Frontiers of Computer Science >
On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries
Received date: 17 Apr 2019
Accepted date: 07 Dec 2019
Published date: 15 Apr 2021
Copyright
Unaided authentication services provide the flexibility to login without being dependent on any additional device. The power of recording attack resilient unaided authentication services (RARUAS) is undeniable as, in some aspects, they are even capable of offering better security than the biometric based authentication systems. However, high login complexity of these RARUAS makes them far from usable in practice. The adopted information leakage control strategies have often been identified as the primary cause behind such high login complexities. Though recent proposals havemade some significant efforts in designing a usable RARUAS by reducing its login complexity, most of them have failed to achieve the desired usability standard. In this paper, we have introduced a new notion of controlling the information leakage rate. By maintaining a good security standard, the introduced idea helps to reduce the login complexity of our proposed mechanism − named as Textual-Graphical Password-based Mechanism or TGPM, by a significant extent. Along with resisting the recording attack, TGPM also achieves a remarkable property of threat detection. To the best of our knowledge, TGPM is the first RARUAS, which can both prevent and detect the activities of the opportunistic recording attackers who can record the complete login activity of a genuine user for a few login sessions. Our study reveals that TGPM assures much higher session resiliency compared to the existing authentication services, having the same or even higher login complexities. Moreover, TGPM stores the password information in a distributed way and thus restricts the adversaries to learn the complete secret from a single compromised server. A thorough theoretical analysis has been performed to prove the strength of our proposal from both the security and usability perspectives. We have also conducted an experimental study to support the theoretical argument made on the usability standard of TGPM.
Nilesh CHAKRABORTY , Samrat MONDAL . On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries[J]. Frontiers of Computer Science, 2021 , 15(2) : 152803 . DOI: 10.1007/s11704-019-9134-9
| 1 |
Bonneau J, Cormac H, Paul C, Van O, Stajano F. The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 553–567
|
| 2 |
Pan X, Ling Z, Pingley A, Yu W, Zhang N, Ren K, Fu X. Password extraction via reconstructed wireless mouse trajectory. IEEE Transactions on Dependable and Secure Computing, 2016, 13(4): 461–473
|
| 3 |
Wang D, Zhang Z, Wang P, Yan J, Huang X. Targeted online password guessing: an underestimated threat. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security. 2016, 1242–1254
|
| 4 |
Manulis M, Stebila D, Kiefer F, Denham N. Secure modular password authentication for the web using channel bindings. International Journal of Information Security, 2016, 15(6): 597–620
|
| 5 |
Kontaxis G, Athanasopoulos E, Portokalidis G, Keromytis D A. Sauth: protecting user accounts from password database leaks. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 187–198
|
| 6 |
Yan Q, Han J, Li Y, Zhou J, Deng R. Leakage-resilient password entry: challenges, design, and evaluation. Computers & Security, 2015, 48(1): 196–211
|
| 7 |
Bai X, Gu W, Chellappan S, Wang X, Xuan D, Ma B. PAS: predicatebased authentication services against powerful passive adversaries. In: Proceedings of the IEEE Computer Security Applications Conference. 2008, 433–442
|
| 8 |
Sun M H, Chen T S, Yeh H J, Cheng Y C. A shoulder surfing resistant graphical authentication system. IEEE Transactions on Dependable and Secure Computing, 2018, 15(2): 180–193
|
| 9 |
Wiese O, Roth V. Pitfalls of shoulder surfing studies. In: Proceedings of the Internet Society NDSS Workshop on Usable Security. 2015, 1–6
|
| 10 |
Kim D, Dunphy P, Briggs P, Hook J, Nicholson WJ, Nicholson J, Olivier P. Multi-touch authentication on tabletops. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2010, 1093–1102
|
| 11 |
Schaub F, Walch M, Könings B, Weber M. Exploring the design space of graphical passwords on smartphones. In: Proceedings of the ACM Symposium on Usable Privacy and Security. 2013, 1–14
|
| 12 |
Tari F, Ozok A, Holden S. A comparison of perceived and real shouldersurfing risks between alphanumeric and graphical passwords. In: Proceedings of the ACM Symposium on Usable Privacy and Security. 2006, 56–66
|
| 13 |
Schaub F, Deyhle R, Weber M. Password entry usability and shoulder surfing susceptibility on different smartphone platforms. In: Proceedings of the ACM International Conference on Mobile and Ubiquitous Multimedia. 2012, 1–13
|
| 14 |
Wiedenbeck S, Waters J, Sobrado L, Birget C J. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of the ACM Working Conference on Advanced Visual Interfaces. 2006, 177–184
|
| 15 |
Zhao H, Li X. S3PAS: a scalable shoulder-surfing resistant textualgraphical password authentication scheme. In: Proceedings of the IEEE Advanced Information Networking and Applications Workshops. 2007, 467–472
|
| 16 |
ˇCagalj M, Perkovíc T, Bugaríc M. Timing attacks on cognitive authentication schemes. IEEE Transactions on Information Forensics and Security, 2015, 10(3): 584–596
|
| 17 |
Yan Q, Han J, Li Y, Deng H R. On limitations of designing leakageresilient password systems: attacks, principals and usability. In: Proceedings of the Annual Network and Distributed System Security Symposium. 2012, 1–16
|
| 18 |
Weir M, Aggarwal S, Collins M, Stern H. Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of the ACM Conference on Computer and Communications Security. 2010, 162–175
|
| 19 |
Forouzan B, Mukhopadhyay D. Cryptography and Network Security. 2nd ed. India: McGraw-Hill Education, 2011
|
| 20 |
Matsumoto T, Imai H. Human identification through insecure channel. In: Proceedings of Advances in Cryptology–EUROCRYPT, 91. 1991, 409–421
|
| 21 |
Chakraborty N, Mondal S. Towards incorporating honeywords in nsession recording attack resilient unaided authentication services. IET Information Security, 2018, 13(1): 7–18
|
| 22 |
Asghar J H, Pieprzyk J, Wang H. A new human identification protocol and coppersmith’s baby-stepgiant-step algorithm. In: Proceedings of the International Conference on Applied Cryptography and Network Security. 2010, 349–366
|
| 23 |
De ˜Luca A, Hertzschuch K, Hussmann H. Colorpin: securing pin entry through indirect input. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2010, 1103–1106
|
| 24 |
Hopper N J, Blum M. Secure human identification protocols. In: Proceedings of Advances in Cryptology–ASIACRYPT 2001. 2001, 52–66
|
| 25 |
Juels A, Rivest R L. Honeywords: making password-cracking detectable. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2013, 145–160
|
| 26 |
Camenisch J, Lehmann A, Neven G. Optimal distributed password verification. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 2015, 182–194
|
| 27 |
Weinshall D. Cognitive authentication schemes safe against spyware. In: Proceedings of the IEEE Symposium on Security and Privacy. 2006, 6–11
|
| 28 |
De ˜Luca A. Designing usable and secure authentication mechanisms for public spaces. LMU, PhD Thesis, 2011
|
| 29 |
Roth V, Richter K, Freidinger R. A PIN-entry method resilient against shoulder surfing. In: Proceedings of the ACM Conference on Computer and Communications Security. 2004, 236–245
|
| 30 |
Kwon T, Shin S, Na S. Covert attentional shoulder surfing: human adversaries are more powerful than expected. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2014, 44(6): 716–727
