Zero Knowledge Password Authentication Protocol
Nivedita Datta
Supercomputer Education & Research Centre
Indian Institute of Science, Bangalore
Bangalore, India
nivedita.mtech@gmail.com
Abstract. In many applications, the password is sent as cleartext to the server to
be authenticated, giving an eavesdropper the opportunity to steal
valuable data. This paper presents a simple protocol based on zero knowledge
proof by which the user can prove to the authentication server that he has the
password without having to send the password to the server, either as cleartext
or in encrypted form. Thus the user can authenticate himself without
actually revealing the password to the server. Another version of this protocol
is also proposed, which makes use of public key cryptography, thus adding
one more level of security to the protocol and enabling mutual authentication
between the client and server.
Keywords: computer network, computer security, authentication protocol,
zero-knowledge proof, password.
1 Introduction
1.1 Motivation
In today's Internet, most people have mail accounts or accounts with
social networking sites and the like, where they need to authenticate themselves before logging
in and accessing their resources. However, very few people are
aware that many such applications use PAP (Password
Authentication Protocol) to authenticate users, which is not very secure.
In PAP, the password is stored in hashed form on the server along
with its corresponding username, making it less vulnerable to attacks. Still, the fact that the
username-password pair travels in the clear on the wire makes it vulnerable to attacks like
eavesdropping and packet sniffing, which easily reveal the sensitive data to the intruder.
Here it is assumed that only the user knows the sensitive data (the password), which is
secret information for him.
1.2 Contribution
This paper presents a protocol by which users can be authenticated by the
authentication server without having to reveal the password. This protocol, based on
 