Your search keyword '"Zero-knowledge password proof"' showing total 827 results

1. DPPG: A Dynamic Password Policy Generation System

Author

Raheem Beyah, Shukun Yang, and Shouling Ji

Subjects

Password, 021110 strategic, defence & security studies, Password policy, Zero-knowledge password proof, Software_OPERATINGSYSTEMS, Cognitive password, Computer Networks and Communications, Salt (cryptography), Computer science, 0211 other engineering and technologies, Password cracking, Passphrase, 02 engineering and technology, Adversary, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, 020201 artificial intelligence & image processing, Safety, Risk, Reliability and Quality, computer

Abstract

To keep password users from creating simple and common passwords, major websites and applications provide a password-strength measure, namely a password checker. While critical requirements for a password checker to be stringent have prevailed in the study of password security, we show that regardless of the stringency, such static checkers can leak information and actually help the adversary enhance the performance of their attacks. To address this weakness, we propose and devise the Dynamic Password Policy Generator , namely DPPG , to be an effective and usable alternative to the existing password strength checker. DPPG aims to enforce an evenly-distributed password space and generate dynamic policies for users to create passwords that are diverse and that contribute to the overall security of the password database. Since DPPG is modular and can function with different underlying metrics for policy generation, we further introduce a diversity-based password security metric that evaluates the security of a password database in terms of password space and distribution. The metric is useful as a countermeasure to well-crafted offline cracking algorithms and theoretically illustrates why DPPG works well.

Published

2018

2. A provably secure password-based anonymous authentication scheme for wireless body area networks

Author

Jian Shen, Fushan Wei, Li Li, Ruijie Zhang, and Pandi Vijayakumar

Subjects

Password, Password policy, Zero-knowledge password proof, General Computer Science, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Random oracle, S/KEY, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Zero-knowledge proof, Electrical and Electronic Engineering, business, computer, Anonymity, Computer network

Abstract

Wireless body area networks (WBANs) comprise many tiny sensor nodes which are planted in or around a patient’s body. These sensor nodes can collect biomedical data of the patient and transmit these valuable data to a data sink or a personal digital assistant. Later, health care service providers can get access to these data through authorization. The biomedical data are usually personal and privacy. Consequently, data confidentiality and user privacy are primary concerns for WBANs. In order to achieve these goals, we propose an anonymous authentication scheme for WBANs based on low-entropy password and prove its security in the random oracle model. Our scheme enjoys strong anonymity in the sense that only the client knows his identity during the authentication phase of the scheme. Compared with other related proposals, our scheme is efficient in terms of computation. Moreover, the authentication of the client relies on human-rememberable password, which makes our scheme more suitable for applications in WBANs.

Published

2018

3. A variant of password authenticated key exchange protocol

Author

Wei Wu, Abdulhameed Alelaiwi, Yang Xiang, and Yuexin Zhang

Subjects

Password, Password policy, Zero-knowledge password proof, Cognitive password, Computer Networks and Communications, Computer science, Key distribution, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Password strength, Authenticated Key Exchange, 010201 computation theory & mathematics, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Session key, computer, Software

Abstract

Password authenticated key exchange (PAKE) protocols are designed for a pair of users to establish a secret session key over a public and unreliable network. In existing PAKE protocols, it is assumed that short passwords are pre-shared between users. This assumption, however, would be impractical in certain applications. For instance, in the Internet of Things and Fog computing, billions of devices will be wirelessly connected. In practice, the devices are produced by different factories, and it is not practical to assume that these devices are pre-loaded with passwords when they leave factories. As a result, existing PAKE protocols cannot be directly employed in these applications. Moreover, it is investigated that devices can extract secrets using the wireless fading channel. However, the key extraction rate at the physical layer is slow. Motivated by these observations, this paper presents a variant of password authenticated key exchange (vPAKE) protocol without the password sharing assumption. To obtain the passwords, wireless devices, such as mobile phones, tablets, and laptops, are used to extract short secrets at the physical layer. Using the extracted secrets, users can establish a secret key at higher layers. The performance analysis shows that comparing with other PAKE protocols (which are proved secure in the standard model), the communication and computation consumptions of our protocol are significantly reduced. Additionally, the proposed protocol is proved secure in the standard model.

Published

2018

4. Provably leakage-resilient three-party password-based authenticated key exchange

Author

Ou Ruan, Qingping Wang, and Zihao Wang

Subjects

Password, Provable security, 020203 distributed computing, Zero-knowledge password proof, Encrypted key exchange, Cryptographic primitive, General Computer Science, Computer science, 02 engineering and technology, Computer security model, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Authenticated Key Exchange, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Session key, 020201 artificial intelligence & image processing, Key derivation function, computer

Abstract

Three-party password-based authenticated key exchange (3PAKE) protocol is an important practical cryptographic primitive in the client-client communication environments, where two clients could generate a shared secure session key using their human-memorable passwords with a server’s help. Many 3PAKE protocols were proposed, but these protocols were only secure in the traditional model where no leakage attacks exist. In Mobile Internet, Wireless Networks and Sensor Networks environments, 3PAKE systems are very vulnerable to side-channel attacks. Therefore, it is very necessary to design 3PAKE protocols that are secure in the leakage environments. However, there is no previous works for formalizing the security model for leakage-resilient (LR) 3PAKE and designing the LR 3PAKE protocols. In the paper, we first define a continuous after-the-fact LR eCK-security model for 3PAKE and propose a LR 3PAKE protocol, then present a formal security proof in the standard model.

Published

2017

5. Someone in Your Contact List: Cued Recall-Based Textual Passwords

Author

Abdulrahman Alarifi, Mansour Alsaleh, and Noura Alomar

Subjects

Password, 021110 strategic, defence & security studies, Zero-knowledge password proof, Authentication, Password policy, User authentication, Cognitive password, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, 02 engineering and technology, One-time password, Electronic mail, S/KEY, Password strength, World Wide Web, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Human–computer interaction, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Safety, Risk, Reliability and Quality, Password psychology

Abstract

Textual passwords remain the most commonly employed user authentication mechanism, and potentially will continue to be so for years to come. Despite the well-known security and usability issues concerning textual passwords, none of the numerous proposed authentication alternatives appear to have achieved a sufficient level of adoption to dominate in the foreseeable future. Password hints, consisting of a user generated text saved at the account setup stage, are employed in several authentication systems to help users to recall forgotten passwords. However, users are often unable to create hints that jog the memory without revealing too much information regarding the passwords themselves. We propose a rethink of password hints by introducing SỲNTHIMA , a novel cued recall-based textual password method that reveals no information regarding the password, requires no modifications to authentication servers, and requires no additional setup or registration steps. SỲNTHIMA makes use of users’ contact lists, so that mapped password hints extracted from a user’s contacts are automatically generated while the user is typing the password. We create formal models for relevant aspects of the password hint mechanism, define its threat model, and analyze the security and usability of SỲNTHIMA . We also present the results of an in-lab user study of SỲNTHIMA on 30 participants to evaluate its effectiveness and usability. The results demonstrate that SỲNTHIMA minimizes the number of incorrect login attempts and improves long-term password recall, with acceptable login times and positive user feedback. We summarize the lessons learned from the user study, with the hope of provoking further insights regarding the design of effective cued recall-based textual password schemes.

Published

2017

6. Security Analysis of Password-Authenticated Key Retrieval

Author

Kazukuni Kobara and SeongHan Shinand

Subjects

Password, Password policy, Zero-knowledge password proof, Computer science, Salt (cryptography), 020208 electrical & electronic engineering, 02 engineering and technology, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Electrical and Electronic Engineering, computer

Abstract

A PAKR (Password-Authenticated Key Retrieval) protocol and its multi-server system allow one party (say, client), who has a memorable password, to retrieve a long-term static key in an exchange of messages with at least one other party (say, server) that has a private key associated with the password. In this paper, we analyze the only PAKR (named as PKRS-1) standardized in IEEE 1363.2 [9] and its multi-server system (also, [12] ) by showing that any passive/active attacker can find out the client’s password and the static key with off-line dictionary attacks. This result contradicts the security claims made for PKRS-1 (see Clause 10.2 of IEEE 1363.2 [9] ).

Published

2017

7. Untraceable biometric-based three-party authenticated key exchange for dynamic systems

Author

Chin-Chen Chang and Ngoc-Tu Nguyen

Subjects

Password, Zero-knowledge password proof, Biometrics, Revocation, Computer Networks and Communications, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, Authenticated Key Exchange, Data integrity, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, Smart card, business, 010301 acoustics, computer, Protocol (object-oriented programming), Software

Abstract

An authenticated key exchange (AKE) between two end-users is a crucial procedure to ensure data integrity and confidentiality while they communicate through a public channel. The existing three-party AKE schemes conventionally employ a relatively easy to remember password and a systematic identity to generate and protect shared secrets, which are used to verify the legitimate participants for subsequent communications. Thus, none of these protocols could simultaneously achieve robust security, identity privacy, and revocation. The security drawbacks commonly arise from the low-entropy password stored in a server or a smart card. This study briefly reviewed and analyzed the weaknesses of Islam, and Yon and Yons’ schemes. Biometric information and a random one-time password were then utilized to design a robust protocol for systems with highly dynamic users. The proposed scheme not only resists all currently known attacks, but also provides several desirable properties, including the revocations of smart cards or users, and the reuse of compromised biometric information.

Published

2017

8. One-time password authentication scheme based on the negative database

Author

Dongdong Zhao and Wenjian Luo

Subjects

Password, 021110 strategic, defence & security studies, Zero-knowledge password proof, Authentication, Computer science, computer.internet_protocol, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Negative database, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Artificial Intelligence, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Password authentication protocol, Electrical and Electronic Engineering, Challenge–response authentication, computer

Abstract

In this paper, a novel one-time password authentication scheme based on the negative database (NDB) is proposed. The authentication data, which involve a user password and random number, are converted to an NDB before they are transmitted to the network. Recovering the original database (DB) from an NDB is an NP-hard problem. Even if the data transmitted in the network have been intercepted by an attacker, the attacker cannot recover the password due to the hardness of reversing the NDB. The proposed scheme is the first one-time password authentication scheme based on the NDB. Following the method used in this paper, the NDB can be added to other authentication schemes as an extra layer to further improve security. The proposed scheme can be adopted into other applications such as business management, network-based consumer electronics, and intelligent household systems.

Published

2017

9. A novel secure and efficient hash function with extra padding against rainbow table attacks

Author

Sunghyuck Hong, Jungpil Shin, and Hyung-Jin Mun

Subjects

Zero-knowledge password proof, Computer Networks and Communications, Salt (cryptography), Computer science, computer.internet_protocol, Crypt, Hash function, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Padding, Password strength, S/KEY, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Syskey, Key derivation function, Password psychology, Password, Authentication, Password policy, Cognitive password, Pass the hash, Password cracking, 020206 networking & telecommunications, Passphrase, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Hash chain, 020201 artificial intelligence & image processing, HMAC-based One-time Password Algorithm, Challenge–response authentication, computer, Software

Abstract

User authentication is necessary to provide services on an application system and the Internet. Various authentication methods are used such as ID/PW, biometric, and OTP authentications. One of the popular authentications is ID/PW authentication. As an inputted password is transferred by one-way hash function and then stored in DB, it is difficult for the DB administrator to figure out the password inputted by the user. However, when DB is leaked, and there is the time to decode, the password can be hacked. The time and cost to decode the original message from the hash value corresponding a short password decrease. Therefore, if the password is short, then attacking cost is low, and password crack possibility is high. In the case where an attacker utilizes pre-computing rainbow tables, and the hash value of short passwords is leaked, the password that the user inputted can be cracked. In this research, to block rainbow table attacks, when the user generates a short password, by adding additional messages of identification information of a system or the user and extending the length of the password, we try to resolve the vulnerability of short passwords. By proposing a model to minimize the length of the password and the authority accordingly in mobile devices on which inputting passwords is not easy, we take security into consideration. Our proposal model is strong against rainbow table attack and provides efficient password system to users. It contributes to resolving password vulnerability and upgrades mobile users’ convenience in typing passwords.

Published

2017

10. Anonymous Password Authenticated Key Exchange Protocol in the Standard Model

Author

Jiang Zhang, Zhenfeng Zhang, Fengmei Liu, and Xuexian Hu

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, computer.internet_protocol, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Oakley protocol, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Random oracle, Universal composability, 0202 electrical engineering, electronic engineering, information engineering, Session key, Password authentication protocol, Electrical and Electronic Engineering, Password, 021110 strategic, defence & security studies, Authentication, Password policy, 020206 networking & telecommunications, Mutual authentication, Computer Science Applications, Authenticated Key Exchange, Authentication protocol, Challenge–response authentication, computer

Abstract

Anonymous password authenticated key exchange (APAKE) allows a client holding a low-entropy password to establish a session key with a server in an authenticated and anonymous way. As a very convenient solution for personal privacy protection, it has attracted much attention in recent years. However, almost all existing APAKE protocols are designed in the random oracle model. In this paper, we propose the first password-only APAKE protocol (called APAKE-S) with proven security in the standard model, i.e., without random oracle heuristic. The resulting protocol guarantees AKE security, client anonymity and mutual authentication. Moreover, since the building blocks in our construction can be instantiated based on numerous hard assumptions (e.g., decisional Diffie–Hellman, Quadratic Residuosity, and N-residuosity assumptions), our APAKE-S protocol is actually a generic construction which implies a series of efficient APAKE protocols in the standard model.

Published

2017

11. Comment and modification of RSA based remote password authentication using smart card

Author

Shipra Kumari and Hari Om

Subjects

Password, Zero-knowledge password proof, Authentication, Algebra and Number Theory, Computer science, business.industry, Applied Mathematics, 010103 numerical & computational mathematics, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, One-time password, Password strength, S/KEY, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, 0101 mathematics, Challenge–response authentication, business, computer, Analysis, Computer network

Abstract

Password based remote user authentication schemes with smart card is one of the important practical solutions for authenticating the remote users. In this paper, we discuss the drawbacks of the scheme RSA based remote password authentication using smart card [16] and propose suitable modifications to overcome its drawbacks and also provide some enhancement. In our scheme, we use the variant of RSA, called RPrime RSA [1], which is used to fast decrypt the message. Our scheme also provides flexibility to a user to easily choose and change his password.

Published

2017

12. A Provably Secure General Construction for Key Exchange Protocols Using Smart Card and Password

Author

Xiaowei Li, Yuqing Zhang, Gefei Zhang, and Dan Fan

Subjects

Password, OpenPGP card, Zero-knowledge password proof, 010308 nuclear & particles physics, business.industry, Computer science, Applied Mathematics, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, One-time password, S/KEY, Password strength, 0103 physical sciences, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Smart card, Electrical and Electronic Engineering, business, computer, Key exchange, Computer network

Abstract

Key exchange protocols using both smart card and password are widely used nowadays since they provide greater convenience and stronger security than protocols using only a password. Most of these protocols are often limited to simple network systems, and they may have security risks. We propose a general construction for key exchange protocols using smart card and password to avoid these flaws. The constructed protocol from the general construction has only one additional communication round than the original public encryption scheme. This construction is proven secure under random oracle model, so it can resist several common types of attacks. It is also adapted well to various networks. Compared with related protocols, the proposed key exchange protocol generated from the general construction has better secure properties and good computational efficiency in storage cost and operation time.

Published

2017

13. A New Efficient Chaotic Maps Based Three Factor User Authentication and Key Agreement Scheme

Author

Qi Xie, Wenhao Liu, Lidong Han, and Shengbao Wang

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, 020205 medical informatics, Computer science, Denial-of-service attack, Access control, 02 engineering and technology, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Lightweight Extensible Authentication Protocol, 0202 electrical engineering, electronic engineering, information engineering, Session key, Electrical and Electronic Engineering, Data Authentication Algorithm, Password, Password policy, business.industry, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Computer Science Applications, Authentication protocol, Challenge–response authentication, business, computer

Abstract

In order to provide secure remote access control, a robust and efficient authentication protocol should achieve mutual authentication and session key agreement between clients and the server over public channels. Recently, Wang et al. proposed a password based authentication protocol using chaotic maps. In this paper, we demonstrate the security of their scheme, and show that Wang et al.’s scheme cannot provide session key agreement and is insecure against denial of service attack for no detecting wrong password in password change. To remedy these issues, we use the techniques of fuzzy extractor and chaotic maps to propose a three-factor remote authentication scheme. The new scheme preserves user privacy and is secure against various attacks. Detailed analysis of previous schemes in efficiency and security shows our proposed scheme is more suitable for practical application.

