The Secure Sockets Layer (SSL) techniques used with client-side certificates on commercial web sites rely on a relatively weak form of password authentication: the browser sends the user's plaintext password to a remote web server over SSL, and this is vulnerable to attack. In common password attacks, attackers exploit the fact that web users often use the same password at many different sites. This has drawn attention to the need for new hash-function designs. In addition, authentication systems that store passwords on a single central server are easily attacked. To overcome the problem of single-server password attacks, multi-server systems were proposed in which the user communicates in parallel with several or all of the servers. Such systems require large communication bandwidth and complex deployment, need synchronization on the user side, and are quite expensive. Our work proposes an optimized two-server system.
Our work presents a browser-extension password hash with a user interface that strengthens web passwords in a two-server authentication system. The hash is implemented using a pseudo-random function (PRF) keyed by the password. Since the hash output is tailored to meet the server's password requirements, the resulting hashed password is handled normally at the server with no server modifications. The two-server authentication system is interfaced with the client-side hashed passwords and the server session keys. The two-server system consists of a front-end service server, which interacts directly with the user, and a back-end control server, which is visible only to the service server. Users contact only the service server, but both servers are responsible for authenticating the user. The user's password is transformed into two long secrets, one held by the service server and the other by the control server.