Abstract
Passwords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a number of known limitations and risks associated with the use of passwords, such as man-in-the-middle (MitM) and offline guessing attacks. In this paper, we present AMOGAP, a novel text password-based user authentication mechanism, to defend against MitM and offline guessing attacks. In our approach, users can select easy-to-remember passwords, and AMOGAP converts currently-used salted and hashed password files into user tokens, whose security relies on the Decisional Diffie-Hellman (DDH) assumption, at the server end. In other words, we use a difficult problem in number theory (i.e., DDH problem), rather than a one-way hash function, to ensure security against offline password guessing attackers and MitM attackers. AMOGAP does not require any change in existing authentication process and infrastructure or incur additional costs at the server.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_2
Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 433–444. ACM (2011)
Baum, C., Damgård, I., Larsen, K.G., Nielsen, M.: How to prove knowledge of small secrets. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 478–498. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_17
Bisson, D.: The 10 biggest data breaches of 2018... so far, July 2018. https://blog.barkly.com/biggest-data-breaches-2018-so-far
Blocki, J., Harsha, B., Zhou, S.: On the economics of offline password cracking. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 35–53 (2018)
Bojinov, H., Bursztein, E., Boyen, X., Boneh, D.: Kamouflage: loss-resistant password management. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 286–302. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_18
Boneh, D., Corrigan-Gibbs, H., Schechter, S.: Balloon hashing: a memory-hard function providing provable protection against sequential attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 220–248. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_8
Callegati, F., Cerroni, W., Ramilli, M.: Man-in-the-middle attack to the HTTPS protocol. IEEE Secur. Priv. 7(1), 78–81 (2009)
Cappos, J., Torres, S.: PolyPasswordHasher: protecting passwords in the event of a password file disclosure. Technical report (2014). https://password-hashing.net/submissions/specs/PolyPassHash-v1.pdf
Di Crescenzo, G., Lipton, R., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 225–244. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_12
Wang, D., Cheng, H., Wang, P., Yan, J., Huang, X.: A security analysis of honeywords. In: Proceedings of the 25th Annual Network and Distributed System Security Symposium (2018)
D’Orazio, C.J., Choo, K.K.R.: A technique to circumvent SSL/TLS validations on iOS devices. Future Gener. Comput. Syst. 74, 366–374 (2017)
D’Orazio, C.J., Choo, K.K.R.: Circumventing iOS security mechanisms for APT forensic investigations: a security taxonomy for cloud apps. Future Gener. Comput. Syst. 79, 247–261 (2018)
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Gelernter, N., Kalma, S., Magnezi, B., Porcilan, H.: The password reset MitM attack. In: 2017 IEEE Symposium on Security and Privacy, pp. 251–267 (2017)
Grosse, E.: Gmail account security in Iran, September 2011. https://security.googleblog.com/2011/09/gmail-account-security-in-iran.html
Güldenring, B., Roth, V., Ries, L.: Knock Yourself Out: secure authentication with short re-usable passwords. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium (2015)
Hackett, R.: Yahoo raises breach estimate to full 3 billion accounts, by far biggest known, October 2017. http://fortune.com/2017/10/03/yahoo-breach-mail/
Halderman, J.A., Waters, B., Felten, E.W.: A convenient method for securely managing passwords. In: Proceedings of the 14th International Conference on World Wide Web, pp. 471–479. ACM (2005)
Heim, P.: Resetting passwords to keep your files safe, August 2016. blogs.dropbox.com/dropbox/2016/08/resetting-passwords-to-keep-your-files-safe/
Juels, A., Rivest, R.L.: Honeywords: making password-cracking detectable. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, pp. 145–160. ACM (2013)
Kelsey, J., Schneier, B., Hall, C., Wagner, D.: Secure applications of low-entropy keys. In: Okamoto, E., Davida, G., Mambo, M. (eds.) ISW 1997. LNCS, vol. 1396, pp. 121–134. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0030415
Komanduri, S., Shay, R., Cranor, L.F., Herley, C., Schechter, S.E.: Telepathwords: preventing weak passwords by reading users’ minds. In: USENIX Security Symposium, pp. 591–606 (2014)
Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: Protecting user accounts from password database leaks. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, pp. 187–198 (2013)
Leininger, H.: Libpathwell 0.6.1 released (2015). https://blog.korelogic.com/blog/2015/07/31/libpathwell-0_6_1
Percival, C.: Stronger key derivation via sequential memory-hard functions. In: BSDCan 2009 (self-published), pp. 1–16 (2009)
Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 161–170. ACM (2002)
Provos, N., Mazieres, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)
Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger password authentication using browser extensions. In: USENIX Security, Baltimore, MD, USA, pp. 17–32 (2005)
Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: USENIX Conference on Hot Topics in Security, pp. 1–8 (2010)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Shetty, R., Grispos, G., Choo, K.K.R.: Are you dating danger? An interdisciplinary approach to evaluating the (in) security of android dating apps. IEEE Trans. Sustain. Comput. (2017, in press). https://doi.org/10.1109/TSUSC.2017.2783858
Bernard, T.S., Hsu, T., Perlroth, N., Lieber, R.: Equifax says cyberattack may have affected 143 million in the U.S. September 2017. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12(11), 2776–2791 (2017)
Wang, D., Wang, P.: The emperor’s new password creation policies: an evaluation of leading web services and the effect of role in resisting against online guessing. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 456–477. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_23
Wang, D., Zhang, Z., Wang, P., Yan, J., Huang, X.: Targeted online password guessing: an underestimated threat. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1242–1254. ACM (2016)
Wu, L., Wang, J., Choo, K.K.R., He, D.: Secure key agreement and key protection for mobile device user authentication. IEEE Trans. Inf. Forensics Secur. 14(2), 319–330 (2019)
Yoo, C., Kang, B.T., Kim, H.K.: Case study of the vulnerability of OTP implemented in internet banking systems of South Korea. Multimed. Tools Appl. 74(10), 3289–3303 (2015)
Acknowledgement
This work has been partly supported by National NSF of China under Grant No. 61772266, 61572248, 61431008.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Shen, J., Yuen, T.T., Choo, KK.R., Zeng, Q. (2019). AMOGAP: Defending Against Man-in-the-Middle and Offline Guessing Attacks on Passwords. In: Jang-Jaccard, J., Guo, F. (eds) Information Security and Privacy. ACISP 2019. Lecture Notes in Computer Science(), vol 11547. Springer, Cham. https://doi.org/10.1007/978-3-030-21548-4_28
Download citation
DOI: https://doi.org/10.1007/978-3-030-21548-4_28
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21547-7
Online ISBN: 978-3-030-21548-4
eBook Packages: Computer ScienceComputer Science (R0)