DOI: 10.1145/1167253.1167292 (ACM-SE Conference Proceedings)
Article

State based authentication

Published: 18 March 2005

Abstract

Access to systems that need protection is usually restricted by asking the user to prove her identity, that is, to authenticate. A combination of user name and password (or PIN) is the most common technique used for this purpose. Unfortunately, user-name/password based authentication is vulnerable to various types of password guessing attacks. Some techniques for making password guessing very difficult do exist, and with them policies requiring very strong passwords can be avoided; however, they usually rely on manual intervention by the security administrator to reset passwords. Such manual steps result in significant expense in large enterprises dealing with password issues. Here we present a novel technique that uses a State Based Authentication method to significantly increase the cost of brute-force and dictionary attacks on passwords. When deployed, it has the potential to reduce the cost of the password helpdesk significantly by eliminating the need for most password-reset requests.

Published In

ACMSE '05 vol 2: Proceedings of the 43rd annual ACM Southeast Conference - Volume 2
March 2005, 430 pages
ISBN: 1595930590
DOI: 10.1145/1167253
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. access control
  2. attack
  3. authentication
  4. dictionary attack
  5. help-desk
  6. password
  7. password management
  8. rule-based attack
  9. security
  10. syllable attack
  11. unauthorized access
  12. vulnerabilities

Conference

ACM SE05: ACM Southeast Regional Conference 2005
March 18 - 20, 2005
Kennesaw, Georgia

Acceptance Rates

Overall Acceptance Rate 502 of 1,023 submissions, 49%
