Efficient Password Scheme Without Trusted Server

Efficient Password Scheme Without Trusted Server

Sattar J. Aboud (Iraqi Council of Representatives, Iraq), Mohamed Alnuaimi (Middle East University for Graduate Studies, Jordan) and Haidar S. Jabbar (Mansour University College, Iraq)
DOI: 10.4018/ijatem.2011010105
OnDemand PDF Download:
List Price: $37.50


In 2005, Lee suggested a password scheme for three participants without trusted server. Lee claimed that the scheme can withstand different attacks and give the perfect secrecy. In this paper, the authors demonstrate what the Lee scheme undergoes from the imitation attack. Simultaneously, the authors suggest an enhanced algorithm to resist the mentioned attacks.
Article Preview

Since the innovative method that withstands the password guessing attacks was presented by Lomas, Gong, Saltzer, and Needham (1989), there have been several password-typed authenticated key agreement schemes introduced. For example Jablon (1996) proposed a scheme were security relied on heuristic arguments. Also Halevi and Krawczyk (1999) introduced another scheme, the scheme considered as inflexible for security of password-typed authenticated scheme.

However, Boyarsky (1999) improved this scheme by making it secure in multi-user environment, but, this scheme is inappropriate for situation where communication has to be established between entities those sharing a common limited-entropy password. Another password-typed key exchange scheme has been suggested by Boyko, MacKenzie, and Patel (2000). This scheme is relied on two-party password-typed scheme. An enhancement for this scheme was made to multi-party setting by Bresson, Chevassut, and Pointcheval (2004). The security of Bresson, Chevassut, and Pointcheval scheme is based on the arbitrary oracle approach and in the ideal cipher approach.

Another scheme by Lee, Kim, Kim, and Yoo (2004) suggested a verifiable-typed key agreement scheme. In this scheme, the entity employs a document of the password, while the server keeps as a verifier for the password. Thus the scheme cannot let an opponent who able to exchange information with the server to impersonate any entity without running the dictionary attack in the password file. But, the scheme is not protected against stolen-verifier attack as Kwon (2004) has claimed. Also, Yoon and Yoo (2005) proposed a two-party key agreement scheme relied on Diffie and Hellman scheme.

Also Strangio (2006) presented another two-party key agreement protocol relied also on Diffie and Hellman scheme. Both schemes are not appropriate for large networks since they cannot assume each party shares a secret password with other entity. However, the first work that copes with off-line dictionary attacks is introduced by Bellovin and Merritt (2007). They presented a family of encrypted key exchange to resist dictionary attack. This protocol is very important and become the foundation for future work in this area.

Complete Article List

Search this Journal:
Volume 1: 2 Issues (2011)
View Complete Journal Contents Listing