A New Password Authentication Based On Secret Sharing

Posted on: 2018-06-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Xu
Full Text: PDF
GTID: 2348330521451512
Subject: Engineering
Abstract/Summary:
With the rapid development of the Internet and the growing number of application systems, network technology is penetrating every field of social life at remarkable speed and brings many conveniences to people's lives. Password-based authentication, which is used to determine a user's identity, has become the most commonly used authentication mechanism for online services and applications, because it is easy to manage, simple to operate, and incurs no additional cost. Users only need their own preset password to authenticate to various servers, and they can log in to the service system once authentication succeeds. However, users frequently reuse the same password across services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the user's account information. Based on an analysis of existing authentication schemes such as SPA and 2PASS, this thesis proposes a single-password third-party authentication protocol based on secret sharing between a server and a portable mobile device. The main contents are summarized as follows:

(1) We propose a protocol that allows a user to authenticate securely to multiple services with a single password, which reduces the burden on the user's memory.

(2) No online service ever learns the user's password, or any deterministic function of the user's password. In particular, no online service ever learns enough information to impersonate a user to any other service.

(3) The user experience is simple and similar to the typical password login experience that users are already used to.

(4) The PC does not need to store any secret information about the user, which prevents brute-force attacks against ciphertext stored on the PC. Furthermore, the user's secret information is shared between the mobile device and the server, so whether the mobile device is lost or stolen, or the server is attacked, the safety of the information is not affected.

(5) Even if the password has been obtained by an adversary, the safety of the information is not affected, because the password alone cannot complete authentication; the help of the mobile device is also needed. Nor does the safety of the transmission channel need to be a concern, because a series of operations, such as encoding mapping, selection of random strings, and confusion and diffusion, makes the distribution of the authentication information more uniform and its randomness better.

(6) Finally, security analysis and experimental results obtained on the Eclipse platform show that our scheme greatly improves the security of the user's secret information. At the same time, our scheme can resist dictionary attacks, honeypot attacks, cross-site scripting attacks and phishing attacks. Moreover, it is easy to deploy.
Keywords/Search Tags:Password-based authentication, Secret sharing, Mobile, Malware, Dictionary attacks