Top

International Journal of Information Security

Published in:

21-11-2017 | Regular Contribution

Design and implementation of Negative Authentication System

Authors: Dipankar Dasgupta, Abhijit Kumar Nag, Denise Ferebee, Sanjib Kumar Saha, Kul Prasad Subedi, Arunava Roy, Alvaro Madero, Abel Sanchez, John R. Williams

Published in: International Journal of Information Security | Issue 1/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Modern society is mostly dependent on online activities like official or social communications, fund transfers and so on. Unauthorized system access is one of the utmost concerns than ever before in cyber systems. For any cyber system, robust authentication is an absolute necessity for ensuring security and reliable access to all type of transactions. However, more than 80% of the current authentication systems are password based, and surprisingly, they are prone to direct and indirect cracking via guessing or side channel attacks. The inspiration of Negative Authentication System (NAS) is based on the negative selection algorithm. In NAS, the password-based authentication data for valid users are termed as password profile or self-region (positive profile); any element other than the self-region is defined as non-self-region in the same representative space. The anti-password detectors are generated which covers most of the non-self-region. There are also some uncovered regions left in the non-self-region for inducing uncertainty to the attackers. In this work, we describe the design and implementation of three approaches of NAS and its efficacy over the other authentication methods. These three approaches represent three different ways to achieve obfuscation of password points with non-password space. The experiments are conducted with both real and simulated password profiles to justify the efficiency of different implementations of NAS.

previous article Defeating SQL injection attack in authentication security: an experimental study

next article Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

http://geospatial.mit.edu/.

https://vimeo.com/98054594.

Bojinov, H., Bursztein, E., Boyen, X., Boneh, D.: Kamouflage: Loss-resistant password management. In: Computer Security—ESORICS 2010, pp. 286–302. Springer, Berlin (2010). http://crypto.stanford.edu/~dabo/papers/passwordmgr.pdf. Accessed 24 Jan 2017

Bond, M.: Comments on gridsure authentication. https://www.cl.cam.ac.uk/~mkb23/research/GridsureComments.pdf. (2008). Accessed 24 Jan 2017

Bonneau, J.: Guessing human-chosen secrets. Ph.D. Thesis, University of Cambridge (2012). https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-819.pdf. Accessed 24 Jan 2017

Brants, T., Franz, A.: The google web 1t 5-gram corpus version 1.1. LDC2006T13 (2006). https://catalog.ldc.upenn.edu/ldc2006t13. Accessed 24 Jan 2017

Butler, R.: List of the 1000 most common surnames in the U.S. (2009). http://names.mongabay.com/most_common_surnames.htm. Accessed 24 Jan 2017

Camenisch, J., Lehmann, A., Neven, G.: Optimal distributed password verification. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 182–194. ACM, New York (2015). http://dl.acm.org/citation.cfm?id=2813722. Accessed 24 Jan 2017

Cubrilovic, N.: Rockyou hack: from bad to worse (2009). https://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/. Accessed 15 Nov 2017

Dasgupta, D., Azeem, R.: An investigation of negative authentication systems. In: Proceedings of the 3rd International Conference on Information Warfare and Security, pp. 117–126 (2008). http://citeseerx.ist.psu.edu/viewdoc/citations;jsessionid=14EA96BC1BB9B1B9B8EFB47ECE961758?doi=10.1.1.372.1491. Accessed 24 Jan 2017

Dasgupta, D., Ferebee, D., Saha, S., Nag, A.K., Madero, A., Sanchez, A., William, J., Subedi, K.P.: G-nas: A grid-based approach for negative authentication. In: Symposium on Computational Intelligence in Cyber Security (CICS) at IEEE Symposium Series on Computational Intelligence (SSCI), IEEE, Orlando, Florida (2014). http://ieeexplore.ieee.org/document/7013362/. Accessed 24 Jan 2017

10.

Dasgupta, D., Forrest, S.: An anomaly detection algorithm inspired by the immune system. In: Dasgupta, D. (ed.) Artificial Immune Systems and Their Applications, pp. 262–277. Springer, Berlin (1999)

11.

Dasgupta, D., Ji, Z., Gonzalez, F.: Artificial immune system (AIS) research in the last five years. In: The 2003 Congress on Evolutionary Computation, 2003. CEC ’03, vol. 1, pp. 123–130 (2003). http://ieeexplore.ieee.org/document/1299565/. Accessed 24 Jan 2017

12.

Dasgupta, D., Saha, S.: Password security through negative filtering. In: 2010 International Conference on Emerging Security Technologies (EST), pp. 83–89. IEEE, Washington (2010). http://dl.acm.org/citation.cfm?id=1902111. Accessed 24 Jan 2017

13.

De Castro, L.N., Timmis, J.: Artificial Immune Systems: A New Computational Intelligence Approach. Springer, Berlin (2002). http://www.springer.com/us/book/9781852335946. Accessed 24 Jan 2017

14.

Esponda, F., Ackley, E.S., Helman, P., Jia, H., Forrest, S.: Protecting data privacy through hard-to-reverse negative databases. In: Information Security, pp. 72–84. Springer, Berlin (2006). https://crypto.stanford.edu/portia/papers/HardNDB.pdf. Accessed 24 Jan 2017

15.

Everspaugh, A., Chaterjee, R., Scott, S., Juels, A., Ristenpart, T.: The pythia PRF service. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 547–562 (2015). https://www.usenix.org/node/190917. Accessed 24 Jan 2017

16.

