Showing papers on "Password published in 2002"

Securing passwords against dictionary attacks

Abstract: The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks. Passwords remain the most widely used authentication method despite their well-known security weaknesses. User authentication is clearly a practical problem. From the perspective of a service provider this problem needs to be solved within real-world constraints such as the available hardware and software infrastructures. From a user's perspective user-friendliness is a key requirement.In this paper we suggest a novel authentication scheme that preserves the advantages of conventional password authentication, while simultaneously raising the costs of online dictionary attacks by orders of magnitude. The proposed scheme is easy to implement and overcomes some of the difficulties of previously suggested methods of improving the security of user authentication schemes.Our key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks. This is done without affecting the usability of the system. The proposed scheme also provides better protection against denial of service attacks against user accounts.

Multi-factor authentication system

Abstract: A suspect user (110) seeks access to a network resource from an access authority (150) utilizing a passcode received from an authentication authority (130). Initially, an ID of a device is bound with a PIN, the device ID is bound with a private key of the device, and the device ID is bound with a user ID that has been previously bound with a password of an authorized user. The device ID is bound with the user ID by authenticating the user ID using the password. Thereafter, the suspect user communicates the device ID and the PIN from the device over an ancillary communications network (112); the authentication authority responds back over the ancillary communications network with a passcode encrypted with the public key of the device; and the suspect user decrypts and communicates over a communications network (114) the passcode with the user ID to the access authority.

Password hardening based on keystroke dynamics

Abstract: We present a novel approach to improving the security of passwords. In our approach, the legitimate user’s typing patterns (e.g., durations of keystrokes and latencies between keystrokes) are combined with the user’s password to generate a hardened password that is convincingly more secure than conventional passwords alone. In addition, our scheme automatically adapts to gradual changes in a user’s typing patterns while maintaining the same hardened password across multiple logins, for use in file encryption or other applications requiring a long-term secret key. Using empirical data and a prototype implementation of our scheme, we give evidence that our approach is viable in practice, in terms of ease of use, improved security, and performance.

Apparatus and method for authenticating access to a network resource

Abstract: A device for providing access to a remote site is disclosed. Access to the device is gained through an authentication process during which a user password and biometrics are provided to the device. The device also includes a security feature such that only authorized users of the specific device can gain access to it. Once authenticated, the device authorizes access to a remote site (e.g., a web site or a server on a local area network). The communications from the device to the remote site is encrypted and further the hand-held device uses a computer generated password to gain access to the site. In this way, user generated passwords, which are typically simple and infrequently changed, are avoided in favor of a more complex and frequently changed computer generated passwords for site access.

A portable device having biometrics-based authentication capabilities

Abstract: Apparatus and method for implementing biometrics-based authentication. In a preferred embodiment, the present invention is embodied in a portable device. Specifically, in one embodiment, the portable device includes a microprocessor, a non-volatile memory coupled thereto, and a biometrics-based authentication module controlled by the microprocessor. Preferably, the biometrics technology used is fingerprint authentication technology. The authentication module is capable of registering a fingerprint upon first use of the portable device, storing an encoded version of the fingerprint in the non-volatile memory. Subsequently, the authentication module can read a person's fingerprint and reliably determine whether the fingerprint matches the registered fingerprint stored in the non-volatile memory. If a match is found, access to information in the non-volatile memory is granted to that person; otherwise, access is denied. Embodiments of the present invention thus provide a highly convenient, secured and reliable method and system for user authentication and access control which was not achievable in prior art password-based authentication approaches.

Cryptographic methods for remote authentication

Abstract: Methods are described for two parties to use a small shared secret (S) to mutually authenticate one another other over an insecure network. The methods are secure against off-line dictionary attack and incorporate an otherwise unauthenticated public key distribution system. One embodiment uses two computers Alice and Bob, and a Diffie-Hellman exponential key exchange in a large prime-order finite group. Both parties choose the same generator of the group (g) as a function of S. Alice chooses a random number R A , and sends g R A to Bob. Bob chooses a random R B , sends g R B to Alice. Both compute a shared key K=g (R A R B ) . Each party insures that K is a generator of the group, verifies that the other knows K, and then uses K as an authenticated key. Constraints are described to prevent passive and active attacks. An extension is described where Alice proves knowledge of S to Bob who knows only a one-way transformation of S. These methods establish a secure, authenticated network session using only an easily memorized password.

Fingerprint-based remote user authentication scheme using smart cards

Abstract: An authentication system, which does not require a password table to authenticate its users, is proposed. By removing a password table, and introducing smart card and fingerprint verification, the scheme can be more secure and reliable. In addition, the scheme can withstand message replaying attack and impersonation.

Secure remote access to data between peers

Abstract: A system for accessing data from any location and any device including those behind firewalls, proxy servers, address translations and other devices, while securing the data and network. The access may be by voice or wireless connection and the data may be PIM data such as calendaring or scheduling information or email. The system employs a secure peer network between data sources regardless of their location enabling data access devices to retrieve or submit data from any Internet enabled device from any location. Messages are tunneled to HTML that passes through firewalls. A Queue Manager in the EPN Server software creates a unique queue for data source which can only be accessed by the data source. The user with a browser enabled device can then access the EPN Server by providing the necessary credentials, such as user id and password, and can then access the data in the data sources for which the user is permissioned. The data source maintains a non-persistent connection through a polling algorithm and services the request in the queue.

Method and apparatus for providing and maintaining a user-interactive portal system accessible via internet or other switched-packet-network

Abstract: An Internet Portal is enabled by software executing on an Internet-connected server. The Portal, in response to a log-on by a user, presents a secure and personalized page for and to the user, the personalized page having listed plural Internet destinations enabled by hyperlinks, wherein upon invocation of a hyperlink by the subscriber, such as by a point-and-click technique, the portal invokes a URL for the destination, and upon connection with the destination, transparently provides any required log-on information for user access at the destination. In an enhanced embodiment a search function is provided wherein a user may configure searches in any or all of the listed destinations on a personalized page. Provision is provided for log-on by limited appliances, such as by a Smartcard or embedded password, and in some embodiments functionality is provided in a browser plug-in wherein a user may navigate to a site, and, in response to a request for log-in data, the subscriber may use a hot key or pointer input, which will cause the browser to access and provide the needed data from the Password-All source.

Secure remote access using enterprise peer networks

Abstract: A system for accessing data from any location and any device including those behind firewalls, proxy servers, address translations and other devices, while securing the data and network. The system employs a secure peer network between data sources regardless of their location enabling data access devices to retrieve or submit data from any Internet enabled device from any location. Messages are tunneled to HTML that passes through firewalls. A Queue Manager in the EPN Server software creates a unique queue for data source which can only be accessed by the data source. The user with a browser enabled device can then access the EPN Server by providing the necessary credentials, such as user id and password, and can then access the data in the data sources for which the user is permissioned. The data source maintains a non-persistent connection through a polling algorithm and services the request in the queue.

Simple, secure login with multiple authentication providers

Abstract: A secure distributed single-login authentication system comprises a client and a server. The client collects a user name and password from a user and tests that user name and password at a variety of potential authentication servers to check where the login is valid. It combines the password with a time varying salt and a service specific seed in a message digesting hash and generates a first hash value. The client sends the hash value along with the user name and the time varying salt to a currently selected server. The server extracts the user name and looks up an entry under the user name from the selected server's database. If an entry is found, it retrieves the password and performs the same hash function on the combination of the user name, the service specific seed, and the retrieved password to generate a second hash value. Then, it compares two hash values. If these two values match, the user is authenticated. In this way, the system never sufficiently reveals the password to authentication agents that might abuse the information.

Method and apparatus for increasing the security of wireless data services

Abstract: The security of wireless communications between two or more devices is enhanced by requiring detection of the physical proximity of the devices. One or more of the devices operates in a non-secure mode, wherein the authentication process required to enter into secure communications is disabled. Upon detection of the physical proximity of another device, the device enters a secure mode, wherein authentication is enabled. The entry of a security code required by the authentication process may comprise the transmission of a device address or other data, either across the proximity detection interface or via the wireless communications interface. In addition to the detection of physical proximity, a hardware handshake protocol between the two devices may be defined. For additional security, the device must enter a handshake mode before the hardware handshake will complete. The handshake mode may require entry of a password or screening by a biometric sensor. Preferrably, the wireless communication system is based on the Bluetooth technology.

A flexible remote user authentication scheme using smart cards

Abstract: In 1999, Hwang and Li proposed a new user authentication scheme using smart cards. The scheme does not need any password or verification table. Later, Sun proposed an efficient remote use authentication scheme to improve the efficiency of the Hwang-Li scheme. However, these two schemes do not allow users to freely choose and change their passwords. In this article, we shall propose a simple and efficient remote user authentication scheme that allows users to freely choose and change their passwords without significantly increasing the computation cost.

Security interface for a mobile device

Abstract: A method and device are described which provide a security interface, preferably for a mobile device. The security interface provides user-selectable non-secure data that is displayed without the need for a password. The non-secure data is preferably updated on a regular basis, and can be obtained from different sources, as selected by a user. The secure data can be accessed after successful authentication, such as a positive password verification. Additional non-secure data, related to the displayed non-secure data, can preferably be accessed, with or without a need for a password. An indication can be provided to inform a user that secure data has been updated, without the need to access such secure data. The security interface is preferably enabled after a predetermined timeout period. The interface allows the device to operate in three data access states: a controlled access state; a verification state; and a full access state.

Security Proofs for an Efficient Password-Based Key Exchange.

Abstract: Password-based key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g, the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on password-based authenticated key-exchange methods, but which actual security was an open problem. We analyze the AuthA key exchange scheme and give a complete proof of its security. Our analysis shows that the AuthA protocol and its multiple modes of operations are provably secure under the computational Diffie-Hellman intractability assumption, in both the random-oracle and the ideal-ciphers models.

A remote user authentication scheme using hash functions

Abstract: Recently, Peyravian and Zunic proposed a simple but efficient password authentication system. Their scheme is based on the collision-resistant hash function, such as SHA-1. Their scheme did not use any cryptosystems (such as DES, RSA, etc.). However, their scheme is vulnerable to guess attack. An attacker can easily obtain a user's password by guessing attack and then impersonate the user to login and access resources in the server. To overcome the vulnerability of their scheme, we propose an improved scheme to enhance security of their scheme in this article.

Distributed, scalable cryptographic access control

Abstract: Published resources are made available in an encrypted form, using corresponding resource keys, published through resource key files, with the publications effectively restricted to authorized peer systems only by encrypting the resource keys in a manner only the authorized peer systems are able to recover them. In one embodiment, the resource keys are encrypted using encryption public keys of the authorized peer systems or the groups to which the authorized peer system are members. In one embodiment, the encryption public keys of individual or groups of authorized peer systems are published for resource publishing peer systems through client and group key files respectively. Group encryption private keys are made available to the group members through published group key files. Further, advanced features including but not limited to resource key file inheritance, password protected publication, obfuscated publication, content signing, secured access via gateways, and secured resource search are supported.

Data certification method and apparatus

Abstract: An apparatus and method for signing electronic data with a digital signature in which a central server comprises a signature server (110) and a authentication server (120). The signature server (110) securely stores the private cryptographic keys of a number of users (102). The user (102) contacts the central server using a workstation (101) through a secure tunnel which is set up for the purpose. The user (102) supplies a password or other token (190), based on information previously supplied to the user by the authentication server (120) through a separate authentication channel. The authentication server provides the signature server with a derived version of the same information through a permanent secure tunnel between the servers, which is compared with the one supplied by the user (102). If they match, data received from the user (102) is signed with the user's private key.

Mobile terminal with user identification card including personal finance-related information and method of using a value-added mobile service through said mobile terminal

Abstract: The present invention enables a user to receive a financial service anywhere through a mobile terminal equipped with a UIM (User Identification Module) electronic card. In the present invention, a user enters his or her password to a mobile terminal with a UIM card including subscriber telephone number, finance, authorization, and personal information, then, if the entered password is correct, authorization is processed with a remote authorizing server based on the authorization information. After authorization, user's requesting service, e.g., payment service, transaction particulars inquiry service, prepaid card recharging service is conducted through a mobile network.

