocol, we provide a concrete reduction to the computational Diffie-Hellman problem in the random oracle model. Next we present a second protocol, based on the same hard problem, but which is simpler and has an easier, tighter reduction proof.

References

  1. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press, New York (1993)

  2. Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols secure against dictionary attacks. In: IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. IEEE Press, Los Alamitos (1992)

  3. Boudot, F., Schoenmakers, B., Traoré, J.: A fair and efficient solution to the socialist millionaires' problem. Discrete Applied Mathematics 111(1-2), 23–36 (2001)

  4. Boyko, V., MacKenzie, P., Patel, S.: Provably secure password-authenticated key exchange using Diffie-Hellman. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 156. Springer, Heidelberg (2000)

  5. Fagin, R., Naor, M., Winkler, P.: Comparing information without leaking it. CACM 39(5), 77–85 (1996)

  6. Ford, W., Kaliski Jr., B.S.: Server-assisted generation of a strong secret from a password. In: Proceedings of the IEEE 9th International Workshop on Enabling Technologies (WETICE). IEEE Press, Los Alamitos (2000)

  7. Kaliski, B., Szydlo, M., Brainard, J., Juels, A.: Nightingale: A new two-server approach for authentication with short secrets. In: Proceedings of the 12th USENIX Workshop on Security, pp. 1–2. IEEE Computer Society, Los Alamitos (2003)

  8. Jablon, D.P.: Research papers on strong password authentication (2002), http://www.integritysciences.com/links.html

  9. Jablon, D.P.: Password authentication using multiple servers. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 344–360. Springer, Heidelberg (2001)

  10. Jakobsson, M., Juels, A.: Mix and match: Secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 162–177. Springer, Heidelberg (2000)

  11. Jakobsson, M., Yung, M.: Proving without knowing: On oblivious, agnostic, and blindfolded provers. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 186–200. Springer, Heidelberg (1996)

  12. MacKenzie, P., Patel, S., Swaminathan, R.: Password-authenticated key exchange based on RSA. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 599. Springer, Heidelberg (2000)

  13. Mackenzie, P., Shrimpton, T., Jakobsson, M.: Threshold password-authenticated key exchange. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 385–400. Springer, Heidelberg (2002)

  14. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 139. Springer, Heidelberg (2000)

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Szydlo, M., Kaliski, B. (2005). Proofs for Two-Server Password Authentication. In: Menezes, A. (eds) Topics in Cryptology – CT-RSA 2005. CT-RSA 2005. Lecture Notes in Computer Science, vol 3376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30574-3_16

  • DOI: https://doi.org/10.1007/978-3-540-30574-3_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-24399-1

  • Online ISBN: 978-3-540-30574-3

  • eBook Packages: Computer Science (R0)