Feldmeier, D.C., Karn, P.R.: Unix password security-ten years later. In: Advances in Cryptology, CRYPTO89 Proceedings, pp. 44–63. Springer (1990). http://www.cs.technion.ac.il/~cs236350/Material/unix-password-security-ten.pdf. Accessed 24 Jan 2017

17.

Fülöp, Á., Kovács, L., Kurics, T., Windhager-Pokol, E.: Balabit mouse dynamics challenge data set (2016). https://github.com/balabit/Mouse-Dynamics-Challenge

18.

Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: IEEE Computer Society Symposium on Research in Security and Privacy, p. 202. Institute of Electrical and Electronics Engineers (1994). http://dl.acm.org/citation.cfm?id=884218. Accessed 24 Jan 2017

19.

Fossi, M., Johnson, E., Turner, D., Mack, T., Blackbird, J., McKinney, D., Low, M.K., Adams, T., Laucht, M.P., Gough, J.: Symantec report on the underground economy. Symantec Corporation (2008). http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf. Accessed 24 Jan 2017

20.

Gamboa, H., Fred, A.: A behavioral biometric system based on human-computer interaction. Proc. SPIE 5404, 381–392 (2004)CrossRef

21.

Gong, L.: Collisionful keyed hash functions with selectable collisions. Inf. Process. Lett. 55(3), 167–170 (1995). http://www.sciencedirect.com/science/article/pii/002001909500085Q. Accessed 24 Jan 2017

22.

Hofmeyr, S.A., Forrest, S.: Architecture for an artificial immune system. Evol. Comput. 8(4), 443–473 (2000). http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.486.3902&rep=rep1&type=pdf. Accessed 24 Jan 2017

23.

Ji, Z.: Negative selection algorithms: from the thymus to v-detector. Ph.D. Thesis (2006). http://dl.acm.org/citation.cfm?id=1237333. AAI3230960

24.

Ji, Z., Dasgupta, D.: V-detector: an efficient negative selection algorithm with probably adequate detector coverage. Inf. Sci. 179(10), 1390–1406 (2009). https://doi.org/10.1016/j.ins.2008.12.015. http://www.sciencedirect.com/science/article/pii/S0020025508005434. Accessed 24 Jan 2017

25.

Juels, A., Rivest, R.L.: Honeywords: Making password-cracking detectable. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 145–160. ACM, New York (2013). https://people.csail.mit.edu/rivest/pubs/JR13.pdf. Accessed 24 Jan 2017

26.

Kanerva, P.: Sparse Distributed Memory. MIT Press, Cambridge (1988). https://mitpress.mit.edu/books/sparse-distributed-memory. Accessed 24 Jan 2017

27.

Khalil, G.: Password security thirty-five years late (2014). https://www.sans.org/reading-room/whitepapers/basics/password-security-thirty-five-years-35592. Accessed 24 Jan 2017

28.

Metropolis, N., Ulam, S.: The Monte Carlo method. J. Am. Stat. Assoc. 44(247), 335–341 (1949). http://homepages.rpi.edu/~angel/MULTISCALE/metropolis_Ulam_1949.pdf. Accessed 24 Jan 2017

29.

Pagh, R., Rodler, F.F.: Cuckoo hashing. J. Algorithms 51(2), 122–144 (2004). http://www.it-c.dk/people/pagh/papers/cuckoo-jour.pdf. Accessed 24 Jan 2017

30.

Perlroth, N.: Hackers in China attacked the times for last 4 months. NY Times, Jan 30 (2013). http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html. Accessed 24 Jan 2017

31.

Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: Proceedings of the 5th USENIX Conference on Hot Topics in Security, pp. 1–8. USENIX Association (2010). https://www.microsoft.com/en-us/research/publication/popularity-is-everything-a-new-approach-to-protecting-passwords-from-statistical-guessing-attacks/. Accessed 24 Jan 2017

32.

SkulSecurity: Password-skullsecurity (2011). https://wiki.skullsecurity.org/Passwords. Accessed 24 Jan 2017

33.

Smith, R.E.: Authentication: from passwords to public keys. Addison-Wesley Longman Publishing Co., Inc. (2001). http://dl.acm.org/citation.cfm?id=501593. Accessed 24 Jan 2017

34.

Song, H., Dharmapurikar, S., Turner, J., Lockwood, J.: Fast hash table lookup using extended bloom filter: an aid to network processing. ACM SIGCOMM Comput. Commun. Rev. 35(4), 181–192 (2005). http://conferences.sigcomm.org/sigcomm/2005/paper-SonDha.pdf. Accessed 24 Jan 2017

35.

Zheng, Y., Matsumoto, T., Imai, H.: Structural properties of one-way hash functions. In: Advances in Cryptology—CRYPT090, pp. 285–302. Springer, Berlin (1991). https://pdfs.semanticscholar.org/ed78/92387cd971e26241eb34f779a01807cb143c.pdf. Accessed 24 Jan 2017

Title: Design and implementation of Negative Authentication System
Authors: Dipankar Dasgupta
Abhijit Kumar Nag
Denise Ferebee
Sanjib Kumar Saha
Kul Prasad Subedi
Arunava Roy
Alvaro Madero
Abel Sanchez
John R. Williams
Publication date: 21-11-2017
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2019
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-017-0395-8

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2019

Defeating SQL injection attack in authentication security: an experimental study

Deployment and performance evaluation of mobile multicoupon solutions

Reverse engineering Java Card and vulnerability exploitation: a shortcut to ROM

Differential audio analysis: a new side-channel attack on PIN pads

Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications

Premium Partner