Abstract
User authentication is necessary to provide services on an application system and the Internet. Various authentication methods are used such as ID/PW, biometric, and OTP authentications. One of the popular authentications is ID/PW authentication. As an inputted password is transferred by one-way hash function and then stored in DB, it is difficult for the DB administrator to figure out the password inputted by the user. However, when DB is leaked, and there is the time to decode, the password can be hacked. The time and cost to decode the original message from the hash value corresponding a short password decrease. Therefore, if the password is short, then attacking cost is low, and password crack possibility is high. In the case where an attacker utilizes pre-computing rainbow tables, and the hash value of short passwords is leaked, the password that the user inputted can be cracked. In this research, to block rainbow table attacks, when the user generates a short password, by adding additional messages of identification information of a system or the user and extending the length of the password, we try to resolve the vulnerability of short passwords. By proposing a model to minimize the length of the password and the authority accordingly in mobile devices on which inputting passwords is not easy, we take security into consideration. Our proposal model is strong against rainbow table attack and provides efficient password system to users. It contributes to resolving password vulnerability and upgrades mobile users’ convenience in typing passwords.
Similar content being viewed by others
Change history
01 July 2017
An erratum to this article has been published.
References
Han, K.-H., Bae, W.-S.: Proposing and verifying a security protocol for hash function-based IoT communication system. Cluster Comput. 19(1), 497–504 (2016)
Zhang, W., Zhang, Y., Chen, J., Li, H., Wang, Yumin: End-to-end security scheme for machine type communication based on generic authentication architecture. Cluster Comput. 16(4), 861–871 (2013)
Qin, B., Wang, H., Qianhong, W., Liu, J., Domingo-Ferrer, J.: Simultaneous authentication and secrecy in identity-based data upload to cloud. Cluster Comput. 16(4), 845–859 (2013)
Jeong, Y.-S., Shin, S.-S., Han, K.-H.: High-dimentional data authentication protocol based on hash chain for Hadoop systems. Cluster Comput. 19(1), 475–484 (2016)
Jung, H., Shin, D., Cho, K., Nam, C.: BLE-OTP authorization mechanism for ibeacon network security. J. KIISE 42(8), 979–989 (2015)
Yong, S.: Password-based user authentication scheme using a dual-display method. J. Korea Soc. Comput. Inf. 20(1), 119–125 (2015)
Kim, H.J., Kim, H.S.: HOTP-Based Key Agreement Protocol Over Home Network. In: FutureTech2012. Lecture Notes in Electrical Engineering, vol. 164, pp. 171–179 (2012)
Mun, H.-J., Lee, K.M., Lee, S.-H. Person-wise privacy level access control for personal information directory services. In: Embedded and Ubiquitous Computing, Volume 4096 of the series Lecture Notes in Computer Science, pp. 89–98 (2006)
Mun, H.J.: A role based personal sensitive information protection with subject policy. PhD Thesis of Computer Science Paper, Chungbuk University, Korea (2008)
Mun, H.-J., Ju, Y., Yoo, J.: Multiple authentication system for privacy protection and efficient user authentication. Int. J. Adv. Comput. Technol. 5(13), 251–256 (2013)
Kwak, J., Oh, S., Yang, H., Won, D.: An improved optimal strong-password authentication protocol secure against stolen-verifier attack and impersonation attack. KIPS Trans. C 11–C(4), 439–446 (2004)
Mun, H.J., Han, K.H.: Blackhole attack: user identity and password seize attack using honeypot. J. Comput. Virol. Hacking Tech. 12(3), 185–190 (2016). doi:10.1007/s11416-016-0270-6
Liao, I-En, Lee, C.-C., Hwang, M.-S.: A password authentication scheme over insecure networks. J. Comput. Syst. Sci. 72(4), 727–740 (2006)
Purdy, G.B.: A high security log-in procedure. Commun. ACM 17(8), 442–445 (1974)
Kumar, H., Kumar, S., Joseph, R., Kumar, D. et al.: Rainbow table to crack password using MD5 hashing algorithm. In: IEEE Conference on Information & Communication Technologies (ICT), JeJu Island, pp. 433–439 (2013)
Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: Proceedings of the 12th ACM Conference on Computer and communications security, Alexandria, VA. doi:10.1145/1102120.1102168 07–11 November (2005)
Papantonakis, P., Pnevmatikatos, D., Papaefstathiou, I. and Manifavas, C.: Fast, FPGA-based rainbow table creation for attacking encrypted mobile communications. In: The 23rd International Conference on Field Programmable Logic and Applications (FPL), pp. 1–6 (2013)
Ryu, H.R., Hong, M., Kwon, T.: Behavioural Analysis of Password Authentication and countermeasure to phishing attacks—from user experience and HCI perspectives. J. Internet Comput. Serv. 15(3), 79–90 (2014)
Peyravian, M., Zunic, N.: Methods for protecting password transmission. Comput. Secur. 19(5), 466–469 (2000)
Kwon, T., Song, J.: An efficient password-based authentication protocol secure against guessing attacks. J. KISS A 24(8), 795–806 (1997)
Rivest, R.: The MD5 message-digest algorithm. In: IETF Network Working Group, RFC 1321 (1992)
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) Advances in Cryptology—Crypto’96, Lecture Notes in Computer Science, pp. 1–15. Springer, New York (1996)
Stallings, W.: Cryptography and Network Security, 3rd edn. Prentice-Hall, New Jersey (2003)
Mun, H.J.: CBNU-IUCF, Apparatus And Method For Amending Password Length, Korea Patent 1015966280000, Korea (2016)
Tahir, R., Hu, H., Gu, D., McDonald-Maier, K., Howells., G.: Resilience against brute force and rainbow table attacks using strong ICMetrics session key pairs. 1st International Conference on Communications, Signal Processing, and their Applications (ICCSPA), pp. 1–6 (2013)
Seo, H., Kim, H.: Two layered secure password generation with random number generator. JKIICE 18(4), 867–875 (2014). doi:10.6109/jkiice.2014.18.4.867
Sprengers, M., Batina, L.: Speeding up GPU-based password cracking. In SHARCS2012, pp. 35–54, Washington DC, 17–18 March 2012. http://2012.sharcs.org/record.pdf
Goodin, D.: 25-GPU cluster cracks every standard Windows password in 6 hours. http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ (2012)
Kak, A.: The Dictionary Attack and the Rainbow-Table Attack on Password, Purdue University, West Lafayette, IN. https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture24.pdf
HashKiller: https://hashkiller.co.uk/
Moon, G., Kim, J., Hong, M.: A graphical password scheme resistant to shoulder surfing attack in mobile environments. J. KIISE 18(1), 90–94 (2012)
Jung, S., Kwon, T.: Automated smudge attacks based on machine learning and security analysis of pattern lock systems. J. Korea Inst. Inf. Secu. Cryptol 26(4), 903–910 (2016)
Choi, D.-M.: Password authentication scheme resistant to smudge and shoulder surfing attack in mobile environments. Asia Pac. J. Multimedia Serv. Converg Art Humanit. Sociol. 6(6), 11–19 (2016). doi:10.14257/AJMAHS.2016.06.03
Author information
Authors and Affiliations
Corresponding author
Additional information
The original version of this article is revised: “The original version of the article contained a mistake. Data in the Figure 6 has been missed. The correct Figure 6 has been updated and the original article is corrected”.
An erratum to this article is available at https://doi.org/10.1007/s10586-017-0984-3.
Rights and permissions
About this article
Cite this article
Mun, HJ., Hong, S. & Shin, J. A novel secure and efficient hash function with extra padding against rainbow table attacks. Cluster Comput 21, 1161–1173 (2018). https://doi.org/10.1007/s10586-017-0886-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10586-017-0886-4