Symmetric Solution for Dual-ServerPAKE

Ch. SaiLavanya¹, G. Srinivasulu²
¹ M.Tech Student, Department of CSE, Chadalawada Ramanamma Engineering College, Tirupati
² Assistant Professor, Department of CSE, Chadalawada Ramanamma Engineering College, Tirupati
Abstract: In general, a client and a server authenticate each other using Password Authenticated Key Exchange (PAKE). In such a configuration, a single server is maintained to store all the passwords for authenticating the clients. An attacker can easily gather authentication information by hacking that single server. In this paper, we propose a scenario where two servers cooperate to authenticate a client; if one server is attacked, the attacker still cannot authenticate with the information from that hacked server. Recent solutions for dual-server PAKE are either symmetric or asymmetric. Our model is a symmetric solution where two peer servers equally contribute to the authentication, useful in distributed and parallel systems. This protocol model is more efficient than current two-server PAKE protocols.

Keywords: Dual-Server PAKE, Diffie-Hellman Key Exchange, ElGamal Encryption, Authentication.

1. INTRODUCTION

Most computer users need passwords for various purposes: logging into computer accounts, opening e-mail, social websites, catalogues, database systems, networks, etc.

Traditional password-based authentication systems pass a cryptographic hash of the password through a public channel, which makes the hash value available to an attacker. In such a scenario, the hacker can work offline, rapidly trying possible passwords against the true password's hash value. Modern research advances in password-based authentication have allowed a client and a server to mutually authenticate with a password and in the meantime to generate a cryptographic key for secure communications after authentication. Present solutions for password-based authentication follow two models.

The first model, called the PKI-based model, assumes that the client retains the server's public key in addition to sharing a password with the server. In this setting, the client can send the password to the server by public key encryption. Gong et al. were the first to present this kind of authentication protocol with heuristic resistance to offline dictionary attacks.

The second model is known as the password-only model. Bellovin and Merritt were the first to consider authentication based on password only, and introduced a set of so-called "encrypted key exchange" protocols, where the password is used as a secret key to encrypt random numbers for key exchange purposes.

Considering the identity-based encryption technique, Yi et al. suggested an identity-based model, in which the client needs to recall the password only while the server keeps the password in addition to private keys related to its identity. In this scenario, the client can encrypt the password based on the identity of the server. This model is between the PKI-based and the password-only models.

Most of the protocols for password-based authentication assume a single server stores all the passwords necessary to authenticate clients. If the server is hacked, user passwords stored in the server are disclosed. To overcome this problem, dual-server password-based authentication protocols were introduced, in which two servers work together to authenticate a client on the basis of a password, and if one server is hacked, the hacker still cannot authenticate with the information from that hacked server.
Current solutions for dual-server PAKE are either symmetric, in the sense that two peer servers equally contribute to the authentication, or asymmetric, in the sense that one server authenticates the client with the help of another server. A symmetric two-server PAKE protocol, for example, Katz et al.'s protocol, can run in parallel and establishes secret session keys between the client and the two servers, respectively. In case one of the two servers shuts down due to a denial-of-service attack, the other server can continue to provide services to authenticated clients. In terms of parallel computation and reliable service, a symmetric protocol is superior to an asymmetric protocol. So far, only Katz et al.'s two-server PAKE protocol has been symmetric. But their protocol is not efficient for practical use. An asymmetric dual-server PAKE protocol runs in series, and only the front-end server and the client need to establish a secret session key. Current asymmetric protocols, for example, Yang et al.'s protocol and Jin et al.'s protocol, need two servers to exchange messages several times in series. These asymmetric designs are less efficient than a symmetric design, which allows two servers to compute in parallel.

In this paper, we propose a different symmetric solution for dual-server PAKE. In all existing two-server PAKE protocols, two servers are provided random password shares pwd1 and pwd2 conditional on pwd1 + pwd2 = pwd. In our protocol, we provide two servers S1 and S2 with an encryption of the password with their own encryption keys. In addition, two servers are provided random password shares d1 and d2 subject to pwd1 ⊕ pwd2 = H(pwd), where H is a hash function; the password pwd is secret unless the two servers collude. Although we use the concept of public key cryptosystem, our protocol follows the password-only model. The encryption and decryption key pairs for the two servers are generated by the client and delivered to the servers through different secure channels during the client registration, as the client in any two-server PAKE protocol sends two halves of the password to the two servers in secret, respectively. In fact, a server should not know the encryption key of another server and is restricted to operate on the encryption of the password on the basis of the homomorphic properties of the ElGamal encryption scheme.

Studies on security have shown that our protocol is safe against both passive and active attacks in case one server is hacked. Performance analysis has shown that our protocol is more efficient than earlier symmetric and asymmetric two-server PAKE protocols in terms of parallel computation.

2. KEY REQUIREMENTS

Diffie-Hellman Key Exchange

This is a specific method of exchanging cryptographic keys. It is one of the earliest practical examples of key exchange implemented within the field of cryptography. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

The Diffie-Hellman key exchange protocol was invented by Diffie and Hellman in 1976. Although Diffie-Hellman key agreement itself is an anonymous (non-authenticated) key-agreement protocol, it provides the basis for a variety of authenticated protocols.

Diffie-Hellman key agreement is not limited to negotiating a key shared by only two participants. Any number of users can take part in an agreement by performing iterations of the agreement protocol and exchanging intermediate data (which does not itself need to be kept secret). For example, Alice, Bob, and Carol could participate in a Diffie-Hellman agreement as follows, with all operations taken to be modulo p:
1. The parties agree on a cyclic group G of large prime order q with a generator g.
2. The parties generate their private keys, named a, b, and c respectively.
3. Alice computes g^a and sends it to Bob.
4. Bob computes (g^a)^b = g^(ab) and sends it to Carol.
5. Carol computes (g^(ab))^c = g^(abc) and uses it as her secret key.
6. Bob computes g^b and sends it to Carol.
7. Carol computes (g^b)^c = g^(bc) and sends it to Alice.
8. Alice computes (g^(bc))^a = g^(abc) and uses it as her secret key.
9. Carol computes g^c and sends it to Alice.
10. Alice computes (g^c)^a = g^(ca) and sends it to Bob.
11. Bob computes (g^(ca))^b = g^(abc) and uses it as his secret key.

It is obvious that Alice, Bob and Carol have agreed on the same secret key, by which the succeeding communications between them can be protected.

The Diffie-Hellman key exchange protocol is secure against any passive adversary, who cannot interact with the communicating parties and attempts to determine the secret key based solely upon observed data.

ElGamal Encryption Scheme

The ElGamal encryption scheme was invented by ElGamal in 1985 on the basis of the Diffie-Hellman key exchange protocol. It consists of key generation, encryption, and decryption algorithms as follows:

1. Key generation. On input a security parameter k, it publishes a cyclic group G of large prime order q with a generator g. Then it chooses a decryption key d randomly from Z_q* and computes an encryption key e = g^d.
2. Encryption. On inputs a message m belonging to G and the encryption key e, it chooses an integer r randomly from Z_q* and outputs a ciphertext C = E(m, e) = (A, B) = (g^r, m·e^r).
3. Decryption. On inputs a ciphertext (A, B) and the decryption key d, it outputs the plaintext m = D(C, d) = B/A^d.

The ElGamal encryption scheme is a probabilistic encryption scheme. Encrypting the same message with the ElGamal encryption scheme several times will yield different ciphertexts.

3. SYMMETRIC SOLUTION FOR DUAL-SERVER PAKE

Our Model

In our system, there exist two servers S1 and S2 and a group of clients. The two servers cooperate to authenticate clients and provide services to authenticated clients. Prior to authentication, each client C chooses a password pwdC and generates the password authentication information AuthC1 and AuthC2 for S1 and S2, respectively, such that nobody can determine the password pwdC from AuthC1 or AuthC2 unless S1 and S2 collude. The client sends AuthC1 and AuthC2 to S1 and S2, respectively, through different secure channels during the client registration. After that, the client remembers the password only, and the two servers keep the password authentication information.
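The ElGamal scheme of Section 2 and the password split this model relies on, shown as an added Python example that is not part of the original paper. The toy group (p = 2039, q = 1019, g = 4), SHA-256 as H, the encoding of the password as g^(H(pwd) mod q), and the 256-bit share width are assumptions made here.

```python
import hashlib
import secrets

# Toy group constructed for this example: p = 2q + 1 with p, q prime; g = 4 has
# order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    d = 1 + secrets.randbelow(Q - 1)            # decryption key d from Z_q*
    return d, pow(G, d, P)                      # encryption key e = g^d

def encrypt(m, e):
    r = 1 + secrets.randbelow(Q - 1)            # fresh r: probabilistic encryption
    return pow(G, r, P), m * pow(e, r, P) % P   # (A, B) = (g^r, m * e^r)

def decrypt(ct, d):
    a, b = ct
    return b * pow(a, Q - d, P) % P             # B / A^d, because A^q = 1

def ct_mul(c1, c2):
    # Homomorphic property: the product decrypts to m1 * m2; no key is needed.
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def H(pwd):
    return int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")

def encode(pwd):
    # Assumption: the password enters the group as g^(H(pwd) mod q).
    return pow(G, H(pwd) % Q, P)

def split(pwd):
    # b1 random, b2 = H(pwd) XOR b1. Assumption: 256-bit shares (SHA-256 width).
    b1 = secrets.randbits(256)
    return b1, H(pwd) ^ b1

def collude(b1, b2, candidates):
    # Both shares together give H(pwd), which allows testing password guesses.
    return [c for c in candidates if H(c) == (b1 ^ b2)]

def other_share_for(b1, guess):
    # One share alone: every guess has a matching b2, so b1 rules nothing out.
    return H(guess) ^ b1

if __name__ == "__main__":
    d, e = keygen()
    ct = encrypt(encode("correct horse"), e)
    print(decrypt(ct, d) == encode("correct horse"))
    b1, b2 = split("correct horse")
    print(collude(b1, b2, ["123456", "correct horse"]))
```

Because a single share is consistent with every candidate password, storing b1 and b2 on separate servers is what keeps a one-server compromise from enabling an offline dictionary search.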
Our Protocol

Our protocol runs in the following phases: registration, authentication and key exchange. Initially the two servers jointly publish their public parameters.

Registration

Prior to authentication, each client C is required to register with both S1 and S2 through different secure channels. First of all, the client C generates decryption and encryption key pairs (d_i, e_i), where e_i = g1^(d_i), for the server S_i (i = 1, 2) using the public parameters published by the two servers. The client C chooses a password pwdC and encrypts the password using the encryption key e_i, according to ElGamal encryption. Then, the client C randomly chooses b1 from Z_q* and lets b2 = H(pwdC) ⊕ b1. The client C delivers the password authentication information AuthC1 to S1 through a secure channel, and the password authentication information AuthC2 to S2 through another secure channel. After that, the client C remembers the password pwdC only.

Although we refer to the concept of public key cryptosystem, the encryption key of one server should be unknown to the other server, and the client needs to remember a password only after registration.

Authentication and Key Exchange

Assume that the two servers S1 and S2 have received the password authentication information of a client C during the registration. There are five steps for the two servers S1 and S2 to authenticate the client C and establish secret session keys with the client C in terms of parallel computation.

Step 1: The client C broadcasts a request message M1 to the two servers S1 and S2.

Step 2: On receiving M1, the servers S1 and S2 generate messages M2 and M3, respectively, and exchange them with each other.

Step 3: On receiving M3 from server S2, the server S1 generates a reply message M4 and sends it to the client C. At the same time, on receiving M2 from server S1, the server S2 generates a reply message M5 and sends it to the client.

Step 4: After receiving M4 and M5, the client C checks whether the two servers S1 and S2 are authentic. If so, it broadcasts message M6 to both servers. At last, the client C sets the secret session keys with S1 and S2 as SK'1 and SK'2, respectively.

Step 5: On receiving M6, the servers S1 and S2 check whether the client C is authentic. If so, S1 and S2 conclude that the client C is authentic and set the secret session keys with the client C as SK1 and SK2, respectively.

In this authentication process, we can see that the two peer servers S1 and S2 equally contribute to the authentication and key exchange. And so, our protocol is said to be symmetric.

4. CONCLUSION

In this paper, we have presented a symmetric protocol for dual-server PAKE. Our protocol is secure against passive and active attacks even if one of the two servers is hacked. Our solution is more efficient than current symmetric and asymmetric dual-server PAKE protocols. We can also use this protocol model among clients for secure file sharing in a distributed environment.
5. REFERENCES
[1] M. Abdalla and D. Pointcheval, “Simple Password-Based Encrypted Key Exchange Protocols,” Proc. Int’l Conf. Topics in Cryptology (CT-RSA), pp. 191-208, 2005.
[2] J. Katz, R. Ostrovsky, and M. Yung, “Efficient Password Authenticated Key Exchange Using Human-Memorable Passwords,” Proc. Int’l Conf. Theory and Application of Cryptographic Techniques: Advances in Cryptology (Eurocrypt ’01), pp. 457-494, 2001.
[3] D. Jablon, “Password Authentication Using Multiple Servers,” Proc. Conf. Topics in Cryptology: The Cryptographer’s Track at RSA (RSA-CT ’01), pp. 344-360, 2001.
[4] D. Boneh and M. Franklin, “Identity Based Encryption from the Weil Pairing,” Proc. 21st Ann. Int’l Cryptology Conf. (Crypto ’01), pp. 213-229, 2001.
[5] J. Brainard, A. Juels, B.S. Kaliski, and M. Szydlo, “A New Two-Server Approach for Authentication with Short Secret,” Proc. 12th Conf. USENIX Security Symp., pp. 201-214, 2003.
Author’s Profile:
Ch. SaiLavanya, M.Tech Student, Department of CSE, Chadalawada Ramanamma Engineering College, Tirupati.
G. Srinivasulu, M.Tech, Assistant Professor, Department of CSE, Chadalawada Ramanamma Engineering College, Tirupati.