Publication Type

Journal Article

Version

publishedVersion

Publication Date

4-2006

Abstract

Most password-based user authentication systems place total trust on the authentication server where cleartext passwords or easily derived password verification data are stored in a central database. Such systems are, thus, by no means resilient against offline dictionary attacks initiated at the server side. Compromise of the authentication server by either outsiders or insiders subjects all user passwords to exposure and may have serious legal and financial repercussions to an organization. Recently, several multiserver password systems were proposed to circumvent the single point of vulnerability inherent in the single-server architecture. However, these multiserver systems are difficult to deploy and operate in practice since either a user has to communicate simultaneously with multiple servers or the protocols are quite expensive. In this paper, we present a practical password-based user authentication and key exchange system employing a novel two-server architecture. Our system has a number of appealing features. In our system, only a front-end service server engages directly with users while a control server stays behind the scene; therefore, it can be directly applied to strengthen existing single-server password systems. In addition, the system is secure against offline dictionary attacks mounted by either of the two servers.

Keywords

Password system, password verification data (PVD), user authentication, key exchange, offline dictionary attack

Discipline

Information Security

Research Areas

Information Security and Trust

Publication

IEEE Transactions on Dependable and Secure Computing

Volume

3

Issue

2

First Page

105

Last Page

114

ISSN

1545-5971

Identifier

10.1109/TDSC.2006.16

Publisher

IEEE

Additional URL

https://doi.org/10.1109/TDSC.2006.16

Download

Share

COinS