
Showing papers on "Password published in 2011"


Proceedings ArticleDOI
23 Oct 2011
TL;DR: The evaluation shows that CryptDB has low overhead, reducing throughput by 14.5% for phpBB, a web forum application, and by 26% for queries from TPC-C, compared to unmodified MySQL.
Abstract: Online applications are vulnerable to theft of sensitive information because adversaries can exploit software bugs to gain access to private data, and because curious or malicious administrators may capture and leak data. CryptDB is a system that provides practical and provable confidentiality in the face of these attacks for applications backed by SQL databases. It works by executing SQL queries over encrypted data using a collection of efficient SQL-aware encryption schemes. CryptDB can also chain encryption keys to user passwords, so that a data item can be decrypted only by using the password of one of the users with access to that data. As a result, a database administrator never gets access to decrypted data, and even if all servers are compromised, an adversary cannot decrypt the data of any user who is not logged in. An analysis of a trace of 126 million SQL queries from a production MySQL server shows that CryptDB can support operations over encrypted data for 99.5% of the 128,840 columns seen in the trace. Our evaluation shows that CryptDB has low overhead, reducing throughput by 14.5% for phpBB, a web forum application, and by 26% for queries from TPC-C, compared to unmodified MySQL. Chaining encryption keys to user passwords requires 11–13 unique schema annotations to secure more than 20 sensitive fields and 2–7 lines of source code changes for three multi-user web applications.

1,269 citations


Proceedings ArticleDOI
07 May 2011
TL;DR: A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.
Abstract: Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.

398 citations


01 May 2011
TL;DR: This document describes an extension of one-time password algorithm HOTP as defined in [RFC4226] to support time based moving factor.
Abstract: This document describes an extension of the one-time password (OTP) algorithm, namely the HMAC-Based One-Time Password (HOTP) Algorithm as defined in RFC 4226, to support a time-based moving factor. The HOTP algorithm specifies an event-based OTP algorithm where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security. The proposed algorithm can be used across a wide range of network applications ranging from remote Virtual Private Network (VPN) access, Wi-Fi network logon to transaction-oriented Web applications. The authors believe that a common and shared algorithm will facilitate adoption of two-factor authentication on the Internet by enabling interoperability across commercial and open-source implementations.

296 citations


Patent
28 Feb 2011
TL;DR: In this paper, an encoded acoustic signal is employed for authenticating a user to a web site hosted by a web server, where the smart phone securely communicates with an authentication server which informs the web server whether the user has been authenticated or not.
Abstract: Techniques for simplifying an authentication process from the viewpoint of a user while providing improved security to the many users currently employing no or weak security techniques. In logging into a web site hosted by a web server, a session begins by a user connecting and logging in with a device, such as a personal computer. Rather than a user name and password approach which is presently typical, the personal computer communicates with another user device, such as a smart phone. In one approach, an encoded acoustic signal is employed for this communication. The smart phone securely communicates with an authentication server which informs the web server whether the user has been authenticated or not.

274 citations


Journal ArticleDOI
TL;DR: An enhanced authentication scheme is proposed, which covers all the identified weaknesses of Wang et al.'s scheme and is more secure and efficient for practical application environment.

239 citations


Journal ArticleDOI
TL;DR: This paper presents a secure dynamic identity based authentication protocol for multi-server architecture using smart cards that resolves the aforementioned security flaws, while keeping the merits of Hsiang and Shih's protocol.

235 citations


Journal ArticleDOI
TL;DR: The author shows that the improved scheme provides strong authentication with the use of verifying biometric, password as well as random nonces generated by the user and the server as compared to that for the Li-Hwang's scheme and other related schemes.
Abstract: The author first reviews the recently proposed Li-Hwang's biometric-based remote user authentication scheme using smart cards; then shows that the Li-Hwang's scheme has some design flaws in their scheme. In order to withstand those flaws in their scheme, an improvement of their scheme is further proposed. The author also shows that the improved scheme provides strong authentication with the use of verifying biometric, password as well as random nonces generated by the user and the server as compared to that for the Li-Hwang's scheme and other related schemes.

