A novel secure and efficient hash function with extra padding against rainbow table attacks

Article
First Online:
Received:
Revised:
Accepted:
  • 90 Downloads

Abstract

User authentication is necessary to provide services on an application system and the Internet. Various authentication methods are used such as ID/PW, biometric, and OTP authentications. One of the popular authentications is ID/PW authentication. As an inputted password is transferred by one-way hash function and then stored in DB, it is difficult for the DB administrator to figure out the password inputted by the user. However, when DB is leaked, and there is the time to decode, the password can be hacked. The time and cost to decode the original message from the hash value corresponding a short password decrease. Therefore, if the password is short, then attacking cost is low, and password crack possibility is high. In the case where an attacker utilizes pre-computing rainbow tables, and the hash value of short passwords is leaked, the password that the user inputted can be cracked. In this research, to block rainbow table attacks, when the user generates a short password, by adding additional messages of identification information of a system or the user and extending the length of the password, we try to resolve the vulnerability of short passwords. By proposing a model to minimize the length of the password and the authority accordingly in mobile devices on which inputting passwords is not easy, we take security into consideration. Our proposal model is strong against rainbow table attack and provides efficient password system to users. It contributes to resolving password vulnerability and upgrades mobile users’ convenience in typing passwords.

Keywords

Password Authentication Hash function Rainbow table Identity Password vulnerability 
This is a preview of subscription content, log in to check access.