Published

2017

14. A novel three-party password-based authenticated key exchange protocol with user anonymity based on chaotic maps

Author

Chien-Ming Chen, Cheng-Chi Lee, Chi-Yao Weng, Chin-Ling Chen, and Chun-Ta Li

Subjects

Zero-knowledge password proof, Computer science, 02 engineering and technology, Oakley protocol, Computer security, computer.software_genre, 01 natural sciences, One-time password, Theoretical Computer Science, Password strength, S/KEY, Random oracle, 0103 physical sciences, Universal composability, 0202 electrical engineering, electronic engineering, information engineering, Session key, 010301 acoustics, Password, Password policy, Authentication, Password cracking, Authenticated Key Exchange, 020201 artificial intelligence & image processing, Geometry and Topology, computer, Software

Abstract

Three-party authenticated key exchange (3PAKE) protocol allows two communication users to authenticate each other and to establish a secure common session key with the help of a trusted remote server. Recently, Farash and Attari propose an efficient and secure 3PAKE protocol based on Chebyshev chaotic maps and their protocol is supported by the formal proof in the random oracle model. However, in this paper, we analyze the security of Farash–Attari’s protocol and show that it fails to resist password disclosure attack if the secret information stored in the server side is compromised. In addition, their protocol is insecure against user impersonation attack and the server is not aware of having caused problem. Moreover, the password change phase is insecure to identify the validity of request where insecurity in password change phase can cause offline password guessing attacks and is not easily reparable. To remove these security weaknesses, based on Chebyshev chaotic maps and quadratic residues, we further design an improved protocol for 3PAKE with user anonymity. In comparison with the existing chaotic map-based 3PAKE protocols, our proposed 3PAKE protocol is more secure with acceptable computation complexity and communication overhead.

Published

2017

15. An enhanced dynamic ID-based authentication scheme for telecare medical information systems

Author

Sourav Mukhopadhyay, Dheerendra Mishra, and Ankita Chaturvedi

Subjects

Password, Zero-knowledge password proof, Password policy, Cognitive password, 020205 medical informatics, General Computer Science, Computer science, 02 engineering and technology, Computer security, computer.software_genre, Password based authentication, One-time password, lcsh:QA75.5-76.95, Telemedicine, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Privacy, Security, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, lcsh:Electronic computers. Computer science, Smart card, Challenge–response authentication, computer

Abstract

The authentication schemes for telecare medical information systems (TMIS) try to ensure secure and authorized access. ID-based authentication schemes address secure communication, but privacy is not properly addressed. In recent times, dynamic ID-based remote user authentication schemes for TMIS have been presented to protect user’s privacy. The dynamic ID-based authentication schemes efficiently protect the user’s privacy. Unfortunately, most of the existing dynamic ID-based authentication schemes for TMIS ignore the input verifying condition. This makes login and password change phases inefficient. Inefficiency of the password change phase may lead to denial of service attack in the case of incorrect input in the password change phase. To overcome these weaknesses, we proposed a new dynamic ID-based authentication scheme using a smart card. The proposed scheme can quickly detect incorrect inputs which makes the login and password change phase efficient. We adopt the approach with the aim to protect privacy, and efficient login and password change phases. The proposed scheme also resists off-line password guessing attack and denial of service attack. We also demonstrate the validity of the proposed scheme by utilizing the widely-accepted BAN (Burrows, Abadi, and Needham) logic. In addition, our scheme is comparable in terms of the communication and computational overheads with relevant schemes for TMIS.

Published

2017

16. New Graphic Password Scheme Containing Questions-Background-Pattern and Implementation

Author

Bulganmaa Togookhuu and Junxing Zhang

Subjects

Password, 021110 strategic, defence & security studies, Password policy, User authentication, Zero-knowledge password proof, Authentication, Database, Salt (cryptography), Computer science, 0211 other engineering and technologies, Password cracking, 02 engineering and technology, computer.software_genre, Computer security, One-time password, S/KEY, Password strength, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, General Earth and Planetary Sciences, computer, General Environmental Science

Abstract

Security of authentication is needed to be provided superlatively to secure users personal and exchange information since online information exchange systems have been developed according to internet speed. Therefore, the aim of this paper is to develop existing graphical password scheme based on one's memory, create and implement a new graphical password scheme that composed of three layer verification. We programmed our scheme in order to prove its superiority comparing with existing schemes. While we conducted survey on user by accessing participant to our system lied in participants local network and we analyzed in accordance with the average length of their created password and statistical significant of entropy bit. From the survey results of total participants, we find that our scheme has statistical significant, furthermore it was proved that it can secure from a variety of attacks due to its high entropy.

Published

2017

17. An Improved Rainbow Table Attack for Long Passwords

Author

Fei Yu, Lijun Zhang, and Cheng Tan

Subjects

Password, Zero-knowledge password proof, Dictionary attack, Salt (cryptography), Computer science, business.industry, Password cracking, 020206 networking & telecommunications, 02 engineering and technology, Encryption, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Rainbow table, 0202 electrical engineering, electronic engineering, information engineering, General Earth and Planetary Sciences, 020201 artificial intelligence & image processing, business, computer, General Environmental Science

Abstract

The password recovery of popular encryption applications has great practical significance not only for the circumstance of retrieving forgotten password but also for assisting law enforcement officers to implement data forensics. In this paper, we propose an improved password recovery method based on rainbow table attack which enables the recovery feasibility of long human chosen passwords. We combine advantage of dictionary generator and rainbow table to produce an efficient and smart approach of cracking long and complicated passwords. We present the detailed attack process and algorithms of this novel cracking method including dictionary generator specification, transform rules configuration as well as the design of kernel functions in rainbow table attack. Finally, we also provide a practical test and relevant analysis of password recovery result.

Published

2017

18. Research on the Cloud Authentication on Anonymous One-Time Password Based on Fractional Function

Author

Wang Zhang

Subjects

Password, Zero-knowledge password proof, Authentication, Computer science, business.industry, Cloud computing, General Chemistry, Condensed Matter Physics, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Computational Mathematics, General Materials Science, Electrical and Electronic Engineering, Challenge–response authentication, business, computer

Published

2016

19. Performance analysis and evaluation of secure password persuasive cued click points

Author

Atish Dipakbhai Nayak and Rajesh Bansode

Subjects

Password, 021110 strategic, defence & security studies, Zero-knowledge password proof, Password policy, General Computer Science, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Login, Computer security, computer.software_genre, One-time password, Theoretical Computer Science, S/KEY, Password strength, Shoulder surfing, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, computer

Abstract

Purpose The purpose of this paper is to increase security using persuasive cued click points (PCCP) techniques and to make a system to provide security from the malware, key loggers and attacks. Design/methodology/approach The work methodology comprises two major phases. In phase one, the PCCP take place with the registration and login process done. It also includes text-based password which hides the character of password to protect from shoulder surfing attack. In phase two, the work includes background services which protect from key loggers. Findings Secure password persuasive cued click point (SPPCCP) is a module that facilitates authentication for the desktop-based applications and provides a single-machine licensing functionality. SPPCCP comprises little functionality to thwart attackers, such as persuasive click points with password protection. The techniques to protect against malware such as resist from debuggers and also to the key loggers that run on desktop computers. In this, Spearman rank correlation is used for detection of key loggers. There are functionalities used to secure desktop applications such as time constraint and user selection. Originality/value The contribution of this paper is to provide knowledge in the field of security. It makes the graphical password more secure and useful. The intention behind this research was to increase the security level up to 60-80 per cent. It is also used for prevention of shoulder surfing problem till 80 per cent; this research is also operated on key loggers, and SPPCCP finds the key loggers and removes it from the system. It also decrypts the data of database by encrypting it by SHA-512 algorithm and reduces the average login time up to 20-30 per cent; it will make a smaller view port of 33.5 × 33.5 pixel square to have more choice to select the password, thereby decreasing the probability of hotspot area up to 18-20 per cent.