|
| 31 |
Florêncio D, Herley C, Coskun B. Do strong web passwords accomplish anything? In: Proceedings of USENIXWorkshop on Hot Topics in Security. 2007, 1–6
|
| 32 |
Sasamoto H, Christin N, Hayashi E. Undercover: authentication usable in front of prying eyes. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems. 2008, 183–192
|
| 33 |
Broder A, Mitzenmacher M. Network applications of bloom filters: a survey. Internet Mathematics, 2004, 1(4): 485–509
|
| 34 |
Do Q, Martini B, Choo R K. The role of the adversary model in applied= security research. Computers & Security, Elsevier, 2019, 81(4): 156–181
|
| 35 |
Goldwasser S, Micali S. Probabilistic encryption. Journal of Computer and System Sciences, 1984, 28(2): 270–299
|
| 36 |
Phan D H, Pointcheval D. About the security of ciphers (semantic security and pseudo-random permutations). In: Proceedings of the International Workshop on Selected Areas in Cryptography. 2004, 182–197
|
| 37 |
Koblitz N, Alfred J M. Another look at “provable security”. Journal of Cryptology Springer, 2007, 20(1): 3–37
|
| 38 |
Wagner D, Goldberg I. Proofs of security for the UNIX password hashing algorithm. In: Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security. 2000, 560–572
|
| 39 |
Kamara S. Encrypted search. ACM Crossroads, 2015, 21(3): 30–34
|
| 40 |
Das A, Bonneau J, Caesar M, Borisov N, Wang X. The tangled web of password reuse. In: Proceedings of the Annual Network and Distributed System Security Symposium. 2014, 1–16
|
| 41 |
Sternberg S. memory-scanning: mental processes revealed by reactiontime experiments. American Scientist, 1969, 57(4): 421–457
|
| 42 |
Nobel A P, Shiffrin M R. Retrieval processes in recognition and cued recall. Journal of Experimental Psychology: Learning, Memory, and Cognition American Psychological Association, 2001, 27(2): 384
|
| 43 |
Woodman G F, Chun M M. The role of working memory and long-term memory in visual search. Visual Cognition Taylor & Francis, 2006, 14(4–8): 808–830
|
| 44 |
Campbell J, Xue Q. Cognitive arithmetic across cultures. American Psychological Association Journal of Experimental Psychology: General, 2001, 130(2): 299–315
|
| 45 |
Corbin L, Marquer J. Effect of a simple experimental control: the recall constraint in sternberg’s memory scanning task. European Journal of Cognitive Psychology Taylor & Francis, 2008, 20(5): 913–935
|
| 46 |
Woodman G F, Luck S J. Visual search is slowed when visuospatial working memory is occupied. Psychonomic Bulletin &Review Springer, 2004, 11(2): 269–274
|
| 47 |
Hogan R M, Kintsch W. Differential effects of study and test trials on long-term recognition and recall. Journal of Verbal Learning and Verbal Behavior Elsevier, 1971, 10(5): 562–567
|
| 48 |
Teh P S, Zhang N, Teoh A B J, Chen K. A survey on touch dynamics authentication in mobile devices. Computers & Security Elsevier, 2016, 59(1): 210–235
|
| 49 |
Kambourakis G, Damopoulos D, Papamartzivanos D, Pavlidakis E. Introducing touchstroke: keystroke-based authentication system for smartphones. Security and Communication Networks Hindawi, 2016, 9(6): 542–554
|
| 50 |
Asghar H J, Li S, Pieprzyk J, Wang H. Cryptanalysis of the convex hull click human identification protocol. International Journal of Information Security Springer, 2013, 12(2): 83–96
|
| 51 |
Li S, Asghar H J, Pieprzyk J, Sadeghi A R, Schmitz R, Wang H. On the security of PAS (Predicate-based authentication service). In: Proceedings of the IEEE Computer Security Applications Conference. 2009, 209–218
|
| 52 |
Wang D, Cheng H, Wang P, Huang X, Jian G. Zipf’s law in passwords. IEEE Transactions on Information Forensics and Security, 2017 12(11): 2776–2791
|
| 53 |
Luby M, Rackoff C. A study of password security. In: Proceedings of Conference on the Theory and Application of Cryptographic Techniques. 1987, 392–397
|
/
| 〈 |
|
〉 |