Effective Password Authentication by Key Exchange with Two-Servers
P. Suresh (1), K. Guru Jyothsna Devi (2)

(1) M.Tech Student, Department of CSE, Sri Venkateswara College of Engineering, Tirupati
(2) Assistant Professor, Department of CSE, Sri Venkateswara College of Engineering, Tirupati
Abstract-- In most client-server communication, authentication is done by an exchange of messages that also establishes a cryptographic key based on the password. Such a configuration has a single server store all the passwords for authenticating the clients, and an attacker can easily gather those passwords and client information by attacking or hacking that single server. In this paper, we propose a scenario where two servers cooperate to authenticate a client: if one server is attacked, the attacker still cannot authenticate with the information from that compromised server. Recent solutions for password authenticated key exchange (PAKE) using two servers are either symmetric or asymmetric. Our model is a symmetric solution beneficial in parallel and distributed systems. This protocol model is more efficient than current two-server PAKE protocols.

Keywords: PAKE, Diffie-Hellman key exchange, ElGamal encryption, Dictionary attack.

1. INTRODUCTION

Nowadays, a computer user may need passwords for various purposes: logging in to computer accounts, opening e-mail, gaining access to programs, catalogues, systems, websites, etc.

Earlier password-based authentication systems pass a cryptographic hash of the password over a public channel, which makes the hash value available to an attacker. In such a scenario, the attacker can work offline, rapidly trying possible passwords against the true password's hash value. For example, according to Bruce Schneier, observing facts from a 2006 phishing attack, 55 percent of MySpace passwords would be crackable in 8 hours with a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006. Modern research advances in password-based authentication have allowed a client and a server to authenticate each other with a password and in the meantime to generate a cryptographic key for secure communications after authentication. In general, present solutions for password-based authentication follow two models.

The first model, called the PKI-based model, assumes that the client retains the server's public key in addition to sharing a password with the server. In this setting, the client can send the password to the server by public key encryption. Gong et al. were the first to present this kind of authentication protocol, with heuristic resistance to offline dictionary attacks.

The second model is known as the password-only model. Bellovin and Merritt were the first to consider authentication based on a password only, and introduced a set of so-called "encrypted key exchange" protocols, where the password is used as a secret key to encrypt random numbers for key exchange purposes. Formal models of security for password-only authentication were first given independently by Bellare et al. and Boyko et al. Katz et al. were the first to give a password-only authentication protocol which is both practical and provably secure under standard cryptographic assumptions.

Based on the identity-based encryption technique, Yi et al. suggested an identity-based model where the client needs to remember the password only, while the server keeps the password in addition to private keys related to its identity. In this setting, the client can encrypt the password based on the identity of the server. This model lies between the PKI-based and the password-only models.

Typical protocols for password-based authentication assume a single server stores all the passwords necessary to authenticate clients. If the server is compromised, due to, for example, hacking, installing a "Trojan horse," or even an insider attack, user passwords stored in the server are disclosed. To address this issue, two-server password-based authentication protocols were introduced, where two servers cooperate to authenticate a client on the basis of a password, and if one server is attacked, the attacker still cannot authenticate with the information from that compromised server.

Current solutions for two-server PAKE are either symmetric, in the sense that two peer servers equally contribute to the authentication, or asymmetric, in the sense that one server authenticates the client with the help of another server. A symmetric two-server PAKE protocol, for example Katz et al.'s protocol, can run in parallel and establishes secret session keys between the client and the two servers, respectively. In case one of the two servers shuts down due to a denial-of-service attack, the other server can continue to provide services to authenticated clients. In terms of parallel computation and reliable service, a symmetric protocol is superior to an asymmetric protocol. So far, only Katz et al.'s two-server PAKE protocol has been symmetric, but their protocol is not efficient for practical use. An asymmetric two-server PAKE protocol runs in series, and only the front-end server and the client need to establish a secret session key. Current asymmetric protocols, for example Yang et al.'s protocol and Jin et al.'s protocol, need the two servers to exchange messages several times in series. These asymmetric designs are less efficient than a symmetric design, which allows the two servers to compute in parallel.

In this paper, we propose a different symmetric solution for two-server PAKE. In all existing two-server PAKE protocols, the two servers are provided random password shares $pwd_1$ and $pwd_2$ conditional on $pwd_1 + pwd_2 = pwd$. In our protocol, we provide the two servers S1 and S2 with an encryption of the password under their own encryption keys. In addition, the two servers are provided random password shares $d_1$ and $d_2$ subject to $d_1 \oplus d_2 = H(pwd)$, where H is a hash function; the password pwd is secret unless the two servers get together.

Although we use the concept of a public key cryptosystem, our protocol follows the password-only model. The encryption and decryption key pairs for the two servers are generated by the client and delivered to the servers through different secure channels during client registration, just as the client in any two-server PAKE protocol sends the two halves of the password to the two servers in secret, respectively. In fact, a server should not know the encryption key of the other server and is restricted to operating on the encryption of the password on the basis of the homomorphic properties of the ElGamal encryption scheme.

Studies on security have shown that our protocol is safe against both passive and active attacks in case one server is hacked. Performance analysis has shown that our protocol is more efficient than previous symmetric and asymmetric two-server PAKE protocols in terms of parallel computation.

Our protocol can be applied in distributed systems where multiple servers exist. For example, Microsoft Active Directory Domain Services (AD DS) is the foundation for distributed networks built on Windows Server operating systems that use domain controllers. AD DS provides structured and hierarchical data storage for objects in a network such as users, computers, printers, and services. AD DS also provides support for locating and working with these objects. For a large enterprise running its own domain, there must be two AD DS domain controllers for fault-tolerance purposes. To authenticate a user on a network, the user usually needs to provide his/her identification and password to one AD DS domain controller. Based on our two-server PAKE protocol, we can split the user's password into two parts and store them, respectively, on the two AD DS domain controllers, which can then cooperate to authenticate the user. Even if one domain controller is compromised, the system can still work. In this way, we can achieve a more secure AD DS.

2. KEY REQUIREMENTS

2.1 Diffie-Hellman Key Exchange

It was the first practical method for two users to establish a shared secret key over an unprotected communications channel. This key exchange protocol was invented by Diffie and Hellman in 1976. Although it is a non-authenticated key exchange protocol, it provides the basis for a variety of authenticated protocols.

Consider two users, Alice and Bob, who know nothing about each other but want to establish secure communications between them. The Diffie-Hellman key exchange protocol can be used as follows:

1. Alice and Bob agree on a cyclic group G of large prime order q with a generator g.
2. Alice randomly chooses an integer a from $Z_q^*$ and computes $A = g^a$, while Bob randomly chooses an integer b from $Z_q^*$ and computes $B = g^b$. Then Alice and Bob exchange A and B.
3. Alice computes the secret key $sk_1 = B^a = g^{ba}$, while Bob computes the secret key $sk_2 = A^b = g^{ab}$.

It is obvious that $sk_1 = sk_2$, and thus Alice and Bob have agreed on the same secret key, by which the succeeding communications between them can be protected.

The Diffie-Hellman key exchange protocol is secure against any passive adversary who cannot interact with Alice and Bob and attempts to determine the secret key solely based upon observed data. The security is built on the well-known computational Diffie-Hellman (CDH) and decisional Diffie-Hellman (DDH) assumptions.

2.2 ElGamal Encryption Scheme

The ElGamal encryption scheme was invented by ElGamal in 1985 on the basis of the Diffie-Hellman key exchange protocol. It consists of key generation, encryption, and decryption algorithms as follows:

1. Key generation. On input a security parameter k, it publishes a cyclic group G of large prime order q with a generator g. Then it chooses a decryption key d randomly from $Z_q^*$ and computes an encryption key $e = g^d$.
2. Encryption. On input a message $m \in G$ and the encryption key e, it chooses an integer r randomly from $Z_q^*$ and outputs a ciphertext $C = E(m, e) = (A, B) = (g^r, m \cdot e^r)$.
3. Decryption. On input a ciphertext (A, B) and the decryption key d, it outputs the plaintext $m = D(C, d) = B / A^d$.

The ElGamal encryption scheme is a probabilistic encryption scheme: encrypting the same message with the ElGamal encryption scheme several times will yield different ciphertexts.

3 PASSWORD-ONLY AUTHENTICATED KEY EXCHANGE WITH TWO-SERVERS

3.1 Our Model

In our system, there exist two servers S1 and S2 and a group of clients. The two servers cooperate to authenticate clients and provide services to authenticated clients. Prior to authentication, each client C chooses a password $pwd_C$ and generates the password authentication information $Auth_{C1}$ and $Auth_{C2}$ for S1 and S2, respectively, such that nobody can determine the password $pwd_C$ from $Auth_{C1}$ or $Auth_{C2}$ unless S1 and S2 collude. The client sends $Auth_{C1}$ and $Auth_{C2}$ to S1 and S2, respectively, through different secure channels during client registration. After that, the client remembers the password only, and the two servers keep the password authentication information.
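The Diffie-Hellman exchange of Section 2.1, the ElGamal operations of Section 2.2 and the blinding that Step 2 of Section 3.2.3 applies to a stored ElGamal ciphertext, exercised together in an added Python example that is not part of the original paper. The toy group (p = 1019, q = 509, g1 = 4), the sample password and the function names are constructed for this example; the blinding follows the paper's formula (A^r1, (R·B)^r1).

```python
import secrets

# Toy parameters constructed for this example: p = 2q + 1 is a safe prime and
# g1 = 4 is a quadratic residue mod p, so it generates the subgroup G of prime
# order q. A deployment would use a 2048-bit group; the algebra is identical.
P, Q, G1 = 1019, 509, 4

def rand_exp():
    """A random integer from Z_q^* (1 .. q-1)."""
    return secrets.randbelow(Q - 1) + 1

def dh_exchange(a, b):
    """Section 2.1: Alice holds a, Bob holds b. Returns (sk1, sk2)."""
    A, B = pow(G1, a, P), pow(G1, b, P)   # the values exchanged in the clear
    return pow(B, a, P), pow(A, b, P)      # sk1 = g1^(ba), sk2 = g1^(ab)

def elgamal_keygen():
    """Section 2.2: decryption key d from Z_q^*, encryption key e = g1^d."""
    d = rand_exp()
    return d, pow(G1, d, P)

def elgamal_encrypt(m, e, r=None):
    """E(m, e) = (A, B) = (g1^r, m * e^r); a fresh r gives a fresh ciphertext."""
    r = rand_exp() if r is None else r
    return pow(G1, r, P), (m * pow(e, r, P)) % P

def elgamal_decrypt(ct, d):
    """D((A, B), d) = B / A^d, the division being a modular inverse of A^d."""
    A, B = ct
    return (B * pow(A, -d, P)) % P

def server_blind(ct, R, r1):
    """Step 2 of Section 3.2.3 as the paper writes it: the server that stores
    E(g2^pwd, e_j) but does not hold d_j computes (A^r1, (R*B)^r1). By the
    ElGamal homomorphism this is still a ciphertext under e_j, now encrypting
    (R * g2^pwd)^r1, which only the holder of d_j can open."""
    A, B = ct
    return pow(A, r1, P), pow((R * B) % P, r1, P)

def demo():
    """Registration-style setup (Section 3.2.2) followed by one Step 2 blinding.
    Returns True when the holder of d2 recovers exactly (R * g2^pwd)^r1."""
    s1, s2 = rand_exp(), rand_exp()
    g2 = pow(G1, s1 * s2, P)                     # g2 = g1^(s1 s2), Section 3.2.1
    pwd = 4242                                   # constructed sample password
    d2, e2 = elgamal_keygen()                    # S2's key pair, generated by the client
    m = pow(g2, pwd, P)                          # g2^pwd, the value that is encrypted
    ct = elgamal_encrypt(m, e2)                  # E(g2^pwd, e2), stored by S1
    r, r1 = rand_exp(), rand_exp()
    R = (pow(G1, r, P) * m) % P                  # the client's Step 1 value R
    blinded = server_blind(ct, R, r1)            # S1 blinds without knowing d2
    return elgamal_decrypt(blinded, d2) == pow((R * m) % P, r1, P)
```

Note that the blinding server never needs d2, which is the property the paper relies on when it restricts each server to operating on the other server's ciphertext.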
3.2 Our Protocol

Our protocol runs in three phases: initialization, registration, and authentication & key exchange.

3.2.1 Initialization

The two peer servers S1 and S2 jointly choose a cyclic group G of large prime order q with a generator $g_1$ and a secure hash function H. S1 randomly chooses an integer $s_1$ from $Z_q^*$ and S2 randomly chooses an integer $s_2$ from $Z_q^*$, and S1 and S2 exchange $g_1^{s_1}$ and $g_1^{s_2}$. After that, S1 and S2 jointly publish the public system parameters G, q, $g_1$, $g_2$, H, where $g_2 = g_1^{s_1 s_2}$.

In most existing two-server PAKE protocols, it is assumed or implied that the discrete logarithm of $g_2$ to the base $g_1$ is unknown to anyone; otherwise, their protocols are insecure. Our initialization can ensure that nobody is able to know the discrete logarithm of $g_2$ to the base $g_1$ unless the two servers collude. It is well known that the discrete logarithm problem is hard, and our model assumes that the two servers never collude.

3.2.2 Registration

Prior to authentication, each client C is required to register with both S1 and S2 through different secure channels. First of all, the client C generates decryption and encryption key pairs $(d_i, e_i)$, where $e_i = g_1^{d_i}$, for the server Si (i = 1, 2) using the public parameters published by the two servers. The client C chooses a password $pwd_C$ and encrypts the password using the encryption key $e_i$, i.e., $E(g_2^{pwd_C}, e_i) = (A_i, B_i) = (g_1^{a_i}, g_2^{pwd_C} \cdot e_i^{a_i})$ (i = 1, 2), where $a_i$ is randomly chosen from $Z_q^*$, according to ElGamal encryption. Then, the client C randomly chooses $b_1$ from $Z_q^*$ and lets $b_2 = H(pwd_C) \oplus b_1$. The client C delivers the password authentication information $Auth_{C1} = \{d_1, a_1, b_1, E(g_2^{pwd_C}, e_2)\}$ to S1 through a secure channel, and the password authentication information $Auth_{C2} = \{d_2, a_2, b_2, E(g_2^{pwd_C}, e_1)\}$ to S2 through another secure channel. After that, the client C remembers the password $pwd_C$ only.

The two secure channels are necessary for all two-server PAKE protocols, where a password is split into two parts which are securely distributed to the two servers, respectively, during registration. Although we refer to the concept of a public key cryptosystem, the encryption key of one server should be unknown to the other server, and the client needs to remember a password only after registration.

3.2.3 Authentication and Key Exchange

Assume that the two servers S1 and S2 have received the password authentication information of a client C during registration. There are five steps for the two servers S1 and S2 to authenticate the client C and establish secret session keys with the client C in terms of parallel computation.
Step 1. The client C randomly chooses an integer r from $Z_q^*$, computes $R = g_1^r \cdot g_2^{pwd_C}$ and then broadcasts a request message $M_1 = (C, Req, R)$ to the two servers S1 and S2.

Step 2. On receiving $M_1$, the server S1 randomly chooses an integer $r_1$ from $Z_q^*$ and computes $A_2' = A_2^{r_1}$, $B_2' = (R \cdot B_2)^{r_1}$. The server S2 randomly chooses an integer $r_2$ from $Z_q^*$ and computes $A_1' = A_1^{r_2}$, $B_1' = (R \cdot B_1)^{r_2}$. Then, S1 and S2 exchange $M_2 = (A_2', B_2')$ and $M_3 = (A_1', B_1')$.

Step 3. On receiving $(A_1', B_1')$, the server S1 randomly chooses an integer $r_1'$ from $Z_q^*$, computes $R_1 = (A_1')^{a_1^{-1} r_1'}$, $K_1 = (B_1' / (A_1')^{d_1})^{r_1'}$, $h_1 = H(K_1, 0) \oplus b_1$ and replies $M_4 = (S_1, R_1, h_1)$ to the client C. On receiving $(A_2', B_2')$, the server S2 randomly chooses an integer $r_2'$ from $Z_q^*$, computes $R_2 = (A_2')^{a_2^{-1} r_2'}$, $K_2 = (B_2' / (A_2')^{d_2})^{r_2'}$, $h_2 = H(K_2, 0) \oplus b_2$ and replies $M_5 = (S_2, R_2, h_2)$ to the client C.

Step 4. After receiving $M_4$ and $M_5$, the client C computes $K_1' = R_1^r$, $K_2' = R_2^r$ and checks if $H(K_1', 0) \oplus H(K_2', 0) \oplus h_1 \oplus h_2 = H(pwd_C)$. If it is true, the two servers S1 and S2 are authentic. The client C computes $h_1' = H(K_1', 1) \oplus H(K_1', 0) \oplus h_1$, $h_2' = H(K_2', 1) \oplus H(K_2', 0) \oplus h_2$ and then broadcasts $M_6 = \{h_1', h_2'\}$. At last, the client C sets the secret session keys with S1 and S2 as $SK_1' = H(K_1', 2)$ and $SK_2' = H(K_2', 2)$, respectively.

Step 5. On receiving $M_6$, the server S1 checks if $H(K_1, 1) \oplus b_1 = h_1'$. If so, S1 concludes that the client C is authentic and sets the secret session key with the client C as $SK_1 = H(K_1, 2)$. The server S2 checks if $H(K_2, 1) \oplus b_2 = h_2'$. If so, S2 concludes that the client C is authentic and sets the secret session key with the client C as $SK_2 = H(K_2, 2)$.

In this authentication process, we can see that the two peer servers S1 and S2 equally contribute to the authentication and key exchange. And so, our protocol is said to be symmetric.
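The hash-and-XOR checks of Steps 3 to 5, as an added Python example that is not part of the original paper. It takes the servers' K1, K2 and the client's K1', K2' as inputs rather than deriving them from R1^r and R2^r, and it assumes SHA-256 for H, which the paper does not specify; the password and key values are constructed.

```python
import hashlib
import secrets

def H(*parts):
    """The paper's hash H over a tuple such as H(K, 0), returned as a 256-bit
    integer so the XOR operations of Steps 3 to 5 can be written directly.
    SHA-256 over NUL-separated fields is an assumption; the paper names no hash."""
    data = b"".join(str(p).encode() + b"\x00" for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def register_shares(pwd):
    """Registration (Section 3.2.2): b1 random, b2 = H(pwd) XOR b1. S1 gets b1,
    S2 gets b2; H(pwd) can only be rebuilt from both shares."""
    b1 = secrets.randbits(256)
    return b1, H(pwd) ^ b1

def server_tag(K, b):
    """Step 3: h_i = H(K_i, 0) XOR b_i, sent to the client in M4 / M5."""
    return H(K, 0) ^ b

def client_verify_servers(K1, K2, h1, h2, pwd):
    """Step 4 check: H(K1', 0) XOR H(K2', 0) XOR h1 XOR h2 == H(pwd). When the
    client's K_i' equal the servers' K_i the H(K_i, 0) terms cancel, leaving
    b1 XOR b2 = H(pwd); a server with a wrong key or share fails it."""
    return H(K1, 0) ^ H(K2, 0) ^ h1 ^ h2 == H(pwd)

def client_tag(K, h):
    """Step 4: h_i' = H(K_i', 1) XOR H(K_i', 0) XOR h_i, broadcast in M6."""
    return H(K, 1) ^ H(K, 0) ^ h

def server_verify_client(K, b, h_prime):
    """Step 5 check: H(K_i, 1) XOR b_i == h_i'."""
    return H(K, 1) ^ b == h_prime

def session_key(K):
    """SK_i = H(K_i, 2), derived on both sides once the checks pass."""
    return H(K, 2)

def run_steps_3_to_5(pwd, K1, K2, K1c=None, K2c=None):
    """Steps 3 to 5 with the servers' K1, K2 and the client's K1', K2' supplied
    as inputs (Section 3.2.3 derives them from the blinded ciphertexts, which is
    outside this example). Returns (servers_ok, client_ok)."""
    K1c = K1 if K1c is None else K1c
    K2c = K2 if K2c is None else K2c
    b1, b2 = register_shares(pwd)
    h1, h2 = server_tag(K1, b1), server_tag(K2, b2)           # M4, M5
    servers_ok = client_verify_servers(K1c, K2c, h1, h2, pwd)  # Step 4
    h1p, h2p = client_tag(K1c, h1), client_tag(K2c, h2)       # M6
    client_ok = (server_verify_client(K1, b1, h1p)            # Step 5
                 and server_verify_client(K2, b2, h2p))
    return servers_ok, client_ok
```

A mismatch on either side (for instance a server that holds the wrong share) makes both the Step 4 and the Step 5 checks fail, so no session key is accepted.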
4 CONCLUSION

In this paper, we have presented a symmetric protocol for two-server password-only authentication and key exchange. Our protocol is secured against passive and active attacks, even if one of the two servers is compromised. Our solution is more efficient than current symmetric and asymmetric two-server PAKE protocols. We can also use this protocol model among clients for secure file sharing in a distributed environment.

Author's Profile:
P. Suresh received the B.Tech degree in the stream of Computer Science and Engineering from Madanapalle Institute of Technology and Science, Madanapalle, University of JNTUA, in 2010. He is currently working towards the Master's degree in the stream of Computer Science & Engineering at Sri Venkateswara College of Engineering, Tirupati, University of JNTUA. He is interested in the areas of Computer Networks, DBMS, Distributed Systems and Compiler Design.

K. Guru Jyothsna Devi received the B.Tech in Computer Science and Engineering from Alfa College of Engineering & Technology, Allagadda, in 2009 and the M.Tech in Computer Science and Engineering from Vaagdevi Institute of Engineering & Technology, Proddatur, in 2011. Currently she is an Assistant Professor in the Department of Computer Science and Engineering at SV College of Engineering, Tirupati. She has published a paper titled "HSV Color Histogram and Directional Binary Wavelet Patterns for CBIR" in journals. Her current interests include Image Processing and Computer Networks.

5 REFERENCES

[1] M. Abdalla, O. Chevassut, and D. Pointcheval, "One-Time Verifier-Based Encrypted Key Exchange," Proc. Eighth Int'l Conf. Theory and Practice in Public Key Cryptography (PKC '05), pp. 47-64, 2005.
[2] M. Bellare, D. Pointcheval, and P. Rogaway, "Authenticated Key Exchange Secure against Dictionary Attacks," Proc. 19th Int'l Conf. Theory and Application of Cryptographic Techniques (Eurocrypt '00), pp. 139-155, 2000.
[3] S. Bellovin and M. Merritt, "Encrypted Key Exchange: Password Based Protocol Secure against Dictionary Attack," Proc. IEEE Symp. Research in Security and Privacy, pp. 72-84, 1992.
[4] D. Boneh and M. Franklin, "Identity Based Encryption from the Weil Pairing," Proc. 21st Ann. Int'l Cryptology Conf. (Crypto '01), pp. 213-229, 2001.
[5] J. Brainard, A. Juels, B.S. Kaliski, and M. Szydlo, "A New Two Server Approach for Authentication with Short Secret," Proc. 12th Conf. USENIX Security Symp., pp. 201-214, 2003.
[6] D. Jablon, "Password Authentication Using Multiple Servers," Proc. Conf. Topics in Cryptology: The Cryptographer's Track at RSA (RSA-CT '01), pp. 344-360, 2001.