Showing papers on "Password published in 2009"

Password Cracking Using Probabilistic Context-Free Grammars

Abstract: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack can be a difficult task In this paper we discuss a new method that generates password structures in highest probability order We first automatically create a probabilistic context-free grammar based upon a training set of previously disclosed passwords This grammar then allows us to generate word-mangling rules, and from them, password guesses to be used in password cracking We will also show that this approach seems to provide a more effective way to crack passwords as compared to traditional methods by testing our tools and techniques on real password sets In one series of experiments, training on a set of disclosed passwords, our approach was able to crack 28% to 129% more passwords than John the Ripper, a publicly available standard password cracking program

Post-download patient data protection in a medical device

Abstract: The disclosure describes techniques for protecting patient data stored in a medical device, such as an external defibrillator. The patient data may be transferred, or downloaded, from the medical device to another device, such as to a computing device for storage or analysis. In response to the download, the medical device may protect the patient data so that at least subset of users can no longer access the patient data. Patient data may be protected by modifying the data form, encrypting the data, moving the data to another memory module, password protecting the patient data, or modifying an access control list associated with the patient data. While the patient data may also be deleted as a technique for protecting the data, not deleting the data may allow the data to be recovered at a later time by an authorized user, i.e., a user not part of the subset.

Vanish: increasing data privacy with self-destructing data

Abstract: Today's technical and legal landscape presents formidable challenges to personal data privacy First, our increasing reliance on Web services causes personal data to be cached, copied, and archived by third parties, often without our knowledge or control Second, the disclosure of private data has become commonplace due to carelessness, theft, or legal actions Our research seeks to protect the privacy of past, archived data -- such as copies of emails maintained by an email provider -- against accidental, malicious, and legal attacks Specifically, we wish to ensure that all copies of certain data become unreadable after a userspecified time, without any specific action on the part of a user, and even if an attacker obtains both a cached copy of that data and the user's cryptographic keys and passwords This paper presents Vanish, a system that meets this challenge through a novel integration of cryptographic techniques with global-scale, P2P, distributed hash tables (DHTs) We implemented a proof-of-concept Vanish prototype to use both the million-plus-node Vuze Bit-Torrent DHT and the restricted-membership OpenDHT We evaluate experimentally and analytically the functionality, security, and performance properties of Vanish, demonstrating that it is practical to use and meets the privacy-preserving goals described above We also describe two applications that we prototyped on Vanish: a Firefox plugin for Gmail and other Web sites and a Vanishing File application

Two factor authentication using mobile phones

Abstract: This paper describes a method of implementing two factor authentication using mobile phones. The proposed method guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner. The proposed system involves using a mobile phone as a software token for One Time Password generation. The generated One Time Password is valid for only a short user-defined period of time and is generated by factors that are unique to both, the user and the mobile device itself. Additionally, an SMS-based mechanism is implemented as both a backup mechanism for retrieving the password and as a possible mean of synchronization. The proposed method has been implemented and tested. Initial results show the success of the proposed method.

Mobile device assisted secure computer network communications

Abstract: Mobile device assisted secure computer network communications embodiments are presented that employ a mobile device (e.g., a mobile phone, personal digital assistant (PDA), and the like) to assist in user authentication. In general, this is accomplished by having a user enter a password into a client computer which is in contact with a server associated with a secure Web site. This password is integrated with a secret value, which is generated in real time by the mobile device. The secret value is bound to both the mobile device's hardware and the secure Web site being accessed, such that it is unique to both. In this way, a different secret value is generated for each secure Web site accessed, and another user cannot impersonate the user and log into a secure Web site unless he or she knows the password and possesses the user's mobile device simultaneously.

Multiple password interference in text passwords and click-based graphical passwords

Abstract: The underlying issues relating to the usability and security of multiple passwords are largely unexplored. However, we know that people generally have difficulty remembering multiple passwords. This reduces security since users reuse the same password for different systems or reveal other passwords as they try to log in. We report on a laboratory study comparing recall of multiple text passwords with recall of multiple click-based graphical passwords. In a one-hour session (short-term), we found that participants in the graphical password condition coped significantly better than those in the text password condition. In particular, they made fewer errors when recalling their passwords, did not resort to creating passwords directly related to account names, and did not use similar passwords across multiple accounts. After two weeks, participants in the two conditions had recall success rates that were not statistically different from each other, but those with text passwords made more recall errors than participants with graphical passwords. In our study, click-based graphical passwords were significantly less susceptible to multiple password interference in the short-term, while having comparable usability to text passwords in most other respects.

