Showing papers on "Password strength published in 2001"

Cryptographic key generation from voice

Abstract: We propose a technique to reliably generate a cryptographic key from a user's voice while speaking a password. The key resists cryptanalysis even against an attacker who captures all system information related to generating or verifying the cryptographic key. Moreover, the technique is sufficiently robust to enable the user to reliably regenerate the key by uttering her password again. We describe an empirical evaluation of this technique using 250 utterances recorded from 50 users.

Systems, methods and software for remote password authentication using multiple servers

Abstract: Systems, methods and software employ zero-knowledge password, ZKP, protocols to provide strong authentication using low-grade passwords that people can easily memorize. To enroll, a user chooses a password (201) and constructs a master key K composed of multiple shares. A set of random values, {y1, y2,...yn} is selected (202), and each share is computed as Ki=Pyi in a suitable finite group. Each yi value is distributed to the ith one of N servers (203). To authenticate, the client chooses a random secret with each server. The client reconstructs K (203, 204), performs a validation test on K (206), and uses K to decrypt a private digital signature key U (208). When the validation test succeeds, the client signs a message with U that contains P and any other values sent by the client based on incorrect passwords entered by the same user (207). Each server verifies the signed message to authenticate the user, and to forgive the user for some reasonable number of mistakes. With knowledge of valid messages, mistakes and all, the server fine-tunes the accounting of bad access attempts. Password security is maintained in a very simple model, requiring no previously secured or server authenticated channel between the client and any servers.

Pretty good persuasion: a first step towards effective password security in the real world

Abstract: In the past, research on password mechanisms has focussed almost entirely on technical issues. Only in recent years has the security research community acknowledged that user behavior plays a part in many security failures, and that policies alone may not be sufficient to ensure correct behavior. We argue that password mechanisms and their users form a socio-technical system, whose effectiveness relies strongly on users' willingness to make the extra effort that security-conscious behavior requires. In most organizations, users cannot be forced to comply; rather, they have to be persuaded to do so. Ultimately, the mechanisms themselves, policies, tutorials, training and the general discourse have to be designed with their persuasive power in mind. We present the results of a first study that can guide such persuasive efforts, and describe methods that can be used to persuade users to employ proper password practice.

User selectable authentication interface and universal password oracle

Abstract: A password interface application (1) presents successive arrays of images or other sensory cues (4) for display or playback on a client device. A user selects, or simply recognizes, one object from each of the successively presented arrays, wherein after recognizing the object subsequent arrays are presented for defining a complete password. Unlike image based authentication systems in which a graphic method merely replaces original username/password pair authentication, a client system is used which helps a user to recall a forgotten password without requiring modification to server software, such as a secure web server (3). Thus existing ATMs (2), online or telephone banking services, and the like, can function as is. The system provides enhanced security because, although people can possibly eavesdrop on the images or sensory cues selected, they cannot see into the user's mind to comprehend the password that the user recognizes.

Password Authentication Using Multiple Servers

Abstract: Safe long-term storage of user private keys is a problem in client/server systems. The problem can be addressed with a roaming system that retrieves keys on demand from remote credential servers, using password authentication protocols that prevent password guessing attacks from the network. Ford and Kaliski's methods [11] use multiple servers to further prevent guessing attacks by an enemy that compromises all but one server. Their methods use a previously authenticated channel which requires client-stored keys and certificates, and may be vulnerable to offine guessing in server spoofing attacks when people must positively identify servers, but don't. We present a multi-server roaming protocol in a simpler model without this need for a prior secure channel. This system requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.

A note on proactive password checking

Abstract: Nowadays, proactive password checking algorithms are based on the philosophy of the dictionary attack, and they often fail to prevent some weak passwords with low entropy. In this paper, a new approach is proposed to deal with this new class of weak passwords by (roughly) measuring entropy. A simple example is given to exploit effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive password checking.

Architecture for secure remote access and transmission using a generalized password scheme with biometric features

Abstract: A remote computer access facility uses two dedicated computers outside the firewall. To ensure security the system makes use of biometrics features and a one-time password mechanism on top of secure socket layer (SSL) to authenticate a user. The system also provides three layers of security levels for transmission. The first layer establishes an SSL connection, the second layer periodically asks for a one-time password (OTP), and the third layer uses any kind of conventional encryption. The combination of the biometric, OTP and encryption key forms a strong password. The system also uses a mechanism for secure file accesses within the organization based on the security privileges assigned to various users. Based on the user's access privileges, the server side software module sends the requested file in an encrypted form along with the key to decrypt that file—this key is encrypted by the user's strong password.

