The present invention relates generally to password-based authentication in server systems, and more specifically to password-based authentication in plural-server systems whereby access to a resource is controlled in dependence on authentication of user passwords by the server system.
Passwords are still the most prevalent mechanism for user authentication in data processing systems. In conventional password-based authentication systems, users connect to a server which controls access to the protected resource and maintains a database of user IDs, e.g. user names, with their associated user passwords stored in simple hashed form. If the access control server is compromised, however, user passwords are vulnerable to offline attacks using dictionaries or brute-forcing of the message space. As current graphical processors can test many billions of combinations per second, security should be considered lost as soon as an offline attack can be mounted against the password data.
To reduce exposure to offline attack through server compromise, password-based authentication can be performed by a plurality of servers. The authentication data can be split between multiple servers, and the user then interacts with all servers in the authentication protocol since information of all servers is required for authentication. This improves security as more than one server must be hacked for user passwords to be compromised. An example of a multi-server authentication system is described in “Round-optimal password-protected secret sharing and T-PAKE in the password-only model”, Jarecki et al., ASIACRYPT 2014, Part II.
Resistance against server compromise is one thing, but knowing how to recover from such an event is another. Without secure recovery, all one can do in case of a detected breach is to re-initialize all servers with fresh cryptographic keys for the authentication protocol and request all users to reset their passwords. In cryptographic literature, recovery from compromise is known as proactive security or security against transient corruptions. Proactive security can be realized by letting the servers engage in an interactive refresh protocol to re-compute their keys.