Downloads provided by UsageCountsHPAKE: Honey Password-Authenticated Key Exchange for Fast and Safer Online Authentication
Copyright policy )EC| IRIS ,
EC| TANGO ,
EC| ASSURED
Wenting Li; Ping Wang; Kaitai Liang;
HPAKE: Honey Password-Authenticated Key Exchange for Fast and Safer Online Authentication
L'authentification par mot de passe est l'un des mécanismes sécurisés les plus populaires pour les applications en ligne du monde réel. Mais il souffre facilement d'une menace pratique - la fuite de mot de passe, encourue par des attaquants externes et internes. L'attaquant externe peut compromettre le fichier de mot de passe stocké sur le serveur d'authentification, et l'initié peut délibérément voler les mots de passe ou les divulguer par inadvertance. Jusqu'à présent, il existe deux techniques principales pour remédier à la fuite : l'échange de clés d'authentification par mot de passe augmenté (aPAKE) contre les initiés et la technique des mots de miel pour les attaquants externes. Mais aucun d'entre eux ne peut résister aux deux attaques. Pour combler le vide, nous proposons la notion de honey PAKE (HPAKE) qui permet au serveur d'authentification de détecter la fuite de mot de passe et d'atteindre la sécurité au-delà de la limite traditionnelle de aPAKE. En outre, nous construisons une construction HPAKE sur le dessus du mécanisme honeyword, le cryptage honey et OPAQUE qui est un aPAKE standardisé. Nous analysons formellement la sécurité de notre conception, en réalisant la résistance interne et la détection de violation de mot de passe. Nous mettons en œuvre notre conception et la déployons dans l'environnement réel. Les résultats expérimentaux montrent que notre protocole ne coûte que 71,27 ms pour une exécution complète, en 20,67 ms sur le calcul et 50,6 ms sur la communication. Cela signifie que notre conception est sécurisée et pratique pour les applications du monde réel.
La autenticación solo con contraseña es uno de los mecanismos seguros más populares para las aplicaciones en línea del mundo real. Pero sufre fácilmente una amenaza práctica: la filtración de contraseñas, en la que incurren atacantes externos e internos. El atacante externo puede comprometer el archivo de contraseñas almacenado en el servidor de autenticación, y el insider puede robar deliberadamente las contraseñas o filtrarlas inadvertidamente. Hasta ahora, hay dos técnicas principales para abordar la fuga: el intercambio de claves de autenticación de contraseña aumentada (aPAKE) contra iniciados y la técnica de palabras clave para atacantes externos. Pero ninguno de ellos puede resistir ambos ataques. Para llenar el vacío, proponemos la noción de Honey PAKE (HPAKE) que permite al servidor de autenticación detectar la fuga de contraseñas y lograr la seguridad más allá del límite tradicional de aPAKE. Además, construimos una construcción HPAKE en la parte superior del mecanismo de palabra de miel, encriptación de miel y OPACO, que es un aPAKE estandarizado. Analizamos formalmente la seguridad de nuestro diseño, logrando la resistencia interna y la detección de violación de contraseñas. Implementamos nuestro diseño y lo desplegamos en el entorno real. Los resultados experimentales muestran que nuestro protocolo solo cuesta 71.27 ms para una ejecución completa, dentro de 20.67 ms en el cálculo y 50.6 ms en la comunicación. Esto significa que nuestro diseño es seguro y práctico para aplicaciones del mundo real.
Password-only authentication is one of the most popular secure mechanisms for real-world online applications. But it easily suffers from a practical threat - password leakage, incurred by external and internal attackers. The external attacker may compromise the password file stored on the authentication server, and the insider may deliberately steal the passwords or inadvertently leak the passwords. So far, there are two main techniques to address the leakage: Augmented password-authentication key exchange (aPAKE) against insiders and honeyword technique for external attackers. But none of them can resist both attacks. To fill the gap, we propose the notion of honey PAKE (HPAKE) that allows the authentication server to detect the password leakage and achieve the security beyond the traditional bound of aPAKE. Further, we build an HPAKE construction on the top of the honeyword mechanism, honey encryption, and OPAQUE which is a standardized aPAKE. We formally analyze the security of our design, achieving the insider resistance and the password breach detection. We implement our design and deploy it in the real environment. The experimental results show that our protocol only costs 71.27 ms for one complete run, within 20.67 ms on computation and 50.6 ms on communication. This means our design is secure and practical for real-world applications.
المصادقة بكلمة المرور فقط هي واحدة من أكثر الآليات الآمنة شيوعًا للتطبيقات عبر الإنترنت في العالم الحقيقي. لكنها تعاني بسهولة من تهديد عملي - تسرب كلمة المرور، الذي يتكبده المهاجمون الخارجيون والداخليون. قد يضر المهاجم الخارجي بملف كلمة المرور المخزن على خادم المصادقة، وقد يسرق المطلع كلمات المرور عن قصد أو يسرب كلمات المرور عن غير قصد. حتى الآن، هناك تقنيتان رئيسيتان لمعالجة التسرب: تبادل مفتاح مصادقة كلمة المرور المعزز (aPAKE) ضد المطلعين وتقنية الكلمات العسل للمهاجمين الخارجيين. لكن لا أحد منهم يستطيع مقاومة كلا الهجومين. لملء الفجوة، نقترح فكرة HONEY PAKE (HPAKE) التي تسمح لخادم المصادقة باكتشاف تسرب كلمة المرور وتحقيق الأمان خارج الحدود التقليدية لـ aPAKE. علاوة على ذلك، نحن نبني بناء HPAKE على الجزء العلوي من آلية كلمة العسل، وتشفير العسل، وغير شفاف وهو aPAKE موحد. نحلل رسميًا أمان تصميمنا، ونحقق المقاومة الداخلية واكتشاف خرق كلمة المرور. ننفذ تصميمنا وننشره في البيئة الحقيقية. تظهر النتائج التجريبية أن بروتوكولنا يكلف 71.27 مللي ثانية فقط لتشغيل كامل واحد، في غضون 20.67 مللي ثانية على الحساب و 50.6 مللي ثانية على التواصل. وهذا يعني أن تصميمنا آمن وعملي للتطبيقات في العالم الحقيقي.
Netherlands
- Institute of Software China (People's Republic of)
- Delft University of Technology Netherlands
- Peking University China (People's Republic of)
- Chinese Academy of Sciences China (People's Republic of)
- National Engineering Research Center for Information Technology in Agriculture China (People's Republic of)
FOS: Computer and information sciences, Challenge–response authentication, Password cracking, User Authentication Methods and Security Measures, Computer Networks and Communications, FOS: Political science, Zero-knowledge password proof, FOS: Law, S/KEY, Password, Characterization and Detection of Android Malware, leakage detection, Computer security, honeyword, Password strength, One-time password, Key Exchange, Political science, password-authenticated key exchange, Insider, Security Protocols for Authentication and Key Exchange, 020, Authentication, Computer network, SAFER, Graphical Passwords, Computer science, Information leakage, Password policy, Authentication (law), Computer Science, Physical Sciences, Signal Processing, Security, Authentication protocol, Passwords, Law, Information Systems
FOS: Computer and information sciences, Challenge–response authentication, Password cracking, User Authentication Methods and Security Measures, Computer Networks and Communications, FOS: Political science, Zero-knowledge password proof, FOS: Law, S/KEY, Password, Characterization and Detection of Android Malware, leakage detection, Computer security, honeyword, Password strength, One-time password, Key Exchange, Political science, password-authenticated key exchange, Insider, Security Protocols for Authentication and Key Exchange, 020, Authentication, Computer network, SAFER, Graphical Passwords, Computer science, Information leakage, Password policy, Authentication (law), Computer Science, Physical Sciences, Signal Processing, Security, Authentication protocol, Passwords, Law, Information Systems
selected citations These citations are derived from selected sources.This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).3 popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.Top 10% influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).Average impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.Average views 41 downloads 37 - 41views37downloads
selected citations
Citations provided by BIP!
These citations are derived from selected sources.
This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).
Citations provided by BIP!popularityPopularity provided by BIP!
This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.
Popularity provided by BIP!influenceInfluence provided by BIP!
This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).
Influence provided by BIP!impulseImpulse provided by BIP!
This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.
Impulse provided by BIP!viewsViews provided by UsageCounts
Views provided by UsageCountsdownloadsDownloads provided by UsageCounts
Downloads provided by UsageCounts 3
Top 10%
Average
Average
41
37
Green
Fields of Science
Funded by
Related to Research communities
EGI : advanced computing for research