How to Speak an Authentication Secret Securely from an Eavesdropper

  • Conference paper
Security Protocols (Security Protocols 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5087)


Abstract

When authenticating over the telephone or mobile headphone, the user cannot always ensure that no eavesdropper hears the password or authentication secret. We describe an eavesdropper-resistant, challenge-response authentication scheme for spoken authentication where an attacker can hear the user’s voiced responses. This scheme requires the user to memorize a small number of plaintext-ciphertext pairs. At authentication, these are challenged in random order and interspersed with camouflage elements. It is shown that the response can be made to appear random so that no information on the memorized secret can be learned by eavesdroppers. We describe the method along with parameter value tradeoffs of security strength, authentication time, and memory effort. This scheme was designed for user authentication of wireless headsets used for hands-free communication by healthcare staff at a hospital.




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

O’Gorman, L., Brotman, L., Sammon, M. (2009). How to Speak an Authentication Secret Securely from an Eavesdropper. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds) Security Protocols. Security Protocols 2006. Lecture Notes in Computer Science, vol 5087. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04904-0_30


  • DOI: https://doi.org/10.1007/978-3-642-04904-0_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04903-3

  • Online ISBN: 978-3-642-04904-0

  • eBook Packages: Computer Science, Computer Science (R0)
