Threshold Single Password Authentication

Passwords are the most widely used form of online user authentication. In a traditional setup, the user, who has a human-memorable low entropy password, wants to authenticate with a login server. Unfortunately, existing solutions in this setting are either non-portable or insecure against many attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks. Three previous studies (Acar et al. 2013, Bicakci et al. 2011, and Jarecki et al. 2016) provide solutions secure against offline dictionary attacks by additionally employing a storage provider (either a cloud storage or a mobile device for portability). These works provide solutions where offline dictionary attacks are impossible as long as the adversary does not corrupt both the login server and the storage provider. For the first time, improving these previous works, we provide a more secure generalized solution employing multiple storage providers, where our solution is proven secure against offline dictionary attacks as long as the adversary does not corrupt the login server and threshold-many storage providers. We define ideal and real world indistinguishability for threshold single password authentication (Threshold SPA) schemes, and formally prove security of our solution via ideal-real simulation. Our solution provides security against all the above-mentioned attacks, including phishing, man-in-the-middle, honeypot, and offline dictionary attacks, and requires no change on the server side. Thus, our solution can immediately be deployed via a browser extension (or a mobile application) and support from some storage providers. We further argue that our protocol is efficient and scalable, and provide performance numbers where the user and storage load are only a few milliseconds

User Study on Single Password Authentication

Single password authentication (SPA) schemes are introduced to overcome the challenges of traditional password authentications, which are vulnerable to offline dictionary, phishing, honeypot, and man-in-the-middle attacks. Unlike classical password-based authentication systems, in SPA schemes the user is required to remember only a single password (and a username) for all her accounts, while the password is protected against offline dictionary attacks in a provably secure manner. Several cryptographic SPA solutions were proposed in this decade, some based on cloud storage, and some employing a trusted personal mobile device. However, studies on usability of these novel SPA systems are rare, hardening their deployment and the validation of their practicality. In this paper, we implement two very different SPA systems and assess their usability with the following two comparative experiments: one comparing the state-of-the-art cloud-based browser-extension SPA solution against traditional password-based authentication (where in both cases the user experience is simply entering a username and password), and another comparing the first mobile-application-based SPA solution against two-factor authentication (where, in both cases, in addition to the password, the user needs access to her mobile device). We obtain that the cloud-based SPA system is easier to use than the traditional approach, making it suitable for daily use deployment, and the mobile-based SPA system is as easy as, but less intimidating and more secure than two-factor authentication, making it a better alternative for online banking type deployments. Hence, SPA systems overall constitute a usable alternative to the existing solutions, while providing offline dictionary attack protection

Dynamic reciprocal authentication protocol for mobile cloud computing

A combination of mobile and cloud computing delivers many advantages such as mobility, resources, and accessibility through seamless data transmission via the Internet anywhere at any time. However, data transmission through vulnerable channels poses security threats such as man-in-the-middle, playback, impersonation, and asynchronization attacks. To address these threats, we define an explicit security model that can precisely measure the practical capabilities of an adversary. A systematic methodology consisting of 16 evaluation criteria is used for comparative evaluation, thereby leading other approaches to be evaluated through a common scale. Finally, we propose a dynamic reciprocal authentication protocol to secure data transmission in mobile cloud computing (MCC). In particular, our proposed protocol develops a secure reciprocal authentication method, which is free of Diffie–Hellman limitations, and has immunity against basic or sophisticated known attacks. The protocol utilizes multifactor authentication of usernames, passwords, and a one-time password (OTP). The OTP is automatically generated and regularly updated for every connection. The proposed protocol is implemented and tested using Java to demonstrate its efficiency in authenticating communications and securing data transmitted in the MCC environment. Results of the evaluation process indicate that compared with the existing works, the proposed protocol possesses obvious capabilities in security and in communication and computation costs

An Authentication Protocol for Future Sensor Networks

Authentication is one of the essential security services in Wireless Sensor Networks (WSNs) for ensuring secure data sessions. Sensor node authentication ensures the confidentiality and validity of data collected by the sensor node, whereas user authentication guarantees that only legitimate users can access the sensor data. In a mobile WSN, sensor and user nodes move across the network and exchange data with multiple nodes, thus experiencing the authentication process multiple times. The integration of WSNs with Internet of Things (IoT) brings forth a new kind of WSN architecture along with stricter security requirements; for instance, a sensor node or a user node may need to establish multiple concurrent secure data sessions. With concurrent data sessions, the frequency of the re-authentication process increases in proportion to the number of concurrent connections, which makes the security issue even more challenging. The currently available authentication protocols were designed for the autonomous WSN and do not account for the above requirements. In this paper, we present a novel, lightweight and efficient key exchange and authentication protocol suite called the Secure Mobile Sensor Network (SMSN) Authentication Protocol. In the SMSN a mobile node goes through an initial authentication procedure and receives a re-authentication ticket from the base station. Later a mobile node can use this re-authentication ticket when establishing multiple data exchange sessions and/or when moving across the network. This scheme reduces the communication and computational complexity of the authentication process. We proved the strength of our protocol with rigorous security analysis and simulated the SMSN and previously proposed schemes in an automated protocol verifier tool. Finally, we compared the computational complexity and communication cost against well-known authentication protocols.Comment: This article is accepted for the publication in "Sensors" journal. 29 pages, 15 figure

Security by Spatial Reference:Using Relative Positioning to Authenticate Devices for Spontaneous Interaction

Spontaneous interaction is a desirable characteristic associated with mobile and ubiquitous computing. The aim is to enable users to connect their personal devices with devices encountered in their environment in order to take advantage of interaction opportunities in accordance with their situation. However, it is difficult to secure spontaneous interaction as this requires authentication of the encountered device, in the absence of any prior knowledge of the device. In this paper we present a method for establishing and securing spontaneous interactions on the basis of emphspatial references that capture the spatial relationship of the involved devices. Spatial references are obtained by accurate sensing of relative device positions, presented to the user for initiation of interactions, and used in a peer authentication protocol that exploits a novel mechanism for message transfer over ultrasound to ensures spatial authenticity of the sender