Skip to main content
SpringerLink
Log in

AMOGAP: Defending Against Man-in-the-Middle and Offline Guessing Attacks on Passwords

  • Conference paper
  • First Online:
Information Security and Privacy (ACISP 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11547))

Included in the following conference series:

Abstract

Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_2

    Chapter  Google Scholar 

  2. Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 433–444. ACM (2011)

    Google Scholar 

  3. Baum, C., Damgård, I., Larsen, K.G., Nielsen, M.: How to prove knowledge of small secrets. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 478–498. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_17

    Chapter  Google Scholar 

  4. Bisson, D.: The 10 biggest data breaches of 2018... so far, July 2018. https://blog.barkly.com/biggest-data-breaches-2018-so-far

  5. Blocki, J., Harsha, B., Zhou, S.: On the economics of offline password cracking. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 35–53 (2018)

    Google Scholar 

  6. Bojinov, H., Bursztein, E., Boyen, X., Boneh, D.: Kamouflage: loss-resistant password management. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 286–302. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_18

    Chapter  Google Scholar 

  7. Boneh, D., Corrigan-Gibbs, H., Schechter, S.: Balloon hashing: a memory-hard function providing provable protection against sequential attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 220–248. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_8

    Chapter  Google Scholar 

  8. Callegati, F., Cerroni, W., Ramilli, M.: Man-in-the-middle attack to the HTTPS protocol. IEEE Secur. Priv. 7(1), 78–81 (2009)

    Article  Google Scholar 

  9. Cappos, J., Torres, S.: PolyPasswordHasher: protecting passwords in the event of a password file disclosure. Technical report (2014). https://password-hashing.net/submissions/specs/PolyPassHash-v1.pdf

  10. Di Crescenzo, G., Lipton, R., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 225–244. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_12

    Chapter  Google Scholar 

  11. Wang, D., Cheng, H., Wang, P., Yan, J., Huang, X.: A security analysis of honeywords. In: Proceedings of the 25th Annual Network and Distributed System Security Symposium (2018)

    Google Scholar 

  12. D’Orazio, C.J., Choo, K.K.R.: A technique to circumvent SSL/TLS validations on iOS devices. Future Gener. Comput. Syst. 74, 366–374 (2017)

    Article  Google Scholar 

  13. D’Orazio, C.J., Choo, K.K.R.: Circumventing iOS security mechanisms for APT forensic investigations: a security taxonomy for cloud apps. Future Gener. Comput. Syst. 79, 247–261 (2018)

    Article  Google Scholar 

  14. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)

    Article  MathSciNet  Google Scholar 

  15. Gelernter, N., Kalma, S., Magnezi, B., Porcilan, H.: The password reset MitM attack. In: 2017 IEEE Symposium on Security and Privacy, pp. 251–267 (2017)

    Google Scholar 

  16. Grosse, E.: Gmail account security in Iran, September 2011. https://security.googleblog.com/2011/09/gmail-account-security-in-iran.html

  17. Güldenring, B., Roth, V., Ries, L.: Knock Yourself Out: secure authentication with short re-usable passwords. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium (2015)

    Google Scholar 

  18. Hackett, R.: Yahoo raises breach estimate to full 3 billion accounts, by far biggest known, October 2017. http://fortune.com/2017/10/03/yahoo-breach-mail/

  19. Halderman, J.A., Waters, B., Felten, E.W.: A convenient method for securely managing passwords. In: Proceedings of the 14th International Conference on World Wide Web, pp. 471–479. ACM (2005)

    Google Scholar 

  20. Heim, P.: Resetting passwords to keep your files safe, August 2016. blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/

  21. Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, pp. 145–160. ACM (2013)

    Google Scholar 

  22. Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure applications of low-entropy keys. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 121–134. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0030415

    Chapter  Google Scholar 

  23. Komanduri, S., Shay, R., Cranor, L.F., Herley, C., Schechter, S.E.: Telepathwords: preventing weak passwords by reading users’ minds. In: USENIX Security Symposium, pp. 591–606 (2014)

    Google Scholar 

  24. Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: Protecting user accounts from password database leaks. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, pp. 187–198 (2013)

    Google Scholar 

  25. Leininger, H.: Libpathwell 0.6.1 released (2015). https://blog.korelogic.com/blog/2015/07/31/libpathwell-0_6_1

  26. Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCan 2009 (self-published), pp. 1–16 (2009)

    Google Scholar 

  27. Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 161–170. ACM (2002)

    Google Scholar 

  28. Provos, N., Mazieres, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)

    Google Scholar 

  29. Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: USENIX Security, Baltimore, MD, USA, pp. 17–32 (2005)

    Google Scholar 

  30. Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: USENIX Conference on Hot Topics in Security, pp. 1–8 (2010)

    Google Scholar 

  31. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    Article  MathSciNet  Google Scholar 

  32. Shetty, R., Grispos, G., Choo, K.K.R.: Are you dating danger? An interdisciplinary approach to evaluating the (in) security of android dating apps. IEEE Trans. Sustain. Comput. (2017, in press). https://doi.org/10.1109/TSUSC.2017.2783858

  33. Bernard, T.S., Hsu, T., Perlroth, N., Lieber, R.: Equifax says cyberattack may have affected 143 million in the U.S. September 2017. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html

  34. Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12(11), 2776–2791 (2017)

    Article  Google Scholar 

  35. Wang, D., Wang, P.: The emperor’s new password creation policies: an evaluation of leading web services and the effect of role in resisting against online guessing. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 456–477. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_23

    Chapter  Google Scholar 

  36. Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1242–1254. ACM (2016)

    Google Scholar 

  37. Wu, L., Wang, J., Choo, K.K.R., He, D.: Secure key agreement and key protection for mobile device user authentication. IEEE Trans. Inf. Forensics Secur. 14(2), 319–330 (2019)

    Article  Google Scholar 

  38. Yoo, C., Kang, B.T., Kim, H.K.: Case study of the vulnerability of OTP implemented in internet banking systems of South Korea. Multimed. Tools Appl. 74(10), 3289–3303 (2015)

    Article  Google Scholar 

Download references

Acknowledgement

This work has been partly supported by National NSF of China under Grant No. 61772266, 61572248, 61431008.

Author information

Authors and Affiliations

  1. State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing, 210023, Jiangsu Province, China

    Jaryn Shen & Qingkai Zeng

  2. Department of Interdisciplinary Learning and Teaching, University of Texas at San Antonio, San Antonio, TX, 78249, USA

    Timothy T. Yuen

  3. Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX, 78249, USA

    Kim-Kwang Raymond Choo

Authors
  1. Jaryn Shen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Timothy T. Yuen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kim-Kwang Raymond Choo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Qingkai Zeng
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Qingkai Zeng .

Editor information

Editors and Affiliations

  1. Massey University, Palmerston North, New Zealand

    Julian Jang-Jaccard

  2. University of Wollongong, Wollongong, NSW, Australia

    Fuchun Guo

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Shen, J., Yuen, T.T., Choo, KK.R., Zeng, Q. (2019). AMOGAP: Defending Against Man-in-the-Middle and Offline Guessing Attacks on Passwords. In: Jang-Jaccard, J., Guo, F. (eds) Information Security and Privacy. ACISP 2019. Lecture Notes in Computer Science(), vol 11547. Springer, Cham. https://doi.org/10.1007/978-3-030-21548-4_28

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-21548-4_28

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21547-7

  • Online ISBN: 978-3-030-21548-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation