Two Server Password Only Authentication Key Exchange through Web Service
Authors: Mrunal R Nikam, Prof. Chhaya Nayak
Abstract
A password-authenticated key exchange (PAKE) protocol is a cryptographic protocol that allows two parties, a client and a server, to authenticate each other mutually on the basis of a shared password and to establish cryptographic keys by exchanging messages, without explicitly revealing the password. The common practice is to store the password, or other authentication information, on a single server belonging to the service. If that server is compromised, a large number of clients' passwords are exposed at once. The solution in such scenarios is to split the password verification among two or more servers, so that even if one of the servers is compromised the password is not lost. In this proposed work we implement a symmetric solution for two-server PAKE: a registered user (the client) and its related information (username and password) are passed to the web server through web services, where the information is encrypted using Diffie-Hellman key exchange and the ElGamal encryption algorithm and a public key is generated and given to the client for the decryption process. The encrypted data is broken up and distributed among the active servers of the system and is reunited if and only if a trusted user is accessing the account. The system is integrated with a two-step mobile verification based on a random number for authenticating the user's mobile device.
Keywords: Diffie-Hellman, ElGamal Encryption, Web Service, PAKE, SOAP.
Introduction
Passwords are the most common way to prove the identity of a user when accessing protected data, accounts and the computer itself (via user accounts). The use of strong passwords is therefore essential to protect security and identity. Nowadays every important transaction requires a password, so passwords have to be kept in a database, and the security of that stored password is an important concern. It is therefore highly necessary to protect the password from every attacker. Earlier password-based authentication systems transmitted a cryptographic hash of the password over a public channel; an attacker who obtains the database can then work offline, rapidly testing candidate passwords against the true password's hash value. Studies have consistently shown that a large fraction of user-chosen passwords are readily guessed automatically. Recent research advances in password-based authentication allow a client and a server to authenticate each other with a password and at the same time establish a cryptographic key for secure communication after authentication. The current solutions for password-based authentication follow two strategies. The first strategy assumes that the client holds the server's public key in addition to sharing a password with the server; in this setting the client can send the password to the server under public-key encryption. The second strategy is called the password-only strategy and introduces a set of so-called "encrypted key exchange" protocols, where the password is used as a secret key to encrypt random numbers for the purpose of key exchange. Previous protocols for password-based authentication assume that a single server stores all the passwords necessary to authenticate clients.
So, when an attacker compromises the server, all the meaningful information about the passwords is available to the attacker in encrypted form, and with the help of tools and guessing the attacker can recover the required passwords and access the system's information. To avoid this problem we propose "Efficient Two Server Password Only Authentication Key Exchange through Web Service". In this system the user is secured by a two-server password authentication process together with proper mobile verification. The proposed system involves the use of updated Diffie-Hellman, updated ElGamal encryption and a web service.
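To make the two-server idea concrete, the following is an added illustrative example, not the paper's own protocol or code: the client's password is encoded as a group element and stored under ElGamal encryption, while the ElGamal private key exists only as two additive shares, one per server. A login check needs a partial decryption from both servers, and a single compromised server cannot open the stored element on its own. The group parameters (P, Q, G) are a toy safe-prime group chosen for readability, and all function names are this example's own.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 (both prime); g = 4 generates the order-q
# subgroup. Sizes are for readability only; a deployment needs a 2048-bit+ group.
P, Q, G = 2039, 1019, 4

def password_element(password: str) -> int:
    """Encode a password as the group element g^H(pw); this is what gets stored encrypted."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % Q
    return pow(G, h, P)

def split_keypair():
    """ElGamal key pair whose private key x = x1 + x2 (mod q) exists only as two shares."""
    x1 = secrets.randbelow(Q - 1) + 1   # share held by server 1 (non-zero)
    x2 = secrets.randbelow(Q - 1) + 1   # share held by server 2 (non-zero)
    y = pow(G, (x1 + x2) % Q, P)        # public key g^x, handed to the client
    return x1, x2, y

def encrypt(y: int, m: int):
    """Standard ElGamal: (g^r, m * y^r) with a fresh random r."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P

def partial_decrypt(share: int, c1: int) -> int:
    """Each server contributes c1^{x_i}; it never learns the other share."""
    return pow(c1, share, P)

def combine(c2: int, *partials: int) -> int:
    """Recover m = c2 / prod(c1^{x_i}); with a share missing the result is a blinded element."""
    d = 1
    for part in partials:
        d = (d * part) % P
    return (c2 * pow(d, -1, P)) % P

def verify_login(x1: int, x2: int, ciphertext, attempt: str) -> bool:
    """Both servers cooperate to open the stored element and compare it with the attempt."""
    c1, c2 = ciphertext
    d1 = partial_decrypt(x1, c1)   # computed on server 1
    d2 = partial_decrypt(x2, c1)   # computed on server 2
    return combine(c2, d1, d2) == password_element(attempt)

def one_server_view(x1: int, ciphertext) -> int:
    """What one compromised server can recover alone: m blinded by g^(r*x2), not m itself."""
    c1, c2 = ciphertext
    return combine(c2, partial_decrypt(x1, c1))
```

Because r and the missing share are both non-zero modulo q, the single-server result differs from the stored element for every ciphertext, so an attacker holding one server's database gains nothing to run a guessing attack against.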
Conclusion
- In this system, we have presented a symmetric protocol for two-server password-only authentication and key exchange.
- Security analysis has shown that our protocol is secure against passive and active attacks in the case that one of the two servers is compromised.
- Performance analysis has shown that our protocol is more efficient than the existing system.
Copyright
Copyright © 2025 Mrunal R Nikam, Prof. Chhaya Nayak. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.