On Countering Online Dictionary Attacks with Login Histories and Humans-in-the-Loop
Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol by Pinkas and Sander (2002) to protect against online password-guessing attacks. We present modifications providing a new history-based login protocol with ATTs, which uses failed-login counts. Analysis indicates that the new protocol offers opportunities for improved security and user-friendliness (fewer ATTs to legitimate users), and greater flexibility (e.g., allowing protocol parameter customization for particular situations and users). We also note that the Pinkas-Sander and other protocols involving ATTs are susceptible to minor variations of well-known middle-person attacks. We discuss complementary techniques to address such attacks, and to augment the security of the original protocol.
Countering Identity Theft through Digital Uniqueness, Location Cross-Checking, and Funneling
One of today's fastest growing crimes is identity theft -- the unauthorized use and exploitation of another individual's identity-corroborating information. It is exacerbated by the availability of personal information on the Internet. Published research proposing technical solutions is sparse. In this paper, we identify some underlying problems facilitating identity theft. To address the problem of identity theft and the use of stolen or forged credentials, we propose an authentication architecture and system combining a physical location cross-check, a method for assuring uniqueness of location claims, and a centralized verification process. We suggest that this system merits consideration for practical use, and hope it serves to stimulate, within the security research community, further discussion of technical solutions to the problem of identity theft.
Addressing Online Dictionary Attacks with Login Histories and Humans-in-the-Loop
Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol by Pinkas and Sander (2002) to protect against online password-guessing attacks. We begin by noting that this, and other protocols involving ATTs, are susceptible to minor variations of well-known middle-person attacks. We discuss techniques to address such attacks, and present complementary modifications in a new history-based protocol with ATTs. Analysis indicates that the new protocol offers opportunities for improved security and user-friendliness (fewer ATTs to legitimate users), and greater flexibility (e.g. allowing protocol parameter customization for particular situations and users).
Cryptographic Verification of Test Coverage Claims
The market for software components is growing, driven on the "demand side" by the need for rapid deployment of highly functional products, and on the "supply side" by distributed object standards. As components and component vendors proliferate, there is naturally a growing concern about quality, and the effectiveness of testing processes. White-box testing, particularly the use of coverage criteria, is a widely used method for measuring the "thoroughness" of testing efforts. High levels of test coverage are used as indicators of good quality control procedures. Software vendors who can demonstrate high levels of test coverage have a credible claim to high quality. However, verifying such claims involves knowledge of the source code, test cases, build procedures, etc. In applications where reliability and quality are critical, it would be desirable to verify test coverage claims without forcing vendors to give up valuable technical secrets. In this paper, we explore cryptographic techniques that can be used to verify such claims. Our techniques have certain limitations, which we discuss in this paper. However, vendors who have done the hard work of developing high levels of test coverage can use these techniques (for a modest additional cost) to provide credible evidence of high coverage, while simultaneously reducing disclosure of intellectual property.
Addressing online dictionary attacks with login histories and humans-in-the-loop (extended abstract)
Pinkas and Sander's (2002) login protocol protects against online guessing attacks by employing human-in-the-loop techniques (also known as Reverse Turing Tests or RTTs). We first note that this, and other protocols involving RTTs, are susceptible to minor variations of well-known middle-person attacks, and suggest techniques to address such attacks. We then present complementary modifications in what we call a history-based protocol with RTTs. Preliminary analysis indicates that the new protocol offers opportunities for improved security, improved user-friendliness (fewer RTTs to legitimate users), and greater flexibility (e.g. in customizing protocol parameters to particular situations).