Showing papers on "Password published in 2003"

Method and system for disaster recovery of data from a storage device

Abstract: Aspects of the invention provide a method and system for securely managing the storage and retrieval of data Securely managing the storage and retrieval of data may include receiving a first disaster recovery code and acquiring a first password corresponding to the first disaster recovery code A first disaster recovery key may be generated based on the first disaster recovery code and the first password Another aspect of the invention may also include generating the received first disaster recovery code based on said first password and the first disaster recovery key The generated disaster recovery code may be securely stored on at least a portion of a storage device or a removable media Data stored on the storage device may be encrypted using the first generated disaster recovery key Additionally, data read from the storage device may be decrypted using the generated first disaster recovery key

Comparing passwords, tokens, and biometrics for user authentication

Abstract: For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics-which we collectively call authenticators-and compares these authenticators and their combinations. We examine their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation. Examples of authenticator combinations and protocols are described to show tradeoffs and solutions that meet chosen, practical requirements. The paper endeavors to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research.

Mobile account authentication service

Abstract: A payment authentication service authenticates the identity of a payer during online transactions. The authentication service allows a card issuer to verify a cardholder's (110) identity using a variety of authentication methods, such as with the use of tokens. Authenticating the identity of a cardholder (110) during an online transaction involves querying an access control server to determine if a cardholder (110) is enrolled in the payment authentication service, requesting a password from the cardholder, verifying the password, and notifying a merchant whether the cardholder's (110) authenticity has been verified. Systems for imp lementing the authentication service in which a cardholder (110) uses a mobile device capable of transmitting messages via the Internet are described. Systems for implementing the authentication service in which a cardholder (110) uses a mobile device capable of transmitting messages through voice and messaging channels is also described.

A framework for password-based authenticated key exchange

Abstract: In this paper we present a general framework for passwordbased authenticated key exchange protocols, in the common reference string model. Our protocol is actually an abstraction of the key exchange protocol of Katz et al. and is based on the recently introduced notion of smooth projective hashing by Cramer and Shoup. We gain a number of benefits from this abstraction. First, we obtain a modular protocol that can be described using just three high-level cryptographic tools. This allows a simple and intuitive understanding of its security. Second, our proof of security is significantly simpler and more modular. Third, we are able to derive analogues to the Katz et al. protocol under additional cryptographic assumptions. Specifically, in addition to the DDH assumption used by Katz et al., we obtain protocols under both the Quadratic and N-Residuosity assumptions. In order to achieve this, we construct new smooth projective hash functions.

A taxonomy of single sign-on systems

Abstract: At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction Several architectures for SSO have been developed, each with different properties and underlying infrastructures This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches

Robust multi-factor authentication for secure application environments

Abstract: An improved authentication system utilizes multi-factor user authentication. In an exemplary embodiment, one authentication factor is the user's speech pattern, and another authentication factor is a one-time passcode. The speech pattern and the passcode may be provided via voice portal and/or browser input. The speech pattern is routed to a speaker verification subsystem, while the passcode is routed to a passcode validation subsystem. Many other combinations of input types are also possible. For heightened security, the two (or more) authentication factors are preferably, although not necessarily, provided over differing communication channels (i.e., they are out-of-band with respect to each other). If a user is authenticated by the multi-factor process, he is given access to one or more desired secured applications. Policy and authentication procedures may be abstracted from the applications to allow a single sign-on across multiple applications.

Method and apparatus of storage anti-piracy key encryption (SAKE) device to control data access for networks

Abstract: An apparatus and method of storage anti-piracy key encryption (SAKE) device controls data access for a storage/memory/network. An authentication system includes a first storage, a ROM and a microcontroller and verifies the password of a host. The first storage unit stores an authentication sequence (e.g. biometric information) and the authentication algorithm is programmed on the ROM. Upon receiving the password from the host the microcontroller loads and executes the authentication algorithm to verify the password with the hard coded authentication sequence. Access to the second storage unit/memory/network is permitted only if password is verified.

Password Interception in a SSL/TLS Channel

Abstract: Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS.

Security proofs for an efficient password-based key exchange

Abstract: Password-based key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g, the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on password-based authenticated key-exchange methods, but which actual security was an open problem. We analyze the AuthA key exchange scheme and give a complete proof of its security. Our analysis shows that the AuthA protocol and its multiple modes of operations are provably secure under the computational Diffie-Hellman intractability assumption, in both the random-oracle and the ideal-ciphers models.

Picture Password: A Visual Login Technique for Mobile Devices

Abstract: Adequate user authentication is a persistent problem, particularly with handheld devices such as Personal Digital Assistants (PDAs), which tend to be highly personal and at the fringes of an organization's influence. Yet, these devices are being used increasingly in corporate settings where they pose a security risk, not only by containing sensitive information, but also by providing the means to access such information over wireless network interfaces. User authentication is the first line of defense for a lost or stolen PDA. However, motivating users to enable simple PIN or password mechanisms and periodically update their authentication information is a constant struggle. This paper describes a general-purpose mechanism for authenticating a user to a PDA using a visual login technique called Picture Password. The underlying rationale is that image recall is an easy and natural way for users to authenticate, removing a serious barrier to compliance with organizational policy. Features of Picture Password include style dependent image selection, password reuse, and embedded salting, which overcome a number of problems with knowledge-based authentication for handheld devices. Though designed specifically for handheld devices, Picture Password is also suitable for notebooks, workstations, and other computational devices.