Published

2016

20. Provably secure user authentication and key agreement scheme for wireless sensor networks

Author

Ashok Kumar Das, Xiong Li, Fan Wu, Saru Kumari, Xinyi Huang, and Vanga Odelu

Subjects

Password, 021110 strategic, defence & security studies, Zero-knowledge password proof, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, Password cracking, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, One-time password, S/KEY, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Challenge–response authentication, Elliptic curve cryptography, computer, Information Systems

Abstract

In recent years, user authentication has emerged as an interesting field of research in wireless sensor networks. Most recently, in 2016, Chang and Le presented a scheme to authenticate the users in wireless sensor network using a password and smart card. They proposed two protocols P1 and P2. P1 is based on exclusive or XOR and hash functions, while P2 deploys elliptic curve cryptography in addition to the two functions used in P1. Although their protocols are efficient, we point out that both P1 and P2 are vulnerable to session specific temporary information attack and offline password guessing attack, while P1 is also vulnerable to session key breach attack. In addition, we show that both the protocols P1 and P2 are inefficient in authentication and password change phases. To withstand these weaknesses found in their protocols, we aim to design a new authentication and key agreement scheme using elliptic curve cryptography. Rigorous formal security proofs using the broadly accepted, the random oracle models, and the Burrows-Abadi-Needham logic and verification using the well-known Automated Validation of Internet Security Protocols and Applications tool are preformed on our scheme. The analysis shows that our designed scheme has the ability to resist a number of known attacks comprising those found in both Chang-Le's protocols. Copyright © 2016 John Wiley & Sons, Ltd.

Published

2016

21. Password Security: An Analysis of Password Strengths and Vulnerabilities

Author

Katha Chanda

Subjects

Zero-knowledge password proof, Computer Networks and Communications, Computer science, Internet privacy, 02 engineering and technology, Computer security, computer.software_genre, 01 natural sciences, One-time password, S/KEY, Password strength, 0202 electrical engineering, electronic engineering, information engineering, Password psychology, Password, Password policy, Cognitive password, business.industry, Applied Mathematics, 010401 analytical chemistry, 0104 chemical sciences, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 020201 artificial intelligence & image processing, business, Safety Research, computer, Software, Information Systems

Abstract

Passwords can be used to gain access to specific data, an account, a computer system or a protected space. A single user may have multiple accounts that are protected by passwords. Research shows that users tend to keep same or similar passwords for different accounts with little differences. Once a single password becomes known, a number of accounts can be compromised. This paper deals with password security, a close look at what goes into making a password strong and the difficulty involved in breaking a password. The following sections discuss related work and prove graphically and mathematically the different aspects of password securities, overlooked vulnerabilities and the importance of passwords that are widely ignored. This work describes tests that were carried out to evaluate the resistance of passwords of varying strength against brute force attacks. It also discusses overlooked parameters such as entropy and how it ties in to password strength. This work also discusses the password composition enforcement of different popular websites and then presents a system designed to provide an adaptive and effective measure of password strength. This paper contributes toward minimizing the risk posed by those seeking to expose sensitive digital data. It provides solutions for making password breaking more difficult as well as convinces users to choose and set hard-to-break passwords.

Published

2016

22. Dual Layer Secured Password Manager using Blowfish and LSB

Author

Mukesh Ramrakhyani, Sonal Shroff, Bunty Manchundiya, and Raaj Ahuja

Subjects

Password, Zero-knowledge password proof, Password policy, Cognitive password, Blowfish, business.industry, Computer science, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Password cracking, Cryptography, Encryption, Computer security, computer.software_genre, Login, One-time password, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Email address, Cipher, business, computer, Computer network

Abstract

Today’s era is the era of Smart phones. Smart phones are continually becoming smaller, more powerful and can perform variety of tasks. The data generated by these devices need to be stored and accessed securely. One example of such sensitive data is password. Computer users are increasingly using password for online accounts, email servers, ecommerce sites, financial services and social media websites and it is always advisable that passwords should be complex and reuse of passwords should be avoided. Therefore this leads to a challenge of remembering several complex passwords for various applications, something an average human being is not very good at. In this paper, a Password Manager, an Android Application is proposed. This password manager takes login credentials (Email Address & Password) as input from user which is then being encrypted using Blowfish algorithm and finally the cipher is stored inside an image selected by user using LSB (least Significant Bit) Technique. A typical password manager uses database to store all login credentials but our proposed approach replaces database with image and stores all login credentials inside an image and in turn providing dual layer security of data that uses combination of both cryptography and steganography in which first layer is to scramble information using Blowfish Algorithm and second layer is insertion of scramble information inside an Image using least significant approach (LSB). Finally, performance analysis of cover-image and stego-image shows that image quality is preserved in terms of MSE and PSNR

Published

2016

23. Verifier-based Password Authenticated 3P-EKE Protocol using PCLA keys

Author

Premchand Parvataneni and Archana Raghuvamshi

Subjects

Zero-knowledge password proof, Encrypted key exchange, Computer Networks and Communications, Computer science, 0102 computer and information sciences, 02 engineering and technology, Computer security, computer.software_genre, Encryption, 01 natural sciences, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), Protocol (object-oriented programming), Password, Class (computer programming), business.industry, Applied Mathematics, Password cracking, 020206 networking & telecommunications, Computer Science Applications, 010201 computation theory & mathematics, business, Safety Research, computer, Software, Information Systems

Abstract

This paper endeavors to present a novel framework for the generic structure of a verifier-based password authenticated Three-Party Encrypted Key Exchange (3P-EKE) protocol which yields more efficient protocol than the ones knew before. A previous framework presented by Archana and Premchand is more secured against all types of attacks like password guessing, replay, pre-play, man-in-the-middle attack etc. But unfortunately, this protocol does not solve the problem of a server compromise. These proofs help as inspiration to search for another framework. The framework we offer produces more efficient 3P-EKE protocol, and, in addition, delivers perceptive clarification about the existing attacks that do not solve in the previous framework. Moreover, it allows direct change from a class of verge private-key encryption to a hybrid (symmetric & Asymmetric) one without significant overhead.

Published

2016

24. ENHANCED CIPHER METHOD FOR CLOUD AUTHENTICATION

Author

Arif Mohammad Abdul, Sudarson Jena, M. Kiran Sastry, and M Balraju

Subjects

Password, Zero-knowledge password proof, Password policy, Computer science, Data_MISCELLANEOUS, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, 021105 building & construction, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, 020201 artificial intelligence & image processing, Challenge–response authentication, computer

Abstract

Cloud computing, is a technology that provides dynamic and scalable resources for computing as pay per use through internet. In cloud identifying an appropriate user is a challenging task for the service provider, but basing on the unique identification methods like password, smartcard and many other different authentication techniques, a user can be identified. Even though many authentication schemes are introduced in past but they failed with various drawbacks. This paper is to introduce an authentication scheme using Modified Double ceasar cipher encryption technique in which the password is encrypted using a key that is kept secret and is tough to guess. Our encryption technique is secured from the attacks like guessing or brute force attack. The proposed system uses a Modified Double ceasar cipher encryption technique which uses the English alphabets to create password and a key to encrypt basing on the value of its character by performing addition a cipher key is generated and stored in the waveform. The proposed scheme has an interesting feature of storing and representing the password in waveforms using Manchester encoding [7], which makes the system more effective in avoiding some attacks like guessing attack and tampering the password. The work clearly specifies the different authentication schemes used so far.

