A Novel Two-Server Password Authentication Scheme with Provable Security

Traditional protocols for password-based authentication assume a single server which stores all the information (e.g., the password) necessary to authenticate a user. Unfortunately, there is a fatal limitation of this approach (assuming low-entropy passwords are used), which the users password exposed if this server is compromised by an adversary. When an attacker obtains the information stored on the server, he can obtain all the passwords which were stored in the server via launching an off-line dictionary attack. To address this issue, a number of schemes have been proposed in which a user´s password information is shared among multiple servers, and these servers cooperate in a threshold manner the user wants to authenticate. In this paper, a new efficient two-server password-only authenticated key exchange scheme is proposed. Comparing with the schemes in literature, our scheme has lower computational complexity than the previous schemes in, while in same communication rounds in the schemes in literature. This proposed scheme is particularly suitable for implementation of computational resource-restrained environment such as mobile and smart card applications etc.