Proactive security for mobile devices

Abstract: Methods, program products, and systems for proactively securing mobile devices are described. A mobile device can proactively determine whether the mobile device is associated with a security risk and the level of the security risk. Upon determining a security risk, the mobile device can transmit coordinates of its current geographic location to a server. To protect privacy of authorized users, the transmission can be disabled by entering a password. If multiple failed password attempts are detected, the mobile device can proactively increase a security level of the device, and selectively protect files or other content stored on the mobile device. In some implementations, the mobile device can be transitioned into a surveillance mode where the mobile device records or captures information associated with one or more of user actions, ambient sound, images, a trajectory of the device, and transmits the recorded or captured information to the network resource.

Provably Secure Remote Truly Three-Factor Authentication Scheme With Privacy Protection on Biometrics

Abstract: A three-factor authentication scheme combines biometrics with passwords and smart cards to provide high-security remote authentication. Most existing schemes, however, rely on smart cards to verify biometric characteristics. The advantage of this approach is that the user's biometric data is not shared with remote server. But the disadvantage is that the remote server must trust the smart card to perform proper authentication which leads to various vulnerabilities. To achieve truly secure three-factor authentication, a method must keep the user's biometrics secret while still allowing the server to perform its own authentication. Our method achieves this. The proposed scheme fully preserves the privacy of the biometric data of every user, that is, the scheme does not reveal the biometric data to anyone else, including the remote servers. We demonstrate the completeness of the proposed scheme through the GNY (Gong, Needham, and Yahalom) logic. Furthermore, the security of our proposed scheme is proven through Bellare and Rogaway's model. As a further benefit, we point out that our method reduces the computation cost for the smart card.

Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices

Abstract: We describe a public-key encryption scheme based on lattices -- specifically, based on the hardness of the learning with error (LWE) problem -- that is secure against chosen-ciphertext attacks while admitting (a variant of) smooth projective hashing. This encryption scheme suffices to construct a protocol for password-based authenticated key exchange (PAKE) that can be proven secure based on the LWE assumption in the standard model. We thus obtain the first PAKE protocol whose security relies on a lattice-based assumption.

User interface design affects security: patterns in click-based graphical passwords

Abstract: Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.

Look into my eyes!: can you guess my password?

Abstract: Authentication systems for public terminals and thus public spaces have to be fast, easy and secure. Security is of utmost importance since the public setting allows manifold attacks from simple shoulder surfing to advanced manipulations of the terminals. In this work, we present EyePassShapes, an eye tracking authentication method that has been designed to meet these requirements. Instead of using standard eye tracking input methods that require precise and expensive eye trackers, EyePassShapes uses eye gestures. This input method works well with data about the relative eye movement, which is much easier to detect than the precise position of the user's gaze and works with cheaper hardware. Different evaluations on technical aspects, usability, security and memorability show that EyePassShapes can significantly increase security while being easy to use and fast at the same time.

Passwords: If We're So Smart, Why Are We Still Using Them?

Abstract: While a lot has changed in Internet security in the last 10 years, a lot has stayed the same --- such as the use of alphanumeric passwords. Passwords remain the dominant means of authentication on the Internet, even in the face of significant problems related to password forgetting and theft. In fact, despite large numbers of proposed alternatives, we must remember more passwords than ever before. Why is this? Will alphanumeric passwords still be ubiquitous in 2019, or will adoption of alternative proposals be commonplace? What must happen in order to move beyond passwords? This note pursues these questions, following a panel discussion at Financial Cryptography and Data Security 2009.

Information server and mobile delivery system and method

Abstract: A user is provided with access to his or her account information using a client. The account information is stored on a server which receives the information from a feed source and transmits the information to the client. A method for downloading and installing specialized software for viewing the account information on the client is also provided. The information can be received from different feed sources in different formats and converted to a format that is compatible with the intended receiving client. Encryption can be used to protect the privacy of the users of the system and the account information therein. Additionally, a special access password and a privileged access routine can be used to provide access to an authorized third party user on a temporary basis.

