Integrated key exchange protocol capable of revealing spoofing and resisting dictionary attacks

Abstract

[Abstract]: In this paper we propose a new verifier-based password authentication protocol using Dynamic Passwords. The protocol features mutual authentication, integrated session key exchange and is resistant to both dictionary attacks and replay attacks. It also reveals any successful spoofing. The protocol achieves these features by using one-way hash functions, symmetric encryption and two-part Dynamic Passwords. Dynamic Passwords break user passwords into two parts: a dynamic part and a static part. The dynamic part is similar to a one-time password, which can reveal to a legitimate user if any spoofing has occurred and makes the protocol more resistant to social engineering. The static part adds entropy to the password and makes the password more resistant to dictionary attacks. Due to the fact that verifiers are not plain-text equivalent to passwords and from which no meaningful information about passwords can be extracted, verifiers in contrast to passwords are stored in authentication servers. The protocol is most suitable for mobile users because no persistent data is stored on the user side.