
Showing papers on "Password published in 2004"


Journal ArticleDOI
TL;DR: A brief overview of the field of biometrics is given and some of its advantages, disadvantages, strengths, limitations, and related privacy concerns are summarized.
Abstract: A wide variety of systems requires reliable personal recognition schemes to either confirm or determine the identity of an individual requesting their services. The purpose of such schemes is to ensure that the rendered services are accessed only by a legitimate user and no one else. Examples of such applications include secure access to buildings, computer systems, laptops, cellular phones, and ATMs. In the absence of robust personal recognition schemes, these systems are vulnerable to the wiles of an impostor. Biometric recognition, or, simply, biometrics, refers to the automatic recognition of individuals based on their physiological and/or behavioral characteristics. By using biometrics, it is possible to confirm or establish an individual's identity based on "who she is", rather than by "what she possesses" (e.g., an ID card) or "what she remembers" (e.g., a password). We give a brief overview of the field of biometrics and summarize some of its advantages, disadvantages, strengths, limitations, and related privacy concerns.

4,678 citations


Journal ArticleDOI
TL;DR: This paper proposed a novel two-factor authenticator based on iterated inner products between a tokenised pseudo-random number and the user-specific fingerprint feature, which is generated from the integrated wavelet and Fourier–Mellin transform, and hence produces a set of user-specific compact codes coined as BioHashing.

765 citations


Patent
31 Mar 2004
TL;DR: In this article, a database is used to provide a hardware-independent, dynamic information system in which the information content is entirely user-controlled, and requests are received from individual users of the computer network to electronically publish information, and input is accepted from the individual users.
Abstract: A computer network and a database are used to provide a hardware-independent, dynamic information system in which the information content is entirely user-controlled. Requests are received from individual users of the computer network to electronically publish information, and input is accepted from the individual users. Entries from the users containing the information to be electronically published are automatically collected, classified and stored in the database in searchable and retrievable form. Entries are made freely accessible on the computer network. In response to user requests, the database is searched and entries are retrieved. Entries are served to users in a hardware-independent page description language. The entries are password protected, allowing users to retrieve and update entries by supplying a correct password. Preferably, the process is entirely automated with any necessary billing being performed by secure, on-line credit card processing. The user making a database entry has complete control of that entry both at the time the entry is made and in the future after the entry has been made. The entry, when served to a client, is transformed on-the-fly to the page description language. Where the page description language is HTML and the computer network is the World Wide Web, the entry may function as a “mini” homepage for the user that made the entry. Provision is made for graphics and other kinds of content besides text, taking advantage of the content-rich nature of the Web.

683 citations


Journal ArticleDOI
01 Sep 2004
TL;DR: To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice.
Abstract: Users rarely choose passwords that are both hard to guess and easy to remember. To determine how to help users choose good passwords, the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenge the established wisdom.

678 citations


Journal ArticleDOI
TL;DR: This paper presents a dynamic ID-based remote user authentication scheme using smart cards that allows the users to choose and change their passwords freely, and does not maintain any verifier table.
Abstract: Password-based authentication schemes are the most widely used techniques for remote user authentication. Many static ID-based remote user authentication schemes both with and without smart cards have been proposed. Most of the schemes do not allow the users to choose and change their passwords, and maintain a verifier table to verify the validity of the user login. In this paper we present a dynamic ID-based remote user authentication scheme using smart cards. Our scheme allows the users to choose and change their passwords freely, and does not maintain any verifier table. The scheme is secure against ID-theft, and can resist replay attacks, forgery attacks, guessing attacks, insider attacks and stolen verifier attacks.

562 citations


Proceedings Article
13 Aug 2004
TL;DR: It is shown that permitting user selection of passwords in two graphical password schemes can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user.
Abstract: Graphical password schemes have been proposed as an alternative to text passwords in applications that support graphics and mouse or stylus entry. In this paper we detail what is, to our knowledge, the largest published empirical evaluation of the effects of user choice on the security of graphical password schemes. We show that permitting user selection of passwords in two graphical password schemes, one based directly on an existing commercial product, can yield passwords with entropy far below the theoretical optimum and, in some cases, that are highly correlated with the race or gender of the user. For one scheme, this effect is so dramatic as to render the scheme insecure. A conclusion of our work is that graphical password schemes of the type we study may generally require a different posture toward password selection than text passwords, where selection by the user remains the norm today.