228 citations


Journal ArticleDOI
TL;DR: A generic and secure framework is proposed to upgrade two-factor authentication to three-factor authentication, which not only significantly improves the information assurance at low cost but also protects client privacy in distributed systems.
Abstract: As part of the security within distributed systems, various services and resources need protection from unauthorized use. Remote authentication is the most commonly used method to determine the identity of a remote client. This paper investigates a systematic approach for authenticating clients by three factors, namely password, smart card, and biometrics. A generic and secure framework is proposed to upgrade two-factor authentication to three-factor authentication. The conversion not only significantly improves the information assurance at low cost but also protects client privacy in distributed systems. In addition, our framework retains several practice-friendly properties of the underlying two-factor authentication, which we believe is of independent interest.

224 citations


Patent
16 Mar 2011
TL;DR: In this article, a method and system for conducting automatic teller machine (ATM) transactions without the use of an ATM card, using a mobile user device is described, which can be used as a password, an authentication value, an account identifier or a transaction identifier.
Abstract: A method and system are provided for conducting automatic teller machine (ATM) transactions without the use of an ATM card, using a mobile user device. The mobile user device communicates with an ATM, a provider interface or a network. The ATM communicates with the mobile user device through a contact or contactless means, which may include communication through any wireless connection such as RFID, Bluetooth™ or other near field communication means, or through a USB port or other means of contact. A mobile user device may provide transaction information or authentication information to an ATM or to an authentication system in communication with an ATM. The transaction may be associated with the user's ATM account or another account. The mobile user device may generate a dynamic value which may be used as a password, an authentication value, an account identifier or a transaction identifier.

211 citations


Patent
27 May 2011
TL;DR: In this article, a logic circuit with electronic memory is used to monitor signal traffic with at least one client and a computer network to determine, without changing the signal traffic, for each client, a network address and a port to which that client is connected; access an authentication server that has a second table of user names and corresponding passwords for network login.
Abstract: An apparatus includes: a logic circuit with electronic memory to: monitor signal traffic with at least one client and a computer network to determine, without changing the signal traffic, for each client, a network address and a port to which that client is connected; provide to a first dynamic table the network address and port for each said client; access an authentication server that has a second table of user names and corresponding passwords for network login, in which the second table also includes for each user name and password a corresponding virtual local network (VLAN) membership and/or VLAN tag and/or Quality of Service (QoS); and add to the first dynamic table the user name, VLAN membership, VLAN tag and QoS information learnt from the authentication server in the second table.

201 citations


Journal ArticleDOI
TL;DR: A secure and light-weight authentication scheme with user anonymity for wireless communications that is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker.

Journal ArticleDOI
TL;DR: An improved scheme to solve the weaknesses of Liao-Wang’s dynamic ID based remote user authentication scheme for multi-server environment, which is vulnerable to insider attack, masquerade attack, server spoofing attack, registration center attack and is not easily reparable.
Abstract: Recently, Hsiang et al. pointed out that Liao-Wang’s dynamic ID based remote user authentication scheme for multi-server environment is vulnerable to insider attack, masquerade attack, server spoofing attack, registration center attack and is not easily reparable. Besides, Liao-Wang’s scheme cannot achieve mutual authentication. For this, Hsiang et al. proposed an improved scheme to overcome these weaknesses and claimed that their scheme is efficient, secure, and suitable for the practical application environment. However, we observe that Hsiang et al.’s scheme is still vulnerable to a masquerade attack, server spoofing attack, and is not easily reparable. Furthermore, it cannot provide mutual authentication. Therefore, in this paper we propose an improved scheme to solve these weaknesses.

Journal ArticleDOI
TL;DR: Significant differences were found between the two methods, with the two-factor version being perceived as offering higher levels of security than the single-factor authentication version; however, this gain was offset by significantly lower perceptions of usability, and lower ratings for convenience and ease of use for the two-factor version.