Error-tolerant password recovery

Abstract: Many encryption systems require the user to memorize high entropy passwords or passphrases and reproduce them exactly. This is often a difficult task. We propose a more fault-tolerant scheme, where a high entropy key (or password) is derived from a sequence of low entropy passwords. The user is able to recover the correct key if she remembers a certain percentage of the passwords correctly. In contrast to other systems that have been proposed for fault-tolerant passwords, our basic design is provably secure against a computationally unbounded attacker.

Computer network security system

Abstract: A method and system are provided for authenticating a user of a computer over a computer network. In one embodiment of the invention, the method includes transmitting an applet having a challenge string and a first encryption key, receiving a login packet having the challenge string and a password that is encrypted using the first encryption key, decrypting the password, receiving information from an authentication provider, and authenticating the password by using the information provided by the authentication provider. The challenge string can be either a sequence number or a session identifier. The authentication provider can be a software program or an authentication server. An advantage of embodiments of the present invention is that a computer can provide secure Internet communications using a web browser that does not support SSL and can provide secure integration with third party security systems.

Radio communication device and user authentication method for use therewith

Abstract: To allow flexible security level switching according communication situations, a password holding section holds a plurality of device authentication passwords, for example, a temporary password and a private password. The temporary password is valid only under a certain situation and the private password has a high level of confidentiality to increase the device security. A password management section allows the user to add a new password to the password holding section and delete an existing password therefrom. A password selecting section selects the most suitable password for current connection from among passwords in the password holding section according to a user event, information acquired by an external factor acquisition section, and information from a time control section. The selected password is output to a password checking section.

One-time password authentication system, portable telephone and user identification server

Abstract: PROBLEM TO BE SOLVED: To easily manage secret information while securing the safety of a one-time password concerning user authentication using the one-time password in an information communication network system. SOLUTION: A hush generation part 113 in a portable telephone set 101 obtains a hush value by using a user ID, present time information and common secret information and generates the one-time password. In a user authentication server 103 receiving the user ID and the one-time password from a user PC 102, a hush generation part 124 generates the one-time password similarly by using the received user ID, the present time information and the common secret information to use it for verification by a one-time password verification part.

Enhanced user authentication through typing biometrics with artificial neural networks and k-nearest neighbor algorithm

Abstract: The emergence of global network access has promoted increased chances of malicious attack and intrusion. Password authentication has been known as the most commonly safeguard measure against these intrusions. Common it is, but the security measures that it provides have always been questionable. Thus, it gives rise to the need for a more secure and reliable authentication method in accessing computer systems. This paper proposes the design and development of a real time enhanced password security system through typing biometrics. Typing biometrics deals with the analysis of the unique habitual typing rhythms of individuals. The paper depicts the use of time latency between keystrokes to create typing patterns for individuals. Time latencies are extracted and classified accordingly; they are then used to recognize authentic users and reject imposters. The performance of both artificial neural networks and k-nearest neighbors as possible classifiers for this purpose were studied.

System and method for controlling access to a computer resource

Abstract: A stealth system and method that allows a resource to be practically invulnerable to fast online brute-force attacks is disclosed. The method for controlling access to a computer resource consists in performing a user authentication procedure upon receiving a request from a user to access the computer resource. As part of the user authentication procedure, a password verification procedure is performed which comprises the steps of requesting a password from the user and comparing the entered password with an expected valid one. The next steps are to compute the number of ungranted access for the user during a predefined time interval N if the password matches the expected one and to grant access to the user only if the computed number is lower than a predetermined number K of authorized requests. Otherwise, if either the password does not match the expected one or the number of unsuccessful attempts to log is higher than the predetermined number, the access is denied to the user and a time stamp of the ungranted access is stored.

Cryptographic Key Generation from Voice (Extended Abstract)

Abstract: We propose a technique to reliably generate a cryptographic key from a user’s voice while speaking a password. The key resists cryptanalysis even against an attacker who captures all system information related to generating or verifying the cryptographic key. Moreover, the technique is sufficiently robust to enable the user to reliably regenerate the key by uttering her password again. We describe an empirical evaluation of this technique using utterances recorded from users.

Apparatus and method for multi-threaded password management

Abstract: An apparatus and method for multi-threaded password management are provided. With the apparatus and method, resources may be grouped into families of resources. A family of resources is defined as a group of resources that may make use of the same password. When a user sets a new password for a family of resources, all of the passwords for each of the resources in the family are reset to this new password. That is, the multi-threaded password management apparatus and method spawns threads to reset the passwords of the other resources in the family. In this way, a single operation of resetting a password for a resource in the family may cause a plurality of passwords to be reset. Moreover, the passwords need only be reset when the earliest reset time of the resources in the family occurs. Thus, the number of passwords that must be memorized by a user is significantly reduced. Furthermore, the number of times that passwords need be reset is also reduced due to the resetting of passwords on a group level.

PDM: a new strong password-based protocol

Abstract: In this paper we present PDM (Password Derived Moduli), a new approach to strong password-based protocols usable either for mutual authentication or for downloading security information such as the user's private key We describe how the properties desirable for strong password mutual authentication differ from the properties desirable for credentials download In particular, a protocol used solely for credentials download can be simpler and less expensive than one used for mutual authentication since some properties (such as authentication of the server) are not necessary for credentials download The features necessary for mutual authentication can be easily added to a credentials download protocol, but many of the protocols designed for mutual authentication are not as desirable for use in credentials download as protocols like PDM and basic EKE and SPEKE because they are unnecessarily expensive when used for that purpose PDM's performance is vastly more expensive at the client than any of the protocols in the literature, but it is more efficient at the server We claim that performance at the server, since a server must handle a large and potentially unpredictable number of clients, is more important than performance at the client, assuming that client performance is "good enough" We describe PDM for credentials download, and then show how to enhance it to have the properties desirable for mutual authentication In particular, the enhancement we advocate for allowing PDM to avoid storing a password-equivalent at the server is less expensive than existing schemes, and our approach can be used as a more efficient (at the server) variant of augmented EKE and SPEKE than the currently published schemes PDM is important because it is a very different approach to the problem than any in the literature, we believe it to be unencumbered by patents, and because it can be a lot less expensive at the server than existing schemes

Persuasive password security

Abstract: Users of password-protected systems have to be persuaded to follow certain regulations to keep systems secure. This paper describes the results of a first study of the mental models, metaphors, attitudes and skills users hold with respect to password mechanisms. It shows that users are currently not motivated to adopt proper password practices. They do not believe that they ultimately can stop somebody from getting into the system, or that somebody getting in could cause them any serious personal harm. We recommend a novel approach to the design of training and online support, which is based on an appropriate use of fear appeals.

Method for securely supporting password change

Abstract: A method of securely supporting password change is disclosed. The method comprises the steps of: detecting an occurrence of a password change operation in execution on a system and receiving a new password by the system; detecting the new password when provided; storing data indicative of the new password in a database other than the password database of the system for later retrieval, the data indicative of the new password for provision to the system.

Delegation of cryptographic servers for capture-resilient devices

Abstract: A device that performs private key operations (signatures or decryptions), and whose private key operations are protected by a password, can be immunized against offline dictionary attacks in case of capture by forcing the device to confirm a password guess with a designated remote server in order to perform a private key operation. Recent proposals for achieving this allow untrusted servers and require no server initialization per device. In this paper we extend these proposals to enable dynamic delegation from one server to another; i.e., the device can subsequently use the second server to secure its private key operations. One application is to allow a user who is traveling to a foreign country to temporarily delegate to a server local to that country the ability to confirm password guesses and aid the user's device in performing private key operations, or in the limit, to temporarily delegate this ability to a token in the user's possession. Another application is proactive security for the device's private key, i.e., proactive updates to the device and servers to eliminate any threat of offline password guessing attacks due to previously compromised servers.