A shoulder-surfing resistant graphical password scheme - WIW

Abstract: We propose a new graphical password scheme. It is de ned as a challenge-response identi cation. Hence, a password in our scheme is time-variant. User who knows the password is able to meet the challenge and to respond correctly. As a consequence, our graphical password scheme is shoulder-sur ng resistant. An attacker still cannot tell what the password is, even if he/she has lmed a user's login process. Primary experiments on our graphical password scheme showed the scheme is promising.

Password interception in a SSL/TLS channel

Abstract: Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due to both unavailability of the side channel (errors are encrypted) and premature abortion of the session in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception. We demonstrate that a password for an IMAP account can be intercepted when the attacker is not too far from the server in less than an hour in a typical setting. We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.

Centralized authentication system

Abstract: Centralized authentication systems are provided. A representative system, among others, includes a mobile authentication registration system, a content provider and a wireless internet server. The mobile authentication registration system resides on a content provider which is coupled to the internet, and is operable to receive a single identification number and password from a user independent of a platform the user is associated with, and determine that the identification number and password combination provided by the user is associated with a registered user. The content provider provides personalized internet content to any of a plurality of registered users on a plurality of platforms. The wireless internet server receives a connection request from a wireless device, sends an authentication request to the mobile authentication registration system, and provides a personalized internet content from the content provider to said at least one wireless device. Methods and other systems for multiple access portals are also provided.

Awase-E: Image-Based Authentication for Mobile Phones Using User’s Favorite Images

Abstract: There is a trade-off between security and usability in user authentication for mobile phones. Since such devices have a poor input interfaces, 4-digit number passwords are widely used at present. Therefore, a more secure and user friendly authentication is needed. This paper proposes a novel authentication method called “Awase-E”. The system uses image passwords. It, moreover, integrates image registration and notification interfaces. Image registration enables users to use their favorite image instead of a text password. Notification gives users a trigger to take action against a threat when it happens. Awase-E is implemented so that it has a higher usability even when it is used through a mobile phone.

Control system and method for controlling system

Abstract: A controller has a unit that stores therein a password specified by a user for each home electric appliance connected to a home network; a unit that, when a home-electric-appliance operation-request message is received, determines whether the message entry location is inside or outside the home; a unit that sends a password request message if it is determined as a result of the determination that the message entry location is outside the home; and a unit that, upon receiving a password in response to the request, determines if the received password matches the password of the controlled home electric appliance that is stored. The controller executes the operation of the home electric appliance connected to the home network only when the passwords match, thus preventing an unauthorized user outside the home from operating the home electric appliances at home.

Password encryption key

Abstract: A password-encrypted key (PEK) is generated from a user-supplied password or other identifyting data and then used to encrypt the user's password. The encrypted password is stored in a user record on a server. At login a would-be user's password is again used to make a key, which is then used to decrypt and compare the stored encrypted password with the would-be user's password to complete the login. The successful PEK is stored in a temporary session record and can be used to decrypt other sensitive user information previously encrypted and stored in the user record as well as to encrypt new information for storage in the user record. A public/private key system can also be used to maintain limited access for the host to certain information in the user record.

System and method for securing portable data

Abstract: A data storage device (110) that can be reversibly associated with one or more of a plurality of hosts (100). A 'trusted' host on which the device is mounted is allowed access to a secure data area of the device automatically, without the user having to enter a password. Ways in which a host is designated as 'trusted' include storing the host's ID (106) in a trusted host list of the device, storing a representation of the host's ID that was encrypted using a trust key of the device in a cookie on the host, or storing a storage password of the device in a password list of the host. Alternatively, an untrusted host is allowed access to the secure area if a user enters a correct user password.

Method for providing single step log-on access to a differentiated computer network

Abstract: A method for providing single step log-on access for a subscriber to a computer network. The computer network is differentiated into public and private areas. Secure access to the private areas is provided by a Service Selection Gateway (SSG) Server, introduced between a conventional Network Access Server (NAS) and an Authentication Authorization and Accounting (AAA) Server. The SSG Server intercepts and manipulates packets of data exchanged between the NAS and the AAA Server to obtain all the information it needs to automatically log the user on when the user logs on to the NAS. An authorized user is thus spared the task of having to re-enter username and password data or launch a separate application in order to gain secure access to private areas of the network.

Cryptographic methods and apparatus for secure authentication

Abstract: Secure authentication protocols, particularly well-suited for use in authenticating mobile communications devices having limited computational resources, are disclosed. In an illustrative embodiment, a network-based communication system includes a client device and at least two servers. First and second shares are generated from a first password associated with the client device, and stored in respective first and second servers. The client device submits additional information associated therewith to at least one of the first and second servers. Each of the first and second shares has the property that it is infeasible to determine solely therefrom correspondence of the additional information with the first password. The first and second servers then utilize the respective first and second shares to collectively determine said correspondence of the additional information with the first password. Advantageously, the correspondence determination may be made without requiring further interaction between the client device and one or both of the servers.

A new two-server approach for authentication with short secrets

Abstract: Passwords and PINs continue to remain the most widespread forms of user authentication, despite growing awareness of their security limitations This is because short secrets are convenient, particularly for an increasingly mobile user population Many users are interested in employing a variety of computing devices with different forms of connectivity and different software platforms Such users often find it convenient to authenticate by means of passwords and short secrets, to recover lost passwords by answering personal or "life" questions, and to make similar use of relatively weak secrets In typical authentication methods based on short secrets, the secrets (or related values) are stored in a central database Often overlooked is the vulnerability of the secrets to theft en bloc in the event of server compromise With this in mind, Ford and Kaliski and others have proposed various password "hardening" schemes involving multiple servers, with password privacy assured provided that some servers remain uncompromised In this paper, we describe a new, two-server secure roaming system that benefits from an especially lightweight new set of protocols In contrast to previous ideas, ours can be implemented so as to require essentially no intensive cryptographic computation by clients This and other design features render the system, in our view, the most practical proposal to date in this area We describe in this paper the protocol and implementation challenges and the design choices underlying the system

A remote user authentication scheme using smart cards with forward secrecy

Abstract: In 2000, Hwang and Li proposed a new remote user authentication scheme using smart cards. Chan and Chang showed that the masquerade attack is successful on this scheme. Recently Shen, Lin and Hwang pointed out a different type of attack on this scheme and presented a modified scheme to remove these defects. In this paper we present a new scheme which also overcomes these attacks. In this scheme previously generated passwords are secure even if the secret key of the system is leaked or is stolen.

Inter-authentication method and device

Abstract: An inter-authentication method capable of safely and easily performing inter-authentication In the inter-authentication process, a private key K0 of the initial value is stored in a client and a server (Pc0, Ps0) The client generates a random number R, calculates password data C and authentication data A, and transmits the result to the server (Pc1) The server receives the authentication data A and the password data C from the client, generates a random number R, calculates and returns password data S and authentication data Q, and updates the private key K0 to a new private key K1 (Ps1) The client receives the authentication data B and the password data S from the server, generates a random number R, calculates the password data C2 and the authentication data A2, returns the results to the server, and updates the private key K0 to the new private key K1 (Pc2) The client and the server check whether validity is satisfied

System and method for user authentication with enhanced passwords

Abstract: A system and method for enhancing passwords, access codes, and personal identification numbers by making them pace, rhythm, or tempo sensitive. The password includes a sequence of characters and an associated timing element. To access a restricted device or function a user enters the correct character sequence according to the correct pace, rhythm, or tempo. The entered sequence and timing element are compared with stored values and access is granted only if the entered and stored values match. In an alternative embodiment the stored timing element is set, and periodically altered, by a computer or program without consent from the user and visual, auditory, and/or tactile prompts indicate the correct timing element to the user during the authentication process. The meaning of the prompts are provided to the user in advance.

User authentication method and user authentication system

Abstract: The present invention is a user verification method and a user verification system, in which a password derivation pattern for each user is pre-registered into a verification server, and when a user is to use the system, the verification server generates a presented pattern and presents this to the user, the user inputs a password corresponding to the user's own password derivation pattern for the presented pattern, the verification server performs verification of the inputted password based on the presented pattern and the user's own password derivation pattern that was registered, and a verification result is then notified to the usage target system.

GA-SVM wrapper approach for feature subset selection in keystroke dynamics identity verification

Abstract: Password is the most widely used identity verification method in computer security domain. However, due to its simplicity, it is vulnerable to imposter attacks. Keystroke dynamics adds a shield to password. Password typing patterns or timing vectors of a user are measured and used to train a novelty detector model. However, without manual pre-processing to remove noises and outliers resulting from typing inconsistencies, a poor detection accuracy results. Thus, in this paper, we propose an automatic feature subset selection process that can automatically selects a relevant subset of features and ignores the rest, thus producing a better accuracy. Genetic algorithm is employed to implement a randomized search and SVM, an excellent novelty detector with fast learning speed, is employed as a base learner. Preliminary experiments show a promising result.

ID-based password authentication scheme using smart cards and fingerprints

Abstract: This paper proposes two ID-based password authentication schemes, which does not require a dictionary of passwords or verification tables, with smart card and fingerprint. In these schemes, users can change their passwords freely. For a network without synchronization clocks, the proposed nonce-based authentication scheme can withstand message replay attacks. The proposed two schemes require a system to authenticate each user by each user's knowledge, possession, and biometrics, and this feature makes our schemes more reliable.