Yi, Xun (2010) Security Analysis of Yang et al.s' Practical Password-Based Two-Server Authentication and Key Exchange Systems. In: 2010 Fourth International Conference on Network and System Security (NSS 2010) : 1-3 September 2010, Melbourne, Australia, proceedings. Xiang, Yang, Samarati, Pierangela, Hu, Jiankun, Zhou, Wanlei and Sadeghi, Ahmad-Reza, eds. IEEE, Piscataway, NJ, pp. 574-578.

Abstract

Typical protocols for password-based authentication assumes a single server which stores all the passwords necessary to authenticate users. If the server is compromised, user passwords are disclosed. To address this issue, Yang et al. proposed a practical password-based two-server authentication and key exchange protocol, where a front-end server, keeping one share of a password, and a back-end server, holding another share of the password, cooperate in authenticating a user and, meanwhile, establishing a secret key with the user. In this paper, we present two ``half-online and half-offline'' attacks to Yang et al.'s protocol. By these attacks, user passwords can be determined once the back-end server is compromised. Therefore, Yang et al.'s protocol has no essential difference from a password-based single-server authentication protocol.

Search Google Scholar

Repository staff login