Top

Published in:

2014 | OriginalPaper | Chapter

Better Authentication: Password Revolution by Evolution

Authors : Daniel R. Thomas, Alastair R. Beresford

Published in: Security Protocols XXII

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We explore the extent to which we can address three issues with passwords today: the weakness of user-chosen passwords, reuse of passwords across security domains, and the revocation of credentials. We do so while restricting ourselves to changing the password verification function on the server, introducing the use of existing key-servers, and providing users with a password management tool. Our aim is to improve the security and revocation of authentication actions with devices and end-points, while minimising changes which reduce ease of use and ease of deployment. We achieve this using one time tokens derived using public-key cryptography and propose two protocols for use with and without an online rendezvous point.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Dancing with the Adversary: A Tale of Wimps and Giants (Transcript of Discussion)

next chapter Better Authentication Password Revolution by Evolution (Transcript of Discussion)

Existing key-servers do not maintain auditable append only logs.

[A-Za-z0-9].

DSA is broken if the random number used for nonces is biased which is problematic as frequently devices have bad random number generators that would leak the private key [15].

NIST minimum number of security-bits to 2030 [2].

We are going to ignore TCP handshakes here and retransmissions as these are implementation details (we could implement this with UDP).

\(A\) and \(S\) adjacent and \(R\) on the opposite side of the world.

http://web.monkeysphere.info/

It also aims to augment/replace the CA hierarchy for TLS but that is not our focus.

The source code is available https://github.com/ucam-cl-dtg/dtg-puppet/.

Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). doi:10.1145/322796.322806 CrossRef

Barker, E., Barker, W., Burr, W., Polk, W., Smid. M.: SP 800–57 Recommendation for Key Management - Part 1: General. In: NIST Special Publication, pp. 1–142 (2007)

Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)CrossRef

Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: IEEE Security and Privacy, Oakland, California, pp. 72–84. IEEE, May 1992. doi:10.1109/RISP.1992.213269, ISBN: 0818628251

Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Crypt. 17(4), 297–319 (2004)MathSciNetMATH

Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS (2010)

Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy (2012). doi:10.1109/SP.2012.44

Burrows, M., Abadi, M., Needham, R.M.: A logic of authentication. In: Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 426.1871, pp. 233–271, December 1989. doi:10.1098/rspa.1989.0125, ISSN: 1364-5021

Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy 2013, pp. 511–525 (2013). doi:10.1109/SP.2013.41

10.

Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATH

11.

Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012)CrossRef

12.

FIPS 186–3: Digital Signature Standard (DSS). In: National Institute of Standards and Technology (NIST) (2009)

13.

Florêncio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web. Banff, Alberta, Canada. ACM, pp. 657–666. (2007). doi:10.1145/1242572.1242661, ISBN: 9781595936547

14.

Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011)CrossRef

15.

Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001). doi:10.1023/A:1011214926272 MathSciNetCrossRefMATH

16.

Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26, October 1996. doi:10.1145/242896.242897, ISSN: 01464833

17.

Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)CrossRef

18.

Lamport, L.: Constructing digital signatures from a one-way function. Technical report. SRI International, pp. 1–7, October 1979

19.

Laurie, B., Langley, A., Kasper, E.: RFC6962: Certificate Transparency. Technical report IETF, pp. 1–27, June 2013

20.

Madhavapeddy, A., Sharp, R., Scott, D., Tse, A.: Audio networking: the forgotten wireless technology. In: Pervasive Computing, pp. 55–60, July 2005. doi:10.1109/MPRV.2005.50

21.

Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979). doi:10.1145/359168.359172 CrossRef

22.

Naccache, D., Stern, J.: Signing on a postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 121–135. Springer, Heidelberg (2001)CrossRef

23.

Nyberg, K., Rueppel, R.A.: Message recovery for signature schemes based on the discrete logarithm problem. Des. Codes Crypt. 7(1-2), 61–81 (1996). doi:10.1007/BF00125076, ISSN: 0925-1022

24.

Percival, C.: Stronger key derivation via sequential memory-hard functions, May 2009. http://www.unixhowto.de/docs/87_scrypt.pdf. Accessed 07 January 2014

25.

Pintsov, L.A., Vanstone, S.A.: Postal revenue collection in the digital age. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 105–120. Springer, Heidelberg (2001)CrossRef

26.

Riley, S.: Password security: What users know and what they actually do (2006). http://usabilitynews.org/password-security-what-users-know-and-what-they-actually-do/. Accessed 07 January 2014

27.

Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). doi:10.1145/359340.359342, ISSN: 00010782

28.

Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: Proceedings of the 14th USENIX Security Symposium, pp. 17–31 (2005)

29.

Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)

30.

Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)CrossRef

31.

Thomas, D.R., Beresford, A.R.: Nigori: Secrets in the cloud (2013). http://www.cl.cam.ac.uk/research/dtg/nigori/. Accessed 2013

32.

Wagner, D.T., Rice, A., Beresford, A.R.: Device Analyzer: Large-scale mobile data collection. In: Sigmetrics, Big Data Workshop. ACM, Pittsburgh, June 2013

Title: Better Authentication: Password Revolution by Evolution
Authors: Daniel R. Thomas
Alastair R. Beresford
Publisher: Springer International Publishing
Book: Security Protocols XXII
Print ISBN: 978-3-319-12399-8

Electronic ISBN: 978-3-319-12400-1

Copyright Year: 2014
DOI: https://doi.org/10.1007/978-3-319-12400-1_13

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner