19,323 research outputs found
On the security of some password-based key agreement schemes
In this paper we show that two potential security vulnerabilities exist in the strong password-only authenticated key exchange scheme due to Jablon. Two standardised schemes based on Jablon's scheme, namely the first password-based key agreement mechanism in ISO/IEC FCD 11770-4 and the scheme BPKAS-SPEKE in IEEE P1363.2 also suffer from one or both of these security vulnerabilities. We further show that other password-based key agreement mechanisms, including those in ISO/IEC FCD 11770-4 and IEEE P1363.2, also suffer from these two security vulnerabilities. Finally, we propose means to remove these security vulnerabilities
Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come
User authentication can rely on various factors (e.g., a password, a
cryptographic key, biometric data) but should not reveal any secret or private
information. This seemingly paradoxical feat can be achieved through
zero-knowledge proofs. Unfortunately, naive password-based approaches still
prevail on the web. Multi-factor authentication schemes address some of the
weaknesses of the traditional login process, but generally have deployability
issues or degrade usability even further as they assume users do not possess
adequate hardware. This assumption no longer holds: smartphones with biometric
sensors, cameras, short-range communication capabilities, and unlimited data
plans have become ubiquitous. In this paper, we show that, assuming the user
has such a device, both security and usability can be drastically improved
using an augmented password-authenticated key agreement (PAKE) protocol and
message authentication codes.Comment: International Workshop on Security Protocols (SPW) 201
Session Initiation Protocol Attacks and Challenges
In recent years, Session Initiation Protocol (SIP) has become widely used in
current internet protocols. It is a text-based protocol much like Hyper Text
Transport Protocol (HTTP) and Simple Mail Transport Protocol (SMTP). SIP is a
strong enough signaling protocol on the internet for establishing, maintaining,
and terminating session. In this paper the areas of security and attacks in SIP
are discussed. We consider attacks from diverse related perspectives. The
authentication schemes are compared, the representative existing solutions are
highlighted, and several remaining research challenges are identified. Finally,
the taxonomy of SIP threat will be presented
- …