Abstract
We explore the extent to which we can address three issues with passwords today: the weakness of user-chosen passwords, reuse of passwords across security domains, and the revocation of credentials. We do so while restricting ourselves to changing the password verification function on the server, introducing the use of existing key-servers, and providing users with a password management tool. Our aim is to improve the security and revocation of authentication actions with devices and end-points, while minimising changes which reduce ease of use and ease of deployment. We achieve this using one time tokens derived using public-key cryptography and propose two protocols for use with and without an online rendezvous point.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Existing key-servers do not maintain auditable append only logs.
- 2.
[A-Za-z0-9].
- 3.
DSA is broken if the random number used for nonces is biased which is problematic as frequently devices have bad random number generators that would leak the private key [15].
- 4.
NIST minimum number of security-bits to 2030Â [2].
- 5.
We are going to ignore TCP handshakes here and retransmissions as these are implementation details (we could implement this with UDP).
- 6.
\(A\) and \(S\) adjacent and \(R\) on the opposite side of the world.
- 7.
- 8.
It also aims to augment/replace the CA hierarchy for TLS but that is not our focus.
- 9.
The source code is available https://github.com/ucam-cl-dtg/dtg-puppet/.
References
Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). doi:10.1145/322796.322806
Barker, E., Barker, W., Burr, W., Polk, W., Smid. M.: SP 800–57 Recommendation for Key Management - Part 1: General. In: NIST Special Publication, pp. 1–142 (2007)
Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: IEEE Security and Privacy, Oakland, California, pp. 72–84. IEEE, May 1992. doi:10.1109/RISP.1992.213269, ISBN: 0818628251
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Crypt. 17(4), 297–319 (2004)
Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS (2010)
Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy (2012). doi:10.1109/SP.2012.44
Burrows, M., Abadi, M., Needham, R.M.: A logic of authentication. In: Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 426.1871, pp. 233–271, December 1989. doi:10.1098/rspa.1989.0125, ISSN: 1364-5021
Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy 2013, pp. 511–525 (2013). doi:10.1109/SP.2013.41
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012)
FIPS 186–3: Digital Signature Standard (DSS). In: National Institute of Standards and Technology (NIST) (2009)
Florêncio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web. Banff, Alberta, Canada. ACM, pp. 657–666. (2007). doi:10.1145/1242572.1242661, ISBN: 9781595936547
Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011)
Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001). doi:10.1023/A:1011214926272
Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26, October 1996. doi:10.1145/242896.242897, ISSN: 01464833
Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)
Lamport, L.: Constructing digital signatures from a one-way function. Technical report. SRI International, pp. 1–7, October 1979
Laurie, B., Langley, A., Kasper, E.: RFC6962: Certificate Transparency. Technical report IETF, pp. 1–27, June 2013
Madhavapeddy, A., Sharp, R., Scott, D., Tse, A.: Audio networking: the forgotten wireless technology. In: Pervasive Computing, pp. 55–60, July 2005. doi:10.1109/MPRV.2005.50
Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979). doi:10.1145/359168.359172
Naccache, D., Stern, J.: Signing on a postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 121–135. Springer, Heidelberg (2001)
Nyberg, K., Rueppel, R.A.: Message recovery for signature schemes based on the discrete logarithm problem. Des. Codes Crypt. 7(1-2), 61–81 (1996). doi:10.1007/BF00125076, ISSN: 0925-1022
Percival, C.: Stronger key derivation via sequential memory-hard functions, May 2009. http://www.unixhowto.de/docs/87_scrypt.pdf. Accessed 07 January 2014
Pintsov, L.A., Vanstone, S.A.: Postal revenue collection in the digital age. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 105–120. Springer, Heidelberg (2001)
Riley, S.: Password security: What users know and what they actually do (2006). http://usabilitynews.org/password-security-what-users-know-and-what-they-actually-do/. Accessed 07 January 2014
Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). doi:10.1145/359340.359342, ISSN: 00010782
Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: Proceedings of the 14th USENIX Security Symposium, pp. 17–31 (2005)
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)
Thomas, D.R., Beresford, A.R.: Nigori: Secrets in the cloud (2013). http://www.cl.cam.ac.uk/research/dtg/nigori/. Accessed 2013
Wagner, D.T., Rice, A., Beresford, A.R.: Device Analyzer: Large-scale mobile data collection. In: Sigmetrics, Big Data Workshop. ACM, Pittsburgh, June 2013
Acknowledgement
Frank Stajano, Nicholas Wilson, Oliver Chick, Andrew Rice, Markus Kuhn, Robert Watson, Joseph Bonneau and Bruce Christianson all provided useful feedback on various versions of this idea.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Thomas, D.R., Beresford, A.R. (2014). Better Authentication: Password Revolution by Evolution. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds) Security Protocols XXII. Security Protocols 2014. Lecture Notes in Computer Science(), vol 8809. Springer, Cham. https://doi.org/10.1007/978-3-319-12400-1_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-12400-1_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12399-8
Online ISBN: 978-3-319-12400-1
eBook Packages: Computer ScienceComputer Science (R0)