Proceedings ArticleDOI

State based authentication

18 Mar 2005, pp. 160-165

TL;DR: A novel technique is presented that uses a State Based Authentication method to significantly increase the cost of brute-force and dictionary attacks on passwords, and has the potential to reduce the cost of the password helpdesk significantly by eliminating the need for most password-reset requests.

Abstract: Access to systems that need protection is usually restricted by asking the user to prove her identity and to authenticate. The combination of user name and password (or PIN) is the most common technique used for this purpose. Unfortunately, user-name/password based authentication is vulnerable to various types of password guessing attacks. Some techniques for making password guessing very difficult do exist. With these techniques, policies for very strong passwords can be avoided; however, they usually rely on manual intervention by the security administrator to reset the passwords. Such manual steps result in significant expense in large enterprises to deal with password issues. Here we present a novel technique that uses a State Based Authentication method to significantly increase the cost of brute-force and dictionary attacks on passwords. When deployed, it has the potential to reduce the cost of the password helpdesk significantly by eliminating the need for most password-reset requests.
Citations
Proceedings ArticleDOI
09 Apr 1979
TL;DR: The need for computer security has grown every year since the creation of computer systems, but yet with such a high demand, there are many systems that are, by no means, adequately protected.

Abstract: The need for computer security has grown every year since the creation of computer systems, but yet with such a high demand, there are many systems that are, by no means, adequately protected. This paper will discuss the three classes of vulnerabilities of security. The three classes are: those that threaten the physical integrity of the computer installation and its data, those that threaten the loss or compromise of the data from outside the computer site, and those that threaten loss or compromise of data from inside the computer site. The chief physical risks to a computer site are fire, acts of sabotage, industrial accidents, natural disasters, and mechanical or electrical malfunction of the computer system. Outside threats are those people who do not work for a particular firm, but yet wish to gain information about it that is not readily accessible to them. Inside threats come from employees who wish to compromise the computer system whether for gain, accident, or pastime. Each one of these topics will be dealt with. The next part of the paper deals with the subject of setting up a security program. The first step in this subject is the study to assess the probability of an event occurring, and determining it as either fatal to the business, very serious, moderately serious, relatively unimportant, or seriousness unknown. Some of the security techniques of checks and tests on the system are then discussed.

110 citations

Proceedings ArticleDOI
18 Mar 2005
TL;DR: Simulation results suggest that the marginal value of additional security may be positive or negative, as can the time rate of change of system value; policy implications include the realization that IT security policy makers should be aware of their location in the state space before setting IT security policy.
Abstract: Determination of the actual value of security measures is an area currently undergoing scrutiny by many researchers. One method to determine this is to devise a simulation model that incorporates interactions between an information system, its users and a population of attackers. Initial simulation results suggest that the marginal value of additional security may be positive or negative as can the time rate of change of system value. Policy implications include the realization that IT security policy makers should be aware of their location in the state space before setting IT security policy.

4 citations

References
Journal ArticleDOI
Robert Morris, Ken Thompson
TL;DR: The present design of the password security scheme was the result of countering observed attempts to penetrate the system and is a compromise between extreme security and ease of use.
Abstract: This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.

1,015 citations


Excerpts from "State based authentication" that cite this reference as background or methods:

  • ...However, since these passwords are also difficult to remember [16], users often write them down or store them [21], making them vulnerable to theft or exposure attacks....

  • ...The estimates given in [16] are for brute force attacks on a 1979 PDP-11/70 computer....

  • ...A dictionary attack, in which each dictionary word is tried against all values stored in the database, can then be launched offline on the copied password database, thus making it much easier to break just one of the passwords in it. An approach called "salt" [16] is used to make such offline attacks more difficult....

  • ...Unfortunately, this type of authentication is vulnerable to password guessing attacks because users usually choose easy to remember passwords that are also easy to guess [16]....

Journal ArticleDOI
Lawrence O'Gorman
01 Dec 2003
TL;DR: This paper examines passwords, security tokens, and biometrics, which the authors collectively call authenticators, and compares their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation.

Abstract: For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics, which we collectively call authenticators, and compares these authenticators and their combinations. We examine their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation. Examples of authenticator combinations and protocols are described to show tradeoffs and solutions that meet chosen, practical requirements. The paper endeavors to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research.

732 citations

Journal Article
TL;DR: Some of the problems of current password security are outlined by demonstrating the ease with which individual accounts may be broken, and one solution to this point of system vulnerability, a proactive password checker, is proposed.

Abstract: With the rapid burgeoning of national and international networks, the question of system security has become one of growing importance. High speed inter-machine communication and even higher speed computational processors have made the threats of system "crackers," data theft, and data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease with which individual accounts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a proactive password checker, is proposed.

453 citations


Additional excerpts

  • ...Thus, a 6-character password (that permits using the 95 printable ASCII characters) can be broken in about 2 hours on the average....

Journal ArticleDOI
TL;DR: The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an offline verification of whether a guess is successful or not and to examine protocols to detect vulnerabilities to such attacks.
Abstract: In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to be difficult for them to remember, solutions that maintain user convenience and a high level of security at the same time are proposed. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an offline verification of whether a guess is successful or not. Common forms of guessing attacks are examined, examples of cryptographic protocols that are immune to such attacks are developed, and a systematic way to examine protocols to detect vulnerabilities to such attacks is suggested.

425 citations

Proceedings ArticleDOI
18 Nov 2002
TL;DR: The key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks.
Abstract: The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks. Passwords remain the most widely used authentication method despite their well-known security weaknesses. User authentication is clearly a practical problem. From the perspective of a service provider this problem needs to be solved within real-world constraints such as the available hardware and software infrastructures. From a user's perspective user-friendliness is a key requirement. In this paper we suggest a novel authentication scheme that preserves the advantages of conventional password authentication, while simultaneously raising the costs of online dictionary attacks by orders of magnitude. The proposed scheme is easy to implement and overcomes some of the difficulties of previously suggested methods of improving the security of user authentication schemes. Our key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks. This is done without affecting the usability of the system. The proposed scheme also provides better protection against denial of service attacks against user accounts.

375 citations