Patent
30 Sep 2011
TL;DR: In this paper, the authors describe techniques for unlocking certain functionality of a mobile computing device upon wirelessly detecting that an external device is in relatively close proximity to the mobile computing devices.
Abstract: In general, this disclosure describes techniques for unlocking certain functionality of a mobile computing device upon wirelessly detecting that an external device is in relatively close proximity to the mobile computing device. One example method comprises: providing a phone application and a second, different application; initiating a first mode of operation when the mobile computing device becomes locked; prohibiting user access to the second application during the first mode of operation when the mobile computing device fails to wirelessly detect a presence of an external device; and initiating a second mode of operation when the mobile computing device wirelessly detects the presence of the external device and when the mobile computing device has received user input specifying an access password, wherein the mobile computing device allows complete user access to both the phone application and the second application during the second mode of operation.

Proceedings ArticleDOI
01 Dec 2011
TL;DR: A strong user authentication framework for cloud computing, where user legitimacy is strongly verified before entering the cloud, is proposed, which provides identity management, mutual authentication, session key establishment and achieves efficiency.
Abstract: Cloud computing is a combination of various computing entities, globally separated, but electronically connected. As the geography of computation is moving towards corporate server rooms, it brings more issues including security, such as virtualization security, distributed computing, application security, identity management, access control and authentication. However, strong user authentication is the paramount requirement for cloud computing that restricts illegal access to the cloud server. In this regard, this paper proposes a strong user authentication framework for cloud computing, where user legitimacy is strongly verified before entering the cloud. The proposed framework provides identity management, mutual authentication, session key establishment between the users and the cloud server. A user can change his/her password, whenever demanded. Furthermore, security analysis realizes the feasibility of the proposed framework for cloud computing and achieves efficiency.

Proceedings ArticleDOI
20 Jul 2011
TL;DR: This paper proposes three innovative shoulder surfing defence techniques for recall-based graphical password systems such as Draw-A-Secret and Background Draw-A-Secret, where users doodle their passwords on a drawing grid, and proposes and conducts two separate controlled laboratory experiments to evaluate both security and usability perspectives.
Abstract: Graphical passwords are often considered prone to shoulder-surfing attacks, where attackers can steal a user's password by peeking over his or her shoulder in the authentication process. In this paper, we explore shoulder surfing defence for recall-based graphical password systems such as Draw-A-Secret and Background Draw-A-Secret, where users doodle their passwords (i.e. secrets) on a drawing grid. We propose three innovative shoulder surfing defence techniques, and conduct two separate controlled laboratory experiments to evaluate both security and usability perspectives of the proposed techniques. One technique was expected to work to some extent theoretically, but it turned out to provide little protection. One technique provided the best overall shoulder surfing defence, but also caused some usability challenges. The other technique achieved reasonable shoulder surfing defence and good usability simultaneously, a good balance which the two other techniques did not achieve. Our results appear to be also relevant to other graphical password systems such as Pass-Go.

Patent
25 Jul 2011
TL;DR: In this article, a method and apparatus for exercising access control over television programs using a parental control user interface that has different functions is provided, which requires a password to enter into a master mode for obtaining access to all the functions of the parental control interface.
Abstract: A method and apparatus for exercising access control over television programs using a parental control user interface that has different functions is provided. The method requires a password to enter into a master mode for obtaining access to all the functions of the parental control user interface. Once in the master mode, the user may enter a criterion for blocking a television program from being viewed or recorded or the user can override an already blocked television program. If a user, not in the master mode, attempts to watch or record a program that meets the blocking criterion and the program does not meet the overriding criterion, a prompt is provided to the user to enter the password. Upon entering a correct password, the program is unblocked.

Book ChapterDOI
28 Mar 2011
TL;DR: A general framework for constructing password-based authenticated key exchange protocols with optimal round complexity - one message per party, sent simultaneously - in the standard model, assuming a common reference string.
Abstract: We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity - one message per party, sent simultaneously - in the standard model, assuming a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols in the standard model that are universally composable while still using only one (simultaneous) round.

