Frontiers of Computer Science

ISSN 2095-2228

ISSN 2095-2236(Online)

CN 10-1014/TP

Postal Subscription Code 80-970

2018 Impact Factor: 1.129

Front. Comput. Sci. 2021, Vol. 15, Issue (2): 152803. https://doi.org/10.1007/s11704-019-9134-9
RESEARCH ARTICLE
On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries
Nilesh CHAKRABORTY 1, Samrat MONDAL 2
1. College of Computer Science and Software Engineering, Shenzhen University, Shenzhen 518060, China
2. Department of Computer Science, Indian Institute of Technology Patna, Bihar 801106, India
Abstract

Unaided authentication services provide the flexibility to log in without depending on any additional device. The power of recording-attack-resilient unaided authentication services (RARUAS) is undeniable as, in some aspects, they are even capable of offering better security than biometric-based authentication systems. However, the high login complexity of these RARUAS makes them far from usable in practice. The adopted information leakage control strategies have often been identified as the primary cause behind such high login complexities. Though recent proposals have made some significant efforts in designing a usable RARUAS by reducing its login complexity, most of them have failed to achieve the desired usability standard. In this paper, we introduce a new notion of controlling the information leakage rate. While maintaining a good security standard, the introduced idea helps to reduce the login complexity of our proposed mechanism, named the Textual-Graphical Password-based Mechanism (TGPM), by a significant extent. Along with resisting the recording attack, TGPM also achieves a remarkable property of threat detection. To the best of our knowledge, TGPM is the first RARUAS that can both prevent and detect the activities of opportunistic recording attackers who can record the complete login activity of a genuine user for a few login sessions. Our study reveals that TGPM assures much higher session resiliency than the existing authentication services having the same or even higher login complexities. Moreover, TGPM stores the password information in a distributed way and thus prevents an adversary from learning the complete secret from a single compromised server. A thorough theoretical analysis has been performed to prove the strength of our proposal from both the security and usability perspectives. We have also conducted an experimental study to support the theoretical argument made on the usability standard of TGPM.

Keywords: authentication; recording attack; premature attack; opportunistic adversary; leakage control; threat prevention; threat detection
Corresponding Author(s): Nilesh CHAKRABORTY
Just Accepted Date: 27 December 2019. Issue Date: 10 October 2020
Cite this article:
Nilesh CHAKRABORTY, Samrat MONDAL. On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries[J]. Front. Comput. Sci., 2021, 15(2): 152803.
URL:
https://academic.hep.com.cn/fcs/EN/10.1007/s11704-019-9134-9
https://academic.hep.com.cn/fcs/EN/Y2021/V15/I2/152803