PDF(702 KB)
On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries
Nilesh CHAKRABORTY, Samrat MONDAL
PDF(702 KB)
PDF(702 KB)
On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries
Unaided authentication services provide the flexibility to login without being dependent on any additional device. The power of recording attack resilient unaided authentication services (RARUAS) is undeniable as, in some aspects, they are even capable of offering better security than the biometric based authentication systems. However, high login complexity of these RARUAS makes them far from usable in practice. The adopted information leakage control strategies have often been identified as the primary cause behind such high login complexities. Though recent proposals havemade some significant efforts in designing a usable RARUAS by reducing its login complexity, most of them have failed to achieve the desired usability standard. In this paper, we have introduced a new notion of controlling the information leakage rate. By maintaining a good security standard, the introduced idea helps to reduce the login complexity of our proposed mechanism − named as Textual-Graphical Password-based Mechanism or TGPM, by a significant extent. Along with resisting the recording attack, TGPM also achieves a remarkable property of threat detection. To the best of our knowledge, TGPM is the first RARUAS, which can both prevent and detect the activities of the opportunistic recording attackers who can record the complete login activity of a genuine user for a few login sessions. Our study reveals that TGPM assures much higher session resiliency compared to the existing authentication services, having the same or even higher login complexities. Moreover, TGPM stores the password information in a distributed way and thus restricts the adversaries to learn the complete secret from a single compromised server. A thorough theoretical analysis has been performed to prove the strength of our proposal from both the security and usability perspectives. We have also conducted an experimental study to support the theoretical argument made on the usability standard of TGPM.
authentication / recording attack / premature attack / opportunistic adversary / leakage control / threat prevention / threat detection
| [1] |
Bonneau J, Cormac H, Paul C, Van O, Stajano F. The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 553–567
CrossRef
Google scholar
|
| [2] |
Pan X, Ling Z, Pingley A, Yu W, Zhang N, Ren K, Fu X. Password extraction via reconstructed wireless mouse trajectory. IEEE Transactions on Dependable and Secure Computing, 2016, 13(4): 461–473
CrossRef
Google scholar
|
| [3] |
Wang D, Zhang Z, Wang P, Yan J, Huang X. Targeted online password guessing: an underestimated threat. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security. 2016, 1242–1254
CrossRef
Google scholar
|
| [4] |
Manulis M, Stebila D, Kiefer F, Denham N. Secure modular password authentication for the web using channel bindings. International Journal of Information Security, 2016, 15(6): 597–620
CrossRef
Google scholar
|
| [5] |
Kontaxis G, Athanasopoulos E, Portokalidis G, Keromytis D A. Sauth: protecting user accounts from password database leaks. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 187–198
CrossRef
Google scholar
|
| [6] |
Yan Q, Han J, Li Y, Zhou J, Deng R. Leakage-resilient password entry: challenges, design, and evaluation. Computers & Security, 2015, 48(1): 196–211
CrossRef
Google scholar
|
| [7] |
Bai X, Gu W, Chellappan S, Wang X, Xuan D, Ma B. PAS: predicatebased authentication services against powerful passive adversaries. In: Proceedings of the IEEE Computer Security Applications Conference. 2008, 433–442
CrossRef
Google scholar
|
| [8] |
Sun M H, Chen T S, Yeh H J, Cheng Y C. A shoulder surfing resistant graphical authentication system. IEEE Transactions on Dependable and Secure Computing, 2018, 15(2): 180–193
CrossRef
Google scholar
|
| [9] |
Wiese O, Roth V. Pitfalls of shoulder surfing studies. In: Proceedings of the Internet Society NDSS Workshop on Usable Security. 2015, 1–6
CrossRef
Google scholar
|
| [10] |
Kim D, Dunphy P, Briggs P, Hook J, Nicholson WJ, Nicholson J, Olivier P. Multi-touch authentication on tabletops. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2010, 1093–1102
