Skip to main content
SpringerLink
Log in
Book cover

Cryptographers’ Track at the RSA Conference

CT-RSA 2001: Topics in Cryptology — CT-RSA 2001 pp 344–360Cite as

Password Authentication Using Multiple Servers

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2020))

Abstract

Safe long-term storage of user private keys is a problem in client/server systems. The problem can be addressed with a roaming system that retrieves keys on demand from remote credential servers, using password authentication protocols that prevent password guessing attacks from the network. Ford and Kaliski’s methods [11] use multiple servers to further prevent guessing attacks by an enemy that compromises all but one server. Their methods use a previously authenticated channel which requires client-stored keys and certificates, and may be vulnerable to offiline guessing in server spoofing attacks when people must positively identify servers, but don’t. We present a multi-server roaming protocol in a simpler model without this need for a prior secure channel. This system requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. S. Bellovin and M. Merritt, Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks, Proc. IEEE Symposium on Research in Security and Privacy, May 1992.

    Google Scholar 

  2. V. Boyko, P. MacKenzie and S. Patel, Provably Secure Password Authenticated Key Exchange Using Die-Hellman, Advances in Cryptology — EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, Springer-Verlag, May 2000.

    Google Scholar 

  3. M. Bellare, D. Pointcheval and P. Rogaway, Authenticated Key Exchange Secure Against Dictionary Attack, Advances in Cryptology — EUROCRYPT 2000, Lecture Notes in Computer Science, vol. 1807, pp. 139–155, Springer-Verlag, May 2000.

    Chapter  Google Scholar 

  4. M. K. Boyarsky, Public-Key Cryptography and Password Protocols: The Multi-User Case, Proc. 6th ACMConference on Computer and Communications Security, November 1–4, 1999, Singapore.

    Google Scholar 

  5. D. Chaum, Security without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, 28 (1985), 1030–1044.

    Article  Google Scholar 

  6. Cohen, F., 50 Ways to Attack Your World Wide Web System, Computer Security Institute Annual Conference, Washington, DC, October 1995.

    Google Scholar 

  7. T. Dierks and C. Allen, The TLS Protocol Version 1.0, IETF RFC 2246, http://www.ietf.org/rfc/rfc2246.txt, Internet Activities Board, January 1999.

  8. E. Felton, D. Balfanz, D. Dean and D. Wallach, Web Spoofing: An Internet Con Game, 20th National Information Systems Security Conference, Oct. 7–10, 1997, Baltimore, Maryland, http://www.cs.princeton.edu/sip/pub/spoofing.html.

  9. FIPS 186, Digital Signature Standard (DSS), NIST, 19 May 1994.

    Google Scholar 

  10. FIPS 180-1, Secure Hash Standard (SHA), NIST, 11 July 1994.

    Google Scholar 

  11. W. Ford and B. Kaliski, Server-Assisted Generation of a Strong Secret from a Password, Proc. 9th InternationalWorkshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, IEEE, June 14–16, 2000.

    Google Scholar 

  12. A. Frier, P. Karlton, and P. Kocher, The SSL 3.0 Protocol, Netscape Communications Corp., Nov 18, 1996.

    Google Scholar 

  13. L. Gong, T.M.A. Lomas, R.M. Needham, and J.H. Saltzer, Protecting Poorly Chosen Secrets from Guessing Attacks, IEEE Journal on Selected Areas in Communications, vol.11, no.5, June 1993, pp. 648–656.

    Article  Google Scholar 

  14. L. Gong, Increasing Availability and Security of an Authentication Service, IEEE Journal on Selected Areas in Communications, vol. 11, no. 5, June 1993, pp. 657–662.

    Article  Google Scholar 

  15. L. Gong, Optimal Authentication Protocols Resistant to Password Guessing Attacks, Proc. 8th IEEE Computer Security Foundations Workshop, Ireland, June 13, 1995, pp. 24–29.

    Google Scholar 

  16. S. Halevi and H. Krawczyk, Public-Key Cryptography and Password Protocols, Proc. Fifth ACM Conference on Computer and Communications Security, 1998.

    Google Scholar 

  17. IEEE Std 1363-2000, IEEE Standard Specifications for Public-Key Cryptography, IEEE, August 29, 2000, A.11.1, p. 131.

    Google Scholar 

  18. D. Jablon, Strong Password-Only Authenticated Key Exchange, ACM Computer Communications Review, October 1996, http://www.IntegritySciences.com/links.html#Jab96.

  19. D. Jablon, Extended Password Protocols Immune to Dictionary Attack, Proc. 6th Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Enterprise Security Workshop, IEEE, June 1997, http://www.IntegritySciences.com/links.html#Jab97.

  20. C. Kaufman, R. Perlman, M. Speciner, Network Security: Private Communication in a Public World, Prentice-Hall, 1995, Chapter 8: Authentication of People, p. 205, 3rd paragraph.

    Google Scholar 

  21. S. Lucks, Open Key Exchange: How to Defeat Dictionary Attacks Without Encrypting Public Keys, The Security Protocol Workshop’ 97Ecole Normale Superieure, April 7–9, 1997.

    Google Scholar 

  22. P. MacKenzie and R. Swaminathan, Secure Network Authentication with Password Identification, submission to IEEE P1363 working group, http://grouper.ieee.org/groups/1363/, July 30, 1999.

  23. R. Perlman and C. Kaufman, Secure Password-Based Protocol for Downloading a Private Key, Proc. 1999 Network and Distributed System Security Symposium, Internet Society, January 1999.

    Google Scholar 

  24. J. Tardo and K. Alagappan, SPX: Global Authentication Using Public Key Certificates, Proc. 1991 IEEE Computer Society Symposium on Security and Privacy, 1991, pp. 232–244.

    Google Scholar 

  25. P. C. van Oorschot, M. J. Wiener, On Diffe-Hellman Key Agreement with Short Exponents, Proceedings of Eurocrypt 96, Springer-Verlag, May 1996.

    Google Scholar 

  26. T. Wu, The Secure Remote Password Protocol, Proc. 1998 Network and Distributed System Security Symposium, Internet Society, January 1998, pp. 97–111.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Integrity Sciences, Inc., Canada

    David P. Jablon

Authors
  1. David P. Jablon
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Gemplus Card International, 34 rue Guynemer, 92447, Issy les Moulineaux, France

    David Naccache

Rights and permissions

Reprints and permissions

Copyright information

© 2001 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jablon, D.P. (2001). Password Authentication Using Multiple Servers. In: Naccache, D. (eds) Topics in Cryptology — CT-RSA 2001. CT-RSA 2001. Lecture Notes in Computer Science, vol 2020. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45353-9_26

Download citation

  • DOI: https://doi.org/10.1007/3-540-45353-9_26

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-41898-6

  • Online ISBN: 978-3-540-45353-6

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation