Your search keyword '"HMAC-based One-time Password Algorithm"' showing total 124 results

1. A novel secure and efficient hash function with extra padding against rainbow table attacks

Author

Sunghyuck Hong, Jungpil Shin, and Hyung-Jin Mun

Subjects

Zero-knowledge password proof, Computer Networks and Communications, Salt (cryptography), Computer science, computer.internet_protocol, Crypt, Hash function, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Padding, Password strength, S/KEY, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Syskey, Key derivation function, Password psychology, Password, Authentication, Password policy, Cognitive password, Pass the hash, Password cracking, 020206 networking & telecommunications, Passphrase, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Hash chain, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer, Software

Abstract

User authentication is necessary to provide services on an application system and the Internet. Various authentication methods are used such as ID/PW, biometric, and OTP authentications. One of the popular authentications is ID/PW authentication. As an inputted password is transferred by one-way hash function and then stored in DB, it is difficult for the DB administrator to figure out the password inputted by the user. However, when DB is leaked, and there is the time to decode, the password can be hacked. The time and cost to decode the original message from the hash value corresponding a short password decrease. Therefore, if the password is short, then attacking cost is low, and password crack possibility is high. In the case where an attacker utilizes pre-computing rainbow tables, and the hash value of short passwords is leaked, the password that the user inputted can be cracked. In this research, to block rainbow table attacks, when the user generates a short password, by adding additional messages of identification information of a system or the user and extending the length of the password, we try to resolve the vulnerability of short passwords. By proposing a model to minimize the length of the password and the authority accordingly in mobile devices on which inputting passwords is not easy, we take security into consideration. Our proposal model is strong against rainbow table attack and provides efficient password system to users. It contributes to resolving password vulnerability and upgrades mobile users’ convenience in typing passwords.

Published

2017

2. Design and Implementation of a Two-Factor, One Time Password Authentication System

Author

TokulaUmaha I and EsiefarienrheBukohwo Michael

Subjects

Password, Password policy, Zero-knowledge password proof, Computer science, business.industry, computer.internet_protocol, One-time password, Password strength, S/KEY, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Computer network

Published

2015

3. Three Way Graphical Password Authentication

Author

Ashwini Waghmare and R S Yenape

Subjects

Password, Zero-knowledge password proof, computer.internet_protocol, Computer science, HMAC-based One-time Password Algorithm, Challenge–response authentication, Computer security, computer.software_genre, Password psychology, computer, One-time password, Password strength, S/KEY

Published

2017

4. Leakage-resilient password entry: Challenges, design, and evaluation

Author

Qiang Yan, Jianying Zhou, Yingjiu Li, Jin Han, and Robert H. Deng

Subjects

Password, User authentication, Zero-knowledge password proof, Authentication, Password policy, Cognitive password, General Computer Science, Salt (cryptography), computer.internet_protocol, Computer science, Passphrase, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Key stretching, Syskey, Microsoft Office password protection, HMAC-based One-time Password Algorithm, Challenge–response authentication, Law, computer

Abstract

Password leakage is one of the most serious threats for password-based user authentication. Although this problem has been extensively investigated over the last two decades, there is still no widely adopted solution. In this paper, we attempt to systematically understand the challenges behind this problem and investigate the feasibility of solving it. Since password leakage usually happens when a password is input during authentication, we focus on designing leakage-resilient password entry (LRPE) schemes in this study. We develop a broad set of design criteria and use them to construct a practical LRPE scheme named CoverPad, which not only improves leakage resilience but also retains most usability benefits of legacy passwords. Its practicability is further verified by an extended user study.

Published

2015

5. A Study on the OTP Generation Algorithm for User Authentication

Author

Dong-Ryool Kim

Subjects

Password, Authentication, computer.internet_protocol, Computer science, Value (computer science), Computer security, computer.software_genre, One-time password, S/KEY, Collision resistance, HMAC-based One-time Password Algorithm, Algorithm, computer, Personally identifiable information

Abstract

A disposable password is necessary to avoid any danger by the use of a static password and reinforce the user's authentication. In order to prevent personal information from being exposed, OTP generation algorithm is regarded as important. The OTP generation algorithm we suggest in this thesis generates 256-bit-size OTP Data by using Seed value and Time value. This value that the generated OTP Data are arranged with a matrix and a 32-bit-value is extracted on an irregular basis becomes the final value. We can find out that the more OTP generation frequency we have, the lower probability of clash tolerance we get in our suggested algorithm, compared to the previous algorithm.Key Words : Authentication, One Time Password, Random Number, Truncation Function, Collision Resistance * 본 논문은 2013년 동명대하교 교내 학술연구비에 의하여 지원되었음Received 22 October 2014, Revised 28 November 2014Accepted 20 January 2015Corresponding Author: Dong Ryool Kim(Dept. of Mechatronics Engineering, Tongmyong University)Email: drkim@tu.ac.kr Ⓒ The Society of Digital Policy & Management. All rights reserved. This is an open-access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0), which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is ISSN: 1738-1916 properly cited.

Published

2015

6. Enhanced Password Based User Authentication Mechanism Using Mobile Storage Medium/Channel

Author

In-June Joe, Seon Young Kim, and Seon-Joo Kim

Subjects

Password, Computer science, business.industry, computer.internet_protocol, Multi-factor authentication, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Computer network

Published

2014

7. Image Based Password using RSA Algorithm

Author

P. L. Chithra and C. Vishnu Priya

Subjects

Password, computer.internet_protocol, Computer science, HMAC-based One-time Password Algorithm, computer, Algorithm, Image based

Published

2016

8. The TypTop System

Author

Joanne Woodage, Thomas Ristenpart, Yuval Pnueli, Anusha Chowdhury, and Rajdeep Mohan Chatterjee

Subjects

Zero-knowledge password proof, Dictionary attack, computer.internet_protocol, Salt (cryptography), Computer science, 02 engineering and technology, Encryption, Computer security, computer.software_genre, One-time password, Password strength, PBKDF2, S/KEY, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Syskey, Microsoft Office password protection, 0501 psychology and cognitive sciences, Key derivation function, Password authentication protocol, Password psychology, 050107 human factors, Password, Password policy, Authentication, Cognitive password, business.industry, 05 social sciences, Password cracking, Passphrase, Rainbow table, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

Password checking systems traditionally allow login only if the correct password is submitted. Recent work on typo-tolerant password checking suggests that usability can be improved, with negligible security loss, by allowing a small number of typographical errors. Existing systems, however, can only correct a handful of errors, such as accidentally leaving caps lock on or incorrect capitalization of the first letter in a password. This leaves out numerous kinds of typos made by users, such as transposition errors, substitutions, or capitalization errors elsewhere in a password. Some users therefore receive no benefit from existing typo-tolerance mechanisms. We introduce personalized typo-tolerant password checking. In our approach, the authentication system learns over time the typos made by a specific user. In experiments using Mechanical Turk, we show that 45% of users would benefit from personalization. Therefore, we design a system, called TypTop, that securely implements personalized typo-tolerance. Underlying TypTop is a new stateful password-based encryption scheme that can be used to store recent failed login attempts. Our formal analysis shows that security in the face of an attacker that obtains the state of the system reduces to the difficulty of a brute-force dictionary attack against the real password. We implement TypTop for Linux and Mac OS login and report on a proof-of-concept deployment.

Published

2017

9. SPHINX: A Password Store that Perfectly Hides Passwords from Itself

Author

Maliheh Shirvanian, Stanislaw Jareckiy, Nitesh Saxena, and Hugo Krawczykz

Subjects

Zero-knowledge password proof, Dictionary attack, Salt (cryptography), Computer science, computer.internet_protocol, 0211 other engineering and technologies, Cryptography, 02 engineering and technology, Password management, Encryption, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, World Wide Web, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Syskey, Password psychology, AKA, Password, 021110 strategic, defence & security studies, Password policy, Authentication, Cognitive password, business.industry, Password cracking, Plaintext, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, business, computer

Abstract

Password managers (aka stores or vaults) allow a user to store and retrieve (usually high-entropy) passwords for her multiple password-protected services by interacting with a "device" serving the role of the manager (e.g., a smartphone or an online third-party service) on the basis of a single memorable (low-entropy) master password. Existing password managers work well to defeat offline dictionary attacks upon web service compromise, assuming the use of high-entropy passwords is enforced. However, they are vulnerable to leakage of all passwords in the event the device is compromised, due to the need to store the passwords encrypted under the master password and/or the need to input the master password to the device (as in smartphone managers). Evidence exists that password managers can be attractive attack targets. In this paper, we introduce a novel approach to password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the information stored on the device is information theoretically independent of the user's master password - an attacker breaking into the device learns no information about the master password or the user's site-specific passwords. Moreover, an attacker with full control of the device, even at the time the user interacts with it, learns nothing about the master password - the password is not entered into the device in plaintext form or in any other way that may leak information on it. Unlike existing managers, SPHINX produces strictly high-entropy passwords and makes it compulsory for the users to register these randomized passwords with the web services, hence fully defeating offline dictionary attack upon service compromise. The design and security of SPHINX is based on the device-enhanced PAKE model of Jarecki et al. that provides the theoretical basis for this construction and is backed by rigorous cryptographic proofs of security. While SPHINX is suitable for different device and online platforms, in this paper, we report on its concrete instantiation on smartphones given their popularity and trustworthiness as password managers (or even two-factor authentication). We present the design, implementation and performance evaluation of SPHINX, offering prototype browser plugins, smartphone apps and transparent device-client communication. Based on our inspection analysis, the overall user experience of SPHINX improves upon current managers. We also report on a lab-based usability study of SPHINX, which indicates that users' perception of SPHINX security and usability is high and satisfactory when compared to regular password-based authentication. Finally, we discuss how SPHINX may be extended to an online service for the purpose of back-up or as an independent password manager.

Published

2017

10. Color Scheme Authentication for Session Password

Author

Abirami A, Indhu D, and Surya G

Subjects

Password, computer.internet_protocol, Computer science, business.industry, One-time password, Password strength, S/KEY, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Data Authentication Algorithm, Computer network

Published

2017

11. A Text based Authentication Scheme for Improving Security of Textual Passwords

Author

Shah Zaman Nizamani, Tariq Jamil Saifullah Khanzada, Syed Raheel Hassan, and Mohd Zalisham Jali

Subjects

Zero-knowledge password proof, Software_OPERATINGSYSTEMS, Dictionary attack, General Computer Science, Computer science, computer.internet_protocol, Salt (cryptography), 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, Keystroke logging, Encryption, One-time password, Password strength, S/KEY, Shoulder surfing, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Password psychology, Password, 021110 strategic, defence & security studies, User authentication, Password policy, Authentication, Cognitive password, business.industry, Password cracking, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

User authentication through textual passwords is very common in computer systems due to its ease of use. However textual passwords are vulnerable to different kinds of security attacks, such as spyware and dictionary attacks. In order to overcome the deficiencies of textual password scheme, many graphical password schemes have been proposed. The proposed schemes could not fully replace textual passwords, due to usability and security issues. In this paper a text based user authentication scheme is proposed which improves the security of textual password scheme by modifying the password input method and adding a password transformation layer. In the proposed scheme alphanumeric password characters are represented by random decimal numbers which resist online security attacks such as shoulder surfing and key logger attacks. In the registration process password string is converted into a completely new string of symbols or characters before encryption. This strategy improves password security against offline attacks such as brute-force and dictionary attacks. In the proposed scheme passwords consist of alphanumeric characters therefore users are not required to remember any new kind of passwords such as used in graphical authentication. Hence password memorability burden has been minimized. However mean authentication time of the proposed scheme is higher than the textual password scheme due to the security measures taken for the online attacks.

Published

2017

12. Threshold Single Password Authentication

Author

Devris Isler and Alptekin Küpçü

Subjects

Password, Authentication, Honeypot, Dictionary attack, computer.internet_protocol, Computer science, Salt (cryptography), 020206 networking & telecommunications, 02 engineering and technology, Adversary, Computer security, computer.software_genre, Login, One-time password, Phishing, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, Password authentication protocol, Challenge–response authentication, computer

Abstract

Passwords are the most widely used form of online user authentication. In a traditional setup, the user, who has a human-memorable low entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either non-portable or insecure against many attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks. Three previous studies (Acar et al. 2013, Bicakci et al. 2011, and Jarecki et al. 2016) provide solutions secure against offline dictionary attacks by additionally employing a storage provider (either a cloud storage or a mobile device for portability). These works provide solutions where offline dictionary attacks are impossible as long as the adversary does not corrupt both the login server and the storage provider.

Published

2017

13. Multifactor Authentication Using a QR Code and a One-Time Password

Author

Dhiraj Girdhar, Jyoti Malik, G. Sainarayanan, and Ratna Dahiya

Subjects

Password, Password policy, Zero-knowledge password proof, Computer science, computer.internet_protocol, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Operating system, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer, Software, Information Systems

Published

2014

14. Graphical Password Authentication Scheme for Embedded Platform

Author

Siva Janakirama, K. Thenmozhi, Rengarajan Amirtharaj, and John Bosco Balaguru Rayappan

Subjects

Password, Scheme (programming language), computer.internet_protocol, Computer science, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Artificial Intelligence, HMAC-based One-time Password Algorithm, Password authentication protocol, Challenge–response authentication, computer, Software, computer.programming_language

Published

2014

15. An Improved Scheme of One-Time Password Identity Authentication Based on the S/KEY System

Author

Yu Guan, Jia Yu Li, Hui Shi, Yuan Qing Deng, and Jing Gong

Subjects

Password, Zero-knowledge password proof, Authentication, Password policy, computer.internet_protocol, Computer science, Hash function, General Medicine, Multi-factor authentication, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Hash chain, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

This paper analyzes several kinds of S/KEY One-time Password (OTP) identity authentication schemes, and designs a new OTP identity authentication scheme with the increasing hash chains. The new scheme overcomes the weakness of common OTP schemes which need to reset parameters when used, consequently reduces the sever burden, and does not need any kinds of assists provided by additional hardware or serves. Furthermore, it can realize the client - server authentication and resist the common network attacks.

Published

2014

16. A Robust and Efficient Password Authentication Scheme Using Smart Cards

Author

Hua Zhang, Ping Zhu, Zheng Ping Jin, and Wei Jing Li

Subjects

Zero-knowledge password proof, computer.internet_protocol, Salt (cryptography), Computer science, Cryptography, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Secure communication, Forward secrecy, Key stretching, Session key, Password authentication protocol, Elliptic curve cryptography, Password, Password policy, business.industry, General Medicine, Mutual authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, HMAC-based One-time Password Algorithm, Smart card, Challenge–response authentication, business, computer

Abstract

Password authentication scheme using smart cards is an important part of securely accessing the server program. In 2012, Chen et al. proposed a robust smart-card-based remote user password authentication scheme. Recently, Li et al. discovered the scheme of Chen et al. cannot really ensure forward secrecy, and it cannot achieve the goal of efficiency for wrong password login. Then, they proposed an enhanced remote user password authentication scheme based on smart cards. In this paper, we propose a novel authentication scheme by using elliptic curve cryptography. The new scheme can achieve both the user anonymity and the goal of efficiency of incorrect password detection, and can also establish a session key for the subsequent secure communication. Moreover, we show by a detailed analysis that it requires lower computation cost while improving the security of the scheme.

Published

2014

17. M-Pass: Web Authentication Protocol Resistant to Malware and Phishing

Author

A. K. Gupta and Ajinkya S. Yadav

Subjects

Zero-knowledge password proof, Computer science, Salt (cryptography), computer.internet_protocol, Internet privacy, Keystroke logging, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Key stretching, Syskey, Microsoft Office password protection, Password psychology, Password, User authentication, Password policy, Authentication, Cognitive password, business.industry, Password cracking, Passphrase, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

this digital world all information and data is kept safe by passwords. The simple and convenient format of password is in the form of text. But, text passwords are not always strong enough and under different vulnerabilities they are very easily stolen and changed. When a person creates a weak password or same password is reused in many sites it may be possible that others can acquire that password. If one password is stolen, then it is possible that it can be used for all the websites. This phenomenon is known as the Domino Effect. Another possible risky attacks are related to phishing, malware and key loggers etc. A protocol is designed which makes use of the user's customer's mobile i.e. cellular phone and SMS (short message service) to ensure protection against password stealing attacks. This user authentication protocol is named as m-Pass. The unique phone number is required which will be possessed by each participating website. The telecommunication service provider plays important role in the registration and the recovery phases. The main theme is to reduce the password reuse attack. It works with one time password technology, and results in reduction of the password validity time. The results show improvement in performance of the security. KeywordsSecurity, m-Pass, Phishing, authentication

Published

2014

18. Under the Cloud-Based ECC Dynamic Password Authentication Scheme Design

Author

Hong Gan and Dan Pan

Subjects

Scheme (programming language), Password, Computer science, computer.internet_protocol, business.industry, Cloud computing, One-time password, S/KEY, Password strength, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, computer.programming_language, Computer network

Published

2016

19. An Improved Password Authentication Scheme for Smart Card

Author

Cheng-Yi Tsai, Chiu-Shu Pan, and Min-Shiang Hwang

Subjects

Password, Computer science, business.industry, computer.internet_protocol, Data_MISCELLANEOUS, Internet privacy, Password cracking, 020206 networking & telecommunications, 02 engineering and technology, Multi-factor authentication, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

In recent times, Wei et al. proposed a secure smart card based on remote user password authentication scheme. Their scheme is more secure than other schemes. In this article, we will prove their scheme is vulnerable to password guessing attack, privileged insider attack, and denial of service attack. Furthermore, we will propose an improved scheme to eliminate the security vulnerability.

Published

2016

20. Two-factor authentication system based on extended OTP mechanism

Author

Okkyung Choi, Yunlim Ku, Manpyo Hong, Jai-Hoon Kim, Taeshik Shon, Hongjin Yeh, and Kangseok Kim

Subjects

Password, Password policy, Authentication, computer.internet_protocol, Computer science, Applied Mathematics, Multi-factor authentication, Man-in-the-middle attack, Computer security, computer.software_genre, One-time password, Computer Science Applications, S/KEY, Computational Theory and Mathematics, HMAC-based One-time Password Algorithm, computer

Abstract

The recent increase in smartphone supply drives more users to utilize mobile financial services and it magnifies the importance of mobile security solutions. But it is not easy to defend cyber-attacks against financial services because the attacks get more diverse every year. The recent solution, OTP one time password, is the most commonly used financial security measure to defend session attacks, but the downside is that it is hard to implement differentiated OTP creation mechanism to it. This research intends to solve the problem by suggesting Two-Factor authentication mechanism that utilizes graphical OTP. It is an extension of OTP mechanism which implements the graphical one time password to mobile financial security to reinforce mobile's way of authenticating with only ID and Password or digital certificate from banks; and it will defend against more diverse mobile hackings.

Published

2013

21. Security using 3D Password

Author

Abhilash Shukla and Dhatri Raval

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Computer science, Salt (cryptography), computer.internet_protocol, Computer security, computer.software_genre, Encryption, One-time password, S/KEY, Password strength, Syskey, Password psychology, Data Authentication Algorithm, Password, Password policy, Authentication, Cognitive password, business.industry, Password cracking, Multi-factor authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

Authentication of any system means providing a security to that system. There are number of authentication techniques like textual, biometrics etc. This type of textual password commonly follows an encryption algorithm to provide security. Each of these techniques has some limitations and drawbacks. To overcome the drawbacks, a new authenticate technique is now available. This new authentication technique, known as 3D Password, is multi-factor and multi-factor authentication technique. The most important part of 3D Password is virtual environment containing the user interface which looks like a real time environment, but is not actually a real time environment [3]. 3D password is more secure technique of authentication in comparison to other techniques because it is difficult to break and simple to use [1].

Published

2015

22. An enhanced smart card based remote user password authentication scheme

Author

Xiong Li, Muhammad Khurram Khan, Jianwei Niu, and Junguo Liao

Subjects

Zero-knowledge password proof, Computer Networks and Communications, computer.internet_protocol, Salt (cryptography), Computer science, Computer security, computer.software_genre, Login, One-time password, law.invention, Password strength, S/KEY, 3-D Secure, Secure communication, law, Forward secrecy, Key stretching, Session key, Syskey, Password authentication protocol, Password, Authentication, Password policy, Cognitive password, business.industry, Password cracking, Multi-factor authentication, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Hardware and Architecture, HMAC-based One-time Password Algorithm, Smart card, Challenge–response authentication, Cryptanalysis, business, computer

Abstract

Smart card based password authentication is one of the simplest and efficient authentication mechanisms to ensure secure communication in insecure network environments. Recently, Chen et al. have pointed out the weaknesses of some password authentication schemes and proposed a robust smart card based remote user password authentication scheme to improve the security. As per their claims, their scheme is efficient and can ensure forward secrecy of the session key. However, we find that Chen et al.'s scheme cannot really ensure forward secrecy, and it cannot detect the wrong password in login phase. Besides, the password change phase of Chen et al.'s scheme is unfriendly and inefficient since the user has to communicate with the server to update his/her password. In this paper, we propose a modified smart card based remote user password authentication scheme to overcome the aforementioned weaknesses. The analysis shows that our proposed scheme is user friendly and more secure than other related schemes.

Published

2013

23. Mitigating Vulnerabilities in 3-Factor based Authentication

Author

Irfan Siddavatam and Yogita Borse

Subjects

Password, Challenge-Handshake Authentication Protocol, Password policy, User authentication, Authentication, Cognitive password, computer.internet_protocol, Computer science, business.industry, Multi-factor authentication, Computer security, computer.software_genre, One-time password, Chip Authentication Program, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 3-D Secure, Authentication protocol, HMAC-based One-time Password Algorithm, Smart card, Challenge–response authentication, business, computer, Data Authentication Algorithm

Abstract

Remote user authentication schemes are use to identify a user in the distributed environment. There are three different factors commonly use for authentication purpose named as password, smart card and biometric. It is been observed that authentication protocols designed till date are based on password. Normally, password is used as a first authentication factor, where as other two factors are included according to the level of security requirements. In this paper, analysis of 3-factor based protocols is done on the basis of wrong password input and stolen smart card vulnerabilities. Paper also suggest the improvements to control these vulnerabilities.

Published

2013

24. Two Factor Authentication Using Smartphone Generated One Time Password

Author

Sagar Acharya Sagar Acharya

Subjects

Authentication, Computer science, computer.internet_protocol, business.industry, Cryptography, Multi-factor authentication, Security token, Computer security, computer.software_genre, One-time password, Mobile phone, HMAC-based One-time Password Algorithm, Android (operating system), business, computer, Computer network

Abstract

This paper explains a method of how the two factor authentication implemented using SMS OTP or OTP generated by Smartphone- One Time Password to secure user accounts. The proposed method guarantees authenticating online banking features are secured also this method can be useful for e-shopping & ATM machines. The proposed system involves generating and delivering a One Time Password to mobile phone. Smartphone can be used as token for creating OTP or OTP can be send to mobile phone in form of SMS. The generated OTP is valid for only for short period of time and it is generated and verified using Secured Cryptographic Algorithm. The proposed system has been implemented and tested successfully. Keywords - OTP, Authentication, SHA-1, Cloud, token, Android

Published

2013

25. A New Password-Based Multi-server Authentication Scheme Robust to Password Guessing Attacks

Author

Nai-Wei Lo, Jia-Lun Tsai, and Tzong-Chen Wu

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, computer.internet_protocol, Salt (cryptography), Computer science, Data_MISCELLANEOUS, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Key stretching, Syskey, Key derivation function, Electrical and Electronic Engineering, Password, Password policy, Authentication, Cognitive password, Password cracking, Multi-factor authentication, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer, Digest access authentication, Cryptographic nonce

Abstract

A multi-server authentication scheme is a useful authentication mechanism in which a remote user can access the services of multiple servers after registering with the registration center (RC). This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to undetectable password-guessing attack and offline password-guessing attack. This study proposes a new password-based multi-server authentication scheme to overcome these vulnerabilities. The proposed protocol introduces a new mechanism for protecting user password. The RC sends an alternative key to help the server verify the legitimacy of user instead of the user's password. The values of these keys are changed with a random large nonce in each session. Therefore, the password-guessing attack cannot work successfully on the proposed scheme.

Published

2012

26. OTP bidirectional authentication scheme based on MAC address

Author

Jiang Qi, Xi Ye, and Jingai Xu

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Computer science, computer.internet_protocol, 02 engineering and technology, 010402 general chemistry, 01 natural sciences, One-time password, S/KEY, Password strength, Lightweight Extensible Authentication Protocol, 0202 electrical engineering, electronic engineering, information engineering, Data Authentication Algorithm, Password, Password policy, Authentication, business.industry, Software token, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Chip Authentication Program, 0104 chemical sciences, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Computer network

Abstract

With the development of Internet technology, the traditional static password based authentication solutions are no longer an adequate protection scheme to various enterprise applications. In this article, the principle of dynamic password technology is described, and the pros and cons of implementing dynamic password technology by software and hardware are analyzed as well. In addition, a dynamic password mutual authentication protocol base on MAC/IMEI of client is designed. The system architecture, authentication processes and safety measures are described and its security is also analyzed, which proves the high security features and wide application of such system. The new OTP scheme can be conveniently used and implemented with significant cost efficiency. It is mutual authentication and resistant to phishing attacks.

Published

2016

27. A Two-Factor Single Use Password Scheme

Author

Narayan Murthy, R. Rajesh, and B. Mathivanan

Subjects

Password, Zero-knowledge password proof, Salt (cryptography), computer.internet_protocol, Computer science, Syskey, HMAC-based One-time Password Algorithm, Algorithm, computer, One-time password, Password strength, S/KEY

Published

2016

28. Amnesia: A Bilateral Generative Password Manager

Author

Kun Sun, Yue Li, and Luren Wang

Subjects

Zero-knowledge password proof, Software_OPERATINGSYSTEMS, Computer science, computer.internet_protocol, Salt (cryptography), 02 engineering and technology, Encryption, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, World Wide Web, Password fatigue, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Microsoft Office password protection, Syskey, Android (operating system), Password psychology, Password, Password policy, Authentication, Cognitive password, business.industry, Password cracking, Passphrase, Possession (law), ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

While numerous flaws have been recognized in using passwords as a method of authentication, passwords still remain the de-facto authentication standard in use today. Though password managers can ameliorate password fatigue, the vast majority of password managers require the user to choose and maintain a strong master password while offering little to no recourse in the event that the master password is compromised. The wide-application of cloud-based password managers congregate passwords in an encrypted database, which becomes an attractive target for attackers and also represents a single point of failure. In this paper, we propose Amnesia, a bilateral generative password manager that requires both the knowledge of the master password and the possession of the user's smartphone to generate website passwords for the user. Our generative password manager is not vulnerable to the password database leakage, since it generates the requested password on demand using both the master password and the secret information on the smartphone. An attacker wishing to steal the user's website passwords has to compromise both the user's smartphone and the master password. Amnesia also has strong recovery capability when either the master password is compromised or the smartphone is lost/stolen. By using an Amnesia server, a user can have the access to the password manager on multiple computers without installing any software on those computers. We implemented an Amnesia system prototype using Android and Cherrypy web framework and evaluated it in terms of security, usability, and overhead. A user study of 31 testers shows that Amnesia increases password security while maintaining reasonable user convenience.

Published

2016

29. UC-secure Two-Server Password-Based Authentication Protocol and Its Applications

Author

Xuexian Hu, Zhenfeng Zhang, and Lin Zhang

Subjects

0301 basic medicine, Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, computer.internet_protocol, Salt (cryptography), Computer science, 0211 other engineering and technologies, 02 engineering and technology, Login, Computer security, computer.software_genre, One-time password, Secret sharing, S/KEY, Password strength, 03 medical and health sciences, Universal composability, Key stretching, Syskey, Key derivation function, Key exchange, Password, 021110 strategic, defence & security studies, Authentication, Password policy, Cognitive password, Password cracking, Cryptographic protocol, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 030104 developmental biology, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

A two-server password-based authentication (2PA) protocol is a special kind of authentication primitive that provides additional protection for the user's password. Through a 2PA protocol, a user can distribute his low-entropy password between two authentication servers in the initialization phase and authenticate himself merely via a matching password in the login phase. No single server can learn any information about the user's password, nor impersonate the legitimate user to authenticate to the honest server. In this paper, we first formulate and realize the security definition of two-server password-based authentication in the well-known universal composability (UC) framework, which thus provides desirable properties such as composable security. We show that our construction is suitable for the asymmetric communication model in which one server acts as the front-end server interacting directly with the user and the other stays backstage.Then, we show that our protocol could be easily extended to more complicate password-based cryptographic protocols such as two-server password-authenticated key exchange (2PAKE) and two-server password-authenticated secret sharing (2PASS), which enjoy stronger security guarantees and better efficiency performances in comparison with the existing schemes.

Published

2016

30. A Shoulder-Surfing Resistant Graphical Password Authentication Scheme

Author

M. Kameswara Rao, Mani Kumar, Ch. Vidya Pravallika, and G. Priyanka

Subjects

Password, Salt (cryptography), business.industry, Computer science, computer.internet_protocol, Internet privacy, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Shoulder surfing, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

Many Internet-based applications authenticate the users before they are allowed to access the services provided by them. The traditional text-based password system is vulnerable to brute force attack, peeping attack, and reverse engineering attacks. The pitfalls of text-based passwords are addressed by employing graphical passwords. To create a password the graphical password systems make use of custom images, icons, or faces. Using images will decrease the tendency to choose insecure passwords. In this paper, we present a shoulder-surfing resistant pair based graphical password scheme to authenticate a user. Further enhancement of the proposed scheme is briefly discussed. Security analysis of the method is also evaluated.

Published

2016

31. An Improved Password Security Scheme

Author

Nidhi Sharma, Amit Sharma, and Ankit Kumar

Subjects

Password, Password policy, Zero-knowledge password proof, computer.internet_protocol, Computer science, Microsoft Office password protection, HMAC-based One-time Password Algorithm, Computer security, computer.software_genre, computer, One-time password, S/KEY, Password strength

Published

2016

32. A Study on Parallel AES Cipher Algorithm based on Multi Processor

Author

Jung-Oh Park and Gi-Oug Oh

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, computer.internet_protocol, Computer science, Salt (cryptography), Syskey, HMAC-based One-time Password Algorithm, Key derivation function, computer, Algorithm, One-time password, Password strength, S/KEY

Abstract

This paper defines the AES password algorithm used as a symmetric-key-based password algorithm, and proposes the design of parallel password algorithm to utilize the resources of multi-core processor as much as possible. The proposed parallel password algorithm was confirmed for parallel execution of password computation by allocating the password algorithm according to the number of cores, and about 30% of performance increase compared to AES password algorithm. The encryption/decryption performance of the password algorithm was confirmed through binary comparative analysis tool, which confirmed that the binary results were the same for AES password algorithm and proposed parallel password algorithm, and the decrypted binary were also the same. The parallel password algorithm for multi-core environment proposed in this paper can be applied to authentication/payment of financial service in PC, laptop, server, and mobile environment, and can be utilized in the area that required high-speed encryption operation of large-sized data.

Published

2012

33. Enhanced Virtual Password Authentication Scheme Resistant to Shoulder Surfing

Author

P. W. C. Prasad, Abeer Alsadoon, Biswas Gurung, and Amr Elchouemi

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Salt (cryptography), computer.internet_protocol, Computer science, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Shoulder surfing, Key stretching, Syskey, Key derivation function, Password authentication protocol, Password psychology, Password, Authentication, Password policy, Cognitive password, Password cracking, Multi-factor authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

A username and password based login mechanism is commonly used for authenticating a user in online environments. It is a popular scheme because it helps to balance the usability and security traits of the system. However, online environments and pervasive computing may bring many risks through adversaries. Shoulder-surfing attack is one of the risks where attacker observes the authentication process and captures the password of victims. This paper proposes a hybrid-based authentication scheme termed "Enhanced Virtual Password Authentication (EVPA)". EVPA is designed to implement a virtual password mechanism to resist the shoulder surfing attacks. The virtual password mechanism requires a string part of password and a mathematical functional value to secure user passwords. The mathematical functional value keeps changing for each login session. This method uses a system generated random value and secret mathematical operation against the pre-selected secret number to obtain a mathematical functional value. Several experiments were conducted and the results demonstrate that systems are resilient to password attacks and usable for day to day purposes.

Published

2015

34. A Efficient Approach for Password Attacks

Author

T. Prem Jacob and I. Naga Geethika

Subjects

Password, Salt (cryptography), computer.internet_protocol, Computer science, General Engineering, Password cracking, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Key stretching, HMAC-based One-time Password Algorithm, computer

Published

2014

35. An Improved Kerberos Scheme Based on Dynamic Password

Author

Xingjian Liang, Hai Cao, Wen Lei, and Hong Zhang

Subjects

Password, Zero-knowledge password proof, Computer science, business.industry, computer.internet_protocol, Generic Security Service Algorithm for Secret Key Transaction, Data_MISCELLANEOUS, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Computer network

Abstract

By studying the Kerberos authentication scheme, an improved authentication scheme is raised, which is based on Dynamic Password Method. In the improved scheme, user's password can be effectively protected, and the authentication is double between users and severs. Also, the scheme can resist jacking connection attack. The improved scheme is more secure and more practical than the original one. Index Terms—identity authentication; dynamic password; security; improvement

Published

2010

36. Design on a Single Sign-On Scheme

Author

Hong Zhang, Xing Jian Liang, and Wen Lei

Subjects

Password, Zero-knowledge password proof, Authentication, Password policy, Cognitive password, computer.internet_protocol, Computer science, General Medicine, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Authentication protocol, HMAC-based One-time Password Algorithm, Password authentication protocol, Single sign-on, Challenge–response authentication, computer, Replay attack

Abstract

In practice, the single sign-on system is likely to suffer password attack and replay attack, etc. For the purpose of resolving these problems, a new single sign-on scheme is raised, which is based on dynamic password method. In the new scheme, a specific design is given, and the security of this scheme is analyzed in details. In this scheme, through the universal dynamic password authentication, the user can visit all the services in the visiting range. At the same time, the scheme implements the connect authentication between the client and application servers.

Published

2010

37. A New Threshold Password Authentication Scheme

Author

Yung Cheng Lee

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, computer.internet_protocol, Computer science, Computer security, computer.software_genre, One-time password, Secret sharing, S/KEY, Password strength, Lightweight Extensible Authentication Protocol, Password authentication protocol, Data Authentication Algorithm, Password, Password policy, Authentication, business.industry, General Engineering, Mutual authentication, Multi-factor authentication, Chip Authentication Program, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Mobile device, Computer network

Abstract

The well-known password authentication mechanisms are widely used in networks to protect resources from unauthorized access. The ad hoc networks, due to their dynamic and lack of network infrastructure features, require authentication schemes to ensure security. In this paper, we propose a new threshold password authentication scheme for ad hoc networks. Our scheme can be efficiently implemented in mobile devices, and can achieve mutual authentication with registered users.

Published

2010

38. Generalized Elliptic Curve Digital Signature Chain Based Authentication and Key Agreement Scheme

Author

Li Ping Zhang, Li Hua Zhang, and Er Fei Bai

Subjects

Zero-knowledge password proof, Dictionary attack, Salt (cryptography), Computer science, computer.internet_protocol, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Digital signature, Forward secrecy, Key stretching, Syskey, Key derivation function, Password authentication protocol, Replay attack, AKA, Password, Authentication, General Engineering, Mutual authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Elliptic curve, Rainbow table, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

Recently, several one time password authentication schemes have been proposed. However, most one-time password authentication schemes have security flaws. In this paper, a novel one-time password authentication and key agreement scheme (EAKAS) based on elliptic curve digital signature chain is developed. The proposed scheme has the following merits password or verification table is not required in the server; users can choose or change password; it can resist off-line dictionary attacks and achieves mutual authentication; it has no system clock synchronization and no constraint of transmission delay; it can resist replay attacks, man-in-the-middle attack and insider attack; it is sensitive to password error and strong in security restoration; the session keys in proposed scheme have the feature of freshness, confidentiality, known key security and forward security. Compared with the related schemes, our proposed scheme has better security and well suited to scenarios requiring a high level security.

Published

2010

39. User Authentication by Secured Graphical Password Implementation

Author

Shashank K. Singh, Niraj Satnalika, and Ankesh Khandelwal

Subjects

Challenge-Handshake Authentication Protocol, Password, Password policy, User authentication, Authentication, computer.internet_protocol, Computer science, Password cracking, Multi-factor authentication, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

For the vast majority of computer systems, passwords are the method of choice for authenticating users. The most widely and commonly used authentication is traditional “Username” and “Password”. For such authentication generally text (alphanumeric) is used. It is wellknown, however, that passwords are susceptible to attack: users tend to choose passwords that are easy to remember, and often this means that they are also easy for an attacker to obtain by searching for candidate passwords. On the other hand, if a password is hard, then it is often hard to remember. Keeping these things in mind we propose a novel, innovative and more secure way of selecting passwords: Graphical Passwords. In this paper we explore an approach to user authentication that generalizes the notion of a textual password and that, in many cases, improves the security of user authentication over that provided by textual passwords. We design and analyze graphical passwords, which can be input by the user to any device with a graphical input interface. We also try to answer two most important questions: “Are graphical passwords as secure and easy to use as text-based passwords”? “Major design and implementation issues for graphical passwords”? Ankesh Khandelwal Department of Information Technology and Engineering Heritage Institute of Technology, Anandapur, Kolkata -700107, India Shashank Singh Department of Computer Science and Engineering Heritage Institute of Technology, Anandapur, Kolkata -700107, India Niraj Satnalika Department of Instrumentation and Engineering Heritage Institute of Technology, Anandapur, Kolkata -700107, India The full text of the article is not available in the cache. Kindly refer the IJCA digital library at www.ijcaonline.org for the complete article. In case, you face problems while downloading the full-text, please send a mail to editor at editor@ijcaonline.org

Published

2010

40. HMAC-based 3-factor Authentication using OTP

Author

Kun-Hee Han and Seung-Soo Shin

Subjects

Password, Authentication, computer.internet_protocol, Computer science, Information system, HMAC-based One-time Password Algorithm, Computer security, computer.software_genre, Hash-based message authentication code, Security token, computer, One-time password, S/KEY

Abstract

Recently, most of information services are provided by the computer network, since the technology of computer communication is developing rapidly, and the worth of information over the network is also increasing with expensive cost. But various attacks to quietly intercept the informations is invoked with the technology of communication developed, and then most of the financial agency currently have used OTP, which is generated by a token at a number whenever a user authenticates to a server, rather than general static password for some services. A 2-factor OTP generating method using the OTP token is mostly used by the financial agency. However, the method is vulnerable to real attacks and therefore the OTP token could be robbed and disappeared. In this paper, we propose a 3-factor OTP way using HMAC to conquer the problems and analyze the security of the proposed scheme.

Published

2009

41. A Non-Exchanged Password Scheme for Password-Based Authentication in Client-Server Systems

Author

Shakir M. Hussain and Hussein Al-Bahadili

Subjects

Password, Zero-knowledge password proof, Multidisciplinary, computer.internet_protocol, Computer science, Salt (cryptography), business.industry, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Computer network

Abstract

The password-based authentication is widely used in client-server systems. This research presents a non-exchanged password scheme for password-based authentication. This scheme constructs a Digital Signature (DS) that is derived from the user password. The digital signature is then exchanged instead of the password itself for the purpose of authentication. Therefore, we refer to it as a Password-Based Digital Signature (PBDS) scheme. It consists of three phases, in the first phase a password-based Permutation (P) is computed using the Key-Based Random Permutation (KBRP) method. The second phase utilizes P to derive a Key (K) using the Password-Based Key Derivation (PBKD) algorithm. The third phase uses P and K to generate the exchanged DS. The scheme has a number of features that shows its advantages over other password authentication approaches.

Published

2008

42. Password-Based Key Authentication Model-A New Approach

Author

Yasir Khalil Ibrahim

Subjects

Password, Zero-knowledge password proof, Computer science, computer.internet_protocol, Key stretching, HMAC-based One-time Password Algorithm, Challenge–response authentication, Computer security, computer.software_genre, One-time password, computer, S/KEY, Password strength

Published

2007

43. POSTER

Author

Jung-Seung Lee, GyeongYong Bang, JooSeok Song, and Han Park

Subjects

Password, User authentication, Zero-knowledge password proof, Authentication, Password policy, Cognitive password, computer.internet_protocol, Salt (cryptography), Computer science, Plaintext, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

Conventional password-based authentication has been widely used due to its simplicity, familiarity, and cost effectiveness. However, the conventional password-based authentication has a fundamental weak-point that cleartext passwords are kept on client-side devices and networks. In order to acquire a user's password securely, we suggest a novel method that splits the roles of user interface onto two devices. With our method, cleartext passwords are neither stored on any devices nor transmitted over communication channels. Finally, we implement a demo application and analyze our method in the aspects of usability, deployability, and security.

Published

2015

44. Security Improvement of One-Time Password Using Crypto-Biometric Model

Author

Dilip Kumar Yadav and Dindayal Mahto

Subjects

Password, Password policy, Computer science, computer.internet_protocol, HMAC-based One-time Password Algorithm, Passphrase, Computer security, computer.software_genre, One-time password, computer, Replay attack, S/KEY, Password strength

Abstract

In many e-commerce systems, to counter network eavesdropping/replay attack, OTP concept has been used. However if the OTP itself gets attacked and then there might be possibility of attacking the account of the legitimate client too. This paper proposes a model for improving the security of OTP using ECC with iris biometric for an e-commerce transaction. This model also offers improve security with shorter key length than the RSA and also avoids to remember the private keys as the private keys are generated dynamically as and when required.

Published

2015

45. Servers Voice Graphical Authentication

Author

Muhammad A. Khan, Habib Akbar, Sultan Ullah, Samiullah Afzal, Mudasser A. Khan, and Syed S. Hassan

Subjects

Challenge-Handshake Authentication Protocol, Password, Password policy, Zero-knowledge password proof, Authentication, Cognitive password, Computer science, computer.internet_protocol, Salt (cryptography), Password cracking, Multi-factor authentication, Adversary, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Shoulder surfing, Authentication protocol, Password authentication protocol, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer, ComputingMethodologies_COMPUTERGRAPHICS

Abstract

Graphical password authentication techniques have been opening new doors in the world of Password Security. This technique acquires graphical password authentication in such a way that it prevents Shoulder Surfing Attack when an adversary is watching a user while user enters a password. Graphical password authentication is more venerable to shoulder attack. The Servers Voice Graphical Authentication having graphical passwords prevents them along with the users ease. This technique involves a server voice coming to a user which the user only listens. Processes and then enters it into a graphical symbol pad. So this technique comprises of a server voice, then a factor of authentication Something You Process and lastly graphical password entrance.

Published

2015

46. A review towards enhancing authentication scheme using Image Fusion and multishared Cryptography

Author

A.S. Alvi and V.B. Gadicha

Subjects

Zero-knowledge password proof, Software_OPERATINGSYSTEMS, computer.internet_protocol, Salt (cryptography), Computer science, Cryptography, Shared secret, Computer security, computer.software_genre, One-time password, PBKDF2, Password strength, S/KEY, Key stretching, Syskey, Key derivation function, Password psychology, Password, Password policy, Authentication, Cognitive password, business.industry, Password cracking, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Key (cryptography), HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer

Abstract

Passwords are used for user authentication, validation, and verification in various software applications (may be Commercial, or Research based). All the existing schemes which are used to generate the password will always provide enough scope for the Intruder (Cracker) to crack or guess the password. All the existing schemes of password generation works on a basic assumption that the resultant password should be easy to remember for a user. This ultimately brings the downfall of the scheme. Therefore, a Password Generator Scheme is proposed here which will restrict the Intruders to crack the password or a scheme should exist which will cause sufficient delay in cracking of a password so that the Generator of the password will change the previous password. Here a strong password generator scheme is proposed by using Image Fusion & Visual key Cryptography.

Published

2015

47. Cryptanalysis and Improvement of Zhuang-Chang-Wang-Zhu Password Authentication Scheme

Author

Shih-Ming Chen, Chiu-Shu Pan, and Min-Shiang Hwang

Subjects

Password, Zero-knowledge password proof, computer.internet_protocol, Computer science, Computer security, computer.software_genre, One-time password, law.invention, S/KEY, Password strength, law, HMAC-based One-time Password Algorithm, Challenge–response authentication, Cryptanalysis, computer

Published

2015

48. Security and performance analysis of identity based schemes in sensor networks

Author

K. Ragini and S. Sivasankar

Subjects

computer.internet_protocol, business.industry, Computer science, Encryption, Hash-based message authentication code, Digital signature, Cryptographic hash function, Key (cryptography), HMAC-based One-time Password Algorithm, Message authentication code, business, Wireless sensor network, computer, Computer network

Abstract

Security and efficient data transmission without any hurdles caused by external Attackers is an issue in sensor networks. This paper deals with the provision of an assured efficient data transmission in the sensor networks. To ensure this requirement Hash based Message Authentication Code (HMAC) and Message Digest (MD) is envisaged by employing identity based digital signature scheme (IBS). Identity based scheme is an encryption scheme that generates an operation of developing secret code with secret key that protects the data during transmission without any cryptanalysis. To achieve the above requisite the modalities used in HMAC and MD5 which simulates the functional efficiency &security of data transmission in sensor networks.

Published

2015

49. Transaction Authentication Using HMAC-Based One-Time Password and QR Code

Author

Puchong Subpratatsavee and Pramote Kuacharoen

Subjects

Password, computer.internet_protocol, Computer science, Hash-based message authentication code, Computer security, computer.software_genre, One-time password, Phishing, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer

Abstract

Conducting financial transactions over the Internet has been widely adopted due to the convenience and usability. However, conducting financial transactions via the Internet may be subjected to many types of attacks including password attacks, malware, phishing, and other unauthorized activities. Many banks have enhanced their security by using One-Time Password (OTP) as another authentication method in addition to traditional username and password. The OTP may be sent to the mobile phone number of the account owner via SMS. Even with the enhanced security measure, internet banking is still vulnerable to different types of attacks such as online phishing. We propose, design, and implement a transaction authentication scheme using HMAC-based mobile OTP and QR Code. Our scheme is resilient to known attacks including, but not limited to, eavesdropping, replay, message modification, and phishing.

Published

2015

50. Research on Differential Power Analysis of HMAC-SM3

Author

Dawu Gu, Zheng Guo, Junrong Liu, Wei Sun, Sigang Bao, Bo Ma, and Jun Xie

Subjects

Cryptographic primitive, Length extension attack, Computer science, computer.internet_protocol, Cryptographic hash function, HMAC-based One-time Password Algorithm, Side channel attack, Security of cryptographic hash functions, Hash-based message authentication code, Computer security, computer.software_genre, computer, Preimage attack

Abstract

The HMAC algorithm is widely used to provide authentication and message integrity in digital communications. However, if the HMAC cryptographic algorithm is implemented in cryptographic circuit, it is vulnerable to side-channel attacks. A typical example is that in 2007, McEvoy proposed an attack strategy for hardware-based implementation of HMAC-SHA2. In this paper, we research on SM3 cryptographic hash algorithm and propose a DPA attack strategy for the software-based implementation of HMAC-SM3. In the experiment, we launch a successful DPA attack on the practical cryptographic circuit and then discuss the security issues about the software-based implementation of HMAC-SM3.

Published

2015