Better Authentication: Password Revolution by Evolution

  • Daniel R. ThomasEmail author
  • Alastair R. Beresford
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8809)


We explore the extent to which we can address three issues with passwords today: the weakness of user-chosen passwords, reuse of passwords across security domains, and the revocation of credentials. We do so while restricting ourselves to changing the password verification function on the server, introducing the use of existing key-servers, and providing users with a password management tool. Our aim is to improve the security and revocation of authentication actions with devices and end-points, while minimising changes which reduce ease of use and ease of deployment. We achieve this using one time tokens derived using public-key cryptography and propose two protocols for use with and without an online rendezvous point.


Authentication Public-key cryptography Passwords One time token 



Frank Stajano, Nicholas Wilson, Oliver Chick, Andrew Rice, Markus Kuhn, Robert Watson, Joseph Bonneau and Bruce Christianson all provided useful feedback on various versions of this idea.


  1. 1.
    Adams, A., Sasse, M.A.: Users are not the enemy. Commun. ACM 42(12), 40–46 (1999). doi: 10.1145/322796.322806 CrossRefGoogle Scholar
  2. 2.
    Barker, E., Barker, W., Burr, W., Polk, W., Smid. M.: SP 800–57 Recommendation for Key Management - Part 1: General. In: NIST Special Publication, pp. 1–142 (2007)Google Scholar
  3. 3.
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Bellovin, S.M., Merritt, M.: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. In: IEEE Security and Privacy, Oakland, California, pp. 72–84. IEEE, May 1992. doi: 10.1109/RISP.1992.213269, ISBN: 0818628251
  5. 5.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Crypt. 17(4), 297–319 (2004)MathSciNetzbMATHGoogle Scholar
  6. 6.
    Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: The Ninth Workshop on the Economics of Information Security, WEIS (2010)Google Scholar
  7. 7.
    Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: IEEE Symposium on Security and Privacy (2012). doi: 10.1109/SP.2012.44
  8. 8.
    Burrows, M., Abadi, M., Needham, R.M.: A logic of authentication. In: Proceedings of the Royal Society A: Mathematical, Physical and Engineering Sciences 426.1871, pp. 233–271, December 1989. doi: 10.1098/rspa.1989.0125, ISSN: 1364-5021
  9. 9.
    Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy 2013, pp. 511–525 (2013). doi: 10.1109/SP.2013.41
  10. 10.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Ducas, L., Nguyen, P.Q.: Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 433–450. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  12. 12.
    FIPS 186–3: Digital Signature Standard (DSS). In: National Institute of Standards and Technology (NIST) (2009)Google Scholar
  13. 13.
    Florêncio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web. Banff, Alberta, Canada. ACM, pp. 657–666. (2007). doi: 10.1145/1242572.1242661, ISBN: 9781595936547
  14. 14.
    Hao, F., Ryan, P.Y.A.: Password authenticated key exchange by juggling. In: Christianson, B., Malcolm, J.A., Matyas, V., Roe, M. (eds.) Security Protocols 2008. LNCS, vol. 6615, pp. 159–171. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23(3), 283–290 (2001). doi: 10.1023/A:1011214926272 MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Jablon, D.P.: Strong password-only authenticated key exchange. ACM SIGCOMM Comput. Commun. Rev. 26(5), 5–26, October 1996. doi: 10.1145/242896.242897, ISSN: 01464833
  17. 17.
    Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Lamport, L.: Constructing digital signatures from a one-way function. Technical report. SRI International, pp. 1–7, October 1979Google Scholar
  19. 19.
    Laurie, B., Langley, A., Kasper, E.: RFC6962: Certificate Transparency. Technical report IETF, pp. 1–27, June 2013Google Scholar
  20. 20.
    Madhavapeddy, A., Sharp, R., Scott, D., Tse, A.: Audio networking: the forgotten wireless technology. In: Pervasive Computing, pp. 55–60, July 2005. doi: 10.1109/MPRV.2005.50
  21. 21.
    Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979). doi: 10.1145/359168.359172 CrossRefGoogle Scholar
  22. 22.
    Naccache, D., Stern, J.: Signing on a postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 121–135. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. 23.
    Nyberg, K., Rueppel, R.A.: Message recovery for signature schemes based on the discrete logarithm problem. Des. Codes Crypt. 7(1-2), 61–81 (1996). doi: 10.1007/BF00125076, ISSN: 0925-1022
  24. 24.
    Percival, C.: Stronger key derivation via sequential memory-hard functions, May 2009. Accessed 07 January 2014
  25. 25.
    Pintsov, L.A., Vanstone, S.A.: Postal revenue collection in the digital age. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 105–120. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  26. 26.
    Riley, S.: Password security: What users know and what they actually do (2006). Accessed 07 January 2014
  27. 27.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). doi: 10.1145/359340.359342, ISSN: 00010782
  28. 28.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: Proceedings of the 14th USENIX Security Symposium, pp. 17–31 (2005)Google Scholar
  29. 29.
    Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)Google Scholar
  30. 30.
    Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  31. 31.
    Thomas, D.R., Beresford, A.R.: Nigori: Secrets in the cloud (2013). Accessed 2013
  32. 32.
    Wagner, D.T., Rice, A., Beresford, A.R.: Device Analyzer: Large-scale mobile data collection. In: Sigmetrics, Big Data Workshop. ACM, Pittsburgh, June 2013Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK

Personalised recommendations