(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, May 2010
http://sites.google.com/site/ijcsis/ ISSN 1947-5500

Robust Resilient Two Server Password Authentication Vs Single Server

T.S.THANGAVEL
Department of M.Sc (IT)
K.S.Rangasamy College of Technology
Tiruchengode
Tamilnadu
India

Dr.A.KRISHNAN
Department of Electronic and Communication Engg.
K.S.Rangasamy College of Technology
Tiruchengode
Tamilnadu
India

Abstract

The authentication system stores the password in a central server, where it is very easy for an intruder to obtain the password and gain access to the contents of the user. For the purpose of authentication, multi-server systems were proposed in which the user communicates with one or all of the servers. These require high communication bandwidth, are not easy to maintain, and their protocols are highly expensive. The Two Server Authentication System avoids this problem by using passwords and session keys rather than performing the cryptographic techniques. It consists of two servers, the front end and the back end server. The front end server communicates with the user, whereas the back end control server is only visible to the service server. These two servers are responsible for the authentication. The password is split into two words, one held by the service server and the other by the control server. Both servers are validated during the form validation process. The system is suitable for both the computation and communication system. The servers are also used for multiple clients and also for single server systems.

Keywords: Password-Authentication, Two Servers password, Cryptosystem, single server Secure Password, Service server, control server.

I. INTRODUCTION

Multi-user systems require users to provide their passwords along with their user identification. The password serves to authenticate the ID of the individual logging on to the system. This is required to determine if the user is authorized to gain access to the system. This ID also determines the privileges accorded to the user. Short secrets are convenient, particularly for an increasingly mobile user population. Many users are interested in employing a variety of computing devices with different forms of connectivity and different software platforms. Such users often find it convenient to authenticate by means of passwords and short secrets, to recover lost passwords by answering questions, and to make similar use of relatively weak secrets.

Most password-based user authentication systems place total trust in the authentication server, where passwords or easily derived password verification data are stored in a central database. These systems could be easily compromised by offline dictionary attacks initiated at the server side. Compromise of the authentication server by either outsiders or insiders subjects all user passwords to exposure and may cause serious problems. To overcome these problems in the single server system, many systems have been proposed, such as multi-server systems, public key cryptography and password systems, threshold password authentication systems, and two server password authentication systems.

The proposed work continues the line of research on the two-server paradigm in [10], [11], extends the model by imposing different levels of trust upon the two servers, and adopts a very different method at the technical level in the protocol design. As a result, we propose a practical two-server password authentication and key exchange system that is secure against offline dictionary attacks by servers when they are controlled by adversaries. The proposed scheme is a password-only system in the sense that it requires no public key cryptosystem and, thus, no PKI. This makes the system very attractive considering PKIs are proven notoriously expensive to deploy in the real world. Moreover, the proposed system is particularly suitable for resource constrained users due to its efficiency in terms of both computation and communication. The paper generalizes
the basic two-server model to an architecture of a single back-end server supporting multiple front-end servers and envisions interesting applications in federated enterprises.

II. LITERATURE REVIEW

Public key techniques are absolutely necessary to make password systems secure against offline dictionary attacks, whereas the involvement of public key cryptosystems under a PKI (e.g., public key encryption and digital signature schemes) is not essential. There are two separate approaches to the development of secure password systems: one is a combined use of a password and public key cryptosystem under a PKI, and the other is a password only approach. In these systems, the use of public keys entails the deployment and maintenance of a PKI for public key certification and adds to users the burden of checking key validity. To eliminate this drawback, password-only protocols (password authenticated key exchange or PAKE) have been extensively studied, e.g., [2], [3], [4]. The PAKE protocols do not involve any public key cryptosystem under a PKI and, therefore, are much more attractive for real-world applications. Any use of public key cryptosystem under a PKI in a password authentication system should be avoided since, otherwise, the benefits brought by the use of password would be counteracted to a great extent.

Most of the existing password systems were designed over a single server, where each user shares a password or some password verification data (PVD) with a single authentication server (e.g., [2], [3], [4]). These systems are essentially intended to defeat offline dictionary attacks by outside attackers and assume that the server is completely trusted in protecting the user password database. Unfortunately, attackers in practice take on a variety of forms, such as hackers, viruses, worms, accidents, mis-configurations, and disgruntled system administrators. As a result, no security measures and precautions can guarantee that a system will never be penetrated. Once an authentication server is compromised, all the user passwords or PVD fall into the hands of the attackers, who are definitely effective in offline dictionary attacks against the user passwords. To eliminate this single point of vulnerability inherent in the single-server systems, password systems based on multiple servers were proposed. The principle is distributing the password database as well as the authentication function to multiple servers so that an attacker is forced to compromise several servers to be successful in offline dictionary attacks.

The system in [6], believed to be the first multiserver password system, splits a password among multiple servers. However, the servers in [6] need to use public keys. An improved version of [6] was proposed in [7], which eliminates the use of public keys by the servers. Further and more rigorous extensions were due to [8], where the former built a t-out-of-n threshold PAKE protocol and provided a formal security proof under the random oracle model [5] and the latter presented two provably secure threshold PAKE protocols under the standard model. While the protocols are theoretically significant, they have low efficiency and high operational overhead. In these multi-server password systems, either the servers are equally exposed to the users and a user has to communicate in parallel with several or all servers for authentication, or a gateway is introduced between the users and the servers.

Recently, Brainard et al. [1] proposed a two-server password system in which one server exposes itself to users and the other is hidden from the public. While this two-server setting is interesting, it is not a password-only system: both servers need to have public keys to protect the communication channels from users to servers. As we have stressed earlier, this makes it difficult to fully enjoy the benefits of a password system. In addition, the system in [1] only performs unilateral authentication and relies on the Secure Socket Layer (SSL) to establish a session key between a user and the front-end server. Subsequently, Yang et al. [9] extended and tailored this two-server system to the context of federated enterprises, where the back-end server is managed by an enterprise headquarters and each affiliating organization operates a front-end server. An improvement made in [9] is that only the back-end server holds a public key. Nevertheless, the system in [9] is still not a password-only system.

III. MODES OF SERVER PASSWORD AUTHENTICATION MODELS

In the single-server model, as shown in Fig 1, a single server is involved and it keeps a database of user passwords. Most of the existing password systems follow this single-server model, but the single server results in a single point of vulnerability in terms of offline dictionary attacks against the user password database.

Fig 1: Single Server Password model

In the multi-server model, the server side comprises multiple servers for the purpose of removing the single point of vulnerability; the servers are equally exposed to users and a user has to communicate in parallel with several or all servers for authentication. The main problem with the plain multi-server model is the demand on communication bandwidth and the need for synchronization at the user side, since a user has to engage in simultaneous communications with multiple servers. This may cause problems to resource-constrained mobile devices such as hand phones and PDAs.

Fig 2: Gateway Augmented Multi-server model

In the gateway augmented multi-server model, as shown in Fig 2, a gateway is positioned as a relaying point between users and servers and a user only needs to contact the gateway. Apparently, the introduction of the gateway removes the demand of simultaneous communications by a user with multiple servers as in the plain multi-server model. However, the gateway introduces an additional layer in the architecture, which appears “redundant” since the purpose of the gateway is simply to relay messages between users and servers, and it is not in any way involved in service provision, authentication, and other security enforcements. From a security perspective, more components generally imply more points of vulnerability.

Fig 3: Two server model

The two-server model comprises two servers at the server side, one of which is a public server exposing itself to users and the other of which is a back-end server staying behind the scene; users contact only the public server, but the two servers work together to authenticate users. The differences between the two-server model and the earlier multi-server models are:

a) In the two-server model, a user ends up establishing a session key only with the public server, and the role of the back-end server is merely to assist the public server in user authentication, while in the multi-server models, a user establishes a session key (either different or the same) with each of the servers.

b) From a security point of view, servers in the multi-server models are equally exposed to outside attackers (recall that the gateway in the gateway augmented multi-server model does not enforce security), while in the two-server model, only the public server faces such a problem. This improves the server side security and the overall system security in the two-server model.

In the two-server model, different levels of trust can be placed upon the two servers with respect to outside attackers. The back-end server is more trustworthy than the public server. This is logical since the back-end server is located in the back-end and is hidden from the public, and it is thus less likely to be attacked. The two-server model has successfully eliminated drawbacks in the plain multi-server model (i.e., simultaneous communications between a user and multiple servers) and the gateway augmented multi-server model (i.e., redundancy) while allowing us to distribute user passwords and the authentication functionality to two servers in order to eliminate a single point of vulnerability in the single-server model. As a result, the two-server model appears to be a sound model for practical applications.

The existing systems built upon the two-server model do not suffice, which in turn motivated us to present a password-only system over the two-server model. In the proposed system, the public server acts as a service server that provides application services, while the back-end server is a control server whose sole purpose is to assist the service server in user authentication (the service server, of course, also participates in user authentication). In the plain multi-server model and the gateway augmented multi-server model, several or all servers equally participate in service provision as well as user authentication, which is implied by the fact that a user negotiates a session key with each server. The two-server model is generalized to an architecture in which a control server supports multiple service servers.

IV. FUNCTIONAL ARCHITECTURE OF TWO SERVER PASSWORD AUTHENTICATION SYSTEM

Three types of entities are involved in our system, i.e., users, a service server (SS) that is the public server in the two server model, and a control server (CS) that is the back-end server. In this setting, users only communicate with SS and do not
necessarily know CS. For the purpose of user authentication, a user U has a password which is transformed into two long secrets, which are held by SS and CS, respectively. Based on their respective shares, SS and CS together validate users during user login. CS is controlled by a passive adversary and SS is controlled by an active adversary in terms of offline dictionary attacks to user passwords, but they do not collude (otherwise, it equates to the single-server model).

A passive adversary follows honest-but-curious behavior, that is, it honestly executes the protocol according to the protocol specification and does not modify data, but it eavesdrops on communication channels, collects protocol transcripts and tries to derive user passwords from the transcripts; moreover, when a passive adversary controls a server, it knows all internal states of knowledge known to the server, including its private key (if any) and the shares of user passwords. In contrast, an active adversary can act arbitrarily in order to uncover user passwords. Besides, we assume a secret communication channel between SS and CS for this basic protocol. This security model exploits the different levels of trust upon the two servers. This holds with respect to outside attackers. As far as inside attackers are concerned, justifications come from our application and generalization of the system to the architecture of a single control server supporting multiple service servers, where the control server affords and deserves enforcing more stringent security measures against inside attackers. The back-end server is strictly passive and is not allowed to eavesdrop on communication channels, while CS in our setting is allowed to eavesdrop.

Fig 4: Generalized Two Server Architecture of a single control server with multiple service server

V. EXPERIMENTAL PERFORMANCE EVALUATION

The user contacts only the service server, but both the control and service servers are responsible for the authentication of the user. The user has a password which is transformed into two long secrets which are held by the service server and the control server. Both systems, using their respective shares, validate the user during the login. The servers compute a function to verify the user, and finally a session key is established between the user and the service server for the confirmation of the user and the server. The service server (Fig 5), which is an active adversary, acts arbitrarily to uncover the passwords and could control the corruption of the password.

The user can use the same password to register to different servers; the service servers connect either to distinct control servers or to the same control server. It makes the system user friendly. The system could be adapted to any existing FTP and web applications that are available today by adding a control server.

In our experimental implementation, a password is split into two random numbers. Therefore, a user can use the same password to register to different service servers; they connect either to distinct control servers or to the same control server.

This is a highly desirable feature since it makes the system user friendly. A big inconvenience in the traditional password systems is that a user has to memorize different passwords for different applications. The system has no compatibility problem with the single-server model. This is of importance, as most of the existing password systems use a single server.

Fig 5: Service Server Key generation for user password (bifurcated)
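
The following Python sketch is an added example, not code from the paper. It contrasts what a compromised server reveals in the single-server model with what one compromised server reveals when the password is split into two random shares held by SS and CS, as described above. The additive split modulo Q, the SHA-256 encoding, the sample wordlist and all function names are assumptions, since the paper does not state how the two shares are derived.

```python
import hashlib
import secrets

# Assumed share arithmetic: integers modulo the Mersenne prime 2**127 - 1.
# The paper gives no modulus; this one is chosen only for the example.
Q = 2**127 - 1

# Constructed sample wordlist standing in for a dictionary of weak passwords.
WORDLIST = ["123456", "letmein", "qwerty", "sunshine"]


def h_to_zq(password):
    """Encode a password as an element of Z_Q (assumed encoding)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % Q


def register_single_server(password):
    """Single-server model: one database row holds the salt and the PVD."""
    salt = secrets.token_bytes(16)
    pvd = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt, "pvd": pvd}


def register_two_server(password):
    """Two-server model: returns (share held by SS, share held by CS).

    share_ss is uniformly random and independent of the password;
    share_cs is the value that completes share_ss + share_cs = H(pw) mod Q.
    """
    share_ss = secrets.randbelow(Q)
    share_cs = (h_to_zq(password) - share_ss) % Q
    return share_ss, share_cs


def survivors_single_server(record, wordlist):
    """Candidates still possible once the single server's row has leaked."""
    survivors = []
    for word in wordlist:
        guess = hashlib.sha256(record["salt"] + word.encode("utf-8")).hexdigest()
        if secrets.compare_digest(guess, record["pvd"]):
            survivors.append(word)
    return survivors


def survivors_one_share(leaked_share, wordlist):
    """Candidates still possible once ONE of the two shares has leaked.

    For each candidate there is exactly one value the other server could
    hold that would make the candidate correct. The holder of a single
    share has nothing to compare that value with, so every candidate
    survives. Returns {candidate: share the other server would need}.
    """
    return {word: (h_to_zq(word) - leaked_share) % Q for word in wordlist}


def survivors_both_shares(share_ss, share_cs, wordlist):
    """Colluding servers: the shares recombine into H(pw), which collapses
    the situation back to the single-server model."""
    target = (share_ss + share_cs) % Q
    return [word for word in wordlist if h_to_zq(word) == target]


if __name__ == "__main__":
    password = "letmein"
    row = register_single_server(password)
    share_ss, share_cs = register_two_server(password)
    print("single server leak:", survivors_single_server(row, WORDLIST))
    print("SS share leak     :", sorted(survivors_one_share(share_ss, WORDLIST)))
    print("CS share leak     :", sorted(survivors_one_share(share_cs, WORDLIST)))
    print("both shares leak  :", survivors_both_shares(share_ss, share_cs, WORDLIST))
    # Registering the same password at another service server gives an
    # unrelated SS share, so reuse of the password is not visible in storage.
    other_ss, _ = register_two_server(password)
    print("fresh SS share differs:", other_ss != share_ss)
```

The example models only what each server stores; the login exchange between U, SS and CS is not reproduced here.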





The generalization as well as the applications of the two-server password system well support the underlying security model, in the sense that the enterprise headquarters naturally assumes adequate funds and strong security expertise and, therefore, affords and is capable of maintaining a highly trustworthy control server against both inside attackers and outside attackers. Without the concern of a single point of vulnerability, affiliating organizations that operate service servers are offloaded to some extent from strict security management, so they can dedicate their limited expertise and resources to their core competencies and to enhancing service provision to the users. From the perspective of users, they are able to assume the higher creditability of the enterprise while engaging in business with individual affiliating organizations.

A. Performance Measure

Since exponentiations dominate each party’s computation overhead, the two server password authentication system only counts the number of exponentiations as the computation performance. The digits before “/” denote the total number of exponentiations performed by each party, and the digits following “/” denote the number of exponentiations that can be computed offline. One round is a one-way transmission of messages. The two proposed protocols are quite efficient in terms of both computation and communication to all parties. Take U, for example: it needs to calculate 3 and 4 exponentiations in the two protocols, respectively, and 2 of them can be performed offline. This means U only computes 1 and 2 exponentiations in real time in the respective protocols, and the communication overhead for U is particularly low in terms of both bits and rounds. Table 1 below indicates the computation performance in terms of time and success rate (number of rounds) of the two server password authentication and single server authentication.

Table 1: Performance measure on Two server and Single server password authentication scheme

Scheme                                Time of Authenticity (milliseconds)    Success rate %
Two server password authentication    10                                     96
Single server                         8                                      87

B. Implementation

The implementation procedure is discussed below:

•    Password is split into two random numbers.
•    The user uses the same password to register to different service servers.
•    They connect either to distinct control servers or to the same control server.
•    The service server, an active adversary, acts arbitrarily to uncover the passwords and control the corruption of the password.
•    The control server, a passive adversary, acts according to the authentic function.
•    To initiate a request for service, User U sends his identity together with a service request to SS in M1.
•    SS first relays the request to CS by sending the user ID in M2,
•    then selects a random number b1 and computes B1 using his password share 1.
•    Upon receiving M2, CS chooses a random number b2 and computes B2 using his password share 2.
•    CS then sends B2 in M3 to SS.
•    Upon reception of B2, SS computes and sends B to U in M4.
•    After receiving M4, U selects and computes A and Su.
•    U then sends A and Su to SS in M5.
•    Getting the message, SS computes S1 and sends S1, A and Su to CS in M6.
•    Upon receipt of M6, CS computes S2 and checks whether Su.
•    If it holds, CS is assured of the authenticity of U, and continues the protocol by sending S2 to SS in M7; otherwise, CS aborts the protocol.
•    Assuming SS receives S2 in M7, it checks whether Su.
•    If it holds, SS is convinced of the authenticity of U.
•    At this stage, both servers have authenticated U.
•    SS then computes and sends Ss to U in M8 and afterward computes a session key K; otherwise, SS aborts the protocol.
•    Upon receiving M8, U checks if h(0, Sou) = Ss.
•    If it holds, U has validated the servers and then computes a session key K; otherwise, U aborts the protocol.

C. Discussions

With the two-server password system, the single point of vulnerability is totally eliminated. Without compromising both servers, no attacker can find user passwords through offline dictionary attacks. The control server being isolated from the public, the chance of it being attacked is substantially
minimized, thereby increasing the security of the overall system. The
system is also resilient to offline dictionary attacks by outside
attackers. This allows users to use easy-to-remember passwords and still
have strong authentication and key exchange. The system has no
compatibility problem with the single-server model. The generalization of
the two-server password system well supports the underlying security
model. In reality, adversaries take on a variety of forms, and no security
measures and precautions can guarantee that a system will never be
penetrated. By avoiding a single point of vulnerability, the two-server
model gives a system more time to react to attacks. The password-based
authentication and key exchange system is built upon a novel two-server
model, where only one server communicates with users while the other
server stays transparent to the public. Compared with previous solutions,
our system possesses many advantages, such as the elimination of a single
point of vulnerability, avoidance of PKI, and high efficiency.

             VI. CONCLUSION

          The two-server password authentication architecture consists of
two servers, namely the control server and the service server. The control
server is controlled by a passive adversary, whereas the service server is
controlled by an active adversary. The vulnerability factor is eliminated
in this process. An attacker needs both servers; without them, the
attacker cannot find the user passwords. The control server is isolated
from the public, so the possibility of it being attacked is minimized and
hence the overall system is protected. The password is split into two
random numbers. The user can use the same password for both servers, so
the overall system is user friendly. Neither inside attackers nor outside
attackers can easily enter the system. The two-server system is highly
used for practical applications.

         In contrast to existing multi-server password systems, the
two-server system has great potential for practical applications. It can
be directly applied to fortify existing standard single-server password
applications, e.g., FTP and Web applications.
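The password split described in the Discussions and Conclusion above, as an added example that is not code from the paper: the password is mapped to a number and divided into two random shares, one per server. The SHA-256 mapping, the modulus Q, the function names and the sample dictionary are assumptions made for this illustration.

```python
import hashlib
import secrets

# Assumption: a well-known 255-bit prime, used here only as the share modulus.
Q = 2**255 - 19


def password_to_number(password):
    """Map a password to an integer mod Q (SHA-256 is an illustrative choice)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % Q


def split_password(password):
    """Return (share1, share2) with share1 + share2 = pi (mod Q).

    share1 is uniformly random and independent of the password, which makes
    share2 uniformly random as well when looked at on its own.
    """
    pi = password_to_number(password)
    share1 = secrets.randbelow(Q)
    share2 = (pi - share1) % Q
    return share1, share2


def candidates_matching_both(share1, share2, dictionary):
    """With BOTH shares, an offline dictionary test identifies the password."""
    pi = (share1 + share2) % Q
    return [word for word in dictionary if password_to_number(word) == pi]


def complement_for_guess(share, guess):
    """With ONE share, every guess has a valid matching second share,
    so no candidate password can be ruled out offline."""
    return (password_to_number(guess) - share) % Q


if __name__ == "__main__":
    # Constructed sample dictionary and password, for illustration only.
    words = ["password", "123456", "sunshine", "letmein"]
    s1, s2 = split_password("sunshine")
    print("both shares  ->", candidates_matching_both(s1, s2, words))
    for w in words:
        c = complement_for_guess(s1, w)
        print("one share, guess %-8s -> consistent second share exists: %s"
              % (w, 0 <= c < Q))
```
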




Author’s Profile

T.S.Thangavel received the B.Sc degree in Computer Science (Bharathiyar
University) in 1991, the M.Sc degree in Computer Science (Bharathidasan
University) in 1993, and the M.Phil degree in Computer Science
(Bharathidasan University) in 2003. He is pursuing the Ph.D degree in the
Department of Science and Humanities (Anna University). He is working as
an assistant professor in the MCA department at K.S.Rangasamy College of
Technology, Tiruchengode.

Dr. A. Krishnan received his Ph.D degree in Electrical Engineering from
IIT, Kanpur. He is now working as an Academic Dean at K.S.Rangasamy
College of Technology, Tiruchengode, and as a research guide at Anna
University, Chennai. His research interests include Control Systems,
Digital Filters, Power Electronics, Digital Signal Processing, and
Communication Networks. He has published more than 165 technical papers
at various national/international conferences and journals.



