Abstract: In password-authenticated key exchange (PAKE), a client and a server that share a password authenticate each other and establish a cryptographic key by exchanging previously generated shares. In this setting all passwords are stored on a single server, which authenticates the client. If that server is compromised, whether by an external attack or by an insider, the passwords stored in its database become publicly known. In this paper we consider a setting where two servers are used to authenticate a client, so that if one server is compromised the attacker still cannot obtain the client's information from the compromised server. We present a system that uses ElGamal encryption together with the AES (Advanced Encryption Standard) algorithm, and uses Diffie-Hellman for key exchange. We also provide a solution to the SQL injection attack, which commonly occurs against databases. The proposed scheme is a password-only system in the sense that it requires neither a public key cryptosystem nor a PKI. The authentication scheme also integrates an SMS API for two-step verification, as in Gmail, which provides additional security to the end user.
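As an added illustration of the two-server idea described above (this is example code, not the paper's protocol, and its ElGamal, AES and SMS components are not modelled), the following Python splits the password verifier into two XOR shares, one per server, and derives a fresh Diffie-Hellman session key for each client/server link. The group (RFC 2409 Oakley Group 2), the PBKDF2 verifier, the round count and the direct comparison of the two servers' partial results are all assumptions chosen to keep the block self-contained; the `offline_attack` function shows why a dump of one server's database is useless while a dump of both is not.

```python
"""Two-server password storage plus Diffie-Hellman key agreement (added illustration).

The password verifier is XOR-split into one share per server, so the database
of a single compromised server is uniformly random data and supports no offline
dictionary attack. Each client/server link derives a fresh Diffie-Hellman
session key. Standard library only; ElGamal, AES and the SMS step are not modelled.
"""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley Group 2 (1024-bit MODP), chosen only to keep the block
# self-contained; new deployments use the larger RFC 3526 groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PBKDF2_ROUNDS = 20_000  # assumption for a quick demo; raise it for real use


def dh_keypair():
    """Ephemeral Diffie-Hellman pair: (private exponent, public value)."""
    x = secrets.randbits(256)
    return x, pow(G, x, P)


def dh_session_key(private, peer_public):
    """32-byte session key from the shared secret; degenerate peers are rejected."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def verifier(username, password, salt):
    """Salted, slow password hash so that each guess costs work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               salt + username.encode(), PBKDF2_ROUNDS)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret):
    """XOR secret sharing: each share alone is uniformly random."""
    share1 = secrets.token_bytes(len(secret))
    return share1, xor(secret, share1)


class Server:
    def __init__(self, name):
        self.name = name
        self.db = {}  # username -> (salt, share); this is all a dump reveals

    def register(self, username, salt, share):
        self.db[username] = (salt, share)

    def salt_for(self, username):
        return self.db[username][0]

    def partial_check(self, username, fresh_share):
        """d_i = fresh share XOR stored share; d_1 == d_2 iff the verifiers match."""
        return xor(fresh_share, self.db[username][1])


def register(servers, username, password):
    salt = secrets.token_bytes(16)
    s1, s2 = split(verifier(username, password, salt))
    servers[0].register(username, salt, s1)
    servers[1].register(username, salt, s2)


def authenticate(servers, username, password):
    """Client login. Returns (accepted, [session key per server])."""
    keys = []
    for srv in servers:
        c_priv, c_pub = dh_keypair()  # client's ephemeral pair for this server
        s_priv, s_pub = dh_keypair()  # srv's ephemeral pair
        k_client = dh_session_key(c_priv, s_pub)
        k_server = dh_session_key(s_priv, c_pub)
        if not hmac.compare_digest(k_client, k_server):
            raise RuntimeError("key agreement with %s failed" % srv.name)
        keys.append(k_client)
    # Fresh shares of the entered password's verifier; in a real system a_i is
    # sent to server i encrypted under keys[i], so no server sees the verifier.
    a1, a2 = split(verifier(username, password, servers[0].salt_for(username)))
    d1 = servers[0].partial_check(username, a1)
    d2 = servers[1].partial_check(username, a2)
    # Simplification: the servers compare d1 and d2 directly. A deployable
    # two-server PAKE does this comparison so that an actively malicious server
    # learns nothing about the other share; this toy does not attempt that.
    return hmac.compare_digest(d1, d2), keys


def offline_attack(username, salt, known_shares, candidates):
    """Dictionary search over a database dump. With both shares the verifier is
    rebuilt and the password is found; with one share the target is random
    noise and no candidate ever matches."""
    target = known_shares[0]
    for s in known_shares[1:]:
        target = xor(target, s)
    for pw in candidates:
        if hmac.compare_digest(verifier(username, pw, salt), target):
            return pw
    return None
```

The salt is stored on both servers because it is not secret: what protects the password is that neither stored share is related to the verifier on its own, so the attacker who dumps one database has nothing to test guesses against.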

Keywords: Diffie-Hellman key exchange, ElGamal encryption, AES algorithm, SQL injection attack.
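The abstract and keywords name SQL injection against the password database as one of the problems addressed but do not state the countermeasure. The standard defence is to bind user input as a query parameter rather than pasting it into the SQL text; the following added Python example (not the paper's implementation) puts the two patterns side by side on a constructed in-memory SQLite table, using a username that contains a quote character to show that the concatenated query hands the input to the SQL parser while the parameterised query treats it as data.

```python
"""Parameterised queries as the defence against SQL injection (added example).

Constructed in-memory SQLite table with two users; one lookup built by string
concatenation, one with a bound parameter. Table name, columns and rows are
assumptions for the demo, not the paper's schema.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, verifier BLOB)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", b"\x01"), ("o'brien", b"\x02")])  # constructed rows
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the input becomes part of the SQL text, so a quote
    in it ends the string literal early and the remainder is parsed as SQL."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()


def lookup_parameterised(conn, username):
    """Hardened pattern: the driver binds the value; it is never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def quote_is_handled(lookup, conn):
    """True if the lookup treats a name containing a quote as plain data."""
    try:
        return lookup(conn, "o'brien") == ("o'brien",)
    except sqlite3.OperationalError:
        # the concatenated version fails here: the input broke the SQL syntax
        return False
```

The syntax error is the benign symptom; the underlying defect is that the input controls the structure of the statement, and only the bound-parameter form removes it.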