Implementing Strong Authentication Interoperability with Legacy Systems

  • Jan Zibuschka
  • Heiko Roßnagel
Part of the International Federation for Information Processing book series (IFIPAICT, volume 261)

In a WWW environment, users need to come up with passwords for a lot of different services, e.g. in the area of e-commerce. These authentication secrets need to be unrelated if the user does not want to make himself vulnerable to insider attacks. This leads to a large number of passwords that a user has to generate, memorize, and remember. This password management is quite a strain on users. Single sign-on systems provide a solution to this dilemma. However, existing solutions often require the implementation of specific interfaces by the individual service providers, and usually do not support existing strong authentication factors, e.g. smart cards, without protocol extensions or modifications of implementations. In this paper we propose a different approach that generates strong passwords using electronic signatures. Our approach builds on existing smart card infrastructures to achieve strong authentication, while at the same time providing an interface to legacy password authentication systems.
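The abstract describes deriving a site-specific password from an electronic signature made by the user's smart card, so that a legacy password login can be fed a strong, unrelated secret per service. The following Python is an added illustration of that idea and is not code from the paper or its authors. It assumes a constructed message format, a constructed password alphabet and character-class policy, and, because no card is available offline, it stands in for the card's deterministic signature with HMAC-SHA256 under a secret key; a real implementation would hand the same message to the card for signing.

```python
import hashlib
import hmac
import string

# Constructed for this example: the password alphabet a legacy site is assumed to accept.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"


def card_sign(card_key: bytes, message: bytes) -> bytes:
    """Stand-in for the smart card's deterministic signature over `message`.

    Assumption: a real implementation would ask the card to sign `message` with
    its private key (e.g. deterministic RSA PKCS#1 v1.5) and return that
    signature. HMAC-SHA256 keyed with a secret is used here only so the example
    runs offline without a card; it keeps the properties the scheme relies on
    (deterministic output, unforgeable without the key).
    """
    return hmac.new(card_key, message, hashlib.sha256).digest()


def bytes_to_password(data: bytes, alphabet: str, length: int) -> str:
    """Base-convert `data` (read as a big integer) into `length` symbols of `alphabet`."""
    n = int.from_bytes(data, "big")
    base = len(alphabet)
    out = []
    for _ in range(length):
        n, r = divmod(n, base)
        out.append(alphabet[r])
    return "".join(out)


def meets_policy(password: str) -> bool:
    """Constructed legacy policy: at least one lower-case letter, upper-case letter and digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def derive_site_password(card_key: bytes, service_id: str, username: str,
                         length: int = 16) -> str:
    """Derive a site-specific password from a signature over the service identity.

    The card signs a message that binds service and account name, so every
    service receives an unrelated password and never learns the signing key.
    A counter is folded into the message so that, if an encoded candidate
    misses a character class the site demands, the next deterministic
    candidate is tried; nothing per site has to be stored by the user.
    """
    for counter in range(256):
        message = f"legacy-pw-v1|{service_id}|{username}|{counter}".encode()
        signature = card_sign(card_key, message)
        # Hash the signature before encoding so the password does not expose
        # raw signature bytes to the relying site.
        digest = hashlib.sha256(signature).digest()
        candidate = bytes_to_password(digest, PASSWORD_ALPHABET, length)
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no policy-conforming password found")


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-real-card-secret"  # constructed sample secret
    for site in ("shop.example", "bank.example"):
        print(site, derive_site_password(demo_key, site, "alice"))
```

The counter loop is the part that makes the scheme fit legacy systems in practice: password policies differ per site, and re-deriving deterministically until a candidate satisfies the policy avoids any per-site state. Changing the card key or the service identifier changes the whole password, which is the "unrelated secrets" property the abstract asks for.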





Copyright information

© International Federation for Information Processing 2008

Authors and Affiliations

  • Jan Zibuschka (1)
  • Heiko Roßnagel (1)
  1. Chair for Mobile Business and Multilateral Security, Johann Wolfgang Goethe University Frankfurt, Germany
