Cryptology ePrint Archive: Report 2010/393

A Privacy-Flexible Password Authentication Scheme for Multi-Server Environment

Jue-Sam Chou 1*, Yalin Chen 2, Chun-Hui Huang 3

Abstract: Since Kerberos suffers from KDC (Key Distribution Center) compromise and impersonation attack, a multi-server password authentication protocol which highlights no verification table in the server end could therefore be an alternative. Typically, there are three roles in a multi-server password authentication protocol: clients, servers, and a register center which plays the role like KDC in Kerberos. In this paper, we exploit the theoretical basis for implementing a multi-server password authentication system under two constraints: no verification table and user privacy protection. We found that if a system succeeds in privacy protection, it should be implemented either by using a public key cryptosystem or by a register center having a table to record the information shared with corresponding users. Based on this finding, we propose a privacy-flexible system to let a user can employ a random-looking dynamic identity or employ a pseudonym with the register center online or offline to login a server respectively according to his privacy requirement. Compared with other related work, our scheme is not only efficient but also the most conformable to the requirements that previous work suggest.

Category / Keywords: cryptographic protocols / password authentication, impersonation attack, user privacy protection, Kerberos, password guessing attack, smart card lost attack

Date: received 11 Jul 2010

Contact author: jschou at mail nhu edu tw

Available format(s): PDF | BibTeX Citation

Version: 20100713:042803 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]