Published

2016

25. A SIMPLISTIC MOBILE SOLUTION FOR PASSWORD SECURITY

Author

Sahana M D

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Password policy, Zero-knowledge password proof, Cognitive password, Computer science, Computer security, computer.software_genre, Login, computer, One-time password, Password strength, S/KEY

Abstract

Authentication through passwords are the most common method for a person to login into a remote server. However, they are very frustrating when it comes to security. Every server asks their users to avoid common passwords which is easy guess by snoopers. Often the usersare required to enter a combination of alphabets, numbers and special characters. Due to which more often than not users usually reuse the same passwords for all servers. As a matter of fact users have fewer than three passwords set up all their online log-ins. Even if one of those master passwords are compromised the user will need to go through a hectic procedure to retrieve their passwords where in most likely they would need to enter a new passwords since the old one was compromised. In this paper, we introduce an application that amazingly uses all the different methods of user authentication to come up with a unique way to store and retrieve the users passwords for utmost security. Each password is encrypted with a unique key for utmost security. To access the passwords which are stored in this cryptic format on the server, the user needs to only say the predefined words set by the user himself and the application will detect the speaker and give him access. The user also needs to go through another authentication system where he needs to set a color pattern to detect the pattern based on the colors. Once this is done, the user will be able to access his secured data which comes from the secured server in an encrypted format and is decrypted on the users phone. The user does not need to trust the server since every data is stored in an encrypted format and cannot be viewed by the server administrators.

Published

2016

26. An Efficient Remote User Password Authentication Scheme based on Rabin’s Cryptosystem

Author

Hari Om and Pratik Ranjan

Subjects

Password, Zero-knowledge password proof, Authentication, 020205 medical informatics, Computer science, computer.internet_protocol, business.industry, Password cracking, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Computer Science Applications, Password strength, S/KEY, Ciphertext, 0202 electrical engineering, electronic engineering, information engineering, Cryptosystem, Password authentication protocol, Smart card, Electrical and Electronic Engineering, Challenge–response authentication, business, computer

Abstract

Authentication prevents any illegal access to system resources. An entity authentication scheme is a mechanism to solve the problem of authenticity in a wired or wireless network environment. A remote user authentication scheme proposed by Kim et al. (IEICE Trans Fundam Electron Commun Comput Sci 94(6):1426---1433, 2011) claims that this scheme is secure against the offline password guessing attack, unlimited online password guessing attack, server impersonation, user impersonation, and reply attacks. Tai et al. (2012 26th international conference on advanced information networking and applications workshops (WAINA), pp 160---164, 2012) report some fatal security flaws in the password change phase of the Kim et al.'s scheme. Though these two schemes have used the Rabin's cryptosystem and claim their suitability for implementation, yet none of them describes the process of selecting one root out of four plaintexts from the single cipher text. In this paper, we use the Blum---Blum---Shub pseudo-random bit generator algorithm to select the original one among the four plaintexts. We also present the security analysis of our scheme. Our scheme is much secure and suitable for practical implementation.

Published

2016

27. A privacy preserving three-factor authentication protocol for e-Health clouds

Author

Muhammad Khurram Khan, Xiang Lu, Qi Jiang, Jianfeng Ma, and Debiao He

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Computer science, 02 engineering and technology, Login, Computer security, computer.software_genre, One-time password, Theoretical Computer Science, S/KEY, Lightweight Extensible Authentication Protocol, 0202 electrical engineering, electronic engineering, information engineering, Data Authentication Algorithm, Password, 020203 distributed computing, Authentication, Password policy, Cognitive password, Revocation, business.industry, Password cracking, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Hardware and Architecture, Elliptic curve cryptosystem, Authentication protocol, Smart card, Challenge–response authentication, Reflection attack, business, computer, Software, Information Systems

Abstract

E-Health clouds are gaining increasing popularity by facilitating the storage and sharing of big data in healthcare. However, such an adoption also brings about a series of challenges, especially, how to ensure the security and privacy of highly sensitive health data. Among them, one of the major issues is authentication, which ensures that sensitive medical data in the cloud are not available to illegal users. Three-factor authentication combining password, smart card and biometrics perfectly matches this requirement by providing high security strength. Recently, Wu et al. proposed a three-factor authentication protocol based on elliptic curve cryptosystem which attempts to fulfill three-factor security and resist various existing attacks, providing many advantages over existing schemes. However, we first show that their scheme is susceptible to user impersonation attack in the registration phase. In addition, their scheme is also vulnerable to offline password guessing attack in the login and password change phase, under the condition that the mobile device is lost or stolen. Furthermore, it fails to provide user revocation when the mobile device is lost or stolen. To remedy these flaws, we put forward a robust three-factor authentication protocol, which not only guards various known attacks, but also provides more desired security properties. We demonstrate that our scheme provides mutual authentication using the Burrows---Abadi---Needham logic.

Published

2016

28. Secure Authentication Using Click Draw Based Graphical Password Scheme

Author

Pratibha Rane, Prarthana M. Modak, and Nilam N. Shaikh

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Zero-knowledge password proof, Authentication, Alphanumeric, Computer science, Human–computer interaction, Challenge–response authentication, One-time password, S/KEY, Password strength

Abstract

Graphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings. We have developed one such system, called Secure Authentication using Click Draw Based graphical password scheme, and evaluated it with human users. Secure Authentication using Click Draw Based graphical password scheme, including USAbility and security evaluations, and implementation considerations. An important USAbility goal for knowledge-based authentication systems is to support users in selecting passwords of higher security, in the sense of being from an expanded effective security pace. We use the sequence of multiple images along with a dummy image and alsoa pattern on any single image to influence user choice in click draw based graphical passwords, encouraging users to select more random, and hence more difficult to guess patterns.

Published

2016

29. The Shoulder Surfing Resistant Graphical Password Authentication Technique

Author

Aakansha Gokhale and Vijaya Waghmare

Subjects

Zero-knowledge password proof, Computer science, computer.internet_protocol, Salt (cryptography), 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Shoulder surfing, S/KEY, Password strength, 0202 electrical engineering, electronic engineering, information engineering, Key stretching, Syskey, Microsoft Office password protection, Password authentication protocol, Password psychology, General Environmental Science, Password, 021110 strategic, defence & security studies, Password policy, Authentication, Cognitive password, Password cracking, Authorization, Graphical Password, 020206 networking & telecommunications, Passphrase, Information security, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Security, General Earth and Planetary Sciences, Challenge–response authentication, computer

Abstract

Nowadays computer as well as information security is the most significant challenge. Authorized users should access the system or information. Authorization can’t occur without authentication. For this authentication various techniques are available. Among them the most popular and easy is the password technique. Password ensures that computer or information can be accessed by those who have been granted right to view or access them. Traditional password technique is a textual password which is also called alphanumeric password. But these textual passwords are easy to crack through various types of attack. So to overcome these vulnerabilities, a graphical password technique is introduced. As name suggests in this technique images (pictures) are used as a password instead of text. Also psychological study says that human can easily remember images than text. So according to this fact, graphical passwords are easy to remember and difficult to guess. But because of graphic nature, nearly all the graphical password techniques are vulnerable to shoulder surfing attack. So here, a new graphical password authentication technique is proposed which is resistant to shoulder surfing and also other types of possible attacks to some extent. It is a combination of recognition and recall based approach. It can be useful for smart held devices like smart phones, PDA, iPod, iPhone etc.

Published

2016

30. Cued-Click Point Graphical Password Using Circular Tolerance to Increase Password Space and Persuasive Features

Author

Debi Prasad Mishra, Karmajit Patra, Prajnya Priyadarsini Satapathy, and Bhushan Nemade

Subjects

0106 biological sciences, Zero-knowledge password proof, Software_OPERATINGSYSTEMS, Salt (cryptography), Computer science, 0211 other engineering and technologies, 02 engineering and technology, 01 natural sciences, One-time password, S/KEY, Password strength, World Wide Web, Human–computer interaction, Key stretching, Syskey, Key derivation function, Password psychology, General Environmental Science, Password, Authentication, 021110 strategic, defence & security studies, tolerance, Cognitive password, Passphrase, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, cued-click point (CCP), password space, General Earth and Planetary Sciences, 010606 plant biology & botany

Abstract

Graphical password can be used as an alternative to text based (alphanumeric) password in which users click on images to set their passwords. Text based password uses username and password. So recalling of password is necessary which may be a difficult one. Images are generally easier to be remembered than text and in Graphical password; user can set images as their password. Therefore graphical password has been proposed by many researchers as an alternative to text based password Graphical passwords can be applied to workstation, web log-in applications, ATM machines, mobile devices etc. This paper presents implementation of Cued click point (CCP) graphical password which uses circular tolerance. Then it is found that CCP with circular tolerance is better as compared to CCP with rectangular tolerance.

