Verifying and fixing password authentication protocol

Password Authentication Protocol (PAP) is widely used in the Wireless Fidelity Point-to-Point Protocol to authenticate an identity and password for a peer. This paper uses a new knowledge-based framework to verify the PAP protocol and a fixed version. Flaws are found in both the original and the fixed versions. A new enhanced protocol is provided and the security of it is proved The whole process is implemented in a mechanical reasoning platform, Isabelle. It only takes a few seconds to find flaws in the original and the fixed protocol and to verify that the enhanced version of the PAP protocol is secure.

Efficient biometric and password based mutual authentication for consumer USB mass storage devices

A Universal Serial Bus (USB) Mass Storage Device (MSD), often termed a USB flash drive, is ubiquitously used to store important information in unencrypted binary format. This low cost consumer device is incredibly popular due to its size, large storage capacity and relatively high transfer speed. However, if the device is lost or stolen an unauthorized person can easily retrieve all the information. Therefore, it is advantageous in many applications to provide security protection so that only authorized users can access the stored information. In order to provide security protection for a USB MSD, this paper proposes a session key agreement protocol after secure user authentication. The main aim of this protocol is to establish session key negotiation through which all the information retrieved, stored and transferred to the USB MSD is encrypted. This paper not only contributes an efficient protocol, but also does not suffer from the forgery attack and the password guessing attack as compared to other protocols in the literature. This paper analyses the security of the proposed protocol through a formal analysis which proves that the information is stored confidentially and is protected offering strong resilience to relevant security attacks. The computational cost and communication cost of the proposed scheme is analyzed and compared to related work to show that the proposed scheme has an improved tradeoff for computational cost, communication cost and security.

A study on the authentication method for TAmI in ambient intelligence (secure group decision making toolkit)

It is difficult to get the decision about an opinion after many users get the meeting in same place. It used to spend too much time in order to find solve some problem because of the various opinions of each other. TAmI (Group Decision Making Toolkit) is the System to Group Decision in Ambient Intelligence [1]. This program was composed with IGATA [2], WebMeeting and the related Database system. But, because it is sent without any encryption in IP / Password, it can be opened to attacker. They can use the IP / Password to the bad purpose. As the result, although they make the wrong result, the joined member can’t know them. Therefore, in this paper, we studied the applying method of user’s authentication into TAmI.

An immunity based configuration for multilayer single featured biometric authentication algorithms

Immune systems have been used in the last years to inspire approaches for several computational problems. This paper focus on behavioural biometric authentication algorithms’ accuracy enhancement by using them more than once and with different thresholds in order to first simulate the protection provided by the skin and then look for known outside entities, like lymphocytes do. The paper describes the principles that support the application of this approach to Keystroke Dynamics, an authentication biometric technology that decides on the legitimacy of a user based on his typing pattern captured on he enters the username and/or the password and, as a proof of concept, the accuracy levels of one keystroke dynamics algorithm when applied to five legitimate users of a system both in the traditional and in the immune inspired approaches are calculated and the obtained results are compared.

QRP: An improved secure authentication method using QR codes

This paper presents the design and implementation of QRP, an open source proof-of-concept authentication system that uses a two-factorauthentication by combining a password and a camera-equipped mobile phone, acting as an authentication token. QRP is extremely secure asall the sensitive information stored and transmitted is encrypted, but it isalso an easy to use and cost-efficient solution. QRP is portable and can be used securely in untrusted computers. Finally, QRP is able to successfully authenticate even when the phone is offline.

A Secure Mobile-based Authentication System

Financial information is extremely sensitive. Hence, electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. On the other hand, such system must be usable, affordable, and portable.We propose a challengeresponse based one-time password (OTP) scheme that uses symmetriccryptography in combination with a hardware security module. The proposed protocol safeguards passwords from keyloggers and phishing attacks.Besides, this solution provides convenient mobility for users who want to bank online anytime and anywhere, not just from their owntrusted computers.

Centralized password management in a global enterprise

Käyttäjien tunnistaminen tietojärjestelmissä on ollut yksi tietoturvan kulmakivistä vuosikymmenten ajan. Ajatus käyttäjätunnuksesta ja salasanasta on kaikkein kustannustehokkain ja käytetyin tapa säilyttää luottamus tietojärjestelmän ja käyttäjien välillä. Tietojärjestelmien käyttöönoton alkuaikoina, jolloin yrityksissä oli vain muutamia tietojärjestelmiä ja niitä käyttivät vain pieni ryhmä käyttäjiä, tämä toimintamalli osoittautui toimivaksi. Vuosien mittaan järjestelmien määrä kasvoi ja sen mukana kasvoi salasanojen määrä ja monimuotoisuus. Kukaan ei osannut ennustaa, kuinka paljon salasanoihin liittyviä ongelmia käyttäjät kohtaisivat ja kuinka paljon ne tulisivat ruuhkauttamaan yritysten käyttäjätukea ja minkälaisia tietoturvariskejä salasanat tulisivat aiheuttamaan suurissa yrityksissä. Tässä diplomityössä tarkastelemme salasanojen aiheuttamia ongelmia suuressa, globaalissa yrityksessä. Ongelmia tarkastellaan neljästä eri näkökulmasta; ihmiset, teknologia, tietoturva ja liiketoiminta. Ongelmat osoitetaan esittelemällä tulokset yrityksen työntekijöille tehdystä kyselystä, joka toteutettiin osana tätä diplomityötä. Ratkaisu näihin ongelmiin esitellään keskitetyn salasanojenhallintajärjestelmän muodossa. Järjestelmän eri ominaisuuksia arvioidaan ja kokeilu -tyyppinen toteutus rakennetaan osoittamaan tällaisen järjestelmän toiminnallisuus.

Password cracking for fun and profit

Abstract Passwords are the most common form of authentication, and most of us will have to log in to several accounts every day which require passwords. Unfortunately, passwords often do not do a good job of proving who we are, and come with a host of usability problems. Probably the only reason that passwords still exist is that there often isn't a better alternative, so we are likely to be stuck with them for the foreseeable future. Password cracking has been a problem for years, and becomes more problematic as computer become more powerful and attackers get a better idea of the sort of passwords people use. This presentation will look at two free password cracking tools: Hashcat and John the Ripper, and how even a non-expert on a laptop (i.e. me) can use them effectively. An introduction to some of the research surrounding the economics and usability of passwords will also be discussed. Note that the speaker is not an expert in this area, so it will be a fairly informal since I'm sure you're all tired after a long term.

A video-based biometric authentication for e-learning web applications

In the last years there was an exponential growth in the offering of Web-enabled distance courses and in the number of enrolments in corporate and higher education using this modality. However, the lack of efficient mechanisms that assures user authentication in this sort of environment, in the system login as well as throughout his session, has been pointed out as a serious deficiency. Some studies have been led about possible biometric applications for web authentication. However, password based authentication still prevails. With the popularization of biometric enabled devices and resultant fall of prices for the collection of biometric traits, biometrics is reconsidered as a secure remote authentication form for web applications. In this work, the face recognition accuracy, captured on-line by a webcam in Internet environment, is investigated, simulating the natural interaction of a person in the context of a distance course environment. Partial results show that this technique can be successfully applied to confirm the presence of users throughout the course attendance in an educational distance course. An efficient client/server architecture is also proposed. © 2009 Springer Berlin Heidelberg.

A practical approach for biometric authentication based on smartcards

Cryptographic systems are safe. However, the management of cryptographic keys of these systems is a tough task. They are usually protected by the use of password-based authentication mechanisms, which is a weak link on conventional cryptographic systems, as the passwords can be easily copied or stolen. The usage of a biometric approach for releasing the keys is an alternative to the password-based mechanisms. But just like passwords, we need mechanisms to keep the biometrical signal safe. One approach for such mechanism is to use biometrical key cryptography. The cryptographic systems based on the use of biometric characteristics as keys are called biometrical cryptographic systems. This article presents the implementation of Fuzzy Vault, a biometrical cryptographic system written in Java, along with its performance evaluation. Fuzzy Vault was tested on a real application using smartcards.

Context-aware multi-factor authentication

Trabalho apresentado no âmbito do Mestrado em Engenharia Informática, como requisito parcial para obtenção do grau de Mestre em Engenharia Informática

Viability and molecular authentication of Coccidioides spp. isolates from the Instituto de Medicina Tropical de São Paulo culture collection, Brazil

Coccidioidomycosis is an emerging fungal disease in Brazil; adequate maintenance and authentication of Coccidioides isolates are essential for research into genetic diversity of the environmental organisms, as well as for understanding the human disease. Seventeen Coccidioides isolates maintained under mineral oil since 1975 in the Instituto de Medicina Tropical de São Paulo (IMTSP) culture collection, Brazil, were evaluated with respect to their viability, morphological characteristics and genetic features in order to authenticate these fungal cultures. Only five isolates were viable after almost 30 years, showing typical morphological characteristics, and sequencing analysis using Coi-F and Coi-R primers revealed 99% identity with Coccidioides genera. These five isolates were then preserved in liquid nitrogen and sterile water, and remained viable after two years of storage under these conditions, maintaining the same features.