A comprehensive study of frequency, interference, and training of multiple graphical passwords

Abstract: Graphical password systems have received significant attention as one potential solution to the need for more usable authentication, but nearly all prior work makes the unrealistic assumption of studying a single password. This paper presents the first study of multiple graphical passwords to systematically examine frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords. We find that all of these factors significantly impact the ease of authenticating using multiple facial graphical passwords. For example, participants who accessed four different graphical passwords per week were ten times more likely to completely fail to authenticate than participants who accessed a single password once per week. Our results underscore the need for more realistic evaluations of the use of multiple graphical passwords, have a number of implications for the adoption of graphical password systems, and provide a new basis for comparing proposed graphical password systems.

Shoulder Surfing attack in graphical password authentication

Abstract: Information and computer security is supported largely by passwords which are the principle part of the authentication process The most common computer authentication method is to use alphanumerical username and password which has significant drawbacks To overcome the vulnerabilities of traditional methods, visual or graphical password schemes have been developed as possible alternative solutions to text-based scheme A potential drawback of graphical password schemes is that they are more vulnerable to shoulder surfing than conventional alphanumeric text passwords When users input their passwords in a public place, they may be at risk of attackers stealing their password An attacker can capture a password by direct observation or by recording the individual's authentication session This is referred to as shoulder- surfing and is a known risk, of special concern when authenticating in public places In this paper we will present a survey on graphical password schemes from 2005 till 2009 which are proposed to be resistant against shoulder surfing attacks

Access Control System And Method Based On Hierarchical Key, And Authentication Key Exchange Method Thereof

Abstract: Disclosed relates to an access control system and method based on hierarchical keys. The system comprises an access control server (ACS), a home gateway, and a plurality of sensor devices disposed on a home network. The ACS sets up user's access limits of authority and authorization verifier, and saves the related data of user's password and the user's access limits of authority. The gateway records the authority limits' level and the authority limits' key which are constructed based on a hierarchical key structure. When a user logs in the ACS to request access, an one-time communication key between the user and the home gateway is established by exchanging the ticket and the token that are issued by the ACS. This allows the user to access the information of the sensor devices.

System and Method for Authenticating a User Using a Graphical Password

Abstract: The present invention is directed to a system and method for authenticating a user of a device or computer system using a graphical password. In an exemplary embodiment, a user is presented with a plurality of graphical images on a display screen of an access device, such as a handheld smart phone. Each graphical image includes one or more associated attributes. The user sequential selects graphical images and a password is generated based on the combination of attributes of the selected images. The generated password is compared with a stored password to authenticate the user and grant access to the device. In another aspect, the graphical password includes time, motion, and/or keyboard input attributes such that the password is multidimensional.

Vibrapass: secure authentication based on shared lies

Abstract: Authentication in public spaces is a risky task. Frauds on cash machines (ATMs) are not uncommon nowadays. The biggest group of attacks is observation attacks, which focus on recording the input done by the users. In this work, we present VibraPass, a system created to be resilient against observation attacks using tactile feedback provided by the users' own mobile devices. In this way, secret information is shared between the terminal and the users to add an over-head of 'lies' to the input which makes it hard for attackers to steal the real PIN or password. We present an evaluation, which shows that VibraPass has the potential to replace current authentication systems due to increased security combined with reasonable input speed and error rates.

Robust Authentication Using Physically Unclonable Functions

Abstract: In this work we utilize a physically unclonable function (PUF) to improve resilience of authentication protocols to various types of compromise. As an example application, we consider users who authenticate at an ATM using their bank-issued PUF and a password. We present a scheme that is provably secure and achieves strong security properties. In particular, we ensure that (i) the user is unable to authenticate without her device; (ii) the device cannot be used by someone else to successfully authenticate as the user; (iii) the device cannot be duplicated (e.g., by a bank employee); (iv) an adversary with full access to the bank's personal and authentication records is unable to impersonate the user even if he obtains access to the device before and/or after the setup; (v) the device does not need to store any information. We also give an extension that endows the solution with emergency capabilities: if a user is coerced into opening her secrets and giving the coercer full access to the device, she gives the coercer alternative secrets whose use notifies the bank of the coercion in such a way that the coercer is unable to distinguish between emergency and normal operation of the protocol.

User authentication using keystroke dynamics for cellular phones

Abstract: A new approach for keystroke-based authentication when using a cellular phone keypad as input device is presented. In the proposed method, users are authenticated using keystroke dynamics acquired when typing fixed alphabetic strings on a mobile phone keypad. The employed statistical classifier is able to perform user verification with an average equal error rate of about 13%. The obtained experimental results suggest that, when using mobile devices, a strong secure authentication scheme cannot rely on the sole keystroke dynamics, which however can be a module of a more complex system including, as basic security, a password-based protocol eventually hardened by keystroke analysis.

QR-TAN: Secure Mobile Transaction Authentication

Abstract: The security of electronic transactions depends on the security of the user's terminal. An insecure terminal may allow an attacker to create or manipulate transactions. Several techniques have been developed that help to protect transactions performed over insecure terminals. TAN codes, security tokens, and smart cards prevent an attacker who obtained the user's password from signing transactions under the user's identity. However, usually these techniques do not allow a user to assert that the content of a transaction has not been manipulated. This paper contributes with the QR-TAN authentication technique. QR-TANs are a transaction authentication technique based on two-dimensional barcodes. Compared to other established techniques, QR-TANs show three advantages: First, QR-TANs allow the user to directly validate the content of a transaction within a trusted device. Second, validation is secure even if an attacker manages to gain full control over a user’s computer. Finally, QR-TANs in combination with smart cards can also be utilized for offline transactions that do not require any server.

Activity-aware ECG-based patient authentication for remote health monitoring

Abstract: Mobile medical sensors promise to provide an efficient, accurate, and economic way to monitor patients' health outside the hospital. Patient authentication is a necessary security requirement in remote health monitoring scenarios. The monitoring system needs to make sure that the data is coming from the right person before any medical or financial decisions are made based on the data. Credential-based authentication methods (e.g., passwords, certificates) are not well-suited for remote healthcare as patients could hand over credentials to someone else. Furthermore, one-time authentication using credentials or trait-based biometrics (e.g., face, fingerprints, iris) do not cover the entire monitoring period and may lead to unauthorized post-authentication use. Recent studies have shown that the human electrocardiogram (ECG) exhibits unique patterns that can be used to discriminate individuals. However, perturbation of the ECG signal due to physical activity is a major obstacle in applying the technology in real-world situations. In this paper, we present a novel ECG and accelerometer-based system that can authenticate individuals in an ongoing manner under various activity conditions. We describe the probabilistic authentication system we have developed and present experimental results from 17 individuals.

Identity theft, computers and behavioral biometrics

Abstract: The increase of online services, such as eBanks, WebMails, in which users are verified by a username and password, is increasingly exploited by Identity Theft procedures. Identity Theft is a fraud, in which someone pretends to be someone else is order to steal money or get other benefits. To overcome the problem of Identity Theft an additional security layer is required. Within the last decades the option of verifying users based on their keystroke dynamics was proposed during login verification. Thus, the imposter has to be able to type in a similar way to the real user in addition to having the username and password. However, verifying users upon login is not enough, since a logged station/mobile is vulnerable for imposters when the user leaves her machine. Thus, verifying users continuously based on their activities is required. Within the last decade there is a growing interest and use of biometrics tools, however, these are often costly and require additional hardware. Behavioral biometrics, in which users are verified, based on their keyboard and mouse activities, present potentially a good solution. In this paper we discuss the problem of Identity Theft and propose behavioral biometrics as a solution. We survey existing studies and list the challenges and propose solutions.

It's not what you know, but who you know: a social approach to last-resort authentication

Abstract: Backup authentication mechanisms help users who have forgotten their passwords regain access to their accounts-or at least try. Today's systems fall short in meeting both security and reliability requirements. We designed, built, and tested a new backup authentication system that employs a social-authentication mechanism. The system employs trustees previously appointed by the account holder to verify the account holder's identity. We ran three experiments to determine whether the system could (1) reliably authenticate account holders, (2) resist email attacks that target trustees by impersonating account holders, and (3) resist phone-based attacks from individuals close to account holders. Results were encouraging: seventeen of the nineteen participants who made the effort to call trustees authenticated successfully. However, we also found that users must be reminded of who their trustees are. While email-based attacks were largely unsuccessful, stronger countermeasures will be required to counter highly-personalized phone-based attacks.

Multifactor username based authentication

Abstract: A hashed value is computed from an encrypted password value and a displayed code value from a hardware token at a client. The encrypted password value is based on a username, a context identifier, and a password. The client provides the username and the hashed value to a server. The encrypted password value associated with the username is retrieved at the server. An expected hashed value is computed at the server. The client is validated based on a comparison of the hashed value and the expected hashed value.