Skip to main content
SpringerLink
Log in
Book cover

Cambridge International Workshop on Security Protocols

Security Protocols 2014: Security Protocols XXII pp 130–145Cite as

Better Authentication: Password Revolution by Evolution

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8809))

Abstract

We explore the extent to which we can address three issues with passwords today: the weakness of user-chosen passwords, reuse of passwords across security domains, and the revocation of credentials. We do so while restricting ourselves to changing the password verification function on the server, introducing the use of existing key-servers, and providing users with a password management tool. Our aim is to improve the security and revocation of authentication actions with devices and end-points, while minimising changes which reduce ease of use and ease of deployment. We achieve this using one time tokens derived using public-key cryptography and propose two protocols for use with and without an online rendezvous point.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Existing key-servers do not maintain auditable append only logs.

  2. 2.

    [A-Za-z0-9].

  3. 3.

    DSA is broken if the random number used for nonces is biased which is problematic as frequently devices have bad random number generators that would leak the private key [15].

  4. 4.

    NIST minimum number of security-bits to 2030 [2].

  5. 5.

    We are going to ignore TCP handshakes here and retransmissions as these are implementation details (we could implement this with UDP).

  6. 6.

    \(A\) and \(S\) adjacent and \(R\) on the opposite side of the world.

  7. 7.

    http://web.monkeysphere.info/

  8. 8.

    It also aims to augment/replace the CA hierarchy for TLS but that is not our focus.

  9. 9.

    The source code is available https://github.com/ucam-cl-dtg/dtg-puppet/.

References

  1. Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). doi:10.1145/322796.322806

    Article  Google Scholar 

  2. Barker, E., Barker, W., Burr, W., Polk, W., Smid. M.: SP 800–57 Recommendation for Key Management - Part 1: General. In: NIST Special Publication, pp. 1–142 (2007)

    Google Scholar 

  3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  4. Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: IEEE Security and Privacy, Oakland, California, pp. 72–84. IEEE, May 1992. doi:10.1109/RISP.1992.213269, ISBN: 0818628251

  5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Crypt. 17(4), 297–319 (2004)

    MathSciNet  MATH  Google Scholar 

  6. Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS (2010)

    Google Scholar 

  7. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy (2012). doi:10.1109/SP.2012.44

  8. Burrows, M., Abadi, M., Needham, R.M.: A logic of authentication. In: Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 426.1871, pp. 233–271, December 1989. doi:10.1098/rspa.1989.0125, ISSN: 1364-5021

  9. Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy 2013, pp. 511–525 (2013). doi:10.1109/SP.2013.41

  10. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  11. Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  12. FIPS 186–3: Digital Signature Standard (DSS). In: National Institute of Standards and Technology (NIST) (2009)

    Google Scholar 

  13. Florêncio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web. Banff, Alberta, Canada. ACM, pp. 657–666. (2007). doi:10.1145/1242572.1242661, ISBN: 9781595936547

  14. Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  15. Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001). doi:10.1023/A:1011214926272

    Article  MathSciNet  MATH  Google Scholar 

  16. Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26, October 1996. doi:10.1145/242896.242897, ISSN: 01464833

  17. Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  18. Lamport, L.: Constructing digital signatures from a one-way function. Technical report. SRI International, pp. 1–7, October 1979

    Google Scholar 

  19. Laurie, B., Langley, A., Kasper, E.: RFC6962: Certificate Transparency. Technical report IETF, pp. 1–27, June 2013

    Google Scholar 

  20. Madhavapeddy, A., Sharp, R., Scott, D., Tse, A.: Audio networking: the forgotten wireless technology. In: Pervasive Computing, pp. 55–60, July 2005. doi:10.1109/MPRV.2005.50

  21. Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979). doi:10.1145/359168.359172

    Article  Google Scholar 

  22. Naccache, D., Stern, J.: Signing on a postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 121–135. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  23. Nyberg, K., Rueppel, R.A.: Message recovery for signature schemes based on the discrete logarithm problem. Des. Codes Crypt. 7(1-2), 61–81 (1996). doi:10.1007/BF00125076, ISSN: 0925-1022

  24. Percival, C.: Stronger key derivation via sequential memory-hard functions, May 2009. http://www.unixhowto.de/docs/87_scrypt.pdf. Accessed 07 January 2014

  25. Pintsov, L.A., Vanstone, S.A.: Postal revenue collection in the digital age. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 105–120. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  26. Riley, S.: Password security: What users know and what they actually do (2006). http://usabilitynews.org/password-security-what-users-know-and-what-they-actually-do/. Accessed 07 January 2014

  27. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). doi:10.1145/359340.359342, ISSN: 00010782

  28. Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: Proceedings of the 14th USENIX Security Symposium, pp. 17–31 (2005)

    Google Scholar 

  29. Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)

    Google Scholar 

  30. Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  31. Thomas, D.R., Beresford, A.R.: Nigori: Secrets in the cloud (2013). http://www.cl.cam.ac.uk/research/dtg/nigori/. Accessed 2013

  32. Wagner, D.T., Rice, A., Beresford, A.R.: Device Analyzer: Large-scale mobile data collection. In: Sigmetrics, Big Data Workshop. ACM, Pittsburgh, June 2013

    Google Scholar 

Download references

Acknowledgement

Frank Stajano, Nicholas Wilson, Oliver Chick, Andrew Rice, Markus Kuhn, Robert Watson, Joseph Bonneau and Bruce Christianson all provided useful feedback on various versions of this idea.

Author information

Authors and Affiliations

  1. Computer Laboratory, University of Cambridge, Cambridge, UK

    Daniel R. Thomas & Alastair R. Beresford

Authors
  1. Daniel R. Thomas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Alastair R. Beresford
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel R. Thomas .

Editor information

Editors and Affiliations

  1. University of Hertfordshire, Hertfordshire, United Kingdom

    Bruce Christianson

  2. University of Hertfordshire, Hertfordshire, United Kingdom

    James Malcolm

  3. Masaryk University Faculty of Informatics, Brno, Czech Republic

    Vashek Matyáš

  4. Masaryk University Faculty of Informatics, Brno, Czech Republic

    Petr Švenda

  5. University of Cambridge, Cambridge, United Kingdom

    Frank Stajano

  6. Memorial University of Newfoundland, St. John's, Newfoundland and Labrador, Canada

    Jonathan Anderson

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Thomas, D.R., Beresford, A.R. (2014). Better Authentication: Password Revolution by Evolution. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds) Security Protocols XXII. Security Protocols 2014. Lecture Notes in Computer Science(), vol 8809. Springer, Cham. https://doi.org/10.1007/978-3-319-12400-1_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-12400-1_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12399-8

  • Online ISBN: 978-3-319-12400-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation