Skip to main content
Disciplines
Automotive Business IT + Informatics Construction + Real Estate Electrical Engineering + Electronics Energy + Sustainability Insurance + Risk Finance + Banking Management + Leadership Marketing + Sales Mechanical Engineering + Materials
Events
DE
EN
Books
Journals
Topic Page
Marketing
Start single access now
Access for companies
EXTENDED SEARCH
Log in
Top
Published in:
Fine-Grained Privacy Control for Fitness and Health Applications Using the Privacy Management Platform Read chapter Read first chapter

2019 | OriginalPaper | Chapter

A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

Authors : Ziya Alper Genç, Gabriele Lenzini, Peter Y. A. Ryan, Itzel Vazquez Sandoval

Published in: Information Systems Security and Privacy

Publisher: Springer International Publishing

Log in

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

Password-based authentication is a widespread method to access into systems, thus password files are a valuable resource often target of attacks. To detect when a password file has been stolen, Juels and Rivest introduced the Honeywords System in 2013. The core idea is to store the password with a list of decoy words that are “indistinguishable” from the password, called honeywords. An adversary that obtains the password file and, by dictionary attack, retrieves the honeywords can only guess the password when attempting to log in: but any incorrect guess will set off an alarm, warning that file has been compromised. In a recent conference paper, we studied the security of the Honeywords System in a scenario where the intruder also manages to corrupt the server’s code (with certain limiting assumptions); we proposed an authentication protocol and proved it secure despite the corruption. In this extended journal version, we detail the analysis and we extend it, under the same attacker model, to the other two protocols of the original Honeywords System, the setup and change of password. We formally verify the security of both of them; further, we discuss that our design suggests a completely new approach that diverges from the original idea of the Honeywords System but indicates an alternative way to authenticate users which is robust to server’s code-corruption.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

inform now
previous chapter The Current State of the Holistic Privacy and Security Modelling Approach in Business Process and Software Architecture Modelling
next chapter GenVote: Blockchain-Based Customizable and Secure Voting Platform
Footnotes
1
This is what R. Gonggrijp did when, in 2006, proved insecure a Dutch electronic voting machine.
 
2
Source code is available under GPLv3 at https://​github.​com/​codeCorruption/​HoneywordsM.
 
Literature
1.
Furnell, S.M., Dowland, P., Illingworth, H., Reynolds, P.L.: Authentication and supervision: a survey of user attitudes. Comput. Secur. 19, 529–539 (2000)CrossRef
2.
3.
4.
5.
Juels, A., Rivest, R.L.: Honeywords: Making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 145–160. ACM (2013)
6.
Erguler, I.: Achieving flatness: selecting the honeywords from existing user passwords. IEEE Trans. Dependable Secure Comput. 13(2), 284–295 (2016)CrossRef
7.
Genc, Z.A., Lenzini, G., Ryan, P.Y.A., Vazquez-Sandoval, I.: A security analysis, and a fix, of a code-corrupted honeywords system. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy (2018)
8.
Botha, R.A., Eloff, J.H.P.: Separation of duties for access control enforcement in workflow environments. IBM Syst. J. 40, 666–682 (2001)CrossRef
9.
NIST: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions (2015)
10.
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: 14th IEEE Computer Security Foundations Workshop, pp. 82–96. IEEE (2001)
11.
Metadata
Title
A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack
Authors
Ziya Alper Genç
Gabriele Lenzini
Peter Y. A. Ryan
Itzel Vazquez Sandoval
Copyright Year
2019
Book
Information Systems Security and Privacy

Print ISBN: 978-3-030-25108-6

Electronic ISBN: 978-3-030-25109-3

Copyright Year: 2019

DOI
https://doi.org/10.1007/978-3-030-25109-3_7

Premium Partner

    Image Credits