On the Security of Methods for Protecting Password Transmission

Abstract: Institute of Applied Mathematics, National Chung Hsing UniversityTaichung, Taiwan 402, R.O.C.Received: October 2000Abstract. Peyravian and Zunic (2000) proposed a password transmission scheme and a passwordchange scheme over an insecure network. Their proposed solutions do not require the use of anysymmetric-key or public-key cryptosystems. However, this article points out that their schemeshave several security flaws for practical applications. A slight improvement on their schemes isproposed in this paper to remove the security flaws.Key words: cryptography, password, hash function, discrete logarithm.

Security analysis of the generalized key agreement and password authentication protocol

Abstract: We show that the enhanced version of the generalized key agreement and password authentication protocol, proposed by Kwon and Song (see IEICE Trans. Commun., vol.E83-B, no.9, p.2044-50, Sept. 2000), is insecure against off-line password guessing attacks.

Security for standalone systems running dedicated application

Abstract: According to one illustrative embodiment, a standalone computer system having a password maintenance capability includes an operating system, a password generator, and a password encryptor. The operating system is operable for executing a dedicated application. The password security generator couples with the operating system for generating a password in response to an occurrence of a prescribed password generation event, in connection with the operating system and the dedicated application. Lastly, the password encryptor couples to the password generator for producing a coded password as a function of the generated password.

Remarks on Wang-Chang's password authentication scheme

Abstract: An attack on a remote password authentication scheme proposed by Wang and Chang is presented. It is shown that the scheme is breakable. An intruder can easily construct a valid login request from a previously intercepted one and replay it later to pass the system authentication process.

Computer security during power-on self test

Abstract: A system and method of operating a computer system include ignoring all inputs from an input/output device during a power-on self test procedure except a pre-specified input; prompting a user for a password upon detection of the pre-specified input; comparing the password entered by the user in response to the prompting to a previously-stored password; and processing inputs other than the pre-specified input during the power-on self-test procedure if and only if the password entered by the user matches the previously-stored password. In one embodiment, the password must be entered by the user with a pre-specified period of time after the prompt.

Password-based Encryption for CMS

Abstract: This document provides a method of encrypting data using user- supplied passwords and, by extension, any form of variable-length keying material which is not necessarily an algorithm-specific fixed-format key. The Cryptographic Message Syntax data format does not currently contain any provisions for password-based data encryption.

Network agent password storage and retrieval scheme

Abstract: A password storage and retrieval system (8) for secure authentication and management of network agents (10). The password storage and retrieval system (8) includes a memory unit (18) and, in a network agent (10), a decryptor (12), an encryptor (14), and an encryption key (16). The decryptor (12) uses a symmetrical algorithm and an encryption key (16) to decrypt an encrypted password related to the network agent (10) to thereby obtain a decrypted password. The same symmetrical algorithm was previously used to encrypt the password with the key and store the encrypted password. In a preferred embodiment of the invention, the encryption key (16) is hard-coded in the network agent (10), and the memory unit (18) for the encrypted password is a designated directory easily accessible to the network agent (10). An obvious advantage of this invention is that in order to break through the system, a person would need to obtain at least two pieces of information; that is, the encryption key (16) and the encrypted password.

Log-in authenticating method, its operation system and processing program

Abstract: PROBLEM TO BE SOLVED: To provide a log-in authenticating method of a user utilizing a business system and a commercial service system, capable of reducing the communication, and allowing a plurality of persons to simultaneously use the service by one account. SOLUTION: The business system creates a password list prior to authentication, and transmits the list to a commercial service system. When the request for using the commercial service system 2 is transmitted from a client utilized by a user to the business system, the business system receiving the request for use checks the user's commercial service using authority, and selects one password from the password list to return the password to the client. The client transmits the returned password to the commercial service system, and the commercial service system compares the password with the password in the account information (password list), permits the log-in when they are agreed with each other, and defeats the used password. COPYRIGHT: (C)2003,JPO

Password authenticating device and password authenticating program

Abstract: PROBLEM TO BE SOLVED: To provide a password authenticating device and its program for preventing the illegal use of a password to identify a user himself by dynamically changing the password. SOLUTION: A user preliminarily registers the combination of dynamic factor ID being the elements of a dynamic password such as an exchange rate or weather, and the dynamic factor ID is extracted from received user ID, and the fluctuation information is acquired by using a network so that the dynamic password can be generated. The generated dynamic password is compared with the received password, and when those passwords are matched, it is authenticated that the user is the person himself. COPYRIGHT: (C)2003,JPO