509 citations


Proceedings Article
18 Jun 2004
TL;DR: A brief overview of biometric methods, both unimodal and multimodal, and their advantages and disadvantages, will be presented.
Abstract: Biometric recognition refers to an automatic recognition of individuals based on a feature vector(s) derived from their physiological and/or behavioral characteristic. Biometric recognition systems should provide reliable personal recognition schemes to either confirm or determine the identity of an individual. Applications of such a system include computer systems security, secure electronic banking, mobile phones, credit cards, secure access to buildings, health and social services. By using biometrics a person could be identified based on "who she/he is" rather than "what she/he has" (card, token, key) or "what she/he knows" (password, PIN). In this paper, a brief overview of biometric methods, both unimodal and multimodal, and their advantages and disadvantages, will be presented.

435 citations


Journal ArticleDOI
TL;DR: One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences.
Abstract: One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences.

365 citations


Patent
16 Sep 2004
TL;DR: In this article, a basic architecture for managing digital identity information in a network such as the World Wide Web is provided, where a user can organize his or her information into one or more profiles which reflect the nature of different relationships between the user and other entities, and grant or deny each entity access to a given profile.
Abstract: A basic architecture for managing digital identity information in a network such as the World Wide Web is provided. A user of the architecture can organize his or her information into one or more profiles which reflect the nature of different relationships between the user and other entities, and grant or deny each entity access to a given profile. Various enhancements which may be provided through the architecture are also described, including tools for filtering email, controlling access to user web pages, locating other users and making one's own location known, browsing or mailing anonymously, filling in web forms automatically with information already provided once by hand, logging in automatically, securely logging in to multiple sites with a single password and doing so from any machine on the network, and other enhancements.

302 citations


Journal ArticleDOI
TL;DR: Chien et al.'s scheme is shown to be vulnerable to a reflection attack and an insider attack; its weaknesses are shown, and an improved scheme with better security strength is proposed.
Abstract: Recently, Chien et al. proposed an efficient remote authentication scheme using smart cards. However, we find that their scheme is vulnerable to a reflection attack and an insider attack. In addition, their scheme lacks reparability. Herein, we first show the weaknesses of Chien et al.'s scheme, and then propose an improved scheme with better security strength.

296 citations


Journal ArticleDOI
01 Sep 2004
TL;DR: As the deficiencies of traditional password-based access systems become increasingly acute, researchers have turned their focus to keystroke biometrics, which seeks to identify individuals by their typing characteristics.
Abstract: As the deficiencies of traditional password-based access systems become increasingly acute, researchers have turned their focus to keystroke biometrics, which seeks to identify individuals by their typing characteristics. However, this field still faces many challenges before it can see full acceptance.

Journal ArticleDOI
TL;DR: A novel user authentication and key agreement scheme using smart cards for multi-server environments with much less computational cost and more functionality, which is a nonce-based scheme which does not have a serious time-synchronization problem.
Abstract: Remote user authentication and key agreement scheme using smart cards is a very practical solution to validate the eligibility of a remote user and provide secure communication later. Also, due to fast progress of networks and information technology, most of the provided services are in multi-server environments. In this paper, we propose a novel user authentication and key agreement scheme using smart cards for multi-server environments with much less computational cost and more functionality. The major merits include: (1) users only need to register at the registration centre once and can use permitted services in eligible servers; (2) the scheme does not need a verification table; (3) users can freely choose their passwords; (4) the computation and communication cost is very low; (5) servers and users can authenticate each other; (6) it generates a session key agreed by the user and the server; and (7) it is a nonce-based scheme which does not have a serious time-synchronization problem.

Patent
16 Sep 2004
TL;DR: In this paper, a system for automatically completing fields in online forms, such as login forms and new user registration forms, employs a Master Cookie File containing sets of records associated with the user, his or her accounts or web sites, and registered values associated with form tags (e.g. username, password, address, email, telephone etc.).
Abstract: A system for automatically completing fields in online forms, such as login forms and new user registration forms, which employs a Master Cookie File containing sets of records associated with the user, his or her accounts or web sites, and registered values associated with form tags (e.g. username, password, address, email, telephone, etc.). When the user encounters another form, the MCF is automatically searched for matching values and form tags, primarily from the same account or web site, or alternatively from other accounts or sites. A flowing pop-up menu is displayed nearby the form fields from which the user can select values to automatically complete the form. Automatic account information updating, value expiration management, mapping of favorite values, and sharing of values are optional, enhanced functions of the invention.

Proceedings ArticleDOI
27 Jun 2004
TL;DR: The proposed framework differs from prior work in that user-dependent transforms are utilized to generate more compact and distinguishable features and a longer and more stable bitstream can be generated as the cryptographic key.
Abstract: Instead of using PINs and passwords as cryptographic keys that are either easy to forget or vulnerable to dictionary attacks, easy-to-carry and difficult-to-transfer keys can be generated based on user-specific biometric information. A framework is proposed to generate stable cryptographic keys from biometric data that is unstable in nature. The proposed framework differs from prior work in that user-dependent transforms are utilized to generate more compact and distinguishable features. Thereby, a longer and more stable bitstream can be generated as the cryptographic key. Experiments are performed on a face database to verify the feasibility of the proposed framework. The preliminary result is very encouraging.

Journal ArticleDOI
TL;DR: This paper points out that ElGamal's fingerprint-based remote user authentication scheme is vulnerable to masquerade attack, and proposes a new scheme to enhance their security.

Journal ArticleDOI
TL;DR: Empirical confirmation of some ‘bad password practices’ discussed in the literature is found, and suggestions for password construction and use are provided.
Abstract: A survey evaluating the generation and use of passwords revealed that students have 8.18 password uses. With 4.45 different passwords to cover these functions, the average password has 1.84 applications. Two thirds of passwords are designed around one's personal characteristics, with most of the remainder relating to relatives, friends or lovers. Proper names and birthdays are the primary information used in constructing passwords, accounting for about half of all password constructions. Almost all respondents reuse passwords, and about two thirds of password uses are duplications. Passwords have been forgotten by a third of respondents, and over half keep a written record of them. We found empirical confirmation of some ‘bad password practices’ discussed in the literature, and provide suggestions for password construction and use. Copyright © 2004 John Wiley & Sons, Ltd.

Book ChapterDOI
TL;DR: In this article, the authors introduce a new security property, delimited release, which is an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks.
Abstract: Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical. On the other side of the spectrum are type systems designed to accommodate some information leakage. However, there is often little or no guarantee about what is actually being leaked. As a consequence, such type systems are vulnerable to laundering attacks, which exploit declassification mechanisms to reveal more secret data than intended. To bridge this gap, this paper introduces a new security property, delimited release, an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks. In addition, a security type system is given that straightforwardly and provably enforces delimited release.

Patent
08 Jul 2004
TL;DR: In this article, a general-purpose method for authenticating, i.e., verifying the claimed identity of, users of a computer system through the selection of a sequence of images from a displayed assembly of images, is provided.
Abstract: A general-purpose method is provided for authenticating, i.e., verifying the claimed identity of, users of a computer system through the selection of a sequence of images from a displayed assembly of images. The method is based on the capability of computer systems to display and manipulate individual thumbnail images via a graphical user display interface. The method takes image sequences selected by a user and formulates a password that is dependent on both the sequence and style of their selection. To ease the users' burden of complying with organizational policy to change passwords after some period of time, the method allows the same image sequence to be used repeatedly in a password change dialogue, yet generate a completely different password value each time. A new method of “salting” passwords to make them less vulnerable is also provided.

Patent
Mordechai Teicher, Tal Segalov
19 May 2004
TL;DR: In this article, the backup key is protected by being stored in a backup key storage medium, such as an internet server, a pocketable medium or a trusted computer, after being encrypted using a password.
Abstract: Data stored in a portable storage device are encrypted, for example by a processor of the portable storage device itself, using a backup key and stored in a backup medium. The backup key is protected by being stored in a backup key storage medium, such as an internet server, a pocketable medium or a trusted computer, preferably after being encrypted using a password. As needed, the backup key is retrieved and used to decrypt the data from the backup medium. The decrypted data are restored to the original portable storage device or to a different portable storage device.

Journal ArticleDOI
TL;DR: An enhancement to Chien et al.'s scheme enables users to change their passwords freely and securely without the help of a remote server, while also providing secure mutual authentication.
Abstract: Recently, Ku-Chen proposed an improvement to Chien et al.'s scheme to prevent some weaknesses. However, the improved scheme is not only still susceptible to parallel session attack, but also insecure for changing the user's password in the password change phase. Accordingly, the current paper presents an enhancement to resolve such problems. As a result, the proposed scheme enables users to change their passwords freely and securely without the help of a remote server, while also providing secure mutual authentication.

Book ChapterDOI
01 Mar 2004
TL;DR: AuthA was shown to be secure under the assumption that the hash function closely behaves like a random oracle and that the computational Diffie-Hellman problem is difficult.
Abstract: Schemes for encrypted key exchange are designed to provide two entities communicating over a public network, and sharing a (short) password only, with a session key to be used to achieve data integrity and/or message confidentiality. An example of a very efficient and “elegant” scheme for encrypted key exchange considered for standardization by the IEEE P1363 Standard working group is AuthA. This scheme was conjectured secure when the symmetric-encryption primitive is instantiated via either a cipher that closely behaves like an “ideal cipher”, or a mask generation function that is the product of the message with a hash of the password. While the security of this scheme in the former case has been recently proven, the latter case was still an open problem. For the first time we prove in this paper that this scheme is secure under the assumptions that the hash function closely behaves like a random oracle and that the computational Diffie-Hellman problem is difficult. Furthermore, since Denial-of-Service (DoS) attacks have become a common threat we enhance AuthA with a mechanism to protect against them.

Journal ArticleDOI
TL;DR: This paper proposes a novel user authentication and key agreement scheme with much less computational cost and more functionality, and is a nonce-based scheme which does not have a serious time-synchronization problem.

Journal ArticleDOI
TL;DR: A novel two-stage technique to generate personalized cryptographic keys from the face biometric, which offers the inextricably link to its owner, with security comparable to cryptographic hashing of token and knowledge key-factor.

Journal ArticleDOI
TL;DR: Experimental results show that the proposed methods are promising, and that the keystroke dynamics is a viable and practical way to add more security to identity verification.

Patent
12 Aug 2004
TL;DR: In this article, a user's identity is authenticated without requiring the user to provide a password or biometric data, and without requiring the user to enroll prior to access.
Abstract: Authenticating a user includes providing a plurality of questions based on user related information stored in at least one data source, wherein none of the plurality of questions is password related. At least one of the plurality of questions is presented to the user in response to receiving a request from the user to access one or more protected resources. Access is granted to the authorized set of protected resources if the user correctly answers each of the at least one questions presented. According to the present invention, the user's identity is authenticated without requiring the user to provide a password or biometric data, and without requiring the user to enroll prior to access.

Proceedings Article
13 Aug 2004
TL;DR: The size of the mirror symmetric password space relative to the full password space of the graphical password scheme of Jermyn et al. (1999) is shown to be exponentially smaller, which could be used in formulating password rules for graphical password users and in creating proactive graphical password checkers.
Abstract: In commonplace textual password schemes, users choose passwords that are easy to recall. Since memorable passwords typically exhibit patterns, they are exploitable by brute-force password crackers using attack dictionaries. This leads us to ask what classes of graphical passwords users find memorable. We postulate one such class supported by a collection of cognitive studies on visual recall, which can be characterized as mirror symmetric (reflective) passwords. We assume that an attacker would put this class in an attack dictionary for graphical passwords and propose how an attacker might order such a dictionary. We extend the existing analysis of graphical passwords by analyzing the size of the mirror symmetric password space relative to the full password space of the graphical password scheme of Jermyn et al. (1999), and show it to be exponentially smaller (assuming appropriate axes of reflection). This reduction in size can be compensated for by longer passwords: the size of the space of mirror symmetric passwords of length about L + 5 exceeds that of the full password space for corresponding length L ≤ 14 on a 5 × 5 grid. This work could be used to help in formulating password rules for graphical password users and in creating proactive graphical password checkers.

Proceedings ArticleDOI
18 Nov 2004
TL;DR: This article proposes a more efficient and secure authentication scheme for multiserver architecture such that it can be applied in the real world.
Abstract: With the rapid growth of computer networks and communication technologies, more and more computers are linked together such that facilities can be shared through the networks. However, most resources provided by the servers over the Internet are not free for all users. Therefore, providers of the facilities have to make resources under appropriate protection. The password authentication schemes are usually regarded as the most efficient and practical ones to protect the resources of the remote servers. Nevertheless, most of the proposed password schemes are only designed for the single-server environment; the user who wants to access from the different servers needs to register many times. In 2004, Juang proposed an authentication scheme for multiserver architecture. However, Juang's scheme lacks efficiency. In this article, we propose a more efficient and secure authentication scheme for multiserver architecture such that it can be applied in the real world.

Patent
11 May 2004
TL;DR: In this paper, an alternative embodiment of the account authentication service includes a value-add component where information about a customer is shared with a value adding party, such as a merchant, a shipper, a security organization, or a governmental organization.
Abstract: An account authentication service where a trusted party verifies an account holder's identity for the benefit of a requestor during an online transaction. The account authentication involves requesting a password from the account holder, verifying the password, and notifying the requestor whether the account holder's authenticity has been verified. An alternative embodiment of the account authentication service includes a value-adding component where information about a customer is shared with a value-adding party. The customer information is rich in detail about the customer since it is collected by each of the parties in the account authentication process. The value-adding party can then use this information in various manners. All of the parties involved can benefit from sharing the customer information. The value-adding party can be, for example, a merchant, a shipper, a security organization, or a governmental organization. A transaction identifier identifies a specific transaction between a customer, a merchant, and the customer information.

Proceedings ArticleDOI
06 Dec 2004
TL;DR: It is shown that a very significant proportion of the DAS password space depends on the assumption that users will choose long passwords with many composite strokes, and a technique is proposed that may gain up to 16 more bits of security with an expected negligible increase in input time.
Abstract: We study the impact of selected parameters on the size of the password space for "Draw-A-Secret" (DAS) graphical passwords. We examine the role of and relationships between the number of composite strokes, grid dimensions, and password length in the DAS password space. We show that a very significant proportion of the DAS password space depends on the assumption that users will choose long passwords with many composite strokes. If users choose passwords having 4 or fewer strokes, with passwords of length 12 or less on a 5 × 5 grid, instead of up to the maximum 12 possible strokes, the size of the DAS password space is reduced from 58 to 40 bits. Additionally, we found a similar reduction when users choose no strokes of length 1. To strengthen security, we propose a technique and describe a representative system that may gain up to 16 more bits of security with an expected negligible increase in input time. Our results can be directly applied to determine secure design choices, graphical password parameter guidelines, and in deciding which parameters deserve focus in graphical password user studies.

Patent
10 Sep 2004
TL;DR: In this article, the verification records corresponding to given authentication token outputs over a predetermined period of time, sequence of events, and/or set of challenges are downloaded to a verifier.
Abstract: In a system for disconnected authentication, verification records corresponding to given authentication token outputs over a predetermined period of time, sequence of events, and/or set of challenges are downloaded to a verifier. The records include encrypted or hashed information for the given authentication token outputs. In one embodiment using time intervals, for each time interval, token output data, a salt value, and a pepper value are hashed and compared with the verification record for the time interval. After a successful comparison, a user can access the computer. A PIN value can also be provided as an input to the hash function. A portion of the hash function output can be used as a key to decrypt an encrypted (Windows) password, or other sensitive information.