an improved smart card based password authentication scheme with provable security

Password authentication has been adopted as one of the most commonly used solutions in network environment to protect resources from unauthorized access. Recently, Lee–Kim–Yoo [S.W. Lee, H.S. Kim, K.Y. Yoo, Improvement of Chien et al.'s remote user authentication scheme using smart cards, Computer Standards & Interfaces 27 (2) (2005) 181–183] and Lee-Chiu [N.Y. Lee, Y.C. Chiu, Improved remote authentication scheme with smart card, Computer Standards & Interfaces 27 (2) (2005) 177–180] respectively proposed a smart card based password authentication scheme. We show that these two schemes are both subject to forgery attacks provided that the information stored in the smart card is disclosed by the adversary. We also propose an improved scheme with formal security proof.

security analysis of two password authentication schemes

National Natural Science Foundation of China; Dalian University of Technology

a new client-to-client password-authenticated key agreement protocol

Natl Univ Defen Technol, China & Nanyang Technol Univ, NUDT

Mac Printing Password update (workaround)

Quick video for iSolutions to sanity check workaround as all staff will be asked to change network passwords which could have a major affecting on staff authenticating to network printers from a Mac. If good can be used by Serviceline. Do not Contact Adam Procter about this

Password cracking for fun and profit

Abstract Passwords are the most common form of authentication, and most of us will have to log in to several accounts every day which require passwords. Unfortunately, passwords often do not do a good job of proving who we are, and come with a host of usability problems. Probably the only reason that passwords still exist is that there often isn't a better alternative, so we are likely to be stuck with them for the foreseeable future. Password cracking has been a problem for years, and becomes more problematic as computer become more powerful and attackers get a better idea of the sort of passwords people use. This presentation will look at two free password cracking tools: Hashcat and John the Ripper, and how even a non-expert on a laptop (i.e. me) can use them effectively. An introduction to some of the research surrounding the economics and usability of passwords will also be discussed. Note that the speaker is not an expert in this area, so it will be a fairly informal since I'm sure you're all tired after a long term.

Verifying and fixing password authentication protocol

Password Authentication Protocol (PAP) is widely used in the Wireless Fidelity Point-to-Point Protocol to authenticate an identity and password for a peer. This paper uses a new knowledge-based framework to verify the PAP protocol and a fixed version. Flaws are found in both the original and the fixed versions. A new enhanced protocol is provided and the security of it is proved The whole process is implemented in a mechanical reasoning platform, Isabelle. It only takes a few seconds to find flaws in the original and the fixed protocol and to verify that the enhanced version of the PAP protocol is secure.

Efficient biometric and password based mutual authentication for consumer USB mass storage devices

A Universal Serial Bus (USB) Mass Storage Device (MSD), often termed a USB flash drive, is ubiquitously used to store important information in unencrypted binary format. This low cost consumer device is incredibly popular due to its size, large storage capacity and relatively high transfer speed. However, if the device is lost or stolen an unauthorized person can easily retrieve all the information. Therefore, it is advantageous in many applications to provide security protection so that only authorized users can access the stored information. In order to provide security protection for a USB MSD, this paper proposes a session key agreement protocol after secure user authentication. The main aim of this protocol is to establish session key negotiation through which all the information retrieved, stored and transferred to the USB MSD is encrypted. This paper not only contributes an efficient protocol, but also does not suffer from the forgery attack and the password guessing attack as compared to other protocols in the literature. This paper analyses the security of the proposed protocol through a formal analysis which proves that the information is stored confidentially and is protected offering strong resilience to relevant security attacks. The computational cost and communication cost of the proposed scheme is analyzed and compared to related work to show that the proposed scheme has an improved tradeoff for computational cost, communication cost and security.

A hybrid graphical password based system

In this age of electronic connectivity, where we all face viruses, hackers, eavesdropping and electronic fraud, there is indeed no time when security is not critical. Passwords provide security mechanism for authentication and protection services against unwanted access to resources. A graphical based password is one promising alternatives of textual passwords. According to human psychology, humans are able to remember pictures easily. In this paper, we have proposed a new hybrid graphical password based system, which is a combination of recognition and recall based techniques that offers many advantages over the existing systems and may be more convenient for the user. Our scheme is resistant to shoulder surfing attack and many other attacks on graphical passwords. This resistant scheme is proposed for small mobile devices (like smart phones i.e. ipod, iphone, PDAs etc) which are more handy and convenient to use than traditional desktop computer systems.

Further observations on smart-card-based password-authenticated key agreement in distributed systems

This paper initiates the study of two specific security threats on smart-card-based password authentication in distributed systems. Smart-card-based password authentication is one of the most commonly used security mechanisms to determine the identity of a remote client, who must hold a valid smart card and the corresponding password to carry out a successful authentication with the server. The authentication is usually integrated with a key establishment protocol and yields smart-card-based password-authenticated key agreement. Using two recently proposed protocols as case studies, we demonstrate two new types of adversaries with smart card: 1) adversaries with pre-computed data stored in the smart card, and 2) adversaries with different data (with respect to different time slots) stored in the smart card. These threats, though realistic in distributed systems, have never been studied in the literature. In addition to point out the vulnerabilities, we propose the countermeasures to thwart the security threats and secure the protocols. © 2013 IEEE.

Cryptanalysis of an efficient three-party password-based key exchange scheme

Three-party password-authenticated key exchange (3PAKE) protocols allow entities to negotiate a secret session key with the aid of a trusted server with whom they share a human-memorable password. Recently, Lou and Huang proposed a simple 3PAKE protocol based on elliptic curve cryptography, which is claimed to be secure and to provide superior efficiency when compared with similar-purpose solutions. In this paper, however, we show that the solution is vulnerable to key-compromise impersonation and offline password guessing attacks from system insiders or outsiders, which indicates that the empirical approach used to evaluate the scheme's security is flawed. These results highlight the need of employing provable security approaches when designing and analyzing PAKE schemes. Copyright (c) 2011 John Wiley & Sons, Ltd.

Sicurezza dei sistemi di autenticazione basati su credenziali, raccolta ed analisi di un vasto insieme di password

Nell’era dell’informazione in cui viviamo, ogni persona viene sdoppiata in due entità: oltre alla parte reale e materiale vi è un alterego fatto di dati ed informazioni che vive nei database e nei server che compongono il web. Il collegamento tra le due parti è dato dagli account e dalle chiavi di autenticazione, che si presumono essere segrete. Al giorno d’oggi ogni persona possiede almeno un account, sia esso una web mail, un profilo su un social network o l’account di online banking. Quasi la totalità di questi sistemi effettua l’autenticazione dell’utente tramite l’immissione di una password, e la sicurezza di quest’ultima è essenziale per la protezione delle informazioni personali, dei dati bancari e della propria identità. Col passare del tempo le informazioni personali che diamo in custodia al web crescono sempre più velocemente e diventano sempre più personali e delicate, ma purtroppo l’importanza che viene data alla sicurezza informatica non cresce di pari passo sia da parte degli utenti, sia da parte dei fornitori dei servizi web. Questa tesi ha come scopo quello di portare il lettore ad avere più coscienza rispetto alle tematiche della sicurezza informatica e di esporre in modo chiaro e semplice alcune delle problematiche che riguardano la sicurezza dei sistemi di autenticazione.