Portal de Periódicos da CAPES

Password Authentication Using Multiple Servers

2001; Springer Science+Business Media; Linguagem: Inglês

10.1007/3-540-45353-9_26

1611-3349

David P. Jablon,

Cryptography and Data Security

Safe long-term storage of user private keys is a problem in client/server systems. The problem can be addressed with a roaming system that retrieves keys on demand from remote credential servers, using password authentication protocols that prevent password guessing attacks from the network. Ford and Kaliski’s methods [11] use multiple servers to further prevent guessing attacks by an enemy that compromises all but one server. Their methods use a previously authenticated channel which requires client-stored keys and certificates, and may be vulnerable to offiline guessing in server spoofing attacks when people must positively identify servers, but don’t. We present a multi-server roaming protocol in a simpler model without this need for a prior secure channel. This system requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.