Migração de ligações Wi-Fi não seguras para ligações seguras, após autenticação em captive portal

Atualmente a popularidade das comunicações Wi-Fi tem crescido, os utilizadores acedem a partir de vários dispositivos como telemóveis, tablets, computadores portáteis sendo estes utilizados por qualquer pessoa nos mais variados locais. Com esta utilização massiva por parte dos utilizadores surgiram os hotspots Wi-Fi públicos (em aeroportos, estações de comboios, etc) que permitem a ligação de clientes recorrendo a ligações wireless não seguras (ou abertas). Tais hotspots utilizam, após a ligação de um cliente, um captive portal que captura o tráfego IP com origem no cliente e o redireciona para uma página Web de entrada. A página Web permite ao cliente comprar tempo de acesso à Internet ou, caso já seja um cliente da empresa, autenticar-se para ter acesso à Internet. A necessidade da ligação aberta assenta na possibilidade do operador do hotspot vender acesso à Internet a utilizadores não conhecidos (caso contrário teria de fornecerlhes uma senha previamente). No entanto, fornecer um acesso à Internet wireless sem qualquer tipo de segurança ao nível físico permite que qualquer outro utilizador consiga obter informação sobre a navegação Web dos utilizadores ligados (ex.: escuta de pedidos DNS). Nesta tese pretende-se apresentar uma solução que estenda um dos atuais mecanismos de autenticação Wi-Fi (WPA, WPA2) para que permita, após autenticação em captive portal, a migração de uma ligação aberta para uma ligação segura.

Viability and molecular authentication of Coccidioides immitis strains from culture collection of the Instituto Oswaldo Cruz, Rio de Janeiro, Brazil

Twenty Coccidioides immitis strains were evaluated. Only 5 of the 20 strains kept under mineral oil maintained their viability while all 5 subcultures preserved in water remained viable and none of the 13 subcultures kept in soil were viable. A 519 bp PCR product from the csa gene confirmed the identity of the strains.

The brushstroke and materials of Amadeo de Souza-Cardoso combined in an authentication tool

Nowadays, authentication studies for paintings require a multidisciplinary approach, based on the contribution of visual features analysis but also on characterizations of materials and techniques. Moreover, it is important that the assessment of the authorship of a painting is supported by technical studies of a selected number of original artworks that cover the entire career of an artist. This dissertation is concerned about the work of modernist painter Amadeo de Souza-Cardoso. It is divided in three parts. In the first part, we propose a tool based on image processing that combines information obtained by brushstroke and materials analysis. The resulting tool provides qualitative and quantitative evaluation of the authorship of the paintings; the quantitative element is particularly relevant, as it could be crucial in solving authorship controversies, such as judicial disputes. The brushstroke analysis was performed by combining two algorithms for feature detection, namely Gabor filter and Scale Invariant Feature Transform. Thanks to this combination (and to the use of the Bag-of-Features model), the proposed method shows an accuracy higher than 90% in distinguishing between images of Amadeo’s paintings and images of artworks by other contemporary artists. For the molecular analysis, we implemented a semi-automatic system that uses hyperspectral imaging and elemental analysis. The system provides as output an image that depicts the mapping of the pigments present, together with the areas made using materials not coherent with Amadeo’s palette, if any. This visual output is a simple and effective way of assessing the results of the system. The tool proposed based on the combination of brushstroke and molecular information was tested in twelve paintings obtaining promising results. The second part of the thesis presents a systematic study of four selected paintings made by Amadeo in 1917. Although untitled, three of these paintings are commonly known as BRUT, Entrada and Coty; they are considered as his most successful and genuine works. The materials and techniques of these artworks have never been studied before. The paintings were studied with a multi-analytical approach using micro-Energy Dispersive X-ray Fluorescence spectroscopy, micro-Infrared and Raman Spectroscopy, micro-Spectrofluorimetry and Scanning Electron Microscopy. The characterization of Amadeo’s materials and techniques used on his last paintings, as well as the investigation of some of the conservation problems that affect these paintings, is essential to enrich the knowledge on this artist. Moreover, the study of the materials in the four paintings reveals commonalities between the paintings BRUT and Entrada. This observation is supported also by the analysis of the elements present in a photograph of a collage (conserved at the Art Library of the Calouste Gulbenkian Foundation), the only remaining evidence of a supposed maquete of these paintings. The final part of the thesis describes the application of the image processing tools developed in the first part of the thesis on a set of case studies; this experience demonstrates the potential of the tool to support painting analysis and authentication studies. The brushstroke analysis was used as additional analysis on the evaluation process of four paintings attributed to Amadeo, and the system based on hyperspectral analysis was applied on the painting dated 1917. The case studies therefore serve as a bridge between the first two parts of the dissertation.