Cross platform network authentication and authorization model

Abstract: A model for authentication and authorization of users and applications that use network services. A client requests a ticket by providing credentials (user ID and password), e.g., over HTTP/SOAP/XML in the UDDI framework. An authentication adapter in a receiving server deserializes the request into a data structure that provides access to the security ID and password attributes, and passes these attributes to an ID management system to perform authentication. The credentials also determine the user's or application's privileges. The authentication adapter constructs a ticket object for the client incorporating the privileges and other information, e.g., the security ID and a date/time stamp. The ticket object is serialized, encrypted, encoded for transmission and inserted into an appropriately-formatted XML message and returned to the requesting client. The client attaches the authentication ticket to subsequent service requests that require authentication. To validate the ticket, the ticket object is reconstructed from the request data.

Threshold Password-Authenticated Key Exchange

Abstract: In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user's password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.

Contents delivery network service method and system

Abstract: When a user accesses an original server using a user PC (12), a router in a center (4) receives a user access request, and transmits it to a reception and authentication server (2), and inquires of a CDN management server (1) whether or not the request can be accepted. When the CDN management server (1) determines that the user access request can be accepted, it detects a splitter/cache server (8) geographically closest to the user PC (12), and passes a one-time password to the splitter/cache server. The user PC (12) uses the one-time password to access the splitter/cache server (8), and successfully accesses the target contents.

Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number.

Abstract: Authenticated key exchange protocols tend to be either token based or password based. Token based schemes are often based on expensive (and irreplaceable) smart-card tokens, while password-only schemes require that a unique password is shared between every pair of correspondents. The magnetic strip swipe card and associated PIN number is a familiar and convenient format that motivates a combined “two-factor” approach. Finally we suggest an extension of the scheme for use in a client-server scenario.

Method of authentication using familiar photographs

Abstract: Authenticating a user operating an un-trusted access device includes causing the display, on the un-trusted access device, of a plurality of photographs to the user, at least one of the photographs being from the user's personal photograph collection and already familiar to the user, remaining photographs being decoy photographs, accepting an input selection from the user identifying one of the displayed photographs, and allowing access when the user's selection correctly identifies a sequence of displayed photographs from the user's photograph collection. No user training prior to using the authentication system is needed and no pre-selection of a password or photograph is necessary.

Doodling our way to better authentication

Abstract: Password security often fails in practice because users select predictable passwords. We conducted a study to explore the use of hand-drawn doodle password ("passdoodle"). Our findings show that users could recall all visual elements of the doodle as well as they could recall alphanumeric passwords, but most could not perfectly redraw their selected doodles. Users perceive passdoodles as easier to remember than alphanumeric passwords; however, they prefer whichever authentication method they perceive to be more secure.

Group Diffie-Hellman key exchange secure against dictionary attacks

Abstract: Group Diffie-Hellman schemes for password-based key exchange are designed to provide a pool of players communicating over a public network, and sharing just a human-memorable password, with a session key (e.g, the key is used for multicast data integrity and confidentiality). The fundamental security goal to achieve in this scenario is security against dictionary attacks. While solutions have been proposed to solve this problem no formal treatment has ever been suggested. In this paper, we define a security model and then present a protocol with its security proof in both the random oracle model and the ideal-cipher model.

Improving computer security for authentication of users: Influence of proactive password restrictions

Abstract: Entering a username—password combination is a widely used procedure for identification and authentication in computer systems. However, it is a notoriously weak method, in that the passwords adopted by many users are easy to crack. In an attempt to improve security, proactive password checking may be used, in which passwords must meet several criteria to be more resistant to cracking. In two experiments, we examined the influence of proactive password restrictions on the time that it took to generate an acceptable password and to use it subsequently to log in. The required length was a minimum of five characters in Experiment 1 and eight characters in Experiment 2. In both experiments, one condition had only the length restriction, and the other had additional restrictions. The additional restrictions greatly increased the time it took to generate the password but had only a small effect on the time it took to use it subsequently to log in. For the five-character passwords, 75% were cracked when no other restrictions were imposed, and this was reduced to 33% with the additional restrictions. For the eight-character passwords, 17% were cracked with no other restrictions, and 12.5% with restrictions. The results indicate that increasing the minimum character length reduces crackability and increases security, regardless of whether additional restrictions are imposed.