An integrated user authentication and access control scheme without public key cryptography

Abstract

Conventionally, user authentication and access control are two separate security mechanisms in many distributed systems. An integrated design of user authentication and access control may provide better performance in terms of security and computational complexity. We discuss the pros and cons of the separate approach and the integrated approach, and then propose a new integrated scheme without using public key cryptography. The new scheme has several practical merits - no user-sensitive data stored on the server, no storage for access list or capability list on the server, extreme low computational cost, the freedom of choosing users' passwords, and mutual authentication.