CrossRef
Google scholar
|
| [11] |
Schaub F, Walch M, Könings B, Weber M. Exploring the design space of graphical passwords on smartphones. In: Proceedings of the ACM Symposium on Usable Privacy and Security. 2013, 1–14
CrossRef
Google scholar
|
| [12] |
Tari F, Ozok A, Holden S. A comparison of perceived and real shouldersurfing risks between alphanumeric and graphical passwords. In: Proceedings of the ACM Symposium on Usable Privacy and Security. 2006, 56–66
CrossRef
Google scholar
|
| [13] |
Schaub F, Deyhle R, Weber M. Password entry usability and shoulder surfing susceptibility on different smartphone platforms. In: Proceedings of the ACM International Conference on Mobile and Ubiquitous Multimedia. 2012, 1–13
CrossRef
Google scholar
|
| [14] |
Wiedenbeck S, Waters J, Sobrado L, Birget C J. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of the ACM Working Conference on Advanced Visual Interfaces. 2006, 177–184
CrossRef
Google scholar
|
| [15] |
Zhao H, Li X. S3PAS: a scalable shoulder-surfing resistant textualgraphical password authentication scheme. In: Proceedings of the IEEE Advanced Information Networking and Applications Workshops. 2007, 467–472
CrossRef
Google scholar
|
| [16] |
ˇCagalj M, Perkovíc T, Bugaríc M. Timing attacks on cognitive authentication schemes. IEEE Transactions on Information Forensics and Security, 2015, 10(3): 584–596
CrossRef
Google scholar
|
| [17] |
Yan Q, Han J, Li Y, Deng H R. On limitations of designing leakageresilient password systems: attacks, principals and usability. In: Proceedings of the Annual Network and Distributed System Security Symposium. 2012, 1–16
|
| [18] |
Weir M, Aggarwal S, Collins M, Stern H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the ACM Conference on Computer and Communications Security. 2010, 162–175
CrossRef
Google scholar
|
| [19] |
Forouzan B, Mukhopadhyay D. Cryptography and Network Security. 2nd ed. India: McGraw-Hill Education, 2011
|
| [20] |
Matsumoto T, Imai H. Human identification through insecure channel. In: Proceedings of Advances in Cryptology–EUROCRYPT, 91. 1991, 409–421
CrossRef
Google scholar
|
| [21] |
Chakraborty N, Mondal S. Towards incorporating honeywords in nsession recording attack resilient unaided authentication services. IET Information Security, 2018, 13(1): 7–18
CrossRef
Google scholar
|
| [22] |
Asghar J H, Pieprzyk J, Wang H. A new human identification protocol and coppersmith’s baby-stepgiant-step algorithm. In: Proceedings of the International Conference on Applied Cryptography and Network Security. 2010, 349–366
CrossRef
Google scholar
|
| [23] |
De ˜Luca A, Hertzschuch K, Hussmann H. Colorpin: securing pin entry through indirect input. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2010, 1103–1106
CrossRef
Google scholar
|
| [24] |
Hopper N J, Blum M. Secure human identification protocols. In: Proceedings of Advances in Cryptology–ASIACRYPT 2001. 2001, 52–66
CrossRef
Google scholar
|
| [25] |
Juels A, Rivest R L. Honeywords: making password-cracking detectable. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 145–160
CrossRef
Google scholar
|
| [26] |
Camenisch J, Lehmann A, Neven G. Optimal distributed password verification. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2015, 182–194
CrossRef
Google scholar
|
| [27] |
Weinshall D. Cognitive authentication schemes safe against spyware. In: Proceedings of the IEEE Symposium on Security and Privacy. 2006, 6–11
CrossRef
Google scholar
|
| [28] |
De ˜Luca A. Designing usable and secure authentication mechanisms for public spaces. LMU, PhD Thesis, 2011
|
| [29] |
Roth V, Richter K, Freidinger R. A PIN-entry method resilient against shoulder surfing. In: Proceedings of the ACM Conference on Computer and Communications Security. 2004, 236–245
CrossRef
Google scholar
|
| [30] |
Kwon T, Shin S, Na S. Covert attentional shoulder surfing: human adversaries are more powerful than expected. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2014, 44(6): 716–727
CrossRef
Google scholar
|
| [31] |
Florêncio D, Herley C, Coskun B. Do strong web passwords accomplish anything? In: Proceedings of USENIXWorkshop on Hot Topics in Security. 2007, 1–6
|
| [32] |
Sasamoto H, Christin N, Hayashi E. Undercover: authentication usable in front of prying eyes. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2008, 183–192
CrossRef
Google scholar
|
| [33] |
Broder A, Mitzenmacher M. Network applications of bloom filters: a survey. Internet Mathematics, 2004, 1(4): 485–509
CrossRef
Google scholar
|
| [34] |
Do Q, Martini B, Choo R K. The role of the adversary model in applied= security research. Computers & Security, Elsevier, 2019, 81(4): 156–181
CrossRef
Google scholar
|
| [35] |
Goldwasser S, Micali S. Probabilistic encryption. Journal of Computer and System Sciences, 1984, 28(2): 270–299
CrossRef
Google scholar
|
| [36] |
Phan D H, Pointcheval D. About the security of ciphers (semantic security and pseudo-random permutations). In: Proceedings of the International Workshop on Selected Areas in Cryptography. 2004, 182–197
CrossRef
Google scholar
|
| [37] |
Koblitz N, Alfred J M. Another look at “provable security”. Journal of Cryptology Springer, 2007, 20(1): 3–37
CrossRef
Google scholar
|
| [38] |
Wagner D, Goldberg I. Proofs of security for the UNIX password hashing algorithm. In: Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security. 2000, 560–572
CrossRef
Google scholar
|
| [39] |
Kamara S. Encrypted search. ACM Crossroads, 2015, 21(3): 30–34
CrossRef
Google scholar
|
| [40] |
Das A, Bonneau J, Caesar M, Borisov N, Wang X. The tangled web of password reuse. In: Proceedings of the Annual Network and Distributed System Security Symposium. 2014, 1–16
CrossRef
Google scholar
|
| [41] |
Sternberg S. memory-scanning: mental processes revealed by reactiontime experiments. American Scientist, 1969, 57(4): 421–457
|
| [42] |
Nobel A P, Shiffrin M R. Retrieval processes in recognition and cued recall. Journal of Experimental Psychology: Learning, Memory, and Cognition American Psychological Association, 2001, 27(2): 384
CrossRef
Google scholar
|
| [43] |
Woodman G F, Chun M M. The role of working memory and long-term memory in visual search. Visual Cognition Taylor & Francis, 2006, 14(4–8): 808–830
CrossRef
Google scholar
|
| [44] |
Campbell J, Xue Q. Cognitive arithmetic across cultures. American Psychological Association Journal of Experimental Psychology: General, 2001, 130(2): 299–315
CrossRef
Google scholar
|
| [45] |
Corbin L, Marquer J. Effect of a simple experimental control: the recall constraint in sternberg’s memory scanning task. European Journal of Cognitive Psychology Taylor & Francis, 2008, 20(5): 913–935
CrossRef
Google scholar
|
| [46] |
Woodman G F, Luck S J. Visual search is slowed when visuospatial working memory is occupied. Psychonomic Bulletin &Review Springer, 2004, 11(2): 269–274
CrossRef
Google scholar
|
| [47] |
Hogan R M, Kintsch W. Differential effects of study and test trials on long-term recognition and recall. Journal of Verbal Learning and Verbal Behavior Elsevier, 1971, 10(5): 562–567
CrossRef
Google scholar
|
| [48] |
Teh P S, Zhang N, Teoh A B J, Chen K. A survey on touch dynamics authentication in mobile devices. Computers & Security Elsevier, 2016, 59(1): 210–235
CrossRef
Google scholar
|
| [49] |
Kambourakis G, Damopoulos D, Papamartzivanos D, Pavlidakis E. Introducing touchstroke: keystroke-based authentication system for smartphones. Security and Communication Networks Hindawi, 2016, 9(6): 542–554
CrossRef
Google scholar
|
| [50] |
Asghar H J, Li S, Pieprzyk J, Wang H. Cryptanalysis of the convex hull click human identification protocol. International Journal of Information Security Springer, 2013, 12(2): 83–96
CrossRef
Google scholar
|
| [51] |
Li S, Asghar H J, Pieprzyk J, Sadeghi A R, Schmitz R, Wang H. On the security of PAS (Predicate-based authentication service). In: Proceedings of the IEEE Computer Security Applications Conference. 2009, 209–218
CrossRef
Google scholar
|
| [52] |
Wang D, Cheng H, Wang P, Huang X, Jian G. Zipf’s law in passwords. IEEE Transactions on Information Forensics and Security, 2017 12(11): 2776–2791
CrossRef
Google scholar
|
| [53] |
Luby M, Rackoff C. A study of password security. In: Proceedings of Conference on the Theory and Application of Cryptographic Techniques. 1987, 392–397
CrossRef
Google scholar
|
/
| 〈 |
|
〉 |
AI Summary
