426 research outputs found
ZETA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology
Reliable authentication requires the devices and
channels involved in the process to be trustworthy; otherwise
authentication secrets can easily be compromised. Given the
unceasing efforts of attackers worldwide such trustworthiness
is increasingly not a given. A variety of technical solutions,
such as utilising multiple devices/channels and verification
protocols, has the potential to mitigate the threat of untrusted
communications to a certain extent. Yet such technical solutions
make two assumptions: (1) users have access to multiple
devices and (2) attackers will not resort to hacking the human,
using social engineering techniques. In this paper, we propose
and explore the potential of using human-based computation
instead of solely technical solutions to mitigate the threat of
untrusted devices and channels. ZeTA (Zero Trust Authentication
on untrusted channels) has the potential to allow people to
authenticate despite compromised channels or communications
and easily observed usage. Our contributions are threefold:
(1) We propose the ZeTA protocol with a formal definition
and security analysis that utilises semantics and human-based
computation to ameliorate the problem of untrusted devices
and channels. (2) We outline a security analysis to assess
the envisaged performance of the proposed authentication
protocol. (3) We report on a usability study that explores the
viability of relying on human computation in this context
Password Cracking and Countermeasures in Computer Security: A Survey
With the rapid development of internet technologies, social networks, and
other related areas, user authentication becomes more and more important to
protect the data of the users. Password authentication is one of the widely
used methods to achieve authentication for legal users and defense against
intruders. There have been many password cracking methods developed during the
past years, and people have been designing the countermeasures against password
cracking all the time. However, we find that the survey work on the password
cracking research has not been done very much. This paper is mainly to give a
brief review of the password cracking methods, import technologies of password
cracking, and the countermeasures against password cracking that are usually
designed at two stages including the password design stage (e.g. user
education, dynamic password, use of tokens, computer generations) and after the
design (e.g. reactive password checking, proactive password checking, password
encryption, access control). The main objective of this work is offering the
abecedarian IT security professionals and the common audiences with some
knowledge about the computer security and password cracking, and promoting the
development of this area.Comment: add copyright to the tables to the original authors, add
acknowledgement to helpe
Multi-Factor Credential Hashing for Asymmetric Brute-Force Attack Resistance
Since the introduction of bcrypt in 1999, adaptive password hashing
functions, whereby brute-force resistance increases symmetrically with
computational difficulty for legitimate users, have been our most powerful
post-breach countermeasure against credential disclosure. Unfortunately, the
relatively low tolerance of users to added latency places an upper bound on the
deployment of this technique in most applications. In this paper, we present a
multi-factor credential hashing function (MFCHF) that incorporates the
additional entropy of multi-factor authentication into password hashes to
provide asymmetric resistance to brute-force attacks. MFCHF provides full
backward compatibility with existing authentication software (e.g., Google
Authenticator) and hardware (e.g., YubiKeys), with support for common usability
features like factor recovery. The result is a 10^6 to 10^48 times increase in
the difficulty of cracking hashed credentials, with little added latency or
usability impact
Recommended from our members
Pico without public keys
This document is the Accepted Manuscript version of the following paper: Frank Stajano, Bruce Christianson, Mark Lomas, Graeme Jenkinson, Jeunese Payne, Max Spencer, and Quentin Stafford Fraser, 'Pico without Public Keys', Security Protocols XXIII, 23rd International Workshop Cambridge, March 31- April 2, 2015, Revised Selected Papers, pp. 195-211, part of the Lecture Notes in Computer Science book series (LNCS, Vol. 9379), first online 25 November 2015, ISBN: 978-3-319-26095-2. The final publication is available at Springer via: https://link.springer.com/chapter/10.1007%2F978-3-319-26096-9_21v.Pico is a user authentication system that does not require remembering secrets. It is based on a personal handheld token that holds the user’s credentials and that is unlocked by a “personal aura” generated by digital accessories worn by the owner. The token, acting as prover, engages in a public-key-based authentication protocol with the verifier. What would happen to Pico if success of the mythical quantum computer meant secure public key primitives were no longer available, or if for other reasons such as energy consumption we preferred not to deploy them? More generally, what would happen under those circumstances to user authentication on the web, which relies heavily on public key cryptography through HTTPS/TLS? Although the symmetric-key-vs-public-key debate dates back to the 1990s, we note that the problematic aspects of public key deployment that were identified back then are still ubiquitous today. In particular, although public key cryptography is widely deployed on the web, revocation still doesn’t work. We discuss ways of providing desirable properties of public-key-based user authentication systems using symmetric-key primitives and tamperevident tokens. In particular, we present a protocol through which a compromise of the user credentials file at one website does not require users to change their credentials at that website or any other. We also note that the current prototype of Pico, when working in compatibility mode through the Pico Lens (i.e. with websites that are unaware of the Pico protocols), doesn’t actually use public key cryptography, other than that implicit in TLS. With minor tweaks we adopt this as the native mode for Pico, dropping public key cryptography and achieving much greater deployability without any noteworthy loss in security
- …