References

  1. 1.
    Han, K.-H., Bae, W.-S.: Proposing and verifying a security protocol for hash function-based IoT communication system. Cluster Comput. 19(1), 497–504 (2016)CrossRefGoogle Scholar
  2. 2.
    Zhang, W., Zhang, Y., Chen, J., Li, H., Wang, Yumin: End-to-end security scheme for machine type communication based on generic authentication architecture. Cluster Comput. 16(4), 861–871 (2013)CrossRefGoogle Scholar
  3. 3.
    Qin, B., Wang, H., Qianhong, W., Liu, J., Domingo-Ferrer, J.: Simultaneous authentication and secrecy in identity-based data upload to cloud. Cluster Comput. 16(4), 845–859 (2013)CrossRefGoogle Scholar
  4. 4.
    Jeong, Y.-S., Shin, S.-S., Han, K.-H.: High-dimentional data authentication protocol based on hash chain for Hadoop systems. Cluster Comput. 19(1), 475–484 (2016)CrossRefGoogle Scholar
  5. 5.
    Jung, H., Shin, D., Cho, K., Nam, C.: BLE-OTP authorization mechanism for ibeacon network security. J. KIISE 42(8), 979–989 (2015)CrossRefGoogle Scholar
  6. 6.
    Yong, S.: Password-based user authentication scheme using a dual-display method. J. Korea Soc. Comput. Inf. 20(1), 119–125 (2015)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Kim, H.J., Kim, H.S.: HOTP-Based Key Agreement Protocol Over Home Network. In: FutureTech2012. Lecture Notes in Electrical Engineering, vol. 164, pp. 171–179 (2012)Google Scholar
  8. 8.
    Mun, H.-J., Lee, K.M., Lee, S.-H. Person-wise privacy level access control for personal information directory services. In: Embedded and Ubiquitous Computing, Volume 4096 of the series Lecture Notes in Computer Science, pp. 89–98 (2006)Google Scholar
  9. 9.
    Mun, H.J.: A role based personal sensitive information protection with subject policy. PhD Thesis of Computer Science Paper, Chungbuk University, Korea (2008)Google Scholar
  10. 10.
    Mun, H.-J., Ju, Y., Yoo, J.: Multiple authentication system for privacy protection and efficient user authentication. Int. J. Adv. Comput. Technol. 5(13), 251–256 (2013)Google Scholar
  11. 11.
    Kwak, J., Oh, S., Yang, H., Won, D.: An improved optimal strong-password authentication protocol secure against stolen-verifier attack and impersonation attack. KIPS Trans. C 11–C(4), 439–446 (2004)Google Scholar
  12. 12.
    Mun, H.J., Han, K.H.: Blackhole attack: user identity and password seize attack using honeypot. J. Comput. Virol. Hacking Tech. 12(3), 185–190 (2016). doi: 10.1007/s11416-016-0270-6 CrossRefGoogle Scholar
  13. 13.
    Liao, I-En, Lee, C.-C., Hwang, M.-S.: A password authentication scheme over insecure networks. J. Comput. Syst. Sci. 72(4), 727–740 (2006)MathSciNetCrossRefMATHGoogle Scholar
  14. 14.
    Purdy, G.B.: A high security log-in procedure. Commun. ACM 17(8), 442–445 (1974)CrossRefGoogle Scholar
  15. 15.
    Kumar, H., Kumar, S., Joseph, R., Kumar, D. et al.: Rainbow table to crack password using MD5 hashing algorithm. In: IEEE Conference on Information & Communication Technologies (ICT), JeJu Island, pp. 433–439 (2013)Google Scholar
  16. 16.
    Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and communications security, Alexandria, VA. doi: 10.1145/1102120.1102168 07–11 November (2005)
  17. 17.
    Papantonakis, P., Pnevmatikatos, D., Papaefstathiou, I. and Manifavas, C.: Fast, FPGA-based rainbow table creation for attacking encrypted mobile communications. In: The 23rd International Conference on Field Programmable Logic and Applications (FPL), pp. 1–6 (2013)Google Scholar
  18. 18.
    Ryu, H.R., Hong, M., Kwon, T.: Behavioural Analysis of Password Authentication and countermeasure to phishing attacks—from user experience and HCI perspectives. J. Internet Comput. Serv. 15(3), 79–90 (2014)CrossRefGoogle Scholar
  19. 19.
    Peyravian, M., Zunic, N.: Methods for protecting password transmission. Comput. Secur. 19(5), 466–469 (2000)CrossRefGoogle Scholar
  20. 20.
    Kwon, T., Song, J.: An efficient password-based authentication protocol secure against guessing attacks. J. KISS A 24(8), 795–806 (1997)Google Scholar
  21. 21.
    Rivest, R.: The MD5 message-digest algorithm. In: IETF Network Working Group, RFC 1321 (1992)Google Scholar
  22. 22.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) Advances in Cryptology—Crypto’96, Lecture Notes in Computer Science, pp. 1–15. Springer, New York (1996)Google Scholar
  23. 23.
  24. 24.
    Stallings, W.: Cryptography and Network Security, 3rd edn. Prentice-Hall, New Jersey (2003)Google Scholar
  25. 25.
    Mun, H.J.: CBNU-IUCF, Apparatus And Method For Amending Password Length, Korea Patent 1015966280000, Korea (2016)Google Scholar
  26. 26.
    Tahir, R., Hu, H., Gu, D., McDonald-Maier, K., Howells., G.: Resilience against brute force and rainbow table attacks using strong ICMetrics session key pairs. 1st International Conference on Communications, Signal Processing, and their Applications (ICCSPA), pp. 1–6 (2013)Google Scholar
  27. 27.
    Seo, H., Kim, H.: Two layered secure password generation with random number generator. JKIICE 18(4), 867–875 (2014). doi: 10.6109/jkiice.2014.18.4.867 Google Scholar
  28. 28.
    Sprengers, M., Batina, L.: Speeding up GPU-based password cracking. In SHARCS2012, pp. 35–54, Washington DC, 17–18 March 2012. http://2012.sharcs.org/record.pdf
  29. 29.
    Goodin, D.: 25-GPU cluster cracks every standard Windows password in 6 hours. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ (2012)
  30. 30.
    Kak, A.: The Dictionary Attack and the Rainbow-Table Attack on Password, Purdue University, West Lafayette, IN. https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture24.pdf
  31. 31.
  32. 32.
    Moon, G., Kim, J., Hong, M.: A graphical password scheme resistant to shoulder surfing attack in mobile environments. J. KIISE 18(1), 90–94 (2012)Google Scholar
  33. 33.
    Jung, S., Kwon, T.: Automated smudge attacks based on machine learning and security analysis of pattern lock systems. J. Korea Inst. Inf. Secu. Cryptol 26(4), 903–910 (2016)MathSciNetCrossRefGoogle Scholar
  34. 34.
    Choi, D.-M.: Password authentication scheme resistant to smudge and shoulder surfing attack in mobile environments. Asia Pac. J. Multimedia Serv. Converg Art Humanit. Sociol. 6(6), 11–19 (2016). doi: 10.14257/AJMAHS.2016.06.03 Google Scholar

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. 1.Department of Information & Communication EngineeringSungkyul UniversityAnyangKorea
  2. 2.Division of Information and CommunicationBaekseok UniversityCheonanKorea
  3. 3.School of Computer Science and EngineeringThe University of AizuAizu-WakamatsuJapan

Personalised recommendations