article

Free access

Undetectable on-line password guessing attacks

Authors:

Yun Ding,

Patrick HorsterAuthors Info & Claims

ACM SIGOPS Operating Systems Review, Volume 29, Issue 4

Pages 77 - 86

https://doi.org/10.1145/219282.219298

Published: 01 October 1995 Publication History

PDF eReader

Abstract

Several 3-party-based authentication protocols have been proposed, which are resistant to off-line password guessing attacks. We show that they are not resistant to a new type of attack called "undetectable on-line password guessing attack". The authentication server is not able to notice this kind of attack from the clients' (attacker's) requests, because they don't include enough information about the clients (or attacker). Either freshness or authenticity of these requests is not guaranteed. Thus the authentication server responses and leaks verifiable information for an attacker to verify his guess.

References

[1]

[BeMe92] S. Bellovin, M. Merritt, "Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks", Proceedings of the IEEE Symposium on Research in Security and Privacy, (1992), pp. 72-84.

Digital Library

Google Scholar

[2]

[Gong95] L. Gong, "Optimal Authentication Protocols Resistant to Password Guessing Attacks", Proceedings of the 8th IEEE Computer Security Foundations Workshop, (1995), pp. 24-29.

Digital Library

Google Scholar

[3]

[GLNS93] L. Gong, M. Lomas, R. Needham, J. Saltzer, "Protecting Poorly Chosen Secrets from Guessing Attacks", IEEE Journal on Selected Areas in Communications, Vol. 11, No. 5, (1993), pp. 648-656.

Digital Library

Google Scholar

[4]

[LGSN89] T. Mark, A. Lomas, L. Gong, J. Saltzer, R. Needham, "Reducing Risks from Poorly Chosen Keys", ACM Operating Systems Review, Vol. 23, No. 5, (1989), pp. 14-18.

Digital Library

Google Scholar

[5]

[Schn94] B. Schneier, "Applied Cryptography", New York, John Wiley & Sons, Inc., (1994).

Google Scholar

[6]

[StTW95] M. Steiner, G. Tsudik, M. Waidner, "Refinement and Extension of Encrypted Key Exchange", ACM Operating Systems Review, Vol. 29, No. 3, (1995), pp. 22-30.

Digital Library

Google Scholar

[7]

[TaAl91] J. J. Tardo, K. Alagappan, "SPX: Global Authentication Using Public Key Certificares", Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, (1991), pp. 23-244.

Crossref

Google Scholar

[8]

[TsHe93] G. Tsudik, E. Van Herreweghen, "Some Remarks on Protecting Weak Keys and Poorly-Chosen Secrets from Guessing Attacks", 1993 IEEE Symposium on Reliable Distributed Systems, (1993), pp. 136-142.

Crossref

Google Scholar

Cited By

View all

Li YOuyang CHuang H(2024)AEGANAuth: Autoencoder GAN-Based Continuous Authentication With Conditional Variational Autoencoder Generative Adversarial NetworkIEEE Internet of Things Journal10.1109/JIOT.2024.339954911:16(27635-27650)Online publication date: 15-Aug-2024
https://doi.org/10.1109/JIOT.2024.3399549
Guo SSong YGuo SYang YSong S(2023)Three-Party Password Authentication and Key Exchange Protocol Based on MLWESymmetry10.3390/sym1509175015:9(1750)Online publication date: 13-Sep-2023
https://doi.org/10.3390/sym15091750
Yang MYe ZPan HFarhat MCetin AChen P(2023)Electromagnetically unclonable functions generated by non-Hermitian absorber-emitterScience Advances10.1126/sciadv.adg74819:36Online publication date: 8-Sep-2023
https://doi.org/10.1126/sciadv.adg7481
Show More Cited By

Index Terms

Undetectable on-line password guessing attacks
1. Networks
  1. Network protocols
2. Security and privacy

Recommendations

An undetectable on-line password guessing attack on Nam et al.'s three-party key exchange protocol

Three-party key exchange protocol is one of the most essential cryptographic technique in the secure communication areas. In this protocol, two clients, each shares a human-memorable password, working with a trusted server, can agree a secure session ...
Security enhancement for a three-party encrypted key exchange protocol against undetectable on-line password guessing attacks

In 1995, a potential attack, called undetectable on-line password guessing attack, on three-party encrypted key exchange (3PEKE) protocol is highlighted by Ding and Horster. Since then, this attack has been one of the main concerns for developing a ...
Password-based group key exchange secure against insider guessing attacks
CIS'05: Proceedings of the 2005 international conference on Computational Intelligence and Security - Volume Part II

Very recently, Byun and Lee suggested two provably secure group Diffie-Hellman key exchange protocols using n participant’s distinct passwords. Unfortunately, the schemes were found to be flawed by Tang and Chen. They presented two password guessing ...

Comments

Information & Contributors

Information

Published In

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 October 1995

Published in SIGOPS Volume 29, Issue 4

Check for updates

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

196
Total Citations
View Citations
1,348
Total Downloads

Downloads (Last 12 months)139
Downloads (Last 6 weeks)20

Reflects downloads up to 04 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Li YOuyang CHuang H(2024)AEGANAuth: Autoencoder GAN-Based Continuous Authentication With Conditional Variational Autoencoder Generative Adversarial NetworkIEEE Internet of Things Journal10.1109/JIOT.2024.339954911:16(27635-27650)Online publication date: 15-Aug-2024
https://doi.org/10.1109/JIOT.2024.3399549
Guo SSong YGuo SYang YSong S(2023)Three-Party Password Authentication and Key Exchange Protocol Based on MLWESymmetry10.3390/sym1509175015:9(1750)Online publication date: 13-Sep-2023
https://doi.org/10.3390/sym15091750
Yang MYe ZPan HFarhat MCetin AChen P(2023)Electromagnetically unclonable functions generated by non-Hermitian absorber-emitterScience Advances10.1126/sciadv.adg74819:36Online publication date: 8-Sep-2023
https://doi.org/10.1126/sciadv.adg7481
Nie CQuinan PTraore IWoungang I(2022)Intrusion Detection using a Graphical Fingerprint Model2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid)10.1109/CCGrid54584.2022.00095(806-813)Online publication date: May-2022
https://doi.org/10.1109/CCGrid54584.2022.00095
Kirss JLaud PSnetkov NVakarjuk J(2022)Server-Supported Decryption for Mobile DevicesSecurity and Trust Management10.1007/978-3-031-29504-1_4(71-81)Online publication date: 29-Sep-2022
https://dl.acm.org/doi/10.1007/978-3-031-29504-1_4
Paladi NTiloca MNikbakht Bideh PHell M(2021)Flowrider: Fast On-Demand Key Provisioning for Cloud NetworksSecurity and Privacy in Communication Networks10.1007/978-3-030-90022-9_11(207-228)Online publication date: 4-Nov-2021
https://doi.org/10.1007/978-3-030-90022-9_11
Abuarqoub A(2019)D-FAP: Dual-Factor Authentication Protocol for Mobile Cloud Connected DevicesJournal of Sensor and Actuator Networks10.3390/jsan90100019:1(1)Online publication date: 20-Dec-2019
https://doi.org/10.3390/jsan9010001
Anitha Kumari KSudha Sadasivam G(2019)Two-Server 3D ElGamal Diffie-Hellman Password Authenticated and Key Exchange Protocol Using Geometrical PropertiesMobile Networks and Applications10.1007/s11036-018-1104-124:3(1104-1119)Online publication date: 1-Jun-2019
https://dl.acm.org/doi/10.1007/s11036-018-1104-1
Liu CZheng ZJia KYou Q(2019)Provably Secure Three-Party Password-Based Authenticated Key Exchange from RLWEInformation Security Practice and Experience10.1007/978-3-030-34339-2_4(56-72)Online publication date: 6-Nov-2019
https://doi.org/10.1007/978-3-030-34339-2_4
Chen CDeng YTang YChen JLin Y(2018)An Improvement on Remote User Authentication Schemes Using Smart CardsComputers10.3390/computers70100097:1(9)Online publication date: 15-Jan-2018
https://doi.org/10.3390/computers7010009
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Index Terms

Recommendations

An undetectable on-line password guessing attack on Nam et al.'s three-party key exchange protocol

Security enhancement for a three-party encrypted key exchange protocol against undetectable on-line password guessing attacks

Password-based group key exchange secure against insider guessing attacks

Comments

Information

Published In

Publisher

Publication History

Check for updates

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations