
ShadowKey: A Practical Leakage Resilient Password System

  • Chapter
Leakage Resilient Password Systems

Part of the book series: SpringerBriefs in Computer Science (BRIEFSCOMPUTER)

Abstract

The inherent tradeoff between security and usability in the design of leakage resilient password (LRP) systems reveals that a secure LRP system that does not use any secure channel inevitably imposes a high cognitive workload on its users. To break this usability barrier while maintaining a high level of security, CoverPad relies on a temporary secure channel between the user and a touch-screen mobile device to deliver hidden transformation messages during password entry. While CoverPad is designed to retain most of the benefits of legacy passwords, it still requires its users to perform certain transformation operations to input each password element. To further improve usability in the design of secure LRP systems, we introduce a new LRP system named ShadowKey. ShadowKey makes use of either a permanent secure channel, which naturally exists between the user and the display unit of certain types of mobile devices such as smart glasses, or a temporary secure channel, which can be easily realized between the user and a touch screen with a hand-shielding gesture. The secure channel is used to protect the mappings between original password symbols and associated random symbols. After viewing the mappings, a user of ShadowKey may input the random symbols, instead of the original password, in an open channel. ShadowKey is easy to use in the sense that users do not need to remember anything except their passwords, and they do not need to perform any transformation operations in their minds, as required by previous LRP systems.
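The entry flow described in the abstract can be sketched as follows. This is an added example, not code from the chapter or from ShadowKey itself. It assumes a digit alphabet, a fresh random one-to-one mapping for each password element, and a device that compares against a stored plaintext password; the function names are hypothetical.

```python
import hmac
import secrets
import string

ALPHABET = string.digits  # assumption: PIN-style password alphabet


def new_mapping(alphabet=ALPHABET):
    """Fresh random bijection: original symbol -> random symbol.
    Shown to the user only over the secure channel (assumed: one per element)."""
    shuffled = list(alphabet)
    for i in range(len(shuffled) - 1, 0, -1):  # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
    return dict(zip(alphabet, shuffled))


def user_entry(password, mappings):
    """What the user types in the open channel: for each password symbol,
    the random symbol paired with it in that round's mapping."""
    return "".join(mapping[symbol] for symbol, mapping in zip(password, mappings))


def verify(stored, mappings, typed):
    """Device side: invert each round's mapping and compare with the password.
    A real device would compare against a password hash (simplified here)."""
    if not (len(stored) == len(mappings) == len(typed)):
        return False
    recovered = []
    for shown, mapping in zip(typed, mappings):
        inverse = {rand: orig for orig, rand in mapping.items()}
        if shown not in inverse:  # symbol outside the alphabet
            return False
        recovered.append(inverse[shown])
    return hmac.compare_digest("".join(recovered).encode(), stored.encode())


if __name__ == "__main__":
    password = "2580"  # constructed sample password
    for session in range(2):
        mappings = [new_mapping() for _ in password]
        typed = user_entry(password, mappings)
        # An observer of the open channel sees only `typed`, which changes
        # from session to session because the mappings are regenerated.
        print(session, typed, verify(password, mappings, typed))
```
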




Copyright information

© 2015 The Author(s)

About this chapter

Cite this chapter

Li, Y., Yan, Q., Deng, R.H. (2015). ShadowKey: A Practical Leakage Resilient Password System. In: Leakage Resilient Password Systems. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-17503-4_3


  • DOI: https://doi.org/10.1007/978-3-319-17503-4_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17502-7

  • Online ISBN: 978-3-319-17503-4

  • eBook Packages: Computer Science (R0)
