Security analysis of Yang et al.'s practical password-based two-server authentication and key exchange system

Typical protocols for password-based authentication assumes a single server which stores all the passwords necessary to authenticate users. If the server is compromised, user passwords are disclosed. To address this issue, Yang et al. proposed a practical password-based two-server authentication and key exchange protocol, where a front-end server, keeping one share of a password, and a back-end server, holding another share of the password, cooperate in authenticating a user and, meanwhile, establishing a secret key with the user. In this paper, we present two "half-online and half-offline" attacks to Yang et al.'s protocol. By these attacks, user passwords can be determined once the backend server is compromised. Therefore, Yang et al.'s protocol has no essential difference from a password-based singleserver authentication protocol.