article

Free access

Reducing risks from poorly chosen keys

Authors:

T. Lomas,

L. Gong,

J. Saltzer,

R. NeedhamnAuthors Info & Claims

ACM SIGOPS Operating Systems Review, Volume 23, Issue 5

Pages 14 - 18

https://doi.org/10.1145/74851.74853

Published: 01 November 1989 Publication History

PDF eReader

Abstract

It is well-known that, left to themselves, people will choose passwords that can be rather readily guessed. If this is done, they are usually vulnerable to an attack based on copying the content of messages forming part of an authentication protocol and experimenting, e.g. with a dictionary, offline. The most usual counter to this threat is to require people to use passwords which are obscure, or even to insist on the system choosing their passwords for them. In this paper we show alternatively how to construct an authentication protocol in which offline experimentation is impracticable; any attack based on experiment must involve the real authentication server and is thus open to detection by the server noticing multiple attempts.

References

[1]

Diffie, W. and Hellman, M.E., "New Directions in Cryptography~, IEEE Transactions on Information Theory, Vol. IT-22, No.6, November, 1976, pp.644-654.

Google Scholar

[2]

Kahn, D., The Codebreakers, MacMillan, New York, 1967.

Google Scholar

[3]

"PIN Manual: A Guide to the Use of Personal Identification Numbers in Interchange~, MasterCard international, Inc., September, 1980, Reprinted in Cryptography: A New Dimensio~ in Computer Data Security by Meyer, C.H. and Matyas, S.M., John Wiley and Sons., 1982, pp.429-444.

Google Scholar

[4]

Morris, R. and Thompson, K., "Password Security: A Case History', Communications of the A CM, Vol.22, No. 11, November, 1979, pp.594-597.

Digital Library

Google Scholar

[5]

Needham, R.M. and Schroeder, M.D., "Using Encryption for Authentication in Large Networks of Computers", Communications of the A CM, Vol.21, No.12, December, 1978, pp.993-999.

Digital Library

Google Scholar

[6]

Steiner, J.G., Neuman, C., and Schiller, J.I., 'Kerberos' An Authentication Service for Open Network Systerns~, Proceedings of the USENIX Winter Conference, February, 1988, pp.191-202.

Google Scholar

[7]

Voydock, V.L. and Kent, S.T., ~Security Mechanisms in High-Level Network Protocols", Computing Surveys, Vol. 15, No.2, June 1983, pp.135-171.

Digital Library

Google Scholar

Cited By

View all

Hao Fvan Oorschot PSuga YSakurai KDing XSako K(2022)SoKProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security10.1145/3488932.3523256(697-711)Online publication date: 30-May-2022
https://dl.acm.org/doi/10.1145/3488932.3523256
Lorente EMeijer CVerdult R(2015)Scrutinizing WPA2 password generating algorithms in wireless routersProceedings of the 9th USENIX Conference on Offensive Technologies10.5555/2831211.2831221(10-10)Online publication date: 10-Aug-2015
https://dl.acm.org/doi/10.5555/2831211.2831221
Liu BWang J(2013)Research on the Network Security Protocols Based on the Strand Spaces TheoryApplied Mechanics and Materials10.4028/www.scientific.net/AMM.457-458.1134457-458(1134-1138)Online publication date: Oct-2013
https://doi.org/10.4028/www.scientific.net/AMM.457-458.1134
Show More Cited By

Index Terms

Reducing risks from poorly chosen keys

Recommendations

Reducing risks from poorly chosen keys
SOSP '89: Proceedings of the twelfth ACM symposium on Operating systems principles

It is well-known that, left to themselves, people will choose passwords that can be rather readily guessed. If this is done, they are usually vulnerable to an attack based on copying the content of messages forming part of an authentication protocol and ...
Protecting poorly chosen secrets from guessing attacks

In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to ...
Deniable encryptions secure against adaptive chosen ciphertext attack
ISPEC'12: Proceedings of the 8th international conference on Information Security Practice and Experience

The deniable encryption is a type of encryption which can hide the true message while revealing a fake one. Even if the sender or the receiver is coerced to show the plaintext and the used random numbers in encryption, a deniable encryption scheme ...

Comments

Information & Contributors

Information

Published In

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 November 1989

Published in SIGOPS Volume 23, Issue 5

Check for updates

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

93
Total Citations
View Citations
692
Total Downloads

Downloads (Last 12 months)60
Downloads (Last 6 weeks)16

Reflects downloads up to 04 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Hao Fvan Oorschot PSuga YSakurai KDing XSako K(2022)SoKProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security10.1145/3488932.3523256(697-711)Online publication date: 30-May-2022
https://dl.acm.org/doi/10.1145/3488932.3523256
Lorente EMeijer CVerdult R(2015)Scrutinizing WPA2 password generating algorithms in wireless routersProceedings of the 9th USENIX Conference on Offensive Technologies10.5555/2831211.2831221(10-10)Online publication date: 10-Aug-2015
https://dl.acm.org/doi/10.5555/2831211.2831221
Liu BWang J(2013)Research on the Network Security Protocols Based on the Strand Spaces TheoryApplied Mechanics and Materials10.4028/www.scientific.net/AMM.457-458.1134457-458(1134-1138)Online publication date: Oct-2013
https://doi.org/10.4028/www.scientific.net/AMM.457-458.1134
Yi XLing SWang H(2013)Efficient Two-Server Password-Only Authenticated Key ExchangeIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2012.28224:9(1773-1782)Online publication date: 1-Sep-2013
https://dl.acm.org/doi/10.1109/TPDS.2012.282
Katz JMacKenzie PTaban GGligor V(2012)Two-server password-only authenticated key exchangeJournal of Computer and System Sciences10.1016/j.jcss.2011.09.00578:2(651-669)Online publication date: 1-Mar-2012
https://dl.acm.org/doi/10.1016/j.jcss.2011.09.005
Wang HTan GLiu L(2011)Authentication Protocol Security Assessment Framework Based on Attack ClassificationApplied Mechanics and Materials10.4028/www.scientific.net/AMM.143-144.859143-144(859-863)Online publication date: Dec-2011
https://doi.org/10.4028/www.scientific.net/AMM.143-144.859
Aboud SAlnuaimi MJabbar H(2011)Efficient Password Scheme Without Trusted ServerInternational Journal of Aviation Technology, Engineering and Management10.4018/ijatem.20110101051:1(52-57)Online publication date: 1-Jan-2011
https://doi.org/10.4018/ijatem.2011010105
Li ZWang WCheung BHui LSandhu RWong D(2011)Rethinking about guessing attacksProceedings of the 6th ACM Symposium on Information, Computer and Communications Security10.1145/1966913.1966954(316-325)Online publication date: 22-Mar-2011
https://dl.acm.org/doi/10.1145/1966913.1966954
Clarke D(2011)Design and implementation of a public key-based group collaboration systemComputer Communications10.1016/j.comcom.2010.02.03034:3(407-422)Online publication date: 1-Mar-2011
https://dl.acm.org/doi/10.1016/j.comcom.2010.02.030
SHIN SKOBARA KIMAI H(2010)An RSA-Based Leakage-Resilient Authenticated Key Exchange Protocol Secure against Replacement Attacks, and Its ExtensionsIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences10.1587/transfun.E93.A.1086E93-A:6(1086-1101)Online publication date: 2010
https://doi.org/10.1587/transfun.E93.A.1086
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Index Terms

Recommendations