Published

2016

31. Towards Improving Storage Cost and Security Features of Honeyword Based Approaches

Author

Nilesh Chakraborty and Samrat Mondal

Subjects

Honeyword, Storage Cost, Zero-knowledge password proof, Computer science, 0211 other engineering and technologies, 02 engineering and technology, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Password, Attack model, Syskey, General Environmental Science, 021110 strategic, defence & security studies, Authentication, Plaintext, Adversary, Inversion Attack, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Security, General Earth and Planetary Sciences, Challenge–response authentication, computer

Abstract

Password based authentication shows its vulnerability against inversion attack model in which adversary obtains plaintext password from its corresponding hashed value. To cope up with such attack, honeyword based authentication technique is introduced. In this technique, along with the original password of user, some dummy passwords or honeywords are also stored. Although this technique is good enough to address the aforementioned security breach, but use of additional storage to store the honeywords is still an overhead associated with such approach. In this paper, we have proposed few directions to minimize the storage cost of some of the existing honeyword generation approaches. We have even found that in some cases no additional storage overhead is required. A comparative analysis at the end also shows that the proposed techniques are able to raise some of the security features compared to existing honeyword generation approaches.

Published

2016

32. Automatic Fortified Password Generator System Using Special Characters

Author

Junho Jeong and Jung-Sook Kim

Subjects

Password, Password policy, Zero-knowledge password proof, Cognitive password, Logic, Computer science, Computer security, computer.software_genre, One-time password, Computer Science Applications, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Keystroke dynamics, Computational Theory and Mathematics, Artificial Intelligence, Signal Processing, computer

Abstract

The developed security scheme for user authentication, which uses both a password and the various devices, is always open by malicious user. In order to solve that problem, a keystroke dynamics is introduced. A person’s keystroke has a unique pattern. That allows the use of keystroke dynamics to authenticate users. However, it has a problem to authenticate users because it has an accuracy problem. And many people use passwords, for which most of them use a simple word such as “password” or numbers such as “1234.” Despite people already perceive that a simple password is not secure enough, they still use simple password because it is easy to use and to remember. And they have to use a secure password that includes special characters such as “#!(*)ˆ”. In this paper, we propose the automatic fortified password generator system which uses special characters and keystroke feature. At first, the keystroke feature is measured while user key in the password. After that, the feature of user’s keystroke is classified. We measure the longest or the shortest interval time as user’s keystroke feature. As that result, it is possible to change a simple password to a secure one simply by adding a special character to it according to the classified feature. This system is effective even when the cyber attacker knows the password.

Published

2015

33. Secure Graphical One Time Password (GOTPass): An Empirical Study

Author

Maria Papadaki, Hussain Alsaiari, Paul Dowland, and Steven Furnell

Subjects

Password, Password policy, Zero-knowledge password proof, Information Systems and Management, Cognitive password, Computer science, Password cracking, Computer security, computer.software_genre, One-time password, Computer Science Applications, S/KEY, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, computer, Software

Abstract

The traditional text-based password has been the default security medium for years; however, the difficulty of memorizing secure strong passwords often leads to insecure practices. A possible alternative solution is graphical authentication, which is motivated by the fact that the capability of humans’ memory for images is superior to text, which helps to improve password usability and security. Recently, some implementations of graphical authentication techniques have been deployed in practice. This paper introduces a new hybrid graphical authentication, “GOTPass,” that authenticates by means of a one-time numerical code that needs to be typed in based on a sequence of secret images and a prechosen input format. An important focus for this paper was the security aspects of the graphical password scheme. This paper reports an in-depth analysis of the security evaluation and shows a high resistance capability of GOTPass against common graphical password attacks. Three attacks were simulated Guessing, Intersection, and Shoulder-surfing, and the results showed that nearly 98% of the 690 attempts failed to compromise the system.

Published

2015

34. A mobile authentication system resists to shoulder-surfing attacks

Author

Ming-Hour Yang and Jia-Ning Luo

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Computer Networks and Communications, Computer science, Salt (cryptography), Data_MISCELLANEOUS, 050801 communication & media studies, 02 engineering and technology, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, 0508 media and communications, Shoulder surfing, 0202 electrical engineering, electronic engineering, information engineering, Media Technology, Password, Password policy, Authentication, Cognitive password, 05 social sciences, 020207 software engineering, Multi-factor authentication, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Hardware and Architecture, Challenge–response authentication, computer, Software

Abstract

Traditional password-based authentication schemes are vulnerable to shoulder-surfing attacks. Attackers may steal user's sensitive information through direct observation, particularly at crowded places. In this paper, we propose a novel mobile authentication mechanism to prevent shoulder-surfing attacks. Even though an attacker can capture a user's input, he cannot derive the original password from his observation. Our authentication mechanism can be applied in various systems, especially on mobile devices. In the security analysis section, we prove that our scheme is secure against shoulder-surfing attacks, phishing attacks, and other malicious software attacks.

Published

2015

35. Efficient provably secure password-based explicit authenticated key agreement

Author

Jong-Hyouk Lee, Ou Ruan, Debiao He, and Neeraj Kumar

Subjects

Password, Encrypted key exchange, Password policy, Zero-knowledge password proof, Computer Networks and Communications, Computer science, Computer security, computer.software_genre, One-time password, Computer Science Applications, Password strength, S/KEY, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Hardware and Architecture, Challenge–response authentication, computer, Software, Information Systems

Abstract

A password-based authenticated key agreement enables several parties to establish a shared cryptographically strong key over a public unreliable and insecure network using short low-entropy passwords. This authenticated key agreement is definitely required even in Internet of Things (IoT) environments, since no additional device is required. There are only few proposals reported in literature for password-based explicit authenticated key agreement (EAKA). Recently, Zheng et?al. proposed a 3-round password-based EAKA protocol. In this paper, we reveal that their protocol is vulnerable to impersonation attack, and the used security definition is not formally treated. We then formalize the security definition of two-party password-based EAKA protocol and improve the construction of Zheng et?al. to eliminate its security vulnerabilities. The security of the proposal is formally proved using a new security model.

Published

2015

36. Three Way Graphical Password Authentication

Author

Ashwini Waghmare and R S Yenape

Subjects

Password, Zero-knowledge password proof, computer.internet_protocol, Computer science, HMAC-based One-time Password Algorithm, Challenge–response authentication, Computer security, computer.software_genre, Password psychology, computer, One-time password, Password strength, S/KEY

Published

2017

37. Provably Secure Password Reset Protocol: Model, Definition, and Construction

Author

Satsuya Ohata, Takahiro Matsuda, and Kanta Matsuura

Subjects

Password, Provable security, Zero-knowledge password proof, Authentication, Computer science, 05 social sciences, 0102 computer and information sciences, Computer security, computer.software_genre, Login, 01 natural sciences, Password strength, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, 010201 computation theory & mathematics, Backup, 0501 psychology and cognitive sciences, computer, Reset (computing), 050107 human factors

Abstract

Many online services adopt a password-based user authentication system because of its usability. However, several problems have been pointed out on it, and one of the well-known problems is that a user forgets his/her password and cannot login the services. To solve this problem, most online services support a backup authentication mechanism with which a user can reset a password. However, negative facts about security have been reported for a popular backup authentication mechanism. In this paper, we consider a provable security treatment for a password reset protocol. First, we formalize a model and security definitions. We consider security against active adversaries that can mount man-in-the-middle attacks and concurrent attacks. Then we propose a generic construction of a password reset protocol secure under our definitions based on pseudorandom functions and public key encryption. In addition, we implement a prototype of our protocol to evaluate its efficiency.

Published

2018

38. Access right management by extended password capabilities

Author

Lanfranco Lopriore

Subjects

Zero-knowledge password proof, Computer Networks and Communications, Computer science, Salt (cryptography), 0102 computer and information sciences, 02 engineering and technology, Distribution, Computer security, computer.software_genre, 01 natural sciences, One-time password, S/KEY, Password strength, Password, 0202 electrical engineering, electronic engineering, information engineering, Revocation, Safety, Risk, Reliability and Quality, Reduction, Password policy, Cognitive password, Access right, 010201 computation theory & mathematics, 020201 artificial intelligence & image processing, computer, Access right, Distribution, Password, Reduction, Revocation, Software, Information Systems

Abstract

With reference to a classic protection system featuring active subjects that reference protected objects, we approach the problem of identifying the objects that each subject can access, and the operations that the subject can carry out on these objects. Password capabilities are a classical solution to this problem. We propose a new form of password capability, called extended password capability (or e-capability, for short). An e-capability can specify any combination of access rights. A subject that holds a given e-capability can generate new e-capabilities for reduced sets of access rights. Furthermore, a subject that created a given object is in a position to revoke the access permissions granted by every e-capability referencing this object, completely or in part. The size of an e-capability is comparable to that of a traditional password capability. The number of passwords that need to be stored in memory permanently is kept to a minimum, and is equal to a single password for each object.

Published

2018

39. A Security Analysis, and a Fix, of a Code-Corrupted Honeywords System

Author

Gabriele Lenzini, Ziya Alper Genç, Peter Y. A. Ryan, and Itzel Vazquez Sandoval

Subjects

Password, Secure Protocols Design, Computer science [C05] [Engineering, computing & technology], Zero-knowledge password proof, Password policy, Computer science, Password cracking, Computer security, computer.software_genre, Sciences informatiques [C05] [Ingénierie, informatique & technologie], One-time password, Password strength, S/KEY, Formal Analysis, Honeywords, Password-based Authentication, Challenge–response authentication, computer

Abstract

In 2013 Juels and Rivest introduced the Honeywords System, a password-based authentication system designed to detect when a password file has been stolen. A Honeywords System stores passwords together with indistinguishable decoy words so when an intruder steals the file, retrieves the words, and tries to log-in, he does not know which one is the password. By guessing one from the decoy words, he may not be lucky and reveal the leak. Juels and Rivest left a problem open: how to make the system secure even when the intruder corrupted the login server’s code. In this paper we study and solve the problem. However, since “code corruption” is a powerful attack, we first define rigorously the threat and set a few assumptions under which the problem is still solvable, before showing meaningful attacks against the original Honeywords System. Then we elicit a fundamental security requirement, implementing which, we are able to restore the honeywords System’s security despite a corrupted login service. We verify the new protocol’s security formally, using ProVerif for this task. We also implement the protocol and test its performance. Finally, at the light of our findings, we discuss whether it is still worth using a fixed honeywords-based system against such a powerful threat, or whether it is better, in order to be resilient against code corruption attacks, to design afresh a completely different password-based authentication solution.

Published

2018

40. Mechanism on Computer Access Permission Management Based on the Proposed Dynamic Password Algorithm

Author

Shao Jianyu, Liao Jingxue, Yang Yang, and Cheng Jiujun

Subjects

Password, Zero-knowledge password proof, Password policy, General Computer Science, Computer science, Password cracking, Computer security, computer.software_genre, One-time password, Password strength, S/KEY, Syskey, computer, Algorithm

Abstract

With the rapid development of information technology, personal computer privacy and permission management are becoming more and more important. Based on RSA encryption algorithm, we design a dynamic password encryption and codec algorithm, and propose a mechanism on computer access permission management which is capable of dealing with situations both online and offline. In the offline mode, administrators can authenticate users by matching their contact information to that registered in administrators’ mobile terminal. Generated by the co-work of a personal computer and a mobile terminal, the dynamic password makes cracking the password a trickier task. Permission control information is also added into the dynamic password, and file filter system will be loaded once the screen is successfully unlocked, so as to protect private directories or files from being accessed without authorization. In online mode, the system provides real-time video for identity verification, which makes the system more secure and convenient. Experiment results show that this dynamic password based mechanism on computer access permission management is efficient in dealing with existing problems in personal privacy and access permission management.

Published

2015

41. Design and Implementation of a Two-Factor, One Time Password Authentication System

Author

TokulaUmaha I and EsiefarienrheBukohwo Michael

Subjects

Password, Password policy, Zero-knowledge password proof, Computer science, business.industry, computer.internet_protocol, One-time password, Password strength, S/KEY, HMAC-based One-time Password Algorithm, Challenge–response authentication, business, computer, Computer network

Published

2015

42. An improved secure and efficient password and chaos-based two-party key agreement protocol

Author

Kaiping Xue and Yu Liu

Subjects

Key-agreement protocol, Zero-knowledge password proof, Otway–Rees protocol, Computer science, Applied Mathematics, Mechanical Engineering, Aerospace Engineering, Ocean Engineering, 02 engineering and technology, Cryptographic protocol, Computer security, computer.software_genre, 01 natural sciences, One-time password, Password strength, Control and Systems Engineering, Authentication protocol, 0103 physical sciences, Universal composability, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, 010301 acoustics, computer

Abstract

Recently, chaos has been treated as a good way to reduce computational complexity while satisfying security requirements of a key agreement protocol. Guo and Zhang (Inf Sci 180(20):4069–4074, 2010) proposed an chaotic public-key cryptosystem-based key agreement protocol. Lee (Inf Sci 290:63–71, 2015) has proved that Guo et al.’s scheme cannot resist off-line password guess attack. In this paper, we furtherly demonstrate Guo et al.’s scheme has redundancy in protocol design and still has some security flaws. Furthermore, we present an improved secure password and chaos-based two-party key agreement protocol, which can solve the security threats of replay and denial-of-service attacks. Meanwhile, we simplify the protocol steps to reduce redundancy in protocol design. From security and performance analysis, our proposed protocol can resist the security flaws in related works, and it has less communication overhead and computational complexity.

Published

2015

43. A Study of Interpretation Effect of Passwords to Password Generation

Author

Taekyoung Kwon and Seungyeon Kim

Subjects

Password, Zero-knowledge password proof, Cognitive password, Salt (cryptography), Computer science, Computer security, computer.software_genre, Password psychology, One-time password, computer, Password strength, S/KEY

Abstract

The purpose of this study was to find if the password compositi on of domestic users is affected by the different form of the word ‘Password’ in the interface of login or password change. I n particular, ‘Password’, foreign notation, and ‘Secret Number’ , notation translated by Korean, have a semantic difference. Acco rding to the survey of 200 students in S university, passwords made under the word ‘Secret Number’ are heavy on numbers than a lphabet. Because these passwords make much smaller composition space than another case, they have bad security imp act. We expect to make use of this paper as a base line data for study to find how improve domestic user’s password security .Keywords: Password, Secret Number, Number-oriented password I.서 론 * 1.1배경패스워드는 사용자 인증을 위해 사용되는 비밀 문자열을 의미하며 일반적으로 영문자와 숫자, 그리고 경우에 따라 특수문자를 조합하여 구성된다. 영어권 접수일(2015년 5월 29일), 수정일(2015년 9월 15일), 게재확정일(2015년 10월 8일)* 본 연구는 미래창조과학부 및 정보통신기술진흥센터의 대학 ICT연구센터육성 지원사업의 연구결과(IITP-2015- H8501-15-1008)로 수행되었음. 또한, 정부(미래창

Published

2015

44. Design of a password-based authenticated key exchange protocol for SIP

Author

Dheerendra Mishra

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Interlock protocol, Computer Networks and Communications, Computer science, computer.internet_protocol, 02 engineering and technology, Shared secret, Oakley protocol, Computer security, computer.software_genre, Random oracle, Universal composability, 0202 electrical engineering, electronic engineering, information engineering, Media Technology, Strong authentication, Session key, Pre-shared key, Elliptic curve cryptography, Password, Key-agreement protocol, Stateless protocol, Session Initiation Protocol, Authentication, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 020206 networking & telecommunications, 020207 software engineering, Authenticated Key Exchange, Hardware and Architecture, Authentication protocol, Challenge–response authentication, business, Communications protocol, computer, Software, Computer network

Abstract

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. In recent years, password-based authenticated key exchange protocols are designed to provide strong authentication for SIP. In this paper, we address this problem in two-party setting where the user and server try to authenticate each other, and establish a session key using a shared password. We aim to propose a secure and anonymous authenticated key exchange protocol, which can achieve security and privacy goal without increasing computation and communication overhead. Through the analysis, we show that the proposed protocol is secure, and has computational and computational overheads comparable to related authentication protocols for SIP using elliptic curve cryptography. The proposed protocol is also provably secure in the random oracle model.

Published

2015

45. Multi Server Password Authenticated Key Exchange Using Attribute-Based Encryption

Author

Minkyung Park, Ted Taekyoung Kwon, and Eunsang Cho

Subjects

Password, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Zero-knowledge password proof, Password policy, Computer science, Salt (cryptography), Syskey, Computer security, computer.software_genre, computer, One-time password, S/KEY, Password strength

Abstract

Password authenticated key exchange (PAKE) is a protocol that a client stores its password to a server, authenticates itself using its password and shares a session ke y with the server. In multi-server PAKE, a client splits its password and stores them to several servers separately. Unless all the servers are compromised, client's password will not be disclosed in the multi-server setting. In attribute-based encryption (ABE), a sender encrypts a message M using a set of attributes and then a receiver decrypts it using the same set of attributes. In this paper, we introduce multi-server PAKE protocol that utilizes a set of attributes of ABE as a client's password. In the protocol, the client and servers do not need to create additional public/private key pairs because the password is used as a set of public keys. Also, the client and the servers exchange only one round-trip message per server. The protocol is secure against dictionary attacks. We prove our system is secure in a proposed threat model. Finally we show feasibility through evaluating the execution time of the protocol.

Published

2015

46. Hash Based Multi-server Key Exchange Protocol Using Smart Card

Author

Prakash Chand Gupta and Joydip Dhar

Subjects

Zero-knowledge password proof, Spoofing attack, Computer science, Hash function, 02 engineering and technology, Computer security, computer.software_genre, Login, One-time password, Password strength, S/KEY, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Key exchange, Password, Password policy, OpenPGP card, business.industry, Password cracking, 020206 networking & telecommunications, Mutual authentication, Multi-factor authentication, Smart card application protocol data unit, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Authentication protocol, 020201 artificial intelligence & image processing, Smart card, business, computer

Abstract

With the aim to use numerous network based services through one time user/client registration, lots of works have been done. Most of the work uses password based login mechanism, out of which biometric information based login mechanism, is considered to be the most secured. But all of the previous work for establishing multi-server mutual authentication between client and server are based on single registration center, where all servers and clients are registered at common registration center. In this paper, we are propose a novel biometric password based key exchange authentication protocol using smart card for multi-registration centers in distributed multiple client---server architecture. Proposed protocol equipped with many security feature like user's identity protection and its traceability and resistance to attacks such as password guessing, known password, stolen smart card, smart card forgery, inside, message spoofing and replay. This protocol also has user friendly and efficient user's login password update.

Published

2015

47. Cracking More Password Hashes With Patterns

Author

Emin Islam Tatli

Subjects

Dictionary Attacks, Zero-knowledge password proof, Dictionary attack, Computer Networks and Communications, Computer science, Salt (cryptography), Data Security, Hash function, Computer security, computer.software_genre, One-time password, S/KEY, Password strength, Password Security, Key stretching, pwdump, Safety, Risk, Reliability and Quality, Password psychology, Hacker, Password, Authentication, Password policy, Cognitive password, Password cracking, Plaintext, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Rainbow table, Hash list, Hash Cracking, computer

Abstract

WOS: 000359984600009 It is a common mistake of application developers to store user passwords within databases as plaintext or only as their unsalted hash values. Many real-life successful hacking attempts that enabled attackers to get unauthorized access to sensitive database entries including user passwords have been experienced in the past. Seizing password hashes, attackers perform brute-force, dictionary, or rainbow-table attacks to reveal plaintext passwords from their hashes. Dictionary attacks are very fast for cracking hashes but their success rate is not sufficient. In this paper, we propose a novel method for improving dictionary attacks. Our method exploits several password patterns that are commonly preferred by users when trying to choose a complex and strong password. In order to analyze and show success rates of our developed method, we performed cracking tests on real-life leaked password hashes using both a traditional dictionary and our pattern-based dictionary. We observed that our pattern-based method is superior for cracking password hashes.

Published

2015

48. An Efficient Remote User Authentication with Key Agreement Scheme Using Elliptic Curve Cryptography

Author

Baojun Huang, Libing Wu, Fahad T. Bin Muhaya, Muhammad Khurram Khan, and Debiao He

Subjects

Password, Zero-knowledge password proof, Authentication, business.industry, Computer science, Data_MISCELLANEOUS, Password cracking, Mutual authentication, Computer security, computer.software_genre, Computer Science Applications, S/KEY, Key (cryptography), Smart card, Electrical and Electronic Engineering, Challenge–response authentication, Elliptic curve cryptography, business, computer

Abstract

As the internet technology's evolution, identity authentication in the network is becoming more and more significant. In 2014, Qu et al. proposed a two-factor remote mutual authentication and key agreement scheme. They pointed out that their scheme could withstand smart card loss attack, offline password guessing attack, impersonation attack and so on. However, based on our analysis, it shows that the scheme suffers from offline password guessing attack and impersonation attack. Moreover, their scheme could not achieve perfect user anonymity. In this paper, we propose a scheme, which can withstand those attacks mentioned above. After the function and efficiency comparison with other schemes, our scheme is much more secure and practical as the secure universal access control mechanism.

Published

2015

49. Provably secure extended chaotic map-based three-party key agreement protocols using password authentication

Author

Tian Fu Lee, Ching Ying Lin, Chun-Li Lin, and Tzonelih Hwang

Subjects

Challenge-Handshake Authentication Protocol, Key-agreement protocol, Zero-knowledge password proof, Otway–Rees protocol, Computer science, business.industry, Applied Mathematics, Mechanical Engineering, Aerospace Engineering, Ocean Engineering, Oakley protocol, Control and Systems Engineering, Authentication protocol, Wide Mouth Frog protocol, Electrical and Electronic Engineering, Challenge–response authentication, business, Computer network

Abstract

This paper presents a novel three-party key agreement protocol using password authentication, which enables each client sharing a long-lived secret only with a trusted server to exchange confidential and authenticated information with another client over an insecure network via the server. The proposed protocol is based on extended chaotic maps and adopts the technique that the clients can publicly exchange the factors for generating the session key without the help of the server such that the numbers of transmissions are reduced. A round-efficient version of the proposed key agreement protocol is also described. Compared to related chaotic map-based approaches, the proposed protocol not only possesses higher security and lower computational cost, but also has fewer transmissions. Additionally, the proposed protocol is proven secure in the random oracle model and realizes optimal in communications.

Published

2015

50. Design and Analysis of Bilinear Pairing Based Mutual Authentication and Key Agreement Protocol Usable in Multi-server Environment

Author

Ruhul Amin and G. P. Biswas

Subjects

Challenge-Handshake Authentication Protocol, Zero-knowledge password proof, Otway–Rees protocol, Computer science, Computer security, computer.software_genre, One-time password, S/KEY, Session key, Electrical and Electronic Engineering, Key-agreement protocol, Password, Password policy, Cognitive password, business.industry, Password cracking, Mutual authentication, Computer Science Applications, Authentication protocol, Protected Extensible Authentication Protocol, The Internet, Wide Mouth Frog protocol, Smart card, Reflection attack, Challenge–response authentication, business, computer, Computer network

Abstract

With the increasing popularity and demand for various applications, the internet user accesses remote server by performing remote user authentication protocol using smart card over the insecure channel. In order to resist insider attack, most of the users remember a set of identity and password for accessing different application servers. Therefore, remembering set of identity and password is an extra overhead to the user. To avoid the mentioned shortcoming, many remote user authentication and key agreement protocols for multi-server architecture have been proposed in the literature. Recently, Hsieh---Leu proposed an improve protocol of Liao et al. scheme and claimed that the improve protocol is applicable for practical implementation. However, through careful analysis, we found that Hsieh---Leu scheme is still vulnerable to user anonymity, password guessing attack, server masquerading attack and the password change phase is inefficient. Therefore, the main aim of this paper was to design a bilinear pairing based three factors remote user authentication scheme using smart card for providing security weaknesses free protocol. In order to validate security proof of the proposed protocol, this paper uses BAN logic which ensures that the same protocol achieves mutual authentication and session key agreement property securely. Furthermore, this paper also informally illustrates that the proposed protocol is well protected against all the relevant security attacks. The performance analysis and comparison with other schemes are also made, and it has been found that the proposed protocol achieves complete security requirements with comparatively lesser complexities.

Published

2015