Book ChapterDOI
28 Mar 2011
TL;DR: An alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs and scales to thousands of credentials, provides "continuous authentication" and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.
Abstract: From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon passwords until we come up with an alternative method of user authentication that is both usable and secure. We present an alternative design based on a hardware token called Pico that relieves the user from having to remember passwords and PINs. Unlike most alternatives, Pico doesn't merely address the case of web passwords: it also applies to all the other contexts in which users must at present remember passwords, passphrases and PINs. Besides relieving the user from memorization efforts, the Pico solution scales to thousands of credentials, provides "continuous authentication" and is resistant to brute force guessing, dictionary attacks, phishing and keylogging.

Proceedings ArticleDOI
TL;DR: A non-intrusive identity verification scheme based on behavior biometrics where keystroke dynamics based on free text is used continuously for verifying the identity of a user in real-time and the number of false results is decreased.
Abstract: Internet services are an important part of daily activities for most of us. These services come with sophisticated authentication requirements which may not be handled by average Internet users. The management of secure passwords for example creates an extra overhead which is often neglected due to usability reasons. Furthermore, password-based approaches are applicable only for initial logins and do not protect against unlocked workstation attacks. In this paper, we provide a non-intrusive identity verification scheme based on behavior biometrics where keystroke dynamics based on free text is used continuously for verifying the identity of a user in real-time. We improved existing keystroke dynamics based verification schemes in four aspects. First, we improve the scalability where we use a constant number of users instead of the whole user space to verify the identity of the target user. Second, we provide an adaptive user model which enables our solution to take the change of user behavior into consideration in the verification decision. Next, we identify a new distance measure which enables us to verify the identity of a user with shorter text. Fourth, we decrease the number of false results. Our solution is evaluated on a data set which we have collected from users while they were interacting with their mail-boxes during their daily activities.

Journal ArticleDOI
TL;DR: A lightweight and provably secure user authentication scheme with anonymity for the GLOMONET that uses only symmetric cryptographic and hash operation primitives for secure authentication and can defend smart card security breaches.
Abstract: Seamless roaming in the global mobility network (GLOMONET) is highly desirable for mobile users, although their proper authentication is challenging. This is because not only are wireless networks susceptible to attacks, but also mobile terminals have limited computational power. Recently, some authentication schemes with anonymity for the GLOMONET have been proposed. This paper shows some security weaknesses in those schemes. Furthermore, a lightweight and provably secure user authentication scheme with anonymity for the GLOMONET is proposed. It uses only symmetric cryptographic and hash operation primitives for secure authentication. Besides, it takes only four message exchanges among the user, foreign agent and home agent. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity, user friendly, no password/verifier table, and use of one-time session key between mobile user and foreign agent. The security properties of the proposed protocol are formally validated by a model checking tool called AVISPA. Furthermore, as one of the new features in our protocol, it can defend smart card security breaches. Copyright © 2010 John Wiley & Sons, Ltd. (In this paper, we propose a lightweight and provably secure user authentication scheme with anonymity for the global mobility network. It uses only symmetric cryptographic and hash operation primitives for secure authentication. Besides, it takes only four message exchanges among the user, foreign agent and home agent. We also demonstrate that this protocol enjoys important security attributes including prevention of various attacks, single registration, user anonymity and user friendly. Furthermore, it can defend smart card security breaches.)

Patent
28 Jul 2011
TL;DR: In this article, a method of generating a multi-factor encryption key using a simple password in order to access control over information stored at a second entity from a first entity via at least one communication network is presented.
Abstract: The present invention relates to a method of generating a multi-factor encryption key using a simple password in order to access control over information stored at a second entity from a first entity via at least one communication network. In one embodiment this is accomplished by, requesting to receive an application at the first entity from the second entity via the communication network, activating the first entity to generate a shared secret key, wherein the shared secret key is computed from a first entity specific ID and a random number generated at the first and second entity and allowing the user to register with the application of the second entity by the first entity, wherein the registration include entry of a personal PIN (personal identification number), a personal message etc.

Patent
09 Feb 2011
TL;DR: In this article, the authors present a near post-sessional data acquisition system with consent, signature, recording and retention functions, which is based on an enforceable contract by storing ACKs and recorded session.
Abstract: System has consent, signature, recording and retention functions. Near post-sessional data acquisition gathers nominal comm device information from participants. Active online phones are sent a SMS with the recorded event ID, a hyperlink and password for system access. Otherwise, data is acquired for another text message enabled phone or user email. If disconnected, the user is called for additional data. A contractual relationship is established with these functions. With an ACK-consent upon system access, an ACK-consent by the parties, a RECORD ON command, and a recorded intent-to-contract, the system creates an enforceable contract by storing the ACKs and recorded session.

Proceedings ArticleDOI
07 May 2011
TL;DR: Through a diary study, all usage of passwords is examined, and some new findings based on quantitative analyses regarding how often people log in, where they log in, and how frequently people use foreign computers are offered.
Abstract: While past work has examined password usage on a specific computer, web site, or organization, there is little work examining overall password usage in daily life. Through a diary study, we examine all usage of passwords, and offer some new findings based on quantitative analyses regarding how often people log in, where they log in, and how frequently people use foreign computers. Our analysis also confirms or updates existing statistics about password usage patterns. We also discuss some implications for design as well as security education.

Journal ArticleDOI
TL;DR: This paper investigates real password use in the context of daily life with a high level set of password guidelines, along with suggestions for mechanisms to support creating, encoding, retrieving and executing multiple passwords.

Proceedings ArticleDOI
17 Oct 2011
TL;DR: This work formalizes the solution to protecting user's private data against adversarial compromise of user's device(s) which store this data as Password-Protected Secret-Sharing (PPSS), and proposes an efficient PPSS protocol in the PKI model, secure under the DDH assumption, using non-interactive zero-knowledge proofs with efficient instantiations in the Random Oracle Model.
Abstract: We revisit the problem of protecting user's private data against adversarial compromise of user's device(s) which store this data. We formalize the solution we propose as Password-Protected Secret-Sharing (PPSS), which allows a user to secret-share her data among n trustees in such a way that (1) the user can retrieve the shared secret upon entering a correct password into a reconstruction protocol, which succeeds as long as at least t+1 uncorrupted trustees are accessible, and (2) the shared data remains secret even if the adversary corrupts t trustees, with the level of protection expected of password-authentication, i.e. the probability that the adversary learns anything useful about the secret is at most q/|D| where q is the number of reconstruction protocol the adversary manages to trigger and |D| is the size of the password dictionary. We propose an efficient PPSS protocol in the PKI model, secure under the DDH assumption, using non-interactive zero-knowledge proofs with efficient instantiations in the Random Oracle Model. Our protocol is practical, with fewer than 16 exponentiations per trustee and 8t+17 exponentiations per user, with O(1) bandwidth between the user and each trustee, and only three message flows, implying a single round of interaction in the on-line phase. As a side benefit our PPSS protocol yields a new Threshold Password Authenticated Key Exchange (T-PAKE) protocol in the PKI model with significantly lower message, communication, and server computation complexities than existing T-PAKEs.

Journal ArticleDOI
TL;DR: A robust user authentication and key agreement scheme suitable for ubiquitous computing environments and can preserve the privacy of the client's secret key even if the secret information stored in a smart card is compromised.

Journal ArticleDOI
TL;DR: This paper describes an efficient 3PAKE based on LHL-3PAKE proposed by Lee et al. that requires neither the server public keys nor symmetric cryptosystems such as DES.

Journal ArticleDOI
TL;DR: A robust and efficient authentication scheme based on strong-password approach to provide secure remote access in digital home network environments and it can be validated that the proposed scheme is more robust authentication mechanism having better security properties.

Patent
10 May 2011
TL;DR: In this paper, a method of using a one-time password for a transaction between a user and a merchant is disclosed, where the method may include generating the password and authenticating the user by the authentication server in response to a request from the user to use the password.
Abstract: According to the invention, a method of using a one-time password for a transaction between a user and a merchant is disclosed. The method may include generating the one-time password. The method may also include authenticating the user by the authentication server in response to a request from the user to use the one-time password. The method may further include authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server. The method may moreover include using the one-time password in combination with an account number to settle the transaction between the user and the merchant. The method may additionally include sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction. The method may also include sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction.