Portal de Periódicos da CAPES

Proofs for Two-Server Password Authentication

2005; Springer Science+Business Media; Linguagem: Inglês

10.1007/978-3-540-30574-3_16

1611-3349

Michael Szydlo, Burton S. Kaliski,

User Authentication and Security Systems

Traditional password-based authentication and key-ex-change protocols suffer from the simple fact that a single server stores the sensitive user password. In practice, when such a server is compromised, a large number of user passwords, (usually password hashes) are exposed at once. A natural solution involves splitting password between two or more servers. This work formally models the basic security requirement for two-server password authentication protocols, and in this framework provides concrete security proofs for two protocols. The first protocol considered [7] appeared at USENIX'03, but contained no security proof. For this protocol, we provide a concrete reduction to the computational Diffie-Hellman problem in the random oracle model. Next we present a second protocol, based on the same hard problem, but which is simpler, and has an easier, tighter reduction proof.